Dave Buettner
You're listening to the CyberWire network, powered by N2K.
Hey everybody, Dave here. I want to talk about our sponsor, LegalZoom. You know, I started my first business back in the early 90s, and oh, what I would have done to have been able to have the services of an organization like LegalZoom back then. Just getting all of those business ducks in a row, all of that technical stuff, the legal stuff, the registrations of the business, the taxes, all of those things that you need to go through when you're starting a business, the hard stuff, the stuff that sucks up your time when you just want to get that business launched and out there. Well, LegalZoom has everything you need to launch, run and protect your business all in one place. And they save you from wasting hours making sense of all that legal stuff. Launch, run and protect your business to make it official today at legalzoom.com. You can use promo code CYBER10 to get 10% off any LegalZoom business information product, excluding subscriptions and renewals. That expires at the end of this year. Get everything you need from setup to success at legalzoom.com and use promo code CYBER10. That's legalzoom.com and promo code CYBER10. LegalZoom provides access to independent attorneys and self-service tools. LegalZoom is not a law firm and does not provide legal advice except where authorized through its subsidiary law firm LZ Legal Services LLC.
Unredacted court filings from WhatsApp's 2019 lawsuit against NSO Group reveal the scope of spyware infections. Glove Stealer can bypass app-bound encryption in Chromium-based browsers. Researchers uncover a new zero-day vulnerability in Fortinet's FortiManager. Rapid7 detects an updated version of LodaRAT. CISA warns of active exploitation of Palo Alto Networks' Expedition tool. Misconfigured Microsoft Power Pages accounts expose sensitive data. Iranian state hackers mimic North Koreans in fake job scams.
Australia warns its critical infrastructure providers about state-sponsored embedded malware. An especially cruel cybercriminal gets 10 years in the slammer. Our guest is Ambuj Kumar, co-founder and CEO of Symbian, who joins us to discuss how AI agents may change the cyber landscape. And we're counting down the top 10 least secure passwords.
It's Friday, November 15th, 2024. I'm Dave Buettner and this is your CyberWire Intel Briefing. Thanks for joining us here today and happy Friday. It is great as always to have you with us.
Unredacted court filings from WhatsApp's 2019 lawsuit against NSO Group reveal that the Israeli spyware firm used its Pegasus tool to infect 1400 devices targeting journalists, human rights activists and political dissidents. Pegasus, a zero-click spyware, exploited WhatsApp vulnerabilities to gain full access to targeted phones. NSO developed methods, including the Eden and Heaven exploits, by reverse engineering WhatsApp's code and creating a fake client to bypass security measures. NSO admitted to creating a WhatsApp installation server to impersonate the app and deploy spyware. Despite WhatsApp's updates thwarting these exploits, NSO adapted, allowing its government clients to easily target devices by entering phone numbers. Pegasus provided turnkey access, retrieving data with no technical input from users, according to depositions. Notably, Pegasus was allegedly used against Dubai's Princess Haya amid human rights violations by Sheikh Mohammed bin Rashid Al Maktoum. WhatsApp vows to hold NSO accountable for violating US laws and user privacy.
A new malware, Glove Stealer, can bypass app-bound encryption in Chromium-based browsers, a security mechanism introduced in Chrome 127 to protect cookies. Written in .NET, the malware exfiltrates sensitive data like credentials, cookies and information from cryptocurrency wallets, password managers, email clients and over 80 local applications. It also targets data in 280 browser extensions.
Glove Stealer exploits the IElevator service unique to each browser to harvest and decrypt encryption keys. While primarily affecting Chromium browsers like Chrome, Edge and Brave, it also targets Opera, Yandex and CryptoTab. Delivered via phishing emails with malicious HTML attachments, victims are tricked into running scripts that execute the info stealer. The malware gains administrative privileges, downloads additional modules, and exfiltrates protected data through a command and control server.
Security firm watchTowr has uncovered a new zero-day vulnerability in Fortinet's FortiManager, dubbed FortiJump Higher. This flaw enables privilege escalation from a managed FortiGate device to control the central FortiManager instance, potentially compromising entire Fortinet-managed fleets. FortiJump Higher resembles an earlier vulnerability, FortiJump, which allowed remote code execution on FortiManager via unauthenticated crafted requests. FortiJump carries a CVSS score of 9.8 and has been actively exploited. watchTowr claims Fortinet's patch for FortiJump missed key exploit methods, leaving systems vulnerable. Attackers could exploit these flaws to escalate privileges and compromise entire networks.
