Transcript
Dave Buettner (0:02)
You're listening to the Cyberwire network, powered by N2K. Hey everybody, Dave here. I want to talk about our sponsor, LegalZoom. You know, I started my first business back in the early 90s, and oh, what I would have done to have been able to have the services of an organization like LegalZoom back then. Just getting all of those business ducks in a row. All of that technical stuff, the legal stuff, the registrations of the business, the taxes, all of those things that you need to go through when you're starting a business, the hard stuff, the stuff that sucks up your time when you just want to get that business launched and out there. Well, LegalZoom has everything you need to launch, run and protect your business all in one place, and they save you from wasting hours making sense of all that legal stuff. Launch, run and protect your business. Make it official today at legalzoom.com. You can use promo code CYBER10 to get 10% off any LegalZoom business information product, excluding subscriptions and renewals. That offer expires at the end of this year. Get everything you need from setup to success at legalzoom.com and use promo code CYBER10. That's legalzoom.com and promo code CYBER10. LegalZoom provides access to independent attorneys and self-service tools. LegalZoom is not a law firm and does not provide legal advice except where authorized through its subsidiary law firm, LZ Legal Services LLC.

CISA's Director Easterly plans to step down in the coming year. DHS issues recommendations for AI and critical infrastructure. Palo Alto Networks confirms active exploitation of a critical zero day vulnerability in its firewalls. Threat actors exploit Microsoft's 365 admin portal to send sextortion emails. A China based APT targets a zero day in Fortinet's Windows VPN. The EPA reports on vulnerabilities in drinking water systems. A critical authentication bypass vulnerability affects a popular WordPress plugin. Researchers track a rise in the ClickFix social engineering technique.
An 18-year-old faces up to 20 years behind bars for swatting. Our guest is Rob Boyce, Global Lead for Cyber Resilience at Accenture, discussing SIM swapping services targeting telcos. And nuisance calls are in decline. It's Monday, November 18th, 2024. I'm Dave Buettner and this is your Cyberwire Intel Briefing.

Happy Monday and thank you for joining us here today. It is great to have you with us. Jen Easterly, the Director of the Cybersecurity and Infrastructure Security Agency, will step down on January 20, coinciding with the inauguration of President-elect Donald Trump. Deputy Director Nitin Natarajan is also set to depart. This is a routine transition during a change in administration, a CISA spokesperson confirmed. Easterly, a West Point graduate and Rhodes Scholar, served two decades in the U.S. Army, helping establish U.S. Cyber Command in response to a major DoD malware incident in 2008. Her career also included senior roles at the NSA, the National Security Council and Morgan Stanley. She became CISA director after an eight-month vacancy following Chris Krebs' firing in 2020. During her tenure, Easterly advanced CISA's Secure by Design initiatives, pushing manufacturers to embed security into their products. She led the agency through major cyberattacks, including Chinese hacks targeting US officials, and provided steady leadership during election cycles, reaffirming the integrity of election infrastructure. She also issued guidance on emerging technologies like AI and quantum cryptography. Easterly's departure leaves questions about CISA's direction under Trump's administration. GOP allegations of censorship against CISA and proposed budget cuts raise concerns over future cybersecurity priorities. Senator Rand Paul, a CISA critic, is positioned to lead the Senate Homeland Security panel. Meanwhile, Ohio Secretary of State Frank LaRose is reportedly a candidate to succeed Easterly. The agency faces an uncertain future as these transitions unfold.

The U.S. Department of Homeland Security has issued voluntary recommendations for securely developing and deploying AI in critical infrastructure. The Roles and Responsibilities Framework for Artificial Intelligence in Critical Infrastructure outlines guidance for cloud providers, AI developers, critical infrastructure operators, civil society and public sector organizations. The framework focuses on five key areas: securing environments, responsible system design, data governance, safe deployment, and performance monitoring. Cloud providers are urged to vet supply chains, protect data centers, and report anomalies. AI developers should adopt secure by design practices, address biases, and ensure privacy. Critical infrastructure operators must safeguard AI systems and provide transparency on their AI use. DHS Secretary Alejandro Mayorkas emphasized the framework's role in protecting essential services like water and power, calling it a living document that evolves with AI advancements.

