Dave Bittner
You're listening to the CyberWire Network, powered by N2K. Quick question: do your end users always, and I mean always, without exception, work on company-owned devices and IT-approved apps? I didn't think so. So my next question is: how do you keep your company's data safe when it's sitting on all those unmanaged apps and devices? 1Password has an answer to this: Extended Access Management. 1Password Extended Access Management helps you secure every sign-in for every app on every device, because it solves the problems traditional IAM and MDM can't touch. And it's now available to companies with Okta and Microsoft Entra, and in beta for Google Workspace customers. Check it out at 1Password.com/cyberwire. That's 1Password.com/cyberwire. Microsoft confirms a critical Windows zero-day vulnerability. Global law enforcement agencies dismantle 27 DDoS platforms. Researchers compromise memory in AMD virtual machines. Ivanti reports multiple critical vulnerabilities in its Cloud Services Application. Group-IB researchers expose a sophisticated global phishing campaign. A zero-day vulnerability in Cleo's managed file transfer software is under active exploitation. The US sanctions a Chinese firm for a 2020 firewall exploit. Congress looks to require the FCC to regulate telecom cybersecurity. Our guest is Malachi Walker, security strategist at DomainTools, discussing their role in ODNI's newly established Sentinel Horizon program. And Spartan Warriorz dodge a Telegram crackdown. It's Wednesday, December 11th, 2024. I'm Dave Bittner, and this is your CyberWire Intel Brief. Hello, and thank you for joining us here today. Great to have you with us, as always. Microsoft has confirmed a critical zero-day vulnerability impacting all Windows editions back to Server 2008, which is currently being exploited in the wild. The flaw, a heap-based buffer overflow in the Windows Common Log File System driver, poses significant risks, including full system compromise, with a CVSS score of 7.8.
Experts suggest treating this as a critical issue. CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog, urging immediate patching. Cyber criminals, particularly ransomware groups, are expected to exploit this flaw given their history of targeting CLFS vulnerabilities. While Microsoft included a fix in December's Patch Tuesday updates, experts emphasize that the aging CLFS code base requires a complete overhaul to prevent future issues. All Windows users are strongly advised to update their systems promptly to mitigate the risks. And speaking of Patch Tuesday, in total, Redmond's update included fixes for 16 critical vulnerabilities, many targeting remote code execution. These include nine flaws in Windows Remote Desktop Services, three in Lightweight Directory Access Protocol, and two in Microsoft Message Queuing. One LDAP flaw stands out with a CVSS score of 9.8, allowing attackers to execute code via specially crafted LDAP calls. Microsoft advises restricting domain controller exposure to mitigate risks. Atlassian and Splunk released patches addressing over two dozen vulnerabilities across their products. Atlassian fixed 10 high-severity flaws in Bamboo, Bitbucket and Confluence, impacting third-party components like Apache Commons Compress, AWS SDK, Hazelcast and Bouncy Castle. No exploitation has been reported, but updates are strongly advised. Splunk resolved 15 vulnerabilities, including a high-severity deserialization flaw in Secure Gateway that allows remote code execution. Splunk Enterprise versions also received fixes for additional bugs. No active exploitation of these flaws has been reported. Google has released a critical Chrome update to address three high-severity vulnerabilities. These include a type confusion flaw in the V8 JavaScript engine, a use-after-free bug in the Translate feature, and an undisclosed flaw, to prevent exploitation during the rollout.
