Dave Bittner
You're listening to the CyberWire Network, powered by N2K.
Sponsor Voice
And now a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year over year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible; eliminating lateral movement; connecting users only to specific apps, not the entire network; continuously verifying every request based on identity and context; simplifying security management with AI powered automation; and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com/security.
Mike Hamilton
The FBI deletes PlugX malware from thousands of US computers. Researchers uncover vulnerabilities in Windows 11, allowing attackers to bypass protections and execute code at the kernel level. A look at a busy Patch Tuesday. Researchers uncovered six critical vulnerabilities in a popular Linux file transfer tool. Texas sues Allstate for allegedly collecting, using and selling driving data without proper consent. An executive order enables AI developers to build data centers on federal lands. On our Industry Voices segment, we're joined by Mike Hamilton, chief information officer at Cloudflare, discussing how tech sprawl emulates the old Snake game. And Meta profits while users suffer. It's Wednesday, January 15th, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thank you once again for joining us here today. It is great as always to have you with us. The US Department of Justice announced that the FBI has deleted PlugX malware linked to the Chinese espionage group Mustang Panda from over 4,200 U.S. computers. PlugX, active since 2008, is a powerful cyber espionage tool capable of data theft, keystroke logging and command execution. This variant spread via USB drives, infecting devices across governments, dissident groups and companies worldwide. The operation was part of a global effort led by French law enforcement and cybersecurity firm Sekoia, which started dismantling the botnet in 2024. U.S. authorities obtained court orders to delete PlugX from infected computers without collecting user data. Notifications were sent to affected users. Sekoia identified the botnet's command server, which connected to 2.5 million devices globally with 100,000 daily pings. PlugX's source code, potentially leaked in 2015, complicates attribution as various threat actors continue to exploit it. This takedown marks a significant win in combating cyber threats.
Researchers from HN Security uncovered vulnerabilities in Windows 11's virtualization-based security and hypervisor-protected code integrity, allowing attackers to bypass protections and execute code at the kernel level. VBS isolates memory for OS security, while HVCI prevents unauthorized drivers from loading. An exploit transforms an arbitrary pointer dereference vulnerability into a read/write primitive, enabling attackers to manipulate kernel memory and execute data-only attacks without triggering security mechanisms. The techniques allow privilege escalation, disabling of endpoint detection and response, and manipulation of Protected Process Light features. These vulnerabilities affect Windows 11 and Windows Server 2016 through 2022. While Microsoft has addressed some kernel vulnerabilities, others remain exploitable. Researchers emphasize the importance of layered security beyond built-in OS features, as sophisticated attackers can still bypass advanced protections. Microsoft's January 2025 Patch Tuesday addressed eight zero-day vulnerabilities, three of which were actively exploited. These included elevation of privilege flaws in Windows Hyper-V with a CVSS score of 7.8. Despite the moderate score, experts warned these vulnerabilities allow attackers to escalate privileges, disable security tools, and pivot within enterprise networks. Additionally, five publicly disclosed zero-days, including EOP and spoofing vulnerabilities, were patched. Other critical updates addressed issues in Windows NTLM, multicast drivers and OLE, with CVSS scores as high as 9.8. Experts emphasize the importance of automated patch management due to the 150 vulnerabilities fixed this month. Google released Chrome 132, fixing 16 security flaws, including high severity issues in its V8 engine and Skia graphics library. Researchers earned $37,000 in bug bounties.