Rapid7 has detected a malware campaign featuring an updated version of LodaRAT, a remote access tool first observed in 2016. This new version can steal cookies and credentials from Microsoft Edge and Brave browsers. Written in AutoIt, LodaRAT retains its core functions such as screen capturing, webcam control, data exfiltration, and delivering additional payloads, but it hasn't seen major updates since 2021. The malware is now distributed via Donut Loader and Cobalt Strike and often masquerades as legitimate software like Discord or Skype. Rapid7 also found LodaRAT on systems infected with other malware families, though its distribution method remains uncertain. Unlike earlier targeted campaigns, this version has global reach.
By tweaking older code, attackers demonstrate that even legacy malware can remain effective, emphasizing the need for vigilance and timely patching.
CISA has issued an alert about new vulnerabilities in Palo Alto Networks' Expedition tool being exploited in the wild. Initially, the agency warned of a critical flaw that allowed attackers to take over administrator accounts and access sensitive credentials. Now, two additional vulnerabilities have come to light. The first, newly exploited flaw allows attackers to run operating system commands as root, exposing clear text credentials, device configurations, and API keys. The second lets attackers manipulate the database to extract sensitive information and create or read files on the system, all without authentication. These issues come alongside news of an unrelated zero-day remote code execution vulnerability affecting Palo Alto firewalls. The attacks don't appear connected.
Organizations are unintentionally exposing sensitive data online due to misconfigured access controls in Microsoft Power Pages, a popular low-code website creation tool. Aaron Costello of AppOmni discovered these issues, revealing leaks of personal and organizational data caused by excessive permissions granted to authenticated users, often treated as internal despite public registration options. One notable case involved a UK National Health Service provider inadvertently exposing data for over 1 million employees, including email addresses and home addresses. While this issue was fixed, other organizations globally spanning health, finance and tech sectors were also affected. Costello attributed most leaks to overly permissive database settings such as global access or unprotected columns. Despite Microsoft warnings about risky configurations, complex access controls and column security setups are often ignored, leaving sensitive information vulnerable to exploitation.
Iranian state hackers tracked as TA455 or APT35 are mimicking North Korean tactics to target the aerospace industry with fake job offers. Using platforms like LinkedIn and malicious domains such as careerstofind.com, these hackers create convincing recruiter profiles to lure victims into downloading malware. Called SnailResin, this campaign mirrors North Korea's Operation Dream Job, employing DLL sideloading techniques and malicious zip files disguised as job-related documents. These files have low antivirus detection rates, increasing their effectiveness. Hackers encode command and control data on GitHub and leverage Cloudflare to mask their infrastructure, making tracking difficult. ClearSky researchers suggest Pyongyang may have shared tools or methods with Tehran given the overlap in techniques. By exploiting trust-based platforms, TA455 circumvents traditional security measures and infiltrates networks under the guise of legitimate activity.
The Australian government is warning critical infrastructure providers about state-sponsored cyber actors embedding malware in networks to disrupt national security during crisis or military conflicts. The Cyber and Infrastructure Security Center highlighted threats posed by foreign actors compromising systems without immediate espionage value to enable strategic disruption. The Five Eyes alliance previously warned about China-sponsored Volt Typhoon, which infiltrated US critical infrastructure sectors like energy, water and telecoms to prepare for potential attacks. These actors employ stealthy living-off-the-land techniques, using built-in tools to evade detection and blend into normal network activity. In response, Australia expanded its critical infrastructure protections, requiring designated operators to enhance incident response, fix vulnerabilities and share system data. Legislative updates also empower regulators to enforce risk management and support cybersecurity resilience across interconnected systems.
