CyberWire Daily - A push to debunk election disinformation.
Episode Date: November 1, 2024. Georgia’s Secretary of State Pushes Social Media to Remove Russian Disinformation. CISA introduces its first international strategic plan. Microsoft issues a warning about the Quad7 botnet. Researchers uncover a zero-click vulnerability in Synology devices. CISA warns of critical ICS vulnerabilities. The U.S. and Israel outline the latest cyber activities of an Iranian threat group. Researchers track an online shopping scam operation called “Phish ‘n’ Ships.” A Colorado Pathology lab notifies 1.8 million patients of a data breach. Our guest is Gary Barlet, Public Sector CTO at Illumio, with a timely look at election security. Packing a custom PC full of meth. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Our guest is Gary Barlet, Public Sector CTO at Illumio, discussing where elections are most vulnerable and the potential dangers beyond national elections.
Selected Reading Georgia official asks social media sites to take down Russian disinformation video (The Record) CISA Strategic Plan Targets Global Cooperation on Cybersecurity (Security Boulevard) Microsoft: Chinese hackers use Quad7 botnet to steal credentials (Bleeping Computer) Microsoft delays Windows Recall again, now by December (Bleeping Computer) Zero-Click Flaw Exposes Potentially Millions of Popular Storage Devices to Attack (WIRED) CISA Warns of Critical Software Vulnerabilities in Industrial Devices (Infosecurity Magazine) US, Israel Describe Iranian Hackers' Targeting of Olympics, Surveillance Cameras (SecurityWeek) Fake product listings on real shopping sites lead to stolen payment information (SC Media) Medusa Ransomware Hack of Pathology Lab Affects 1.8 Million (BankInfo Security) Someone tried to smuggle 100kg of synthetic drugs into Australia inside a bunch of PC cases (TechSpot) Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Georgia's Secretary of State pushes social media to remove Russian disinformation.
CISA introduces its first international strategic plan.
Microsoft issues a warning about Quad7 botnet.
Researchers uncover a zero-click vulnerability in Synology devices.
CISA warns of critical ICS vulnerabilities.
The U.S. and Israel outline the latest cyber activities of an Iranian threat group.
Researchers track an online shopping scam operation called Phish 'n' Ships. A Colorado
pathology lab notifies 1.8 million patients of a data breach. Our guest is Gary Barlet,
public sector CTO at Illumio, with a timely look at election, and packing a custom PC full of meth.
It's Friday, November 1st, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Thanks for joining us here today. It is great to have you with us.
Georgia's Secretary of State, Brad Raffensperger, is calling on social media platforms, including
X (formerly Twitter), to remove a fake video circulating on accounts linked to a known Russian disinformation
network. The video falsely claims that Haitian immigrants are being issued U.S.
identifications to vote in Georgia. Disinformation experts quickly identified the source as
Storm 1516, a Russian network connected to the Russian presidential administration.
Despite being debunked by authorities, the video remains accessible on X,
where it has spread to an account with nearly 650,000 followers.
Raffensperger issued a strong statement condemning the disinformation
as an attempt to disrupt the 2024 U.S. presidential election.
He expressed concerns over foreign interference aimed at fueling discord
and requested cooperation from social media companies to counteract the disinformation.
His office, in partnership with CISA and federal agencies, is actively monitoring and responding to these threats.
This incident reflects a broader trend.
Last week, the ODNI, FBI, and CISA flagged another Russian-produced video falsely depicting election misconduct in Pennsylvania.
Russian actors have repeatedly targeted Vice President Kamala Harris and Democratic nominee Tim Walz with AI-generated videos, amplifying divisive narratives.
the importance of rejecting these tactics, stating, as Americans, we can't let our enemies use lies to divide us and undermine our faith in our institutions. CISA has introduced its first
international strategic plan aiming to build stronger global alliances against cyber threats.
