CyberWire Daily - A new era for CISA under Trump?

Episode Date: November 18, 2024

CISA’s Director Easterly plans to step down in the coming year. DHS issues recommendations for AI in critical infrastructure. Palo Alto Networks confirms active exploitation of a critical zero-day vulnerability in its firewalls. Threat actors exploit Microsoft’s 365 Admin Portal to send sextortion emails. A China-based APT targets a zero-day in Fortinet’s Windows VPN. The EPA reports on vulnerabilities in drinking water systems. A critical authentication bypass vulnerability affects a popular WordPress plugin. Researchers track a rise in the ClickFix social engineering technique. An 18 year old faces up to twenty years behind bars for swatting. Our guest is Rob Boyce, Global Lead, Cyber Resilience at Accenture, discussing SIM swapping services targeting telcos. Nuisance calls are in decline.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today, we are joined by Rob Boyce, Global Lead, Cyber Resilience at Accenture, discussing SIM swapping services targeting telcos.
Selected Reading
CISA Director Jen Easterly to depart on Inauguration Day (Nextgov/FCW)
DHS Releases Secure AI Framework for Critical Infrastructure (Dark Reading)
Palo Alto firewalls exploited after critical zero-day vulnerability (Cybernews)
Microsoft 365 Admin portal abused to send sextortion emails (Bleeping Computer)
Fortinet VPN Zero-Day Exploited in Malware Attacks Remains Unpatched: Report (SecurityWeek)
300 Drinking Water Systems in US Exposed to Disruptive, Damaging Hacker Attacks (SecurityWeek)
Security plugin flaw in millions of WordPress sites gives admin access (Bleeping Computer)
Security Brief: ClickFix Social Engineering Technique Floods Threat Landscape (Proofpoint)
Teen serial swatter-for-hire busted, pleads guilty, could face 20 years (The Register)
FTC Records 50% Drop in Nuisance Calls Since 2021 (Infosecurity Magazine)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to joindeleteme.com slash N2K and enter code N2K at checkout. That's joindeleteme.com slash N2K, code N2K. CISA's director Easterly plans to step down in the coming year. DHS issues recommendations for AI in critical infrastructure. Palo Alto Networks confirms active exploitation of a critical zero-day vulnerability in its firewalls. Threat actors exploit Microsoft's 365 admin portal to send sextortion emails.
Starting point is 00:02:23 A China-based APT targets a zero-day in Fortinet's Windows VPN. The EPA reports on vulnerabilities in drinking water systems. A critical authentication bypass vulnerability affects a popular WordPress plugin. Researchers track a rise in the ClickFix social engineering technique. An 18-year-old faces up to 20 years behind bars for swatting. Our guest is Rob Boyce, global lead for cyber resilience at Accenture, discussing SIM swapping services targeting telcos. And nuisance calls are in decline. It's Monday, November 18th, 2024. I'm Dave Bittner, and this is your CyberWire intel briefing. Thanks for joining us here today. It is great to have you with us. Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency, will step down on January 20th, coinciding with the inauguration of President-elect Donald Trump. Deputy Director Nitin Natarajan is also set to depart. This is a routine transition during
Starting point is 00:03:47 a change in administration, a CISA spokesperson confirmed. Easterly, a West Point graduate and Rhodes Scholar, served two decades in the U.S. Army, helping establish U.S. Cyber Command in response to a major DoD malware incident in 2008. Her career also included senior roles at the NSA, the National Security Council, and Morgan Stanley. She became CISA director after an eight-month vacancy following Chris Krebs' firing in 2020. During her tenure, Easterly advanced CISA's Secure by Design initiatives, pushing manufacturers to embed security into their products. She led the agency through major cyber attacks, including Chinese hacks targeting U.S. officials, and provided steady leadership during election cycles, reaffirming the integrity of
Starting point is 00:04:37 election infrastructure. She also issued guidance on emerging technologies like AI and quantum cryptography. Easterly's departure leaves questions about CISA's direction under Trump's administration. GOP allegations of censorship against CISA and proposed budget cuts raise concerns over future cybersecurity priorities. Senator Rand Paul, a CISA critic, is positioned to lead the Senate Homeland Security Panel. Meanwhile, Ohio's Secretary of State Frank LaRose is reportedly a candidate to succeed Easterly. The agency faces an uncertain future as these transitions unfold. The U.S. Department of Homeland Security has issued voluntary recommendations for securely developing
Starting point is 00:05:25 and deploying AI in critical infrastructure. The Roles and Responsibilities Framework for Artificial Intelligence in Critical Infrastructure outlines guidance for cloud providers, AI developers, critical infrastructure operators, civil society, and public sector organizations. civil society, and public sector organizations. The framework focuses on five key areas, securing environments, responsible system design, data governance, safe deployment, and performance monitoring. Cloud providers are urged to vet supply chains, protect data centers, and report anomalies. AI developers should adopt secure by design practices, address biases, and ensure privacy. Critical infrastructure operators must safeguard AI systems and provide transparency on their AI use.
