CyberWire Daily - Anchoring security for US ports.
Episode Date: February 21, 2024

President Biden to sign EO to bolster maritime port security. Apple announces post-quantum encryption for iMessage. Malwarebytes examines the i-Soon data leak. Law enforcement airs LockBit's dirty laundry. Varonis highlights vulnerabilities affecting Salesforce platforms. An appeals court overturns a $1 billion piracy verdict. NSA's Rob Joyce announces his retirement. Anne Neuberger chats with WIRED. A leading staffing firm finds its data for sale on the dark web. In our sponsored Industry Voices segment, Navneet Singh, VP of Marketing Network Security at Palo Alto Networks, discusses the transition to the cloud and shares some examples from healthcare. Hackers and hobbyists push back on the proposed Flipper Zero ban.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
On our Industry Voices segment, Navneet Singh, VP of Marketing Network Security at Palo Alto Networks, discusses the transition to the cloud and shares some examples in healthcare.

Selected Reading
Biden to sign executive order to give Coast Guard added authority over maritime cyber threats (CyberScoop)
Apple Announces 'Groundbreaking' New Security Protocol for iMessage (MacRumors)
A first analysis of the i-Soon data leak (Malwarebytes)
Cops turn LockBit ransomware gang's countdown timers against them (The Register)
Security Vulnerabilities in Apex Code Could Leak Salesforce Data (Varonis)
Court blocks $1 billion copyright ruling that punished ISP for its users' piracy (Ars Technica)
NSA cyber director to step down after 34 years of service (Nextgov/FCW)
Anne Neuberger, a Top White House Cyber Official, Is Staying Surprisingly Optimistic (WIRED)
Critical flaw found in deprecated VMware EAP. Uninstall it immediately (Security Affairs)
Hackers Claim Data Breach at Staffing Giant Robert Half, Sell Sensitive Data (HackRead)
Save Flipper (Save Flipper)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout.
That's joindeleteme.com/n2k, code N2K.
President Biden will sign an executive order to bolster maritime port security.
Apple announces post-quantum encryption for iMessage.
Malwarebytes examines the iSoon data leak.
Law enforcement airs LockBit's dirty laundry.
Varonis highlights vulnerabilities affecting Salesforce platforms.
An appeals court overturns a $1 billion piracy verdict.
NSA's Rob Joyce announces his retirement,
Anne Neuberger chats with Wired.
The leading staffing firm finds its data for sale on the dark web.
In our sponsored Industry Voices segment,
Navneet Singh, VP of Marketing Network Security at Palo Alto Networks,
discusses the transition to the cloud
and shares some examples from healthcare.
And hackers and hobbyists push back on the proposed Flipper Zero ban.
It's Wednesday, February 21st, 2024.
I'm Dave Bittner and this is your CyberWire Intel Briefing.
Thank you for joining us here today. It is great to have you with us.
President Joe Biden is set to issue an executive order to bolster the cybersecurity of U.S. maritime ports,
granting the Coast Guard new powers to tackle cyber threats,
and initiating a rulemaking process for enhanced cyber requirements in the maritime sector.
This move, which includes over $20 billion in port infrastructure investments over five years,
aims to fortify the nation's supply chains and national security in response to threats like
the China-linked Volt Typhoon hacking group. The order mandates maritime entities to improve
digital defenses and report cyber incidents to the Coast Guard. Additionally, it addresses
concerns over Chinese-manufactured cranes'
vulnerability to hacking, imposing specific security requirements. The initiative reflects
the critical economic and security role of ports, which facilitate over 90% of U.S. overseas trade
and are integral to the country's $5.4 trillion annual economic activity.
Apple introduced a new post-quantum cryptographic protocol for iMessage they call PQ3, designed to offer post-quantum encryption.
Touted as the most significant cryptographic upgrade in iMessage history, PQ3 aims to elevate
secure messaging with its state-of-the-art encryption
and defense mechanisms, surpassing the security features of other widely used messaging apps.
