CyberWire Daily - A pivotal global menace.
Episode Date: January 10, 2024

The World Economic Forum names AI a top global threat. The SEC suffers a social media breach. The FTC settles with a data broker over location data sales. A massive data leak hits Brazil. Chinese researchers claim an AirDrop hack. A major real estate firm suffers data theft. Pikabot loader is seeing use by spammers. Ukraine's Blackjack hits Russia's M9 Telecom. Stuxnet methods are revealed. A Patch Tuesday rundown. Our guest is Tim Eades from the Cyber Mentor Fund to discuss the growing prevalence of restoration as a part of incident response. And hackers could screw up a wrench.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Guest Tim Eades from Cyber Mentor Fund joins us to discuss the growing prevalence of restoration as a part of incident response.

Selected Reading
AI-powered misinformation is the world's biggest short-term threat, Davos report says (AP News)
NSA: Benefits of generative AI in cyber security will outweigh the bad (IT Pro)
SEC account on X 'compromised' and regulator has not approved bitcoin ETFs (MarketWatch)
SEC did not have 2FA enabled: X safety team on fake Bitcoin ETF post (Cointelegraph)
FTC Order Prohibits Data Broker X-Mode Social and Outlogic from Selling Sensitive Location Data (Federal Trade Commission)
Entire population of Brazil possibly exposed in massive data leak (Security Affairs)
China says state-backed experts crack Apple's AirDrop (Digital Journal)
Fidelity National Financial says hackers stole data on 1.3 million customers (TechCrunch)
Water Curupira Hackers Launch Pikabot Malware Attack on Windows Machine (GBHackers On Security)
Ukrainian "Blackjack" Hackers Take Out Russian ISP (Infosecurity Magazine)
Ukraine is on the front lines of global cyber security (Atlantic Council)
Dutch Engineer Used Water Pump to Get Billion-Dollar Stuxnet Malware Into Iranian Nuclear Facility: Report (SecurityWeek)
New research paper explores post-quantum cryptography for critical infrastructure cybersecurity (Industrial Cyber)
AI Helps U.S. Intelligence Track Hackers Targeting Critical Infrastructure (Wall Street Journal)
Hewlett Packard Enterprise nears $13 billion deal to buy Juniper Networks (Reuters)
January Patch Tuesday: New year, more Windows bugs (The Register)
Cybersecurity Advisory: Apache Struts Vulnerability CVE-2023-50164 (Uptycs)
Hackers can infect network-connected wrenches to install ransomware (Ars Technica)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
The World Economic Forum names AI a top global threat.
The SEC suffers a social media breach.
The FTC settles with a data broker over location data sales.
A massive data leak hits Brazil.
Chinese researchers claim an AirDrop hack.
A major real estate firm suffers data theft.
Pikabot loader is seen used by spammers.
Ukraine's Blackjack hits Russia's M9 Telecom.
Stuxnet methods are revealed, a Patch Tuesday rundown.
Our guest is Tim Eades from the Cyber Mentor Fund
to discuss the growing prevalence of restoration as a part of incident response.
And hackers could screw up a wrench.
It's Wednesday, January 10th, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thank you all for joining us today. It's good to have you here.
The World Economic Forum's latest Global Risks Report identifies AI-driven misinformation and disinformation as the most significant short-term risks to the global economy, democracy, and social stability.
Released before the Davos Summit, the report, based on a survey of 1,500 experts, highlights the adverse effects of rapidly advancing technology. AI technologies, particularly generative AI chatbots,
are facilitating the creation of sophisticated synthetic content, elevating concerns about manipulation and societal polarization. The risk is particularly acute as several countries with
large economies, including the U.S., Britain, and India, approach election periods.
Carolina Klint, a risk management leader at Marsh, who co-authored the report along with Zurich Insurance Group,
emphasizes the potential of AI in exacerbating misinformation.
She warns that AI-driven deepfakes and synthetic content could challenge the legitimacy of democratic processes and intensify societal divides.
AI also poses risks in cybersecurity, enabling more accessible and sophisticated cyberattacks and embedding biases in AI models through tainted training data.
Generative AI is increasingly becoming a double-edged sword in the realm of
cybersecurity. Rob Joyce, director of cybersecurity at NSA, told attendees at an event at Fordham
University in New York that this technology significantly enhances the ability of security
experts to detect and counteract cyber threats. It's particularly effective in identifying abnormal activities
and potentially malicious actors hiding within networks,
utilizing large-scale data analysis
without the need for constant human oversight.
