CyberWire Daily - Almost letting hackers rule the web.

Episode Date: August 22, 2024

A WordPress plugin vulnerability puts 5 million sites at risk. Google releases an emergency Chrome update addressing an actively exploited vulnerability. Cisco patches multiple vulnerabilities. Researchers say Slack AI is vulnerable to prompt injection. Widely used RFID smart cards could be easily backdoored. The FAA proposes new cybersecurity rules for airplanes, engines, and propellers. A member of the Russian Karakurt ransomware group faces charges in the U.S. The Five Eyes release a guide on Best Practices for Event Logging and Threat Detection. The Kremlin claims widespread online outages are due to DDoS, but experts think otherwise. In our Threat Vector segment, guest host Michael Sikorski speaks with Jason Healey, Senior Research Scholar at Columbia University's School of International and Public Affairs. A deadbeat dad dodges debt through death.

Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

Threat Vector Segment
In this Threat Vector segment, guest host Michael Sikorski, CTO of Unit 42, engages in a thought-provoking conversation about the historical challenges and advances in cyber conflict with Jason Healey, Senior Research Scholar at Columbia University's School of International and Public Affairs. To listen to their full conversation, check out the episode here. You can catch new episodes of Threat Vector every Thursday on the N2K CyberWire network.

Selected Reading
Critical Privilege Escalation in LiteSpeed Cache Plugin (Patchstack)
Google fixes ninth Chrome zero-day exploited in attacks this year (The Register)
Cisco Patches High-Severity Vulnerability Reported by NSA (SecurityWeek)
Slack AI can leak private data via prompt injection (The Register)
Major Backdoor in Millions of RFID Cards Allows Instant Cloning (SecurityWeek)
FAA proposes new cybersecurity rules for airplanes (The Record)
U.S. charges Karakurt extortion gang's "cold case" negotiator (Bleeping Computer)
ASD's ACSC, CISA, FBI, and NSA, with the support of International Partners Release Best Practices for Event Logging and Threat Detection (CISA)
Kremlin blames widespread website disruptions on DDoS attack; digital experts disagree (The Record)
Deadbeat dad faked his own death by hacking government sites (The Register)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. A WordPress plugin vulnerability puts 5 million sites at risk. Google releases an emergency Chrome update addressing an actively exploited vulnerability. Cisco patches multiple vulnerabilities. Researchers say Slack AI is vulnerable to prompt injection.
Starting point is 00:02:16 Widely used RFID smart cards could be easily backdoored. The FAA proposes new cybersecurity rules for airplanes, engines, and propellers. A member of the Russian Karakurt ransomware group faces charges in the U.S. The Five Eyes release a guide on best practices for event logging and threat detection. The Kremlin claims widespread online outages are due to DDoS, but experts think otherwise. In our Threat Vector segment, guest host Michael Sikorski speaks with Jason Healey, senior research scholar at Columbia University's School of International and Public Affairs. And a deadbeat dad dodges debt through death.
Starting point is 00:03:04 It's Thursday, August 22nd, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today. It is great to have you with us. A vulnerability in the LiteSpeed Cache WordPress plugin allows unauthenticated users to escalate their privileges to an administrator level, putting over 5 million sites at risk.
Starting point is 00:03:39 The issue stems from a weak security hash in the user simulation feature, which uses insecure random number generation. The flaw allows attackers to brute force the security hash, potentially gaining full control of a site. The vulnerability was discovered by researcher John Blackbourn, who received a $14,400 bounty for his findings. Although the vulnerability is mitigated by updating to version
Starting point is 00:04:07 6.4 of the plugin, users are urged to act swiftly. The LiteSpeed team has implemented additional security measures, including stronger hash validation and one-time use hashes to prevent exploitation. Google has released an emergency Chrome update to address a high-severity zero-day vulnerability which is being actively exploited in the wild. The vulnerability found in Chrome's V8 JavaScript engine was reported by Microsoft security teams and could allow attackers to execute arbitrary code on unpatched devices.
