CyberWire Daily - A “must patch” list in the making.

Episode Date: October 15, 2024

CISA adds a Fortinet flaw to its “must patch” list. Splunk releases fixes for 11 vulnerabilities in Splunk Enterprise. ErrorFather is a new malicious Android banking trojan. New evidence backs secure-by-design practices. CISA warns that threat actors are exploiting unencrypted persistent cookies. The FIDO Alliance standardizes passkey portability. Cybercriminals linger on Telegram. On our Industry Voices segment today, our guest is Matt Radolec, Vice President, Incident Response and Cloud Operations at Varonis, discussing how AI amplifies the need for data privacy regulation and opens doors for abuse. We mark the passing of the co-creator of the BBS. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
Selected Reading
Tens of thousands of IPs vulnerable to Fortinet flaw dubbed 'must patch' by feds (CyberScoop)
Fortinet FortiGuard Labs Observes Darknet Activity Targeting the 2024 United States Presidential Election (Fortinet)
Splunk Enterprise Update Patches Remote Code Execution Vulnerabilities (SecurityWeek)
Cerberus Android Banking Trojan Deployed in New Multi-Stage Malicious Campaign (Infosecurity Magazine)
Organizations can substantially lower vulnerabilities with secure-by-design practices, report finds (CyberScoop)
Eight Million Users Download 200+ Malicious Apps from Google Play (Infosecurity Magazine)
TrickMo malware steals Android PINs using fake lock screen (Bleeping Computer)
CISA: Hackers abuse F5 BIG-IP cookies to map internal servers (Bleeping Computer)
FIDO Alliance is Standardizing Passkey Portability (Thurrott)
So far, cybercriminals appear to be just shopping around for a Telegram alternative (The Record)
Ward Christensen, BBS inventor and architect of our online age, dies at age 78 (Ars Technica)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. CISA adds a Fortinet flaw to its must-patch list. Splunk releases fixes for 11 vulnerabilities in Splunk Enterprise. ErrorFather is a new malicious Android banking trojan. New evidence backs secure-by-design practices.
Starting point is 00:02:16 CISA warns that threat actors are exploiting unencrypted persistent cookies. The FIDO Alliance standardizes passkey portability. Cybercriminals linger on Telegram. On our Industry Voices segment, our guest is Matt Radolec, vice president of incident response and cloud operations at Varonis. We're discussing how AI amplifies the need for data privacy regulation and opens the doors for abuse. And we mark the passing of the co-creator of the BBS. It's Tuesday, October 15th, 2024. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today. It is great to have you with us and great to be back. Around 87,000 IP addresses are potentially vulnerable to a critical Fortinet flaw, which CISA added to its must-patch list due to active exploitation, according to the Shadowserver Foundation. CISA requires federal agencies to patch this remote code execution vulnerability by October 30th
Starting point is 00:03:40 after rating it a 9.8 on the vulnerability scale. Fortinet discovered the flaw internally and issued a fix in February, warning it reduces but doesn't fully prevent exploitation. Most affected IPs are in Asia, followed by North America and Europe. It's unclear if the vulnerability has been used in ransomware attacks, though Fortinet vulnerabilities have been exploited before, including in a Chinese cyber espionage campaign reported by Dutch intelligence in June. Speaking of Fortinet, their FortiGuard Labs has released a new threat
Starting point is 00:04:17 intelligence report that uncovers significant cyber threats targeting the 2024 U.S. presidential election. The report reveals that phishing scams aimed at voters and donors are on the rise, with threat actors selling phishing kits on the darknet designed to impersonate presidential candidates. These scams seek to steal personal information like names, addresses, and credit card details. Since the start of 2024, over 1,000 malicious domains related to the election have been registered, many mimicking legitimate fundraising sites. Meanwhile, darknet forums are flooded
Starting point is 00:04:56 with U.S. personal data, including social security numbers and login credentials, posing a serious risk of fraud and phishing attacks. Ransomware attacks against U.S. government agencies have spiked by 28%, threatening the integrity of the election process. Fortinet emphasizes the need for strong cybersecurity measures, including multi-factor authentication and regular software updates, to protect against these growing threats.
