CyberWire Daily - Biden's cyber splash in protecting the nation's water systems.

Episode Date: March 20, 2024

The White House Mobilizes a National Effort to Shield Water Systems from Cyber Threats and Announces Major Investment in U.S. Chip Manufacturing. The U.S. and Allies Issue Fresh Warnings on China's Volt Typhoon Cyber Threats to Critical Infrastructure. Microsoft Streamlines 365 Services with a Unified Cloud Domain. Ukrainian authorities take down a credential theft operation. LockBit claims another pharmaceutical company. A popular WordPress plugin puts tens of thousands of websites at risk. A breach at Mintlify compromises GitHub tokens. An Idaho man pleads guilty to online extortion. The SEC fines firms for AI washing. We’ve got part two of our continuing Learning Layer series with Joe Carrigan and Sam Meisenberg logging Joe’s journey toward his CISSP certification. And password stuffing Pokémon. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest: Join us as part two of the Learning Layer special series kicks off. Over the next several weekly episodes of the Learning Layer, host Sam Meisenberg talks with Joe Carrigan from Johns Hopkins University Information Security Institute, and co-host of the Hacking Humans podcast. On this episode, they continue to discuss Joe's journey to becoming a CISSP as well as step one of Joe's study journey: the diagnostic assessment.
Selected Reading
White House Calls on States to Boost Cybersecurity in Water Sector (SecurityWeek)
Five Eyes issue another China Volt Typhoon warning (The Register)
Biden to Tout Government Investing $8.5 Billion in Intel's Computer Chip Plants in Four States (VoaNews)
Microsoft Notifies DevOps Teams That Major Domain Change Is Coming (Cybersecurity News)
Ukraine Arrests Hackers for Selling 100 Million Email, Instagram Accounts (Hack Read)
Pharmaceutical development company investigating cyberattack after LockBit posting (The Record)
WordPress Plugin Flaw Exposes 40,000+ Websites to Cyber Attack (GBHackers)
Mintlify Confirms Data Breach Through Compromised GitHub Tokens (Hack Read)
‘Lifelock’ hacker pleads guilty to extorting medical clinics (The Record)
What does 'AI Washing' mean? Firms Fined $400K by SEC for Exaggerated Statements (Cybersecurity News)
Pokémon resets some users’ passwords after hacking attempts (TechCrunch)
Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. The White House mobilizes a national effort to shield water systems from cyber threats and announces major investments in U.S. chip manufacturing. The U.S. and its allies issue fresh warnings on China's Volt Typhoon cyber threats to critical infrastructure. Microsoft streamlines 365 services with a unified cloud domain. Ukrainian authorities take down a credential theft operation.
Starting point is 00:02:24 LockBit claims another pharmaceutical company. A popular WordPress plugin puts tens of thousands of websites at risk. A breach at Mintlify compromises GitHub tokens. An Idaho man pleads guilty to online extortion. The SEC fines firms for AI washing. We've got part two of our continuing Learning Layer series with Joe Carrigan and Sam Meisenberg, logging Joe's journey toward his CISSP certification. And password-stuffing Pokémon. It's Wednesday, March 20th, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Starting point is 00:03:22 Thank you for joining us here today. It is great to have you with us. The White House is rallying state environmental health and homeland security agencies for a critical meeting aimed at bolstering the cybersecurity defenses of the nation's water and wastewater systems. Scheduled for March 21st, this one-hour virtual gathering will spotlight the U.S. government's initiatives to enhance cybersecurity in the water sector, identify existing gaps, and encourage swift action from states and water systems. from Iranian and Chinese state-sponsored actors, targeting vital water infrastructure, which pose a significant threat to the provision of clean and safe drinking water. In response, the Biden-Harris administration is urging collaboration to fortify the cybersecurity of water-critical infrastructure, with a particular emphasis on the Environmental Protection Agency's leadership role. Furthermore, the establishment of a water sector cybersecurity task force is on the agenda,
Starting point is 00:04:30 aimed at devising strategies to mitigate these risks. The Biden administration also announced a substantial investment in Intel to boost U.S. semiconductor production across Arizona, Ohio, New Mexico, and Oregon, committing up to $8.5 billion in direct funding and $11 billion in loans. This financial support aims to fuel a leap from manufacturing zero to 20% of the world's most advanced chips by 2030. The deal, negotiated by Commerce Secretary Gina Raimondo, is seen as crucial for national security and economic stability, addressing the U.S.'s current incapacity to manufacture advanced chips domestically. Intel's initiative, fueled by the bipartisan 2022 Chips
Starting point is 00:05:21 and Science Act, represents the largest investment under the law to date, expected to generate 30,000 jobs and entail $100 billion in capital investments over five years, covering construction and equipment for new and modernized facilities across the four states. Meanwhile, the U.S. Cybersecurity and Infrastructure Security Agency, along with the National Security Agency, FBI, and international partners, issued a warning about potential cyberattacks from China's Volt Typhoon group targeting critical infrastructure. This follows a February alert about the group compromising U.S. networks, highlighting the threat of disruptive or destructive attacks. The latest advisory aims to guide senior non-technical leaders, emphasizing the use of intelligence-informed tools for cyber defense, like the Cybersecurity Performance Goals.
