CyberWire Daily Podcast Summary
Episode: Biden’s Final Cyber Order Tackles Digital Weaknesses
Release Date: January 9, 2025
Host: Dave Bittner, N2K Networks
Biden’s Final Cyber Order Tackles Digital Weaknesses
In his concluding efforts to strengthen U.S. cybersecurity, the Biden administration is finalizing an executive order aimed at mitigating digital vulnerabilities exposed during his tenure. Host Dave Bittner outlines that the order emphasizes robust identity authentication and encryption for government communications, ensuring that sensitive information remains secure even in the event of a system breach.
Dave Bittner (00:46): “The executive order also proposes securing cryptographic keys via hardware security modules and tightening access management for federal contractors.”
The order responds to significant breaches, including a notable Treasury Department hack attributed to the Chinese group Silk Typhoon, which involved the theft of digital keys from BeyondTrust, a third-party provider. The administration is pushing for software vendors to adhere to stringent cybersecurity standards, such as prompt patching of known vulnerabilities and the implementation of multi-factor authentication.
However, uncertainty looms as the incoming Trump administration has hinted at rolling back federal regulations, particularly those concerning artificial intelligence safeguards, raising questions about the order's future.
Ivanti Addresses Critical Zero-Day Vulnerability
Ivanti has issued emergency updates to address a critical zero-day vulnerability in its Ivanti Connect Secure VPN devices, which allows remote code execution. The vulnerability, actively exploited by suspected Chinese nation-state actors, necessitates immediate action from users.
Dave Bittner (00:46): “Ivanti recommends factory resetting devices before applying the update to remove potential malware that may fake the update process.”
Additionally, Ivanti has identified a stack-based buffer overflow with a high severity rating, although it has not yet been exploited in the wild. Similar vulnerabilities have been found in Ivanti’s Policy Secure and Neurons for Zero Trust Access Gateways, with patches expected by January 21. The company credits Mandiant and Microsoft’s Threat Intelligence Center for uncovering these flaws.
Kerio Control Firewall Software Flaw
A critical vulnerability discovered in Kerio Control firewall software allows attackers to achieve one-click remote code execution. Researcher Egidio Romano identified the flaw, which arises from improper input sanitization across multiple interface pages, enabling HTTP response splitting and open redirect attacks.
Dave Bittner (00:46): “The flaw stems from improper input sanitization in several interface pages, enabling HTTP response splitting and open redirect attacks.”
Initially classified as low risk, the vulnerability was later elevated to a high severity rating (CVSS of 8.8) due to its exploitation potential via an older GFI software vulnerability. While the vendor has been notified, no patches are currently available.
Palo Alto Networks Patches Multiple Vulnerabilities
Palo Alto Networks has addressed several vulnerabilities in its retired Expedition migration tool, including a high severity SQL injection flaw. This flaw permits authenticated attackers to access sensitive data such as usernames, passwords, and device configurations, as well as manipulate system files.
Dave Bittner (00:46): “Expedition, retired at the end of last year, will no longer receive updates or security fixes, and users are urged to find alternatives.”
In response, Palo Alto has released the latest Expedition version, which resolves the SQL injection issue along with four additional medium and low severity vulnerabilities. Additionally, the company updated Prisma Access Browser to mitigate six Chromium vulnerabilities, including two critical flaws in the V8 JavaScript engine. Although no exploits have been reported for these vulnerabilities, CISA previously warned about Expedition-related flaws being exploited in attacks.
Security Researchers Targeted with Fake Exploits for Microsoft Vulnerabilities
Security researchers are facing increased threats from fake exploits targeting Microsoft vulnerabilities. Trend Micro discovered a malicious version of a legitimate proof-of-concept (PoC) exploit for LDAP Nightmare, a denial-of-service bug patched in December. This counterfeit PoC replaces the Python files with a malicious executable that deploys a PowerShell script to download malware aimed at stealing user data.
Dave Bittner (00:46): “LDAP Nightmare highlights two critical vulnerabilities, including one with a severity of 9.8; both are significant due to LDAP's widespread use in Windows environments.”
These deceptive tactics continue the trend of state-sponsored attackers targeting security experts, utilizing methods such as social media deception, zero-day exploits, and backdoor tools to compromise professionals in major tech firms.
Medusind Data Breach Impacts Over 360,000 Individuals
Medusind, a U.S.-based medical and dental billing company, experienced a substantial data breach affecting over 360,000 individuals. The compromised data includes:
- Health insurance details
- Medical records
- Payment information
- Government IDs
- Contact information
Dave Bittner (00:46): “The company has offered affected individuals 24 months of free credit monitoring and identity protection.”
Discovered in December 2023, the breach involves stolen files containing personal information, posing risks of medical identity theft and financial fraud. Medusind, headquartered in Miami, Florida, services thousands of healthcare providers across the U.S. and India.
Excelsior Orthopedics Ransomware Attack Compromises Personal Data
In June 2024, Excelsior Orthopedics, a New York-based healthcare provider, fell victim to a ransomware attack compromising the personal and health information of approximately 357,000 individuals. The breach impacted patients and employees of Excelsior and related entities, including Buffalo Surgery Center and Northtowns Orthopedics.
Dave Bittner (00:46): “Affected individuals have been offered 12 months of free credit monitoring and fraud assistance services.”
The Monti ransomware gang claimed responsibility, with 300 gigabytes of stolen data now publicly available. Excelsior responded by disconnecting external access to its network and initiating recovery efforts. The company has not disclosed the specific nature of the attack but acknowledges significant data compromise.
Cyber Attack Disrupts Winston-Salem Utility Payment Systems
A post-Christmas cyber attack targeted the online utility payment systems in Winston-Salem, North Carolina, affecting 250,000 residents and nearby Forsyth County. Discovered on December 26, the attack forced the city to take systems offline, leaving residents unable to make online payments without incurring late penalties.
Dave Bittner (00:46): “The attack coincides with severe weather communication challenges and follows similar incidents across North Carolina.”
City officials are collaborating with state and federal agencies to restore full services. North Carolina’s 2022 law prohibits government entities from paying ransoms, complicating the response to such attacks.
CrowdStrike Identifies Phishing Campaign Exploiting Recruitment Branding
CrowdStrike has detected a sophisticated phishing campaign that leverages its recruitment branding to distribute malware. The attack utilizes emails impersonating CrowdStrike’s recruitment efforts, directing victims to a malicious site that offers downloads of a fake employee CRM application.
Dave Bittner (00:46): “The downloaded executable, written in Rust, acts as a downloader for the cryptominer XMRig.”
The malware employs advanced evasion tactics, including debugger detection, process checks, and sandbox avoidance. Before deploying the XMRig cryptominer, the malware establishes persistence by creating batch scripts in the Startup directory and adding registry entries to re-execute upon system logon. CrowdStrike advises verifying the authenticity of their communications and avoiding the download of unsolicited files.
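As an added defender-side check (not from the episode or from CrowdStrike), the following PowerShell script inventories the two persistence locations the summary names: script files in the per-user and all-users Startup folders, and Run/RunOnce registry values under HKCU and HKLM. The registry keys and folder locations are standard Windows ones; the triage heuristics (flagging commands that reference a script extension or a user-writable directory) are my assumptions, not CrowdStrike's indicators.

```powershell
# Added example: enumerate Startup-folder scripts and Run-key entries,
# the persistence locations described in the CrowdStrike summary.
# The "suspicious" heuristics below are assumptions for triage, not vendor IoCs.

$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# User-writable locations a dropped downloader would plausibly live in (assumption).
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, "$env:USERPROFILE\Downloads")

$findings = @()

# 1. Batch and other script files sitting in either Startup folder
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -File -Recurse -Include *.bat,*.cmd,*.vbs,*.ps1 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Source  = 'StartupFolder'
                Name    = $_.Name
                Target  = $_.FullName
                Created = $_.CreationTime
            }
        }
}

# 2. Run/RunOnce values whose command references a script or a user-writable path
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip provider metadata (PSPath, PSChildName, ...)
        $cmd = ([string]$p.Value).Trim('"')            # drop surrounding quotes so prefix match works
        $isScript   = $cmd -match '\.(bat|cmd|vbs|ps1)\b'
        $isUserPath = [bool]($userWritable | Where-Object { $_ -and $cmd -like "$_*" })
        if ($isScript -or $isUserPath) {
            $findings += [pscustomobject]@{ Source = $key; Name = $p.Name; Target = $cmd; Created = $null }
        }
    }
}

$findings | Format-Table -AutoSize
```

Run it in an elevated session so the HKLM keys and the all-users Startup folder are readable; each hit is a lead to review, not a verdict, since legitimate software also uses these locations.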
Interview with Danny Allan: Balancing AI and Human Oversight in Cybersecurity
Danny Allan, CTO of Snyk, discusses the balanced approach between artificial intelligence (AI) and human oversight to enhance cybersecurity. Drawing on a survey of 400 organizations with over 1,000 employees, Allan reveals significant insights:
- C-suite executives are five times more likely to view AI coding tools as non-risky compared to application security teams, highlighting a disconnect in risk perception.
Danny Allan (16:16): “...executives instead are looking at it and saying, how can we be productive in using this.”
- Two-thirds of developers lack training in AI security, posing risks as they integrate AI tools like ChatGPT into their workflows without understanding the potential security implications.
Danny Allan (18:02): “...developers were saying they weren't being trained on AI security.”
Allan emphasizes the necessity of guardrails to ensure AI enhances productivity without compromising security. He advocates for comprehensive training programs and security controls that align AI usage with corporate policies.
Danny Allan (20:19): “You don't want to be slowing down the organization... But you do need to have those guardrails in place.”
CES Worst in Show Highlights Privacy and Security Concerns in Tech
The podcast also covers the Worst in Show awards from the Consumer Electronics Show (CES), which spotlight gadgets that raise privacy, security, and sustainability concerns:
- FacePalms Ultrahuman's $2,200 Luxury Smart Ring: Criticized for limited durability, lasting only 500 charges before becoming irreparable.
- Bosch's AI-Powered Crib: Labeled as surveillance for your infant, it incorporates cameras, microphones, and radar, infringing on privacy within a supposed safe environment.
- Soundhound's AI in-Car Commerce System: Accused of promoting wasteful takeout and encouraging distracted driving.
- TP-Link's Router: Declared least secure due to vulnerabilities that prioritize government alerts over user safety.
- LG's AI Refrigerator: Won the overall award for being flashy, pricey, and prone to premature obsolescence.
Conclusion
The episode of CyberWire Daily provides a comprehensive overview of the current cybersecurity landscape, highlighting significant governmental actions, emerging threats, and the ongoing challenges in balancing innovation with security. The insights from Danny Allan underscore the critical need for integrating AI responsibly within cybersecurity frameworks, ensuring that technological advancements do not outpace the necessary safeguards.
For those interested in deeper insights, the podcast offers a link to Snyk's AI Readiness Report in the show notes.
Produced by Liz Stokes, mixed by Trey Hester, with original music by Elliot Peltzman. Executive Producer: Jennifer Eiben. Executive Editor: Brandon Karpf. President: Simone Petrella. Publisher: Peter Kilpe.
