CyberWire Daily - Bolstering the digital shield.

Episode Date: January 16, 2025

President Biden issues a comprehensive cybersecurity executive order. Updates on Silk Typhoon’s US Treasury breach. A Chinese telecom hardware firm is under FBI investigation. A critical vulnerability has been found in the UEFI Secure Boot mechanism. California-based cannabis brand Stiiizy suffers a data breach. North Korea’s Lazarus Group lures freelance developers. The FTC highlights major security failures at web hosting giant GoDaddy. Veeam patches a critical vulnerability in their Backup for Microsoft Azure product. Hackers leak sensitive data from over 15,000 Fortinet firewalls. Our guest today is Oren Koren, Veriti's Co-founder and CPO, sharing insights about the state of healthcare cybersecurity. Shiver me timbers! Meta’s AI trains on a treasure chest of pirated books.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Our guest today is Oren Koren, Veriti's Co-founder and CPO, sharing insights about the state of healthcare cybersecurity. You can read more in their “The State of Healthcare Cybersecurity 2025” report.
Selected Reading
Biden to sign executive order on AI and software security (Axios)
Treasury Breach by Chinese Sponsored Hackers Focused on Sanctions, Report Says (Bloomberg)
Exclusive: Chinese tech firm founded by Huawei veterans in the FBI's crosshairs (Reuters)
New UEFI Secure Boot Bypass Vulnerability Exposes Systems to Malicious Bootkits (Cyber Security News)
380,000 Impacted by Data Breach at Cannabis Retailer Stiiizy (SecurityWeek)
North Korean Hackers Targeting Freelance Software Developers (SecurityWeek)
GoDaddy Accused of Serious Security Failings by FTC (Infosecurity Magazine)
Veeam Azure Backup Solution Vulnerability Allows Attackers To Enumerate Network (Cyber Security News)
Hacking group leaks Fortinet users’ details on dark web (Computing)
Meta Secretly Trained Its AI on a Notorious Piracy Database, Newly Unredacted Court Docs Reveal (WIRED)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life Thank you. JoinDeleteMe.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout. That's JoinDeleteMe.com slash N2K, code N2K. President Biden issues a comprehensive cybersecurity executive order, updates on Silk Typhoon's U.S. Treasury breach,
Starting point is 00:01:40 a Chinese telecom hardware firm is under FBI investigation, a critical vulnerability has been found in the UEFI Secure Boot mechanism. California-based cannabis brand Stiiizy suffers a data breach. North Korea's Lazarus Group lures freelance developers. The FTC highlights major security failures at web hosting giant GoDaddy. Veeam patches a critical vulnerability in their Backup for Microsoft Azure product. Hackers leak sensitive data from over 15,000 Fortinet firewalls. Our guest today is Oren Koren, Veriti's co-founder and CPO, sharing insights about the state of healthcare cybersecurity.
Starting point is 00:02:19 And Shiver Me Timbers, Meta's AI trains on a treasure chest of pirated books. It's Thursday, January 16th, 2025. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today. Great to have you with us. As expected, President Joe Biden, just days before leaving office, issued a comprehensive cybersecurity executive order to bolster the U.S. government's digital defenses. The directive mandates stronger network monitoring, secure software development, and stricter protections for cloud and IoT systems. It emphasizes using AI for cybersecurity, with programs to safeguard critical infrastructure and analyze threats. Agencies must adopt digital identity tools, secure open-source software,
Starting point is 00:03:28 and prepare for post-quantum cryptography. Key measures include requiring software vendors to prove secure practices, empowering the Cybersecurity and Infrastructure Security Agency to conduct threat hunting, and reducing reliance on dominant IT providers. The order also introduces consumer IoT labeling and prioritizes research on AI security. The directive seeks to address vulnerabilities exposed by incidents like the SolarWinds hack. However, its future depends on the incoming administration, which has yet to define its cybersecurity approach
Starting point is 00:04:05 or appoint key officials. The order aims to set a strong foundation for continued improvements. Bloomberg has an update on the Chinese state-sponsored hackers identified as Silk Typhoon who breached the U.S. Treasury Department, compromising 419 computers and accessing sensitive, unclassified data. The attackers targeted staff involved in sanctions, international affairs, and intelligence, stealing usernames, passwords, and over 3,000 files, including policy documents, sanctions material, and law enforcement-sensitive data. They also accessed information on investigations by the Committee on Foreign Investment in the U.S. The breach occurred between September and November and exploited contractor BeyondTrust's systems. Investigators
Starting point is 00:04:58 found no evidence of malware or long-term infiltration into classified systems. Treasury reported the attack to CISA and sought FBI assistance. Congress was informed of the breach, with officials conducting a damage assessment and considering alternatives to BeyondTrust. China denied involvement, calling the allegations groundless. Treasury employees will brief the Senate Banking Committee, while BeyondTrust's systems remain offline. The U.S. Commerce Department and FBI are investigating Baicells Technologies, a telecom hardware firm founded in China by former Huawei executives, over potential national security risks, Reuters reports. Baicells, established in 2014, supplies equipment for mobile networks across all U.S. states.