Starting point is 00:05:24 Splunk has released fixes for 11 vulnerabilities in Splunk Enterprise, including two high-severity flaws leading to remote code execution on Windows systems. The most critical affects Windows instances and allows remote code execution for users without admin or power roles. Another flaw allows arbitrary file writing, potentially enabling malicious code execution. Recent Splunk Enterprise versions resolve these issues, along with other medium-severity flaws affecting JavaScript code execution,
Starting point is 00:06:00 password exposure, and system crashes. A new malicious campaign dubbed ErrorFather is deploying a Cerberus-based Android banking Trojan, according to Cyble. From mid-September to late October of this year, Cyble's research identified 15 malicious apps posing as Chrome and Play Store applications. The Trojan uses a multi-stage infection chain to target financial and social media apps, leveraging keylogging, overlay attacks, and virtual network computing. Cerberus, first seen in 2019, is known for stealing banking credentials and personal information. Despite its age, ErrorFather has modified Cerberus's code to evade detection.
Starting point is 00:06:53 The campaign employs a Telegram bot for communication and uses a domain generation algorithm for resilient command and control operations. Cyble recommends using official app stores, antivirus software, strong passwords, multi-factor authentication, and biometric security to mitigate the risk. The campaign remains active with its C2 server still operational. In related news, Zimperium has identified 40 new variants of the TrickMo Android banking trojan, tied to 16 droppers and 22 command and control infrastructures. These variants feature Android PIN theft, one-time password interception, screen recording, and data exfiltration.
Starting point is 00:07:36 TrickMo, which has been active since 2019, abuses the accessibility service to steal banking credentials through phishing overlays. A fake lock screen mimics the Android unlock prompt to capture PINs. At least 13,000 victims have been exposed, mostly in Canada, the UAE, Turkey, and Germany. TrickMo spreads via phishing, and Google Play Protect offers some defense. A new report from Secure Code Warrior reveals that training developers in secure-by-design practices can reduce software vulnerabilities by over 50%. Analyzing data from 600 enterprises over nine years, the report found organizations with more
Starting point is 00:08:20 than 7,000 developers saw a 47% to 53% decrease in vulnerabilities. This supports the U.S. Cybersecurity and Infrastructure Security Agency's push for secure-by-design development, part of a broader national cybersecurity strategy. The report also highlights that secure-by-design practices are more effective when mandated by executives or regulations. While the financial services sector leads in adopting these practices, other critical infrastructure sectors like healthcare and defense are progressing. However, the energy and communications sector wasn't included due to fewer active developers. The National Institute of Standards and Technology notes that
Starting point is 00:09:06 fixing software defects during testing can be up to 100 times more costly than secure-by-design approaches. CISA warns that threat actors are exploiting unencrypted persistent cookies in F5 BIG-IP's Local Traffic Manager to map out internal network devices. These cookies, used for session persistence in load balancing, contain encoded IP addresses and other sensitive details about internal servers. When unencrypted, attackers can identify vulnerable devices, potentially leading to network breaches.
Starting point is 00:09:44 F5 BIG-IP administrators are urged to encrypt these cookies, a feature available since version 11.5. Encryption prevents attackers from leveraging the cookie data for network discovery. CISA also recommends using F5's diagnostic tool BIG-IP iHealth to identify misconfigurations. Administrators can enforce AES-192 encryption to secure all persistent cookies, reducing the risk of exploitation during cyberattacks. The FIDO Alliance, in collaboration with companies like 1Password, Bitwarden, Dashlane, Google, Microsoft, Apple, and Samsung, is standardizing how password managers can make passkeys portable across providers. This effort aims to accelerate passkey adoption, improving security and user experience.
