CyberWire Daily - Biden administration brings down the hammer.
Episode Date: April 3, 2024

The Cyber Safety Review Board hands Microsoft a scathing report. Jackson County, Missouri declares a state of emergency following a ransomware attack. The concerning growth of Chinese brands in U.S. critical infrastructure. Malware campaigns make use of YouTube. OWASP issues a data breach warning. Trend Micro tracks LockBit's faltering rebound. India's government cloud service leaks personal data. ChatGPT jailbreaks spread on popular hacker forums. On our Learning Layer segment, host Sam Meisenberg and Joe Carrigan continue their discussion of Joe's CISSP study journey and focus on the when and how of studying for Domain 1. And you can no longer just walk out of an Amazon grocery store.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
On our Learning Layer segment, host Sam Meisenberg and Joe Carrigan continue their discussion of Joe's CISSP study journey and focus on the when and how of studying for Domain 1.

Resources for this session:
Effect of sunlight exposure on cognitive function among depressed and non-depressed participants: a REGARDS cross-sectional study

Selected Reading
Scathing federal report rips Microsoft for shoddy security, insincerity in response to Chinese hack (AP News)
Missouri county declares state of emergency amid suspected ransomware attack (Ars Technica)
Forescout research finds surge in Chinese-manufactured devices on US networks, including critical infrastructure (Industrial Cyber)
YouTube channels found using pirated video games as bait for malware campaign (The Record)
OWASP issues data breach alert after misconfigured server leaked member resumes (ITPro)
Trend Micro: LockBit ransomware gang's comeback is failing (TechTarget)
Indian government's cloud spilled citizens' personal data online for years (TechCrunch)
ChatGPT jailbreak prompts proliferate on hacker forums (SC Media)
Amazon Ditches 'Just Walk Out' Checkouts at Its Grocery Stores (Gizmodo)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.

...of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private. Go to JoinDeleteMe.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout. That's JoinDeleteMe.com slash N2K, code N2K.

The Cyber Safety Review Board hands Microsoft a scathing report.
Jackson County, Missouri declares a state of emergency following a ransomware attack.
The concerning growth of Chinese brands in U.S. critical infrastructure.
Malware campaigns make use of YouTube.
OWASP issues a data breach warning.
Trend Micro tracks LockBit's faltering rebound.
India's government cloud service leaks personal data.
ChatGPT jailbreaks spread on popular hacker forums.
On our Learning Layer segment, host Sam Meisenberg and Joe Carrigan
continue their discussion of Joe's CISSP study journey and focus on the when and how of studying for Domain 1.
And you can no longer just walk out of an Amazon grocery store.
It's Wednesday, April 3rd, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Thank you for joining us here today. It is great to have you with us.

In a scathing report released yesterday, the Biden administration's Cyber Safety Review Board
criticized Microsoft for security failings that allowed Chinese hackers to infiltrate
email accounts of top U.S. officials, including Commerce Secretary Gina Raimondo.
The board highlighted Microsoft's inadequate security culture and practices,
contributing to breaches affecting U.S. agencies dealing with China.
It asserted the intrusion, identified in June and originating in May,
was avoidable, stemming from a series of Microsoft's errors,
and called for an overhaul of the tech giant's security approach due to its critical role in global infrastructure.
The board recommended halting feature additions to Microsoft's cloud computing until significant security enhancements are made,
and urged for a transparent, security-focused reform plan. The breach compromised 22 organizations and over 500 individuals globally,
including the U.S. ambassador to China,
with 60,000 emails from the State Department downloaded.
Additionally, the board criticized Microsoft
for misleading public statements
and a culture that sidelines security investment
and risk management,
alongside expressing concerns over a separate hack attributed to Russian hackers. Microsoft
acknowledged the need for a new security engineering culture and pledged to harden
its system against attacks. We note that Microsoft is a CyberWire partner, but we cover them just like we do any other company.

