CyberWire Daily – Episode: "Nam3l3ss but not Harmless"
Release Date: December 3, 2024
Host: Dave Bittner
Produced by: N2K Networks
Introduction
In this episode of CyberWire Daily, host Dave Bittner covers a range of cybersecurity issues affecting organizations worldwide: a large data leak, evolving threats, regulatory developments, and interviews with industry leaders. This summary captures the episode's key discussions, insights, and conclusions.
Major Data Breach Exposed
Nam3L3ss Leaks Data from the MOVEit Hack
A large data leak has surfaced: a threat actor using the handle Nam3L3ss has published records on more than 760,000 employees of major organizations including Bank of America, Coca-Cola, Nokia, and Morgan Stanley. The records trace back to the Clop ransomware group's 2023 exploitation of a zero-day vulnerability in Progress Software's MOVEit Transfer tool, a campaign that hit nearly 2,800 organizations and roughly 100 million individuals.
- Dave Bittner highlights:
"The breach underscores growing risks tied to large-scale cyber extortion campaigns."
(Timestamp: 00:02)
Key Details:
- Data Exposed: Names, emails, phone numbers, job titles, and managerial details.
- Attack Vector: Zero-day vulnerability in Progress Software's MOVEit Transfer tool.
- Analysis: Atlas Privacy traced the leaked data to Clop's MOVEit campaign, noting that employee names, titles, and reporting lines are high-value material for social engineering attacks.
- Impact: Bank of America reported over 288,000 affected employees, making it the most impacted organization.
This incident shows both the growing reach of cyber extortion campaigns and the long tail of a single vulnerability in a widely deployed file-transfer product: data stolen in 2023 is still being released more than a year later.
UK's Escalating Cyber Threats
Richard Horne Warns of Underestimated Cyber Risks
Richard Horne, the new head of the UK's National Cyber Security Centre (NCSC), which is part of GCHQ, issued a stern warning that the UK's cyber defenses are lagging behind the evolving threat.
- Horne states:
"There's a widening gap between the increasing sophistication of cyber threats and the UK's defenses, particularly around critical national infrastructure."
Key Points:
- Incident Management: Over the past year, NCSC handled 430 incidents, with 89 deemed nationally significant.
- Primary Threats: Ransomware remains the most immediate threat, with state-linked actors targeting industrial control systems.
- Vulnerabilities: Horne pointed to two major vulnerabilities, exploited by state-backed actors linked to Iran and by ransomware groups, as significant risks to UK infrastructure.
- Cyber Essentials Scheme: Horn criticized low adoption, with only 31,000 organizations certified out of 5 million eligible.
- Call to Action: Urgent improvements in resilience are needed to counteract rising risks from state and non-state actors, notably Russia and China.
Horne's remarks underline the need for stronger cybersecurity measures and broader adoption of certification schemes to protect national infrastructure.
Regulatory Developments: CFPB Targets Data Brokers
Consumer Financial Protection Bureau (CFPB) Proposes New Rules
The CFPB has introduced a rule aimed at preventing data brokers from selling Americans' personal and financial information, including Social Security numbers and phone numbers, under the Fair Credit Reporting Act (FCRA).
- Rohit Chopra, CFPB Director, remarks:
"This rule would address the widespread evasion of federal privacy laws and hold data brokers to the same standards as credit bureaus and background check companies."
Key Aspects:
- Objective: Close loopholes allowing data brokers to bypass FCRA regulations.
- Impact: Restricts brokers from selling sensitive identifying information, thereby reinforcing FCRA protections.
- Public Engagement: The proposal is open for public comment until March 2025, amid uncertainties regarding potential regulatory rollbacks.
- Significance: Marks heightened scrutiny of data brokers and anticipates substantial regulatory changes affecting how personal data is managed and sold.
This regulatory move aligns with President Biden's executive order limiting the sale of Americans' sensitive personal data, signaling a firmer approach to consumer data privacy.
Ransomware Attack on ENGlobal Corporation
ENGlobal Faces Operational Disruption After Ransomware Incident
ENGlobal Corporation, a U.S. government and energy sector contractor, has suffered a ransomware attack that encrypted some of its data files, forcing it to restrict access to parts of its IT systems.
- Details from Dave Bittner:
"ENGlobal, whose clients include the Departments of Defense and Energy, is investigating the attack but has not determined its financial impact."
Impact:
- Date Disclosed: November 25.
- Response: The company disclosed the incident in a Form 8-K filing with the SEC and is actively investigating.
- Current Status: Full restoration of IT systems remains uncertain, highlighting the prolonged impact ransomware can have on critical contractors.
This case underscores the vulnerability of contractors tied to sensitive government and energy sectors, emphasizing the need for robust cybersecurity defenses.
Emerging Threats: SMOKEDHAM Windows Backdoor
UNC2465 Deploys SMOKEDHAM Backdoor
Researchers at TRAC Labs have identified renewed activity from UNC2465, a cybercriminal group with ties to the defunct DarkSide ransomware operation. The group is actively deploying the SMOKEDHAM Windows backdoor, which provides initial access and persistence within targeted networks.
- Dave Bittner explains:
"The backdoor allows for reconnaissance, lateral network movement using tools like Mimikatz, and credential harvesting."
Key Features:
- Delivery Methods: Trojanized installers disguised as legitimate tools, phishing emails, malicious ads, and cloud services (e.g., Google Drive, Dropbox).
- Capabilities: Credential theft, keylogging, browser injections, and maintaining persistence across systems.
- Evasion Techniques: Uses steganography and obfuscated scripts to avoid detection.
- Threat Level: Despite the disruption of some ransomware groups, UNC2465 remains a significant threat by adapting its tactics and maintaining ransomware partnerships.
The reappearance of SMOKEDHAM shows that a backdoor can outlive the ransomware brand it was first seen with, and that defenders should track the tooling and tradecraft rather than the name on the ransom note.
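Credential harvesting with Mimikatz, as the episode describes, leaves traces a defender can look for regardless of what the backdoor is called. The following is an added example, not code from the episode or from TRAC Labs, of a small detector run over constructed Sysmon-style events in JSON-lines form. It uses two well-known signals: Mimikatz module syntax on a command line (Sysmon Event ID 1) and a non-allowlisted process opening lsass.exe with memory-read access (Sysmon Event ID 10). The sample events and the allowlist of legitimate LSASS readers are assumptions for the demo.

```python
import json
import re

# Mimikatz module syntax survives even when the binary is renamed, so match on it
# rather than on the image name alone.
MIMIKATZ_CMDLINE = re.compile(
    r"sekurlsa::|lsadump::|privilege::debug|kerberos::|mimikatz", re.I)

# PROCESS_VM_READ is needed to read LSASS memory; it is set in the masks
# commonly seen from credential dumpers (0x1010, 0x1410, 0x1FFFFF).
PROCESS_VM_READ = 0x0010

# Assumed allowlist of signed OS/security processes that legitimately open LSASS.
# Tune this per estate; it is an assumption for the demo, not a vendor list.
ALLOWED_LSASS_READERS = {"msmpeng.exe", "csrss.exe", "wininit.exe"}


def check_event(ev: dict):
    """Return (rule, host, detail) for a suspicious Sysmon event, else None."""
    if ev.get("EventID") == 1:  # process creation
        cmd = ev.get("CommandLine", "")
        if MIMIKATZ_CMDLINE.search(cmd):
            return ("mimikatz_cmdline", ev.get("Computer"), cmd)
    elif ev.get("EventID") == 10:  # process access
        target = ev.get("TargetImage", "").lower()
        source = ev.get("SourceImage", "").lower().rsplit("\\", 1)[-1]
        granted = int(ev.get("GrantedAccess", "0x0"), 16)
        if (target.endswith("\\lsass.exe")
                and granted & PROCESS_VM_READ
                and source not in ALLOWED_LSASS_READERS):
            return ("lsass_read_access", ev.get("Computer"),
                    f"{source} -> lsass.exe ({hex(granted)})")
    return None


def scan(log_text: str) -> list:
    """Parse a JSON-lines Sysmon export and return all hits in log order."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        hit = check_event(json.loads(line))
        if hit:
            hits.append(hit)
    return hits


# Constructed sample events (not real telemetry): benign shell use, a renamed
# Mimikatz run, Defender touching LSASS (allowlisted), the renamed binary reading
# LSASS, and an unrelated process-access event.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Users\Public\svchost32.exe",
     "CommandLine": 'svchost32.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"EventID": 10, "Computer": "WS01",
     "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "Computer": "WS01", "SourceImage": r"C:\Users\Public\svchost32.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "Computer": "WS01", "SourceImage": r"C:\Windows\explorer.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1410"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for rule, host, detail in scan(SAMPLE_LOG):
        print(f"[{rule}] {host}: {detail}")
```

Both rules fire on the renamed binary and neither fires on the Defender engine, which is the point of keying on module syntax and access masks rather than on the file name. In practice the allowlist is the part that needs the most care: too short and EDR agents page the SOC all day, too broad and a dumper masquerading as one of them slips through, so pair it with signature and path checks where the telemetry offers them.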
National Security Concerns: Reliance on Chinese LiDAR Technology
Foundation for Defense of Democracies Raises Red Flags
The Foundation for Defense of Democracies (FDD), a Washington think tank, has issued a report warning against over-reliance on Chinese-made LiDAR technology, citing significant national security, economic, and cybersecurity risks.
- Report Highlights:
- LiDAR Usage: Critical for 3D mapping, autonomous navigation, infrastructure monitoring, and military applications such as detecting enemy forces.
- Risks: Potential for espionage and sabotage by Beijing through integration into U.S. critical infrastructure such as public safety, transportation, and utilities.
- Supply Chain Vulnerabilities: China’s control over LiDAR systems and rare earth elements could be exploited to disrupt supply chains and exert strategic pressure.
Recommendations:
- Reduce Dependency: Limit reliance on untrusted vendors.
- Enhance Standards: Implement rigorous cybersecurity standards for LiDAR systems.
- Boost Domestic Production: Increase domestic LiDAR manufacturing to secure vital systems.
- Legislative Action: Consider bans on purchasing Chinese LiDAR to mitigate these vulnerabilities.
This report underscores the strategic importance of securing technology supply chains to protect national security interests.
Advanced Malware Campaigns: SmokeLoader Targets Taiwan
SmokeLoader Malware Campaign Detected by FortiGuard Labs
Researchers at FortiGuard Labs have uncovered a sophisticated SmokeLoader malware campaign targeting companies in Taiwan across sectors including manufacturing, healthcare, and IT.
- Key Insights from Dave Bittner:
"The malware was delivered via phishing emails, exploiting vulnerabilities in Microsoft Office, and used cloud services like Google Drive to host payloads."
Campaign Characteristics:
- Modular Design: Acts both as a downloader and a direct attacker, fetching plugins from command and control servers.
- Advanced Evasion: Utilizes steganography and obfuscated scripts to avoid detection.
- Functionalities: Credential theft, keylogging, browser injections, and system persistence.
- Delivery Channels: Phishing emails, malicious advertising campaigns, and exploitation of cloud services.
FortiGuard's Advice:
Organizations should remain vigilant and strengthen defenses against such campaigns, particularly patching the Office vulnerabilities the loader relies on, to mitigate the persistent threat posed by adaptable malware like SmokeLoader.
NIST's Updated Password Guidelines
Wall Street Journal Examines NIST's New Recommendations
The National Institute of Standards and Technology (NIST) has proposed updated password guidelines aimed at enhancing security and usability, with finalization expected in 2025.
Key Recommendations:
- Eliminate Outdated Practices: Phasing out frequent password changes and overly complex requirements.
- Emphasize Length and Simplicity: A minimum of eight characters, ideally 15 or more, with all printable characters accepted, including Unicode and emojis.
- Promote Modern Tools: Encourage the use of password managers and passkeys (FIDO-based credentials, typically unlocked with a device PIN or biometric rather than a memorized secret).
- Implement Blocklists: Screen new passwords against lists of compromised and commonly used passwords.
NIST's Rationale:
"Strict password rules often backfire, leading users to create predictable patterns."
The new guidelines aim to balance user convenience with robust security measures, reshaping password practices across government and industry sectors.
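The recommendations above translate directly into a verifier-side check. Below is an added example, not NIST's code or anything from the Wall Street Journal piece, of a Python password validator that applies those rules: Unicode NFKC normalization before comparison (which NIST also calls for), length counted in characters rather than bytes, an 8-character floor with 15 as the target, no composition rules, no expiry, a blocklist, and rejection of context-specific and repetitive or sequential strings. The tiny blocklist and the username/service context words are constructed for the demo; a real deployment would load a breach corpus.

```python
import unicodedata

MIN_LEN = 8            # NIST SP 800-63B: verifiers SHALL require at least 8 characters
RECOMMENDED_LEN = 15   # and SHOULD require at least 15 when the password is the only factor

# Constructed stand-in for a real blocklist (breach corpora, dictionary words,
# well-known weak choices). A production list runs to millions of entries.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "iloveyou", "welcome1"}


def normalize(pw: str) -> str:
    """NIST requires Unicode normalization (NFKC or NFKD) before comparison or hashing,
    so the same password typed with fullwidth or decomposed characters compares equal."""
    return unicodedata.normalize("NFKC", pw)


def is_repetitive_or_sequential(s: str) -> bool:
    """Reject 'aaaaaaaa', '12345678', 'abcdefgh' and their descending forms: every step
    between adjacent code points is identical and is -1, 0 or +1."""
    if len(s) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return len(steps) == 1 and steps.pop() in (-1, 0, 1)


def evaluate_password(pw: str, username: str = "", service: str = "",
                      blocklist=BLOCKLIST) -> dict:
    """Apply the draft NIST SP 800-63B rules. Deliberately absent: composition rules
    ('must contain a digit and a symbol') and any password-age or rotation check."""
    norm = normalize(pw)
    folded = norm.casefold()
    length = len(norm)          # code points: an emoji is one character, not four bytes
    reasons = []
    if length < MIN_LEN:
        reasons.append(f"too short: {length} < {MIN_LEN}")
    if folded in blocklist:
        reasons.append("appears in blocklist")
    # Context-specific words (the account name, the service name) are cheap to guess.
    for label, ctx in (("username", username), ("service name", service)):
        if ctx and ctx.casefold() in folded:
            reasons.append(f"contains {label}")
    if is_repetitive_or_sequential(norm):
        reasons.append("repetitive or sequential")
    return {
        "accepted": not reasons,
        "length": length,
        "meets_recommended_length": length >= RECOMMENDED_LEN,
        "reasons": reasons,
    }


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "Tr0ub4dor&3", "ｐａｓｓｗｏｒｄ",
                      "🔑🔑🔑🔑🔑🔑🔑🔑", "ключ от сейфа 2024"):
        print(repr(candidate), evaluate_password(candidate, username="alice"))
```

Two of the sample inputs show why normalization and character-counting matter: the fullwidth "ｐａｓｓｗｏｒｄ" collapses to "password" under NFKC and is caught by the blocklist, and a string of eight identical emojis passes the length floor but fails the repetition check. The short "Tr0ub4dor&3" is accepted because NIST no longer lets the verifier reject a password for lacking a character class; the report simply flags that it is under the recommended 15.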
South Korea's Crackdown on DDoS Device Manufacturing
Arrests Made Over Satellite Receivers with DDoS Capabilities
South Korean authorities arrested the CEO and five employees of a company involved in manufacturing over 240,000 satellite receivers embedded with DDoS attack functionalities.
- Details from Dave Bittner:
"These devices, sold at the request of a purchasing company starting in 2018, enabled illegal attacks targeting external systems, allegedly to counter a rival's actions."
Criminal Activity:
- Device Deployment: 98,000 devices shipped with pre-installed DDoS modules; others were updated later.
- Legal Actions: Authorities seized assets totaling approximately $4.35 million and charged the suspects under Korea's Information Protection Act.
- Investigative Insights: The scheme was uncovered through Interpol intelligence linking a Korean manufacturer and a foreign broadcaster.
Ongoing Efforts:
Korean police are seeking international cooperation to apprehend the operators of the purchasing company, who remain at large.
This crackdown highlights international cooperation in combating the manufacturing and distribution of cyberattack tools.
Threat Vector Segment: Palo Alto Networks Interview
Behind the Scenes with Palo Alto Networks' CIO and CISO
In the Threat Vector segment, host David Moulton interviews Meerah Rajavel, CIO, and Niall Browne, CISO, of Palo Alto Networks about how they balance innovation with security amid evolving cyber threats.
Meerah's Perspective:
"It's not an option to say no to a security control that we need. I just need to figure out how I'm going to get that."
(Timestamp: 18:41)
Niall's Approach:
"What's the business value? What's the set of priorities? How much resource is it going to require?"
(Timestamp: 19:47)
Key Discussion Points:
- Incident Response: Leveraging Unit 42 for threat intelligence and proactive defense.
- Risk Prioritization: Aligning cybersecurity initiatives with business objectives and resource availability.
- AI Integration: Utilizing AI for productivity without compromising security integrity.
- Team Alignment: Ensuring cohesive strategy execution across different project phases.
The interview provides valuable insights into effective cybersecurity leadership and the integration of advanced technologies to maintain robust defenses.
ChatGPT's Vulnerabilities: The Voldemort Moment
ChatGPT Struggles with Specific Names, Leading to AI Hallucinations
A curious issue has emerged where ChatGPT becomes unresponsive or produces incorrect information when prompted with certain names, such as David Mayer, Jonathan Zittrain, and Jonathan Turley.
- Dave Bittner muses:
"It's been shown how an attacker could interrupt a session using a visual prompt injection of one of the names rendered in a barely legible font embedded in an image."
Incident Examples:
- Jonathan Turley: ChatGPT falsely claimed involvement in a non-existent sexual harassment scandal, erroneously citing a fabricated Washington Post article.
- Jonathan Zittrain: His name triggers ChatGPT's "unable to produce a response" error, possibly linked to his work on AI regulation.
- David Mayer: Initially blocked but later unblocked for unclear reasons.
Security Implications:
- Vulnerabilities: Hard-coded name filters sit outside the model and fail closed on any matching input, so they produce abrupt session failures and give an attacker a predictable trigger to aim a prompt injection at.
- Potential Exploits: Attackers could use specific names to disrupt chat sessions or manipulate data processing.
Speculative Solutions:
A tongue-in-cheek suggestion that ChatGPT could "whisper" restricted names, treating them the way the wizarding world treats He Who Must Not Be Named, rather than refusing outright.
This phenomenon raises concerns about AI reliability and the robustness of content moderation mechanisms within conversational agents.
Conclusion
This episode of CyberWire Daily presents a comprehensive overview of significant cybersecurity challenges and developments. From large-scale data breaches and sophisticated malware campaigns to regulatory changes and AI vulnerabilities, the discussions provide valuable insights for industry leaders and cybersecurity professionals aiming to navigate the complex threat landscape effectively.
Stay informed and protected by following the latest updates and expert analyses presented in each episode.
For more detailed discussions and expert insights, listen to the full episode on your preferred podcast platform or visit The CyberWire.