Starting point is 00:05:50 The probes focus on the company's Chinese origins, vulnerabilities in its base stations, and potential risks of remote access or espionage. The Pentagon recently listed Baicells as linked to the Chinese military, while CISA flagged security flaws in its products. FBI concerns date back to 2019, including warnings to customers near sensitive U.S. sites. Despite claims of independence from its Chinese parent, critics allege Baicells is managed from China, with most equipment sourced from Chinese suppliers.
Starting point is 00:06:26 Baicells denies security risks and says it cooperates with investigators, but scrutiny reflects ongoing fears about Chinese telecom firms compromising U.S. infrastructure. Federal agencies and customers remain wary. A critical vulnerability has been found in the UEFI Secure Boot mechanism impacting most UEFI-based systems. Discovered by ESET, the flaw allows attackers to bypass Secure Boot protections and deploy malicious bootkits like Bootkitty and BlackLotus, even on systems with Secure Boot enabled. The issue lies in a UEFI application signed by Microsoft, which improperly uses a custom loader instead of secure UEFI functions. Affected software includes recovery tools from vendors like Howyar, Greenware, and Radix. Exploitation
Starting point is 00:07:22 grants attackers persistent undetected access during boot by replacing legitimate bootloaders. Microsoft revoked vulnerable binaries in its January 2025 Patch Tuesday update. Users are advised to update systems, ensure Secure Boot databases are current, and audit UEFI configurations. Though no real-world attacks have been observed, this vulnerability highlights concerns over third-party UEFI security practices and Microsoft's code-signing process. California-based cannabis brand Stiiizy
Starting point is 00:07:59 is notifying 380,000 individuals of a data breach stemming from a vendor's cyber attack. Between October 10th and November 10th of last year, attackers accessed systems at the vendor, stealing personal information tied to four Stiiizy locations in San Francisco, Alameda, and Modesto. Compromised data includes government ID details, medical cannabis cards, transaction histories, and more.
Starting point is 00:08:28 Stiiizy suspects ransomware as the Everest Ransomware Group claimed responsibility, leaking some stolen records. Stiiizy is offering affected individuals 12 months of free credit monitoring. North Korean hackers, specifically the Lazarus Group, are targeting the software supply chain in a campaign dubbed Operation 99, according to SecurityScorecard. The campaign lures Web3 and cryptocurrency developers via fake LinkedIn profiles offering freelance projects. Victims are directed to clone malicious GitLab repositories, which connect to attackers' command and control servers, deploying custom malware tailored to each victim's platform, be it Windows, macOS, or Linux. The malware steals files, credentials, clipboard data, and keylogs, maintaining persistence through advanced encoding and modular frameworks. Lazarus's goal is to compromise developer workflows, steal intellectual property, and access cryptocurrency wallets. The campaign is part of North Korea's broader strategy to
Starting point is 00:09:37 fund its regime, reportedly stealing $1.34 billion in cryptocurrency in 2023 and $660 million in 2024. The operation exemplifies the growing sophistication of North Korean cyber tactics to exploit trust and disrupt critical supply chains. The Federal Trade Commission has identified major security failures at web hosting giant GoDaddy, attributing multiple data breaches from 2019 through 2022 to inadequate cybersecurity practices. A proposed FTC settlement requires GoDaddy to overhaul its security measures, including implementing robust information security programs, real-time event analysis, and mandatory multi-factor authentication for employees and third parties. The breaches exposed sensitive data, including customer credentials, credit card numbers, and websites, affecting millions of small businesses and their
Starting point is 00:10:38 customers. The FTC alleges that GoDaddy failed to manage assets, update software, monitor security events, and segment shared hosting environments, leaving customers vulnerable to malware, data theft, and website compromises. The proposed order prohibits misleading security claims and mandates annual security testing. Although no financial penalty is included, noncompliance could result in significant fines. A critical vulnerability has been identified in Veeam Backup for Microsoft Azure, affecting versions up to 7.1.0.22. This high-severity flaw enables unauthenticated attackers to exploit a server-side request forgery weakness, allowing unauthorized network enumeration and potential follow-up attacks. Veeam discovered the issue during internal testing and released a patch to address it. Users are urged to update their systems immediately to mitigate risks.