Robert Purbeck, a 45-year-old from Idaho, has been sentenced to 10 years in prison for a series of cybercrimes targeting medical facilities and other organizations. Over seven years, Purbeck hacked systems, stole sensitive personal data and extorted victims, causing devastating financial and emotional harm. His crimes impacted at least 19 victims, including medical practices, a safe house for domestic violence survivors and public institutions. Using aliases like Lifelock and Stud Master, Purbeck sent threatening emails to extort payments, often targeting individuals' families. In one case he harassed a dentist, threatening to expose patients' data, and even referenced the dentist's child to intimidate compliance. Another victim, an orthodontist, suffered significant losses and had to sell their practice due to Purbeck's relentless harassment. The FBI seized Purbeck's devices in 2019, revealing the data from 132,000 people. Targeting a safe house for women and children fleeing domestic violence is particularly vile, turning a refuge into a potential danger zone.
Coming up after the break, Ambuj Kumar from Symbian joins us to talk about how AI agents are going to change the cyber landscape. Stick around.
And now a word from our sponsor, KnowBe4. It's all connected, and we're not talking conspiracy theories. When it comes to infosec tools, effective integrations can make or break your security stack. The same should be true for security awareness training. KnowBe4, provider of the world's largest library of security awareness training, provides a way to integrate your existing security stack tools to help you strengthen your organization's security culture. KnowBe4's SecurityCoach uses standard APIs to quickly and easily integrate with your existing security products from vendors like Microsoft, CrowdStrike and Cisco. 35 vendor integrations and counting. SecurityCoach analyzes your security stack alerts to identify events related to any risky security behavior from your users. Use this information to set up real-time coaching campaigns targeting risky users based on those events from your network, endpoint, identity or web security vendors. Then coach your users at the moment the risky behavior occurs, with contextual security tips delivered via Microsoft Teams, Slack or email. Learn more at knowbe4.com/securitycoach. That's knowbe4.com/securitycoach. And we thank KnowBe4 for sponsoring our show.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.
Ambuj Kumar is CEO and co-founder of Symbian. I recently caught up with him to talk about how AI agents may change the cyber landscape.
Ambuj Kumar
AI Agent is a virtual employee that is using a brain powered by large language model or AI and is working just like a human, taking some easy things from you in the beginning, later on learning to do more and more complex things.
Dave Buettner
And so how does this differ from the day to day experiences that people have with using tools like ChatGPT for example?
Ambuj Kumar
Yeah, so in ChatGPT you will go and ask it that, hey, I got this alert about email phishing from one of my employee, what should I do? And then ChatGPT will give you maybe 10 sentences that, okay, you know, first go check that employee has clicked on a bad link or not, ask them when did they receive it, et cetera, et cetera. And you will go and do those things. In case of AI agent, for example, my company, Symbian, we are building an AI agent for cybersecurity. So our AI agent will directly take that input, directly take that alert, and actually go and do those things. So they will come to you and say that, hey, in last one hour, we have seen 100 different alerts. I have been able to completely take care of maybe 90% of them, 90 of them. And here is what I did. Here is why I think they are malicious, here is why I think they are not malicious. And here are 10 where I'm struggling to completely take care of them on my own. So this is what agent would do. Just like an employee, right? An employee, you are not asking them every minute that, hey, what should I do? What should I do? Rather, you expect your employee to take care of tasks autonomously. So very different approach.
Dave Buettner
And I suppose just as with a regular employee, there's an onboarding process here of getting the AI agent accustomed to how things are done at your organization. And also, I imagine you have to be careful about what access you provide.
Ambuj Kumar
Absolutely, absolutely. So Symbian has two fundamental building blocks in technology. One is our trusted LLM, and trusted LLM is combination of commodity LLM like GPT-4 or Sonnet, combined with our security knowledge. And so at end of trusted LLM, you get a virtual employee that is skilled in security. Right? But just like you said, when you hire these virtual employees, when you onboard them, now you need to tell them that, hey, these are our VIP users. These are my CEO, CFOs, these are my crown jewel applications. This is my biggest customer. We run things on AWS. Every Tuesday, we roll out our patch. If you see like an alert about this application, here is a person to go to. Here is how we triage these kind of things. So all that information that you give to your human employees when you onboard them, Symbian has a technology to capture all that structured and unstructured information. And we call that context lake, and we feed that context lake to our AI agent, and collectively those two things start to do real work for you, just like a normal human employee.
Dave Buettner
LLMs are kind of famous or perhaps even notorious for this notion of hallucinating, of making things up. How does that play into this? How do you prevent that sort of thing from happening?