Jackson County, Missouri has declared a state of emergency and indefinitely shut down major
offices after a suspected ransomware attack disrupted its IT systems, affecting services
like tax payments, marriage licenses, and inmate searches. Although the attack coincided with a special election,
the electoral offices remained unaffected. This incident adds to the growing number of
ransomware attacks targeting local governments, with 28 such incidents reported this year.
Jackson County, with a population of 654,000, is actively investigating the breach with cybersecurity partners to ascertain the
attack's nature and extent. County Executive Frank White Jr. has highlighted the potential
financial implications and emphasized the need for protective measures for resident data and
county assets while maintaining essential services. Law enforcement and IT security
contractors have been engaged
to assist in the investigation and recovery efforts.
Forescout Vedere Labs reports a concerning 40% year-over-year increase in Chinese-made devices
within U.S. networks, notably critical infrastructure sectors, despite official bans.
The study underscores the presence of banned Hikvision and Dahua cameras in government networks and widespread use of Yealink voice-over-IP phones, highlighting a significant security vulnerability.
With sectors such as manufacturing, healthcare, and financial services showing substantial increases
in Chinese device usage, the potential for remote access and tampering by the Chinese government
poses a significant threat. Nearly 300,000 devices from 473 Chinese manufacturers were
identified in U.S. networks as of February 2024, marking a 41% increase from the previous year.
This growth emphasizes the risks associated with the expanding footprint of Chinese technology
in essential services, with concerns over espionage, sabotage, and exploitation of software vulnerabilities.
Forescout's findings call for heightened vigilance and a reassessment of cybersecurity measures in safeguarding critical infrastructure against sophisticated cyber threats.

Hackers are exploiting YouTube channels, often associated with cracked or pirated video games, to distribute malware such as Vidar, StealC, and Lumma Stealer, according to Proofpoint researchers.
These malicious campaigns utilize video descriptions to guide users to external sites
where malware is downloaded, targeting particularly popular games among younger audiences.
Proofpoint's investigation uncovered more than 24 such accounts, which YouTube has since removed.
The platform employs a mix of machine learning and human review to enforce its guidelines against malicious content.
The malware distribution is facilitated primarily through Mediafire URLs,
but Discord links have also been implicated.
This campaign, difficult to attribute to any specific threat actor,
appears designed to target non-enterprise individual users
likely to possess sensitive personal information valuable to attackers.
Despite YouTube's efforts, including the removal of over 20 million channels
in the fourth quarter of last year for policy violations,
the challenge of policing content and protecting users from these sorts
of threats persists.

The Open Worldwide Application Security Project, better known as OWASP, has issued a warning
to its members who joined between 2006 and 2014 about a data breach stemming from a misconfigured
old wiki web server, leading to the potential exposure
of personal information contained in resumes. This misconfiguration allowed unauthorized access
to names, email addresses, phone numbers, and physical addresses of members who had provided
their resumes as part of the membership process. The breach was identified in late February
following support requests prompting
OWASP to take immediate remedial action. Measures included disabling directory browsing,
reconfiguring the web server, removing resumes, and purging cache data. OWASP has since enhanced
its security protocols and no longer collects resumes, minimizing future data collection
to essential information only. Efforts to contact affected members are underway,
particularly those whose data may still be current and at risk of being used for scam purposes.

After the international law enforcement operation, dubbed Operation Cronos, disrupted the LockBit ransomware gang in February,
the group is struggling to regain its footing. Despite efforts to recover, including the quick
establishment of new .onion domains, Trend Micro reports that LockBit's rebound is faltering.
The operation, led by the UK's National Crime Agency, seized domains, source code and decryption keys, also arresting two suspected members.
Law enforcement's strategic use of LockBit's own leak site to publish agency press releases and decryption keys, coupled with a personalized warning to gang affiliates, has severely damaged LockBit's reputation.
The gang's distinct brand, a key asset in the ransomware community, has been notably undermined, affecting their recovery efforts.
Furthermore, LockBit's operator was banned from prominent hacker forums,
significantly hindering the group's operations. This takedown has not only debilitated LockBit,
but also induced paranoia and self-reflection among other ransomware groups, potentially marking a novel approach in combating cybercriminal organizations.

led to the exposure of sensitive citizen data, including Aadhaar numbers, COVID-19 vaccination records, and passport details.
Security researcher Surajit Majumder discovered the misconfiguration in 2022,
which allowed this data to be accessible online and indexed by search engines.
Despite reporting the issue to India's CERT-In and with the support of the Internet Freedom Foundation, personal information continued to leak as recently as last week.
Efforts by TechCrunch to highlight the unresolved exposures prompted action,
resulting in the removal of the exposed data from public access.
However, the full extent of the leak remains unclear, raising concerns
about potential identity theft, discrimination, and the urgent need for security reforms in
government data handling.