PQ3 aims to safeguard against harvest-now-decrypt-later attacks by future quantum computers,
ensuring end-to-end encryption that secures both key establishment and message exchange,
achieving what Apple defines as Level 3 security. The protocol will eventually replace the current cryptographic standards across all supported iMessage conversations.
Malwarebytes has published an early analysis of the leak from iSoon, a Chinese cybersecurity firm believed to be an APT-for-hire for China's
Ministry of Public Security. The leaked information has revealed a wide array of
hacking tools and services, likely exposed by a disgruntled employee. The data includes complaints,
chat records, financial details, product information, employee data, and evidence of infiltration into government
departments across India, Thailand, Vietnam, South Korea, and NATO. The tools showcased include a
Twitter stealer capable of real-time monitoring and posting tweets, custom remote access trojans
for various operating systems with extensive surveillance capabilities, portable network attacking devices, special equipment for operatives,
a user lookup database for social media correlation,
and frameworks for targeted penetration testing.
Further analysis of the comprehensive data is ongoing.
Following up on yesterday's reporting,
Western law enforcement agencies have taken down the infamous LockBit ransomware group's infrastructure
and have done so with a flourish, turning the criminals' own dark web platform against them.
Coined Operation Cronos, this takedown has seen the UK's National Crime Agency not only seize,
but also sassily repurpose LockBit's site to dish out
the gang's dirty laundry. With a touch of British bravado, the NCA has kept the site's original
layout but replaced nefarious content with tantalizing teasers of LockBit's exposed secrets,
complete with countdown timers for when the next bombshell will drop. This follows the successful infiltration of LockBit's operations,
leading to the arrest of two of its affiliates,
further tightening the noose around the syndicate known for its multi-million dollar extortion schemes.
Demonstrating a swagger rarely seen in law enforcement announcements,
the NCA has effectively slapped LockBit with its own
modus operandi, potentially signaling a bold approach to cybercrime takedowns.
The operation has not only nabbed affiliates and frozen over 200 cryptocurrency accounts,
but has also gathered a treasure trove of intelligence, including decryption keys and
the gang's source code. This wealth of data stands
as a testament to the coordination of global authorities delivering a clear message. They're
not just on LockBit's trail. They're steps ahead, ready to dismantle and mock the cyber criminals'
efforts with relentless and tenacious resolve.
Varonis Threat Labs uncovered serious vulnerabilities and misconfigurations in Apex,
a programming language akin to Java that's used for customizing Salesforce platforms.
The misconfigurations were found within several Fortune 500 companies and government agencies.
These issues pose a risk not just to large organizations, but to any entity utilizing Apex off-the-shelf applications,
potentially leading to data leaks, corruption, and harm to business operations.
Varonis emphasizes the importance of securing Apex classes, especially those running without sharing,
to prevent unauthorized data access and maintain the security of Salesforce instances.
A federal appeals court has overturned a $1 billion piracy verdict against Cox Communications,
originally decided in 2019 for copyright infringement by its users.
The court dismissed Sony's argument that Cox directly profited from these infringements.
This verdict necessitates a new trial for damages,
likely reducing the compensation amount.
Despite rejecting the vicarious liability claim, the court upheld the finding of Cox's willful contributory infringement.
The case, initiated by Sony and other music copyright holders,
accused Cox of not adequately combating piracy on its network.
This ruling has implications for how ISPs manage copyright infringement claims
and could alleviate concerns that harsh penalties might compel ISPs
to disconnect users based on mere accusations of infringement,
a scenario that advocacy groups like the Electronic Frontier Foundation have warned against.
The case now returns to the U.S. District Court for the Eastern District of Virginia
for a new damages trial.
Rob Joyce, the NSA Cybersecurity Director,
will retire at the end of March after 34 years of service.
Joyce's tenure was marked by significant engagements,
including shaping a Trump-era executive order for greater cybersecurity accountability.
His departure coincides with heightened security concerns
due to potential cyber threats from countries like China and Russia,
especially with the upcoming presidential election.
Joyce's career also included leading the NSA's Tailored Access Operations Unit,
focusing on cyber warfare and intelligence gathering.