Ambuj Kumar
Yeah, great question. And in fact, this is why, it's one of many reasons why this is easy to dream, hard to build, right? And LLMs are, I mean, they hallucinate because they always want to please you. So you know, it becomes like an employee who never says no, always, you know, says yes and always says that they got, you know, did their job. And half the time it's job well done. Half the time, job not well done. And if you work in security that is worse than, you know, worse than where you were in the beginning. Because if you don't know when you can trust the result, then you are always going to double check them and review them. And so it becomes even another monkey on your back rather than something that takes work off you. So the way Symbian does it, and this is one of our unique technology, is that our trusted LLM has a built-in error correction or detection logic. So whenever LLM generates an answer, first we verify internally whether that answer is correct or not. If it is correct, then only we pass it to user, otherwise we kind of iterate. So we said that, okay, we tried to take this one approach, it didn't work out. Let me take another approach. Does it work out? And eventually you find an answer that we internally think it's correct. And then we tell the user that, okay, here is what I got, the answer. And many times if it's unable to find that answer, then we say that, okay, we tried the best and this is a job that's just too hard for us to do. And we bail out just like you expect your trusted normal human employee to do. We are building our AI agents in same mold.
Dave Buettner
What are some of the kind of low hanging fruit tasks that you would recommend? Organizations who are curious about AI agents, what are some of the places where they can kind of turn them loose in an exploratory way.
Ambuj Kumar
Yeah, so there are two use cases that are getting lots of traction and we have some early production uses on both of them. One is Security Operation Center. So in SOC you have your tier one analyst, your tier two analyst, tier three analyst, you have threat hunters. And all of them are working, I mean overworking, they are overworked and there is constantly like maybe five times more job that they can do. So they're always looking for efficiency. And so the way SOC works is that you get an alert from your SIEM or your XDR or maybe you get a trigger from your CTI source that is saying that I'm seeing something bad happening in wild, and then your tier one analyst look at that alert and tries to say whether it's false positive, false or not. I mean it's true positive, then they go and investigate it. And if it really turns out something material, then you put a response plan and you respond to it. And what Symbian can do is 90% of those alerts, it can completely take care of them all by itself. So instead of your tier one analyst seeing 100 alerts, Symbian is taking care of 90 of them and they see only the remaining 10. And those 10, when Symbian passes that to your analyst, it has already added lots of auxiliary information. So it will say that, okay, I have enriched this IP address based on type of alert it was, I have pulled this information from your EDR, CrowdStrike, et cetera. And so when human employees start to triage that alert, they get some boost because they don't have to spend time manually doing various things that AI has already done for them. And so that's one use case, SOC. And we are seeing lots of traction, lots of happy customers there. Second use case is on GRC. So on GRC, one of the things that we are doing right now is that you are a vendor, you are trying to sell your technology to somebody, maybe a bank. And bank says that, okay, before I purchase your product, I need to know about security.
Are you using firewall, what kind of encryption used to protect, what kind of PII data are you in cloud? Do you have 2FA on your applications? Is your API continuously reviewed and fixed, et cetera, et cetera. So these security questionnaires, they tend to be very manual heavy and people spend lots of time answering them and then reviewing them. We have automated all of that so we can create a trust center for you where we put all your compliance documents and security documents behind an NDA firewall. And then we use that information as well as live information from your tools. And when you get a security questionnaire, we automatically fill it. And then you can either send it to customer directly or you can set it so that we send it back. And when the bank sees that response, they can also use Symbian to evaluate. So bank has certain information that is very sensitive, they're looking for some answer to those questions. And so they can use Symbian to evaluate whether the response is good or not. So both security questionnaire filling as well as security questionnaire review, that tend to be very manual and we have completely automated that.
Dave Buettner
You know, I think a lot of folks are concerned about the actual security of the AI models that they're using, that information that they share with it isn't then put into the corpus of information or shared with other organizations, either intentionally or accidentally. What kind of questions should someone be asking if they're out looking for these sorts of products to make sure that those kinds of things aren't going to be a concern?
