Dave Buettner
You're listening to the CyberWire network, powered by N2K. Hey everybody, Dave here. I want to talk about our sponsor, LegalZoom. You know, I started my first business back in the early 90s, and oh, what I would have done to have been able to have the services of an organization like LegalZoom back then. Just getting all of those business ducks in a row: all of that technical stuff, the legal stuff, the registrations of the business, the taxes, all of those things that you need to go through when you're starting a business, the hard stuff, the stuff that sucks up your time when you just want to get that business launched and out there. Well, LegalZoom has everything you need to launch, run and protect your business all in one place, and they save you from wasting hours making sense of all that legal stuff. Launch, run and protect your business. To make it official today at legalzoom.com, you can use promo code CYBER10 to get 10% off any LegalZoom business information product, excluding subscriptions and renewals; that expires at the end of this year. Get everything you need from setup to success at legalzoom.com and use promo code CYBER10. That's legalzoom.com and promo code CYBER10. LegalZoom provides access to independent attorneys and self-service tools. LegalZoom is not a law firm and does not provide legal advice except where authorized through its subsidiary law firm, LZ Legal Services LLC. CISA's Director Easterly plans to step down in the coming year. DHS issues recommendations for AI and critical infrastructure. Palo Alto Networks confirms active exploitation of a critical zero-day vulnerability in its firewalls. Threat actors exploit Microsoft's 365 admin portal to send sextortion emails. A China-based APT targets a zero-day in Fortinet's Windows VPN. The EPA reports on vulnerabilities in drinking water systems. A critical authentication bypass vulnerability affects a popular WordPress plugin. Researchers track a rise in the Click Fix social engineering technique.
An 18-year-old faces up to 20 years behind bars for swatting. Our guest is Rob Boyce, Global Lead for Cyber Resilience at Accenture, discussing SIM swapping services targeting telcos. And nuisance calls are in decline. It's Monday, November 18th, 2024. I'm Dave Buettner, and this is your CyberWire Intel Briefing. Happy Monday, and thank you for joining us here today. It is great to have you with us. Jenn Easterly, the Director of the Cybersecurity and Infrastructure Security Agency, will step down on January 20, coinciding with the inauguration of President-elect Donald Trump. Deputy Director Nitin Natarajan is also set to depart. This is a routine transition during a change in administration, a CISA spokesperson confirmed. Easterly, a West Point graduate and Rhodes Scholar, served two decades in the U.S. Army, helping establish U.S. Cyber Command in response to a major DoD malware incident in 2008. Her career also included senior roles at the NSA, the National Security Council and Morgan Stanley. She became CISA director after an eight-month vacancy following Chris Krebs' firing in 2020. During her tenure, Easterly advanced CISA's Secure by Design initiatives, pushing manufacturers to embed security into their products. She led the agency through major cyberattacks, including Chinese hacks targeting U.S. officials, and provided steady leadership during election cycles, reaffirming the integrity of election infrastructure. She also issued guidance on emerging technologies like AI and quantum cryptography. Easterly's departure leaves questions about CISA's direction under Trump's administration. GOP allegations of censorship against CISA and proposed budget cuts raise concerns over future cybersecurity priorities. Senator Rand Paul, a CISA critic, is positioned to lead the Senate Homeland Security panel. Meanwhile, Ohio Secretary of State Frank LaRose is reportedly a candidate to succeed Easterly. The agency faces an uncertain future as these transitions unfold. The U.S.
Department of Homeland Security has issued voluntary recommendations for securely developing and deploying AI in critical infrastructure. The Roles and Responsibilities Framework for Artificial Intelligence in Critical Infrastructure outlines guidance for cloud providers, AI developers, critical infrastructure operators, civil society and public sector organizations. The framework focuses on five key areas: securing environments, responsible system design, data governance, safe deployment, and performance monitoring. Cloud providers are urged to vet supply chains, protect data centers, and report anomalies. AI developers should adopt secure-by-design practices, address biases, and ensure privacy. Critical infrastructure operators must safeguard AI systems and provide transparency on their AI use. DHS Secretary Alejandro Mayorkas emphasized the framework's role in protecting essential services like water and power, calling it a living document that evolves with AI advancements. Palo Alto Networks has confirmed active exploitation of a critical zero-day vulnerability in its firewalls, affecting management interfaces exposed to the Internet. The flaw, rated 9.3 out of 10 in severity, allows unauthenticated remote command execution, and a patch is not yet available. Palo Alto Networks urges users to restrict access to management interfaces to internal, trusted IP addresses. This mitigation reduces the severity to 7.5 but still requires careful monitoring. The company tracks vulnerable devices via its support portal and has observed malicious activity from specific IPs, including potential misuse of third-party VPN services; malicious code was found on affected devices. Separately, Palo Alto disclosed other vulnerabilities in its Expedition migration tool, including OS command and SQL injection flaws, which could expose sensitive firewall configurations.
Threat actors are exploiting the Microsoft 365 admin portal to send sextortion emails, making them appear trustworthy and bypassing spam filters. Sextortion scams claim hackers accessed compromising images or videos of victims and demand payment in cryptocurrency to prevent their release. Though common since 2018, these scams can still alarm recipients. Scammers abuse the Microsoft Message Center's Share feature, which allows notifications to be forwarded with a personal message. While this field is limited to 1,000 characters, attackers bypass the restriction by manipulating browser development tools to input longer messages. Microsoft lacks server-side checks to enforce the limit, enabling full extortion messages to be sent. Microsoft says they are investigating, but they've not yet implemented fixes. The Deep Data malware framework, linked to China-based APT41, is exploiting a zero-day vulnerability in Fortinet's Windows VPN client to steal credentials. According to cybersecurity firm Volexity, Deep Data uses plugins to extract sensitive data from browsers, communication apps and password managers, and can record audio via the system's microphone. APT41, also associated with the LightSpy malware, has targeted journalists, politicians and activists in Southeast Asia. The zero-day vulnerability, reported to Fortinet in July, remains unpatched and lacks a CVE identifier. Volexity attributes the malware's development to Brazen Bamboo, a state-sponsored group. Deep Data and LightSpy share technical similarities, including plugin designs and infrastructure. A new Windows variant of LightSpy has also been identified, showcasing Brazen Bamboo's broad multi-platform surveillance capabilities. A report by the EPA's Office of Inspector General reveals cybersecurity vulnerabilities in over 300 U.S. drinking water systems serving 110 million people. The assessment highlighted risks such as service disruptions, denial of service attacks and compromised customer data.
Critical or high severity issues were identified in 97 systems serving 27 million individuals, while medium and low severity weaknesses like open portals affected 211 systems covering 83 million people. The vulnerabilities span email security, IT hygiene and threat detection. OIG warns that exploiting these flaws could lead to significant damage to water infrastructure. Additionally, the EPA lacks a cybersecurity incident reporting system and relies on CISA for coordination, raising concerns about emergency response and mitigation strategies. A critical authentication bypass vulnerability has been identified in the WordPress plugin Really Simple Security. This plugin, used on over 4 million websites, provides SSL configuration, two-factor authentication and security monitoring. Discovered by Wordfence on November 6, the flaw stems from improper handling of the login nonce parameter in the plugin's two-factor REST API. If login nonce verification fails, the code incorrectly authenticates users based on their user ID alone, allowing attackers to gain administrative access to vulnerable sites. The flaw is particularly severe because it can be exploited at scale with automated scripts. Fixes were released earlier this month. Hosting providers and administrators are urged to update immediately, as millions of sites remain at risk. Researchers at Proofpoint have observed a rise in the Click Fix social engineering technique, which manipulates users into executing malicious PowerShell scripts by disguising them as solutions to fabricated problems. Initially linked to campaigns by TA571 and ClearFake, this method has now been adopted by various financially motivated and espionage-focused threat actors. ClickFix exploits trust by presenting fake error messages or software update prompts, directing users to copy and run PowerShell commands that ultimately deliver malware.
Recent campaigns leveraged fake CAPTCHA verifications, GitHub notifications, and spoofed emails from platforms like Microsoft Word and ChatGPT. Malicious payloads observed include AsyncRAT, NetSupport, Lumma Stealer, and XWorm. The technique bypasses traditional security controls by relying on human error, preying on users' desire to independently resolve issues. To mitigate these threats, organizations should train users to recognize such tactics and avoid manually executing unverified commands. The technique's popularity underscores the evolution of social engineering strategies. An 18-year-old, Alan Filion, has pleaded guilty to making over 375 fake emergency threats, the practice known as swatting. Filion targeted religious and educational institutions, government officials and individuals across the U.S. between 2022 and 2024, beginning at age 16. Swatting involves falsely reporting emergencies to prompt police SWAT team responses, often causing chaos and endangering lives. Filion admitted to using social media to offer swatting services for a fee. On one occasion, he boasted about causing police to detain victims and search their homes for fabricated crimes. Facing up to five years in prison for each of four felony counts, Filion's sentencing is set for February. Coming up after the break, my conversation with Rob Boyce, Accenture's Global Lead for Cyber Resilience.
Rob Boyce
Stay with us. And now a word from our sponsor, KnowBe4. It's all connected, and we're not talking conspiracy theories. When it comes to infosec tools, effective integrations can make or break your security stack. The same should be true for security awareness training. KnowBe4, provider of the world's largest library of security awareness training, provides a way to integrate your existing security stack tools to help you strengthen your organization's security culture. KnowBe4's SecurityCoach uses standard APIs to quickly and easily integrate with your existing security products from vendors like Microsoft, CrowdStrike and Cisco: 35 vendor integrations and counting. SecurityCoach analyzes your security stack alerts to identify events related to any risky security behavior from your users. Use this information to set up real-time coaching campaigns targeting risky users based on those events from your network, endpoint, identity or web security vendors. Then coach your users at the moment the risky behavior occurs, with contextual security tips delivered via Microsoft Teams, Slack or email. Learn more at knowbe4.com/SecurityCoach. That's knowbe4.com/SecurityCoach, and we thank KnowBe4 for sponsoring our show.
Dave Buettner
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. Get this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's how: Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off. Rob Boyce is Global Lead for Cyber Resilience at Accenture. I recently caught up with him to discuss SIM swapping services that are targeting telcos. Rob, welcome back.
Rob Boyce
Thanks, Dave. I was excited to be here.
Dave Buettner
I want to touch today on something I know you and your colleagues there at Accenture have been tracking, and that's SIM swapping. You know, these folks who are targeting the telcos with this sort of thing. Bring us up to speed here. What's the latest?
Rob Boyce
Sure. Actually, we're seeing something super interesting. So SIM swapping, as you said, it's nothing new. We've actually been tracking dark web forums probably since about 2018 for SIM swapping. However, what we're seeing now, which is really, really unique, is one threat actor offering a service for resetting passwords or MFA bypass via SIM swap. But they're doing it from what we believe is an API exploit, which is unique because up until now, to really do SIM swapping you really needed an insider or some form of social engineering. And so this is the first time that we're actually seeing a real exploit being able to be used. And this threat actor is claiming right now that this exploit works against six major U.S. telcos. And we have been tracking them to show that people have been buying it and are pleased with the service. And so we believe the credibility of this claim is pretty high at this point.
Dave Buettner
Well, walk us through how something like this would work. I mean, how does one get access to this API? If it's hitting multiple telcos, explain to me the breadth of its access.
Rob Boyce
Yeah, so this is one thing that is still a little unclear, which is, you know, what system does this exploit exist in. But clearly there's a commonality, at least between these six telcos in the U.S., leveraging probably a very similar system where this API exploit is able to connect and exploit. And what we're finding the threat actor is offering right now is two types of service, which I think is also very interesting. One is a one-time SIM swap, so being able to purchase one number basically and being able to swap that, and they're charging right now somewhere between $4,000 and $7,000 for that; or being able to offer more of a full rights to the exploit for about $15k. And I think this is so new that I have a very strong feeling these prices are going to change, meaning the $15k will probably be higher and the $4 to $7k will probably be much lower for the single SIM swap. And we'll start to see that economy stretch out a little bit, which I think is going to be super interesting. And this allows for a speed and scale for SIM swapping that we have not seen in the past. So this is going to be a really concerning area and something to keep an eye on for sure.
Dave Buettner
Who would need access to this sort of API? I mean, is this the kind of thing where, you know, I'm thinking of the folks at the mall kiosk who you can walk up and buy a phone and maybe you can choose one of several different providers depending on who's running a special that day. Is that the kind of thing we're talking about, why something like this would exist?
Rob Boyce
Yeah, I mean, honestly, David, at this point it's a little unclear. This is so new to us. We're still finishing up our research on how the exploit actually works.
Dave Buettner
I see.
Rob Boyce
So the systems that it's connecting to are a little bit unclear. But we know, as I said, it's highly, highly credible now that this does work. So it's really now, how does it work? That's really what we need to dig into a little bit next.
Dave Buettner
And at this point, you're seeing this coming from a single supplier.
Rob Boyce
Yes, exactly correct.
Dave Buettner
Huh?
Rob Boyce
Exactly right. And that's what makes it also a little bit unique, honestly. And why they can charge the prices they're charging because there is not a competitive threat actor in the space at this moment.
Dave Buettner
Interesting. So what are your recommendations here? I mean, this is a tough one.
Rob Boyce
This is what's really interesting, because I think for a long time now we've always been telling organizations foundational is MFA. You need to have MFA in your environment to be able to provide that higher level of assurance, that a password just isn't enough for externally exposed applications, etc. So more and more organizations, of course, have been implementing MFA, but what we see now is not all MFA is rated the same. So MFA that leverages SMS is very susceptible to this type of attack.
Dave Buettner
Right.
Rob Boyce
And so what we're now starting to see is MFA maturing within its own space, right? And so I think the future of MFA is really passwordless authentication with the adoption of a couple of open standards like FIDO2 or passkeys, because what these technologies allow us to do is really replace passwords with cryptographic keys. So this of course now enhances the ability to eliminate common attacks like phishing or social engineering, which I think is really interesting. And they work alongside biometrics, so it can work with your PIN or with your fingerprint or your facial recognition. So it offers a very seamless user experience, and it's highly adopted by the major companies like Apple and Google and Microsoft. So it's going to be, you know, not just a higher level of security, but it's also going to be a better user experience, I think, in the future. And so there is hope for this, of course, but it's now just realizing that when organizations, when people give recommendations of implementing MFA, it's not just any MFA. We have to think about what the right MFA is going to be to ensure that we're eliminating the exposures that could be introduced from things like SIM swap.
Dave Buettner
Yeah. All right. Well, Robert Boyce is Global Lead for Cyber Resilience at Accenture. Rob, thanks so much for joining us.
Rob Boyce
Of course, Dave, anytime. Thank you.
Dave Buettner
Our thanks to Rob Boyce for joining us. He is Global Lead for Cyber Resilience at Accenture. And now a word from our sponsor, NordPass. NordPass is an advanced password manager from the team behind NordVPN, designed to help keep your business safe from data leaks and cyber threats. It gives your IT professionals control over who has access to your company's data and makes it easy for everyone else on your team to use strong passwords. Right now you can go to www.nordpass.com/cyberwire for 35% off the NordPass Business yearly plan. Don't miss out on that. And finally, our Caller ID desk brings some good news. The FTC is winning the fight against scam and nuisance calls. According to the agency's latest report, complaints about these pesky interruptions have dropped by more than half since 2021. That's a huge win for the 254 million Americans who've signed up for the National Do Not Call Registry and who probably wish telemarketers would stop ignoring it. In 2024, the FTC logged 2 million complaints, with most gripes focused on medical and prescription scams; imposter calls came in a close second, proving scammers are still bad actors. Literally. Robocalls dominated the complaint charts at 53%, while 37% were old-school humans trying to sell you something you didn't want. The FTC isn't just sitting back and letting the registry do the work. New rules and initiatives like the Impersonation Rule and Operation Stop Scam Calls are cracking down on both scammers and the companies profiting from them. And for the cherry on top, the agency is tackling deepfake phone scams with a voice cloning challenge, because AI scammers are a thing now. Sam Levine, head of the FTC's Bureau of Consumer Protection, summed it up, saying, "Illegal calls remain a scourge, but we're making progress." With scams still costing consumers over $1 billion last year, there's plenty more work ahead. For now, though, it's still best to let that unknown number go straight to voicemail.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment on Jason and Brian's show every week. You can find Grumpy Old Geeks wherever the fine podcasts are listed. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment: your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Dave Buettner. Thanks for listening. We'll see you back here tomorrow. The IT world used to be simpler.
Rob Boyce
You only had to secure and manage environments that you controlled.
Dave Buettner
Then came new technologies and new ways to work.
Rob Boyce
Now employees, apps and networks are everywhere. This means poor visibility, security gaps and added risk. That's why Cloudflare created the first-ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business.
CyberWire Daily: A New Era for CISA Under Trump?
Release Date: November 18, 2024
Host: Dave Buettner
Guest: Rob Boyce, Global Lead for Cyber Resilience at Accenture
Jenn Easterly’s Departure
In a significant development, Jenn Easterly, the Director of the Cybersecurity and Infrastructure Security Agency (CISA), announced her resignation effective January 20, 2025, coinciding with the inauguration of President-elect Donald Trump. This transition is standard practice during a change in administration, as confirmed by a CISA spokesperson.
Easterly’s Legacy
Easterly, a West Point graduate and Rhodes Scholar, has been a pivotal figure in U.S. cybersecurity. With two decades in the U.S. Army, she played a crucial role in establishing U.S. Cyber Command following a major Department of Defense malware incident in 2008. Her career also spans senior positions at the NSA, the National Security Council, and Morgan Stanley. She assumed the role of CISA director after an eight-month vacancy following the dismissal of Chris Krebs in 2020.
Under her leadership, CISA advanced the Secure by Design initiatives, encouraging manufacturers to integrate security into their products from inception. She steered the agency through major cyberattacks, including persistent Chinese hacks targeting U.S. officials, and provided unwavering leadership during election cycles to uphold the integrity of election infrastructure. Additionally, Easterly issued guidance on emerging technologies such as artificial intelligence (AI) and quantum cryptography.
Future Uncertainties for CISA
Easterly’s departure raises questions about CISA’s future direction under the Trump administration. GOP critics have leveled allegations of censorship against CISA, coupled with proposed budget cuts, sparking concerns over the agency’s cybersecurity priorities moving forward. Senator Rand Paul, a vocal CISA critic, is poised to lead the Senate Homeland Security panel, adding to the uncertainty. Ohio Secretary of State Frank LaRose is reportedly a contender to succeed Easterly, but the agency’s path remains uncertain as these leadership changes unfold.
Roles and Responsibilities Framework
The Department of Homeland Security (DHS) has unveiled the Roles and Responsibilities Framework for Artificial Intelligence in Critical Infrastructure, a comprehensive guide aimed at securing AI development and deployment within essential sectors. This framework provides voluntary recommendations tailored for cloud providers, AI developers, critical infrastructure operators, civil society, and public sector organizations.
Key Focus Areas
The framework focuses on five key areas: securing environments, responsible system design, data governance, safe deployment, and performance monitoring. Cloud providers are urged to vet supply chains, protect data centers, and report anomalies. AI developers should adopt secure-by-design practices, address biases, and ensure privacy. Critical infrastructure operators must safeguard AI systems and provide transparency on their AI use.
Secretary Alejandro Mayorkas’s Insights
DHS Secretary Alejandro Mayorkas underscored the framework’s critical role in protecting vital services such as water and power. He described the framework as a “living document” that will evolve alongside advancements in AI technology, ensuring that cybersecurity measures remain proactive and adaptive to emerging threats.
Vulnerability Details
Palo Alto Networks has confirmed the active exploitation of a critical zero-day vulnerability in its firewall products, particularly affecting management interfaces exposed to the internet. Rated 9.3 out of 10 in severity, this flaw allows unauthenticated remote command execution, posing a significant threat until a patch is deployed.
Mitigation Strategies
Until a patch is available, Palo Alto Networks advises users to restrict access to management interfaces strictly to internal, trusted IP addresses. Implementing this measure reduces the vulnerability’s severity to 7.5 but necessitates diligent monitoring for any suspicious activities. The company has observed malicious activities from specific IP addresses, including potential misuse of third-party VPN services, and has detected malicious code on affected devices.
Additional Vulnerabilities
Beyond the primary zero-day, Palo Alto Networks disclosed other vulnerabilities in its Expedition Migration tool, including OS command and SQL injection flaws that could expose sensitive firewall configurations. Users are urged to apply available fixes promptly to secure their systems.
Method of Exploitation
Cybercriminals are leveraging Microsoft's 365 admin portal to dispatch sextortion emails that appear legitimate, effectively bypassing traditional spam filters. These scams typically claim that hackers have accessed compromising images or videos of victims and demand cryptocurrency payments to prevent their release.
Attack Vector
The perpetrators exploit the Microsoft Message Center’s Share feature, which is intended to forward notifications with personal messages. Although the Share field is limited to 1,000 characters, attackers manipulate browser development tools to input longer messages, circumventing server-side restrictions. Microsoft is currently investigating these exploits but has not yet implemented fixes.
Impact
Sextortion scams have been prevalent since 2018, causing significant distress to recipients. The abuse of legitimate platforms like Microsoft 365 exacerbates the issue, making it easier for scammers to appear trustworthy and evade detection.
Deep Data Malware Framework
The Deep Data malware framework, linked to the Chinese Advanced Persistent Threat group APT41 (which is also associated with the LightSpy malware) and attributed by Volexity to the state-sponsored group Brazen Bamboo, is being used to exploit a zero-day vulnerability in Fortinet's Windows VPN client. This exploitation facilitates the theft of credentials and the deployment of the Deep Data framework.
Capabilities of Deep Data
Deep Data employs plugins to extract sensitive information from browsers, communication applications, and password managers. Additionally, it can record audio through the system’s microphone, providing comprehensive surveillance capabilities.
Vulnerability Status
The zero-day vulnerability, reported to Fortinet in July, remains unpatched and lacks an official CVE identifier. The exploit allows APT41 to conduct extensive surveillance and data exfiltration, particularly targeting journalists, politicians, and activists in Southeast Asia.
Malware Evolution
A new Windows variant of LightSpy has been identified, showcasing Brazen Bamboo's expanding multi-platform surveillance capabilities. The persistence and adaptability of this activity underline the escalating sophistication of cyber threats emanating from state-sponsored groups.
Scope of Vulnerabilities
The Environmental Protection Agency’s Office of Inspector General (EPA OIG) has identified cybersecurity vulnerabilities in over 300 U.S. drinking water systems, serving approximately 110 million people. These vulnerabilities pose significant risks, including service disruptions, denial-of-service (DoS) attacks, and the compromise of customer data.
Severity of Issues
Critical or high severity issues were identified in 97 systems serving 27 million people, while medium and low severity weaknesses affected 211 systems covering 83 million people.
Common Vulnerabilities
The identified weaknesses span various domains including email security, IT hygiene, and threat detection mechanisms. Notably, open portals on some systems expose them to potential exploitation.
EPA’s Response and Concerns
The OIG emphasized that exploiting these vulnerabilities could lead to catastrophic damage to water infrastructure. Furthermore, the EPA currently lacks a dedicated cybersecurity incident reporting system, relying instead on CISA for coordination—which raises concerns about the efficiency and effectiveness of emergency response and mitigation efforts.
Vulnerability Overview
A severe authentication bypass vulnerability has been discovered in the Really Simple Security plugin for WordPress, which is utilized by over 4 million websites. This plugin offers SSL configuration, two-factor authentication (2FA), and security monitoring.
Technical Details
The flaw originates from improper handling of the login nonce parameter in the plugin's 2FA REST API. When login nonce verification fails, the plugin erroneously authenticates users based solely on their user ID, allowing attackers to gain administrative access to vulnerable sites.
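The fail-open logic described above, modelled in Python as an added example (hypothetical code, not the plugin's own or WordPress's): a login nonce bound to a user ID, a vulnerable handler that notes a failed check but still logs the user in, and a fail-closed handler that refuses. The HMAC nonce scheme, user table and function names are assumptions for illustration.

```python
"""Model of a fail-open vs fail-closed 2FA completion step (hypothetical)."""
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed server secret; a real site would derive it from its salts.
SERVER_SECRET = secrets.token_bytes(32)
NONCE_TTL = 300  # seconds a login nonce stays valid

# Constructed user table for the example: user id -> (login, role).
USERS = {1: ("admin", "administrator"), 7: ("editor", "editor")}

# Records user ids whose nonce check failed (stands in for an audit log).
FAILED_CHECKS: list = []


def issue_login_nonce(user_id: int, issued_at: Optional[int] = None) -> str:
    """Issue a nonce bound to one user id and its issue time (HMAC-SHA256)."""
    issued_at = int(time.time()) if issued_at is None else issued_at
    msg = f"{user_id}:{issued_at}".encode()
    tag = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{issued_at}.{tag}"


def verify_login_nonce(user_id: int, nonce: str,
                       now: Optional[int] = None) -> bool:
    """True only for a well-formed, unexpired nonce issued for this user id."""
    now = int(time.time()) if now is None else now
    try:
        issued_str, tag = nonce.split(".", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False  # malformed nonce
    if issued_at > now or now - issued_at > NONCE_TTL:
        return False  # issued in the future or expired
    msg = f"{user_id}:{issued_at}".encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def set_current_user(user_id: int) -> Optional[dict]:
    """Model of starting an authenticated session for an existing user id."""
    if user_id not in USERS:
        return None
    login, role = USERS[user_id]
    return {"user_id": user_id, "login": login, "role": role}


def finish_2fa_vulnerable(user_id: int, login_nonce: str,
                          now: Optional[int] = None) -> Optional[dict]:
    """Fail-open: a failed nonce check is recorded but does not stop the login."""
    if not verify_login_nonce(user_id, login_nonce, now):
        FAILED_CHECKS.append(user_id)
        # Bug: nothing is returned here, so execution falls through and the
        # session is created from the caller-supplied user id alone.
    return set_current_user(user_id)


def finish_2fa_fixed(user_id: int, login_nonce: str,
                     now: Optional[int] = None) -> Optional[dict]:
    """Fail-closed: the session is created only after the nonce verifies."""
    if not verify_login_nonce(user_id, login_nonce, now):
        FAILED_CHECKS.append(user_id)
        return None  # reject; no session for an unverified user id
    return set_current_user(user_id)


if __name__ == "__main__":
    bogus = "not-a-real-nonce"
    print("vulnerable handler, bad nonce:", finish_2fa_vulnerable(1, bogus))
    print("fixed handler, bad nonce:     ", finish_2fa_fixed(1, bogus))
    print("fixed handler, valid nonce:   ", finish_2fa_fixed(1, issue_login_nonce(1)))
```

Run as a script to see the vulnerable handler hand out an administrator session for an invalid nonce while the fixed handler returns None; a valid nonce for user 1 is also rejected when presented for user 7 or after NONCE_TTL seconds.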
Exploitation and Impact
Given the nature of this vulnerability, it can be exploited at scale using automated scripts, posing a widespread threat to WordPress sites globally. Wordfence discovered the vulnerability on November 6, and fixes were released earlier this month. Web administrators and hosting providers are urged to update the plugin immediately to mitigate the risk.
Emerging Threat: Click Fix
Researchers at Proofpoint have identified a significant uptick in the Click Fix social engineering technique. This method manipulates users into executing malicious PowerShell scripts by masquerading them as solutions to fabricated technical problems.
Operational Mechanics
Click Fix exploits trust by presenting fake error messages or software update prompts, prompting users to copy and run PowerShell commands that deliver malware. Recent campaigns have utilized fake CAPTCHA verifications, GitHub notifications, and spoofed emails from platforms like Microsoft Word and ChatGPT.
Malicious Payloads
The payloads delivered through Click Fix include:
These malicious scripts bypass traditional security controls by exploiting human error and the desire for users to independently resolve perceived issues.
Prevalence and Evolution
Initially linked to campaigns by threat actors TA571 and Clearfake, Click Fix has now been adopted by a broader range of financially motivated and espionage-focused attackers. This evolution underscores the dynamic nature of social engineering strategies and the necessity for robust user education and awareness.
Mitigation Strategies
Organizations are advised to:
Case Overview
An 18-year-old named Alan Filion has pleaded guilty to orchestrating over 375 fake emergency threats, a practice known as swatting. Between 2022 and 2024, Filion targeted religious and educational institutions, government officials, and individuals across the United States, beginning his activities at the age of 16.
Methodology
Swatting involves falsely reporting emergencies to prompt SWAT team responses, often resulting in chaos, property damage, and endangered lives. Filion utilized social media platforms to advertise swatting services for a fee, boasting about his ability to cause police detentions and searches based on fabricated crimes.
Legal Consequences
Filion faces up to five years in prison for each of four felony counts. His sentencing is scheduled for February, highlighting the legal system’s stance against such malicious activities.
Broader Implications
This case underscores the growing threat of swatting, emphasizing the need for law enforcement and cybersecurity professionals to develop strategies to prevent and respond to such incidents effectively.
Introduction
Rob Boyce, Global Lead for Cyber Resilience at Accenture, joined the CyberWire Intel Briefing to discuss the emerging trend of SIM swapping services targeting telecommunications companies.
Emerging SIM Swapping Threats
Rob Boyce (14:08): “SIM swapping as you said, it's nothing new. But what we're seeing now is super interesting—threat actors offering services for resetting passwords or MFA bypass via SIM swap through what we believe is an API exploit.”
API Exploits and Increased Vulnerability
Historically, SIM swapping required insider access or sophisticated social engineering. However, Boyce highlights a novel approach where threat actors are exploiting APIs to facilitate mass SIM swaps without direct human manipulation.
Service Offerings and Pricing
The threat actor is monetizing this exploit by offering:
Boyce anticipates these prices will fluctuate as the exploit becomes more widespread and competitive.
Impact on Telcos and Security Measures
This unprecedented method allows for rapid and large-scale SIM swaps, posing substantial risks to telecommunications providers and their customers. Boyce emphasizes the need for Multi-Factor Authentication (MFA) improvements, noting that SMS-based MFA is particularly vulnerable to such attacks.
Future of Authentication
Rob Boyce (21:16): “MFA is maturing, and the future lies in passwordless authentication with standards like FIDO2 or PassKey, which replace passwords with cryptographic keys, enhancing security and user experience.”
Recommendations
Organizations should:
Conclusion
Boyce underscores the critical importance of evolving authentication practices to safeguard against advanced SIM swapping techniques, advocating for a shift towards more secure and user-friendly authentication standards.
Progress in Reducing Scam Calls
The Federal Trade Commission (FTC) reports a 50% reduction in complaints about scam and nuisance calls since 2021, marking a significant victory for the agency’s ongoing efforts. In 2024, the FTC received 2 million complaints, primarily focused on medical and prescription scams and imposter calls.
Types of Scams
FTC’s Initiatives
The FTC is not complacent despite the progress. It has introduced new rules and initiatives such as the Impersonation Rule and Operation Stop Scam to intensify crackdowns on both scammers and the businesses that profit from fraudulent activities. Additionally, the FTC is addressing the rising threat of deepfake phone scams through a voice cloning challenge, recognizing the increasing sophistication of AI-driven scams.
Sam Levine’s Statement
Sam Levine, Head of the FTC’s Bureau of Consumer Protection: “Illegal calls remain a scourge. But we're making progress, with scams still costing consumers over $1 billion last year. There's plenty more work ahead.”
Consumer Advice
Levine advises consumers to remain vigilant, suggesting that unknown numbers should be sent directly to voicemail to prevent falling victim to these ongoing scams.
The November 18, 2024 episode of CyberWire Daily provided a comprehensive overview of pivotal cybersecurity developments, from leadership changes within CISA to emerging threats like API-driven SIM swapping and sophisticated social engineering techniques. Guest insights from Rob Boyce highlighted the evolving landscape of authentication security, while the FTC's achievements in reducing scam calls offered a glimpse of progress in combating consumer fraud. As cybersecurity threats continue to adapt and expand, the episode underscored the necessity for continuous vigilance, advanced security measures, and proactive policy frameworks to safeguard critical infrastructure and protect consumers.
Notable Quotes:
Rob Boyce (17:36): “This is the first time that we're actually seeing a real exploit being used against six major US telcos, and the credibility of this claim is pretty high at this point.”
Rob Boyce (21:16): “The future of MFA is really passwordless authentication with the adoption of open standards like FIDO2 or PassKey, which replace passwords with cryptographic keys.”
Sam Levine (Caller ID Desk): “Illegal calls remain a scourge. But we're making progress, with scams still costing consumers over $1 billion last year.”
Produced by: Liz Stokes
Mixer: Trey Hester
Music and Sound Design: Elliot Peltzman
Executive Producer: Jennifer Iban
Executive Editor: Brandon Karp
President: Simone Petrella
Publisher: Peter Kilpie
Host: Dave Buettner
For more detailed information on today’s stories, visit CyberWire Daily Briefing. To stay ahead in the rapidly evolving world of cybersecurity, subscribe to the CyberWire Daily and ensure you never miss an update.