General Timothy Haugh praised Joyce's leadership and contributions to the NSA's cybersecurity mission.
David Luber,
the Cybersecurity Directorate's second-in-command, will take his place.
In a comprehensive interview with Wired, Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology,
discusses her critical role in steering the United States' cybersecurity and emerging technology policies under the Biden administration,
Drawing on her decade-long tenure at the National Security Agency and her experience leading the Cybersecurity Directorate, Neuberger outlines her office's
achievements and ongoing efforts to safeguard national security amid evolving cyber and
technological threats. She touches on several key initiatives, including the government's response
to the Colonial Pipeline ransomware attack, the development and implementation of major executive orders on
cybersecurity and artificial intelligence, and strategies to protect critical infrastructure.
Neuberger also delves into the challenges and opportunities presented by emerging technologies
such as AI, autonomous vehicles, and quantum computing, emphasizing the importance of
international cooperation and proactive policymaking to address these issues.
The interview provides insight into Neuberger's vision for a secure and technologically advanced
future, reflecting her commitment to leveraging technology for societal benefit while mitigating its risks.
VMware has issued a warning for users to uninstall the deprecated Enhanced Authentication plugin due to a high-risk vulnerability with a CVSS score of 9.6.
This flaw enables attackers to manipulate domain users with the EAP installed in their browsers
into relaying service tickets for any Active Directory service principal names,
leading to potential arbitrary authentication relay and session hijacking incidents.
No workarounds are available for this vulnerability,
highlighting the need for immediate removal of the plugin.
Discovery of the issue has been credited to Ceri Coburn of Pen Test Partners.
HackRead reports that Robert Half International, a leading global staffing
and consulting firm, has fallen victim to a data breach orchestrated by hackers known as
IntelBroker and Sanggiero. This breach involves the theft of significant amounts of sensitive data,
including confidential records, employee and customer information, and configuration details
for services like OpenAI and Twilio. The information is now being sold on BreachForums
for $20,000 in Monero cryptocurrency, with screenshots of the stolen data showing a client list with
comprehensive contact details. The extent of the breach and the total number of affected
individuals remain unclear, and Robert Half International has yet to issue a formal response.
They previously fell victim to a similar data breach back in 2022.
Coming up after the break,
my conversation with Navneet Singh,
VP of Marketing Network Security at Palo Alto Networks.
We're discussing the transition to the cloud,
and he's got some examples from healthcare.
Stay with us.
Do you know the status of your compliance controls right now? Like, right now? We know
that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk. In fact, over one-third of new members discover they've already been
breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more
It is my pleasure to welcome back to the show Navneet Singh.
He is the VP of Marketing Network Security at Palo Alto Networks.
Nav, great to have you back.
And we're going to talk today about OT, operational technology security.
And it's my understanding that this is something that you have a personal history with,
that OT and critical infrastructure are kind of near and dear to your heart.
That's right, Dave.
I grew up in a small town in India.
My dad worked in a fertilizer manufacturing plant.
He was in the production department. And my mom also worked in the same company. She was in the materials department. And
actually that small town, even though only 10,000 people, it's actually well known in India. If you
ask people in India what it's known for, it's actually known for a large dam. When it was
constructed, it was the highest in Asia with a hydroelectric power plant.
So, you know, as I was growing up, I was looking at these symbols of critical infrastructure
that India was investing in as it, you know, after it gained independence from the UK.
So I was looking at that and really that was my personal connection as I was growing up.
Now, as a security professional, I witnessed the alarming rise of sophisticated attacks that happen.
They are targeting our critical infrastructure.
And that convergence of my childhood observations with what I'm seeing as a professional, that has really deepened my commitment to securing the critical infrastructure.
Well, let's start with some basics here.
I mean, in your estimation,
why is it important to protect critical infrastructure and OT environments?
You know, these systems, they underpin vital sectors of our economy,
such as electricity, water, transportation, healthcare, and more.
And so you can imagine a successful attack on these,
it could lead to catastrophic outcomes, really disrupting our everyday life.
It could endanger public health and safety.
