CyberWire Daily - An unprecedented surge in credential stuffing.

Episode Date: April 29, 2024

Okta warns of a credential stuffing spike. A congressman looks to the EPA to protect water systems from cyber threats. CISA unveils security guidelines for critical infrastructure. Researchers discover a stealthy botnet-as-a-service coming from China. The UK prohibits easy IoT passwords. New vulnerabilities are found in Intel processors. A global bank CEO shares insights on cybersecurity. Users report mandatory Apple ID resets. A preview of N2K CyberWire activity at RSA Conference. Police in Japan find a clever way to combat gift card fraud.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
It's the week before the 2024 RSA Conference. Today, we have N2K's own Rick Howard, Brandon Karpf, and Dave Bittner previewing N2K's upcoming activities and where you can find our team at RSAC 2024.

Special Edition: Threat Vector
Understanding the Midnight Eclipse Activity and CVE-2024-3400: Host David Moulton and Andy Piazza, Sr. Director of Threat Intelligence at Unit 42, dive into the critical vulnerability CVE-2024-3400 found in PAN-OS software of Palo Alto Networks, emphasizing the importance of immediate patching and mitigation strategies for such vulnerabilities, especially when they affect edge devices like firewalls or VPNs.
Selected Reading
Okta warns customers about credential stuffing onslaught (Help Net Security)
Crawford puts forward bill on cybersecurity risks to water systems (The Arkansas Democrat-Gazette)
CISA unveils guidelines for AI and critical infrastructure (FedScoop)
Chinese Botnet As-A-Service Bypasses Cloudflare & Other DDoS Protection Services (GB Hackers)
UK becomes first country to ban default bad passwords on IoT devices (The Record)
Researchers unveil novel attack methods targeting Intel's conditional branch predictor (Help Net Security)
Standard Chartered CEO on why cybersecurity has become a 'disproportionately huge topic' at board meetings (The Record)
Security Bite: Did Apple just declare war on Adload malware? (9to5Mac)
Apple users are being locked out of their Apple IDs with no explanation (9to5Mac)
Japanese police create fake support scam payment cards to warn victims (Bleeping Computer)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life Thank you. JoinDeleteMe.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout. That's JoinDeleteMe.com slash N2K, code N2K. Thank you. guidelines for critical infrastructure. Researchers discover a stealthy botnet as a service coming from China. The UK prohibits easy IoT passwords. New vulnerabilities are found in Intel processors.
Starting point is 00:01:52 A global bank CEO shares insights on cybersecurity. Users report mandatory Apple ID resets. A preview of N2K CyberWire activity at RSA Conference. And police in Japan find a clever way to combat gift card fraud. It's Monday, April 29th, 2024. I'm Dave Bittner and this is your CyberWire Intel Briefing. Identity and access management company Okta warns of what they're describing as an unprecedented surge in credential stuffing attacks, where attackers use stolen usernames and passwords from previous breaches to access online services. These attacks often involve anonymizing proxies like Tor and
Starting point is 00:02:59 residential proxies including NSOCKS, Luminati, and DataImpulse, automated through scripting tools. Okta's observations align with recent findings by Duo Security and Cisco Talos on similar tactics used in brute force attacks. A significant percentage of identity-based incidents investigated by Expel in 2023 also involved malicious logins from such infrastructure. Okta advises customers to use Okta Identity Engine and enable ThreatInsight in log and enforce mode to block requests from these proxies before authentication, enhancing security against these attacks. Upgrading to Okta Identity Engine is recommended as it's free and includes additional features like CAPTCHA for risky sign-ins and passwordless authentication via Okta FastPass.
