CyberWire Daily - A snapshot of security woes.
Episode Date: June 7, 2024

Microsoft's Recall raises red flags. Ukraine's CERT sounds alarm. Russian hacktivists cause trouble in EU elections. DEVCORE uncovers critical code execution flaw. LastPass leaves users locked out. Apple commits to five years of iPhone security. An AI mail fail. Inside the FCC's plan to strengthen BGP protocol. Dave sits down with our guest Camille Stewart Gloster, Former Deputy National Cyber Director at the White House, as she shares a retrospective of her public service career. And let's all Cheers to cybersecurity.

Our 2024 N2K CyberWire Audience Survey is underway; make your voice heard and get in the running for a $100 Amazon gift card. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Guest Camille Stewart Gloster, Former Deputy National Cyber Director at the White House, shares a retrospective of her public service career. Camille's full conversation with Dave can be found on our weekly cybersecurity law, policy and privacy podcast, Caveat. You can listen to it here.
Selected Reading
- Microsoft's Recall Feature Is Even More Hackable Than You Thought (WIRED)
- Microsoft Research scientist gives non-answer when asked about Windows Recall privacy concerns (TechSpot)
- TotalRecall: A New Tool that Extracts Data From Windows 11 Recall Feature (Cyber Security News)
- Exclusive: Senators express "serious concern" with Pentagon's Microsoft plan (Axios)
- UAC-0020 used SPECTR Malware to target Ukraine defense forces (Security Affairs)
- Russian hacktivists vow mass attacks against EU elections (The Register)
- Ransomware Actor Exploited CoinMiner Attacker's Proxy Server (Cyber Security News)
- Critical PHP Remote Code Execution Flaw let Attackers Inject Malicious Scripts (Cyber Security News)
- Users furious after LastPass down for hours (Cybernews)
- Apple Says iPhones Will Get Security Updates for at Least 5 Years (SecurityWeek)
- EmailGPT Exposed to Prompt Injection Attacks (Infosecurity Magazine)
- FCC Proposes BGP Security Reporting for Broadband Providers (SecurityWeek)
- Unpacking the SEC 10-K cyber disclosures (PwC)
- Apple set to launch Passwords app, taking on LastPass and 1Password (TechSpot)
- Wineloader Mimic As Ambassador Of India To Start The Infection Chain (Cyber Security News)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
...and VPNs, yet breaches continue to rise, with an 18% year-over-year increase in ransomware attacks
and a $75 million record payout in 2024. These traditional security tools expand your attack
surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools.
It's time to rethink your security. Learn more at zscaler.com slash security.
Microsoft's Recall raises red flags. Ukraine's CERT sounds alarm. Russian hacktivists cause trouble in EU elections.
DEVCORE uncovers critical code execution flaw. LastPass leaves users locked out.
Apple commits to five years of iPhone security. An AI mail fail. Inside the FCC's plan to
strengthen BGP protocol. And Dave sits down with our guest, Camille Stewart Gloster, former
Deputy National Cyber Director at the White House, as she shares a retrospective of her
public service career. And let's all cheers to cybersecurity.
Today is June 7th, 2024.
I'm Maria Varmazis, host of N2K's T-Minus Space Daily, sitting in for Dave Bittner.
And this is your CyberWire Intel Briefing.
Microsoft's new Recall feature, which captures desktop screenshots every five seconds for AI analysis,
is being criticized by cybersecurity experts as highly insecure and a privacy risk.
Initially, accessing Recall's data required administrator privileges, providing a level of protection.
However, James Forshaw, a researcher from Google's Project Zero, identified methods to bypass this safeguard, allowing data access without admin privileges.
Forshaw exploited Windows access control lists and identified simpler techniques to grant user-level access to Recall data.
Cybersecurity strategist Alex Hagenah confirmed these vulnerabilities,
integrating Forshaw's methods into a tool demonstrating how easily hackers can access a user's entire desktop history.
This revelation highlights Recall as a significant security risk, potentially acting as pre-installed spyware.
Critics argue that Recall was rushed to market without proper security review, undermining Microsoft's commitment to prioritizing security.
