CyberWire Daily: "Multi-factor Frustration" Summary
Release Date: January 13, 2025
Host: Dave Bittner, N2K Networks
Introduction
In the January 13, 2025 episode of CyberWire Daily, host Dave Bittner provides a comprehensive overview of the latest developments in the cybersecurity landscape. The episode delves into significant incidents, policy changes, and emerging threats, culminating in an insightful interview with Philippe Humeaud, CEO and founder of CrowdSec, who discusses the pivotal role of open-source cybersecurity platforms and the looming challenges posed by AI.
Headline News
1. Microsoft’s Multi-Factor Authentication (MFA) Outage
Microsoft experienced an MFA outage impacting Microsoft 365 Office applications, particularly affecting users in Western Europe due to a specific infrastructure failure. Symptoms included difficulties in MFA registration and resets, alongside crashes in Microsoft 365 apps on some Windows Server 2016 devices.
- Dave Bittner [02:58]: "Microsoft rerouted traffic to alternative infrastructure during its investigation, which revealed the outage was limited to users in Western Europe served by a specific section of unresponsive infrastructure."
This incident follows a series of disruptions, including past outages affecting Office Web apps, the Admin Center, and a global service disruption in November impacting Teams, Exchange, SharePoint, and Outlook.
2. Biden Administration’s New Export Controls on AI Technology
The U.S. government is implementing stringent export controls aimed at preventing adversaries like Russia and China from accessing advanced AI chips and machine learning blueprints. Effective in 12 months, these rules feature a tiered restriction system, exempting key allies such as Australia, Japan, and the EU.
- Commerce Secretary Gina Raimondo [02:58]: "We are protecting US leadership in AI while allowing secure technology diffusion."
However, the rollout has faced criticism from industry leaders like Nvidia, citing potential risks to innovation.
3. Emergence of Funk Sec Ransomware Group
A new ransomware group, Funk Sec, has claimed responsibility for 85 victims in December 2024. Operating as a ransomware-as-a-service (RaaS) entity, Funk Sec employs AI-assisted tools to facilitate low-skilled actors in deploying advanced malware.
- Dave Bittner [03:55]: "Funk Sec employs double extortion tactics, combining data theft with encryption and targets organizations globally, particularly in countries aligned with Israel."
Check Point Research notes skepticism regarding the authenticity of some victim claims, suggesting overlaps with previous hacktivist activities.
4. Cyber Attack on Eindhoven University of Technology
Eindhoven University of Technology in the Netherlands halted lectures and network services following a cyber attack detected on a Saturday night. While no data theft has been confirmed, the university is still investigating the breach.
5. Indictment of Russian Nationals for Operating Cryptocurrency Mixers
Three Russian nationals have been indicted for running the cryptocurrency mixers Blender.io and Sinbad.io, which laundered funds from various cybercrimes, including the Axie Infinity hack. Charges include money laundering, conspiracy, and operating an unlicensed money transmitting business, with potential sentences of up to 20 years.
6. Juniper Networks Releases Junos OS Security Updates
Juniper Networks announced critical security patches for Junos OS, addressing numerous vulnerabilities such as an out-of-bounds read in the routing protocol daemon and a kernel memory exhaustion flaw triggered by malformed IPv6 packets. Users are urged to apply these patches promptly.
7. Data Breach at Telefonica, Spain’s Largest Telecommunications Company
Telefonica confirmed a data breach involving its internal ticketing system, resulting in the leakage of 2.3 gigabytes of data on breach forums. The breach was executed using compromised employee credentials, with attackers associated with the Hellcat ransomware group.
- Dave Bittner [07:45]: "Telefonica has blocked access and reset impacted accounts while enhancing security measures."
8. Banshee Infostealer Exploits Apple’s Encryption Algorithm
The Banshee malware targets macOS systems, utilizing a stolen Apple encryption algorithm to evade antivirus detection. Initially priced at $1,500 on Russian cybercrime marketplaces, newer variants have demonstrated heightened sophistication, effectively bypassing most antivirus solutions.
9. Novel Ransomware Campaign Targeting Amazon S3 Buckets
Researchers identified a ransomware campaign by a group dubbed Codefinger, which targets Amazon S3 buckets using AWS's server-side encryption with customer-provided keys (SSE-C): objects are re-encrypted with a key only the attacker holds, which results in permanent data loss for victims if the ransom is not paid.
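Two defender-side checks for the SSE-C pattern described in this item, added here as an example and not taken from the podcast or the researchers' report: a scan of CloudTrail-style S3 data events for writes that used a customer-provided key, and a bucket policy that denies such writes. The sample events are constructed, and the record field names (`requestParameters`, `additionalEventData.SSEApplied`) are my assumption about CloudTrail's S3 data-event layout; verify them against your own logs before deploying.

```python
"""Flag S3 writes that used SSE-C and build a bucket policy that refuses them."""
import json

# Constructed CloudTrail-style S3 data events (not real log data).
SAMPLE_EVENTS = [
    {"eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/app"},
     "requestParameters": {"bucketName": "prod-data", "key": "a.txt"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    {"eventName": "CopyObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/leaked-key"},
     "requestParameters": {"bucketName": "prod-data", "key": "a.txt",
                           "x-amz-server-side-encryption-customer-algorithm": "AES256"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
]

# Object-writing S3 API calls; reads with SSE-C are not the concern here.
WRITE_EVENTS = {"PutObject", "CopyObject", "UploadPart", "CreateMultipartUpload"}


def uses_ssec(event):
    """True when an S3 write supplied a customer-provided key (SSE-C)."""
    rp = event.get("requestParameters") or {}
    aed = event.get("additionalEventData") or {}
    return (event.get("eventName") in WRITE_EVENTS
            and (aed.get("SSEApplied") == "SSE_C"
                 or "x-amz-server-side-encryption-customer-algorithm" in rp))


def find_ssec_writes(events):
    """Return (bucket, key, principal) for every write that used SSE-C."""
    return [(e["requestParameters"]["bucketName"], e["requestParameters"]["key"],
             e["userIdentity"]["arn"]) for e in events if uses_ssec(e)]


def deny_ssec_policy(bucket):
    """Bucket policy denying any PutObject that requests SSE-C.

    The Null condition on the SSE-C condition key is false when the header is
    present, so only requests carrying a customer-provided key are denied.
    """
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenySSECWrites", "Effect": "Deny", "Principal": "*",
        "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"Null": {
            "s3:x-amz-server-side-encryption-customer-algorithm": "false"}}}]}


if __name__ == "__main__":
    print(find_ssec_writes(SAMPLE_EVENTS))
    print(json.dumps(deny_ssec_policy("prod-data"), indent=2))
```

Pair the policy with S3 Versioning or a backup so that an object overwritten with an attacker-held key still has a recoverable prior version.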
10. Major Data Breach at Gravy Analytics
Gravy Analytics, a prominent location data broker, suffered a significant breach exposing millions of sensitive location data points. The compromised data includes information tracking individuals' movements to sensitive locations such as the White House and military bases, raising serious privacy and national security concerns.
Interview with Philippe Humeaud, CEO and Founder of CrowdSec
Topic: Open-Source Cybersecurity Platforms and the Impact of AI
Introduction to CrowdSec’s Approach
Philippe Humeaud introduces CrowdSec as an open-source, multiplayer firewall platform designed to enhance cybersecurity through collective intelligence. Unlike traditional proprietary solutions, CrowdSec leverages community-driven data to identify and mitigate threats in real time.
- Philippe Humeaud [16:12]: "Right now our biggest concern, I would say, is the fact that we expect AI to be weaponized... we call this moai, Massively Multimodal Offensive AI."
The Threat of Massively Multimodal Offensive AI (MOLAI)
Humeaud elaborates on the concept of MOLAI, highlighting the risks associated with AI systems trained on vast datasets of human cyber activities, enabling them to develop sophisticated hacking techniques that can be offered as a service.
- Philippe Humeaud [16:50]: "They learn from actually humans doing research and they become extremely good at that after quite some training... you will rent an offensive AI as a service as well."
CrowdSec’s Open-Source Advantage
CrowdSec’s open-source nature allows for widespread adoption, fostering a community where servers share information about malicious IP addresses in real time. This collective approach creates a dynamic and up-to-date map of cyber threats, enhancing the platform’s effectiveness.
- Philippe Humeaud [18:34]: "We decided to give it for free because we wanted the largest number to use it... We get signals from all around the world constantly, day in, day out, something like 10 million signals per day."
Multiplayer Firewall Analogy
Humeaud compares CrowdSec to Waze, where shared data contributes to a global threat intelligence network. Each participating server acts like a node, sharing and receiving information about malicious activities to preemptively block threats.
- Philippe Humeaud [19:36]: "We share with each other the dangers of the digital highways... It's something awfully similar with Waze as well."
Recommendations for Server Protection
Highlighting the sheer volume of automated attacks on servers, Humeaud emphasizes the necessity of automating defense mechanisms to filter out background noise and focus on highly qualified threats.
- Philippe Humeaud [21:43]: "You want to automate that as best as possible and you want to get rid of the noise in the first place... On the other end of the spectrum... they know how to do it."
He advises organizations to prioritize automation in handling routine threats, thereby reducing alert fatigue and allowing cybersecurity teams to concentrate on targeted, sophisticated attacks.
The Importance of Sharing in Cyber Defense
Humeaud underscores the collaborative nature of cybersecurity, advocating for collective efforts to neutralize threats before they can inflict damage.
- Philippe Humeaud [24:17]: "We should partake all together to defuse all the rockets. That's why... Join the army. It's free, it's open source, it's available to everyone."
Conclusion
The episode of CyberWire Daily encapsulates a broad spectrum of current cybersecurity challenges, from infrastructure outages and policy shifts to sophisticated malware campaigns and data breaches. The interview with Philippe Humeaud of CrowdSec offers a forward-thinking perspective on leveraging open-source platforms and collective intelligence to combat evolving threats, particularly those augmented by AI. As cybersecurity threats become increasingly complex and pervasive, the emphasis on collaboration and innovation, as advocated by CrowdSec, becomes ever more critical.
Notable Quotes
- Philippe Humeaud [16:12]: "Right now our biggest concern, I would say, is the fact that we expect AI to be weaponized."
- Dave Bittner [02:58]: "Microsoft rerouted traffic to alternative infrastructure during its investigation, which revealed the outage was limited to users in Western Europe served by a specific section of unresponsive infrastructure."
- Gina Raimondo [02:58]: "We are protecting US leadership in AI while allowing secure technology diffusion."
- Philippe Humeaud [18:34]: "We decided to give it for free because we wanted the largest number to use it."
- Philippe Humeaud [19:36]: "We share with each other the dangers of the digital highways... It's something awfully similar with Waze as well."
- Philippe Humeaud [24:17]: "We should partake all together to defuse all the rockets."
Additional Resources
For a deeper dive into today’s stories and more details on each topic, listeners are encouraged to visit thecyberwire.com. Feedback and ratings can be submitted through favorite podcast platforms or directly via email to cyberwire2k.com.
This episode was produced by Liz Stokes, mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Executive production by Jennifer Eiben, executive editing by Brandon Karpf, and publishing overseen by Simone Petrella and Peter Kilpe.