Starting point is 00:06:27 DHS Secretary Alejandro Mayorkas emphasized the framework's role in protecting essential services like water and power, calling it a living document that evolves with AI advancements. Palo Alto Networks has confirmed active exploitation of a critical zero-day vulnerability in its firewalls, affecting management interfaces exposed to the internet. The flaw, rated 9.3 out of 10 in severity, allows unauthenticated remote command execution. While a patch is not yet available, Palo Alto Networks urges users to restrict access to management interfaces to internal trusted IP addresses. This mitigation reduces the severity to 7.5, but still requires careful monitoring. to 7.5, but still requires careful monitoring. The company tracks vulnerable devices via its support portal and has observed malicious activity from specific IPs, including potential misuse of third-party VPN services. Malicious code was found on affected devices. Separately, Palo Alto
Starting point is 00:07:22 disclosed other vulnerabilities in its Expedition migration tool, including OS command and SQL injection flaws, which could expose sensitive firewall configurations. Threat actors are exploiting the Microsoft 365 admin portal to send sextortion emails, making them appear trustworthy and bypassing spam filters. Sextortion scams claim hackers accessed compromising images or videos of victims and demand payment in cryptocurrency to prevent their release. Though common since 2018, these scams can still alarm recipients. Scammers abuse the Microsoft Message Center's Share feature, which allows notifications to be forwarded with a personal message.
Starting point is 00:08:11 While this field is limited to 1,000 characters, attackers bypass the restriction by manipulating browser development tools to input longer messages. Microsoft lacks server-side checks to enforce the limit, enabling full extortion messages to be sent. Microsoft says they are investigating, but they've not yet implemented fixes. The Deep Data Malware Framework, linked to China-based APT41, is exploiting a zero-day vulnerability in Fortinet's Windows VPN client to steal credentials, according to cybersecurity firm Veloxity. DeepData uses plugins to extract sensitive data from browsers, communication apps, and password managers and can record audio via the system's microphone.
Starting point is 00:09:01 APT41, also associated with the LightSpy malware, has targeted journalists, politicians, and activists in Southeast Asia. The zero-day vulnerability, reported to Fortinet in July, remains unpatched and lacks a CVE identifier. Veloxity attributes the malware's development to Brazen Bamboo, a state-sponsored group. DeepData and LightSpy share technical similarities, including plugin designs and infrastructure. A new Windows variant of LightSpy has also been identified, showcasing Brazen Bamboo's broad multi-platform surveillance capabilities. A report by the EPA's Office of Inspector General reveals cybersecurity vulnerabilities in over 300 U.S. drinking water systems serving 110 million people. The assessment highlighted risks such as service disruptions, denial of service attacks, and compromised customer data. Critical or high-severity issues were identified in 97
Starting point is 00:10:06 systems serving 27 million individuals, while medium and low-severity weaknesses, like open portals, affected 211 systems covering 83 million people. The vulnerabilities span email security, IT hygiene, and threat detection. OIG warns that exploiting these flaws could lead to significant damage to water infrastructure. Additionally, the EPA lacks a cybersecurity incident reporting system and relies on CISA for coordination, raising concerns about emergency response and mitigation strategies. response and mitigation strategies. A critical authentication bypass vulnerability has been identified in the WordPress plugin Really Simple Security. This plugin, used on over 4 million websites, provides SSL configuration,
Starting point is 00:10:59 two-factor authentication, and security monitoring. Discovered by WordFence on November 6th, the flaw stems from improper handling of the login nonce parameter in the plugin's two-factor REST API. If login nonce verification fails, the code incorrectly authenticates users based on their user ID alone, allowing attackers to gain administrative access to vulnerable sites. The flaw is particularly severe because it can be exploited at scale with automated scripts. Fixes were released earlier this month. Hosting providers and administrators are urged to update immediately as millions of sites remain at risk. Researchers at Proofpoint have observed a rise in the ClickFix social engineering technique, which manipulates users into executing malicious PowerShell scripts
Starting point is 00:11:53 by disguising them as solutions to fabricated problems. Initially linked to campaigns by TA571 and ClearFake, this method has now been adopted by various financially motivated and espionage-focused threat actors. ClickFix exploits trust by presenting fake error messages or software update prompts, directing users to copy and run PowerShell commands that ultimately deliver malware. Recent campaigns leveraged fake CAPTCHA verifications, GitHub notifications, and spoofed emails from platforms like Microsoft Word and ChatGPT. Malicious payloads observed include AsyncRat, NetSupport, LumaStealer, and XWorm. The technique bypasses traditional security controls by relying on human error, preying on users' desire to independently resolve issues.
