CyberWire Daily - Biden’s final cyber order tackles digital weaknesses.

Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.

Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.

Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.

Starting point is 00:01:22 Now at a special discount for our listeners. private by signing up for Delete Me. Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k and enter code N2K at checkout. That's join delete me dot com slash N2K code N2K. The Biden administration is finalizing an executive order to bolster U.S. cybersecurity. Avante releases emergency updates to address a critical zero-day vulnerability. A critical vulnerability is discovered in Cario control firewall software. Palo Alto Networks patches multiple vulnerabilities in its retired migration tool.

Starting point is 00:02:23 Fake exploits for Microsoft vulnerabilities lure security researchers. A medical billing company data breach affects over 360,000. A cyber attack disrupts the city of Winston-Salem. CrowdStrike identifies a phishing campaign exploiting its recruitment branding. Our guest is Danny Allen, CTO from Snyk,

Starting point is 00:02:42 sharing how a balanced approach between AI and human oversight can strengthen cybersecurity and the worst of the worst from CES. It's Thursday, January 9th, 2025. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us. It is great to have you with us here today. Thanks for joining us. It is great to have you with us here today. The Biden administration is finalizing an executive order to bolster U.S. cybersecurity in its final days, following major breaches during Biden's term, including a Treasury Department hack attributed to the Chinese group Silk Typhoon.

Starting point is 00:03:46 The order emphasizes strong identity authentication and encryption for government communications. This would protect sensitive information, even if systems are breached, by ensuring hackers cannot access encrypted documents. The Treasury hack reportedly involves stolen digital keys from Beyond Trust, a third-party provider, granting access to unclassified sanctions-related data. The executive order also proposes securing cryptographic keys via hardware security modules and tightening access management for federal contractors. Additionally, it mandates that software vendors demonstrate adherence to cybersecurity standards, like fixing known vulnerabilities and using multi-factor authentication. It's unclear if the incoming Trump administration will retain the order,

Starting point is 00:04:32 as Trump has signaled intentions to roll back federal regulations, including on artificial intelligence safeguards. Avanti has released emergency updates to address a critical zero-day vulnerability actively exploited by suspected Chinese nation-state attackers. The flaw affects Avanti Connect Secure VPN devices and allows remote code execution. Avanti recommends factory resetting devices before applying the update to remove potential malware that may fake the update process. A second vulnerability, also a stack-based buffer overflow,

Starting point is 00:05:11 has a high severity rating but hasn't been exploited in the wild. Avanti also warns that similar vulnerabilities exist in its policy-secure and neurons-for-zero-trust-access gateways, with patches expected by January 21. Attackers have used malware to block legitimate updates, creating a fake-update facade. Avanti credits Mandiant and Microsoft's Threat Intelligence Center for discovering the flaws. The U.S. CISA and the U's NCSC urge immediate action, highlighting the risks to critical edge devices and advising organizations to review networks for signs of intrusion. A critical vulnerability in CarioControl firewall software allows attackers to achieve

Starting point is 00:05:59 one-click remote code execution. Discovered by researcher Aguidio Romano, the flaw stems from improper input sanitization in several interface pages, enabling HTTP response splitting and open redirect attacks, potentially leading to severe consequences like gaining root access to the firewall. Initially deemed low-risk, it was reclassified as high severity with a CVSS of 8.8 due to exploitation potential via an older vulnerability. GFI software, the vendor, has been notified, but no patches are available yet. Palo Alto Networks has patched multiple vulnerabilities in its retired Expedition migration tool,

Starting point is 00:06:46 including a high-severity SQL injection flaw. This flaw allows authenticated attackers to access sensitive data, such as usernames, passwords, and device configurations, and manipulate files on the system. Expedition, retired at the end of last year, will no longer receive updates or security fixes, and users are urged to find alternatives. The latest Expedition version resolves the flaw and four additional medium and low severity issues. Palo Alto also updated Prisma Access Browser to address six Chromium vulnerabilities, including two critical flaws in the V8 JavaScript engine. While no exploitation has been reported for the latest vulnerabilities,

Starting point is 00:07:32 CISA previously warned about critical expedition flaws exploited in attacks. Users should restrict network access to expedition or deactivate it if unused. Security researchers are being targeted again, this time with fake exploits for Microsoft vulnerabilities. Trend Micro identified a malicious version of a legitimate proof-of-concept exploit for LDAP Nightmare, a denial-of-service bug patched in December. The counterfeit POC replaces Python files with a malicious executable that delivers a PowerShell script which downloads malware to steal user data. LDAP nightmare highlights two critical