The December 2024 ICS Patch Tuesday brought critical security updates from CISA and major industrial automation companies. Schneider Electric addressed a critical flaw in Modicon controllers allowing unauthenticated disruption, a high-severity vulnerability in Harmony and Pro-face HMI products enabling device control via malicious code, and a medium-severity denial of service bug in PowerChute Serial Shutdown. Siemens released 10 advisories, including high-severity issues in RUGGEDCOM ROX II devices, SIMATIC S7 products and engineering tools like Teamcenter Visualization. Some vulnerabilities lack patches but offer mitigations. Rockwell Automation disclosed high-severity code execution flaws in its Arena software, while CISA issued seven advisories highlighting vulnerabilities in Horner, Seascape, National Instruments LabVIEW and Mobatime's Network Master Clock. Phoenix Contact also warned of security issues in PLCnext firmware. Elsewhere, global law enforcement agencies have dismantled 27 platforms used for launching distributed denial of service attacks, arresting three administrators in France and Germany and identifying over 300 users, in an effort dubbed Operation PowerOFF. The effort targeted booter and stresser websites used by cyber criminals and hacktivists to disrupt websites with illegal traffic. Europol provided analytical and forensic support, while prevention measures included online ad campaigns warning against DDoS activities, targeting potential offenders through YouTube and Google Ads. Over 250 warning letters and 2,000 emails were also issued to deter future misuse. Researchers have uncovered a vulnerability dubbed BadRAM that compromises AMD's Secure Encrypted Virtualization-Secure Nested Paging feature in its EPYC processors, designed to protect memory in virtual machines, using only $10 of hardware. Attackers can exploit the vulnerability by tampering with the SPD chip on DRAM modules, tricking the CPU into accessing unauthorized memory areas.
BadRAM allows attackers to bypass memory protections, expose sensitive data and compromise SEV-protected virtual machines, including faking remote attestation reports and inserting backdoors. While primarily a concern for cloud environments, insider threats or unlocked BIOS settings could enable attacks without physical access. AMD has worked with researchers to mitigate the issue, releasing firmware updates to validate memory configurations at boot. Organizations are urged to update their processors. Ivanti has issued a security advisory for three critical vulnerabilities in its Cloud Services Application, including a maximum 10-rated flaw which allows unauthenticated attackers to gain administrative privileges via authentication bypass in the admin web console. Two additional vulnerabilities, both rated 9.1, include a command injection flaw enabling remote code execution and a SQL injection bug that allows arbitrary SQL commands. Patches are available. Ivanti stated there is no evidence of exploitation, but urges immediate updates to prevent potential risks. This follows previous high-profile CSA vulnerabilities flagged by CISA due to active exploitation risks. A sophisticated phishing campaign is targeting employees of over 30 companies across 12 industries, including energy, finance and government sectors. Using trusted domains, dynamic company branding and document platform impersonation, attackers bypass email security to steal login credentials via over 200 malicious links. Stolen credentials are sent in real time to attackers via C2 servers or Telegram bots. Group-IB researchers exposed the campaign and urge organizations to implement multifactor authentication, advanced email filters and employee training to mitigate risks. Hackers are actively exploiting a zero-day vulnerability in Cleo's managed file transfer software, impacting products like Harmony, VLTrader and LexiCom.
The flaw allows unrestricted file uploads and remote code execution, bypassing a prior patch from October of this year. Attackers use PowerShell commands to steal data, deploy web shells and compromise systems. With over 390 exposed servers globally, most in the U.S., researchers at Huntress recommend immediate mitigations, including firewall restrictions, disabling autorun features and checking for malicious files. Cleo plans to release a patch soon. The US government has sanctioned Chinese firm Sichuan Silence and employee Guan Tianfeng for exploiting a firewall vulnerability in a 2020 attack affecting 81,000 devices globally, including US critical infrastructure. The attackers employed the Asnarok Trojan to steal credentials and attempted to install Ragnarok ransomware, risking serious damage and potential loss of life, such as oil rig malfunctions. Sichuan Silence, linked to Chinese intelligence, specializes in offensive cyber techniques. Sanctions freeze their US assets, and a $10 million reward is offered for further information. Senator Ron Wyden introduced legislation to require the FCC to regulate telecom cybersecurity under the 1994 Communications Assistance for Law Enforcement Act. This response follows the Salt Typhoon breach, where Chinese-linked hackers infiltrated US telecom networks, compromising calls and messages in a years-long espionage campaign. The proposed bill mandates FCC action within a year, with input from CISA and the Office of the Director of National Intelligence, and includes annual testing of telecom systems for vulnerabilities. It also requires independent audits to ensure compliance. Wyden criticized the FCC for previously allowing telecom companies to self-regulate cybersecurity, calling it a failure that enabled foreign spying. The legislation builds on FCC efforts to strengthen telecom security and Wyden's broader push to address Salt Typhoon's devastating impact on national security.