Palo Alto Networks has confirmed active exploitation of a critical zero day vulnerability in its firewalls, affecting management interfaces exposed to the Internet. The flaw, rated 9.3 out of 10 in severity, allows unauthenticated remote command execution, while a patch is not yet available. Palo Alto Networks urges users to restrict access to management interfaces to internal trusted IP addresses. This mitigation reduces the severity to 7.5 but still requires careful monitoring. The company tracks vulnerable devices via its support portal and has observed malicious activity from specific IPs, including potential misuse of third party VPN services. Malicious code was found on affected devices. Separately, Palo Alto disclosed other vulnerabilities in its Expedition migration tool, including OS command and SQL injection flaws, which could expose sensitive firewall configurations.
Threat actors are exploiting the Microsoft 365 admin portal to send sextortion emails, making them appear trustworthy and bypassing spam filters. Sextortion scams claim hackers accessed compromising images or videos of victims and demand payment in cryptocurrency to prevent their release. Though common since 2018, these scams can still alarm recipients. Scammers abuse the Microsoft Message Center's Share feature, which allows notifications to be forwarded with a personal message. While this field is limited to 1000 characters, attackers bypass the restriction by manipulating browser development tools to input longer messages. Microsoft lacks server side checks to enforce the limit, enabling full extortion messages to be sent. Microsoft says they are investigating, but they've not yet implemented fixes.

The DeepData malware framework, linked to China based APT41, is exploiting a zero day vulnerability in Fortinet's Windows VPN client to steal credentials. According to cybersecurity firm Volexity, DeepData uses plugins to extract sensitive data from browsers, communication apps and password managers, and can record audio via the system's microphone. APT41, also associated with the LightSpy malware, has targeted journalists, politicians and activists in Southeast Asia. The zero day vulnerability, reported to Fortinet in July, remains unpatched and lacks a CVE identifier. Volexity attributes the malware's development to BrazenBamboo, a state sponsored group. DeepData and LightSpy share technical similarities, including plugin designs and infrastructure. A new Windows variant of LightSpy has also been identified, showcasing BrazenBamboo's broad multi-platform surveillance capabilities.

A report by the EPA's Office of Inspector General reveals cybersecurity vulnerabilities in over 300 US drinking water systems serving 110 million people. The assessment highlighted risks such as service disruptions, denial of service attacks and compromised customer data.
Critical or high severity issues were identified in 97 systems serving 27 million individuals, while medium and low severity weaknesses like open portals affected 211 systems covering 83 million people. The vulnerabilities span email security, IT hygiene and threat detection. OIG warns that exploiting these flaws could lead to significant damage to water infrastructure. Additionally, the EPA lacks a cybersecurity incident reporting system and relies on CISA for coordination, raising concerns about emergency response and mitigation strategies.

A critical authentication bypass vulnerability has been identified in the WordPress plugin Really Simple Security. This plugin, used on over 4 million websites, provides SSL configuration, two-factor authentication and security monitoring. Discovered by Wordfence on November 6, the flaw stems from improper handling of the login_nonce parameter in the plugin's two-factor REST API. If login_nonce verification fails, the code incorrectly authenticates users based on their user ID alone, allowing attackers to gain administrative access to vulnerable sites. The flaw is particularly severe because it can be exploited at scale with automated scripts. Fixes were released earlier this month. Hosting providers and administrators are urged to update immediately, as millions of sites remain at risk.

Researchers at Proofpoint have observed a rise in the ClickFix social engineering technique, which manipulates users into executing malicious PowerShell scripts by disguising them as solutions to fabricated problems. Initially linked to campaigns by TA571 and ClearFake, this method has now been adopted by various financially motivated and espionage focused threat actors. ClickFix exploits trust by presenting fake error messages or software update prompts, directing users to copy and run PowerShell commands that ultimately deliver malware.
Recent campaigns leveraged fake CAPTCHA verifications, GitHub notifications, and spoofed emails from platforms like Microsoft Word and ChatGPT. Malicious payloads observed include AsyncRAT, NetSupport, Lumma Stealer, and XWorm. The technique bypasses traditional security controls by relying on human error, preying on users' desire to independently resolve issues. To mitigate these threats, organizations should train users to recognize such tactics and avoid manually executing unverified commands. The technique's popularity underscores the evolution of social engineering strategies.

An 18-year-old, Alan Filion, has pleaded guilty to making over 375 fake emergency threats, the practice known as swatting. Filion targeted religious and educational institutions, government officials and individuals across the US between 2022 and 2024, beginning at age 16. Swatting involves falsely reporting emergencies to prompt police SWAT team responses, often causing chaos and endangering lives. Filion admitted to using social media to offer swatting services for a fee. On one occasion, he boasted about causing police to detain victims and search their homes for fabricated crimes. Facing up to five years in prison for each of four felony counts, Filion's sentencing is set for February.

Coming up after the break, my conversation with Rob Boyce, Accenture's global lead for cyber resilience.
