Claire Aird
Biden signs his last cyber Executive Order, a threat actor leaks 15,000 Fortinet firewall configs, the US Treasury sanctions a company behind Salt Typhoon, and the FTC settles with GoDaddy over its many cybersecurity failures. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 20th of January and this podcast episode is brought to you by Resourcely, the company that can help you manage Terraform securely.

In today's top story, outgoing US President Joe Biden has signed an executive order that places new cybersecurity requirements on federal agencies and their contractors. New obligations include deploying phishing-resistant authentication systems, encrypting email traffic, and using encrypted communications systems. Federal agencies will also have to secure their address space and routing, share detection data with CISA, and only buy IoT devices that feature the US Cyber Trust Mark. The executive order also expands the legal powers of federal agencies to sanction foreign threat actors that target US critical infrastructure.

In other news, the US Treasury has imposed sanctions on Sichuan Juxinhe Network Technology, a Chinese cybersecurity company linked to the Salt Typhoon APT group. The US says the company was directly involved in hacking multiple US telcos. CISA Director Jen Easterly says the Salt Typhoon group was also active on several federal networks before the group's telco hacks. Easterly says the early detection allowed CISA to seize one of the group's servers and spot the larger campaign. The US Treasury has also sanctioned Shanghai-based Yin Kecheng, who was involved in hacking the Treasury itself late last year. Officials say Yin is a Ministry of State Security affiliate and his work supported the Chinese APT group Silk Typhoon. According to a private intelligence report, the group had direct access to over 400 laptops and desktop computers inside the US Treasury. The agency says Silk Typhoon stole over 3,000 unclassified documents in December, operating outside of normal working hours to avoid detection. The intrusion targeted the agency's sanctions and foreign investment bureaus, and US Treasury Secretary Janet Yellen's computer was one of the compromised systems.

Web hosting company GoDaddy has settled an FTC investigation into its many security failures. The company has agreed to set up a robust security program and is prohibited from misleading customers about its security features. GoDaddy will have to roll out multi-factor authentication for customers and employees, remove outdated gear from its network, and protect its APIs. The agency did not impose a fine. The FTC has also banned American carmaker General Motors from collecting and selling its customers' information for five years. The agency's actions come after reports that GM sold geolocation data and driver behaviour to insurance companies. The data was used to raise insurance rates for drivers based on their driving styles.

The European Commission has unveiled a plan to strengthen cybersecurity in the healthcare sector. Officials plan to build an EU-wide early warning service that will deliver alerts on potential cyber threats. The EU will also establish a rapid response service using trusted private service providers to help hospitals deal with cyber attacks. The scheme also includes financial assistance for smaller hospitals and healthcare providers.

Almost 100 foreign governments have purchased spyware designed to compromise cell phones. The head of the US government's counterintelligence agency, Michael Casey, says the mobile spyware market has seen huge growth, with dozens of companies selling surveillance products. The agency says nearly 20 new countries have acquired mobile spyware since 2023.

A threat actor breached the Amazon S3 cloud storage environment of hotel management platform Otelier in July last year. Otelier's platform is used by big chains like Marriott, Hilton and Hyatt to manage reservations. Over 10,000 hotels use the platform, and the attacker is believed to have stolen the data of millions of customers. The company has confirmed the breach, which allegedly took place via an employee's stolen Atlassian credentials.

A threat actor has leaked config files and login credentials for over 15,000 Fortinet firewalls, according to security researcher Kevin Beaumont. The data was collected in October 2022 using what was a zero-day vulnerability at the time. Security researchers have extracted the IPs of all affected devices and are notifying affected organisations. The threat actor behind the leak calls itself the Belsen Group.

A Russian APT group Microsoft calls Star Blizzard is targeting the WhatsApp accounts of government officials and organisations that provide support to Ukraine. The group has been linked to Russia's FSB intelligence service. Microsoft claims the group mixed up its TTPs to target WhatsApp accounts after the FBI seized some of the group's server infrastructure in October.

And finally, the Kubernetes project has patched a vulnerability that could have allowed threat actors to take over compute nodes. The vulnerability allowed attackers who could query a node's logging endpoint to execute commands. Only nodes running on Windows are impacted. And that is all for this podcast edition. Today's show is brought to you by our sponsor Resourcely. Find them at resourcely.io. Thanks for your company.
Podcast Title: Risky Bulletin
Host: Claire Aird, Risky Business Team
Release Date: January 19, 2025
In the latest episode of Risky Bulletin, host Claire Aird delves into a series of significant cybersecurity developments shaping the digital landscape. From President Joe Biden's final cyber executive order to major cyberattacks and regulatory actions, this episode provides a comprehensive overview of the current state of cybersecurity. Below is a detailed summary of the key discussions, insights, and conclusions presented.
The episode opens with the announcement of President Joe Biden signing his last cyber executive order, marking a pivotal moment in U.S. cybersecurity policy.
New Cybersecurity Requirements:
The executive order imposes new cybersecurity measures on federal agencies and their contractors. Key obligations include deploying phishing-resistant authentication, encrypting email traffic, and using encrypted communications systems.
"Federal agencies will also have to secure their address space and routing, share detection data with CISA, and only buy IoT devices that feature the US Cyber Trust Mark," explains Claire Aird (00:04).
Enhanced Legal Powers:
The order expands the authorities of federal agencies to sanction foreign threat actors targeting U.S. critical infrastructure, strengthening the nation's defensive posture against cyber threats.
A significant development highlighted is the U.S. Treasury's sanctions against Sichuan Juxinhe Network Technology, a Chinese cybersecurity firm.
Connection to Salt Typhoon APT Group:
The company is linked to the Salt Typhoon Advanced Persistent Threat (APT) group, involved in hacking multiple U.S. telecommunications companies.
Impact on Federal Networks:
"The Salt Typhoon Group was also active on several federal networks before the group's telco hacks," notes Claire Aird (00:04). CISA Director Jen Easterly emphasized the early detection efforts that led to seizing one of the group's servers, uncovering a broader cyber campaign.
Additional Sanctions:
Shanghai-based Yin Kecheng, whom officials describe as a Chinese Ministry of State Security affiliate whose work supported the Silk Typhoon group, has also been sanctioned over the intrusion into the Treasury itself late last year. According to a private intelligence report, the group had direct access to over 400 U.S. Treasury laptops and desktops and stole more than 3,000 unclassified documents in December, operating outside normal working hours to avoid detection. The intrusion targeted the sanctions and foreign investment bureaus, and "US Treasury Secretary Janet Yellen's computer was one of the compromised systems," Aird states (00:04).
Web hosting giant GoDaddy has reached a settlement with the Federal Trade Commission (FTC) concerning multiple cybersecurity lapses.
Settlement Conditions:
"The company has agreed to set up a robust security program and is prohibited from misleading customers about its security features," Claire Aird reports (00:04).
No Financial Penalty:
The FTC did not impose a fine; the order instead requires operational changes: multi-factor authentication for customers and employees, removal of outdated gear from GoDaddy's network, and protection of its APIs.
In a related move, the FTC has prohibited General Motors (GM) from collecting and selling its customers' information for five years. The action follows reports that GM sold geolocation and driver-behaviour data to insurance companies, which used it to raise rates based on how people drove.
The European Commission unveiled a strategic initiative to bolster cybersecurity within the healthcare sector.
Key Components of the Plan:
"Officials plan to build an EU-wide early warning service that will deliver alerts on potential cyber threats," states Claire Aird (00:04).
The episode highlights a significant uptick in the mobile spyware market, with nearly 100 foreign governments purchasing spyware designed to compromise cell phones.
Market Growth:
Michael Casey, head of the U.S. government's counterintelligence agency, remarks, "The mobile spyware market has seen huge growth, with dozens of companies selling surveillance products," (00:04).
Global Proliferation:
The agency notes that approximately 20 new countries have acquired mobile spyware since 2023, raising alarms about global surveillance and privacy violations.
A breach of the Amazon S3 cloud storage environment used by hotel management platform Otelier has compromised data for millions of customers.
Affected Entities:
Major hotel chains like Marriott, Hilton, and Hyatt rely on Otelier's platform for managing reservations; over 10,000 hotels use it.
Details of the Breach:
The attack occurred in July 2024, resulting in the theft of customer data. Otelier has confirmed the breach, which allegedly began with an employee's stolen Atlassian credentials that gave the attacker a foothold.
Security researcher Kevin Beaumont uncovered a significant data leak involving over 15,000 Fortinet firewall configurations and login credentials.
Method of Exploitation:
The data was harvested in October 2022 through what was, at the time, a zero-day vulnerability. Although the dump is more than two years old, firewall configuration files carry credentials and rule sets, so any listed device whose credentials have not been rotated since then is still exposed.
Attribution and Actions:
The threat actor behind the leak calls itself the Belsen Group. Security researchers have extracted the IPs of all impacted devices and are notifying the affected organisations.
"A threat actor has leaked config files and login credentials for over 15,000 Fortinet firewalls," Aird explains (00:04).
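The practical question for a defender is whether any of their own firewalls appear in the leaked list. The following is an added example, not code from Risky Bulletin or from the researchers cited: it assumes the leaked-device list is available as plain text with one IP address per line (the sample here is constructed, not real leak data), and takes the organisation's public address space as a list of CIDRs. Only IPv4 is handled, since that is what the sample contains.

```python
"""Match a leaked-device IP list against an organisation's public CIDR ranges.

Added example, not code from the podcast or from the researchers it cites.
Assumes the leak list is plain text, one IPv4 address per line; sample data
below is constructed for illustration and contains no real leaked addresses.
"""
import ipaddress
from typing import Iterable

# Constructed sample of a leaked-device list, with the kind of noise a real
# dump tends to contain: comments, blank lines, an appended port, garbage.
SAMPLE_LEAK = """\
# devices
203.0.113.17
203.0.113.250:10443
198.51.100.5
192.0.2.99

not-an-ip
"""

# Constructed sample of an organisation's public address space (CIDRs).
SAMPLE_ORG_RANGES = ["203.0.113.0/24", "198.51.100.0/28"]


def parse_leaked_ips(text: str) -> set[ipaddress.IPv4Address]:
    """Extract valid IPv4 addresses, tolerating comments, blanks and ':port' suffixes."""
    found: set[ipaddress.IPv4Address] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host = line.split(":", 1)[0]  # drop an appended port such as 10443
        try:
            found.add(ipaddress.IPv4Address(host))
        except ValueError:
            continue  # skip garbage lines rather than abort the whole check
    return found


def affected_devices(leaked: Iterable[ipaddress.IPv4Address],
                     org_cidrs: Iterable[str]) -> dict[str, list[str]]:
    """Map each organisation CIDR to the leaked addresses that fall inside it."""
    networks = [ipaddress.IPv4Network(c, strict=False) for c in org_cidrs]
    hits: dict[str, list[str]] = {str(n): [] for n in networks}
    for ip in sorted(leaked):
        for net in networks:
            if ip in net:
                hits[str(net)].append(str(ip))
    # Only report ranges that actually contain leaked devices.
    return {cidr: ips for cidr, ips in hits.items() if ips}


def check(leak_text: str, org_cidrs: Iterable[str]) -> dict[str, list[str]]:
    """Full check: parse the leak list, then match it against our ranges."""
    return affected_devices(parse_leaked_ips(leak_text), org_cidrs)


if __name__ == "__main__":
    for cidr, ips in check(SAMPLE_LEAK, SAMPLE_ORG_RANGES).items():
        print(f"{cidr}: {len(ips)} device(s) in leak -> {', '.join(ips)}")
```

A hit means the device's management and VPN credentials, local user accounts and pre-shared keys in that config should be treated as compromised and rotated, whether or not the firmware has since been patched; the leak is two years old, but the secrets inside it are only stale if someone changed them.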
Microsoft has identified a Russian APT group, Star Blizzard, actively targeting WhatsApp accounts of government officials and organizations supporting Ukraine.
Operational Tactics:
The group, linked to Russia's FSB intelligence service, has adjusted its tactics following the FBI's seizure of some of its server infrastructure in October.
"Microsoft claims the group mixed up its TTPs to target WhatsApp accounts after the FBI seized some of the group's server infrastructure in October," Claire Aird reports (00:04).
The Kubernetes project has patched a vulnerability that allowed threat actors to take over compute nodes.
Nature of the Vulnerability:
An attacker who could query a node's logging endpoint could use it to execute commands on that node. The precondition is therefore the permission to reach that endpoint, which in a normal cluster is gated by RBAC, so clusters that grant node log or proxy access broadly are the most exposed.
Scope of Impact:
Only nodes running Windows are affected; Linux nodes are not. Operators with Windows nodes should apply the patched kubelet and, in the meantime, review who holds permissions to query node logs.
This episode of Risky Bulletin covers a broad sweep of current developments, from an executive order shaping federal cybersecurity policy to state-backed intrusions, a large credential leak, and regulatory action against major companies. Together they give listeners a compact picture of where both threats and countermeasures stand.
For more detailed insights and updates, listeners are encouraged to tune into future episodes of Risky Bulletin.