Transcript
Dave Bittner (0:02)
You're listening to the CyberWire Network, powered by N2K.

This episode is brought to you by Dutch Bros. Big smiles, rocking tunes and epic drinks. Dutch Bros is all about you. Choose from a variety of customizable handcrafted beverages like our Rebel Energy drinks, coffees, teas and more. Download the Dutch Bros app for a free medium drink, plus find your nearest shop, order ahead and start earning rewards. Offer valid for new app users only. Free Medium Drink Reward upon registration. 14-day expiration; terms apply. See dutchbros.com.

Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.

CISA urges senior officials to enhance mobile device security. Russian state-sponsored hacker group Sandworm is targeting Ukrainian soldiers. A website bug at GPS tracking firm Hapn is exposing customer information. Multiple critical vulnerabilities have been identified in Sharp-branded routers. Ireland's Data Protection Commission fines Meta $263 million for alleged GDPR violations. Google releases an urgent Chrome security update to address four high-rated vulnerabilities. Cyber attacks on India-based organizations surged 90% year over year. Cybercriminals target Google Calendar to launch phishing attacks. Fortinet patches a critical vulnerability in FortiWLM. Juniper Networks warns of a botnet infection targeting routers with default credentials. Our guest is Jeff Kroll, Principal and practice leader of Baker Tilly's cybersecurity practice, with advice on using employee access controls to limit internal cyber threats. And when is "undesirable" a badge of honor?
Dave Bittner (3:07)
December 19, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks again for joining us here. It is great to have you with us.

CISA has urged senior government officials to enhance mobile device security following the Salt Typhoon breach, where Chinese hackers accessed the phone data, messages and calls of 150 top US officials. The agency recommends using end-to-end encrypted apps and warns that all communications, government or personal, are at risk of interception or manipulation. High-profile targets included President-elect Donald Trump, Vice President Kamala Harris's staff and Senator Chuck Schumer. CISA's latest advisory emphasizes a whole-of-government effort to secure mobile ecosystems, with insights gathered from over 5 million devices across 94 agencies. The breach underscores the vulnerability of US telecom networks, with Chinese hackers reportedly maintaining access to compromised systems. The breach has escalated U.S.-China cyber tensions, prompting discussions about banning TP-Link routers widely used in federal operations. China, in turn, accuses U.S. intelligence of cyber attacks against its tech firms, alleging the theft of sensitive data and exploitation of software vulnerabilities. The cyber standoff continues to intensify.

Russian state-sponsored hacker group Sandworm is targeting Ukrainian soldiers in a new espionage campaign. According to MIL.CERT-UA, the hackers create fake websites mimicking the Ukrainian military app Army+ to trick users into downloading malicious software. Army+, launched earlier this year, streamlines bureaucratic tasks for soldiers, making it a critical tool. The fake sites, hosted on Cloudflare Workers, deliver an installer crafted with NSIS. When executed, the file grants hackers hidden access to compromised systems, allowing data exfiltration via the Tor network. CERT-UA links this campaign to Sandworm, known for major attacks like the 2015 power grid disruption and the 2017 NotPetya incident. This operation underscores ongoing Russian cyber aggression targeting Ukraine's military infrastructure. Recent attacks include malware planted in messaging apps and campaigns aimed at conscripts, highlighting a persistent focus on disrupting Ukrainian forces.

A website bug at GPS tracking firm Hapn is exposing customer names, affiliations and data on over 8,600 GPS trackers, TechCrunch reports. While location data isn't included, IMEI numbers and details about business affiliations of users are accessible through developer tools. Hapn, formerly Spytec, provides GPS tracking for vehicles and possessions and claims over 460,000 tracked devices, including Fortune 500 customers. The company has not responded to multiple outreach attempts, leaving the data exposed.

Multiple critical vulnerabilities have been identified in Sharp routers, including models from NTT Docomo, SoftBank and KDDI, requiring immediate firmware updates. The most severe flaw allows remote exploitation without authentication, enabling attackers to execute commands with root privileges. Other issues include OS command injection, improper authentication and buffer overflow risks. Users should check advisories and update firmware promptly to mitigate risks.