Coming up after the break, my conversation with Malachi Walker, security strategist at DomainTools, and Spartan Warriorz dodge a Telegram crackdown. And now a word from our sponsor, KnowBe4. It's all connected, and we're not talking conspiracy theories. When it comes to infosec tools, effective integrations can make or break your security stack. The same should be true for security awareness training. KnowBe4, provider of the world's largest library of security awareness training, provides a way to integrate your existing security stack tools to help you strengthen your organization's security culture. KnowBe4's SecurityCoach uses standard APIs to quickly and easily integrate with your existing security products from vendors like Microsoft, CrowdStrike and Cisco. 35 vendor integrations and counting. SecurityCoach analyzes your security stack alerts to identify events related to any risky security behavior from your users. Use this information to set up real-time coaching campaigns targeting risky users based on those events from your network, endpoint, identity or web security vendors. Then coach your users at the moment the risky behavior occurs with contextual security tips delivered via Microsoft Teams, Slack or email. Learn more at knowbe4.com/SecurityCoach. That's knowbe4.com/SecurityCoach, and we thank KnowBe4 for sponsoring our show. Identity architects and engineers: modernize your identity systems with Strata. Integrate legacy apps with any IdP, ensure seamless identity failover and apply MFA without touching app code. Strata offers robust, efficient identity management, reducing tech debt and enhancing security. Gain peace of mind and operational efficiency with Strata's comprehensive solutions. Visit strata.io, share your biggest identity challenge and enjoy free AirPods Pro. Optimize your identity solutions today. Visit strata.io/cyberwire. And our thanks to Strata for being a longtime friend and supporter of this podcast.
Malachi Walker is security strategist at DomainTools. I recently caught up with him to discuss their role in ODNI's newly established Sentinel Horizon program.
Malachi Walker
So it's really a landmark program where it's combining a lot of the intelligence that's being seen across the private sector with the capabilities and the reach of the public sector. And this is going to be a great program to foster some more of those public private partnerships to get more information on cybersecurity incidents and really collect information on every niche of cybersecurity to better inform policy decisions, track malicious adversaries, and then even protect America from state sponsored level threats.
Dave Bittner
Well, I know you and your colleagues there at DomainTools have been selected as one of the foundational partners here with this program. What does that mean for you all? What sort of things will you be contributing?
Malachi Walker
Absolutely. We're very excited to kind of contribute our data into DNS, into malicious domains and just domains in general as they're being spun up. We have a view of infrastructure as that infrastructure is being developed. So before it even enters the network, there's going to be some visibility there into different domains, their associated IP addresses and how they might relate to known malicious infrastructure. And this knowledge will be incredibly helpful, combined with the amazing tools that are also incorporated with this program, to gain more visibility and make more informed decisions when related to keeping America safe from state-sponsored threats, even financially motivated adversaries, and just overall bettering the security posture as a whole.
Dave Bittner
So your organization and other organizations as well are going to be feeding information into this program. What's your understanding of what happens once it gets there and gets blended and analyzed and then, you know, put out the other side. How exactly do you suppose that's all going to work?
Malachi Walker
Well, I don't want to speculate, because everything is still in the early stages and there are a lot more informed individuals, like on the day-to-day working with ctec, who's spearheading this effort from the DomainTools side. But what I can say is that this will be an IC-wide approach. So this will help collectively prioritize and build different intelligence on cybersecurity-related matters. And you can see that with the other companies that have announced their participation in this program and the different efforts they work towards, there's truly a large breadth of capabilities involved in this program that are ultimately going to lead to more intelligence that can help make more informed decisions that ultimately protect the American people from these outsider risks.
Dave Bittner
And what was it about this program that made you all decide that this is something you wanted to be part of, it was something you wanted to pursue?
Malachi Walker
We're deeply in line with the mission of ODNI, and we've been supporting the IC for as long as we've been involved in cybersecurity in general. So we see ourselves as an essential component to the IC's effort in protecting the nation from state-sponsored adversaries and malicious threats. And we see that these efforts are going to be a continuous priority. And we want to make sure that we're doing everything in our power with the data that we're seeing, with the domains that we see as they're being spun up, to help inform and not operate in a silo. We want to make sure that we can do our part to foster that collaboration between the public sector, the private sector, different private sector organizations, and allow that intelligence to be the rising tide that lifts all boats.