Starting point is 00:03:53 U.S. Representative Rick Crawford, a Republican from Arkansas, has introduced a bill aiming to establish a water risk and resilience organization under the EPA. This body would develop risk and resilience requirements for water systems to safeguard against cybersecurity threats. The proposed regulations would help drinking water and wastewater systems enhance their resilience to cyber disruptions, including attacks aimed at compromising service delivery. The bill, co-introduced with Representative John Duarte,
Starting point is 00:04:27 comes in response to growing concerns about the vulnerability of U.S. water systems to cyber attacks, highlighted by recent incidents linked to foreign adversaries like Iran and China. Crawford emphasized the need for robust cybersecurity practices to protect critical water infrastructure and prepare operators at all
Starting point is 00:04:45 levels to handle potential threats. The bill is currently under review by two House committees. The Cybersecurity and Infrastructure Security Agency released new safety and security guidelines for critical infrastructure following the Department of Homeland Security's recent focus on the same area. These guidelines are in response to the Biden administration's executive order on artificial intelligence from October and aim to harness AI's potential while mitigating its risks across 16 sectors, including farming and IT. CISA's guidelines encourage owners and operators to use the National Institute of Standards and Technology's AI Risk Management Framework to govern, map, measure, and manage AI usage. They emphasize understanding AI dependencies, inventorying AI use cases,
Starting point is 00:05:39 reporting security risks, and regularly testing AI systems for vulnerabilities. The move is part of broader efforts to prepare for and mitigate AI-related threats in U.S. critical infrastructure. A comprehensive botnet-as-a-service network originating from China has been identified by researchers at EP Cyber. It features multiple domains, over 20 active Telegram groups, and uses domestic communication channels. This infrastructure supports a botnet capable of launching coordinated attacks, including DDoS strikes that can incapacitate systems despite advanced DDoS protections from services like Cloudflare. The botnet's efficacy in bypassing current defenses poses significant threats. Particularly at risk are European companies,
Starting point is 00:06:31 as attackers target their domain names, potentially redirecting users to harmful sites. This highlights vulnerabilities in the domain name system, underscoring the urgent need for robust DNS security to protect online operations and maintain customer trust. The UK has become the first nation to prohibit default easily guessable passwords on IoT devices, addressing a key vulnerability that had previously enabled large-scale cyber attacks such as the Mirai botnet. This legislative move under the Product Security and Telecommunications Infrastructure Act of 2022
Starting point is 00:07:11 mandates unique default passwords and introduces minimum security standards for manufacturers. Companies must now disclose how long their products will be supported with security updates and provide contact details for reporting vulnerabilities. Non-compliance could result in fines up to £10 million or 4% of global revenue. The Office for Product Safety and Standards will oversee these regulations, ensuring manufacturers adhere to the new law aimed at safeguarding consumer data and devices from cyber threats. Similar initiatives are under consideration in other regions, including the EU,
Starting point is 00:07:51 although no equivalent federal law exists in the U.S. Researchers from multiple universities, including UC San Diego and Purdue, along with industry partners such as Google, have discovered two new types of cyberattacks targeting the conditional branch predictor in Intel processors. These attacks, detailed in their upcoming presentation at the 2024 ACM ASPLOS conference, exploit the Path History Register, a feature that tracks the order and addresses of branches, revealing more precise information than previous methods. The attacks allow for an unprecedented level of control
Starting point is 00:08:34 and data extraction from affected processors, posing potential risks to billions of devices. These findings have prompted Intel and AMD to issue security advisories. The research showcases the ability to manipulate processor behaviors, potentially exposing confidential data through sophisticated techniques that outpace existing security measures. The Record from Recorded Future has published a conversation with Bill Winters, CEO of Standard Chartered, one of the largest banks in the world. Winters highlights the growing importance of cybersecurity in the bank's operations, stressing that it has become a key focus in board meetings and overall company culture.
Starting point is 00:09:19 As cyber threats evolve, the bank has prioritized significant investments in cybersecurity, from employee training to enhancing its technological defenses. Winters points out the integration of AI in handling large volumes of transaction data for compliance purposes, improving the bank's ability to detect and respond to potential illicit activities. Standard Chartered has also adapted cautiously to advancements like generative AI, focusing on maintaining strict data privacy and cybersecurity protocols. The bank is particularly attentive to sanctions compliance, especially in light of recent geopolitical conflicts, which have heightened the complexity of managing international transactions.
Starting point is 00:10:03 On the topic of cryptocurrency, Winters describes Standard Chartered's cautious but innovative approach, including investments in secure crypto custody and trading services, emphasizing the importance of maintaining high cybersecurity standards in these ventures. He also underlines the potential of digital asset tokenization to transform financial markets by reducing costs and removing intermediaries. Overall, Winters asserts that cybersecurity discussions at board meetings reflect both the bank's and regulators' prioritization of managing cyber risks, considering them crucial for maintaining the integrity and trustworthiness of banking operations. The bank continues to invest heavily in cybersecurity, anticipating more sophisticated threats,
Starting point is 00:10:52 and emphasizing the importance of robust defenses and compliance systems to safeguard against potential financial and operational disruptions. Reports came in last Friday of a widespread Apple ID outage affecting numerous users who report being unexpectedly logged out of their Apple IDs across multiple devices and forced to reset their passwords to regain access. Despite Apple's system status page showing no issues, social media and direct reports indicate significant disruptions. The cause of these forced logouts and password resets remains unclear, and it's unknown if this incident is connected to ongoing password reset attack issues previously tracked. Users with Stolen Device Protection face additional challenges if logged out away from a trusted location.
