CyberWire Daily: Episode Summary - "One Tap, Total Access: Pegasus Exploits Unveiled"
Release Date: November 15, 2024 | Host: N2K Networks
1. Episode Overview
In this episode of CyberWire Daily, hosted by Dave Bittner and powered by N2K Networks, listeners get a comprehensive roundup of the latest cybersecurity threats, vulnerabilities, and industry developments. The episode covers the unveiling of Pegasus spyware exploits, emerging malware threats, and an interview with Ambuj Kumar, CEO and co-founder of Simbian, on the role of AI agents in cybersecurity.
2. Key Cybersecurity News
a. Pegasus Spyware Exploits Revealed
Unredacted court filings from WhatsApp's 2019 lawsuit against NSO Group have shed light on the extensive use of the Pegasus spyware. The Israeli firm targeted approximately 1,400 devices, including those of journalists, human rights activists, and political dissidents.
- Dave Bittner highlights, "Pegasus provided turnkey access, retrieving data with no technical input from users, according to depositions." (10:45)
NSO Group employed sophisticated techniques such as the Eden and Heaven exploits, which involved reverse engineering WhatsApp's code to create fake clients that could bypass security measures. Despite WhatsApp's updates countering these exploits, NSO adapted, allowing government clients to target devices effortlessly by simply entering phone numbers.
A notable case involved Princess Haya of Dubai, where Pegasus was allegedly used amid human rights violations by Sheikh Mohammed bin Rashid Al Maktoum. In response, WhatsApp has vowed to hold NSO accountable for violating U.S. laws and infringing on user privacy.
b. Glove Stealer Malware Bypasses Encrypted Browsers
A new malware strain, Glove Stealer, has emerged, capable of bypassing app-bound encryption in Chromium-based browsers. This malware targets sensitive data, including credentials, cookies, cryptocurrency wallet information, and data from over 80 local applications and 280 browser extensions.
- Dave Bittner notes, "Glove Stealer exploits the IElevationService unique to each browser to harvest and decrypt encryption keys." (12:30)
Delivered via phishing emails containing malicious HTML attachments, Glove Stealer tricks victims into executing scripts that install the malware. Once active, it gains administrative privileges, downloads additional modules, and exfiltrates protected data through a command and control server.
c. Zero-Day Vulnerability in Fortinet’s FortiManager
Security firm watchTowr has discovered a new zero-day vulnerability in Fortinet's FortiManager, dubbed FortiJump Higher. This flaw allows attackers to escalate privileges from a managed FortiGate device to control of the central FortiManager instance, potentially compromising entire Fortinet-managed networks.
- Dave Bittner states, "FortiJump Higher resembles an earlier vulnerability, FortiJump, which allowed remote code execution on FortiManager via unauthenticated crafted requests." (13:20)
Despite Fortinet's efforts to patch FortiJump, watchTowr claims the patch was insufficient, leaving systems exposed. Exploiting these vulnerabilities could grant attackers significant control over networks, emphasizing the need for urgent patching and security measures.
d. Rapid7 Detects Updated LodaRAT Malware
Rapid7 has identified an updated version of LodaRAT, a remote access tool first observed in 2016. This version can steal cookies and credentials from browsers such as Microsoft Edge and Brave. Written in AutoIt, LodaRAT retains functionality such as screen capturing, webcam control, data exfiltration, and delivery of additional payloads.
- Dave Bittner explains, "Unlike earlier targeted campaigns, this version has global reach, emphasizing the need for vigilance and timely patching." (14:10)
The malware is distributed through Donut Loader and Cobalt Strike, often masquerading as legitimate software like Discord or Skype. Its resurgence underscores the effectiveness of repurposing legacy malware with minimal code tweaks to evade detection.
e. CISA Alerts on Palo Alto Networks' Expedition Tool Exploitation
The Cybersecurity and Infrastructure Security Agency (CISA) has issued alerts regarding active exploitation of vulnerabilities in Palo Alto Networks' Expedition tool. CISA initially highlighted a critical flaw allowing attackers to seize administrator accounts; two additional vulnerabilities have since been disclosed:
- Root Command Execution: Allows attackers to run OS commands as root, exposing credentials, configurations, and API keys.
- Database Manipulation: Enables attackers to extract sensitive information and manipulate system files without authentication.
These vulnerabilities are part of a broader issue, including an unrelated zero-day remote code execution flaw affecting Palo Alto firewalls, though no direct connection between the exploits has been established.
f. Data Exposure Due to Misconfigured Microsoft Power Pages
Misconfigured Microsoft Power Pages accounts have led to the unintentional exposure of sensitive data online. Aaron Costello of AppOmni revealed that excessive permissions granted to authenticated users often result in significant data leaks.
- Dave Bittner reports, "One notable case involved a UK National Health Service provider inadvertently exposing data for over 1 million employees." (15:00)
Despite Microsoft’s warnings, many organizations across health, finance, and tech sectors continue to overlook secure access configurations, leaving personal and organizational data vulnerable to exploitation.
g. Iranian Hackers Mimicking North Korean Tactics
Iranian state hackers, identified as TA455 or APT35, are reportedly mimicking North Korean tactics to target the aerospace industry with fake job offers. Utilizing platforms like LinkedIn and malicious domains such as careerstofind.com, these hackers deploy sophisticated DLL sideloading techniques and malicious ZIP files disguised as job-related documents.
- Dave Bittner comments, "These hackers encode command and control data on GitHub and leverage Cloudflare to mask their infrastructure, making tracking difficult." (16:20)
Research suggests possible collaboration between Pyongyang and Tehran, given the overlapping techniques used, highlighting the evolving landscape of state-sponsored cyber threats.
h. Australia’s Warning on State-Sponsored Embedded Malware
The Australian government has issued warnings to critical infrastructure providers regarding the threat of state-sponsored cyber actors embedding malware within networks. These actors aim to disrupt national security during crises or military conflicts by compromising systems without immediate espionage value.
- Dave Bittner notes, "These actors employ stealthy living off the land techniques using built-in tools to evade detection and blend into normal network activity." (16:50)
In response, Australia has enhanced its critical infrastructure protections, mandating designated operators to bolster incident response, remediate vulnerabilities, and share system data. Legislative updates now empower regulators to enforce comprehensive risk management and support cybersecurity resilience across interconnected systems.
i. Cybercriminal Sentenced for Attacks on Medical Facilities
Robert Purbeck, a 45-year-old from Idaho, has been sentenced to 10 years in prison for a series of cybercrimes targeting medical facilities and other organizations. Over seven years, Purbeck hacked systems, stole sensitive personal data, and extorted victims, impacting at least 19 entities, including medical practices and safe houses for domestic violence survivors.
- Dave Bittner remarks, "His actions turned a refuge into a potential danger zone, causing devastating financial and emotional harm to his victims." (17:00)
Using aliases like "Lifelock" and "Stud Master," Purbeck employed threatening emails to extort payments, often leveraging personal references to intimidate compliance. His activities underscore the severe repercussions of cybercrimes on vulnerable populations and critical services.
3. In-Depth Interview: Ambuj Kumar on AI Agents Transforming Cybersecurity
In a special segment, Dave Bittner interviews Ambuj Kumar, CEO and co-founder of Simbian, to explore how AI agents are changing the cybersecurity landscape.
a. Understanding AI Agents
Ambuj Kumar defines an AI agent as a "virtual employee" powered by large language models (LLMs) like GPT-4, capable of performing tasks autonomously and progressively handling more complex responsibilities.
- Ambuj Kumar explains, "AI Agent is a virtual employee that is using a brain powered by large language model or AI and is working just like a human, taking some easy things from you in the beginning, later on learning to do more and more complex things." (17:07)
b. AI Agents vs. Traditional AI Tools
When compared to tools like ChatGPT, AI agents offer a more autonomous approach. Instead of merely providing advice, AI agents can execute tasks independently.
- Ambuj Kumar illustrates, "For example, my company, Simbian, we are building an AI agent for cybersecurity. So our AI agent will directly take that input, directly take that alert, and actually go and do those things." (17:36)
This autonomy allows AI agents to handle a significant portion of routine alerts without constant human intervention, enhancing efficiency within security operations.
c. Onboarding and Access Management
Effective deployment of AI agents involves an onboarding process similar to that of human employees. This includes defining critical users, applications, and response protocols.
- Ambuj Kumar states, "Simbian has two fundamental building blocks in technology. One is our trusted LLM...the other is our context lake, which captures all the structured information you provide during onboarding." (19:20)
d. Mitigating LLM Hallucinations
A key challenge with LLMs is their tendency to "hallucinate", that is, to generate inaccurate information. Simbian addresses this by incorporating built-in error correction and detection logic.
- Ambuj Kumar details, "Our trusted LLM has a built-in error correction or detection logic. So whenever LLM generates an answer, first we verify internally whether that answer is correct or not." (20:53)
This ensures that AI agents provide reliable and accurate responses, mitigating risks associated with data inaccuracies.
e. Practical Applications of AI Agents
i. Security Operations Center (SOC) Automation
AI agents can significantly reduce the workload within SOCs by autonomously handling routine alerts. Simbian's AI agents can manage up to 90% of alerts, allowing human analysts to focus on more critical incidents.
- Ambuj Kumar explains, "Simbian is taking care of 90 of them. And here is what I did. Here is why I think they are malicious... just like a normal human employee." (23:21)
ii. Governance, Risk Management, and Compliance (GRC) Automation
AI agents streamline the process of responding to security questionnaires, a typically manual and time-consuming task. By automating the filling and reviewing of security questionnaires, organizations can enhance efficiency and accuracy.
- Ambuj Kumar states, "We have completely automated that, so we can create a trust center for you... when you get a security questionnaire, we automatically fill it." (23:21)
f. Ensuring AI Agent Security
When integrating AI agents, organizations must prioritize security to prevent data breaches and unauthorized access.
- Ambuj Kumar advises, "First you should ask whether the service is SOC 2 certified or not... Do you tokenize my information before you receive?" (27:39)
He emphasizes the importance of encryption, multi-tenancy data security, and ensuring that AI models do not train on sensitive customer data. Additionally, organizations should consider the hosting location of LLMs and explore options like self-hosting within their own data centers for enhanced security.
4. Password Security: Top 10 Least Secure Passwords
In a sponsored segment by NordPass, the podcast reveals the 200 most common passwords, highlighting the top 10 least secure ones used in the U.S., as reported on November 15, 2024:
- secret – 328,000 users
- 123456 – Over 250,000 users
- password – 227,000 users
- qwerty123 – 209,000 users
- qwerty1 – 200,000 users
- 123456789 – ~90,000 users
- password1 – 55,000 users
- 12345678 – 52,000 users
- 12345 – 50,000 users
- abc123 – 44,000 users
Dave Bittner cautions, "If you're using it, it's time to change that secret into something actually secure." This segment serves as a stark reminder of the importance of strong, unique passwords in safeguarding personal and organizational data.
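As an added example, not code from the podcast or from NordPass, here is a defender-side denylist check built from the ten passwords listed above; the normalization, stem and digit-run rules are my own assumptions about which trivial variants a policy should also reject.

```python
import re

# The ten passwords quoted in the segment above (constructed from that list).
TOP10_US_2024 = [
    "secret", "123456", "password", "qwerty123", "qwerty1",
    "123456789", "password1", "12345678", "12345", "abc123",
]

def normalize(pw: str) -> str:
    """Case-fold and drop common separators so 'Qwerty-123' equals 'qwerty123'."""
    return re.sub(r"[\s\-_.]+", "", pw.casefold())

def stem(pw: str) -> str:
    """Strip a trailing run of digits/punctuation: 'password1!' -> 'password'."""
    return re.sub(r"[\d!@#$%^&*]+$", "", pw)

# Exact denylist plus the word stems it reduces to: secret, password, qwerty, abc.
DENY = {normalize(p) for p in TOP10_US_2024}
STEMS = {s for s in (stem(p) for p in DENY) if s}

def is_digit_run(pw: str) -> bool:
    """True for ascending digit sequences of four or more ('12345', '123456789')."""
    return pw.isdigit() and len(pw) >= 4 and pw in "1234567890"

def check_password(pw: str) -> tuple[bool, str]:
    """Return (accepted, reason). Rejects exact list hits, digit runs and suffix variants."""
    n = normalize(pw)
    if n in DENY:
        return False, "exact match in top-10 list"
    if is_digit_run(n):
        return False, "ascending digit sequence"
    if stem(n) in STEMS:
        return False, f"trivial variant of '{stem(n)}'"
    return True, "ok"

def audit(passwords: list[str]) -> dict[str, str]:
    """Map each rejected password to its rejection reason; accepted ones are omitted."""
    return {p: r for p in passwords for ok, r in [check_password(p)] if not ok}
```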
5. Closing Remarks
Dave Bittner concludes the episode by promoting upcoming content, including an interview with Blake Darché from Cloudflare's Cloudforce One, and urges listeners to support the podcast's nomination for the Creator of the Year category in the Baltimore region's 2024 Technical Awards.
Listeners are encouraged to provide feedback, rate and review the podcast, and visit thecyberwire.com for links to all stories discussed in the episode.
Production Credits:
- Produced by: Liz Stokes
- Mixer: Tré Hester
- Music & Sound Design: Elliott Peltzman
- Executive Producer: Jennifer Eiben
- Executive Editor: Brandon Karpf
- President: Simone Petrella
- Publisher: Peter Kilpe
Stay informed and secure with CyberWire Daily, your trusted source for the latest in cybersecurity news and analysis.