The plan focuses on three main goals: enhancing the resilience of foreign infrastructure critical to U.S. security,
fortifying integrated cyber defense, and improving agency coordination on international efforts.
In partnership with U.S. law enforcement, the State Department, and intelligence agencies,
CISA seeks a unified global approach to cyber defense.
The strategy emphasizes transparency and accountability in the supply chain,
requiring thorough assessments from international vendors to secure hardware, software, and communications.
Experts praise the initiative, with Casey Ellis of Bugcrowd calling cybersecurity a team sport
and James Scobey of Keeper Security noting its potential
for robust global collaboration. This plan, they say, sets a critical foundation for shared threat
intelligence, standardized security practices, and a stronger global digital ecosystem.
Microsoft has issued a warning about the Quad7 botnet, also known as CovertNetwork-1658,
a network of compromised SOHO routers primarily used by Chinese threat actors to steal credentials via password spray attacks.
Initially discovered by security researcher Gi7w0rm, Quad7 compromises attacked routers and networking devices, including those
from TP-Link, Asus, Ruckus, Axentra, and Zyxel. Once compromised, threat actors install custom
malware that enables remote access over Telnet with distinctive banners indicating the affected
device. Microsoft reports that Quad7 is used strategically,
submitting minimal login attempts to avoid detection alarms.
This approach has allowed actors like Storm-0940
to obtain and quickly exploit stolen credentials,
often breaching networks and deploying further tools
for persistence and data exfiltration.
The exact method of router compromise is unclear,
though Sekoia observed an OpenWrt zero-day exploit,
suggesting that threat actors are utilizing advanced vulnerabilities to gain access.
Staying with Microsoft, Redmond is delaying the rollout of its AI-powered Windows Recall feature,
initially set for October, to December for further testing.
First announced in May,
Recall captures and analyzes screenshots of active windows,
allowing users to search them with natural language.
However, concerns over privacy led Microsoft to implement opt-in usage,
Windows Hello verification, and filtering for
sensitive content. Microsoft also promises additional security measures, including
anti-hammering and rate limiting, to address feedback from customers and privacy advocates.
Dutch researchers have uncovered a zero-click vulnerability in Synology's network-attached storage devices,
specifically in the pre-installed Synology Photos application.
This flaw, which requires no user interaction, allows attackers to access devices, steal files,
plant back doors, or deploy ransomware, potentially locking users out of their data.
The vulnerability affects Synology's BeeStation devices,
as well as the widely used DiskStation systems,
which many individuals and businesses rely on for scalable data storage.
Synology NAS devices have previously been targeted by ransomware groups, with attacks on DiskStation users reported as recently as
this year. This discovery highlights the persistent cybersecurity risks associated
with network-attached storage systems, which are increasingly targeted by ransomware campaigns.
Looking at industrial control systems, CISA has advised manufacturing companies to implement
security mitigations following the discovery of critical vulnerabilities in Rockwell Automation and Mitsubishi control systems.
Key vulnerabilities include issues in Rockwell's FactoryTalk ThinManager, allowing database manipulation and denial of service attacks, and Mitsubishi's FA Engineering software products, which could
permit remote code execution. These flaws, with CVSS scores up to 9.8, are remotely exploitable
with low complexity. CISA's advisory includes mitigation measures and emphasizes defensive
actions to minimize exploitation risks. The United States and Israel have issued a joint advisory detailing the latest cyber activities of
Iranian threat group Emennet Pasargad, now operating under the name Aria Sepehr Ayandehsazan.
We're going to go with ASA. They're known to target Israel and Western nations. The group uses fronts such as Server-Speed and VPS-Agent to host servers and conceal operations.
Recent ASA attacks include hacking French display systems during the 2024 Summer Olympics
to spread anti-Israeli messages and compromising surveillance cameras in Israel and Gaza
with sensitive footage made available through private servers.
Additionally, ASA reportedly contacted families of hostages taken by Hamas
to inflict psychological harm.