Starting point is 00:06:16 It stresses the importance of implementing cybersecurity best practices, developing incident response plans, conducting exercises, and securing the supply chain by enforcing strict security standards and managing risks, including foreign influences. The guidance seeks to bolster defenses against sophisticated tactics, including living-off-the-land techniques used by attackers to evade detection. evade detection. A bit of quick follow-up on Monday's story where we highlighted a breach affecting Fujitsu, the global brand with headquarters in Japan. A listener sent in a kind note to remind us that the Fujitsu UK Horizons scandal, the one we mentioned about the UK post office, is out of Fujitsu UK and not associated with other Fujitsu locations around the world like Ireland, Poland, or Spain. Thanks to our listener for the clarification.
Starting point is 00:07:12 Microsoft is consolidating its Microsoft 365 services under the unified domain cloud.microsoft to enhance user experience and streamline administration. This move will simplify domain management for authenticated apps and services, bolster security, and facilitate tighter ecosystem integrity. Specifically, Teams, Outlook, and Microsoft 365 web applications will transition to this new domain. Developers must update Teams apps to the latest Teams.js client library before June 2024 to ensure functionality on the new teams.cloud.microsoft domain, which will feature a dynamic list of trusted domains. Those unable to update in time will
Starting point is 00:07:59 remain on the existing domain until updates can be made. The shift to a dynamic trust list is aimed at reducing maintenance and supporting seamless app functionality across Microsoft 365 services. Of course, anytime there's a major transition like this, the baddies step up to take advantage of the potential confusion, so heads up for that. We note for clarity that Microsoft is a CyberWire partner. Ukrainian authorities have dismantled a significant cybercrime operation, arresting three individuals linked to the theft and sale of 100 million email and Instagram
Starting point is 00:08:38 accounts on the dark web. Utilizing brute force attacks to obtain login credentials, the suspects offered these accounts to other cybercriminals, facilitating scams and fraudulent activities. The enforcement operation involved extensive searches across multiple cities, resulting in the seizure of computer equipment, phones, and cash. The ongoing investigation also explores potential collaborations with foreign entities, particularly those benefiting Russian interests. Krenetics Pharmaceuticals is probing a cybersecurity breach after the LockBit ransomware gang claimed it had stolen from the Nasdaq-listed firm.
Starting point is 00:09:19 The company noticed suspicious activity in an employee's account, which was promptly disabled, triggering a comprehensive incident response, including engaging cybersecurity experts and notifying law enforcement. Despite the incident, Crinetics asserts that its operations and key databases remain unaffected. The company says they are determined to conduct a thorough investigation and fulfill any legal obligations. This incident coincides with LockBit's attempt to recover from a significant law enforcement crackdown that disrupted its operations. LockBit has been notorious for targeting pharmaceutical firms, among other global entities, with demands for a $4 million ransom from Crinetics,
Starting point is 00:10:03 adding to the pharmaceutical industry's ongoing challenges with cybersecurity threats. A popular WordPress plugin, Automatic, developed by ValvePress, has been found to have critical security flaws affecting over 40,000 websites. The identified vulnerabilities expose sites to unauthenticated SQL queries and potential file download or SSRF attacks, respectively. ValvePress responded by removing the compromised component and adding security checks, including a nonce requirement for privileged user actions. A security breach at software documentation platform Mintlify compromised 91 GitHub tokens, potentially exposing private repositories.