Starting point is 00:04:47 Google has fixed the issue in the latest versions for Windows, macOS, and Linux. The update will be automatically rolled out, but users can manually check and install it via the Chrome menu. Google has withheld further details until most users are protected. Cisco has released patches for multiple vulnerabilities, including a high severity issue in its Unified Communications Manager products. This vulnerability with a CVSS score of 8.6 affects the SIP call processing function and can be remotely exploited without authentication. Attackers could send crafted SIP messages to trigger a denial of service condition by causing the device to reload. Cisco has provided patches with no workarounds available.
Starting point is 00:05:34 The issue was reported by the U.S. National Security Agency, and there are no reports of it being exploited in the wild. Cisco also addressed four medium severity bugs affecting Identity Services Engine and Unified CM, including SQL injection and cross-site scripting vulnerabilities. Further details are available on Cisco's security advisories page. Slack AI, an assistive service within Salesforce's messaging platform, is vulnerable to prompt injection, according to security firm PromptArmor. This flaw allows attackers to exfiltrate sensitive data, such as API keys, from private Slack channels.
Starting point is 00:06:18 The vulnerability arises because Slack AI can fetch data from both public and private channels, including those not joined by the user. PromptArmor demonstrated how a malicious prompt in a public channel could trick Slack AI into exposing private data through clickable links. The risk is exacerbated by a recent Slack update that allows files from channels and direct messages to be included in AI-generated responses, potentially making user files a target for injection attacks. PromptArmor has warned that this vulnerability could lead to significant data breaches, urging Slack admins to restrict AI access to documents until the issue is resolved. Slack considers this behavior to be intended, but PromptArmor disagrees. Quarkslab, a French security company, has uncovered a major backdoor in millions of contactless cards
Starting point is 00:07:16 produced by Shanghai Fudan Microelectronics Group, a leading Chinese chip manufacturer. The backdoor, detailed by researcher Philippe Teuwen, enables rapid cloning of RFID smart cards, which are widely used for accessing offices and hotel rooms globally. The vulnerability lies in a specific variant of the MIFARE Classic card introduced by Fudan in 2020, which contains a static encrypted nonce countermeasure. Teuwen discovered that an attacker with just a few minutes of physical proximity to a card
Starting point is 00:07:52 could exploit this backdoor to crack its keys, which are uniform across all cards. This flaw extends to other card models from Fudan and even some older cards from NXP Semiconductors and Infineon Technologies. Quarkslab urges organizations to assess their infrastructure immediately, as these vulnerable cards are found worldwide, including in hotels across the U.S., Europe, and India. The FAA has proposed new cybersecurity rules for airplanes, engines, and propellers to address the growing threat of cyberattacks as aircraft become increasingly connected to internal and external networks. The proposed regulations aim to standardize and codify the special conditions that have been issued on a case-by-case basis since 2009, reducing the complexity and cost of certification.
Starting point is 00:08:48 The rules would require applicants to identify cybersecurity risks, protect against unauthorized electronic interactions, and develop mitigation strategies. These efforts stem from the need to protect aircraft systems from potential cyber threats that could affect airworthiness, such as compromised maintenance laptops, wireless sensors, and satellite communications. While the new rules focus on vulnerabilities with tangible impacts on safety, experts like Joseph Saunders argue that they do not go far enough in addressing future unknown vulnerabilities. The proposal follows a significant increase in reported cyberattacks in the airline industry,
Starting point is 00:09:30 which grew by 530% from 2019 to 2020. Denis Zolotarjovs, a member of the Russian Karakurt ransomware group, has been charged in the U.S. with money laundering, wire fraud, and extortion. Zolotarjovs, a Latvian national living in Moscow, was arrested in Georgia, Eastern Europe, in December 2023 and recently extradited to the U.S. The FBI's investigation revealed his involvement in Karakurt's extortion operations, where the group stole data from companies and demanded ransoms to prevent its public release. Operating under the alias Sforza_Cesarini, Zolotarjovs negotiated extortions, including a case where a victim paid over $1.3 million.
Starting point is 00:10:19 His arrest marks the first of a Karakurt member being extradited to the U.S., potentially paving the way for further prosecutions. The charges against him carry a maximum sentence of 20 years in prison plus significant fines. Karakurt, linked to the notorious Conti cybercrime syndicate, focuses on data exfiltration without using encryption tools. The Australian Signals Directorate's Cyber Security Centre, CISA, the FBI, NSA, and international partners have released a guide on best practices for event logging and threat detection to help organizations establish a baseline for event logging.
