CyberWire Daily - A serious breach showdown.
Episode Date: February 5, 2024
AnyDesk confirms a serious breach. Clorox and Johnson Controls file cyber incidents with the SEC. There’s already a potential Apple Vision Pro kernel exploit. A $25 million deepfake scam. Akamai research hops on the FritzFrog botnet. The US sanctions Iranians for attacks on American water plants. Commando Cat targets Docker API endpoints. Pennsylvania courts fall victim to a DDoS attack. A new leader takes the reins at US Cyber Command and the NSA. Our guest is Dr. Heather Monthie from N2K Networks, with insights on the White House's recent easing of education requirements for federal contract jobs. And remembering one of the great cryptology communicators.
Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
Heather Monthie from N2K Networks shares some insight into the White House's recent easing of education requirements for federal contract jobs. You can find the background to that in our Selected Reading section.
Selected Reading
AnyDesk, an enterprise remote software platform used by major firms including Raytheon and Samsung, suffered a security breach - here’s what you need to know (IT Pro)
Clorox and Johnson Controls Reveal $76m Cyber-Attack Bill (Infosecurity Magazine)
MIT student claims to hack Apple Vision Pro on launch day (Cybernews)
Finance worker pays out $25 million after video call with deepfake ‘chief financial officer’ (CNN)
FritzFrog botnet is exploiting Log4Shell bug now, experts say (The Record)
US sanctions Iranian officials over cyber-attacks on water plants (BBC)
The Nine Lives of Commando Cat: Analysing a Novel Malware Campaign Targeting Docker (Cado Security)
Pennsylvania court agency's website hit by disabling cyberattack, officials say (ABC News)
Cyber Command, NSA usher in Haugh as new chief (The Record)
White House moves to ease education requirements for federal cyber contracting jobs (CyberScoop)
White House moves to ease education requirements for federal cyber contracting jobs (GAO)
David Kahn, historian who cracked the code of cryptology, dies at 93 (Washington Post)
Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.
Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
AnyDesk confirms a serious breach.
Clorox and Johnson Controls file cyber incidents with the SEC. There's already a potential Apple Vision Pro kernel exploit. Commando Cat targets Docker API endpoints.
Pennsylvania courts fall victim to a DDoS attack.
A new leader takes the reins at U.S. Cyber Command and the NSA.
Our guest is Dr. Heather Monthie from N2K Networks
with insights on the White House's recent easing of education requirements
for federal contract jobs
and remembering one of the great cryptology communicators.
It's Monday, February 5th, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Late last Friday afternoon, remote software company AnyDesk confirmed a significant
security breach in its systems. Unauthorized access was detected during a routine security audit,
leading to the exposure of a substantial amount of source code
and code-signing certificates.
The company has engaged the services of cybersecurity experts CrowdStrike
and is working closely with authorities to address the situation.
They say it is notably not related to ransomware. In an effort to mitigate
risks, AnyDesk has revoked and is replacing compromised security certificates and systems.
Additionally, they have reset passwords for their web portal, advising customers to change their
credentials as a precaution. The breach led to a service interruption with a four-day outage at the end
of January, where users were unable to log in to the AnyDesk client. Despite this disruption,
the company assures that there is no evidence of end-user devices being affected.
AnyDesk serves over 170,000 enterprise customers globally, including major brands like Samsung and Comcast.
Following this disclosure, some observers have criticized the company for what's been perceived
as a Friday afternoon news dump, an attempt to downplay the story by releasing it just before
the weekend. Continuing with breach disclosures, two major companies recently filed SEC disclosures outlining significant financial losses due to cyber incidents.
Clorox, the cleaning product manufacturer, faced a major operational disruption from an attack last August, leading to $49 million in expenses by December of 2023. The costs primarily involve third-party consulting, IT recovery, forensic
experts, and additional operational costs due to the disruption. Clorox anticipates reduced future
expenses and has not yet received insurance proceeds for the incident. Meanwhile, Johnson
Controls, a building management conglomerate, reported a $27 million expense in the last quarter of 2023 following a confirmed ransomware attack in September.
The company expects further expenses in fiscal 2024, mainly in the first half, for response and remediation efforts.
The attack disrupted their billing systems, but is not expected to materially impact net income,
with a substantial portion of the costs likely covered by insurance.
Joining me is Brandon Karpf. He is an executive producer here at N2K Cyber Wire,
also a former naval officer who spent time at Cyber Command.
Brandon, welcome back.
Hey, Dave. Thanks for having me again.
So this story appears at first blush to be simple reporting here.
And we've seen a number of these over the past couple of weeks. But there's some nuance here that you want to capture.
Yes, most definitely.
So big picture with the SEC and these types of filings is that the SEC implemented a new
set of rules in December of 2023 for public companies, which now requires
them to report any breach that they identify that's material to their business operations
within four days. And the business would file that with a form called the 8-K form, which is
a notification to investors of any material information to the business. The other part
of this rule change was that companies are now required
to report information about their cybersecurity programs,
successes, failures, processes, maturity,
in their annual 10-K filing to the SEC as well.
We haven't seen any of those yet,
at least not to my knowledge,
since the rule just went into effect in December.
We have seen a few of these 8-K filings in the last month, one from Microsoft, one from Hewlett-Packard.
But this is a 10-Q filing. So this is the quarterly filing. And this is the first one,
to my knowledge, that has included this much detail about a cybersecurity incident,
response and remediation, financial impacts, operational impacts, the inclusion of
insurance information and recovery information, and then the future outlook. So this 10-Q, this
quarterly filing, is probably an indication of what we can likely see in some of the annual
filings that will be coming out this year from these public companies. This information is very
relevant to any cybersecurity professional,
CISO, CSO, vice president of security who's working at a public company, just to give you
a sense of the type of information you might want to start including in these filings.
And it's your sense that CISOs are sitting up and taking notice at this?
Most definitely they have to. Now, the part of the organization that is actually submitting this is typically the part of the organization that works for the chief financial officer.
But they don't have that type of cybersecurity program information.
So the chief security officers, the CISOs, the other people within the security organization will have to provide this type of information to the CFO's office to make sure that they're filing the right information
and doing it in a way that's auditable, that's clear, and that meets the SEC's guidelines.
Now, this is going to become a huge part of the role of any security organization at a public company.
Brandon Karpf is executive producer here at N2K CyberWire.
Brandon, thanks so much for joining us.
Yeah, thanks, Dave.
Apple launched their much-anticipated spatial computing platform
Apple Vision Pro last week.
And now, CyberNews reports
that Joseph Ravichandran,
an MIT PhD student,
revealed a potential kernel exploit
for the device.
The exploit triggers
when the device crashes,
switching to full pass-through and prompting a reboot.
Kernel exploits, which are coveted by attackers for their ability to bypass security and execute malicious code,
are serious vulnerabilities.
Ravichandran is known for identifying the PACMAN attack on Apple's M1 CPU, and he highlighted this shortly after Apple's recent software update
aimed at patching security flaws. Apple and Ravichandran have yet to comment on the exploit
revelation. A finance worker at a multinational firm was deceived into transferring $25 million
due to an elaborate deepfake scam, as reported by Hong Kong police. The worker attended
a video call, believing he was interacting with the company's CFO and other staff members,
but they were all deepfake simulations. Initially skeptical due to a suspicious email discussing a
secret transaction, the worker was convinced after the video call
where the participants appeared
and sounded like real colleagues.
This led to him remitting approximately $25.6 million.
Hong Kong police, who have made six arrests
related to similar scams,
revealed that deepfake technology
has been used in multiple instances
to deceive facial recognition systems for fraudulent loan applications and bank account registrations.
This scam was uncovered when the employee verified the transaction with the company's head office.
The FritzFrog botnet, active since 2020, has evolved to exploit the Log4Shell vulnerability, targeting not just internet-facing applications,
but also internal networks.
Researchers at Akamai detail this shift in the botnet's behavior.
FritzFrog, known for compromising SSH connections to deploy crypto miners,
now scans system files on infected hosts
to identify and attack vulnerable Java applications.
Dubbed Frog4Shell, this campaign leverages the Log4Shell bug found in the Log4j web tool,
which led to a major global patching effort starting in 2021.
Despite these efforts, researchers are still finding vulnerable systems two years later.
FritzFrog has been particularly
notorious, compromising over 500 servers, including those in banks, universities,
and medical centers. It had a period of dormancy but resurfaced in 2022. Akamai's research reveals
over 20,000 FritzFrog attacks affecting more than 1,500 victims. This botnet poses a unique risk by
exploiting unpatched internal machines, which were initially considered less vulnerable and
so often neglected. The malware targets all hosts within a network, exposing even patched
internet-facing applications to risk if any part of the network is breached. The botnet has also
developed new capabilities,
including privilege escalation and cyber defense evasion tools. Researchers anticipate that FritzFrog
will continue to evolve, possibly integrating more exploits. In 2022, about 37% of the infected
nodes were in China, but the victims were globally distributed. There's
speculation that the FritzFrog operator might be based in China or is attempting to appear so.
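The internal-host gap the Akamai researchers describe is one a defender can audit for directly. What follows is an added example for this page, not code from the episode, from Akamai or from the FritzFrog operators: a Python scanner that walks a directory tree, opens every JAR, WAR and EAR, recurses into nested archives (where log4j-core usually travels inside an application bundle) and classifies each bundled log4j-core against the Log4Shell range, 2.0-beta9 through 2.14.1 minus the 2.3.1 and 2.12.2 backport fixes, or reports it as mitigated when JndiLookup.class has been deleted, which was the documented hot fix. The sample tree it scans is constructed by the script itself; the file names, the Finding record and the status labels are this example's own.

```python
"""Log4Shell exposure scanner for internal hosts (added example; not Akamai's or FritzFrog's code).
CVE-2021-44228 affects log4j-core 2.0-beta9 through 2.14.1, except the 2.3.1 and 2.12.2 Java 6/7
backport fixes; deleting JndiLookup.class from the JAR was the documented hot fix."""
import io
import os
import re
import tempfile
import zipfile
from collections import namedtuple
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_PREFIX = "org/apache/logging/log4j/core/"   # any entry under here means log4j-core is bundled
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?")
FIXED_BACKPORTS = {(2, 3, 1), (2, 3, 2), (2, 12, 2), (2, 12, 3), (2, 12, 4)}

# path joins nested members with "!/" (app.war!/WEB-INF/lib/x.jar); status: vulnerable|mitigated|not-affected|unknown
Finding = namedtuple("Finding", "path version status")

def parse_version(text):
    """'2.0-beta9' -> (2, 0, 0, 0, 9); '2.14.1' -> (2, 14, 1, 2, 0). Finals rank above beta/rc."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return (int(m[1]), int(m[2]), int(m[3] or 0), {"beta": 0, "rc": 1}.get(m[4], 2), int(m[5] or 0))

def version_is_vulnerable(v):
    if v is None or v[0] != 2 or v < (2, 0, 0, 0, 9):  # JNDI lookups first shipped in 2.0-beta9
        return False
    return v[:3] < (2, 15, 0) and v[:3] not in FIXED_BACKPORTS

def _detect_version(zf, names, label):
    if POM_PROPS in names:                              # Maven metadata survives inside fat JARs
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    base = os.path.basename(label.rsplit("!/", 1)[-1])  # else trust a log4j-core-<ver>.jar file name
    m = VERSION_RE.search(base) if base.startswith("log4j-core-") else None
    return m.group(0) if m else None

def scan_archive(zf, label):
    names = set(zf.namelist())
    findings = []
    if any(n.startswith(CORE_PREFIX) for n in names):
        version = _detect_version(zf, names, label)
        status = ("not-affected" if version and not version_is_vulnerable(parse_version(version))
                  else "mitigated" if JNDI_CLASS not in names      # class stripped: the hot fix
                  else "unknown" if version is None else "vulnerable")
        findings.append(Finding(label, version, status))
    for n in sorted(names):                             # recurse: a file-name-only scan misses these
        if n.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(n))) as inner:
                    findings.extend(scan_archive(inner, f"{label}!/{n}"))
            except (zipfile.BadZipFile, RuntimeError):
                continue
    return findings

def scan_tree(root):
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in ARCHIVE_SUFFIXES:
            try:
                with zipfile.ZipFile(p) as zf:
                    findings.extend(scan_archive(zf, str(p)))
            except zipfile.BadZipFile:
                continue
    return findings

def _fake_core_jar(version, keep_jndi=True):
    """Constructed stand-in for a log4j-core JAR holding only the entries the scanner inspects."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        zf.writestr(CORE_PREFIX + "Logger.class", b"\xca\xfe\xba\xbe")
        if keep_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()

def build_demo_tree(root):
    """Constructed sample: two loose JARs, one hot-fixed JAR, and a WAR bundling a vulnerable JAR."""
    lib, patched = Path(root, "lib"), Path(root, "patched")
    lib.mkdir()
    patched.mkdir()
    (lib / "log4j-core-2.14.1.jar").write_bytes(_fake_core_jar("2.14.1"))
    (lib / "log4j-core-2.17.1.jar").write_bytes(_fake_core_jar("2.17.1"))
    (patched / "log4j-core-2.14.1.jar").write_bytes(_fake_core_jar("2.14.1", keep_jndi=False))
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr("WEB-INF/lib/log4j-core-2.12.1.jar", _fake_core_jar("2.12.1"))
    Path(root, "app.war").write_bytes(war.getvalue())

def demo():
    """Scan the constructed tree; return sorted (path relative to the tree, version, status) rows."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        rel = lambda p: p.replace(tmp, "", 1).lstrip(os.sep).replace(os.sep, "/")
        return sorted((rel(f.path), f.version, f.status) for f in scan_tree(tmp))

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Point scan_tree at application directories and service-account home directories on hosts that were assumed to be reachable only from inside the network; a "vulnerable" or "unknown" result there is exactly the foothold the internal scanning described above looks for.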
The U.S. has sanctioned six Iranian Islamic Revolutionary Guard Corps officials for cyber
attacks on American water plants last year. These attacks come amidst heightened tensions following a drone strike in
Jordan that killed three U.S. soldiers, for which an Iranian-backed militia is blamed.
The U.S. Treasury's undersecretary emphasized the seriousness of targeting critical infrastructure
and vowed to hold perpetrators accountable. The IRGC-affiliated CyberAv3ngers targeted several U.S. water systems, including
one in Pennsylvania, exploiting weak cybersecurity like default passwords. While the attacks were
considered low-level, they raised concerns about the vulnerability of U.S. water systems.
Federal officials, including Pennsylvania senators and a congressman, have urged for a full investigation.
The U.S. Cybersecurity and Infrastructure Security Agency warns that countries like Iran are increasingly investing in cyber capabilities, posing significant threats to U.S. infrastructure.
Researchers at Cado Security have discovered a new malware campaign named Commando Cat targeting Docker API endpoints.
This is the second Docker-targeting campaign in 2024, following a recent report on the malicious use of the 9Hits traffic exchange application.
Commando Cat is a cryptojacking campaign, exploiting Docker for initial access, using the server to access the host's file system and execute multiple interdependent payloads. These payloads aim
to establish persistence, enable backdoors, steal cloud service provider credentials,
and run a cryptocurrency miner. The malware exhibits unique evasion techniques, including
a rare process hiding mechanism using the hid
process hider script instead of more common rootkit kernel modules. It also employs a
Docker registry black hole to prevent other attackers from accessing the compromised system.
Commando Cat functions as a credential stealer, a stealthy backdoor, and a cryptocurrency miner, making it a versatile threat.
Its payloads bear similarities to those used by other threat actors, particularly TeamTNT,
suggesting Commando Cat could be a copycat group, building upon TeamTNT's techniques.
The sophistication, redundancy, and evasion tactics of this malware make it a challenging threat to detect.
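Both halves of the initial access described here, an unauthenticated Docker API reachable over TCP and a container created through it that reaches the host file system, can be checked from configuration and API output alone, without a live daemon. The Python below is an added example for this page, not Cado Security's code or anything from the campaign: it parses a dockerd command line or daemon.json and flags TCP listeners that lack client-certificate verification, then audits container inspect documents (the shape of GET /containers/{id}/json) for host-root bind mounts, privileged mode and host PID namespace. The dockerd invocation, the daemon.json and the two inspect documents are constructed samples; the Finding record, the severity labels and the container names are this example's own.

```python
"""Offline checks for the Docker API exposure Commando Cat abuses (added example; not Cado's code).
assess_listeners() flags dockerd TCP endpoints that accept unauthenticated API calls;
risky_containers() flags containers whose HostConfig reaches the host (root bind mount, privileged)."""
import json
import shlex
from collections import namedtuple
from urllib.parse import urlparse

Finding = namedtuple("Finding", "severity subject detail")   # severity: critical | high | info
WILDCARD_BINDS = {"", "0.0.0.0", "::", "[::]"}
LOOPBACK = ("127.", "localhost", "::1")
HOST_SENSITIVE = ("/etc", "/root", "/proc", "/sys", "/var/run/docker.sock", "/run/docker.sock")

def parse_dockerd_cmdline(cmdline):
    """Return (hosts, tls, tlsverify) from a dockerd invocation, e.g. a systemd ExecStart line."""
    args = shlex.split(cmdline)
    hosts, tls, tlsverify = [], False, False
    i = 0
    while i < len(args):
        a = args[i]
        if a in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 1
        elif a.startswith(("-H=", "--host=")):
            hosts.append(a.split("=", 1)[1])
        elif a in ("--tls", "--tls=true"):
            tls = True
        elif a in ("--tlsverify", "--tlsverify=true"):      # --tlsverify implies --tls
            tls = tlsverify = True
        i += 1
    return hosts, tls, tlsverify

def parse_daemon_json(text):
    """Same triple from /etc/docker/daemon.json ("hosts", "tls", "tlsverify" keys)."""
    cfg = json.loads(text)
    tlsverify = bool(cfg.get("tlsverify", False))
    return list(cfg.get("hosts", [])), bool(cfg.get("tls", False)) or tlsverify, tlsverify

def assess_listeners(hosts, tls, tlsverify, subject="dockerd"):
    out = []
    for h in hosts or ["unix:///var/run/docker.sock"]:      # dockerd's default when no -H is given
        u = urlparse(h)
        if u.scheme != "tcp":
            out.append(Finding("info", subject, f"{h}: local endpoint, gated by socket permissions"))
        elif tlsverify:
            out.append(Finding("info", subject, f"{h}: TLS with client-certificate verification"))
        elif tls:
            out.append(Finding("high", subject, f"{h}: TLS without client verification; set tlsverify"))
        else:
            bind = u.hostname or ""
            reach = "all interfaces" if bind in WILDCARD_BINDS else bind
            sev = "high" if bind.startswith(LOOPBACK) else "critical"
            out.append(Finding(sev, subject, f"{h}: unauthenticated Docker API on {reach}; "
                                             "anyone who can reach the port controls the host"))
    return out

def risky_containers(inspect_docs):
    """inspect_docs: dicts shaped like GET /containers/{id}/json (or `docker inspect`)."""
    out = []
    for doc in inspect_docs:
        name = doc.get("Name", "?").lstrip("/")
        hc = doc.get("HostConfig") or {}
        if hc.get("Privileged"):
            out.append(Finding("critical", name, "privileged: all capabilities and host devices"))
        if hc.get("PidMode") == "host":
            out.append(Finding("high", name, "shares the host PID namespace"))
        for spec in hc.get("Binds") or []:                   # "src:dst[:opts]"
            src = spec.split(":", 1)[0]
            if src == "/":
                out.append(Finding("critical", name, f"bind-mounts host root ({spec}): host file system writable"))
            elif src.startswith(HOST_SENSITIVE):
                out.append(Finding("high", name, f"bind-mounts sensitive host path ({spec})"))
    return out

# Constructed samples: an exposed daemon, a hardened daemon.json, and two inspect documents.
SAMPLE_CMDLINE = "/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 --containerd=/run/containerd/containerd.sock"
SAMPLE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"], "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem", "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem"})
SAMPLE_INSPECT = [
    {"Name": "/web", "HostConfig": {"Binds": ["/srv/web:/usr/share/nginx/html:ro"], "Privileged": False}},
    {"Name": "/cmd", "HostConfig": {"Binds": ["/:/hs"], "Privileged": True, "PidMode": "host"}},
]

def demo():
    """Severity lists for the samples: exposed ExecStart, hardened daemon.json, container audit."""
    exposed = assess_listeners(*parse_dockerd_cmdline(SAMPLE_CMDLINE), subject="ExecStart")
    hardened = assess_listeners(*parse_daemon_json(SAMPLE_DAEMON_JSON), subject="daemon.json")
    return {"exposed": [f.severity for f in exposed],
            "hardened": [f.severity for f in hardened],
            "containers": [(f.subject, f.severity) for f in risky_containers(SAMPLE_INSPECT)]}

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The two daemon samples are the weak and the corrected configuration side by side: the only change that turns the critical finding into an informational one is requiring client certificates on the TCP listener. Feed real output from `docker inspect` into risky_containers() to catch the host-root bind mount after the fact, since that is the step that turns API access into host access.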
Over the weekend, the website of the Pennsylvania State Courts Agency
experienced a cyber attack which disabled several online systems.
This incident was confirmed by officials on Sunday night
who noted that the attack did not compromise any data.
Chief Justice Debra Todd says the attack is being investigated by the U.S. Department of Homeland Security and the FBI.
She described the incident as a denial-of-service attack, a method where attackers overload a system with traffic,
causing it to crash and denying access to legitimate users.
The agency, known as the Administrative Office of Pennsylvania Courts,
has not yet identified the attackers or their motives, and it remains unclear whether their
cybersecurity measures were effective or if any ransom was demanded. Key online services affected
include the docket sheets and an electronic document filing portal.
Despite these disruptions, the state's courts continued to operate.
After six years, Army General Paul Nakasone has passed the leadership of U.S. Cyber Command and the National Security Agency to Air Force General Timothy Haugh.
The change of command ceremony, held at NSA's Morrison Center,
occurs amidst increasing challenges in digital warfare
and concerns over election security against potential foreign hacking.
Nakasone, praised for his leadership during a period of heightened global challenges and
low morale following security breaches, introduced significant changes, including the persistent
engagement doctrine and the establishment of
the Cybersecurity Directorate at NSA. Haugh, previously Cyber Command's deputy and head of
the Air Force's Digital Warfare Branch, is recognized as highly qualified for leading
these agencies. The ceremony, attended by top national security officials, highlighted the evolving importance of technology in national security, with Haugh expressing enthusiasm for future challenges and opportunities.
Coming up after the break, my conversation with Dr. Heather Monthie from N2K Networks with insights on the White House's recent easing of education requirements for federal contract jobs. Stay with us.
The Biden administration recently announced updates to their federal hiring standards for folks seeking jobs in cybersecurity.
Joining me to discuss this is my N2K colleague, Dr. Heather Monthie.
She is a cyber workforce consultant here at N2K.
Heather, welcome to the show.
Thank you for having me. I'm glad to be here.
So give us a rundown here of what has gone into this adjustment of the federal hiring standards.
Well, I think that there's been a lot of talk over the last 10 or so years about how do we get more people involved in cybersecurity and how do we help fill the cyber workforce gap?
One thing that has been identified is that the bachelor's degree has sort of been this stopping point for a lot of people to break
into the field. And there's a lot of different roles within cybersecurity that don't necessarily
require a bachelor's degree to get started in that position. So I know that the federal government
has been talking about this for many years, and I'm glad to see that there's some progress being
made into opening up opportunities to work in the cybersecurity profession for people
who may have already had some really good success in another career, but don't necessarily meet the
bachelor's degree requirements and want to get into this field. Do we have many specifics yet
here of what sorts of positions this could be affecting? I haven't read anything yet with
regards to the specifics, but I think if you look at any profession,
any burgeoning profession, and I say cybersecurity is a relatively new field compared to, say,
the medical industry, where we don't have very well clearly defined paths with how to get into
that field yet. And the medical industry 150 years ago was very much the same way. We didn't
have these paths of how do you become a surgeon? How do you become a nurse? How do you become a
person who works at the health insurance company, right? And I think
cybersecurity is that same type of a field where there's a lot of different opportunities in a lot
of different areas. It's not just pen testing. It's not just this one thing. Much like the medical
profession, there's going to be fields that require advanced training and advanced skills.
And then there's going to be professions that you can jump right in and get started without four years of higher education.
Who do you suspect this is going to affect here?
I mean, people who are aspiring to get into the cybersecurity business here.
I would imagine there's a range of folks who could take advantage of this.
Yeah, I think there's a couple different groups of people. I think there's a lot of young people who have really started questioning the
value of higher education and figuring out, you know, if I know how to do a skill, do I really
need to go to college and get a piece of paper to prove that I know how to do it when I have
other ways that I can prove that I know how to do it? I have a portfolio of projects that I've completed and things that I can show employers saying,
hey, I can do this work. There's also a group of people, I think, that are a little bit older that
maybe already have had some success in another profession. And quite frankly, if you think about
it, if you're in your 30s and going back to school to get a bachelor's degree, four years can be a long time.
That's a long time when you've got responsibilities, you've got families, mouths to feed, mortgages to pay.
If you can get into the cybersecurity profession with a much shorter path to get there, that's going to be very appealing to somebody who's maybe trying to pivot their career or re-career.
I would imagine this is an opportunity for community colleges here as well to kind of step up and provide here. Yeah, I think community colleges have played a huge role in developing
the cybersecurity workforce. There's a lot of community colleges out there that they've also
recognized that a lot of people, not just the federal government, but there's still a lot of companies that are requiring this bachelor's degree.
And so community colleges have tried to address that in the sense that helping the industry to understand what they're doing in the classroom to help students get prepared for these roles.
But also they are offering up opportunities.
If somebody does want to go get a bachelor's degree, many community colleges are now offering applied bachelor's
degrees. And then they've also got agreements with area universities so that students can
go from earning their associate's degree into completing their bachelor's degree at a university
that's nearby. You know, so far, the reactions I've seen to this have been overwhelmingly positive.
I suppose there was a fear that the administration could be accused of trying to dumb things down or lower their standards.
But that doesn't seem to have been the case here.
There was a really big push for many years, 20, 25 years or so, to get everybody going to a four-year university, getting a bachelor's degree.
There was this huge push, and we've seen society shift away from that now and recognizing that not every profession or not every field requires somebody to go and get a four-year bachelor's degree.
I think it's been this sort of the shift back to,
let's learn a skill that can help you make money so that you can support your family
and also make a big difference in the world.
For folks who are out there looking at these jobs,
again, someone who's aspiring to join this workforce,
any words of wisdom here
for how they should be calibrating their own journey given
this new reality? Yeah, I have a couple different pieces of advice. I've been teaching for a very
long time, and I have a couple pieces of advice that I give people that are trying to break into
this field, whether you're 18 and trying to figure out what you're going to do with your life or
you're 35 and you're pivoting your career. And one thing is that if you see a job posting that you think is interesting to you
and you don't meet the requirements for it, you should apply for it anyways. There's a lot of
job descriptions that are written out there that the employer is asking for a unicorn and they
probably know it. They're just kind of trying to see what they're going to get. So apply for those
jobs anyways. And really just figure out what are those skills
that you already have that are transferable. So if you go and you look at job postings that are
out there, go on LinkedIn and some of these job boards and look at those job postings that are
out there, you're going to see some things in there that are not necessarily technical or
cybersecurity skills. You're going to see some more professional type skills, such as written communication,
oral communication, giving presentations, teamwork, project management, all that kind
of stuff.
And if you've got some work experience in another field, pull those things out of your
work history and get that on your LinkedIn page, get that on your resume, be able to
talk very clearly about it and about how that is a transferable skill that you can bring into the cybersecurity team at a company that you're
trying to potentially get a job in. Heather Monthie is Cybersecurity Workforce Consultant
right here at N2K Networks. Heather, thanks so much for joining us. Thank you.
And finally, David Kahn, a renowned journalist and historian known for his groundbreaking work on cryptology, passed away at age 93 due to complications from a stroke. His fascination
with cryptology began at age 13 after discovering a book on codes and ciphers.
Kahn's landmark 1967 book, The Codebreakers, explored the history of secret communication,
establishing him as a leading figure in the field. Despite initial resistance from the U.S.
government and the NSA, his work eventually gained widespread recognition and respect.
Kahn's career in journalism began at Newsday and later included a stint at the New York Herald Tribune's Paris
edition. He earned a doctorate in modern history from Oxford University, where he focused on German
military intelligence in World War II, leading to his book Hitler's Spies. His other works included Seizing the Enigma and The Reader
of Gentlemen's Mail. Despite not being a skilled cryptanalyst himself, Kahn's extensive knowledge
and collection of intelligence artifacts earned him a special place in the field, culminating in
the NSA's National Cryptologic Museum, housing the David Kahn collection.
Kahn's work significantly contributed
to the public's understanding of cryptology
and signals intelligence.
May his memory be a blessing to those who knew and loved him.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast,
where I contribute to a regular segment
on Jason and Brian's show every week.
You can find Grumpy Old Geeks
where all the fine podcasts are listed.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
We're privileged that N2K and podcasts like The Cyber Wire
are part of the daily intelligence routine
of many of the most influential leaders and operators
in the public and private sector,
as well as the critical security teams
supporting the Fortune 500
and many of the world's preeminent
intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the
value of your biggest investment, your people. We make you smarter about your team while making
your team smarter. Learn more at n2k.com. This episode was produced by Liz Stokes. Our mixer
is Trey Hester with original music by
Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive
editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.