It could cause significant economic damage.
And this really is brought home to people I talked to with some examples.
A few months ago, there was a cyber attack on the municipal water authority in Pennsylvania.
And so the hackers were able to gain access to a water pressure booster station.
It was a controller that controlled the water pressure.
And when that happened, the authorities were able to see that
that had happened, and they were able to revert to manual operations and no harm was done.
But later, the attackers were allegedly aligned to an Iranian group that was discovered later.
So think about it. Even though no harm was caused by this attack,
nation states can potentially get access to our water supply.
So another example is in May of last year,
22 energy funds were hacked,
and that was done in a coordinated attack on Denmark's critical infrastructure.
So all these sectors, energy, water, transportation, logistics,
all of these are on the table for the attackers.
So you mentioned that, you know, that one of these attacks was allegedly assigned to Iranian actors.
Why do you suppose that critical infrastructure is a target for folks like this?
Yeah, so when I talk to customers, they really tell me that their OT environments are changing
really fast. So you and I, we are knowledge workers. We work on our laptops. I work on my
mobile phone as well. I badge in and work on the computer, even work from home. We can't
imagine a life without Wi-Fi, without connectivity, without having data at our fingertips. So all of
us are connected to what we call the IT network, which is completely connected. But there is this
whole environment of OT or operational technology, which was never connected in the past. Think of
factory floors, think of nuclear power plants, think of electricity grids, right? But now,
more and more sensors like IoT devices are being connected, and they are in these OT environments,
but they produce a lot of data that gets transferred to the IT area where
people like you and I look at the data, analyze it, and make decisions that improve productivity,
that improve quality of life.
And especially with AI, more and more data gets processed and it promises innovation.
So that's all great and connectivity is really required, but that
connectivity also leads a pathway for attackers to reach these OT environments, which was not
possible before. So that's the primary reason. Another reason that customers talk about is also
people. Customers tell me that when OT environments needed to be secured because of
connectivity, often their IT teams were asked to secure these OT environments, and IT teams did
not have the skills. They did not know what policies to apply to these OT sensors, for example. So
that's another gap. And these are the two main reasons why we are seeing more attacks on OT
right now. Well, in terms of the trends that you
and your colleagues are tracking about when it comes to securing these OT environments, what sort
of things are you seeing? Yeah, one thing actually that we talked about recently on this podcast,
the Biden administration had released the national cybersecurity strategy that happened last year.
It recommended the adoption of a zero-trust architecture,
especially in critical industries.
And that sparked a lot of interest from critical sector industries.
We at Palo Alto Networks saw customers lean in,
a rise in executive briefings from these customers,
and they wanted to know more about zero-trust.
They wanted to know more about how to implement it, how long does it take, what are the best practices that others have
implemented and so on. So that's why I believe that there are three major things that I would
say in terms of if you are in the critical infrastructure, three things that you should do.
One, if you haven't read it, go familiarize yourself with the national cybersecurity strategy.
And if you're
somewhere outside the United States, I'm sure governments and other agencies are producing
similar cybersecurity documents. Two, in your organization, if different teams manage the
security of IT and OT, in that case, bring them together so that they can discuss and create a
holistic cybersecurity strategy that spans both IT and OT systems.
If your IT teams are being held responsible for OT security now, then invest in skills training.
Third, you really don't have to do it alone. You should choose a cybersecurity partner who can
help with all of this. Choose a partner who understands OT, who talks the language
of your industry, and who can help you build a cybersecurity roadmap for your organization.
Can we talk about some specifics here? I mean, what are some of the kinds of attacks
that tend to happen in an OT environment? Yeah, some of these attacks are really targeted at disrupting
everyday life. So I think a lot of us are familiar with the Colonial Pipeline attack.
So in that attack, somebody was able to gain access to a VPN system that attacked the billing
systems and the billing systems were taken
offline.
And when the billing system is not happening at that time, the organization, even though
they had been operating very well for more than 50 years, for the first time in their
history, they had to shut down the pipeline for 13 days.