The feature's default integration into upcoming Copilot+ PCs exacerbates these concerns,
presenting a severe threat to enterprise security. And we note here that Microsoft
is an N2K CyberWire sponsor. The Computer Emergency
Response Team of Ukraine, or CERT-UA, has outlined a cyber espionage campaign by the UAC-0020 threat
actor that's using SPECTR malware to target the defense forces of Ukraine. The malware is
distributed via spear phishing emails with malicious RAR archive attachments.
CERT-UA says the malware is used to download stolen documents, files, passwords, and other information from the computer.
Russian hacktivist groups are targeting the European Union elections.
They're attempting to disrupt the electoral process by launching cyber attacks aimed at EU election infrastructure and disseminating disinformation.
These attacks are part of a broader strategy to undermine democratic institutions and sow
discord within the EU. The attacks involve sophisticated methods, including DDoS attacks,
and attempts to manipulate public opinion through social media and other online platforms.
Sometimes cyber attacks target not only companies but also threat actors.
Recently, CoinMiner Group's proxy server was exposed, allowing a ransomware actor's RDP scan
attack to infiltrate and infect the botnet with ransomware. Researchers at DevCore have discovered
a critical remote code execution vulnerability affecting PHP. The researchers explain, while implementing PHP,
the team did not notice the best-fit feature of encoding conversion within the Windows operating
system. This oversight allows authenticated attackers to bypass the previous protection of
CVE-2012-1823 by specific character sequences. Arbitrary code can be executed on remote PHP servers
through the argument injection attack.
PHP's development team released a patch for the flaw yesterday.
A LastPass outage yesterday left users,
including at least two members of the N2K production team,
unable to access their password vaults, causing widespread frustration.
The issue, which lasted several hours, affected both individual and enterprise customers.
The company has since resolved the problem,
but faced criticism over the lack of communication and transparency during the incident.
Apple has announced that iPhones will receive security updates for at least five years to comply with new UK regulations.
This commitment applies to iPhones released after September 2023, running iOS 17 or later.
The move follows the UK's new security requirements for consumer-connectable products.
Despite this, Apple's update period is shorter than Google's and Samsung's
seven-year commitments for their Android devices.
EmailGPT, a tool designed to assist users writing emails within Gmail using AI,
has been found vulnerable to prompt injection attacks.
The flaw allows attackers to manipulate the AI's responses by embedding malicious prompts in emails,
potentially compromising sensitive data.
The FCC has proposed requiring broadband providers to enhance Border Gateway Protocol,
or BGP, security and submit quarterly progress reports. This initiative aims to mitigate BGP-
related risks, including data theft and espionage, by implementing Resource Public Key Infrastructure, or RPKI, measures.
The proposal highlights the need for robust security in internet routing to protect national
security and public safety.
Coming up after the break, we share an excerpt of Dave's conversation from our Caveat podcast with former Deputy National Cyber Director at the White House, Camille Stewart Gloster.
Dave and Camille spoke about her public service career.
We'll be right back.
Transat presents a couple trying to beat the winter blues.
We could try hot yoga.
Too sweaty.
We could go skating.
Too icy.
We could book a vacation.
Like somewhere hot.
Yeah, with pools.
And a spa.
And endless snacks.
Yes!
Yes!
Yes!
With savings of up to 40% on Transat South packages, it's easy to say, so long to winter.
Visit Transat.com or contact your Marlin travel professional for details.
Conditions apply.
Air Transat. Travel moves us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta
brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
I recently had the pleasure of speaking with Camille Stewart Gloster.
She is former Deputy National Cyber Director at the White House.
Also one of my favorite people to interview.
It's always time well spent when I get to chat with Camille Gloster.
Here's our conversation.
Well, let's start off by talking about the journey that you had
becoming the Deputy National Cyber Director at the White House.
How did you initially get the call to see if this was something you might be interested in?
So that journey began before the office was even stood up.
I had started a mentorship program
in collaboration with WestExec during the pandemic.
So everyone was locked up at home
through an organization I started called NextGen NatSec.
And in organizing, I also participated and was paired with Chris Inglis. And over the course of about six months, we had a number of conversations around cybersecurity and national
security in our careers. And it was a very fruitful conversation. But one of the things
that we discussed was the need for an office of the National Cyber Director.
He had been a part of the Cyberspace Solarium Commission
and I had been writing articles
about passing this in the NDAA
and getting it stood up and the importance of the office.