However, this same technology is also being exploited by cyber criminals.
They use generative AI to sophisticate frauds, scams, and social engineering
attacks, as noted by researchers at Mandiant and Darktrace. These advancements in AI-enabled
cyberattacks pose a major challenge, enabling hackers to refine their techniques and launch
more personalized and potent attacks. Despite these threats, national security agencies and cybersecurity
experts are leveraging AI to improve their defensive capabilities. AI is, of course,
not a panacea, as Rob Joyce points out, but it significantly bolsters the effectiveness of
skilled practitioners. It assists in real-time detection of cyberattacks, monitors unusual login activities,
and can proactively respond to potential threats.
AI is even being trained to predict attacks before they occur.
The U.S. Securities and Exchange Commission yesterday fell victim to a breach of their X (formerly Twitter) account,
leading to a false announcement of a Bitcoin exchange-traded
fund, an ETF. Reports highlight the lack of two-factor authentication on the SEC's main
social media account, and that the vulnerability was exploited through a SIM swap hack, where an
attacker gained control of the phone number associated with the SEC's account.
This type of attack involves convincing a telecom provider to transfer a victim's phone number to the attacker,
allowing them access to various accounts linked to that number.
U.S. Senators J.D. Vance and Thom Tillis have expressed serious concerns about the SEC's cybersecurity procedures, demanding an explanation and transparency about the incident.
The Federal Trade Commission has reached a settlement with data broker X-Mode Social and its successor Outlogic to prohibit them from sharing or selling sensitive location data.
This settlement addresses allegations that the companies sold precise location data which could track individuals to sensitive locations, such as medical and reproductive health clinics, places of worship, and domestic abuse shelters.
This marks the FTC's first settlement with a data broker over the collection and sale of sensitive location information.
The FTC found that X-Mode Social and Outlogic failed to implement proper safeguards for the use of such data by third parties.
They sold precise location data collected from third-party apps using their software,
their own apps, and other data brokers.
This data, linked to mobile advertising IDs and not anonymized,
could potentially reveal personal and sensitive information about individuals.
The FTC's complaint highlighted that until May 2023, there were no policies to exclude sensitive locations from the data sold.
The practices exposed consumers to privacy violations, discrimination, and physical or emotional harm.
The proposed order requires X-Mode and Outlogic to delete or destroy all collected location data unless consumers consent or the data is de-identified.
They must also develop programs ensuring informed consumer consent, protect sensitive locations, and establish a comprehensive privacy program.
The FTC will accept public comments on the agreement before finalizing the order.
Researchers at CyberNews have uncovered a massive data leak affecting Brazilian individuals,
with over 223 million records exposed, possibly affecting that country's
entire population. The leak was found in a publicly accessible Elasticsearch instance
and contained sensitive personal data such as full names, dates of birth, gender, and taxpayer
identification numbers. The source of the leak has not yet been identified, as the data wasn't linked to any
specific company or organization. The data is no longer publicly available, but the potential
impact of the leak remains concerning. Chinese researchers, presumably backed by the state,
claim to have developed a method to identify users of Apple's AirDrop, the encrypted service that
allows content sharing between nearby Apple devices without the internet. This service was
popular during the 2019 Hong Kong pro-democracy protests for its ability to bypass government
surveillance. The Beijing municipal government stated that this new technique can uncover an iPhone's encrypted log,
revealing the user's phone number and email.
Apple limited AirDrop for Chinese users in 2022,
introducing a 10-minute time limit for receiving files from unknown contacts.
This move aligns with China's extensive digital surveillance efforts,
which include mandatory real-name registration
for social media and communication services.
Apple is often criticized
for complying with Chinese regulations.
They previously removed a map app
used by Hong Kong protesters in 2019,
citing safety concerns.
Fidelity National Financial,
a major real estate services company,
has revealed a cyber attack from November of last year, leading to the theft of data from 1.3 million customers and causing a week-long system outage. The firm disclosed in a regulatory filing
that an unauthorized party accessed their systems, deployed non-self-propagating malware,
and extracted data. The specific nature of the stolen data wasn't detailed, but FNF is offering
credit monitoring and identity theft services to affected customers, indicating the data was
personal and sensitive. The ransomware group ALPHV, also known as BlackCat, claimed responsibility for the attack. FNF managed to contain the attack by November 26th.
Pikabot, a loader malware used by the threat group Water Curupira, has seen increased activity in spam campaigns, especially after the takedown of QakBot, from June to September of 2023.