Starting point is 00:11:46 Furthermore, resetting the Apple ID password also resets any app-specific passwords set up through iCloud. Meanwhile, in other Apple security news, Apple's XProtect has made significant strides in combating malware, notably with its recent update targeting Adload, a pervasive adware that's troubled macOS users since 2017. Initially introduced in 2009 with Mac OS X Snow Leopard, XProtect started as a basic alert system for malware and installation files. It's since evolved into a robust anti-malware suite following the retirement of the Malware Removal Tool in April of 2022. XProtect now consists of three components, the XProtect app, XProtect Remediator, and XProtect Behavior Services, utilizing minimal CPU impact.
Starting point is 00:12:41 It employs YARA rules for dynamic malware detection, a method that allows for customized rule creation. Despite Apple's use of obfuscated malware names that complicate identification, resources like Phil Stokes' GitHub repository provide clarity by mapping these names to more commonly recognized industry terms. A quick program note. Over the weekend, we dropped a special edition podcast into your CyberWire feed. This features David Moulton and Andy Piazza, Senior Director of Threat Intelligence at Unit 42, diving into the critical vulnerability found in PAN-OS software of Palo Alto Networks, emphasizing the importance of immediate patching and mitigation
Starting point is 00:13:25 strategies for these sorts of vulnerabilities, especially when they affect edge devices like firewalls or VPNs. Do check it out. Coming up after the break, my N2K CyberWire colleagues Rick Howard and Brandon Karpf join me to discuss the goings-on of our team at RSA Conference. Stay with us. Transat presents a couple trying to beat the winter blues. We could try hot yoga. Too sweaty. We could go skating.
Starting point is 00:14:11 Too icy. We could book a vacation. Like somewhere hot. Yeah, with pools. And a spa. And endless snacks. Yes! Yes!
Starting point is 00:14:19 Yes! With savings of up to 40% on Transat South packages, it's easy to say, so long to winter. Visit Transat.com or contact your Marlin travel professional for details. Conditions apply. Air Transat. Travel moves us. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs,
Starting point is 00:14:48 we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Starting point is 00:15:20 Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Starting point is 00:16:03 Because when executives are compromised at home, your company is at risk. Thank you. at blackcloak.io. It is always my pleasure to welcome back to the show N2K CyberWire's Chief Security Officer, also our Chief Analyst, Rick Howard. Rick, welcome back. Hey, Dave. It's good to see you. And also joining us is one of our executive producers here, Brandon Karpf.
Starting point is 00:16:45 Brandon, glad to have you with us. Hey, Dave. Thank you for having me back. So we are at that moment that comes but once a year, and it is right standing on the precipice of RSA Conference 2024, looking over the edge and about to hold hands and jump off, right, together. It's the most wonderful time of the year. It is. And so I thought it would be useful for us and for our listeners as well to go through some of the special events that we've got
Starting point is 00:17:12 planned at RSA Conference 2024 this year. Quite a number of things that we're participating in that folks might be interested in. Rick, why don't I start off with you? Our listeners know that you have been active for years with the cybersecurity canon, and you've got an event related to that? Yeah, the canon has gotten organized in the last couple of years, and we've made a partnership deal with the RSA bookstore. So we've got a couple of things going on there, mainly that some of the committee members will be outside the bookstore Monday, Tuesday, and Wednesday. All right. If you're looking for your next great cybersecurity read, the bookstore has put in a shelf of Canon Hall of Fame books. And if you're still not sure by looking at the titles,
Starting point is 00:17:55 the concierge there, one of the committee members will advise you on what you should be picking up to read. And I'm going to be there and a couple of other committee members are going to be there. So I would love to meet you all. So come on by. The thing that I love about Rick and the Canon is they took what was already an incredibly nerdy conference
Starting point is 00:18:12 and just made it even nerdier. You're welcome. Now, my understanding, Rick, you're not going to be flying solo there. There'll be some other folks from our team who'll be on site.
Starting point is 00:18:27 Yeah, Brandon's going to come along. And after we're done doing some of that stuff, I should also mention that we published a book last year, Cybersecurity First Principles. And I'll be doing a book signing outside that very same bookstore. And then Brandon and Simone, our big boss, will be around to help customers talk about it. Brandon, what are you guys doing there? Yeah, well, we wanted to highlight part of
Starting point is 00:18:50 the Cybersecurity First Principles book, which was the lost chapter or the chapter we didn't write about cyber talent and development. We just did this great special edition miniseries through the CyberWire Daily about Cyber Talent Insights. So Simone, our president, and Jeff, our chief learning officer, are going to tag along with you at your book signing at the RSA bookstore.