Starting point is 00:11:03 The participating agencies say this guide is crucial for detecting and mitigating cyber threats, especially as malicious actors increasingly use techniques like living off the land and fileless malware. CISA urges IT decision makers, OT operators, and critical infrastructure organizations to review and implement these recommended practices to enhance cybersecurity. The Kremlin is blaming widespread disruptions on Russian websites and apps,
Starting point is 00:11:34 including WhatsApp, Telegram, and Wikipedia, on a supposed DDoS attack targeting telecom operators. However, digital experts are skeptical, noting that it's highly improbable to launch a DDoS attack affecting all 2,000 Russian telecom providers simultaneously. Major telecom operators like MegaFon and Rostelecom reported no issues, fueling suspicions that these disruptions were state-imposed. Critics suggest the Russian government may be behind the outages, likely attempting to censor access to Western platforms. This aligns with previous incidents where Russian authorities have intentionally slowed or blocked services such as YouTube and Telegram under the guise of regulatory enforcement or anti-terrorism measures.
Starting point is 00:12:26 Experts believe the disruptions could be an attempt by Roskomnadzor to block Telegram, inadvertently affecting other services. Such actions are consistent with Russia's ongoing efforts to control digital information within its borders. Coming up in our Threat Vector segment, guest host Michael Sikorski speaks with Jason Healey, senior research scholar at Columbia University's School of International and Public Affairs. Stay with us. Do you know the status of your compliance controls right now? Like right now. We know that real-time visibility is critical for security,
Starting point is 00:13:28 but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Starting point is 00:13:58 Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk.
Starting point is 00:14:50 In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. In today's segment from the Threat Vector podcast, guest host Michael Sikorski speaks with Jason Healey, senior research scholar at Columbia University's School of International and Public Affairs. Welcome to Threat Vector, the Palo Alto Networks podcast, where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends. I'm Michael Sikorski, the CTO of Unit 42, and I'm taking over the Threat Vector podcast today as your host. I'm joined here with Jason Healey, a senior research scholar at Columbia University's School of International and Public Affairs. Jay, welcome to Threat Vector. Thanks for joining me today. I really appreciate it.
Starting point is 00:16:19 You know, I've been teaching at Columbia University for, I think it's 11 years now, and that's sort of how we first got in touch. Although we did overlap together at the NSA, I believe, as well, back in the day. And, you know, I think it's really interesting how the computer science world, which is where I teach, and the School of International Affairs, where you teach, has a lot of overlap, right? And things really start to come together there, especially when we talk about, I see you wearing your CyberWarCon shirt. Can you give the audience some insight on your perspective as to how cybersecurity has evolved over your time? You know, spending time in the military, the White House, now you're an academic,
Starting point is 00:16:59 focused on, you know, the threat at a bigger policy scale. Can you talk about that change over time? Yeah, thanks, Sikko. First, it's just, like you're right, it's incredible how amazing this field that we're in, that we both teach in the same place, but you're on this super technical reverse engineering. I'm dealing with policy students, but we're both trying to say, how can we make things better? How can we defeat the threat actors? How can we leave the world a better place? And the field is so big, right?
Starting point is 00:17:28 One of the things that I did was I did the first history book of cyber conflict. It came out 10 years ago, and it was just looking at, if we treat this as military history, right? I came into this through the Air Force. And how does the story look? And some of the quotes that I came across while I was doing that book, I found really astounding.
Starting point is 00:17:48 Quotes like, contemporary technology cannot secure a system in an open environment, right? That if you have uncleared people and it's not locked away in its own vault, then you can't secure it. Quotes that say the red team always gets through. And those quotes were from 1970 and 1972.
Starting point is 00:18:11 So it's been 50 years that we know that the attackers have these advantages. That if the red team gets through, it's saying to some degree that the adversary, that threat actors are going to get through, that the threat actors have a lot of advantages in their favor. And just having that perspective that, wait a minute, we're not 10 years or 15 years into this. Like, our grandparents were dealing with the same stuff as we are. And unless we do better,
Starting point is 00:18:37 our grandkids are going to be inheriting a worse internet and a worse cyberspace than we have today. Yeah, that's interesting. I do think there has been some change in recent years. Your talk at Black Hat specifically focuses on some of the groundbreaking nature of the national cybersecurity strategy and the shift that's occurring. I've seen a noticeable shift when it comes to collaborative defense, where I think agencies are more willing to collaborate. When we worked at the NSA, you didn't tell anybody you worked there. Now they have a cyber collaboration center, which is a great thing.