Ambuj Kumar
Yeah. So first you should ask whether the service is SOC 2 certified or not. And hopefully they should be. I mean that's a very easy one. Second one is what kind of encryption they use. Are you encrypting your customer data or not? Are you keeping different customers' data separate from each other? So meaning that do you have multi-tenancy and cross-tenancy data security problems taken care of? Then you should ask that, hey, do you tokenize my information before you receive? So for example, I'm sending a bunch of my PII information as part of my security data to you. Do you ensure that you tokenize that information before it reaches your system? Then you should ask that, hey, are you training your AI model on my data? And answer should be no, right? Then you should ask that, okay, you know, if you are not training your global AI system on my data, how are you using my data to actually help me? And answer should be yes, right? I mean if you are using AI, AI should be able to use your data to help you. If it's not doing that then, you know, it's not going to be very, very helpful. So you do that. Then you should ask where is the LLM, large language model, that is powering all of this, you know, hosted? Is it self-hosted by the vendor or is it hosted by some third-party company like OpenAI or Google? Right. And in either case you should ask physically where it's located. Because many times companies have geographic concerns, right? So they don't want to send their data cross country, etc., for variety of reasons. Then you can also, if you are enterprise, you can also ask to actually host all of those things in your own VPC, in cloud or even your own data centers, especially if you have your own GPUs. So there are increasing level of sophistication starting from very basic SOC 2 to something where everything is hosted in your own data centers. It's nicely encrypted. Even the service provider like Symbian cannot look at and access your data.
Nothing leaves your data center ever. And so these are two extremes and depending on your own sophistications and needs, you should choose a vendor that fits.
Dave Buettner
That's Ambuj Kumar from Symbian.
And now a word from our sponsor, NordPass. NordPass is an advanced password manager from the team behind NordVPN, designed to help keep your business safe from data leaks and cyber threats. It gives your IT professionals control over who has access to your company's data and makes it easy for everyone else on your team to use strong passwords. Right now you can go to www.nordpass.com/cyberwire for 35% off the NordPass business yearly plan. Don't miss out on.
And finally, the folks at NordPass have released their annual list of the 200 most common passwords. So sit down, tune in your favorite FM radio, and let's review the list.
American Top 40. Welcome back to our countdown. If you're just joining us, we're not talking about the latest pop hits. Nope. We're diving into the top 10 passwords people are using in the U.S. That's right, folks. These are the biggest security slip-ups on repeat year after year. So grab a seat, secure your logins, and let's count down from number 10 to number one.
Starting off our list at number 10, it's a classic combo that just won't quit: "abc123". With over 44,000 people using it, this one's cracked faster than you can say weak password. Coming in at number nine, it's "12345". Now, I don't know what's shorter, this password or the time it takes to crack it. Less than a second. With nearly 50,000 users, this one's practically an invitation. Sliding into the number 8 spot is another familiar sequence: "12345678". Over 52,000 people use this one and hackers can break through it before you can blink. Lucky number seven, it's "password1". Clever, right? Well, maybe not so much. With around 55,000 users, it's one of the easiest passwords for hackers to guess, locking in at under a second to crack. At number six, we've got the classic "123456789". Almost 90,000 people keep going up in numbers, thinking it'll somehow protect them more. Spoiler alert, it doesn't.
Moving into the top five now, things are getting predictable. Number five is "qwerty1". That's right. It's what's right there on your keyboard just waiting to be hacked. Over 200,000 people are using it. At number four, say hello to "qwerty123", a crowd favorite with over 209,000 users. And yes, it's still cracked in less than a second. I should really call this one gateway password. Now, folks, the top three. Taking the third spot is simply "password". Yep, you heard that right. It's got 227,000 users thinking they're safe, but with a crack time of under one second, it's more like an open door. Number two might sound familiar: "123456". Over a quarter million people are relying on this one. I guess they like to keep things simple, but so do hackers. And finally, America, the number one most used password. Drumroll, please. It's "secret". Yes, the least secret secret ever. Over 328,000 people use it, but it is also cracked in less than a second. If you're using it, it's time to change that secret into something actually secure.
So there you have it, folks. America's top 10 passwords. If any of these sound familiar, it might be time for an upgrade. Remember, a strong password is your first line of defense. So here's a reminder to keep your feet on the ground and your passwords long and random.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Blake Tarchet, head of Cloudforce One at Cloudflare. We're discussing their work unraveling SloppyLemming's operations across South Asia. That's Research Saturday. Check it out.