Starting point is 00:19:14 Anyone who wants to chat about Cyber Talent, Talent Insights, Talent Development, they will be on site next to Rick, making Rick look prettier in order to chat with everyone. We all know that's not possible. Well, you're talking about the last chapter.
Starting point is 00:19:31 We had this great insight a month after we published the book and a month after the last conference. We're calling it Moneyball for Workforce Development, and Simone and I are presenting on that topic on Thursday. So if you're not sick enough of her and me talking about it, you should come hear that presentation. We have some new ideas about that. And by the way, I think there's some really fantastic ideas in there. So come on down. Rick, you are also taking part in a panel from another company. I believe Cyware is sponsoring
Starting point is 00:20:02 a panel. Yeah, Cyware, I love them. I'm an advisor to Cyware, so buyer beware. But you all know that I've been involved in information sharing, geez, since almost the beginning, back in 1999. And the whole process has really kind of been stuck in the way we've done it back then. You know, we're still sharing indicators
Starting point is 00:20:23 of compromise with spreadsheets and email. Finally, finally, some companies are coming along that help automate that process. Cyware is one of them. All right. And they're doing a whole panel on first principles on what the SOC might look like in the future. All right. So we're going to give away copies of my book there. Right.
Starting point is 00:20:40 And so if you're looking to get out from the main stuff going on at the RSA Conference, come on by and see us. Brandon, there are also opportunities if folks want to just come by and say hi, maybe get a CyberWire sticker or something like that. Where can they find our team? Yeah, of course. I'm going to be there on the ground doing all of that great fan engagement and audience engagement. I'll be there with you, Brandon. All right, come on. I'm friendly. I don't bite. When you see the oddly hobbit-looking gentleman walking around wearing a CyberWire t-shirt, please stop me, say hello. I will have stickers. I will have potentially some coins and some other swag. So swing by, grab those from me.
Starting point is 00:21:26 We'll also be based, we've got a media room in the Marriott Marquis Foothills, which is that first floor right inside the Marriott. And then we are also, we're thrilled that we get to engage with NightDragon all day Tuesday. They're running their Innovation Summit. So you'll see the N2K CyberWire team there. N2K CyberWire will be on site recording and engaging with the audience there as well. Well, not to mix nerd properties, Brandon, but I'll be the Hagrid-like figure standing next to you.
Starting point is 00:21:57 Okay. That's quite a sight to see, folks. Let me tell you. Oh, my. So we will have the details about all of these events, the times, the locations, all that good stuff here in the show notes. Rick, I have to say it's kind of, well, I'm a little sad for you that you're going to be doing your book signing outside of the bookstore. The real authors get to do it inside the bookstore. But I guess it's good. At least this year they let you in the building.
Starting point is 00:22:25 I like the way you said it, they're real authors. Yeah, I have a special corner outside the bookstore. They kind of have a sign that points that way. So have some pity on me. Speak to this man at your own peril.
Starting point is 00:22:40 All right. Rick Howard is N2K CyberWire's chief security officer, also our chief analyst. And Brandon Karpf is our executive producer. Gentlemen, thank you so much for joining us. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
Starting point is 00:23:21 stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And finally, Japanese police in Fukui Prefecture have implemented a novel strategy to combat tech support scams targeting the elderly by placing fake payment cards in convenience stores. These cards, labeled Virus Trojan Horse Removal Payment Card and Unpaid Bill Late Fee Payment Card, serve as an alert mechanism. When elderly customers
Starting point is 00:24:14 directed by fraudsters attempt to purchase these cards, store employees intervene to inform them of the scams. This initiative, tested in 34 local stores, has proven effective, helping at least two elderly men realize they were being scammed. The police also reward employees who assist in preventing these scams, aiding further in scam identification and investigation. This approach not only prevents financial loss, which amounted to $7.5 million in the region last year, but also educates potential victims about such scams. Here in the States, we need to stock the shelves with cards that read, the errand your boss sent you on while they were in an important
Starting point is 00:24:58 meeting and unavailable to chat card. And that's The CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment on Jason and Brian's show every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. We'd love to know what you think of this podcast. You can email us at
Starting point is 00:25:36 cyberwire at n2k.com. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music by Elliot Peltzman. Our executive producers are Jennifer Ivan and Brandon Karpf. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
Starting point is 00:26:07 We'll see you back here tomorrow. Thank you. and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