Starting point is 00:10:39 With over 12 billion online accounts now accessible via passkeys, the benefits are significant. Passkeys reduce phishing, prevent credential reuse, and improve sign-in success rates by 20%, while being 75% faster than traditional passwords or SMS-based two-factor authentication. Despite Telegram founder Pavel Durov's arrest and his commitment to combat illegal activities on the app, many cybercriminals are expected to remain on the platform, according to researchers at Intel 471. While some hacker groups are exploring alternatives like Jabber, Tox, and Signal, Telegram's convenience and extensive reach make it hard to leave. Its robust features, such as large group chats, bots, and customizable tools, are unmatched by
Starting point is 00:11:34 other platforms. Though Durov pledged increased cooperation with law enforcement and stricter moderation, a mass exodus of criminals hasn't occurred. Some groups, like Bl00dy ransomware, have left, but most are still using Telegram due to its popularity. Researchers will continue tracking cybercriminal activity across various platforms while Telegram prepares to handle an influx of law enforcement requests targeting the worst offenders. Coming up after the break, our guest Matt Radolec from Varonis shares how AI amplifies the need for data privacy regulation. Stay with us. Like right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Starting point is 00:12:51 But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Starting point is 00:13:19 Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been
Starting point is 00:14:11 breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more dot i o. Matt Radolec is vice president of incident response and cloud operations at Varonis. In today's sponsored Industry Voices segment, Matt shares how AI amplifies the need for data privacy regulation and opens doors for abuse. I think we're, we're metaphorically still children crawling around in our cribs. We're just starting to taste the gains of AI. We haven't gone that far down the rabbit hole yet. Many, many companies still don't leverage their first AI products. Lots of companies are still developing their first AI offerings or their
Starting point is 00:15:03 first AI integrated offerings. And so there's a lot of buzz and a lot of hype and a lot of people hard at work to see what they can get out of it. And we're already starting to see tremendous risk. And I think that's sort of like the opening of Pandora's box that we can't go and undo. So what are some of the specific perils here then? Yeah, so one thing is, you know, like any emerging technology market, there are these AI as a service startups that are going to market very quickly and unfortunately aren't even implementing some basic security controls.
Starting point is 00:15:35 Like in the application security world, people talk about what's called the OWASP top 10 a lot. And that has to deal with application security and the top 10 ways that applications get hacked. And there are these AI as a service companies that are collecting and amassing large amounts of data that are vulnerable to cross-tenant session hijacking. Meaning if you have an access key for your data and your AI in that particular service, you can maybe change something about the URL or modify that token and be able to view someone else's data, which isn't intended.
Starting point is 00:16:09 There are other places where organizations are adopting more branded AI, like Gen AI, like co-pilots, without fully understanding the permissions models, and they're exposing data unintentionally to their employees and other users of those systems. That's probably the one that many of your listeners are experiencing right now today. Well, I mean, let's dig into data privacy here.