Dave Bittner
Yeah, you know, in conversations that I have with folks in the IC, one of the things that comes up time and time again is this desire and need for public-private partnerships. Can you speak to that element of this? I mean, why is that the way forward here?
Malachi Walker
It's going to take all of us. When you think about a cybersecurity incident, even down to an individual organization's level, you're only as strong as the area that's being exploited. And so if there is a gap in visibility from one part of a company, then it doesn't matter that everything else is being put in place, all these different controls. The adversary only needs to be right one time. And so public-private partnerships take that concept at the organizational level and expand it to a countrywide level, where there's going to be more visibility into what threats should be prioritized. There are going to be fewer blind spots, because information is going to be shared better. And so this will be helpful for private sector organizations in protecting themselves, but also public sector organizations in protecting the American people. And everyone who's involved in a private sector organization that's an American citizen is going to benefit from being in this country and protected from these other threats on the public side as well. So it's really mutually beneficial for public and private sector organizations to be sharing information, understanding that intelligence, and protecting each other and giving that visibility. So if there's anything that might not be seen on one end, having that other visibility on the other side will be incredibly essential to paint a full picture and better inform different decision-making without opening up either American citizens or even an organization in general to different cybersecurity risks.
Dave Bittner
That's Malachi Walker from DomainTools. And finally, Spartan Warriorz, with a Z. A prolific phishing scam group is proving it takes more than a Telegram channel shutdown to stop their operation. Known for selling and distributing over 300 phishing kits targeting brands across industries like financial institutions, retail, delivery services and social media, they lost their Telegram channel on Nov. 21, which had 5,300 subscribers. Within hours, they launched a new one, inviting old subscribers while scouting for fresh recruits. The group's kits, while not the flashiest, are highly effective. They enable phishing campaigns with features like credential theft, CAPTCHA prompts and redirections to Google or fake 404 pages. They even let criminals exfiltrate stolen data through Telegram's API. Spartan Warriorz also provide access to compromised websites and email spamming tools, solidifying their foothold in the phishing ecosystem. Though Telegram promised a crackdown on criminal channels following the arrest of its CEO, Pavel Durov, in August, Spartan Warriorz has adapted, taking precautions to avoid further disruptions. Their persistence and willingness to distribute free kits for popular brands have cemented their reputation as determined operators in the criminal world. For now, Spartan Warriorz remain a thorn in the side of cybersecurity professionals, showing that while they might not reinvent the phishing wheel, they've mastered the art of persistence and adaptability. And that's the CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment: your people. We make you smarter about your teams while making your team smarter. Learn how at n2k.com. This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Title: When Exploits Go Wild and Patches Race the Clock
Host: Dave Bittner, N2K Networks
Release Date: December 11, 2024
In the December 11, 2024 episode of CyberWire Daily, host Dave Bittner delves into the latest cybersecurity threats, vulnerabilities, and responses shaping the industry. From critical zero-day exploits to significant law enforcement actions, the episode offers a comprehensive overview of the current cybersecurity landscape. A notable segment is an interview with Malachi Walker, Security Strategist at DomainTools, discussing the newly established Sentinel Horizon program under the Office of the Director of National Intelligence (ODNI).
Microsoft has officially acknowledged a severe zero-day vulnerability affecting all Windows editions back to Server 2008. This flaw, a heap-based buffer overflow in the Windows Common Log File System (CLFS) driver, carries a CVSS score of 7.8, posing significant risks such as full system compromise. Notably, this vulnerability is actively exploited in the wild.
Expert Insight:
"This is a critical issue that demands immediate attention," emphasized CISA, urging all Windows users to patch their systems promptly.
Although Microsoft released a fix during December's Patch Tuesday, experts warn that the aging CLFS codebase necessitates a comprehensive overhaul to prevent similar vulnerabilities in the future. The broader Patch Tuesday update addressed 16 critical vulnerabilities, including nine in Windows Remote Desktop Services and three in Lightweight Directory Access Protocol (LDAP), one of which has a staggering CVSS score of 9.8.