ChatGPT jailbreaks, tools for bypassing OpenAI's content and safety policies,
are increasingly prevalent on hacker forums nearly two years after
ChatGPT's release. These tactics enable cybercriminals to create phishing emails and
other malicious content. Mike Britton from Abnormal Security noted a rise in detailed
discussions on cybercrime forums about specific jailbreaking prompts, with some forums even dedicating sections to AI misuse.
State-sponsored groups and other threat actors are using ChatGPT for various malicious activities,
including social engineering and vulnerability research.
Abnormal Security's analysis reveals that jailbreaking ChatGPT is primarily used
for launching sophisticated social engineering attacks at scale.
The company highlighted five common jailbreak prompts
and suggested that organizations incorporate defenses against adversarial generative AI into their cyber strategies.
Despite OpenAI's efforts to curb misuse by strengthening ChatGPT's adherence to safety guidelines,
the adaptability of threat actors poses ongoing challenges in preventing malicious use of generative AI technologies.

Coming up after the break, on our Learning Layer segment,
Sam Meisenberg and Joe Carrigan are back to discuss Joe's CISSP study journey.
Stay with us.

Transat presents a couple trying to beat the winter blues.
We could try hot yoga.
Too sweaty.
We could go skating.
Too icy.
We could book a vacation.
Like somewhere hot.
Yeah, with pools.
And a spa.
And endless snacks.
Yes!
Yes!
Yes!
With savings of up to 40% on Transat South packages, it's easy to say, so long to winter.
Visit Transat.com or contact your Marlin travel professional for details. Conditions apply.
Air Transat. Travel moves us.

Do you know the status of your compliance controls right now? Like, right now?
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.

And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised
at home, your company is at risk. In fact, over one-third of new members discover they've already
been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.

On our latest Learning Layer segment,
our host, Sam Meisenberg, joins Joe Carrigan
to continue their discussion of Joe's CISSP study journey,
focusing on the when and how of studying for Domain 1.

