Dave Bittner
You're listening to the Cyberwire network, powered by N2K.
Unknown Sponsor Voice
The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now employees, apps and networks are everywhere. This means poor visibility, security gaps and added risk. That's why Cloudflare created the first ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business.
Dave Bittner
The US sanctions Russian and Iranian groups over election misinformation. Apple settles a class action lawsuit over Siri privacy allegations. Double clickjacking exploits a timing vulnerability in browser behavior. FireScam targets sensitive info on Android devices. ASUS issues a critical security advisory for several router models. A former crypto boss faces extradition amidst allegations of defrauding investors out of more than $40 billion. HHS unveils proposed updates to HIPAA. Millions of email servers have yet to enable encryption. Our guest is Joe Saunders, co-founder and CEO of RunSafe Security, discussing the complexities of safeguarding critical infrastructure. And using DOOM to prove you're human. It's Friday, January 3rd, 2025. I'm Dave Bittner and this is your CyberWire Intel Brief.
Thanks for joining us here today and happy Friday. It is great to have you with us. The United States has sanctioned two groups tied to Iranian and Russian disinformation campaigns targeting American voters. The Treasury accused these organizations of spreading fake videos, news and social media posts to deepen divisions and undermine trust in US elections. The Moscow-based Center for Geopolitical Expertise used AI to create deepfake videos and fake news websites. Its director allegedly collaborated with Russian military intelligence to support cyberattacks. Iran's Cognitive Design Production Center, linked to the Revolutionary Guard, has incited U.S. political tensions since 2023 and targeted officials with cyber attacks. U.S. intelligence also blames Iran for promoting protests related to Israel's conflict with Hamas. Both nations denied the allegations. U.S. officials say Russia aimed to bolster Trump while Iran opposed him due to policies like reimposing sanctions and the killing of Iranian general Qassem Soleimani. The broader effort included actions by China to undermine US democracy.
Apple has agreed to a $95 million settlement in a class action lawsuit claiming Siri violated user privacy. The lawsuit alleged Siri unintentionally activated, recorded and shared private communications without user consent. Eligible US residents who owned Siri-enabled devices between September 17, 2014 and December 31, 2024, can file claims for pro rata payments capped at $20 per device. Devices include iPhones, iPads, Apple Watches, Macs and HomePods. Plaintiffs accused Apple of violating privacy and consumer protection laws. Apple denied wrongdoing but settled after five years of litigation. The settlement covers 10 to 15% of estimated damages, with attorney fees up to 30% of the fund. The preliminary settlement was filed in federal court in Oakland, California. Notifications will go to affected Siri device owners, as the class size is expected to be substantial. It's worth noting that no definitive proof has emerged from reputable cybersecurity researchers or investigations that Apple intentionally uses Siri to listen to conversations and then sells that data to advertisers. Apple's privacy policies explicitly state that it does not sell user data, including Siri recordings, to third parties. Meanwhile, security researchers have discovered SysBumps, a novel attack targeting macOS systems on Apple Silicon processors. The attack exploits speculative execution vulnerabilities in system calls to bypass kernel address space layout randomization, a key security feature. The research, led by a team from Korea University, demonstrates how SysBumps leverages speculative execution and translation lookaside buffer side-channel analysis to infer kernel memory layouts. Using a prime+probe technique, attackers identify valid kernel addresses with 96% accuracy, exposing systems to further exploitation. The attack highlights challenges in securing modern processors, particularly Apple's ARM-based M series chips.
While no immediate fixes exist, the researchers proposed mitigation strategies and responsibly disclosed their findings to Apple. Users are advised to update their systems as patches become available. Hackers are exploiting a timing vulnerability in browser behavior with a technique called double clickjacking, a sophisticated evolution of clickjacking attacks. Security researcher Paulos Yibelo identified this method, which manipulates the delay between two mouse clicks to trick users into authorizing sensitive actions such as granting OAuth permissions, enabling account takeovers, or confirming transactions. Double clickjacking bypasses modern browser protections like SameSite cookies and X-Frame-Options by exploiting the mousedown and click event sequence. The attack starts with a deceptive browser window such as a CAPTCHA prompt, which closes after the first click, revealing a sensitive action like an authorization form. The second click, intended for the initial prompt, unwittingly triggers malicious actions. Yibelo demonstrated the technique on major platforms like Salesforce, Slack, and Shopify. He proposed defenses including client-side JavaScript that disables critical buttons until intentional interaction is detected, and introducing a double-click-protection HTTP header. Platforms like Dropbox and GitHub have already adopted these mitigations. A new threat has emerged in the Android ecosystem, a stealthy malware known as FireScam, capable of harvesting sensitive information and monitoring user activities, according to research from Cyfirma. Disguised as Telegram Premium, FireScam spreads through a phishing website imitating the RuStore app store, hosted on a github.io domain. Once downloaded, FireScam's installer gains control over the device by requesting extensive permissions. It lists installed apps, modifies storage, and prevents updates from other sources, ensuring its persistence.
The malware tricks users into granting unrestricted background operation, further solidifying its grip on the system. FireScam doesn't stop at merely existing; it actively observes. It fingerprints devices, monitors applications, and registers a backdoor using Firebase Cloud Messaging, enabling remote commands. It tracks interactions, intercepts USSD communications, and exfiltrates data to a Firebase database. By exploiting legitimate services and phishing tactics, FireScam showcases a chilling capacity to compromise privacy and security, highlighting the need for vigilance against evolving cyber threats. ASUS has issued a critical security advisory for several router models, highlighting vulnerabilities in multiple firmware versions. These flaws could allow authenticated attackers to execute arbitrary commands via the AiCloud feature, potentially compromising network security. ASUS has released firmware updates and urges users to update immediately. To enhance security, the company advises using strong, unique passwords and disabling Internet-accessible services on older routers. Do Hyung Kwon, the co-founder and former CEO of a cryptocurrency firm, has been extradited to the US from Montenegro to face fraud charges. Appearing in a Manhattan court, Kwon, 33, is accused of defrauding investors in Terraform cryptocurrencies between 2018 and 2022, leading to losses exceeding $40 billion, according to the Department of Justice. Kwon allegedly misrepresented Terraform's stability and success, inflating the value of its cryptocurrencies. He claimed the Terra protocol maintained a stablecoin's dollar peg, exaggerated the independence of the Luna Foundation Guard and fabricated partnerships, including with payment processor Chai. Despite early efforts to mask issues, a collapse in 2022 exposed systemic vulnerabilities, causing massive losses.
Kwon faces charges of commodities and securities fraud, wire fraud and money laundering, with a potential 130-year prison sentence if convicted. The US Department of Health and Human Services today unveiled a proposed overhaul of the HIPAA security rule, the first major update in over 20 years. The revisions aim to shift from a flexible, process-oriented approach to more prescriptive requirements, including mandatory encryption, multi-factor authentication and vulnerability scanning every six months. Key proposals include annual technology asset inventories, network mapping and a requirement to restore critical systems within 72 hours. Additionally, business associates must verify compliance with technical safeguards annually. Critics argue the 72-hour restoration mandate is unrealistic and could increase risks if systems are restored prematurely. The update responds to surging healthcare data breaches, with incidents increasing 102% between 2018 and 2023. Compliance costs are estimated at $9 billion in the first year and $6 billion annually thereafter, raising concerns about the financial strain on small and rural healthcare providers. Public comments on the rule are open until March. Millions of email servers worldwide are sitting exposed, vulnerable to network sniffing attacks. According to Shadowserver, over 3.3 million IMAP and POP3 email servers lack TLS encryption, leaving sensitive email data, including usernames and passwords, transmitted in plain text. IMAP, often used for accessing email across multiple devices, and POP3, which downloads emails to a single device, rely on TLS to protect data during transmission. Without it, these servers become easy targets for attackers. Shadowserver has alerted mail server operators, urging them to enable TLS encryption or reassess the necessity of exposed services. Despite modern TLS 1.3 being introduced in 2018 and outdated versions retired by major tech companies in 2020, many servers remain unsecured.
The NSA has also warned that outdated configurations allow attackers to intercept and manipulate traffic. The message is clear. Without secure protocols, sensitive data is at significant risk. Coming up after the break, my conversation with Joe Saunders from RunSafe Security. We're discussing the complexities of safeguarding critical infrastructure and using DOOM to prove you're human. Stay with us.
Unknown Sponsor Voice
And now a word from our sponsor, KnowBe4. It's all connected, and we're not talking conspiracy theories. When it comes to infosec tools, effective integrations can make or break your security stack. The same should be true for security awareness training. KnowBe4, provider of the world's largest library of security awareness training, provides a way to integrate your existing security stack tools to help you strengthen your organization's security culture. KnowBe4's SecurityCoach uses standard APIs to quickly and easily integrate with your existing security products from vendors like Microsoft, CrowdStrike and Cisco. 35 vendor integrations and counting. SecurityCoach analyzes your security stack alerts to identify events related to any risky security behavior from your users. Use this information to set up real-time coaching campaigns targeting risky users based on those events from your network, endpoint, identity or web security vendors. Then coach your users at the moment the risky behavior occurs, with contextual security tips delivered via Microsoft Teams, Slack or email. Learn more at knowbe4.com/securitycoach. That's knowbe4.com/securitycoach, and we thank KnowBe4 for sponsoring our show.
Dave Bittner
Joe Saunders is co-founder and CEO of RunSafe Security. I caught up with him to discuss the complexities of safeguarding critical infrastructure amid the looming threat of cyber attacks and military conflict.
Joe Saunders
Well, of course, protecting critical infrastructure is a complex problem. There's a whole subcommittee in Congress dedicated to funding critical infrastructure protection in general. And naturally, that's where CISA's budget comes from. And I think the challenge, of course, is that a majority of the critical infrastructure is not government owned, it's commercially owned. And the technology provided to critical infrastructure is provided by commercial organizations, which isn't necessarily a bad thing when it comes to security. It just means more coordination needs to happen. And with that said, if you look across all the sectors, there's 16, 17, depending on how you count them, critical infrastructure sectors. And there are industry groups, government agencies, technology companies, and all the like that are sort of focused on making sure critical infrastructure is protected. And of course, the problem is there's all sorts of legacy code, you know, hardware, software that's been deployed in energy grid or power stations or everywhere else that's been around for 5, 10, 15, 20, sometimes 30 years. And so it's a complex problem where I think we're only scratching the surface in terms of really doing a good job protecting security, given the variety of technology, the complexity of who's involved, the agency, of who has an interest in ensuring security. Is it a national security issue? Is it good business practice? All of the above. So with that said, I think it's a complex problem and we're only scratching the surface to really solve it in a good way thus far.
Dave Bittner
Well, in your estimation, what are some of the things that could be done to move us in the right direction?
Joe Saunders
Well, there's multiple things that can be done. You have to think about the workforce, you have to think about the education and awareness of the problem to the owners and operators of critical infrastructure. For example, if you look at water utilities, there's 10,000 water utilities in the U.S., which means there are some really big ones and there are some pretty small ones. And yet, you know, if those systems that operate the water systems are compromised, then of course that's a bad day from a cyber event perspective. It could deny people water. It could be doing a lot of things. And so you can imagine there's a lot of education, a lot of coordination, and a lot of technology that has to come to bear. And so specifically, I think what can happen of course is education of the workforce, even enhancing the workforce. But there's also room then for programs like Secure by Design, which CISA is promoting obviously very well, and its counterpart, Secure by Demand, where it's, you know, looking to identify ways asset owners and operators can demand or ask their suppliers for better security posture in the technology that they deliver. And then there's, you know, of course, understanding the nature of the problem itself and assessing the risk in the software and in the assets that you deploy. And so if I think about the workforce, the programs and the awareness, and then the nuts and bolts of really understanding the nature of the risk, all three of those things have areas where we can do some work, but also where some work has been started.
Dave Bittner
Can we talk about China specifically? I think we see a lot of reports about China kind of staging their presence within some of our critical infrastructure here, you know, preparing battle space, preparation, as one of my colleagues likes to say. What is your take on where we stand with that? And I also want to touch on the looming presence of China in Taiwan.
Joe Saunders
Sure. So there's no doubt, as we've seen with Volt Typhoon and other APTs and threat actors that originate from China, that as you say, the preparation of that battlefield has already commenced, that China has technology pre-positioned inside critical infrastructure to pick a day of its choosing when it may want to administer, let's call it a payload, a cyber payload to disrupt service or operations. And that threat is always real, whether it comes true or not. The fact that there is pre-positioning means that there is risk in basic services that the US provides. And so, you know, I think about telecommunications equipment being compromised, you know, if you're Verizon or AT&T and, you know, some of the embedded software deep into the telecom equipment and network infrastructure, it's very scary to think that that is pre-positioned and could be exploited, but also water utilities like I already mentioned and, you know, in other sectors. So China, you know, I like to think of China as a very persistent, aggressive adversary. If you look at the historical track record of its prowess in stealing intellectual property, I think we can think about their tactics in the same way when it comes to cyber attacks themselves. If this is the new phase of some of their cyber operations, you know, China, given a well determined, well funded, you know, sophisticated adversary who thinks long term, is no doubt pre-positioning technology, you know, in preparation of the battlefield. And it may not be a kinetic battle we're talking about, but it could be some of these gray zone matters, you know, cyber attacks here, you know, that can just be disruptive. It can cause confusion in the US. It could help focus the US government internally instead of externally on other matters like Taiwan, if we want to talk about that. But you can see that a very determined adversary with a 50-to-1 manpower advantage in cyber warfare.
As Director Wray from the FBI said last January, February, before the Select Committee on the CCP, that we need to take it very seriously. And it's not just China, of course, it's Russia and Iran and North Korea and others. But China, you know, seems to be very aggressive in its long term view of disrupting infrastructure with the pre-positioning they've already done.
Dave Bittner
Well, let's talk about Taiwan specifically. I mean, where do you suppose Taiwan finds itself right now? I'm thinking of both their ability to defend themselves, but also, you know, looking at the broader diplomatic picture of who has Taiwan's back in this particular case.
Joe Saunders
Right, yeah. If you think about Taiwan, at least from a cyber perspective, from some counts I've heard up to 30 million cyber attacks a month take place in Taiwan, and that seems like an outrageous number. And with that said, you can imagine a lot of testing of, you know, ability to attack. And if you think about the ability to disrupt core sectors in Taiwan that matter to, you know, a well functioning society for them, certainly communications, certainly energy, certainly financial system. If you think about their ability to communicate as an island, they need, you know, redundant systems. They need the ability to communicate. If you think about, you know, their dependence on importing energy, then the storage and the distribution of those energy sources within the island are essential. And certainly the financial system, you know, people need to be able to move money and conduct transactions and do commerce. And so those are the sectors I think about when I think about, you know, helping protect critical infrastructure in Taiwan. And naturally those are just subsets of a broader geopolitical consideration, as you say. So if there was some kind of kinetic attack on Taiwan, some people have said, including Director Easterly at CISA and even Director Wray at FBI, that there could be a simultaneous attack on US critical infrastructure. So that's a second level of thinking. And then the third level of course is, you know, what if there's a blockade, what if there is an all out war, who comes to defend China or defend Taiwan in that case. And naturally those are a lot of open questions I don't think I can answer. They are complex. There is the historic strategic ambiguity in terms of US policy towards Taiwan and China, but nonetheless, there's a lot at stake in the region. You think about what happens if Taiwan is not supported and China were to integrate Taiwan back into China.
Then you think about what does that mean for Japan, what does that mean for India, what does that mean for Singapore and others in the region. And so I think there is a lot of interest from India, a lot of interest from Japan, from Australia to come to Taiwan's assistance, as there should be from the U.S. I mean, China projecting further power out, taking over, you know, a free, democratic society that is a major top 20 economic powerhouse with strategic technology like semiconductors. There's simply a lot at stake. And so I think in particular how to support Taiwan in cyber needs to be elevated. You know, just as we think about how to protect U.S. critical infrastructure, I think protecting critical infrastructure in Taiwan is essential.
Dave Bittner
That's Joe Saunders, co-founder and CEO of RunSafe Security. And finally, our classic gaming desk tells us that Guillermo Rauch, CEO at web platform provider Vercel, spent the holidays doing something a bit more intense than sipping eggnog. He created a CAPTCHA that requires users to slay three monsters in Doom on nightmare mode. Yes, instead of squinting at blurry traffic lights or clicking on crosswalks, you'll need to channel your inner demon slayer. CAPTCHAs have evolved from distorted text puzzles in 1997 to Google's reCAPTCHA, which works quietly in the background. But bots are now better at solving CAPTCHAs than humans. Rauch's Doom CAPTCHA, announced on New Year's Eve, might be the most entertaining workaround yet, if you can survive the nightmare level difficulty, where enemies are relentless and your health bar drains faster than post-holiday enthusiasm. It's a fun tech demo, though admittedly unlikely to gain mainstream adoption. And while bots may one day conquer Doom, for now, it's a CAPTCHA worth trying, if you dare. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Karlo Zanki, reverse engineer at ReversingLabs. We're discussing their work, "Malicious PyPI crypto pay package implants infostealer code." That's Research Saturday. Check it out. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.
CyberWire Daily: Episode Summary - AI-Powered Propaganda
Release Date: January 3, 2025
The United States has imposed sanctions on two entities linked to Iranian and Russian disinformation campaigns aimed at influencing American voters. The sanctioned groups, including Russia's Center for Geopolitical Expertise and Iran's Cognitive Design Production Center, were accused of disseminating fake videos, news, and social media content to sow discord and undermine trust in the US electoral process.
Notable Quote:
"The Moscow based Center for Geopolitical Expertise used AI to create deepfake videos and fake news websites." [00:54]
Apple has reached a $95 million settlement in a class-action lawsuit alleging that Siri inadvertently activated recordings of private communications without user consent. The lawsuit claimed violations of privacy and consumer protection laws.
Notable Quote:
"Apple denied wrongdoing but settled after five years of litigation." [00:54]
Double Clickjacking: Security researcher Paulos Yibelo has uncovered a sophisticated attack known as double clickjacking, which exploits timing vulnerabilities in browser behavior. This method manipulates the delay between two mouse clicks to deceive users into authorizing sensitive actions, such as granting OAuth permissions or confirming transactions.
Notable Quote:
"Double clickjacking bypasses modern browser protections like SameSite cookies and X-Frame-Options." [00:54]
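As an added illustration of the client-side defense described above (this is example code, not Yibelo's code or anything from the episode), the gate below keeps a sensitive control disabled until the page has observed an intentional interaction. The names `IntentGate`, `replay`, `SETTLE_MS`, the element id `authorize`, the 500 ms settling window, and the definition of "intentional" as pointer movement or a key press seen after the page last gained focus are all assumptions made for this example.

```javascript
// Added example, not code from the page or from Yibelo's research: a client-side
// gate modelled on the mitigation described above, where a sensitive control stays
// disabled until the page has seen an intentional interaction. What counts as
// "intentional" is an assumption: pointer movement or a key press inside the page,
// observed after the page last gained focus, followed by a short settling delay.
// A double-clickjacking sequence (overlay closes on the first click, the second
// click lands on the control it revealed) arrives with no prior movement and almost
// no delay after focus, so the gate blocks it.

const SETTLE_MS = 500; // assumed settling window after the page gains focus

class IntentGate {
  constructor(settleMs = SETTLE_MS) {
    this.settleMs = settleMs;
    this.focusedAt = null; // when the page last gained focus / became visible
    this.intentAt = null;  // first intentional event seen after that focus
  }

  // Page (re)gained focus: any earlier intent no longer counts.
  onFocus(ts) {
    this.focusedAt = ts;
    this.intentAt = null;
  }

  // Pointer movement or key press inside the page.
  onIntent(ts) {
    if (this.focusedAt !== null && this.intentAt === null && ts >= this.focusedAt) {
      this.intentAt = ts;
    }
  }

  // A click is honoured only once intent has been seen and the settling window
  // has elapsed since the page gained focus.
  isArmed(ts) {
    return this.intentAt !== null && ts - this.focusedAt >= this.settleMs;
  }
}

// Replays a constructed event trace and returns one decision per click.
// Event shape: { type: 'focus' | 'mousemove' | 'keydown' | 'click', ts: <ms> }
function replay(events, settleMs = SETTLE_MS) {
  const gate = new IntentGate(settleMs);
  const decisions = [];
  for (const ev of events) {
    if (ev.type === 'focus') gate.onFocus(ev.ts);
    else if (ev.type === 'mousemove' || ev.type === 'keydown') gate.onIntent(ev.ts);
    else if (ev.type === 'click') decisions.push(gate.isArmed(ev.ts) ? 'accepted' : 'blocked');
  }
  return decisions;
}

// Constructed traces (timestamps in ms, not captured from a real browser).
const ATTACK_TRACE = [ // overlay closes, the queued second click lands 150 ms later
  { type: 'focus', ts: 0 },
  { type: 'click', ts: 150 },
];
const USER_TRACE = [ // a real user moves the pointer onto the control, then clicks
  { type: 'focus', ts: 0 },
  { type: 'mousemove', ts: 300 },
  { type: 'click', ts: 900 },
];

// Browser wiring; skipped under Node. The element id 'authorize' is assumed.
function attachGate(button, gate = new IntentGate()) {
  const now = () => performance.now();
  const refresh = () => { button.disabled = !gate.isArmed(now()); };
  gate.onFocus(now());
  refresh();
  window.addEventListener('focus', () => { gate.onFocus(now()); refresh(); });
  for (const type of ['mousemove', 'keydown']) {
    document.addEventListener(type, () => {
      gate.onIntent(now());
      refresh();
      setTimeout(refresh, gate.settleMs); // re-enable once the window has elapsed
    });
  }
  // Capture-phase guard in case other script re-enabled the button early.
  button.addEventListener('click', (e) => {
    if (!gate.isArmed(now())) { e.preventDefault(); e.stopImmediatePropagation(); }
  }, true);
}

if (typeof document !== 'undefined') {
  const button = document.getElementById('authorize');
  if (button) attachGate(button);
} else {
  console.log('attack trace:', replay(ATTACK_TRACE)); // [ 'blocked' ]
  console.log('user trace:', replay(USER_TRACE));     // [ 'accepted' ]
}
```

The replay traces show the decision logic in isolation; in a browser the same `IntentGate` drives the button's `disabled` state.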
Firescam Malware: A new Android malware named Firescam has been detected, masquerading as Telegram Premium and spreading via phishing websites. Once installed, Firescam gains extensive permissions, monitors user activities, and exfiltrates sensitive data to a Firebase-based database.
Notable Quote:
"FireScam showcases a chilling capacity to compromise privacy and security." [00:54]
ASUS has released a critical security advisory addressing vulnerabilities in several of its router models. These flaws could allow authenticated attackers to execute arbitrary commands through the AiCloud feature, potentially compromising entire networks.
Notable Quote:
"ASUS has released firmware updates and urges users to update immediately." [00:54]
Do Hyung Kwon, former CEO of a cryptocurrency firm, has been extradited from Montenegro to the United States to face fraud charges. Kwon is accused of defrauding investors of over $40 billion through his involvement with Terraform cryptocurrencies between 2018 and 2022.
Notable Quote:
"Kwon, 33, is accused of defrauding investors in Terraform cryptocurrencies, leading to losses exceeding $40 billion." [00:54]
The US Department of Health and Human Services (HHS) has unveiled proposed updates to the Health Insurance Portability and Accountability Act (HIPAA) security rule. This marks the first significant revision in over two decades, aiming to address the surge in healthcare data breaches.
Criticism: Some stakeholders argue that the 72-hour restoration requirement is unrealistic and may lead to increased risks if systems are prematurely restored.
Notable Quote:
"The revisions aim to shift from a flexible, process-oriented approach to more prescriptive requirements." [00:54]
Shadowserver reports that over 3.3 million IMAP and POP3 email servers worldwide remain unencrypted, exposing sensitive data like usernames and passwords to potential interception and manipulation by attackers.
Notable Quote:
"Without secure protocols, sensitive data is at significant risk." [00:54]
Guest: Joe Saunders, Co-founder and CEO of RunSafe Security
Discussion Topics:
Complexities of Protecting Critical Infrastructure: Saunders highlights the challenges posed by a predominantly commercially owned critical infrastructure landscape, numerous legacy systems, and the need for extensive coordination among various stakeholders.
Notable Quote:
"Protecting critical infrastructure is a complex problem... we're only scratching the surface in terms of really doing a good job protecting security." [15:29]
Strategies for Improvement:
Notable Quote:
"Education of the workforce, the programs and the awareness... all three of those things have areas where we can do some work." [17:26]
China's Role in Cyber Threats: Saunders discusses China's persistent and aggressive cyber tactics, including pre-positioning technology within US critical infrastructure to facilitate potential future disruptions.
Notable Quote:
"China... is a very persistent, aggressive adversary... pre-positioning technology in preparation of the battlefield." [19:32]
Taiwan's Cybersecurity Challenges: With up to 30 million cyber attacks per month, Taiwan faces significant threats to its core sectors such as communications, energy, and finance. Saunders emphasizes the importance of international support, particularly from allies like Japan, India, and the US, to bolster Taiwan's cybersecurity defenses.
Notable Quote:
"Protecting critical infrastructure in Taiwan is essential... there's a lot at stake in the region." [22:26]
Guillermo Rauch, CEO of Vercel, introduced an unconventional CAPTCHA system requiring users to defeat three monsters in the classic game Doom on nightmare mode. This inventive approach aims to differentiate humans from bots through engaging gameplay rather than image puzzles.
Notable Quote:
"Guillermo Rauch... created a CAPTCHA that requires users to slay three monsters in Doom on nightmare mode." [25:39]
This episode of CyberWire Daily delves deep into the evolving landscape of cybersecurity threats and defenses. From state-sponsored disinformation campaigns and sophisticated malware attacks to groundbreaking approaches in cybersecurity measures, the discussions underscore the critical need for robust strategies and international cooperation in safeguarding digital and physical infrastructures.
For more detailed discussions and expert insights, subscribe to CyberWire Daily and stay informed on the latest in cybersecurity.