CyberWire Daily: Bolstering the Digital Shield

Host: Dave Bittner
Guest: Oren Corin, Co-founder and Chief Product Officer at Verity
Release Date: January 16, 2025

1. Introduction

In the January 16, 2025 episode of CyberWire Daily, host Dave Bittner delves into pressing cybersecurity issues affecting various sectors, with a special focus on healthcare cybersecurity. The episode titled "Bolstering the Digital Shield" features insightful discussions, expert analyses, and the latest updates on significant cyber incidents.

2. President Biden's Comprehensive Cybersecurity Executive Order

Dave Bittner opens the episode by discussing the landmark cybersecurity executive order issued by President Joe Biden just days before leaving office.

• Mandates and Provisions:

  • Stronger Network Monitoring: Enhancing the surveillance capabilities across federal networks to detect and respond to threats promptly.
  • Secure Software Development: Implementing robust security practices in the software development lifecycle to mitigate vulnerabilities.
  • Stricter Protections for Cloud and IoT Systems: Establishing stringent security standards for cloud infrastructure and Internet of Things (IoT) devices to prevent exploitation.

• Emphasis on AI Integration:

  • The directive promotes the incorporation of artificial intelligence in cybersecurity strategies, aiming to safeguard critical infrastructure and improve threat analysis.

• Compliance and Enforcement:

  • Software Vendor Requirements: Vendors must demonstrate secure development practices.
  • Empowering CISA: The Cybersecurity and Infrastructure Security Agency is granted enhanced authority to conduct proactive threat hunting.
  • Reduced Reliance on Dominant IT Providers: Encouraging diversification to minimize risks associated with single points of failure.

Notable Quote:

“The directive seeks to address vulnerabilities exposed by incidents like the SolarWinds hack,” said Dave Bittner at [04:15].

• Potential Impact and Future Outlook:
  • The effectiveness of the executive order hinges on the incoming administration's commitment to cybersecurity priorities and the appointment of key officials.
  • Aimed at laying a strong foundation for ongoing cybersecurity enhancements, the order addresses both immediate and long-term security challenges.

3. Major Cybersecurity Incidents

a. Silk Typhoon's Breach of the US Treasury Department

Bloomberg reports a significant breach by the Chinese state-sponsored group Silk Typhoon, compromising the US Treasury Department.

• Details of the Breach:

  • Affected Systems: 419 computers accessed, targeting staff involved in sanctions, international affairs, and intelligence.
  • Data Compromised: Over 3,000 files, including policy documents, sanctions materials, and sensitive law enforcement data.

• Methodology:

  • Exploited vulnerabilities in Beyond Trust's systems without deploying malware, indicating a sophisticated and stealthy attack vector.

Notable Quote:

“Investigators found no evidence of malware or long-term infiltration into classified systems,” stated Dave Bittner at [06:40].

• Response and Implications:
  • Treasury reported the incident to CISA and sought FBI assistance.
  • The breach has prompted Congressional briefings and a reevaluation of security practices at affected organizations.

b. FBI Investigation into Chinese Telecom Firm Buycel's Technology

Reuters highlights the FBI's scrutiny of Buycel's Technology, a Chinese telecom hardware firm founded by former Huawei executives.

• Concerns Raised:
  • National Security Risks: Potential vulnerabilities in base stations and risks of remote access leading to espionage.
  • Company Background: Despite assertions of independence from its Chinese parent, Buycel's operations show strong ties to Chinese military interests.

Notable Quote:

“Critics allege Buycel is managed from China, with most equipment sourced from Chinese suppliers,” explained Dave Bittner at [08:20].

• Ongoing Investigations:
  • The US Commerce Department and FBI are probing Buycel’s activities, reflecting heightened fears about Chinese telecom firms compromising US infrastructure.

c. Critical Vulnerability in UEFI Secure Boot Mechanism

A severe flaw identified in the UEFI secure boot mechanism allows attackers to bypass protections and deploy malicious bootkits.

• Vulnerability Details:
  • Affected Systems: Most UEFI-based systems, including recovery tools from vendors like Howyar, Greenware, and Radix.
  • Exploitation Method: Utilization of a custom loader by Microsoft’s UEFI application, leading to persistent undetected access during boot.

Notable Quote:

“This vulnerability highlights concerns over third-party UEFI security practices and Microsoft's code signing process,” noted Dave Bittner at [09:50].

• Mitigation Measures:
  • Microsoft has revoked vulnerable binaries in its January 2025 Patch Tuesday update.
  • Users are advised to update systems, ensure secure boot databases are current, and audit UEFI configurations.

d. Data Breach at California-Based Cannabis Brand Stizzy

Stizzy, a cannabis brand operating in California, experienced a data breach affecting 380,000 individuals.