Ireland's Data Protection Commission fined Meta $263 million for alleged GDPR violations tied to a 2018 Facebook data breach affecting 29 million accounts globally. The breach, linked to a flaw in Meta's video upload system, exposed sensitive user data including locations, religions, genders, children's personal data, phone numbers and email addresses. The DPC cited Meta's failure to integrate adequate data protection measures into its systems, poor breach documentation and inadequate compliance practices. This fine follows several others against Meta, including 1.2 billion euros in May 2023 for improper EU-US data transfers and 405 million euros in 2021 for mishandling minors' data. Meta responded by highlighting its corrective actions and commitment to user safety.

Google has released an urgent Chrome security update to address four high-rated vulnerabilities affecting over 3 billion users. The issues include type confusion, out-of-bounds memory access and use-after-free flaws in Chrome's V8 JavaScript engine and browser compositing function. Security researchers earned $75,000 in bounties for identifying these risks. Users are urged to update Chrome and restart the browser to activate protection.

Dark Reading reports that cyber attacks on India-based organizations surged 92% year over year in the third quarter of 2024, with nearly 1.2 billion attacks recorded, up from 600 million the previous year, according to Indusface. The attacks, including 377 million denial-of-service events and 215 million bot-driven API requests, are increasingly exploiting vulnerabilities in APIs and websites, fueled by AI tools like large language models. These tools lower the barrier for hackers, enabling rapid exploitation of issues like SQL injection. The banking, financial services and utilities sectors were heavily targeted, with geopolitical motives driving disruptions. Despite rising threats, only 19% of Indian companies use automated API security scanners, while over 30% of critical vulnerabilities remain unpatched after six months. With 44% of Indian businesses reporting data breaches costing over $500,000 in three years, cybersecurity is now a top priority for 61% of executives, according to PwC.

Cybercriminals are targeting Google Calendar, used by over 500 million people, to launch phishing attacks, according to Check Point Research. Attackers exploit Google Calendar's features like Google Drawings and Google Forms to send emails with malicious links that bypass traditional security filters. These links often redirect victims to fake login pages or fraudulent websites, stealing sensitive data like passwords or financial details. Over 4,000 phishing emails affecting 300 brands were detected in a recent four-week period.

Fortinet has released patches for a critical vulnerability in FortiWLM, a wireless management tool, which could allow unauthenticated remote attackers to execute arbitrary code or access sensitive files via a path traversal flaw. The issue affects multiple versions of FortiWLM, with updated versions resolving the issue. Security researcher Zach Hanley of Horizon3.ai reported the flaw, noting it could allow attackers to hijack admin sessions. Fortinet also patched a related OS command injection bug in FortiManager.

Juniper Networks warns of a botnet infection campaign targeting routers with default credentials, exploiting Mirai malware. Customers reported unusual activity on Session Smart routers, which were compromised and used in DDoS attacks. The malware scans for devices using default passwords, gains access, and executes malicious commands. Juniper advises changing default credentials, using strong passwords, monitoring for unusual behavior, blocking unauthorized access with firewalls, and keeping devices updated. Reimaging infected devices is the only surefire way to eliminate the threat.

Coming up after the break, Jeff Kroll from Baker Tilly's cybersecurity practice has advice on using employee access controls to limit internal cyber threats. And when is "undesirable" a badge of honor? Stay with us.

And now a word from our sponsor, KnowBe4. It's all connected, and we're not talking conspiracy theories. When it comes to infosec tools, effective integrations can make or break your security stack. The same should be true for security awareness training. KnowBe4, provider of the world's largest library of security awareness training, provides a way to integrate your existing security stack tools to help you strengthen your organization's security culture. KnowBe4's SecurityCoach uses standard APIs to quickly and easily integrate with your existing security products from vendors like Microsoft, CrowdStrike and Cisco. With 35 vendor integrations and counting, SecurityCoach analyzes your security stack alerts to identify events related to any risky security behavior from your users. Use this information to set up real-time coaching campaigns targeting risky users based on those events from your network, endpoint, identity or web security vendors. Then coach your users at the moment the risky behavior occurs with contextual security tips delivered via Microsoft Teams, Slack or email. Learn more at knowbe4.com/SecurityCoach. That's knowbe4.com/SecurityCoach, and we thank KnowBe4 for sponsoring our show.

The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now employees, apps and networks are everywhere. This means poor visibility, security gaps and added risk. That's why Cloudflare created the first-ever Connectivity Cloud. Visit cloudflare.com to protect your business everywhere you do business.

Jeff Kroll is Principal and practice leader of Baker Tilly's cybersecurity practice. I recently caught up with him for advice on using employee access controls to limit internal cyber threats.