Meanwhile, Nvidia, Zoom, and Zyxel released patches for high severity vulnerabilities, urging users to update to mitigate risks. Ivanti resolved critical path traversal flaws in Endpoint Manager, while Apple patched a macOS vulnerability allowing attackers to bypass System Integrity Protection. This exploit posed significant risks by enabling rootkits and privileged malware installations. Turning to industrial control systems, Schneider Electric, Siemens, Phoenix Contact, and CISA issued ICS security advisories for January 2025. Schneider addressed nine vulnerabilities, including high severity flaws in PowerLogic, SCADA Pack, TMX 70 and Modicon products with risks like privilege escalation, remote code execution, and information disclosure. Siemens published five advisories covering vulnerabilities in Mendix, SIPROTEC 5, and SIMATIC S7-1200, some lacking patches. Phoenix Contact disclosed a cryptographic issue in CM Dongle and a privilege escalation flaw in some of their controllers. CISA released four ICS advisories, including critical vulnerabilities in Hitachi Energy FOXMAN-UN and a denial of service flaw in Linphone-Desktop. The updates underscore the need for proactive security practices, timely updates, and layered defenses to counter evolving threats. Organizations should prioritize patching critical vulnerabilities to prevent potential exploitation. Researchers uncovered six critical vulnerabilities in Rsync, a popular Linux file transfer tool, with the most severe flaw allowing remote code execution on rsync servers with anonymous read access. Other issues include information leakage, path traversal, and privilege escalation vulnerabilities. The flaws affect all rsync versions prior to 3.4.0, released on January 14th of this year. Given Rsync's widespread use in backups and software distribution, experts urge immediate updates or mitigation by disabling checksum options in server configurations.
Texas Attorney General Ken Paxton has sued Allstate and its subsidiary Arity for allegedly collecting, using and selling driving data from over 45 million Americans without proper consent. The companies reportedly embedded tracking software in popular apps like Life360 and GasBuddy to collect location and movement data every 15 seconds. This data was used to profile driving habits, adjust insurance premiums, and sold to other insurers. The lawsuit claims violations of the Texas Data Privacy and Security Act, the Data Broker Law, and the Texas Insurance Code. It alleges deceptive practices, including purchasing location data from automakers like Toyota and Mazda to refine pricing. The suit seeks civil penalties, consumer restitution, data destruction, and an injunction to halt these practices. Allstate denies the allegations, asserting compliance with laws. President Biden signed an executive order enabling AI developers to build gigawatt-scale data centers powered by clean energy on federal lands. The Departments of Defense, Energy, and Interior will identify suitable locations with minimal community impact and accessible transmission infrastructure. Developers must fully fund and match data center electricity demand with clean energy to avoid burdening consumers with higher energy costs. This initiative addresses skyrocketing energy needs for AI, highlighted by a 2024 DOE report noting grid strain from hyperscale facilities. Agencies will evaluate AI infrastructure's impact on energy prices and explore ways to integrate new clean energy sources. The order also includes safeguards for computing hardware on federal sites, aiming to maintain US leadership in AI and clean energy. As competition with China intensifies, implementation challenges may arise with the upcoming Washington transition. Coming up after the break, Mike Hamilton from Cloudflare joins us to discuss how tech sprawl emulates the Snake game, and Meta profits while users suffer. Stay with us.
Sponsor Voice
And now a word from our sponsor, KnowBe4. It's all connected, and we're not talking conspiracy theories. When it comes to infosec tools, effective integrations can make or break your security stack. The same should be true for security awareness training. KnowBe4, provider of the world's largest library of security awareness training, provides a way to integrate your existing security stack tools to help you strengthen your organization's security culture. KnowBe4's SecurityCoach uses standard APIs to quickly and easily integrate with your existing security products from vendors like Microsoft, CrowdStrike and Cisco. 35 vendor integrations and counting. SecurityCoach analyzes your security stack alerts to identify events related to any risky security behavior from your users. Use this information to set up real time coaching campaigns targeting risky users based on those events from your network, endpoint, identity or web security vendors. Then coach your users at the moment the risky behavior occurs, with contextual security tips delivered via Microsoft Teams, Slack or email. Learn more at knowbe4.com/securitycoach. That's knowbe4.com/securitycoach. And we thank KnowBe4 for sponsoring our show.
Mike Hamilton
Cyber threats are evolving every second, and staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit threatlocker.com today to see how a default deny approach can keep your company safe and compliant. Mike Hamilton is Chief Information Officer at Cloudflare, and on today's sponsored Industry Voices segment, we discuss how tech sprawl emulates the old Snake game.