It's time for a shameless plug. On behalf of myself and my amazing Hacking Humans co-hosts Maria Vermazzis and Joe Kerrigan, we are hoping to earn your vote.
I know you thought the election was over and it is, but our hosting team was nominated in the Creator of the Year category in the 2024 Technical.ly Awards for the Baltimore region. We love your support. There's a link in our show notes to cast your vote. Make sure you choose the Baltimore region on your ballot. That's where our nomination is. And do be quick about it. Voting ends on Monday, November 18th. Thanks for your support.
We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector. From the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies, N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your team smarter. Learn how at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Ivan. Our executive editor is Brandon Karp. Simone Petrella is our president, Peter Kielpi is our publisher and I'm Dave Buettner. Thanks for listening. We'll see you back here next week.
The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now employees, apps and networks are everywhere. This means poor visibility, security gaps, and added risk. That's why Cloudflare created the first ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business.
CyberWire Daily: Episode Summary - "One Tap, Total Access: Pegasus Exploits Unveiled"
Release Date: November 15, 2024 | Host: N2K Networks
In this episode of CyberWire Daily, hosted by Dave Buettner and powered by N2K Networks, listeners are presented with a comprehensive roundup of the latest cybersecurity threats, vulnerabilities, and industry developments. The episode delves deep into the unveiling of Pegasus spyware exploits, explores emerging malware threats, and features an insightful interview with Ambuj Kumar, CEO and co-founder of Symbian, discussing the transformative role of AI agents in cybersecurity.
Unredacted court filings from WhatsApp's 2019 lawsuit against NSO Group have shed light on the extensive use of the Pegasus spyware. The Israeli firm targeted approximately 1,400 devices, including those of journalists, human rights activists, and political dissidents.
NSO Group employed sophisticated techniques such as the Eden and Heaven exploits, which involved reverse engineering WhatsApp's code to create fake clients that could bypass security measures. Despite WhatsApp's updates countering these exploits, NSO adapted, allowing government clients to target devices effortlessly by simply entering phone numbers.
A notable case involved Princess Haya of Dubai, where Pegasus was allegedly used amid human rights violations by Sheikh Mohammed bin Rashid Al Maktoum. In response, WhatsApp has vowed to hold NSO accountable for violating U.S. laws and infringing on user privacy.
A new malware strain, Glove Stealer, has emerged, capable of bypassing app-bound encryption in Chromium-based browsers. This malware targets sensitive data, including credentials, cookies, cryptocurrency wallet information, and data from over 80 local applications and 280 browser extensions.
Delivered via phishing emails containing malicious HTML attachments, Glove Stealer tricks victims into executing scripts that install the malware. Once active, it gains administrative privileges, downloads additional modules, and exfiltrates protected data through a command and control server.
Security firm watchTowr has discovered a new zero-day vulnerability in Fortinet's FortiManager, dubbed FortiJump Higher. This flaw allows attackers to escalate privileges from a managed FortiGate device to control the central FortiManager instance, potentially compromising entire Fortinet-managed networks.
Despite Fortinet's efforts to patch FortiJump, watchTowr claims the patch was insufficient, leaving systems exposed. Exploiting these vulnerabilities could grant attackers significant control over networks, emphasizing the need for urgent patching and security measures.
Rapid7 has identified an updated version of LodaRAT, a remote access tool initially observed in 2016. This version can steal cookies and credentials from browsers like Microsoft Edge and Brave. Written in AutoIt, LodaRAT retains functionalities such as screen capturing, webcam control, data exfiltration, and delivering additional payloads.
The malware is distributed through Donut Loader and Cobalt Strike, often masquerading as legitimate software like Discord or Skype. Its resurgence underscores the effectiveness of repurposing legacy malware with minimal code tweaks to evade detection.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued alerts regarding active exploitation of vulnerabilities in Palo Alto Networks' Expedition tool. CISA initially highlighted a critical flaw allowing attackers to seize administrator accounts, and two additional vulnerabilities have since been discovered:
These vulnerabilities are part of a broader issue, including an unrelated zero-day remote code execution flaw affecting Palo Alto firewalls, though no direct connection between the exploits has been established.