Cybersecurity researchers at Trend Micro have noted a surge in these phishing campaigns
targeting Windows machines.
Pikabot gains initial access through spam emails, using thread hijacking to appear legitimate and prompt users to open attachments that seem authentic.
In an apparent response to Russia's attack on Kyivstar, a Ukrainian hacking group linked to the SBU spy agency attacked a Moscow ISP, M9 Telecom. The group, known as Blackjack,
deleted 20 terabytes of data, disrupting Internet service in parts of Moscow.
They claim the attack is a warm-up retaliation on their Telegram page.
M9 Telecom's website is operational despite claims of complete data destruction.
A two-year investigation by Dutch newspaper de Volkskrant has revealed a Dutch engineer, Erik van Sabben, was reportedly recruited by the Netherlands intelligence agency AIVD to deploy the Stuxnet malware in an Iranian nuclear facility back in 2010. Stuxnet targeted Iran's nuclear program, infecting and damaging numerous devices and centrifuges. It's believed van Sabben planted Stuxnet using a water pump at Natanz's nuclear complex, although the exact method remains uncertain.
Van Sabben died in a motorcycle accident two weeks after the Stuxnet attack.
Former CIA chief Michael Hayden, while not confirming specifics due to classified information,
hinted at the high cost of developing Stuxnet, estimated between $1 and $2 billion.
Yesterday was Patch Tuesday, and Microsoft released 49 Patch Tuesday updates for Windows,
including two critical flaws. Additionally, Microsoft Edge received patches for four high-severity Chrome flaws.
Adobe fixed six important vulnerabilities in Substance 3D Stager,
while SAP addressed various security issues, including two new HotNews notes.
Cisco updated two privilege escalation CVEs in its Identity Services Engine,
but one remains unpatched.
Google's Android security bulletin covered 59 CVEs,
with the most severe in the framework components,
posing a risk of local privilege escalation.
If you will indulge me tooting our own horn for just a moment,
we're proud to announce that N2K Networks and the nonprofit Women in Cybersecurity Organization have partnered to conduct a comprehensive cyber talent study.
The study will utilize the N2K NICE Workforce Diagnostic Assessment to analyze cybersecurity skills among WiCyS professional members. Participants will gain insights into their strengths and weaknesses aligned with the NICE cybersecurity workforce framework.
You can learn more about the study and the partnership on our CyberWire website.
Coming up after the break, Tim Eades from the Cyber Mentor Fund discusses the growing prevalence of restoration as a part of incident response.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian
and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings
automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI. Now that's a new way
to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash
cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And it is always my pleasure to welcome back to the show Tim Eades.
He is the co-founder of the Cyber Mentor Fund and also a serial entrepreneur in the space.
Tim, welcome back.
Dave, great to be here.
So I want to talk today about incident response and some of the evolution that you are seeing.
There's some shift in terminology that's happening.
Yeah, there definitely is. Gartner has proliferated this term, you know, response: XDR, MDR, NDR, HDR, whatever it is. But the response is kind of, well, what is it? What does it actually do? It's meant to be broad, but it's not, not in terms of the business owner.
What we should be focusing on now, and I think we will focus on going forward,
is restoration or reconstruction, getting the business back up and running.
Incident response, you know, obviously is tied to really BI, business interruption. And as you start to see cyber insurance, you know, that market is maturing. I've invested in three
different companies in that space at different levels. As cyber insurance starts to mature, it's all about business
interruption, getting the business back up and running. So when you see ransomware attacks,
whether it's Caesars or whatever it may be, what people care about is, yeah, finding the bad guys,
understanding the forensics to do it,
having the fidelity of the forensics to make sure that you extract them out of your network,
but they're measured on
getting the business back up and running.
So response, in my point of view,
would be part of it,
but really the bigger part is
get the business back up and running.
And restoration is absolutely key to this.
And that's how I think people are
going to look at it over the next 10 years. How do you define restoration? I mean,
what's the nuance in that particular turn of phrase?
Well, let me give you an example. So there's a company that we know, that we at the Cyber Mentor Fund are an investor in, and that we're very close to. A large food company got compromised recently. They get the call on, I think it was on Monday; they were in there by Tuesday, physically, the engineers were, to extract it. They also, actually, it was interesting, they got the call from the food company, from the insurance company, and from a forensics company. And they fly in, and their job is to get the business back up and running. Think of it like Colonial Pipeline. Remember, everybody remembers Colonial Pipeline, particularly if you're on the East Coast. Then you sit there like, okay, yeah, I've got bad guys on the network. That's not a response; that's not enough of a response. I needed to get back up and working, otherwise people can't get to work, and otherwise people don't get heating and all the other stuff.