Dave Bittner
I think the main challenge that all CTOs face these days is how to leverage artificial intelligence. Just in general, I think that that's the burning thought on everybody's mind right now. There has not been this is exactly as transformational as the invention of the computer was to business. If you rewind 30 plus years and you think about what businesses face back then, it's like, hey, there's this new thing called a computer. We should probably get one of those. And then you bring the computer into the business and try to understand, how do we make this work and do something transformational? Because our competitors are probably doing the same thing. Coming back to the present time, we're in the same situation today where we've got to figure out, how do we transform businesses around artificial intelligence? How do we think about this? What is our competitive advantage for leveraging artificial intelligence? And I don't think that there's any way around that. But I think CTOs, and quite frankly, anybody in the C-suite also has to worry quite a lot about security still. And it never goes away. Security is always something we're thinking about, but in particular, security is a way of investing in your business to protect it from people who are also using a budget. So I think that the nature of adversaries in the security space is shifting as well. We're not just talking about someone who's trying to be a nuisance or experimenting with something. We're talking about organized crime. At this point, the adversarial relationship that businesses have with cybercrime has shifted into, hey, these people have budgets, they have economic models where they're using one attack to raise money to fund a different type of attack. And so that's top of mind as well. For every dollar that you put into security, where does that dollar need to go? How do I know that dollar is actually being as effective as it needs to be? And how are my adversaries spending money to attack, basically?
Mike Hamilton
Can we touch on the issue of complexity here? I mean, it strikes me that as organizations grow, the complexity isn't necessarily linear. You know, a doubling in the number of employees. It could be an exponential growth in the complexity of your network and all the different interconnections. Is that an accurate way to look at it?
Dave Bittner
I think there's really two. It is an accurate way. And I think that there's two lenses we can put on that. The first would be internal infrastructure and sort of company scalability. Every company faces how do we get our systems to work well together? How do we have our infrastructure serving our business? That's a challenge that everybody faces, and there's a natural sprawl that comes along with that. But then I think from an external perspective, we also have the nature of the industry itself. So in the security space, a lot of companies have popped up to address a problem that they see coming. Like, security works a little bit differently than, say, Salesforce or a product that's serving a different part of the business. Security products tend to work around very smart people founding companies to solve very specific problems because they see the demand emerging. But what that creates is a landscape of products that are only solving individual problems and only solving individual area domains of risk. What that means over time, though, is that companies find themselves with a myriad of applications that are providing some value in theory, but it's difficult to articulate how much. And comparing and contrasting with business for a second, business applications, the sprawl that happens there is largely due to the way that the buying cycle changed. It used to be that companies sold to the CIO or to the IT department. And because somebody would have to figure out how to run this application behind the firewall. How many servers is it going to take? How much is it going to operational overhead? Is this going to add to our business, et cetera. But when SaaS came on the scene and took away that complexity, then the problem shifted to like, hey, I don't really need to sell to IT anymore. I'll just sell directly to the line of business. But it changed the expectation the line of business has as well.
They're like, oh, I need five applications for this, I need 10 applications. And not really getting them in the door with necessarily an integrated strategy or a way that these applications would work together. And so sprawl on the business application side is just really due to the number of applications available and the fact that buyers are enticed by hopefully solving problems of buying a bunch of applications. On the security side, the sprawl is caused by emerging demand based on the changing landscape of cyber threats in the cybersecurity space. And that creates a natural fragmentation. But it's largely the factor of companies trying to address being ahead of the curve. Can I get ahead of some of these threats as they're emerging by buying something that's innovative, that gets me there. And it's tough. It's really difficult for businesses to manage this.
Mike Hamilton
Talking about that old classic Snake game where the more you eat, the longer the Snake gets. And it strikes me that that's a comparison with folks adding more and more point solutions here that over time it becomes more and more cumbersome and it's hard for you to navigate.