Starting point is 00:11:49 Hackers known as the Belsen Group have leaked sensitive user data from over 15,000 Fortinet firewalls on the dark web. The data, reviewed by security researcher Kevin Beaumont, appears authentic, including usernames, passwords, some in plain text, SSH keys, digital certificates, and firewall rules. The leak stems from a 2022 zero-day vulnerability affecting FortiOS, FortiProxy, and FortiSwitch Manager. Organizations are urged to check patch histories, update credentials, and assess exposure. Many impacted devices remain in use, often maintained remotely. The leaked data, dating back to October 2022, highlights ongoing risks from unpatched systems. Fortinet has also recently warned of another zero-day vulnerability potentially under attack. Coming up after the break, my conversation with Oren Koren, Veriti's co-founder, speaking about healthcare cybersecurity, and Shiver Me Timbers, Meta's AI trains on a treasure chest of pirated books. Stay with us. Transat presents a couple trying to beat the winter blues.
Starting point is 00:13:14 We could try hot yoga. Too sweaty. We could go skating. Too icy. We could book a vacation. Like somewhere hot. Yeah, with pools. And a spa.
Starting point is 00:13:23 And endless snacks. Yes! Yes! Yes! With savings of up to 40% on Transat South packages, it's easy to say, so long to winter. Visit Transat.com or contact your Marlin travel professional for details. Conditions apply. Air Transat. Travel moves us. Do you know the status of your compliance controls right now?
Starting point is 00:13:47 Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
Starting point is 00:14:16 They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from BlackCloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? BlackCloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Starting point is 00:15:10 Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with BlackCloak. Learn more at blackcloak.io. Oren Koren is Veriti's co-founder and chief product officer. I recently caught up with him for insights on the state of healthcare cybersecurity. I think what you've seen in 2024 and 2023 will be the same, but with another layer of complexity.
Starting point is 00:15:57 First of all, the same, they will be still the main target because in some cases it's easier to hack a hospital. And if you want, I can explain that. But the second piece is we are seeing so many hospitals and health care institutes are starting to use AI outside of their own boundaries. That means saving, sending, sharing our own personal data within external AI solutions or advanced processes. And those, I believe, will become the targets because if the data was stored
Starting point is 00:16:37 inside the hospital, and again, we can talk about how easy or not easy to get in, but now maybe we don't need to get in as an attacker from an attacker perspective. You just need to go to the center of the data that is outside of the organization. I believe that we will see a massive increase in 2025 for that. Well, let's go at those one at a time. I mean, starting with the notion of the hospital itself,
Starting point is 00:17:04 the healthcare organization being an attractive target. We talk about how they have that combination of perhaps not being as fully funded as other organizations and also obviously having a critical mission. I mean, that is par for the course these days. That has not changed over the past few years, right? And it will not. The example for that is,
Starting point is 00:17:30 me and my other co-founder, Adi, we went to the Health Care Institute for a discussion, just a security discussion, not something related to the product. And I've asked the CISO and the CIO, can you please grant me access to your security control just for a second? I just want to see what actually you do with them.
Starting point is 00:17:50 Are you using them? The answer was definitely yes. And when we logged in to the different layers of security, everything was turned off. It's like 100% turned off. I looked at them and I said, that's on you. You understand that, right? In two, three months, someone will get in.
Starting point is 00:18:09 They said, yes, but they might get in, but no one will die because the security controls that we have will not take down the MRI. What we see in hospitals or healthcare is that they cannot patch because mainly compliance, because the MRI that is on Windows Vista or something will not be patched for the next eight years until the next episode of compliance processes. That means they have the vulnerability, they have the risk of the exposure, and they cannot update, upgrade with all of the known processes. They need to use the compensating controls, but they do not want to use them. Or they are reducing the protection
Starting point is 00:18:55 because those are very intrusive and are impacting their business, their businesses saving lives. We are seeing that all the time. Almost every time you will see a research on someone that hacked, it's because they had everything. They had the ability to protect. It's mandatory compliance
Starting point is 00:19:15 to have all of those tools and controls, but they have not used them because they will say, yeah, I will not use those. It will take me down and I'm not going to jeopardize someone's life because of a signature that I need to enable for my vulnerability. It's very common, unfortunately, today. Yeah, I've certainly heard that story before.
Starting point is 00:19:36 Well, talking about AI and the data going off-site, explain that to me. Are we talking about the casual use of readily available AIs, the ChatGPTs of the world, or are we talking about the custom solutions for the medical industry that are also, let's say, cloud-based? No, the custom solutions. Definitely in ChatGPT and those tools,
Starting point is 00:20:03 there is a risk, but I don't think that that will be the main one. Yet another example, I went to another institute and they have a project for the human genome. They actually map everything. They collect all the data from everyone that comes to the hospital and send it to advanced analysis. Everything is analyzed in the cloud.