Starting point is 00:08:15 vulnerabilities including one with a severity of 9.8 but both significant due to LDAP's widespread use in Windows environments. While experienced researchers may spot red flags, such as executables in Python projects, these lures still exploit trending issues to target a broader audience. This tactic follows a pattern of attackers targeting researchers, including incidents involving North Korean operatives. Previous cases have seen state-sponsored attackers use social media deception, zero-day exploits, and backdoored tools to compromise experts at major tech firms. Medusind, a U.S.-based medical and dental billing company,

Starting point is 00:09:01 suffered a data breach affecting over 360,000 individuals. Exposed data includes health insurance details, medical records, payment information, government IDs, and contact information, though impacted data varies per person. Threat actors could exploit this information for medical identity theft or financial fraud. The breach, discovered in December of 2023, involves stolen files containing personal information. MediSynd has offered affected individuals 24 months of free credit monitoring and identity protection. The company, headquartered in Miami, Florida,

Starting point is 00:09:40 serves thousands of healthcare providers across the U.S. and India. Meanwhile, Excelsior Orthopedics, a New York-based health care provider, experienced a ransomware attack in June of 2024, compromising the personal and health information of approximately 357,000 individuals. The breach affected patients and employees of Excelsior and related entities, including Buffalo Surgery Center and Northtown's Orthopedics. Exposed data includes names, social security numbers, medical records, diagnosis and treatment details, and more. Initially thought to impact only employees, the breach's scope was later found to include patient data. The Monty ransomware gang claimed responsibility, stealing 300 gigabytes of data, now publicly available. Excelsior disconnected

Starting point is 00:10:34 external access to its network and continues recovery efforts. Affected individuals have been offered 12 months of free credit monitoring and fraud assistance services. The company has not confirmed the specific type of attack, but acknowledges significant data compromise. A post-Christmas cyber attack disrupted online utility payment systems in Winston-Salem, North Carolina, affecting a quarter of a million residents and a nearby Forsyth County. Discovered on December 26, the attack forced the city to take systems offline, though fire and police services remain unaffected.

Starting point is 00:11:13 Residents can pay bills in person without late penalties. City officials working with state and federal agencies have yet to restore full services. The attack coincides with severe weather communication challenges and follows similar incidents across North Carolina. The state prohibits government entities from paying ransoms under a 2022 law. Earlier this week, CrowdStrike identified a phishing campaign exploiting its recruitment branding to distribute malware. The attack uses phishing

Starting point is 00:11:46 emails impersonating CrowdStrike recruitment to direct victims to a malicious site offering downloads of a fake employee CRM application. The downloaded executable written in Rust acts as a downloader for the crypto miner XMRig. The malware employs evasion tactics such as debugger detection process checks and sandbox avoidance before downloading and running XM rig it establishes persistence by creating batch scripts in the startup directory and adding registry entries to re-execute on system logon victims are urged to verify the authenticity of CrowdStrike communications and avoid downloading unsolicited files. CrowdStrike emphasizes that it does not ask

Starting point is 00:12:32 candidates to download software for interviews or process payments. Organizations should educate employees on phishing risks, monitor suspicious activity, and implement endpoint protection to mitigate these kinds of threats. Coming up next, we've got my conversation with Snyk's CTO Danny Allen about how a balanced approach between AI and human oversight can strengthen cybersecurity, and hear about Worst in Show, also known as when your fridge knows too much about you. We'll be right back. Do you know the status of your compliance controls right now? Like, right now.

Starting point is 00:13:38 We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.

Starting point is 00:14:35 And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home. Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. Danny Allen is Chief Technology Officer at Snyk. I recently caught up with him to talk about how a balanced approach between AI and human oversight can strengthen cybersecurity.

Starting point is 00:15:34 AI is clearly a focus for most organizations right now, from CEO to CIO on down. Organizations are asking, how can I effectively use AI? That is not an exclusion for the development organization, which we regularly meet with. And so what we wanted to do is understand how organizations were thinking about AI and how they're rolling it out within the organization. And so this led to a survey by Snyk of 400 organizations with a thousand or more employees. Well, let's go through some of the findings together here. What are some of the things that caught your eye? Well, the thing that probably stood out the most to me is that the C suite, so CEOs, CIOs, et cetera, CISOs, were five times more likely to rate AI coding tools, because we were specifically honing

Starting point is 00:16:26 in on development and AI coding tools, as not risky at all, as compared to the application security folks who were saying they were risky. And the numbers there, I think 5% of the application security team were saying, hey, these are not risky, where for the C-suite, 25 percent of them said not risky at all. So there's clearly a disconnect between executives and the application security team. It's probably the most significant standout from the report for myself. Now, that's an interesting disconnect there. What do you make of that? What do you suspect might be driving it? I suspect that application security folks are very in tune with security issues and tend to be more paranoid. They have a lengthy history of dealing with security. And when it comes to AI, of course, security is the top concern. And so they just look at it as a new type of infrastructure. We need to