That affected, that had gas shortages, affected fuel that you and I used to
drive. It also affected airlines. So that's an example. Everybody is also familiar, I think,
with the Ukrainian power grid that happened a few years ago. And in that example,
somebody was able to gain access again through a VPN. They were able to gain access to the OT environment or power grid and was able to pass some OT protocols that just shut down the grid.
In addition, they also had a DDoS attack so that people could not even contact the command center or the customer service center.
And people were without power in freezing temperatures two days before Christmas for six to eight hours. And imagine what loss of power would do, especially to
the ICUs in hospitals. So those are just some examples of how it affects our everyday life.
Yeah, I mean, it's serious stuff for sure. What are your recommendations here?
I mean, for some of the folks that you're working with,
you know, people who are dealing with critical infrastructure
and OT environments,
what are the words of wisdom that you can share with us today?
Yeah, so I think as we were mentioning,
I think it's really critical for you to see
what strategies are others implementing.
And the National Cybersecurity Strategy is one document that you can just take a look at
what are the recommendations from CISA, for example, in the United States Center for
Infrastructure and Cybersecurity Agency. So you can just take a look at what others are
implementing, what are the recommendations,
especially for implementing a zero trust architecture. And people gap is another area
that you need to continue to invest in, bringing IT and OT teams together, investing in skills
training so that the IT security teams know what kinds of policies to apply to the OT infrastructure. And thirdly, you can also use the capabilities that AI provides.
Many cybersecurity vendors actually are using AI.
We use AI to recommend policies to these OT environments
based on all the data that we are seeing from different customers.
So choose a vendor that can help you implement those policies and even help you bridge that skills gap.
Nav, are you optimistic as we continue through this year that we're gaining ground on this
issue? Do you feel like folks are getting a handle on things?
Of course, Dave. I believe that the organizations that have OT environments, they are becoming more aware of the risk facing them, especially due to these high profile attacks.
And we will see them shore up their defenses in 2024 and beyond.
Ultimately, as you know, right, we all want a world where we can reap the benefits of AI, of 5G connectivity, and other emerging technologies.
But we want the world to do it safely.
And I really see that that's possible with cybersecurity.
Navneet Singh is VP of Marketing Network Security at Palo Alto Networks.
Nav, thanks so much for joining us.
Thank you.
And we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses
worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping
unauthorized applications, securing sensitive data, and ensuring your organization runs
smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
With TD Direct Investing, new and existing clients could get 1% cash back.
Great. That's 1% closer to being part of the 1%.
Maybe, but definitely 100% closer to getting 1% cash back with TD Direct Investing. Conditions apply. Offer ends January 31st,
2025. Visit td.com slash DI offer to learn more.
And finally, cybersecurity professionals have started an online petition opposing the Canadian government's proposed ban on the Flipper Zero,
a portable device which features all sorts of clever ways to interact with other devices
using RF protocols like RFID, NFC, and
radio remotes. The Canadian government claims the ban is aimed at combating vehicle theft.
Opponents believe the policy is based on outdated technological assumptions and will not effectively
prevent thefts but could instead stifle innovation and harm the economy. Furthermore, they say it may conflict with recent legislative support
for the right to repair and interoperability,
penalizing legitimate analysis and repair activities.
They suggest that resources would be better spent collaborating
with cybersecurity experts and industry stakeholders
to enhance automotive security
and establish minimum security standards for keyless entry systems.
We don't question the Canadian government's good intentions here,
but their proposal does seem to lack nuance.
When all you have is a legislative hammer, everything looks like a nail.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
We'd love to know
what you think of this podcast.
You can email us
at cyberwire at n2k.com.
We're privileged that N2K
and podcasts like The Cyber Wire
are part of the daily intelligence routine
of many of the most influential leaders
and operators in the public and private sector,
as well as the critical security teams
supporting the Fortune 500
and many of the world's preeminent
intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence
optimizes the value of your biggest investment, your people.
We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester with original music by Elliot Peltzman.
Our executive producers are Jennifer Iben and Brandon Karf.
Our executive editor is Peter Kilby, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.