So response has to include restoration.
Otherwise, it's like observing a problem and doing nothing about it, which is not the path we should be going down.
How should folks be setting their priorities and planning their resources to make this happen?
Yeah, I met a DFIR company,
a digital forensics incident response company the other day.
And they were doing, this is a big one, right? They were doing like 2,000 or 3,000 incident responses a year.
And so as we start to look at this problem,
getting the business back up and running
has a series of metrics that when a compromise
has happened, whether it's ransomware or not, the metrics have to be
tied from a security professional perspective to
getting the business back up and running. But you can only do that with, like I said earlier,
the efficacy of getting the forensics
right so you know what you're restoring, it is appropriate.
Because otherwise, you're just going to go back
to a known bad state.
And you need to get to a good state very quickly.
So the metrics will be tied to a certain extent
to a cyber insurance policy.
What do your policies say?
And what is your business imperative?
So like a company that we know is looking at Air Force
substations, as they get compromised,
how fast can they get back up and running?
That's a big deal, right?
I guess it's one of those things
that sounds like it takes one amount of effort in theory,
but then, you know, I guess it's that old thing,
and no plan survives contact with the enemy.
Right.
Yeah, you have to have a plan for it.
And people talk about business interruption all
the time, like if there's a misconfiguration
and the server goes down
because of a failed whatever.
Cyber guys
obviously talk about that more and more and more.
But in the world of the incident from a cyber perspective, business interruption and business restoration is going to be the terminology going forward. And Gartner is gradually changing that word response. They're actually using the word reconstruction now more. But it's got to get more business for capital, because they've got to get the business back up.
Is this a matter of also
making this easier for the folks at the board level
to understand what we're talking about?
Is this a word that resonates with them?
Absolutely, it does.
I think this is a great part of, you know,
a lot of the board reporting right now is,
do I have the right controls in the right place doing the right things?
You know, from an audit perspective, from an independent board member, from an auditor perspective,
and from a CISO perspective. But the business continuity plan
is not just
hey, this developer did something bad and this server got taken out.
But it's also got to, and it does tie into incident response, but the measurement on business interruption, in the way that the cybersecurity companies have got to think about it differently. Because the life of the CISO, they've been talking about business continuity for ages, but the security companies, partly driven by Gartner, don't talk about getting the business up and running. That's my basic point. The CISO will talk about business continuity all the time, but the cybersecurity companies don't.
And they've got to take that point and make the business come back quicker if there was an attack.
It's funny. It reminds me of an old friend of mine who was a commercial real estate insurance agent, and he said he would ask his clients to imagine a Wile E. Coyote smoking hole in the ground
and start from there.
And he said that visualization often helped them sort of ground themselves as to,
you know, what do we need to prepare for, possibly?
Yeah.
I mean, you can have all the best detection
and prevention things in the world,
but eventually you're going to get attacked.
But my frustration is with the security vendors
and not with the CISOs, to be clear,
they have to be more aligned with the business
and talk about how they get somebody back up and running.
All right.
Interesting stuff as always.
Tim Eades, thanks so much for joining us.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
the cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And finally, researchers at Nozomi have discovered 23 vulnerabilities in the Bosch Rexroth handheld nutrunner, a network-connected wrench used in factories around the world.
These flaws could let hackers sabotage or disable the wrench, crucial for assembling sensitive instruments with precise torque levels.
Nozomi says these vulnerabilities could allow unauthorized remote code execution with root privileges.
In a wrench.
Hackers could potentially install ransomware.
In a wrench.
They could alter torque settings while displaying normal values to operators in a wrench.
Bosch Rexroth acknowledged the issue and is working on a patch due for release in January 2024.
While mass exploitation is unlikely, the risk of work stoppages or tampering with critical settings warrants installing patches when available.
It seems in this case, it's the wrench's security that needs a little tightening.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
We're privileged that N2K and podcasts like The Cyber Wire are part of the daily intelligence routine
of many of the most influential leaders and operators in the public and private sector, as well as the critical
security teams supporting the Fortune 500 and many of the world's preeminent intelligence
and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value
of your biggest investment, your people. We make you smarter about your team while making your team smarter.
Learn more at n2k.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester with
original music by Elliot Peltzman. Our executive producers are Jennifer Iben and Brendan Karp.
Our executive editor is Peter Kilby, and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow. Thank you.
Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.