• Breach Details:

  • Timeline: Between October 10 and November 10 of the previous year.
  • Compromised Data: Government IDs, medical cannabis cards, and transaction histories.

• Attack Attribution:

  • Everest Ransomware Group: Claimed responsibility for the breach, suggesting ransomware as the attack vector.

Notable Quote:

“Stizzy is offering affected individuals 12 months of free credit monitoring,” reported Dave Bittner at [11:30].

e. North Korea's Lazarus Group Expands Attacks

The Lazarus Group, affiliated with North Korea, is intensifying its cyber campaigns targeting the software supply chain.

• Operation 99:

  • Methodology: Utilizes fake LinkedIn profiles to lure Web3 and cryptocurrency developers into cloning malicious GitLab repositories.
  • Malware Deployment: Custom malware tailored for various platforms steals files, credentials, and cryptocurrency wallet information.

• Financial Motivation:

  • The group has reportedly stolen $1.34 billion in cryptocurrency in 2023 and $660 million in 2024, aiming to fund the North Korean regime.

Notable Quote:

“Lazarus’ goal is to compromise developer workflows, steal intellectual property, and access cryptocurrency wallets,” explained Dave Bittner at [12:10].

f. FTC's Action Against GoDaddy for Security Failures

The Federal Trade Commission (FTC) has identified significant security lapses at GoDaddy, resulting in multiple data breaches.

• Allegations:
  • Inadequate Cybersecurity Practices: Failure to manage assets, update software, monitor security events, and segment shared hosting environments.
  • Impact: Exposure of sensitive data, including customer credentials and credit card numbers affecting millions of small businesses.

Notable Quote:

“The FTC alleges that GoDaddy failed to manage assets, update software, monitor security events, and segment shared hosting environments,” stated Dave Bittner at [13:40].

• Proposed Settlement:
  • Security Overhaul: Implementation of robust information security programs, real-time event analysis, and mandatory multi-factor authentication.
  • Compliance Requirements: Annual security testing and prohibition of misleading security claims.

g. Critical Vulnerability in Veeam Backup for Microsoft Azure

Veeam has patched a high-severity vulnerability in their Backup for Microsoft Azure product.

• Vulnerability Details:
  • Affected Versions: Up to 7.1.0.22.
  • Exploitation Risk: Allows unauthenticated attackers to perform server-side request forgery, enabling unauthorized network enumeration and potential subsequent attacks.

Notable Quote:

“Veeam discovered the issue during internal testing and released a patch to address it,” mentioned Dave Bittner at [14:20].

• User Recommendations:
  • Immediate system updates.
  • Ensuring secure configurations and regular patch management.

h. Data Leak from Over 15,000 Fortinet Firewalls

The Belsen Group has leaked sensitive data from more than 15,000 Fortinet firewalls on the Dark Web.

• Leak Details:
  • Data Compromised: Usernames, passwords (some in plain text), SSH keys, digital certificates, and firewall rules.
  • Origins: The leak stems from a 2022 zero-day vulnerability affecting Fortaos, Fortaproxy, and Forta Switch Manager.

Notable Quote:

“The leaked data highlights ongoing risks from unpatched systems,” observed Dave Bittner at [15:05].

• Mitigation Measures:
  • Fortinet has urged organizations to check patch histories, update credentials, and assess exposure.
  • A recent warning about another zero-day vulnerability underlines the continuous threat landscape.

4. Interview with Oren Corin: Healthcare Cybersecurity

Oren Corin, Co-founder and Chief Product Officer at Verity, provides an in-depth analysis of the current state of healthcare cybersecurity and the emerging challenges posed by AI integration.

a. Healthcare as a Prime Cybersecurity Target

• Ease of Exploitation:

  “They will still be a main target because in some cases it's easier to hack a hospital,” Oren Corin stated at [16:08].

• Security Control Vulnerabilities:

  • Corin highlights instances where hospitals possess advanced security tools but fail to utilize them effectively, leaving systems vulnerable despite compliance mandates.

Notable Quote:

“When we've logged into the different layers of security, everything was turned off. It's like 100% turned off,” shared Corin at [17:00].

b. The Rise of AI in Healthcare and Associated Risks

• Data Outside Organizational Boundaries:

  “We are seeing so many hospitals and healthcare institutes are starting to use AI outside of their own boundaries,” explained Corin at [16:45].

• Centralized Data Repositories:

  • The move to cloud-based AI solutions centralizes sensitive data, making it a lucrative target for attackers aiming to exploit vulnerabilities in external services.

Notable Quote:

“If data was stored inside the hospital... from an attacker perspective, you just need to go to the center of the data that is outside of the organization,” Corin emphasized at [17:40].

c. Recommendations for Strengthening Healthcare Cybersecurity

• Continuous Threat Exposure Management (CTAM):

  “CTAM is something everyone needs. But in healthcare, it's about scoping ourselves on what is important to protect,” Corin advised at [22:15].