Dave Bittner
Absolutely. I like the analogy for that reason. In fact, there's two factors of the Snake game that remind me of the world that we live in. The Snake gets longer. So every time a new product gets adopted, the complexity of our tech environment increases. But the Snake also goes faster. Our ability to handle all, to pay attention to all these different things also comes into play, and how do we focus in the right things at the right times to make sure that we're getting the value out of all these point solutions that we're buying? And the reality is it's just very difficult to do because what's also happening and the thing that makes the snake go faster in a lot of ways is that for every point security solution I've purchased, that company is trying to find its next feature or its next capability that keeps them relevant for longer. Right. So in every application, there's something new coming out or they're trying to emerge into a new space. And the Venn diagram of what a security application covers just keeps getting bigger, which means not only am I dealing with having a lot of solutions, but these solutions are starting to overlap with each other, and they're not intended to work together. They're actually direct competitors in some cases. The more these solutions overlap with each other, the more they're actually competing with each other. And I'm not getting the benefit necessarily, as the buyer.
Mike Hamilton
When you talk about purchasing and that cycle, can we talk a little bit about the timing? Why is it important to time these things with each other? And I suppose there are a lot of challenges there as well.
Dave Bittner
I think timing is best managed by really being honest about prioritization. If everything's a fire, then nothing's a fire. You know, if everything's a P0, nothing's a P0 is something you'll hear a lot of people in the industry say. And I think that that's true at the same time that emerging security products are often truly addressing an emerging threat. Sometimes they're also a solution looking for a problem. And as buyers, we can be convinced that, like, this is the most important thing. But I think it's really important to sort of take the solutions out of the landscape for a second and ask a really simple question. What's my security strategy? Like, you know, what's the biggest attack surface area that I need to deal with and how do I have to address? As an example, for all of the products that we can buy in the world, the most common threat vector is actually compromising someone's credentials. With phishing, it's still one of the most effective ways to do it. It's one of the cheapest ways to compromise something. So that's an inherent great place to start. It's an excellent place to start in terms of, like, hey, let's protect our users first, and then the next threat landscape. It may be somewhere between how many servers are you running or it could be your entire laptop fleet. Like how do we protect this laptop fleet? How do we make sure that it's safe and that our users are protected? And so it's really important to have these hard conversations with yourself. I like to think about it as crown jewels. Like, where are the crown jewels of the company and where is the biggest attack surface area? And how do I leverage a strategy to protect both equally?
Mike Hamilton
Well, help me understand here. I mean, I certainly get that folks want to minimize the number of point solutions they have to decrease that level of complexity and to be able to stay nimble. At the same time, I could understand someone being hesitant to put all their eggs in one basket, to have one platform that does everything. How do you recommend that people balance those two impulses?
Dave Bittner
I like to start with the idea of what's our user experience. So let's go back to human beings as being the weakest link in terms of any security strategy because they're the easiest thing to compromise and they have the most access, right? So let's start with the principle that the easy thing to do or the simple thing for a user to do is the most secure thing that they can do. So if I'm asking people to jump through 60 hoops just to authenticate, people are going to find a way around it and it's going to be painful and we're somehow going to be less secure. Think of all of the different authentication sequences you've been through your entire life, especially over the last 20 years, where logging in could be as simple as just I entered my password and I'm logged in. Or it could be as complex as well, I've had to do multiple multi factor methodologies, depending on the application, depending on the time, maybe I had a smart card at some point. From a user perspective, the simple thing is not necessarily the thing that they're asked to do. If we start with the principle of let's keep users lives simple, let's try to provide security transparently to them, then that to me is the first order of defense. That's with things like, hey, how do we protect them from phishing attacks, how do we make authentication as secure as possible while also driving still the authentication that we need to see, and that being a key part of the strategy. And then I think the next layer of it is which parts of the business are the most vulnerable. So thinking about what system being down or which bit of data that would be inaccurate would cause you the most headache and the most pain. That's the thing you need to protect the most. That's the crown jewels. A typical company these days has hundreds of SaaS applications and hundreds. 