Atlassian has patched 10 high-severity flaws across products like Bamboo, BitBucket, and Confluence, addressing issues in third-party components such as Apache Commons and AWS SDK. Similarly, Splunk resolved 15 vulnerabilities, including a high-severity deserialization flaw in Secure Gateway that permits remote code execution. While no active exploitation has been reported, updating systems is strongly recommended to mitigate potential risks.
Google has rolled out a critical Chrome update targeting three high-severity vulnerabilities, including a type confusion flaw in the V8 JavaScript engine and a use-after-free bug in the Translate feature. These patches are essential to prevent exploitation during the rollout phase.
The December 2024 ICS Patch Tuesday brought vital security updates from CISA and leading industrial automation companies:
Schneider Electric: a critical flaw in Modicon controllers allowing unauthenticated disruption, a high-severity vulnerability in Harmony and Pro-face HMI products enabling device control via malicious code, and a medium-severity denial of service bug in PowerChute Serial Shutdown.
Siemens: 10 advisories, including high-severity issues in RUGGEDCOM ROX II devices, SIMATIC S7 products and engineering tools like Teamcenter Visualization.
Rockwell Automation: high-severity code execution flaws in its Arena software.
CISA: seven advisories highlighting vulnerabilities in Horner, Seascape, National Instruments LabVIEW and Mobatime's Network Master Clock.
Phoenix Contact: security issues in PLCnext firmware.
While some vulnerabilities lack immediate patches, mitigations have been provided to enhance security posture.
Global law enforcement agencies successfully dismantled 27 Distributed Denial of Service (DDoS) platforms in a coordinated effort named Operation Power Off. This operation led to the arrests of three administrators in France and Germany and the identification of over 300 users. The crackdown targeted booter and stressor websites notorious for enabling cybercriminals and hacktivists to disrupt websites with illegal traffic.
Preventative Measures:
Europol and partner agencies employed analytical and forensic support, complemented by online ad campaigns on platforms like YouTube and Google Ads, issuing over 250 warning letters and 2,000 emails to deter future misuse.
Researchers uncovered a vulnerability named BadRAM impacting AMD's Secure Encrypted Virtualization (SEV) feature in EPYC processors. This flaw allows attackers to bypass memory protections by tampering with the SPD chip on DRAM modules, exposing sensitive data and compromising SEV-protected virtual machines. While primarily a threat to cloud environments, insider threats or unlocked BIOS settings could facilitate attacks without physical access.
Mitigation:
AMD has responded by releasing firmware updates to validate memory configurations at boot. Organizations are strongly advised to update their processors to safeguard against potential exploits.
Ivanti has identified three critical vulnerabilities in its Cloud Services Application:
An authentication bypass in the admin web console, rated a maximum 10, which allows unauthenticated attackers to gain administrative privileges.
A command injection flaw, rated 9.1, enabling remote code execution.
A SQL injection bug, rated 9.1, that allows arbitrary SQL commands.
Patches are available, and while no evidence of exploitation exists, Ivanti urges immediate updates to prevent potential breaches.
Researchers have exposed a sophisticated phishing campaign targeting employees across 30 companies in 12 industries, including energy, finance, and government sectors. Utilizing trusted domains, dynamic company branding, and document platform impersonation, attackers successfully bypass email security measures to steal login credentials through over 200 malicious links. Stolen credentials are transmitted in real-time to attackers via C2 servers or Telegram Bots.
Mitigation Strategies:
Group-IB researchers recommend implementing multifactor authentication, advanced email filters, and comprehensive employee training to mitigate these sophisticated phishing risks.
A zero-day vulnerability in Cleo's managed file transfer software is under active exploitation, affecting products like Harmony, VLTrader, and LexiCom. This flaw permits unrestricted file uploads and remote code execution, effectively bypassing a previous patch from October. Attackers use PowerShell commands to steal data, deploy web shells, and compromise systems, with over 390 exposed servers globally, predominantly in the U.S.
Recommended Actions:
Huntress researchers advise immediate mitigations, including firewall restrictions, disabling autorun features, and scanning for malicious files. Cleo has pledged to release a patch soon.
The US government has sanctioned Sichuan Silence, a Chinese firm, and its employee Guan Tianfeng for exploiting a firewall vulnerability in a 2020 attack. This breach affected 81,000 devices globally, including critical US infrastructure. The attackers utilized the Asnarok Trojan to steal credentials and attempted to deploy Ragnarok ransomware, posing risks of severe damage and potential loss of life, such as oil rig malfunctions.