• Utilizing Existing Security Controls:

  • Instead of investing in more tools, Corin advocates for maximizing the use of current security measures through effective remediation and validation.

• Adopting Cloud Security Posture Management (CSPM):

  “Use the CSPM first because you've moved to the cloud and if it's an external service, external application that you use...,” Corin suggested at [23:05].

• Hiring Specialized Expertise:

  • Encouraging partnerships with Managed Security Service Providers (MSSPs) to bridge gaps in in-house expertise and manage complex cloud environments.

Notable Quote:

“They don't need more, they actually need to use what they have there,” Corin stated at [23:50].

5. Meta's Legal Troubles: AI Training on Pirated Content

The episode concludes with a shocking revelation about Meta's legal challenges concerning the use of pirated content to train its AI models.

• Court Document Revelations:
  • Meta's AI Team utilized Libgen, a repository known for pirated books, to train AI models, leading to accusations of copyright infringement.

Notable Quote:

“Internal exchanges reveal employee concerns over torrenting pirated data on corporate devices,” reported Dave Bittner at [26:10].

• Legal Implications:

  • The lawsuit, backed by authors like Richard Kadri and Sarah Silverman, alleges that Meta knowingly employed stolen works, potentially violating the Digital Millennium Copyright Act (DMCA).

• Corporate Response and Defense:

  • Meta argues fair use, but the exposed practices significantly weaken their position, exposing the company to severe legal repercussions and undermining their defense.

Impact on Intellectual Property Practices:

“The scandal underscores Meta's cavalier approach to intellectual property,” Bittner summarized at [27:20].

6. Conclusion

The "Bolstering the Digital Shield" episode of CyberWire Daily offers a comprehensive overview of the evolving cybersecurity landscape, highlighting critical vulnerabilities, high-profile breaches, and the intricate challenges faced by the healthcare sector. With expert insights from Oren Corin, the discussion underscores the necessity for continuous threat management, effective utilization of existing security tools, and the prudent integration of AI in sensitive environments. Additionally, the revelations about Meta's legal issues serve as a stark reminder of the ethical and legal responsibilities tech giants bear in safeguarding intellectual property.

For a more in-depth analysis, listeners are encouraged to access the full State of Healthcare Cybersecurity 2025 report available in the show notes.

Notable Quotes Summary

• Dave Bittner:

  • [04:15]: “The directive seeks to address vulnerabilities exposed by incidents like the SolarWinds hack.”
  • [06:40]: “Investigators found no evidence of malware or long-term infiltration into classified systems.”
  • [08:20]: “Critics allege Buycel is managed from China, with most equipment sourced from Chinese suppliers.”
  • [09:50]: “This vulnerability highlights concerns over third-party UEFI security practices and Microsoft's code signing process.”
  • [11:30]: “Stizzy is offering affected individuals 12 months of free credit monitoring.”
  • [12:10]: “Lazarus’ goal is to compromise developer workflows, steal intellectual property, and access cryptocurrency wallets.”
  • [13:40]: “The FTC alleges that GoDaddy failed to manage assets, update software, monitor security events, and segment shared hosting environments.”
  • [14:20]: “Veeam discovered the issue during internal testing and released a patch to address it.”
  • [15:05]: “The leaked data highlights ongoing risks from unpatched systems.”
  • [26:10]: “Internal exchanges reveal employee concerns over torrenting pirated data on corporate devices.”
  • [27:20]: “The scandal underscores Meta's cavalier approach to intellectual property.”

• Oren Corin:

  • [16:08]: “They will still be a main target because in some cases it's easier to hack a hospital.”
  • [16:45]: “We are seeing so many hospitals and healthcare institutes are starting to use AI outside of their own boundaries.”
  • [17:00]: “When we've logged into the different layers of security, everything was turned off. It's like 100% turned off.”
  • [17:40]: “If data was stored inside the hospital... from an attacker perspective, you just need to go to the center of the data that is outside of the organization.”
  • [22:15]: “CTAM is something everyone needs. But in healthcare, it's about scoping ourselves on what is important to protect.”
  • [23:05]: “Use the CSPM first because you've moved to the cloud and if it's an external service, external application that you use...”
  • [23:50]: “They don't need more, they actually need to use what they have there.”

Final Thoughts

As cyber threats continue to evolve, "Bolstering the Digital Shield" emphasizes the critical need for organizations, especially within the healthcare sector, to adopt proactive and intelligent cybersecurity measures. By leveraging expert insights and staying informed about the latest vulnerabilities and breaches, stakeholders can better protect their digital assets and maintain robust security postures in an increasingly hostile digital landscape.

For more details and access to supporting reports, visit CyberWire Daily and check out the show notes accompanying this episode.