Starting point is 00:17:24 be concerned about security. Executives, on the other hand, they just look at it as a new type of infrastructure. We need to be concerned about security. Executives, on the other hand, are not looking at it from a negative perspective of, I need to be paranoid about this. Executives instead are looking at it and saying, how can we be productive in using this? And so they are looking at it more optimistically than the security team who are looking at it and say, what are the risks associated with this? team who are looking at it and say, what are the risks associated with this? One of the things that caught my eye was this finding that organizations may not be making the proper

Starting point is 00:17:52 preparations when it comes to AI coding security. Can you explain that for us? Yes. So on the development side, what we found is that two of three devs, so 66% of developers were saying they weren't being trained on AI security. And if you think about this logically, a developer can take code and put it in ChatGPT and say, can you make this faster or more efficient or convert this to a different language? There's obviously security concerns about that because they just took proprietary code and put it in chat GPT. And so one of the things that organizations

Starting point is 00:18:30 are not thinking about is developers that are trying to be more efficient and they're using AI to be more efficient, but they haven't been trained on the security concerns that come along with the use of this AI. And what you find is that most of the organization, it's the proprietary information that they're trying to optimize because it's their crown jewels. And they're saying, how do I do this more effectively? Having security training around

Starting point is 00:18:56 that is obviously critical. Yeah. What are the take-homes here in terms of lessons learned or words of wisdom for folks to take away from this report? What do you hope they get from it? Well, I really hope that organizations realize that AI, first of all, is extremely effective. And it helps organizations to be so much more productive. So this is in no way meant to say, don't use AI. Instead, it's to say, we should be using AI to make our organizations more productive, to develop more quickly. But we also need to be thinking about the guardrails that come along with that AI. And those guardrails can be at a people level.

Starting point is 00:19:38 So, for example, training developers on how to use AI more effectively. They can also be at a process level so that they're trained on how to use the AI within their daily workflows. And then also at a security level, there's many ways that we can put in security controls that as organizations are using AI, they're doing it in a way that conforms with the corporate policy. Do you have any guidelines for best practices for folks to kind of dial in the balance between effective use of AI, but also the necessity for human oversight? I'm not yet convinced that AI is ready to be completely autonomous. Some human oversight is valuable. I think of self-driving cars. I'm not yet ready to get in a self-driving car and say, drive me across the country. I still need to be sitting in the seat with my hands on the steering wheel. However, that being said, you want to do it

Starting point is 00:20:35 in a way that takes advantage of what the AI is giving you. In other words, if you're in a self-driving car, of course, you can pay attention to the traffic, but you don't have the stress associated with it. And I think that's the same way when it comes to AI within the organization. You don't want to be slowing down the organization. You don't want the guardrails to be so onerous that it doesn't allow them to achieve the outcome and that they are achieving the benefit of it. But you do need to have those guardrails in place. Our thanks to Danny Allen from Snyk for joining us. We'll have a link to Snyk's AI readiness report in the show notes.

Starting point is 00:21:47 Thank you. trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And finally, CES, the Consumer Electronics Show, is all about futuristic gadgets designed to improve lives. But sometimes innovation veers into eyebrow-raising territory. Enter the Worst in Show Awards, where dystopia

Starting point is 00:22:55 experts highlight the most repair-challenged, privacy-invading, and unsustainable tech. Topping the list of face palms, UltraHuman's $2,200 luxury smart ring, which lasts just 500 charges before becoming irreparable bling. Two years of use for that price? A new low, quipped iFixit CEO Kyle Wiens. Next up, Bosch's AI-powered crib, promising to rock babies to sleep and track their vitals. The Electronic Frontier Foundation dubbed it surveillance for your infant, packing cameras, mics, and radar into what should be a privacy-safe sanctuary. The least sustainable prize? SoundHound's AI in-car commerce system, encouraging wasteful takeout and distracted driving.

Starting point is 00:23:48 And TP-Link's router, one least secure, thanks to vulnerabilities that prioritize government alerts over user safety. Finally, the overall winner, that would be LG's AI refrigerator. Flashy, pricey, and doomed to premature obsolescence. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast.

Starting point is 00:24:33 Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Iben. Our executive editor is Brandon Karp. Simone Petrella is our president. Peter Kilby is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here

Starting point is 00:25:10 tomorrow. Thank you.

CyberWire Daily - Biden’s final cyber order tackles digital weaknesses.

There aren't comments yet for this episode. Click on any sentence in the transcript to leave a comment.