Misconfigured Microsoft Power Pages accounts have led to the unintentional exposure of sensitive data online. Aaron Costello of AppOmni revealed that excessive permissions granted to authenticated users often result in significant data leaks.
Despite Microsoft’s warnings, many organizations across health, finance, and tech sectors continue to overlook secure access configurations, leaving personal and organizational data vulnerable to exploitation.
Iranian state hackers, identified as TA455 or APT35, are reportedly mimicking North Korean tactics to target the aerospace industry with fake job offers. Utilizing platforms like LinkedIn and malicious domains such as careerstofind.com, these hackers deploy sophisticated DLL sideloading techniques and malicious ZIP files disguised as job-related documents.
Research suggests possible collaboration between Pyongyang and Tehran, given the overlapping techniques used, highlighting the evolving landscape of state-sponsored cyber threats.
The Australian government has issued warnings to critical infrastructure providers regarding the threat of state-sponsored cyber actors embedding malware within networks. These actors aim to disrupt national security during crises or military conflicts by compromising systems without immediate espionage value.
In response, Australia has enhanced its critical infrastructure protections, mandating designated operators to bolster incident response, remediate vulnerabilities, and share system data. Legislative updates now empower regulators to enforce comprehensive risk management and support cybersecurity resilience across interconnected systems.
Robert Purbeck, a 45-year-old from Idaho, has been sentenced to 10 years in prison for a series of cybercrimes targeting medical facilities and other organizations. Over seven years, Purbeck hacked systems, stole sensitive personal data, and extorted victims, impacting at least 19 entities, including medical practices and safe houses for domestic violence survivors.
Using aliases like "Lifelock" and "Stud Master," Purbeck employed threatening emails to extort payments, often leveraging personal references to intimidate compliance. His activities underscore the severe repercussions of cybercrimes on vulnerable populations and critical services.
In a special segment, Dave Bittner interviews Ambuj Kumar, CEO and co-founder of Simbian, to explore how AI agents are revolutionizing the cybersecurity landscape.
Ambuj Kumar defines an AI agent as a "virtual employee" powered by large language models (LLMs) like GPT-4, capable of performing tasks autonomously and progressively handling more complex responsibilities.
When compared to tools like ChatGPT, AI agents offer a more autonomous approach. Instead of merely providing advice, AI agents can execute tasks independently.
This autonomy allows AI agents to handle a significant portion of routine alerts without constant human intervention, enhancing efficiency within security operations.
Effective deployment of AI agents involves an onboarding process similar to that of human employees. This includes defining critical users, applications, and response protocols.
A key challenge with LLMs is the tendency to "hallucinate" or generate inaccurate information. Simbian addresses this by incorporating built-in error correction and detection logic.
This ensures that AI agents provide reliable and accurate responses, mitigating risks associated with data inaccuracies.
AI agents can significantly reduce the workload within SOCs by autonomously handling routine alerts. Simbian's AI agents can manage up to 90% of alerts, allowing human analysts to focus on more critical incidents.
AI agents streamline the process of responding to security questionnaires, a typically manual and time-consuming task. By automating the filling and reviewing of security questionnaires, organizations can enhance efficiency and accuracy.
When integrating AI agents, organizations must prioritize security to prevent data breaches and unauthorized access.
Kumar emphasizes the importance of encryption, multi-tenancy data security, and ensuring that AI models do not train on sensitive customer data. Additionally, organizations should consider the hosting location of LLMs and explore options like self-hosting within their own data centers for enhanced security.
In a sponsored segment by NordPass, the podcast reveals the 200 most common passwords, highlighting the top 10 least secure ones used in the U.S. on November 15, 2024:
Dave Bittner cautions, "If you're using it, it's time to change that secret into something actually secure." This segment serves as a stark reminder of the importance of strong, unique passwords in safeguarding personal and organizational data.
Dave concludes the episode by promoting upcoming content, including an interview with Blake Darché from Cloudflare's Cloudforce One, and urges listeners to support the podcast's nomination for the Creator of the Year category in the Baltimore region's 2024 Technical.ly Awards.
Listeners are encouraged to provide feedback, rate and review the podcast, and visit thecyberwire.com for links to all stories discussed in the episode.