The group also hacked a U.S.-based IPTV service to distribute propaganda.
Using AI for advanced voice modulation and photo generation, ASA continues to evolve its
tactics. U.S. officials have sanctioned the group, underscoring its role in state-sponsored
influence operations across critical Western and Middle Eastern infrastructure.
Human Security's Satori Threat Intelligence and Research team uncovered an ongoing phishing scheme called Phish 'n' Ships,
which has compromised over 1,000 legitimate shopping sites since 2019.
Using fake product listings, the operation lures shoppers to fraudulent sites with high-demand items at bargain prices.
Once on these fake sites, users' payment data is stolen
through compromised checkout processes, with the attackers often using legitimate payment
processors to add credibility. Phish 'n' Ships has built 121 fake stores to funnel traffic,
and attackers use SEO techniques to ensure listings appear high in search results.
Human has worked with partners to disrupt this scheme, removing some fake listings from Google and notifying affected payment processors.
However, the operation remains active, and shoppers are advised to remain cautious of
offers that seem too good to be true.
Six months after a Medusa ransomware attack, Colorado's Summit Pathology Laboratory has
notified 1.8 million patients of a data breach.
The attack, which began when an employee clicked a phishing email, exposed patient names, addresses,
social security numbers, and medical records.
Medusa hackers claimed credit for the breach, but Summit has not disclosed if a ransom was paid.
They worked quickly to secure their network
and involve the FBI, preventing major disruptions.
Since announcing the breach,
Summit faces eight class-action lawsuits
alleging negligence and seeking damages.
Coming up after the break,
my conversation with Gary Barlet,
public sector CTO at Illumio.
We're talking election security.
Stay with us. Do you know the status of your compliance controls right now? Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI. Now that's a new way
to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000
off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
Gary Barlet is public sector CTO at Illumio. I recently caught up with him to discuss elections, where they're most vulnerable, and potential dangers at the local level. Here's our conversation.
So I think that it's probably the most secure ever. Is it as secure as it could be?
Probably not, if you want to be honest. I think that every time we go through one of these,
we get better and better and we learn lessons from previous elections, but there's always more
lessons to be learned for sure. Well, can you unpack it for us? I mean, what are some of the
specific challenges that we
face here, given the way that we configure our elections? Sure. When you think about the way
that, you know, people think about elections being this, hey, we're electing the president
of the United States, so it's a national election. But the reality is, right, all these elections are
conducted at the local level, right? You walk into a local precinct to vote. Those votes are collected
locally. They're tabulated at the state level, right? They're certified at the state level,
and then they're rolled up to more national results. So the challenge is it's not like
there's a quote-unquote national voting system, right, that we're all using that somehow the
federal government is protecting this amorphous, magical national voting system, right?
You're really talking about a family of systems that are all being maintained, really, by local,
you know, state, local, or, you know, representatives and IT professionals that are
trying to manage those systems independently. And I suppose it's fair to say that that is
not necessarily a bug, but a feature.
Yeah, right.
I mean, like I said, I mean, you know, by default, that's where our elections are designed,
right?
That each state conducts, you know, has its own rules and its own ways that it conducts
elections and tabulates those votes and rolls those votes up.
I mean, it's by design, you know, that the elections are supposed to be done
at a state level and not really at a federal level. When you think about some of the potential
vulnerabilities here, what are some of the things that come to mind? Right. So the challenge is,
right, if you think about what I just said, right, since there's no national system, right,
you're really relying on, you know, at a minimum minimal 50 plus, you know, systems that you're dealing with to tabulate votes and, you know, roll those results up, right?
So you've got this potential for disparity in the way that each of those individual systems are being protected, right?
Each has its own vulnerabilities.
Each has its own risks and its own challenges, right? And so cumulatively, every one of those risks and challenges poses an overall threat to protecting our national elections.
Where do we stand when it comes to electronic systems versus paper ballots?
So it's interesting, right?
