CyberWire Daily Podcast Summary
Episode: Court Puts the ‘Spy’ in Spyware
Release Date: December 23, 2024
Host: Dave Bittner, CyberWire Network
Guest: Sven Krasser, Senior Vice President of Data Science and Chief Scientist at CrowdStrike
1. NSO Group Held Liable for WhatsApp Hacks
A pivotal moment in cybersecurity legal accountability occurred as a federal judge in California ruled that NSO Group, the developer of Pegasus spyware, is liable for hacking 1,400 WhatsApp users. Targets included activists, journalists, and diplomats, marking the first instance of NSO being held responsible for spyware abuses.
- Legal Basis: The court found NSO violated the Federal Computer Fraud and Abuse Act, California's Comprehensive Computer Data Access and Fraud Act, and WhatsApp's terms of service.
- Judge's Critique: Judge Phyllis Hamilton highlighted NSO's failure to produce complete Pegasus source code, contributing to the imposition of sanctions.
- NSO Admissions: During depositions, NSO executives acknowledged controlling data extraction from hacked devices and designing Pegasus to bypass WhatsApp's security measures.
- Impact: Natalia Krapiva of Access Now lauded the ruling as a significant victory for digital security and human rights, setting a precedent for holding spyware companies accountable.
Quote:
"This ruling is a victory for spyware victims and signals increased accountability for spyware companies," said Natalia Krapiva of Access Now. (02:30)
2. China Accuses US of Cyberattacks on Tech Firms
China's National Computer Network Emergency Response Technical Team (CNCERT) accused the US government of conducting cyberattacks against two Chinese technology firms to steal trade secrets.
- Details of Accusations:
- First Attack (May 2022): Targeted a high-tech company in China's smart energy sector by exploiting Microsoft Exchange vulnerabilities to implant backdoors.
- Second Attack (August 2023): Infiltrated an advanced material research unit through a document management system vulnerability, infecting over 270 hosts with Trojans.
- Context: These allegations come amid ongoing tensions, with mutual accusations of cyber espionage between the US and China.
Quote:
"The US intelligence agency exploited vulnerabilities to gain control over company systems," explained a representative from CNCERT. (05:15)
3. UK's Operation Destabilize Uncovers Vast Criminal Network
The UK's National Crime Agency (NCA) concluded Operation Destabilize, a four-year investigation that exposed a broad criminal network linking street-level drug dealing to global money laundering.
- Key Findings:
- Ransomware Groups Involved: Ryuk and Conti, among others.
- Financial Links: Connected to Russian businesses involved in espionage and sanction evasion.
- Significant Arrest: Fawad Saidi, a cash courier, was arrested for laundering over £15.6 million through a cash-for-crypto scheme tied to the high-profile figures Ekaterina Zhdanova and George Rossi.
- Outcome: The operation revealed extensive use of cryptocurrency by drug cartels, organized crime, and Russian elites to launder money and evade detection.
Quote:
"We tackled both street-level crime and high-level conspiracies, marking a significant step in combating global financial crime," stated Dave Bittner. (10:05)
4. Arrest of Alleged LockBit Developer
Israeli authorities detained Rostislav Panev, a dual Russian-Israeli national whom US authorities accuse of being a developer of the LockBit ransomware.
- Charges: Panev faces 41 charges, including computer-related extortion and conspiracy.
- LockBit's Impact: Since 2020, LockBit extorted over $500 million and infected 2,500 victims globally before its disruption in 2024.
- Panev's Admission: He initially claimed ignorance of LockBit's criminal use but later admitted to continuing his work for financial gain.
Quote:
"Panev developed malware to bypass antivirus protections, receiving $10,000 monthly from LockBit's leader," reported Dave Bittner. (12:45)
5. Apache Releases Security Update for Tomcat Web Server
Apache has addressed a remote code execution vulnerability in its Tomcat web server. It affects multiple versions, but only on case-insensitive file systems and only when write support in the default servlet is enabled.
- Vulnerability Details: A time-of-check/time-of-use (TOCTOU) race condition.
- Recommendation: Users are urged to upgrade to the latest version, with future updates enforcing safer defaults to prevent similar issues.
Quote:
"Users should upgrade immediately to protect against potential exploits," advised Apache. (14:20)
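As an added illustration (not from the episode and not Apache's own advisory text), the precondition described above corresponds to the `readonly` init-param of Tomcat's DefaultServlet in conf/web.xml. Both fragments below are constructed for a hypothetical deployment: the first is the exposed setting, the second the safe one.

```xml
<!-- Added example for illustration; not from the page or from Apache. -->
<!-- File: conf/web.xml (Tomcat's global default servlet declaration). -->

<!-- EXPOSED: readonly=false enables write support (HTTP PUT/DELETE) in the
     default servlet. On a case-insensitive file system this is the condition
     under which the TOCTOU race described in the item is reachable. -->
<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>listings</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>readonly</param-name>
        <param-value>false</param-value>   <!-- weak: writes allowed -->
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

<!-- HARDENED: readonly=true (Tomcat's default when the parameter is omitted)
     removes the write path entirely. Keep it unless PUT/DELETE is genuinely
     needed, and upgrade regardless so the race itself is fixed. -->
<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>listings</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>readonly</param-name>
        <param-value>true</param-value>    <!-- safe: read-only serving -->
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
```

A quick audit on an existing install is to search conf/web.xml and every deployed WEB-INF/web.xml for a `readonly` parameter set to `false`, since a per-application override can re-enable writes even when the global file is safe.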
6. Siemens Issues Critical Security Advisory
Siemens released a security advisory concerning a critical heap-based buffer overflow vulnerability in its user management component, impacting industrial control systems in manufacturing and energy sectors.
- Risks: Exploitation could allow attackers to execute arbitrary code, disrupt operations, exfiltrate data, or manipulate critical systems.
- Affected Products: Includes Opcenter (among them Opcenter Execution Foundation), SIMATIC PCS neo, and SINEC NMS.
- Mitigation: Siemens has issued patches for some products and advises restricting access to ports 4002 and 4004.
Quote:
"Exploitation of this vulnerability could compromise entire industrial operations," warned Siemens. (15:50)
7. Italy Fines OpenAI for Data Protection Violations
Italy's Data Protection Authority imposed a €15.6 million fine on OpenAI for unlawfully processing personal data to train ChatGPT and lacking transparency with users.
- Findings:
- Data Processing Issues: Unlawful processing of personal data and inadequate age verification measures exposed minors to inappropriate content.
- OpenAI's Response: The company deems the fine disproportionate, plans to appeal, and agrees to initiate a public awareness campaign to enhance privacy compliance.
Quote:
"The fine exceeds our revenue in Italy during the period under investigation," OpenAI stated. (17:10)
8. Researchers Bypass WPA3 Security Protocol
University of the West Indies researchers unveiled a method to circumvent WPA3, the latest Wi-Fi security protocol, by exploiting weaknesses in WPA3's transition mode.
- Attack Method: Utilizes a downgrade attack to capture WPA3 handshakes, deauthenticate users, and create a rogue access point with a captive portal to steal passwords.
- Implications: Highlights vulnerabilities in networks lacking protected management frames and underscores the need for enhanced user education and configuration.
Quote:
"Our findings stress the need for robust configurations to safeguard WPA3 against such exploits," stated the research team. (18:30)
9. Apple's Spyware Notification System Reviewed
Apple's system for notifying potential spyware victims directs users to nonprofit organizations for assistance, a move that has raised questions about the company's responsibility in handling spyware threats.
- Functionality: Since 2021, Apple's alerts have notified users in over 150 countries about targeted attacks, often linked to spyware like Pegasus.
- Criticism: Users and critics question why Apple, with its vast resources, does not provide direct technical assistance, leaving victims to rely on nonprofits like Access Now or Amnesty Tech.
Quote:
"While Apple assures that these attacks are rare, the hands-off approach leaves users seeking help elsewhere," observed Dave Buettner. (20:00)
10. Interview with Sven Krasser: Balancing AI and Human Intervention
Sven Krasser from CrowdStrike discussed the integration of AI in cybersecurity, emphasizing the necessity of balancing automated systems with human oversight.
- AI in Cybersecurity: Krasser described AI as "table stakes" in the industry, essential for handling the increasing volume and complexity of data threats.
- Human-AI Synergy: He highlighted the importance of human insights in training AI models, creating a "flywheel" where human analysis enhances AI effectiveness, which in turn frees up human analysts for more critical tasks.
- Best Practices: Krasser advised organizations to leverage both traditional and generative AI to manage data-driven security challenges effectively.
Notable Quotes:
"Leveraging AI is table stakes right now," Krasser stated. (15:37)
"AI is not the panacea; we still need human review and ground truth," he added. (16:33)
"We're moving more information from 'looks fishy' to 'certainly good or bad,'" Krasser explained. (18:09)
"Cybersecurity is a battle of human minds against human minds," he noted. (23:15)
11. McDonald's McDelivery App Security Flaw
A security researcher exposed a significant vulnerability in McDonald's McDelivery app in India, allowing users to manipulate cart prices, hijack orders, and track delivery drivers in real time.
- Exploited Vulnerabilities: Poorly secured APIs with broken object-level authorization.
- Data Breach: Sensitive information such as driver names and license plates was publicly exposed.
- Resolution: McDonald's addressed and fixed the issues within 90 days after receiving the detailed report from the ethical hacker.
Quote:
"This case underscores the need for stronger cybersecurity in consumer apps," stated Dave Bittner. (25:00)
Conclusion
This episode of CyberWire Daily covered significant developments in cybersecurity, from legal accountability for spyware companies to cutting-edge vulnerabilities in widely used technologies. The insightful interview with Sven Krasser highlighted the crucial balance between AI advancements and human expertise in combating cyber threats. Additionally, real-world incidents like the McDonald's app flaw emphasized the ongoing need for robust security measures in both enterprise and consumer applications.
For detailed insights and updates, listeners are encouraged to subscribe to the CyberWire Daily podcast.