And so we had a number of conversations
about what it should look like
and why it was important
and how essential it was to get the office stood
up as soon as possible. And when Chris got nominated to be the first national cyber director,
I was really excited because I knew from firsthand conversations that he had put a lot of thought and
energy into what the office should look like. But I guess he also knew the same about me. And so he approached me to lead a part of the organization
focused on future resilience.
And he said my background on supply chain security issues
and in emerging technology spaces,
and then my personal passion for people
and empowering people in these spaces
and national security spaces and cybersecurity spaces led him to think that I should lead a team focused on future resilience.
And the journey started there.
And what was that transition like to go into public service?
Was that a bit of a culture shock for you?
No, this is not my first tour of duty, as they say in government.
In the Obama administration, I was at the Department of Homeland Security and I helped stand up the
Office of Cyber Infrastructure and Resilience Policy. And so coming back to government felt
like coming home in some ways. It was definitely a shift in many others because I was coming from
Google. And there's kind of a change of perspective that you have to flip the
switch on when you transition between government and the private sector. But I find that I was
often thinking about how government could take the ball further than I could in the private sector,
and then usually vice versa when I switched roles. And so by the time I was coming back into
government and moving into the White House, I was excited about all of the areas where I saw opportunity for the federal
government to really lean in and to sit in a seat where I really had the power to drive that kind of
change. And what was the day-to-day like? What sort of problem solving were you actively involved with?
So much. I mean, first was just the standing up of the Office of the National Cyber Director. There was one person and a half on my team when I arrived. And so envisioning what this broad mandate to think about future resilience and emerging technology and cyber workforce, what did that really mean in practice?
And who were the experts and thought leaders that should be a part of that team?
What would the connectivity to the interagency look like?
What structures would we need to set up?
So I did a lot of thinking about what was the vision and mission of this part of the organization and how did we realize that affirmative vision that we were starting to build out in the National Cybersecurity Strategy
and eventually instantiated in that.
So a lot of work was there, but also with the
day-to-day policy writing, the sitting in deputies committee meetings, making decisions about
national security policy as a whole, particularly where it intersects with the issues that I was
leading. It was engaging with the private sector. I mean, one of the hallmarks of the Office of the National Cyber Director is collaborating,
truly collaborating with the private sector, with non-federal entities to get a holistic
and complete understanding of the cyber threat landscape and the opportunity landscape.
And so a lot of my work was that kind of engagement with our non-federal partners,
our international partners, and then building out action-oriented ways to achieve those goals.
How do we not only think through these things,
but then deliver on the priorities that we set as a federal government,
but also collectively as a nation or as a global society?
How did you and your colleagues there measure success?
It depended on the initiative.
On the cyber workforce side, I think a lot of the initiatives that we had that called upon non-federal entities to commit time, talent, resources, really demonstrated the forward motion.
And in the cyber workforce space, you know, the federal government only has a small
piece of the work and so every time we got a company or a state government or an academic
institution or a training provider to commit to delivering more cyber training to commit to
training up more people or delivering more programs that were relevant, that really demonstrated success. And then on some of these
emerging technology issues and supply chain issues, some of the success was coordination.
Quite frankly, there are a lot of authorities that can be brought to bear throughout the
executive branch. And one entity really looking at not only the national security implications,
but the economic implications, the human security implications,
and be able to provide that holistic perspective,
prioritize, de-conflict, that kind of work, living in ONCD was really an added benefit.
And so I think we moved better as a federal government. It was clearer who was doing what.
I mean, I think that's obvious in things like the implementation plan from the National
Cybersecurity Strategy.
We were able to deliver on things like the AI EO, which was a whole government effort
and led at the White House.
And I think the fact that security is right at the top really demonstrates how ONCD poured
into that process
and really helped deliver. So it's obvious in a number of different things. A lot of the
collaborative policy efforts you see, implementation of the strategies we delivered,
the novel policy conversations that we're having, the exposure of private sector to some
information that can help guide how they move.
Like we had all of these conversations on things like space, cybersecurity, and climate
and cybersecurity that really kind of infused cybersecurity as parts of broader conversations
that were already ongoing.
When you joined the organization, did you have any sort of time
range in mind for how long you felt like this was going to be the place for you?