And again, it depends on the state you're talking to, right? A lot of times they'll keep the paper ballots, right? And that's
kind of the, that's oftentimes seen as the backup. Sometimes they do, you know, in-state, you know,
in-person validation of those ballots, you know, to cross-reference against the results. Sometimes
it's only, you know, if there's some sort of challenge to results that they'll go back and
count paper ballots. You know, many of us probably remember the infamous hanging chads from Florida back in
the day. You know, so there's a lot of different ways about this. But at the end of the day,
you know, the results are collected and oftentimes transmitted electronically.
And as you and I both know, anytime there's anything electronic, right, it opens itself to some sort of compromise, you know, from potentially an adversary, you know, a nation state that wants to try to affect our elections.
Well, and indeed, I mean, we've seen countless reports at this point that our adversaries are out there trying to sow doubt in the confidence of the system, put the question mark in the voters' minds.
Absolutely, right? And if you think about it, you know, oftentimes, right, we hear these doomsday
scenarios of, oh, you know, a voting system may have gotten compromised and it flips votes from,
one candidate to another or something like that. You know, but the real challenge is, right,
you don't necessarily have to actually change any votes.
All you have to do is, like you said, sow that doubt, right?
If you start to get the populace of the United States to start to question elections, right, and that's not hard nowadays, you start getting people to potentially question the results of an election, right?
The nation states that want to see us kind of in disarray have won. They've achieved their results. If they start getting more and more people to question the validity of their elected leaders, that can cause internal strife. And if the U.S. government is dealing with internal strife, they've got less capacity to deal with external strife and external threats.
What would be your advice to folks who are heading to the polls here?
I mean, in terms of a frame of mind, a mindset as they consider the state of security of our elections here.
So I would say, listen, I've already voted, right?
And I voted with confidence.
I think that between the efforts of the federal government in coordination with state and local governments, I think they're doing as good a job as can be done with reality.
Nothing's ever 100 percent. We can't fool ourselves into thinking that anything's ever going to be 100 percent secure.
But I think that there are enough processes and checks and balances built into the system that we should have confidence in our electoral process. Because as you mentioned earlier, right, at the end of the day, we always have the paper
ballots we can fall back on, right? If in doubt, go back to the old-fashioned way of counting paper
ballots. So I think that at the end of the day, I think that voters should have confidence in
the voting systems. Our thanks to Gary Barlet from Illumio for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And finally, our down-under desk reminds us that building a custom PC setup is easier than ever, but one Malaysian man took creative assembly to a new level.
Recently, Australian authorities intercepted his DIY project.
PC tower cases packed not with graphics cards, but with 100 kilograms of meth.
The drug-packed towers were shipped from Malaysia, arriving in Australia on October 16th.
When Australian Border Force officers examined the computer equipment, they found blocks of
white powder hidden inside. Lab tests revealed the powder was meth,
setting off a quick response from the Australian Federal Police.
The alleged smuggler showed up to pick up his hardware
from a storage unit on October 30th, where he was promptly arrested.
Australian authorities estimated the meth-filled towers
could have hit the streets as millions of doses.
Instead, this peculiar tech upgrade earned him a drug possession charge,
carrying a potential life sentence.
No motherboard needed for that rig.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday and my conversation with Amnon Kushnir from Sygnia. We're discussing their work, "China-Nexus Threat Group Velvet Ant Leverages a Zero-Day to Deploy Malware on Cisco Nexus Switches."
That's Research Saturday. Check it out.
We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that
keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show,
please share a rating and review in your favorite podcast app. Please also fill out the survey in
the show notes or send an email to cyberwire at n2k.com.
We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector,
from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people.
We make you smarter about your teams while making your teams smarter.
Learn how at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester with original music and sound design by Elliot Peltzman.
Our executive producer is Jennifer Eiben.
Our executive editor is Brandon Karpf.
Simone Petrella is our president.
Peter Kilpe is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here next week.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.