If you were to rewind in time, go back 20 years and go, hey Mike, someday you're going to work for a company that'll have hundreds of applications running, I'd be like, wow, how am I going to run that? Because SaaS didn't exist 20 years ago in the same state that it is today. Now it's normal. People don't even think twice about it. Hundreds of applications. But really out of those hundreds of applications, the business is only really running on about 10 to 20 of them. That's really it. Those are the core applications. And thinking about how do we circle the wagons around these 10 to 20 applications and make sure that those are secure, such that we have a high confidence that we know those are secure. So let's start really two categories of things. Then let's make the user experience positive and such that the easy thing to do is a secure thing to do. And that's where I think zero trust. A good zero trust implementation is a big part of that. Good anti phishing is a big part of that. And then the next layer is from an application security perspective, how do I secure my applications as much as I possibly can within reason to give me confidence that the business is safe?
Mike Hamilton
That's Mike Hamilton, Chief Information Officer at Cloudflare. We'll have a link to a blog post with more of Mike's thoughts in our show notes.
Mike Hamilton
Do you know the status of your compliance controls right now? Like right now. We know that real time visibility is critical for security, but when it comes to our GRC programs, we rely on point in time checks. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off. And finally, an article from 404 Media examines Meta's uneven moderation policies and how they enable harm on a massive scale. The company profits from ads promoting Crushmate, an AI app that creates non-consensual nude images. Despite banning explicit content, Meta platforms like Facebook and Instagram have allowed Crushmate to run thousands of ads featuring doctored videos of real women, including influencers and OnlyFans creators like Sophie Rain and Mikayla Demaiter. These ads violate Meta's policies, yet they remain live, exploiting loopholes that allow the app to evade detection. Crushmate's ads account for 90% of the app's traffic, according to SimilarWeb. They show how easily Meta's systems can be manipulated by bad actors who create fake profiles and redirect URLs. Although flagged repeatedly, hundreds of similar ads remain active, amplifying the app's reach and harm. Disturbingly, while individual users uploading explicit images face swift removal, advertisers like Crushmate are held to laxer standards when they pay Meta. This double standard prioritizes profit over safety of those victimized by the app, including minors.
As generative AI tools like this make it easy to target anyone, Meta's failure to proactively address this issue raises serious questions about its commitment to user safety. The harm extends beyond privacy violations. By allowing ads that promote the app, Meta not only facilitates exploitation but actively profits from it, making a mockery of its supposed community standards. Victims deserve better safeguards from platforms that claim to protect them. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers, so I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe now at a special discount for our listeners today.
Get 20% off your DeleteMe plan when you go to JoinDeleteMe.com/N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com/N2K and enter code N2K at checkout. That's JoinDeleteMe.com/N2K, code N2K.
CyberWire Daily: Episode Summary - "Massive Malware Cleanup"
Release Date: January 15, 2025
Host: Dave Bittner
Produced by: N2K Networks
In the January 15, 2025 episode of CyberWire Daily, host Dave Bittner delivers a comprehensive briefing on the latest developments in the cybersecurity landscape. The episode delves into significant malware removal operations, newly discovered vulnerabilities in widely-used software, legal actions concerning data privacy, and governmental initiatives to bolster artificial intelligence infrastructure. A key highlight is the insightful conversation with Mike Hamilton, Chief Information Officer at Cloudflare, who explores the challenges of technological sprawl in modern cybersecurity.
At the forefront of today’s cybersecurity news, the U.S. Department of Justice announced a major victory against cyber espionage. The FBI successfully deleted PlugX malware from over 4,200 U.S. computers, disrupting operations linked to the Chinese espionage group Mustang Panda.
Details of the Operation:
Notable Quote:
"This takedown marks a significant win in combating cyber threats." – Dave Bittner [05:30]
Researchers from HN Security uncovered critical vulnerabilities within Windows 11's virtualization-based security (VBS) and hypervisor-protected code integrity (HVCI). These flaws allow attackers to bypass security measures and execute code at the kernel level.
Technical Insights:
Expert Observation:
"Sophisticated attackers can still bypass advanced protections, highlighting the importance of layered security." – Dave Bittner [10:45]
Microsoft’s latest Patch Tuesday addressed eight zero-day vulnerabilities, three of which were actively exploited. The most severe included elevation of privilege flaws in Windows Hyper-V with a CVSS score of 7.8.