Starting point is 00:10:51 The breach, attributed to a system vulnerability identified by a bug bounty hunter, led to unauthorized access. which links to customers' GitHub repositories for creating software documentation, acted swiftly by revoking the affected tokens, enhancing security protocols, and patching the vulnerability. Initial investigations suggest limited unauthorized repository access, with ongoing efforts to ascertain the full impact. In response, Mintlify has notified users, tightened security measures, and initiated collaborations with GitHub and cybersecurity vendors to prevent future incidents. Users are urged to update their passwords, activate 2FA, and review API key permissions. Robert Perbeck from Idaho has pleaded guilty in U.S. federal court to computer fraud and abuse charges.
Starting point is 00:11:55 Purbeck was accused of hacking medical clinics and a police department, impacting over 130,000 individuals. Using stolen dark web credentials, he infiltrated networks in Georgia and targeted additional victims nationwide. Purbeck, who went by the hacker names LifeLock and StudMaster, threatened extortion using sensitive personal data, including information about an orthodontist's child. Scheduled for June sentencing, Purbeck agreed to a $1 million restitution for his crimes. restitution for his crimes. The SEC has fined two companies, Delphia Incorporated and Global Predictions Incorporated, a combined $400,000 for making false claims about their artificial intelligence capabilities in investment strategies. This practice, referred to as AI washing, involves companies overstating the use of AI to attract clients with the promise of data-driven decisions.
Starting point is 00:12:50 The crackdown reflects the SEC's stance on transparency and honesty, as these sorts of misleading claims can harm investors. Both firms, without admitting or denying the allegations, agreed to penalties and cease and desist orders. Additionally, the SEC issued an investor alert on AI and investment fraud, stressing the importance of integrity in the burgeoning AI finance sector and the regulatory role in protecting investors from deceptive practices. We are shocked, shocked that anyone out there would overstate the capabilities of artificial intelligence. Coming up after the break,
Starting point is 00:13:39 in our ongoing Learning Layer series, Joe Kerrigan and Sam Meisenberg join up to discuss Joe's journey toward his CISSP certification. Stay with us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Starting point is 00:14:17 But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
Starting point is 00:14:41 and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Thank you. and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. My Hacking Humans co-host Joe Kerrigan
Starting point is 00:15:58 has been on a journey to get his CISSP certification. And along the way, he's been checking in with N2K CyberWire's Sam Meisenberg. In today's Learning Layer episode, they continue their conversation. Welcome back to another Learning Layer segment. And on this one, we continue our conversation with Joe Kerrigan as he's getting ready and prepped for his CSSP. So Joe, you're ready to start studying.
Starting point is 00:16:40 Yes. You told me last time that you were excited and you were anxious to get started. I'm curious, for a lot of people, this is such a daunting exam. There's so much stuff to learn. Yeah. So like, where do we start? What's step number one? Step number one is I'm going to have to take that test, the diagnostic test, as it's called. Yes. It's like a pre-test. the diagnostic test, as it's called. Yes, yes. In this, it's like a pre-test. So, the diagnostic test is going to go through all eight domains and essentially give me an idea of, number one,
Starting point is 00:17:17 how well I am already and where I might need to focus. Now, to give you some context here, I took the pre-test for the CC certification, and I scored 96% on that. So hang on, hang on. Let's stop, let's stop. First of all, as my parents were very strict academically on me growing up would say, if he got a 96%, why couldn't he get 100?
Starting point is 00:17:48 What happened to those other two questions, Joe? Well, one of them I disagree with the being marked wrong on. Right. Okay, so you got a 98%. Right. My follow-up question is, well, I'm giving you points for the one that was scored correctly. My follow-up question is, well, I'm giving you points for the one that was scored correctly. So to kind of go back to the original question, your plan is to take the SISB diagnostic in the same way that you started with the diagnostic for the CC.