Starting point is 00:12:46 To mitigate these threats, organizations should train users to recognize such tactics and avoid manually executing unverified commands. The technique's popularity underscores the evolution of social engineering strategies. Eighteen-year-old Alan Filion has pleaded guilty to making over 375 fake emergency threats, the practice known as swatting. Filion targeted religious and educational institutions, government officials, and individuals across the U.S. between 2022 and 2024, beginning at age 16. Swatting involves falsely reporting emergencies to prompt police SWAT team responses, often causing chaos and endangering lives. Filion admitted to using social media to offer swatting services for a fee.
Starting point is 00:13:41 On one occasion, he boasted about causing police to detain victims and search their homes for fabricated crimes. Facing up to five years in prison for each of four felony counts, Filion's sentencing is set for February. Coming up after the break, my conversation with Rob Boyce, Accenture's global lead for cyber resilience. Stay with us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security,
Starting point is 00:14:41 but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
Starting point is 00:15:28 That's vanta.com slash cyber for a thousand dollars off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and
Starting point is 00:15:58 connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. Rob Boyce is global lead for Cyber Resilience at Accenture. I recently caught up with him to discuss
Starting point is 00:16:29 SIM swapping services that are targeting telcos. Rob, welcome back. Thanks, Dave. I was excited to be here. I want to touch today on something I know you and your colleagues there at Accenture have been tracking, and that's SIM swapping. You know, these folks who are targeting the telcos with this sort of thing. Bring us up to speed here.
Starting point is 00:16:49 What's the latest? Actually, we're seeing something super interesting. So SIM swapping, as you said, it's nothing new. We've actually been tracking, you know, dark web forums probably about since 2018 for SIM swapping. But however, what we're seeing now, which is really, really unique,
Starting point is 00:17:04 is we're seeing one threat actor offer a service for resetting passwords or MFA bypass via SIM swap, but they're doing it from what we believe is an API exploit, which is unique because up until now, to really do SIM swapping, you really needed an insider or some form of social engineering. And so this is the first time that we're actually seeing a real exploit being able to be used. And this startup is claiming right now that this exploit works against six major US telcos. And we have been tracking them to show that people have been buying it and pleased with the service. And so we believe the credibility of this claim is pretty high at this point.
Starting point is 00:17:50 Well, walk us through how something like this would work. I mean, how does one get access to this API? If it's hitting multiple telcos, explain to me the breadth of its access. telcos. Explain to me the breadth of its access. Yeah, so this is one thing that is a little still unclear, which is, what system does this exploit exist in? But clearly, there is a commonality at least between these six telcos in the U.S., leveraging probably a very similar system, where this API exploit is being able to be able to connect and exploit.
Starting point is 00:18:25 And what we're finding the startup actors offering right now is they're offering two types of service, which I think is also very interesting. One is a one-time SIM swap. So being able to purchase one number, basically, and being able to swap that. And they're charging right now somewhere between $4,000 and $7,000 for that.
Starting point is 00:18:44 Or being able to offer more of a full rights to the exploit for about $15,000. And I think this is so new that I have a very strong feeling these prices are going to change. Meaning the $15,000 will probably be higher and the $4,000 to $7,000 will probably be much lower for the single SIM swap. And we'll start to see that economy stretch out a little bit, which I think is going to be super interesting. And this allows for a speed and scale for SIM swapping that we have not seen in the past.
Starting point is 00:19:18 So this is going to be a really concerning area and something to keep an eye on for sure. Who would need access to this sort of API? I mean, is this the kind of thing where, you know, I'm thinking of the folks at the mall kiosk who you can walk up and buy a phone and maybe you can choose one of several different providers depending on who's running a special that day. Is that the kind of thing we're talking about?