Key Updates:
Security Recommendations:
"Organizations should prioritize patching critical vulnerabilities to prevent potential exploitation." – Dave Bittner [12:05]
Texas Attorney General Ken Paxton filed a lawsuit against Allstate and its subsidiary Arity for allegedly mishandling driving data from over 45 million Americans without proper consent.
Allegations:
Company Response:
"Allstate denies the allegations, asserting compliance with all relevant laws." – Dave Bittner [14:20]
President Biden signed an executive order enabling AI developers to construct gigawatt-scale data centers on federal lands powered by clean energy. This initiative aims to address the burgeoning energy demands of AI technologies while maintaining U.S. leadership in AI and sustainability.
Key Provisions:
Future Outlook:
"Agencies will evaluate AI infrastructure's impact on energy prices and explore ways to integrate new clean energy sources." – Dave Bittner [16:50]
A pivotal segment of the episode features an Industry Voices interview with Mike Hamilton, Chief Information Officer at Cloudflare. The discussion centers on the phenomenon of TechSprawl in cybersecurity and its parallels to the classic Snake game.
Understanding TechSprawl:
Analogy to Snake Game:
"Tech sprawl emulates the old Snake game where the more you eat, the longer the Snake gets." – Mike Hamilton [18:00]
Description: As organizations adopt more point solutions to address specific cyber threats, the complexity of their tech environments grows exponentially, akin to the Snake becoming longer and faster.
Challenges of Managing Complexity:
Internal vs. External Complexity:
"From an external perspective, the nature of the industry itself contributes to tech sprawl as new security products emerge to tackle evolving threats." – Dave Bittner [16:40]
Product Overlap and Competition: The proliferation of specialized security tools leads to overlapping functionalities and competition among solutions, making integrated management difficult.
Balancing Point Solutions and Unified Platforms:
User Experience Focus: Emphasizing the importance of a seamless user experience to ensure security measures do not hinder productivity.
Zero Trust Implementation: Advocating for robust zero trust frameworks to streamline security without overcomplicating user interactions.
Strategic Prioritization:
"What's the biggest attack surface area that I need to deal with and how do I have to address it?" – Dave Bittner [21:00]
Effective Security Strategy:
Mike Hamilton: "As organizations grow, the complexity isn't necessarily linear; it could be an exponential growth in the complexity of your network and all the different interconnections." [16:16]
Dave Bittner: "The Snake gets longer and goes faster, making it difficult to manage all the point solutions effectively." [19:05]
Proactive Threat Mitigation: The successful removal of PlugX malware underscores the effectiveness of coordinated international law enforcement efforts in combating cyber threats.
Vulnerability Management: The continuous discovery of vulnerabilities in major platforms like Windows 11 and Rsync highlights the necessity for vigilant patch management and layered security defenses.
Data Privacy Enforcement: The lawsuit against Allstate signifies a growing trend of regulatory actions against companies mishandling personal data, emphasizing the importance of consent and transparency in data operations.
AI and Energy Sustainability: The executive order facilitating AI data centers on federal lands reflects the critical intersection of technological advancement and sustainable energy practices.
TechSprawl Awareness: Mike Hamilton’s discussion on TechSprawl serves as a cautionary tale for organizations to streamline their security infrastructures, focusing on essential protections without succumbing to the complexity of managing numerous point solutions.
While not the central focus of the episode, Dave Bittner touches upon broader industry issues, including Meta's uneven moderation policies which facilitate the proliferation of harmful applications like Crushmate. This segment highlights the challenges platforms face in balancing profit motives with user safety, especially in the era of generative AI.
The January 15, 2025 episode of CyberWire Daily provides listeners with a deep dive into significant cybersecurity events and thought-provoking discussions on managing technological complexity. Through expert interviews and detailed news analysis, the episode equips industry professionals with the knowledge and strategies necessary to navigate the ever-evolving cyber threat landscape.
For more detailed insights and to stay updated with the latest in cybersecurity, subscribe to CyberWire Daily and visit their daily briefing.