Starting point is 00:18:18 Correct. And let me ask this question like this in a polite way. I don't think you're going to get a 96% on the SISB diagnostic. I would be shocked if I'd be like, I would be shocked and elated if that was, I am also with you. So what are you going to do with the result? What are you expecting? And then what are you going to,
Starting point is 00:18:38 how are you going to use the results? How, what am I expecting? I'm expecting to do better than random chance. So if you play A for everything, you get a 25%. Right. What am I expecting? I'm expecting to do better than random chance. So if you play A for everything, you get a 25%. Right. So if I get a 25%, I'm going to be like, all right, I really need to sit down. I don't know anything about this is what I'm going to say.
Starting point is 00:18:55 If I get a 50%, I'll be like, okay, I'm doing pretty well. What is that? You're guessing right 25% of the time. And then, you know, if I got somewhere in the 75% range, I would be ecstatic about that. I would be very comfortable with my knowledge if I scored 75 on this pre-test. Sure. And for those of you who don't remember my learning layer from a couple of segments ago, those of you who don't remember my learning layer from a couple segments ago, I actually talked about the, there's real learning science data that shows doing the diagnostic as a, and a pre-test helps ensure better learning outcomes. Okay. So it's for the obvious reasons,
Starting point is 00:19:36 like you were explaining, Joe, you get to study efficiently, you know, your strengths and your weaknesses and you spend more time right on your weak, your weak areas and you can study efficiently. But also they think there's like a psychological sort of piece around taking a diagnostic where you can actually get more excited around the content because you have a bit of a challenge, you have a place to start, and then you sort of have a way to measure yourself by and it feels like you're making progress. So that's a long way of saying I endorse your way to start. For those of you who are not familiar with N2K products,
Starting point is 00:20:07 every single one of our certification courses and even role-based training courses start with a diagnostic assessment for just the reasons that we were talking about. So, Joe's going to take a 100-question multiple-choice exam that's going to cover, as Joe said, all eight domains of SISB. Joe, what domain do you think is going to be your strongest and which domain will be your weakest? I'm going to say, right off the bat, strongest is probably going to be software development.
Starting point is 00:20:34 Okay. That's where I think I'm going to be because I've been a software engineer for most of my technical career. Got it. So I feel very comfortable with programming. The domain I'm not all that comfortable with is domain one, security and risk management, mainly because my risk management
Starting point is 00:20:52 stuff, I get the idea of risk management. You measure likelihood and you measure impact. But there's been, in my career, there's been some places where I've just not been able to grasp some things. So I'm a little bit concerned about that domain. Okay. Well, Joe, I think we've had enough talk. You need to go take this thing, and then we'll go. When we meet again, you will have taken the diagnostic, and we'll chat a little bit about the results and figure out where to go from there. All right.
Starting point is 00:21:28 I'll get on it. Good luck. See if you can beat 96. Probably not going to happen. That's N2K Cyber Wire's Sam Meisenberg with my Hacking Humans co-host, Joe Kerrigan. Thank you. a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach
Starting point is 00:22:42 can keep your company safe and compliant. Breaking news happens anywhere, anytime. Police have warned the protesters repeatedly, get back. CBC News brings the story to you live. Hundreds of wildfires are burning. Be the first to know what's going on and what that means for you and for Canada. This situation has changed very quickly. Helping make sense of the world when it matters most. Stay in the know. Download the free CBC News app or visit cbcnews.ca. And finally, the Pokemon company detected hacking attempts targeting some user accounts,
Starting point is 00:23:34 leading to a proactive reset of passwords for those potentially affected. An official alert on their support website initially highlighted the issue, but was later removed, with a spokesperson clarifying that there was no system breach, merely attempts to access certain accounts. To safeguard customers, password resets were enforced for a small fraction of users, about 0.1%, who were actually compromised by these attempts. Likely credential stuffing attacks, where stolen usernames and passwords are tried on various platforms. Unlike some companies that have adopted mandatory two-factor authentication in response to similar incidents, the Pokemon company currently does not offer this security option to its users. Our gaming desk suggests the hackers thought they could Pika-choose some accounts.
Starting point is 00:24:22 Nice try, but no pika for you. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music by Elliot Peltzman.
Starting point is 00:25:04 Our executive producers are Jennifer Iben and Brandon Karp. Our executive editor is Peter Kilby and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
Starting point is 00:26:03 helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