Starting point is 00:19:41 Why something like this would exist? Yeah, I mean, honestly, Dave, at this point, it's a little unclear. So this is so new to us. We're still finishing up our research on how the exploit actually works. I see. So the system that it's connecting to is a little bit unclear. But we know, though, I mean, as I said, it's highly, highly credible now that this does work. So it's really now how does it work
Starting point is 00:20:06 is really what we need to dig into a little bit next. And at this point, you're seeing this coming from a single supplier? Yes, exactly correct. Huh. Exactly right. And that's what makes it also a little bit unique, honestly, and why they can charge the price that they're charging
Starting point is 00:20:20 because there is not a competitive threat actor in the space at this moment. Interesting. So what are your recommendations here? I mean, this is a tough one. This is what's really interesting because I think for a long time, we've always been telling organizations, foundational is MFA. You need to have MFA in your environment to be able to provide that higher level of assurance that, you know, where a password just isn't enough for external exposed applications, etc. So, you know, more and more organizations, of course, have been implementing MFA. But what we see now is not all MFA is rated the same. So MFA that leverages SMS is very susceptible to this type of attack.
Starting point is 00:21:07 And so what we're now starting to see is MFA maturing within its own space. And so I think the future of NSA is really passwordless authentication with the adoption of a couple of open standards like FIDO2 or Passkey. Because what these technologies allow us to do is really replace passwords with
Starting point is 00:21:26 cryptographic keys. So this, of course, now enhances the ability to eliminate common attacks like the phishing or social engineering, which I think is really interesting. And they work alongside biometrics. So it can work with your PIN or with your fingerprint or your facial recognition. So it offers a very seamless user experience, and it's highly adopted by the major companies like Apple and Google and Microsoft. So it's going to be not just a higher level of security, but it's also going to be a better user experience, I think, in the future. And so there is hope for this, of course,
Starting point is 00:21:59 but it's now just realizing that when organizations, when people give recommendations of implementing MFA, it's not just any MFA. We have to think about what the right MFA is going to be to ensure that we're eliminating the exposures that could be introduced from things like SYNSWAP. Yeah. All right.
Starting point is 00:22:17 Well, Robert Boyce is Global Lead for Cyber Resilience at Accenture. Rob, thanks so much for joining us. Of course, Dave. Anytime. Thank you. Our thanks to Rob Boyce for joining us. He is Global Lead for Cyber Resilience at Accenture.
Starting point is 00:23:05 Trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And finally, our caller ID desk brings some good news. The FTC is winning the fight against scam and nuisance calls. According to the agency's latest report, complaints about these pesky interruptions have dropped by more than half since 2021. That's a huge win for the 254 million Americans who've signed up for the National Do Not Call Registry and who probably wish telemarketers would stop ignoring it. In 2024, the FTC logged 2 million complaints, with most gripes focused on medical and prescription scams. Imposter calls came in a close second, proving scammers are still
Starting point is 00:24:14 bad actors, literally. Robo calls dominated the complaint charts at 53%, while 37% were old-school humans trying to sell you something you didn't want. The FTC isn't just sitting back and letting the registry do the work. New rules and initiatives like the impersonation rule and Operation Stop Scam Calls are cracking down on both scammers and the companies profiting from them. And for the cherry on top, the agency is tackling deepfake phone scams with a voice cloning challenge, because AI scammers are a thing now. Sam Levine, head of the FTC's Bureau of Consumer Protection, summed it up, saying, illegal calls remain a scourge, but we're making
Starting point is 00:24:59 progress. With scams still costing consumers over a billion dollars last year, there's plenty more work ahead. For now, though, it's still best to let that unknown number go straight to voicemail. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment on Jason and Brian's show every week. You can find Grumpy Old Geeks wherever the fine podcasts are listed. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and
Starting point is 00:26:00 review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. We're privileged that N2K Cyber Wire is part of the daily routine of the most influential leaders and operators in the public and private sector from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies
Starting point is 00:26:23 to optimize your biggest investment, your people. We make you smarter about your teams while making your team smarter. Learn how at n2k.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Iben.
Starting point is 00:26:42 Our executive editor is Brandon Karp. Simone Petrella is our president. Peter Kilby is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare,
Starting point is 00:27:31 and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com Learn more at ai.domo.com. That's ai.domo.com.