Starting point is 00:16:32 We sort of famously here in the U.S. are flying without any type of federal data privacy legislation. How important is that when it comes to our conversations about AI? Yeah, I think it's this missing piece. Oftentimes, we're looking to regulation after something it comes to enforcing regulation that ultimately could protect consumers and citizens of the U.S. from having their data be used to train a model that could even potentially be used against them. I think a lot about a European company that was just fined, I think it was somewhere in the round of a few million dollars, that they used images that they collected from
Starting point is 00:17:25 the public internet in order to create facial recognition software. And so it begs the question for like, you know, kind of citizens or end users, whatever you want to refer to them as, when they uploaded that picture to Facebook or Instagram, or even their company's website, were they consenting to having it be used to track their face? You know, I think that's the bigger privacy question here is what data can be used and trained in models that's publicly available on the web? And was that the license that the person who's that likeness belongs to granted when they, you know, was it like an unrestricted license when you upload stuff to Instagram, for instance, you're basically agreeing to let Meta do whatever they want with that picture,
Starting point is 00:18:05 including sell it for profit. Does that same thing apply with any other website? And I think this is the questions that people should be asking because all the data that's on the public internet is clearly being used to train lots and lots of AI models. That's a really interesting point you bring up here. Not even specifically about AI, but just this regime we kind of live in with the EULAs, where you've got this giant legal document that I think it's fair to say for social media platforms, most people just click through because they want to have free access to whatever's being offered there. But there's so much that you're giving consent to, there's no granularity. No. And I think it's also not made simple for people to kind of understand it. And AI just
Starting point is 00:18:58 makes that worse, right? A lot of the problems that you think about in data security are either due to lack of awareness or lack of control or even obscurity, right? Where like, it's just hard for a non-technical person to usually figure out how to get to large swaths of data. But these large language models and these co-pilots are making it super, super easy. And that's like the first kind of light that's shining out of Pandora's box for me that says, we really need to rethink how we're choosing to regulate AI. A lot of people will joke about before the robots take over the world, if you've ever seen Terminator. But I do think that that is a future state that we could
Starting point is 00:19:37 be up against as you look at more autonomous drones, whether flying or robotic. You look at them being potentially AI-powered on their own self-learning and self-enhancing models. I don't think it's that far off. It's not that far-fetched anymore. That reality from Terminator is more visible now than it was a year or five years ago. I think a lot of folks, even security folks,
Starting point is 00:20:02 they find themselves in this situation where the powers that be in their organizations, the members of the board, you know, leadership teams, they see all of this enthusiasm about AI and they see their competitors adopting it. And there's this fear that if we don't do something, we just do anything, we're going to get left behind. I think that's a real legitimate fear. I should probably also say I'm one of the biggest proponents of exploring and experimenting with AI. One of my closest colleagues who conveniently shares your name, Dave, or if you go by David, David Gibson at Varonis, he thinks that the AI age is going to be bigger than space. And I think that's it. I
Starting point is 00:20:42 agree with him. I think that we as humanity are going to benefit more from the development and advancement of AI for like the common person, whether it's from medicine or infrastructure or civil services, than we will from the exploration of space. That's what makes us feel so fortunate. So I personally encourage organizations to pursue those gains. That's how you can get a competitive advantage in the market by being first to innovate something. The fintech industry is really ripe for that right now. Fintech is one of the sectors that's leading the charge with AI, finding all the efficiency gains that they can.
Starting point is 00:21:17 But they're also one of the same sectors that's closely evaluating data security because the difference between a fintech company having a competitive advantage or not is those formulas and rates and sophisticated spreadsheets that they use to analyze markets that are proprietary and confidential. So they've typically taken data security really seriously from the get-go.
Starting point is 00:21:37 So they're one that understands the risk and the reward. And that's really what I would encourage organizations to do is balance the risk and the reward of moving forward with AI. I would give it an endorsement. It's definitely something that you want to do. Our company does it. We have AI embedded in our solutions and in the services that we offer in order to provide better service to our clients. But we take the security of those large language models and the data that we feed into these AIs really, really seriously because we don't want to magnify open permissions model or a data security problem by enabling a really powerful feature. And I think that's what every organization is up against right now is how do we strike that balance, which is something that is typical to
Starting point is 00:22:20 security, right? The balance of security and productivity has always been there. AI is just shining a light on data risk. You, in your position, you're VP of Incident Response and Cloud Operations at Varonis. What is your advice to folks who are responsible for things like incident response in their own organizations? Any words of wisdom here? Yeah, I have a couple. First one is know and understand your blast radius. And what I mean by that is a person or a system, a device at your organization has access to things, has access to data, has access to other systems,
Starting point is 00:22:59 is interconnected to other systems. Figure out what that is and measure it periodically. Because what you'll find out is that most of the time it's too big. So do things to revoke access and restrict unused access away, whether it's network access or data access or access to applications. Because oftentimes these AIs function with pass-through permissions as your users. So the less amount of stuff that they can get to, the less amount of stuff that the AI can get to, to use layman's terms.