Consequences:
Sanctions include freezing their US assets, and a $10 million reward has been offered for further information.
Senator Ron Wyden has introduced legislation compelling the Federal Communications Commission (FCC) to regulate telecom cybersecurity under the 1994 Communications Assistance for Law Enforcement Act (CALEA). This initiative responds to the Salt Typhoon breach, where Chinese-linked hackers infiltrated US telecom networks, conducting a long-term espionage campaign.
Key Provisions of the Bill:
FCC action within a year, with input from CISA and the Office of the Director of National Intelligence.
Annual testing of telecom systems for vulnerabilities.
Independent audits to ensure compliance.
Support and Criticism:
Wyden criticized the FCC for previously allowing telecom companies to self-regulate cybersecurity, deeming it a failure that enabled foreign espionage. The legislation aims to enhance telecom security, building on FCC efforts and addressing national security concerns raised by incidents like Salt Typhoon.
Guest: Malachi Walker, Security Strategist at DomainTools
Timestamp: [15:58] - [21:46]
Malachi Walker provides an in-depth look into DomainTools' role in ODNI's newly established Sentinel Horizon program. This landmark initiative aims to merge intelligence from the private sector with public sector capabilities to bolster cybersecurity defenses across the nation.
Key Highlights:
Program Objectives: combine private-sector intelligence with the capabilities and reach of the public sector in an IC-wide approach, to better inform policy decisions, track malicious adversaries, and protect against state-sponsored threats.
DomainTools' Contribution: DNS and domain data on infrastructure as it is being spun up, including associated IP addresses and how they relate to known malicious infrastructure, giving visibility before that infrastructure enters a network.
Public-Private Partnerships: shared visibility across sectors reduces blind spots, since a defender is only as strong as the area being exploited and the adversary only needs to be right once.
Notable Quotes:
On the Program's Impact:
"[Sentinel Horizon] is going to be a great program to foster some more of those public-private partnerships to get more information on cybersecurity incidents and really collect information on every niche of cybersecurity to better inform policy decisions."
— Malachi Walker [15:58]
On DomainTools' Role:
"We have a view of infrastructure as that infrastructure is being developed. So before it even enters the network there's going to be some visibility there into different domains, their associated IP addresses and how they might relate to known malicious infrastructure."
— Malachi Walker [16:46]
On Public-Private Collaboration:
"Public-private partnerships take that concept at the organizational level and expand it to a countrywide level where there's going to be more visibility into what threats should be prioritized."
— Malachi Walker [20:01]
Despite a recent crackdown, the Spartan Warriorz phishing scam group continues to operate with remarkable resilience. Known for distributing over 300 phishing kits targeting industries such as financial services, retail, delivery, and social media, the group swiftly adapted after their primary Telegram channel, which had amassed 5,300 subscribers, was shut down on November 21. Within hours, they launched a new channel, re-engaging former subscribers and attracting new recruits.
Operational Tactics:
The group's kits offer credential theft, CAPTCHA prompts, redirections to Google or fake 404 pages, and exfiltration of stolen data through Telegram's API; the group also provides access to compromised websites and email spamming tools.
Adaptability:
Although Telegram promised stricter crackdowns on criminal channels following the arrest of its CEO, Pavel Durov, in August, Spartan Warriorz have demonstrated adaptability by modifying their operations to evade further disruptions. Their commitment to distributing free kits for popular brands underscores their determination and persistence in the cybercriminal arena.
The December 11th episode of CyberWire Daily underscores the relentless pace at which cyber threats evolve and the critical need for timely patches, robust law enforcement actions, and strategic public-private collaborations. The insights shared by Malachi Walker highlight the importance of integrated intelligence efforts to fortify national cybersecurity defenses. Meanwhile, the enduring activities of groups like Spartan Warriorz serve as a stark reminder of the persistent challenges faced by cybersecurity professionals. Staying informed and proactive remains paramount in navigating the complex and dynamic cybersecurity landscape.
Stay Informed:
To keep abreast of the latest in cybersecurity, subscribe to CyberWire Daily and ensure you’re always a step ahead in safeguarding your digital assets.