No, I usually go by impact-driven tenure. And so I was committed to staying as long as the
opportunity for impact was great. And I think a lot of work was done
to instantiate the office
of the National Cyber Director
to deliver on the things
that I really came there to do,
like work on AI,
like work on supply chain security,
like work on cyber workforce.
And so having achieved those things
and feeling like maybe it was time
that I could do a little bit more
from the outside
than I could do from the inside
was kind of the catalyst for that decision.
But people usually only last in the White House about 12 to 18 months.
So I made it just about two years on part of that.
Did you ever have kind of pinch yourself moments where you looked around and you said to yourself, I'm in the White House?
All the time.
I feel like if you don't, then you're not paying attention.
There's so much history and so much about who we are as a nation,
who we are as people has been impacted by the decisions made in those halls
and by the people who choose to dedicate their lives to service.
And, you know, whether it be the structures like walking through the White House and the executive
office building, or it be thinking about the impact of the work that you're doing and the
urgency of the things that make it to your table because they are national security imperatives or
economic security imperatives.
I hope that everybody in these seats has stopped to reflect routinely.
But yes, it hit me quite often.
Yeah.
Where do you suppose that we're headed here? I mean, when it comes to cyber policy, having had that insider's view,
are you optimistic that we're in a good place as a nation
in terms of developing good,
meaningful, actionable policy? I think we are pointed in the right direction,
but have lots of work to do. And the federal government is a big ship to turn. And so
a two-year, two-and-a-half-year, almost three-year-old organization cannot make all
the changes that would need to be made in a moment, nor can a
series of goals, right? CDP is a new organization within State. I think we've identified some of the
apparatuses that we need to make effective cyber policy and to make that values aligned and
designed to achieve our desired goals rather than organizing ourselves around combating the threat,
right? Like let that be a feature of achieving the desired goal rather than the way we orient
ourselves. So I think we have started to put the structures in place, but there's work to be done
to make sure that those are strong and healthy and continue to drive towards actionable policy
that really addresses the root issue we seek to fix
or the value we seek to preserve. And I'm excited to see that work continue.
Before I let you go, any words of wisdom for folks who might be considering a career
in public service? Please do it. The federal government, the international and national cyber ecosystem in general will benefit from your experience in the private sector or in civil society,
from all sectors and different industries.
So please make your career one that allows you to move from organization to organization
and include the federal government in that.
And you can hear Dave's full conversation with Camille
on yesterday's Caveat episode.
We'll have a link for you in our show notes.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And finally, picture this.
A classy wine-tasting invite from the ambassador of India lands in your inbox.
Intrigued, you click on it, only to find yourself trapped in a sinister spear-phishing campaign
orchestrated by the infamous APT29, a.k.a. Nobelium, or Cozy Bear.
ArcLabs dives deep into the details of this cunning scheme, unraveling
the secrets of WineLoader, a crafty backdoor making waves in the cybersecurity world.
This sneaky tool, first spotted by Zscaler and later dissected by Mandiant, is a master of
deception. The infection chain kicks off with a seemingly innocuous email invitation to a wine-tasting event hosted by the Ambassador of India.
The email redirects victims to a malicious site that downloads a zip file containing an obfuscated HTA file.
And when executed, this file downloads another zip with the WineLoader payload.
In short, APT29's WineLoader is like a crafty sommelier serving up a vintage blend of cyber mischief.
But with a little caution, you're equipped to sniff out and thwart their next attack.
I think we can all cheers to that.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to tune in to Research Saturday tomorrow, where Dave is joined by Jerome Segura, Senior Director of Threat Intelligence at Malwarebytes.
And he is discussing their work, "Threat actors ride the hype for newly released Arc browser."
That's Research Saturday.
Check it out.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights that help keep
you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like the CyberWire
are part of the daily intelligence routine
of many of the most influential leaders and operators
in the public and private sector,
as well as the critical security teams supporting the Fortune 500
and many of the world's preeminent intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence optimizes the value
of your biggest
investment, people. We make you smarter about your team while making your team smarter.
Learn more at n2k.com. This episode was produced by Liz Stokes. Our mixer is Tré Hester with
original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf.
Our executive editor is Peter Kilpe.
And I'm Maria Varmazis.
Dave Bittner will be back next week.
Thanks for listening, everyone.
Have a wonderful weekend.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease
through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at
ai.domo.com. That's ai.domo.com.