Welcome back to another Learning Layer segment.
In this segment, we are continuing our conversation with Joe Carrigan as he gets geared up for his CISSP.
So, Joe, where we left things is that you took the diagnostic,
you got the results, talked a little bit about the results,
went a little deep into one of the questions.
Now the question is,
what do you do next? Meaning you have all this data that hopefully is helpful. Now you got to
study. Right. So how are you going to study? Well, I am probably just going to go through
one through eight. Okay. And again, I think you hit the nail on the head there. It just sounds
intuitive to me. Yeah, I did okay on
the first domain, the security and risk management domain. I got a 70 out of all those questions on
the diagnostic. But so in the training materials, there are three main pieces. There's the book
as a reading assignment. And then there's a series of lectures that are broken down into small,
digestible pieces. And then there's one big lecture at the end, which you should probably
dedicate two hours to watching. So it's interesting because in some weird way,
the content is structured in a way that you can actually sort of like tell yourself a story
about the material. So meaning like domain one, security and risk management,
that's kind of like the framework for how we deal with cybersecurity at an organization.
It kind of starts at the top.
You think about business requirements, you think about business impacts,
and then security kind of flows from there.
So in a way, it does make sense maybe to at least start with domain one
because again, it's a starting place for cybersecurity.
Yeah, I think it might be the case that the ISC2 organization has thought about this.
I say it.
I think I'm being facetious there.
It's obvious that they've thought about this.
What you're saying is when we talk about domain, what should we worry about first? Well, the first thing is, why, you know, why even have a cybersecurity program? What's
your point in having that? Okay, that's a good question. And here's the business recommendation
or the business need for it. And then it kind of breaks out into the individual areas.
But this, you know, domain one is the overarching area,
and it does contain a lot of also risk management,
which is kind of a higher level of thinking,
I think, in terms of management styles.
You know, it's not something that the SOC analyst
really thinks about, right?
It's something that, it might not even be something
that a SOC manager thinks about.
It's something that somebody who is pretty high up the food chain has to start thinking about and worrying about. And that's why this exam
is so challenging, right? It's a mix of technical content with managerial content. So you got to
kind of think like a manager when you're approaching a lot of these questions and sort of, as you said,
like, don't answer like a SOC analyst. Answer like the SOC analyst's boss's boss's boss and the things that they care about.
Right. So we're starting with domain one. Let's talk about some like, you know, maybe obvious
logistics, but maybe some people don't think about when they are starting to study. So here's the,
I guess the hardest one. When are you going to study? Meaning how many hours are you dedicating
a week? And when does that studying actually happen?
I mean, you're a busy guy.
I am remarkably busy.
You have a family.
You got like four cats, two dogs.
Only three cats.
Okay, three cats.
Three cats, two dogs.
Dude, a lot of stuff happening.
You're a busy guy.
So when are you going to carve out the time?
I'm going to make the time.
You know, recently I've kind of moved away from a lot of my other activities.
Like, I don't spend a lot of time watching TV.
I have completely stopped playing video games, which I really enjoy doing.
Sure.
But, yeah, I don't have time for that anymore.
Yeah, and you have to make sacrifices, right?
Like something has to go.
And also, it's short-term.
It's not like you're never going to play a video game.
Yeah, I didn't understand all the games.
Yeah, exactly.
They're still on my PC.
You'll play after as a way to celebrate.
Right.
After I have my CISSP, I'm getting on Fortnite.
That's right.
Here I am, a CISSP official certified online.
They're not going to know where I hid them.
So we sort of have the when and the sort of how. I'm curious also, again, another practical
thing to think about, where are you going to study? Like where physically are you carving
out the space in the same way that you would carve out the time?
I'm fortunate enough that I have essentially like an office slash lab at home,
which has a bunch of computers in it.
Right now there's only two that are, there's my main Windows tower,
and then I have a Linux tower underneath of that.
And I'm building a third one that's going to be, I think it's going to be Proxmox.
So I have the space.
The space really isn't an issue. I have a desk. I have a computer. I have multiple monitors. So I'm good
to go there. So yeah, that's not really an issue for me. I can absolutely understand somebody
trying to do this on a laptop in their living room. I feel for you because I've been in that
position. Can't do this. Right. And I think my question behind the question for those who are listening who may not be
in the same situation as Joe, I think my point is you have to have a dedicated space to study.
Yes.
Like even just the like walking in with the mindset that I'm going to be super focused
for an hour, two hours, whatever it is, a half an hour, how much you can manage, and
just having a dedicated space that's part of your study routine. Because as you said, you're not going to do it unless you
carve out the time. And I think having a physical space, ideally with a lot of windows, yes, there's
real, it's not surprising, it makes sense, but there's real learning science data that shows
sunlight is actually really good for knowledge retention and focus. So ideally, some sort of dedicated space,
maybe with some windows that you can kind of walk back into
and get in that mindset and saying,
I'm going to focus, I'm going to study.
That's interesting.
I have, in my home lab, I have an eastern-facing window.
Okay.
So in the morning, it gets all the sun.
At work, it faces north.
So the sun never comes into my office at work.
So don't study at work.
I won't.
I don't know that I have time to study at work.
Maybe I will.
If I'm at lunch, I'll probably watch a couple of videos.
Nice.
So I feel like we have an overall structure.
We have an overall flow.
It's time to get started and dive in, as you said, with domain one.
So, Joe, next time we'll talk, we'll hear about how domain one studies are going.
Alright.

That's my N2K CyberWire colleague Sam Meisenberg
speaking with my Hacking Humans co-host Joe Carrigan.

ThreatLocker, the cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.

And finally, Amazon is discontinuing its Just Walk Out technology in Amazon Fresh grocery stores,
shifting towards using Amazon Dash carts and self-checkout counters. Initially celebrated for automating the checkout process
via cameras and sensors, Just Walk Out required significant human intervention, with over 1,000
employees in India reviewing footage for accurate checkouts. The system also faced
challenges such as delayed receipt delivery and did not meet Amazon's internal efficiency goals,
contrary to expectations. In contrast, dash carts provide a more direct and reliable shopping
experience. While the Just Walk Out technology will remain in a limited number of UK stores and Amazon Go convenience stores,
this pivot suggests Amazon's ongoing adjustment in its strategy to solidify its footprint in the grocery market
beyond its ownership of Whole Foods and amidst competition from larger grocery retailers.
For me, while I have not personally experienced Amazon's Just Walk Out
technology, I've used a similar system at my local Apple Store, finding what I need on a shelf,
scanning it in the Apple Store app on my phone, paying in the app, and then just leaving. Maybe
it's the shape of things to come, but for this kid who grew up in the 80s, it feels
weird. Like I'm waiting for a giant cage to drop out of the ceiling or a burly security guard to
wrestle me to the ground. It's like leaving a party without saying goodbye. Feels odd.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people.
We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester with original music by Elliot Peltzman.
Our executive producers are Jennifer Eiben and Brandon Karp.
Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.