Starting point is 00:20:26 So actually, there is one repository with all of the genome structure and also all of the, it's not photos, all of the results of the tests of everyone that came to the hospital. It's one location. Now I will ask the engineer or the IT manager in the hospital, do you know how to secure your cloud? Let's say it's an application you've deployed in your AWS. Do you know how to secure it or how to validate the security there?
Starting point is 00:20:54 So if the answer is yes, let's hope. If the answer is no, okay, use the CSPM first because you've moved to the cloud. And if it's an external service, external application that you use, that means the hospital might not be the target. They will just target someone else, an external resource, or even a startup that is doing that,
Starting point is 00:21:15 that might have security, might not. And in one place, they will be able to collect all the data or to encrypt all of it. And in some cases, it's human life because the MRI analysis today is using AI inside the system, just like inside the hospital, but also
Starting point is 00:21:32 outside. So would you pay a million bucks for someone's life if you need to pay the ransom or not? That's, I think, a crucial question that we'll see even more, but not by attacking the hospitals themselves, but the external locations where the data is stored. Given these realities, the things that we've laid out here, what are your recommendations then? I mean, what is there for these organizations to do? Let's start with AI.
Starting point is 00:22:03 When you're moving to the cloud, you cannot assume you know what you do. You've deployed firewalls and routers and the EDR and the WAFs of the globe, and you've done that for the last 20 years. And you're amazing at that. As a CISO, you've done that in your career, and then you got the CISO position,
Starting point is 00:22:23 and now you actually know how to manage it, how to define the security, and how to enforce it or how to validate the team is doing their job. But when you are moving to the cloud, it's almost the same, but it's different. Someone needs to know what to do there. And the engineer that worked for the last 20 years at the hospital
Starting point is 00:22:40 still needs to work there. You still have the infrastructure, but you need someone else that has the expertise. And what I've seen from the U.S. government standpoint, in the flight I've done with someone from Microsoft, they finished a project
Starting point is 00:22:55 with the U.S. government that the U.S. government is giving an MSSP service to the hospitals without any payment to help them. Use those service providers. You don't have enough budget to hire all the DevOps you need.
Starting point is 00:23:11 So my recommendation will be, if you have those projects, and it's very easy to map today if data is being sent outside or saved or stored outside, or hire the relevant ones and first of all use a CSPM, run a CSPM to understand if there is a misconfiguration there. But second, move to services, because probably you will not be able to hold the manpower. They will not go to work at a hospital. They will go to a big firm or a big tech company
Starting point is 00:23:37 if you want strong DevOps. So that's for the AI. For the organizations themselves, the exposure management and remediation today, and it was defined by Gartner as CTEM, continuous threat exposure management, is something that everyone needs. But in healthcare, the idea of CTEM,
Starting point is 00:23:59 and I think it's a very important thing to focus on, is let's scope ourselves on what is important to protect. What are my assets or important assets? Let's understand if I have the way to protect them. And then let me protect them with what I have. It's actually a circle of five steps. I'm seeing CTEM as something that,
Starting point is 00:24:20 again, continuous threat exposure management is something that is very common today in lots of discussions with C-levels. But what they need to realize or understand is it's not about budget or buying more controls. They don't need more. They actually need to use what they have. Veriti is one way, and we are doing the remediation piece, validation piece, find the gap and then resolve it.
Starting point is 00:24:47 But just to be aware that you have the controls to protect, and it's your responsibility. That's the first step. That's Oren Koren, Veriti's co-founder and chief product officer. We have a
Starting point is 00:25:02 link to their State of Healthcare Cybersecurity 2025 report in our show notes. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
Starting point is 00:26:12 And finally, Meta's legal troubles have deepened as new evidence exposes the company's reliance on pirated content to train its AI models, marking a major escalation in its copyright infringement case. Unredacted court documents reveal Meta's AI team used LibGen, a notorious repository of pirated books, to train its models. The lawsuit, filed by authors including Richard Kadrey and Sarah Silverman, claims Meta knowingly leveraged stolen works. The court slammed Meta's excessive secrecy,
Starting point is 00:26:46 accusing it of seeking to avoid bad PR rather than protecting business interests. Internal exchanges reveal employees' concerns over torrenting pirated data on corporate devices and even escalations to CEO Mark Zuckerberg, who allegedly approved its use. Meta also seeded pirated files, effectively becoming a distributor of stolen material. Meta's arguments hinge on fair use, but the revelations could significantly bolster the plaintiffs' case,
Starting point is 00:27:21 including potential Digital Millennium Copyright Act violations. The scandal underscores Meta's cavalier approach to intellectual property and its shaky defense against claims of exploiting shadow libraries. Move fast and pirate things. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. We're privileged that N2K Cyber Wire is part of the daily routine of the
Starting point is 00:28:22 most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. This episode was produced by Liz Stokes. Our mixer is Trey Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf.
Starting point is 00:28:44 Simone Petrella is our president. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