Starting point is 00:23:28 The second thing that you want to do, though, is monitor how your employees use these AIs. I often talk a lot in the Microsoft Copilot world about policing the prompts, right? It's just like how you're given a driver's license, you can get car insurance and buy a car, you can drive it on public roads, but there are these guardrails in place by society and enforced by police officers and state troopers in order to keep you from going off the reservation.
Starting point is 00:23:59 And that same type of thing is what the corporate responsibility is for your employees' use of AI. Give them the tools, but monitor how they use them. Make sure that people are using them responsibly and not doing things like saying, what's the upcoming bonus and who's getting the biggest bonus? Or create a spreadsheet of all of our patients' PII and put it in a CSV format or a PDF format. Or do we have any plain text passwords available that can log into the XYZ application. Like, make sure that you don't have users that are making queries or prompts with bad intent and do something about it. That's the responsible way to move forward. Mike, like anything in security, right?
Starting point is 00:24:36 You know, there's a famous saying here. I'm drawing a blank, Dave. Give me a second. Oh, trust but verify, right? Like, trust your users to do the right thing, but be looking over their shoulders and verify that. So in terms of prioritizing their efforts here, I mean, where do you recommend that people focus? Focus on your vaults. These are your large warehouses of information. These are going to be things like your storage arrays in your data
Starting point is 00:25:05 centers, your cloud storage from Amazon, like S3, or Microsoft, like Azure Blob, your Snowflakes, your Salesforces. These are often large data warehouses where these AIs can suck up a lot of data. But if you've got your security well, that won't happen. Our thanks to Matt Radolec, Vice President of Incident Response and Cloud Operations at Varonis, for joining us. Cyber threats are evolving every second, and staying ahead is more than just a challenge. Thank you. designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And finally, the passing of Ward Christensen feels like the closing of a chapter for those of us who remember the early days of online communication.
Starting point is 00:26:39 Ward, alongside his friend Randy Seuss, invented the first computer bulletin board system in 1978. And with that, they gave many of us our first taste of the online world. Before the internet became what it is today, BBSs were the gateway to connect with others, share files, and explore early online communities. Ward's creation was a lifeline for hobbyists, gamers, and tech enthusiasts, opening up a world where you could dial in, leave a message, and feel a part of something larger. Born out of a snowstorm, the idea for the first BBS came
Starting point is 00:27:18 when travel to their Chicago computer club was impossible. Ward's technical brilliance combined with Randy's hardware expertise, and in a matter of weeks, they built the system that would change the way people communicated. Ward wrote the software which allowed users to dial into a dedicated machine, leave messages, share files, and even play games, a virtual pushpin board for the digital age. And they didn't keep it to themselves. They openly shared the concept, sparking a wave of innovation that led to the development of countless
Starting point is 00:27:52 other BBSs. For those of us who were there, these BBS systems weren't just technical achievements. They were community. They introduced us to the power of connecting with others across distances. And for many, they were the first brush with what would later become the internet. Ward's influence can still be felt today in everything from multiplayer gaming to online forums. Ward never sought fame or recognition, even as his creation laid the groundwork for so much of our digital world. While he enjoyed a long career at IBM, Ward never flaunted his role in shaping online communication. He was quiet, unassuming, and content to let others shine,
Starting point is 00:28:35 despite his monumental contributions. Jason Scott, who interviewed Ward for BBS the documentary, said it best, Ward was the quietest, pleasantest, gentlest dude. Though he's gone, Ward's spirit of openness and sharing will live on. His decision to make his work freely available to others is a legacy we should all honor. He didn't just create technology, he created a culture of generosity that still influences how we think
Starting point is 00:29:06 about the digital world. As we say goodbye to Ward, we remember him not just as an innovator, but as a pioneer who made the online world a little more connected, a little more generous, and a lot more fun. Rest in peace, Ward. You've earned it. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
Starting point is 00:29:58 We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your team smarter. Learn how at N2K.com. This episode was produced by Liz Stokes. Our mixer is Tré Hester with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Starting point is 00:31:26 Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
