CyberWire Daily: "Breached but Not Broken" – December 19, 2024
Host: Dave Bittner
Guest: Jeff Kroll, Principal and Practice Leader of Baker Tilly's Cybersecurity Practice
Introduction
In this episode of CyberWire Daily, hosted by Dave Bittner, listeners are presented with a comprehensive overview of the latest developments in the cybersecurity landscape. The episode, titled "Breached but Not Broken," delves into significant security breaches, vulnerabilities, regulatory actions, and expert insights on mitigating internal cyber threats through effective employee access controls.
Key Cybersecurity News
1. CISA Urges Enhanced Mobile Device Security Amid Salt Typhoon Breach
At the forefront of today's discussions is the alarming Salt Typhoon breach, in which Chinese state-sponsored hackers infiltrated the mobile devices of 150 top U.S. officials, including President-elect Donald Trump, Vice President Kamala Harris, and Senator Chuck Schumer. The breach exposed sensitive data, including phone data, messages, and calls.
Dave Bittner reports:
"CISA's latest advisory emphasizes a whole-of-government effort to secure mobile ecosystems, with insights gathered from over 5 million devices across 94 agencies." (02:30)
The Cybersecurity and Infrastructure Security Agency (CISA) recommends adopting end-to-end encrypted applications and warns of the pervasive risk of communication interception and manipulation. The incident has heightened U.S.-China cyber tensions, prompting consideration of a ban on widely used TP-Link routers in federal operations. China has retaliated by accusing U.S. intelligence agencies of cyberattacks against its tech firms.
2. Russian Hacker Group Sandworm Targets Ukrainian Military Infrastructure
The Russian state-sponsored hacker group Sandworm has launched a new espionage campaign targeting Ukrainian soldiers. According to Milcert UA, Sandworm is creating fake websites that mimic the Ukrainian military app "Army," designed to trick users into downloading malicious software.
"These fake sites deliver an installer crafted with EnSys, granting hackers hidden access to compromised systems and allowing data exfiltration via the Tor network." (06:45)
Sandworm, infamous for the 2015 power grid disruption and the 2017 NotPetya attack, continues its relentless focus on undermining Ukraine's military capabilities through persistent cyber aggression.
3. Hapn's Website Bug Exposes Customer Data
A critical website bug at the GPS tracking firm Hapn has compromised over 8,600 GPS trackers, exposing customer names, affiliations, and IMEI numbers. Although location data remains secure, the exposed business affiliations and user details were accessible through browser developer tools.
"Hapn, formerly Spytech, claims to manage over 460,000 tracked devices, including those of Fortune 500 customers, but has yet to respond to multiple outreach attempts regarding the data exposure." (10:15)
4. Multiple Vulnerabilities Identified in Sharp Routers
Security analysts have uncovered several critical vulnerabilities in Sharp-branded routers from NTT, Docomo, SoftBank, and KDDI. The most severe flaw allows remote exploitation without authentication, enabling attackers to execute commands with root privileges. Additional issues include OS command injection, improper authentication, and buffer overflow vulnerabilities.
"Users should check advisories and update firmware promptly to mitigate risks." (12:05)
5. Ireland's Data Protection Commission Fines Meta $263 Million
Ireland's Data Protection Commission (DPC) has levied a hefty fine of $263 million against Meta for alleged GDPR violations linked to a 2018 Facebook data breach affecting 29 million accounts globally. The breach exposed sensitive user information, including locations, religions, genders, and contact details, due to a flaw in Meta's video upload system.
"The DPC cited Meta's failure to integrate adequate data protection measures and poor breach documentation as key factors for the fine." (14:20)
This penalty follows previous fines totaling 1.2 billion euros in May 2023 for improper EU-US data transfers and 405 million euros in 2021 for mishandling minors' data.
6. Google Releases Urgent Chrome Security Updates
Google has issued an urgent security update for Chrome to address four high-rated vulnerabilities affecting over 3 billion users. The issues include type confusion, out-of-bounds memory access, and use-after-free flaws in the Chrome V8 JavaScript engine and browser compositing function. Security researchers who identified these vulnerabilities were awarded a total of $75,000 in bounties.
"Users are urged to update Chrome and restart the browser to activate protection." (16:50)
7. Cyber Attacks on India-Based Organizations Surge by 90%
Cyber attacks targeting organizations in India surged by 92% year-over-year in the third quarter of 2024, with nearly 1.2 billion attacks recorded, according to Indusface. The majority of these attacks exploit vulnerabilities in APIs and websites, often aided by AI tools that lower the barrier for attackers.
"Only 19% of Indian companies use automated API security scanners, while over 30% of critical vulnerabilities remain unpatched after six months." (18:30)
The banking, financial services, and utilities sectors are the most heavily targeted, driven by geopolitical motives. The surge underscores the pressing need for enhanced cybersecurity measures and proactive vulnerability management.
8. Cybercriminals Exploit Google Calendar for Phishing Attacks
Hackers are leveraging Google Calendar to launch sophisticated phishing attacks targeting over 500 million users. By exploiting features like Google Drawings and Google Forms, attackers send emails containing malicious links that bypass traditional security filters, redirecting victims to fake login pages or fraudulent websites to steal sensitive information.
"Over 4,000 phishing emails affecting 300 brands were detected in a recent four-week period." (20:10)
9. Fortinet and Juniper Networks Address Critical Vulnerabilities
- Fortinet has patched a critical vulnerability in FortiWLM, its wireless management tool. The flaw allows unauthenticated remote attackers to execute arbitrary code or read sensitive files via path traversal.
"Security researcher Zach Hanley noted that the flaw could allow attackers to hijack admin sessions." (21:05)
- Juniper Networks warns of a botnet infection campaign in which routers still using default credentials are being infected with Mirai malware. The affected Session Smart routers are being used in DDoS attacks, and Juniper advises immediately changing default passwords and monitoring for unusual behavior.
"Reimaging infected devices is the only surefire way to eliminate the threat." (22:00)
Interview: Jeff Kroll on Employee Access Controls
Guest: Jeff Kroll, Principal and Practice Leader of Baker Tilly's Cybersecurity Practice
Topic: Utilizing Employee Access Controls to Mitigate Internal Cyber Threats
Best Practices for Employee Access Controls
Jeff Kroll emphasizes the critical role of employee access controls in safeguarding organizational assets:
"Real best practice is making sure employees only have access to the things they need to have access to, contemporaneous with when they need to have that access." (15:14)
He advocates for the principle of least privilege, ensuring that employees obtain access strictly necessary for their roles and only for the duration required.
Challenges in Implementing Access Controls
Implementing stringent access controls is often fraught with operational challenges:
"Without some real heavy-duty thought and automation around those things, it's really, really difficult to do." (16:32)
Kroll highlights the tension between security and operational efficiency, where the need for quick access adjustments can lead to broader access privileges, undermining security protocols.
Balancing Security and Reducing Friction
Effective communication and organizational buy-in are paramount:
"Communication is absolutely key... helping them to understand what the potential risks are of that additional access." (20:34)
Kroll suggests that executive leadership must view cybersecurity as a business risk rather than an IT issue, fostering a culture that prioritizes security across all departments.
Managing High-Level Access Risks
High-ranking executives often require tailored access control strategies:
"The higher up you are in an organization, the less access you actually want that person to have." (22:53)
Kroll advises limiting the access of top executives to minimize their vulnerability to cyberattacks, recommending that sensitive information be managed through trusted lower-level personnel.
Recommendations for Implementing Access Controls
Kroll offers pragmatic advice for organizations embarking on access control enhancements:
"Don't try to boil the ocean. It's better to just pick one or two applications, knock them out, and then start working through the other hundred." (24:22)
He stresses the importance of incremental progress, focusing on achievable goals to build a sustainable and effective access control framework.
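As an added illustration of the time-bound least-privilege model Kroll describes and the automation he says it requires (example code written for this summary, not from the podcast or Baker Tilly; the roles, resources and grants are constructed), a small entitlement review that flags grants a role does not need, just-in-time grants that have expired, and standing access that has outlived its review window:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    granted_at: datetime
    expires_at: Optional[datetime]  # None means standing (open-ended) access

# Constructed sample policy: the resources each role actually needs.
ROLE_NEEDS: Dict[str, Set[str]] = {
    "payroll-analyst": {"payroll-db"},
    "sre": {"prod-k8s", "prod-logs"},
    "cfo": set(),  # executives hold no direct system access in this model
}
USER_ROLES = {"alice": "payroll-analyst", "bob": "sre", "carol": "sre", "dave": "cfo"}

NOW = datetime(2024, 12, 19, 12, 0, tzinfo=timezone.utc)
H, D = timedelta(hours=1), timedelta(days=1)

# Constructed sample grants, shaped like an entitlement export.
GRANTS = [
    Grant("alice", "payroll-db", NOW - 120 * D, None),     # standing, never reviewed
    Grant("bob", "prod-k8s", NOW - 1 * H, NOW + 3 * H),     # just-in-time, still valid
    Grant("bob", "payroll-db", NOW - 30 * D, None),         # outside bob's role
    Grant("carol", "prod-logs", NOW - 2 * D, NOW - 1 * D),  # time-bound grant lapsed
    Grant("dave", "prod-k8s", NOW - 200 * D, None),         # executive with prod access
]

def review_grants(grants, user_roles, now, max_standing=timedelta(days=90)):
    """Return (grant, reason) pairs that violate least privilege or time bounds."""
    findings = []
    for g in grants:
        needed = ROLE_NEEDS.get(user_roles.get(g.user, ""), set())
        if g.resource not in needed:
            findings.append((g, "not required by role"))
        elif g.expires_at is not None and g.expires_at <= now:
            findings.append((g, "time-bound grant expired"))
        elif g.expires_at is None and now - g.granted_at > max_standing:
            findings.append((g, "standing access past review window"))
    return findings

def run_review(now: datetime = NOW) -> List[Tuple[Grant, str]]:
    return review_grants(GRANTS, USER_ROLES, now)

if __name__ == "__main__":
    for grant, reason in run_review():
        print(f"REVOKE {grant.user} -> {grant.resource}: {reason}")
```

Re-running the review a few hours later flags bob's just-in-time grant as well, which is the point of pairing the expiry with an automated, repeated check rather than a one-off cleanup.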
Conclusion: Russia Labels Recorded Future as Undesirable
In a notable development, Russia has designated the cybersecurity firm Recorded Future as "undesirable," a label traditionally reserved for NGOs and media organizations. CEO Christopher Ahlberg called the move a "rare compliment," acknowledging Recorded Future's significant support for Ukraine since Russia's full-scale invasion. The firm has provided substantial intelligence, cloud access, and collaboration with Ukrainian agencies to protect critical infrastructure and investigate war crimes.
"Imagine being so effective that an entire country bans you." (28:31)
This designation underscores the geopolitical ramifications of cybersecurity operations and the pivotal role of intelligence firms in modern conflicts.
Final Thoughts
"Breached but Not Broken" provides a thorough examination of the current cybersecurity threats and strategic measures necessary to combat them. From high-profile breaches and regulatory actions to expert insights on internal threat mitigation, this episode equips listeners with valuable knowledge to navigate the evolving digital threat landscape.
For more information and comprehensive coverage of today's stories, visit CyberWire Daily or subscribe to our daily briefing.