Starting point is 00:19:13 We see that going. What do you think triggered this really big movement the last couple years? Do you think without, I think of SolarWinds and Colonial Pipeline, those two big events, like somebody seeing disruption to our gas lines, and then also the speed and growth in which China and Russia continue to escalate, and specifically the escalations and the wars in those regions. Do you think that's what's pushing it, or do you see it a different way as to why we're finally getting this doctrine that we were always missing, and focus of, like, this is a real war that's going to be more and more costly over time? Yeah, it's a great question. I never thought of it quite that way, right? Because I suspect there's both supply and demand, right? I mean, there's both been, oh, Mike, you say the wars, that's getting, you know, the... I mean, there's a land war in Europe, and there has been for, you know, kind of like 10 years now, certainly since the full-scale invasion of Ukraine by Russia,
Starting point is 00:20:11 that is focusing, that is focusing attention. And I find that particularly important because I think there's been, when states were at relative peace, right, in the post-Cold War era was the longest period of peace we've had. States in general were not causing cross-border harm, right? So I, on my side of the campus, right? There's a lot of folks in international relations. And one of the astounding things they've found
Starting point is 00:20:40 is that post-Cold War, every kind of cross-border violence has gone down. And so to me, it hasn't been a surprise that we haven't seen nations using offensive cyber capabilities to really cause harm. We've been pulling our punches and it's largely been an espionage game. So my concern is, yeah, as you pointed out, now that we're having more geopolitical crises, we're having states that are invading their neighbors for territorial gain, we have to start worrying about a PRC invasion of Taiwan, that states are going to be using these in a more dangerous
Starting point is 00:21:14 manner. And so fortunately, I think that's helped drive this. But it's also been, I think, a good supply. And by that, I mean, the agencies getting together, the White House. You know, when I was in White House the first time, there were four of us that were looking at the internet and cybersecurity. The NSC, even three years ago, they had maybe six people, eight people that were looking at defense. Now, at the Office of National Cyber Director, you've got 70. That allows them to get in a lot more detail and focus in on things like budgets and skilled workforce and these other areas
Starting point is 00:21:53 that we just didn't have the investment, we just didn't have the resources to invest in. All right, Jay, thanks a lot today for joining us on the Threat Vector podcast. I think it was an awesome conversation covering education, cyber war, and everything in between. Look forward to collaborating with you more into the future. Great. Thanks to the entire Palo Alto team.
Starting point is 00:22:29 You know, it's nice that we can zoom out like this sometime and have these larger conversations. So appreciate everything that Palo Alto is doing. That's it for Threat Vector today. Stay safe, stay secure, happy reversing. Goodbye for now. Be sure to check out the Threat Vector podcast right here on the N2K CyberWire podcast network or wherever you get your favorite podcasts. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker,
Starting point is 00:23:24 a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And finally, our deadbeat dad desk tells us of a 39-year-old U.S. man, Jesse Kipf, who was sentenced to 81 months in jail for a bizarre and ultimately failed attempt at faking his own death. Kipf, who apparently didn't want to pay child support, hacked into Hawaii's death registry system, posed as a physician, and officially killed himself off.
Starting point is 00:24:26 His ploy worked, at least for a while, as government databases marked him as deceased. Meanwhile, Kipf enjoyed his new dead status, thinking he was off the hook for child support. But Kipf's antics didn't stop there. He hacked into other states' death registries, corporate networks, and even tried selling access on the dark web. The law caught up with him, though, and he's now facing over $195,000 in restitution, plus a lengthy stay in the slammer.
Starting point is 00:25:00 Turns out, faking your own death isn't as easy as Googling how to stop paying child support when you're dead. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app.
Starting point is 00:25:34 Please also fill out the survey in the show notes or send an email to cyberwire at N2K dot com. We're privileged that N2K Cyber Wire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music and sound design by Elliot Peltzman.
Starting point is 00:26:14 Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate
Starting point is 00:27:13 your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
