CyberWire Daily - Breached but not broken.
Episode Date: December 19, 2024

CISA urges senior government officials to enhance mobile device security. Russian state-sponsored hacker group Sandworm is targeting Ukrainian soldiers. A website bug in GPS tracking firm Hapn is exposing customer information. Multiple critical vulnerabilities have been identified in Sharp branded routers. Ireland's Data Protection Commission fines Meta $263 million for alleged GDPR violations. Google releases an urgent Chrome security update to address four high-rated vulnerabilities. Cyberattacks on India-based organizations surged 92% year-over-year. Cybercriminals target Google Calendar to launch phishing attacks. Fortinet patches a critical vulnerability in FortiWLM. Juniper Networks warns of a botnet infection targeting routers with default credentials. Our guest is Jeff Krull, principal and practice leader of Baker Tilly's cybersecurity practice, with advice on using employee access controls to limit internal cyber threats. When is "undesirable" a badge of honor?

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Our guest is Jeff Krull, principal and practice leader of Baker Tilly's cybersecurity practice, talking about using employee access controls to limit internal cyber threats.

Selected Reading
CISA urges senior government officials to lock down mobile devices amid ongoing Salt Typhoon breach (The Record)
Sandworm-linked hackers target users of Ukraine's military app in new spying campaign (The Record)
Tracker firm Hapn spilling names of thousands of GPS tracking customers (TechCrunch)
Multiple security flaws reported in SHARP routers (Beyond Machines)
Meta fined $263 million for alleged GDPR violations that led to data breach (The Record)
Update Google Chrome Now—4 New Windows, Mac, Linux Security Warnings (Forbes)
India Sees Surge in Banking, Utilities API Attacks (Dark Reading)
Google Calendar Phishing Scam Targets Users with Malicious Invites (Hackread)
Fortinet Patches Critical FortiWLM Vulnerability (SecurityWeek)
Juniper Warns of Mirai Botnet Targeting Session Smart Routers (SecurityWeek)
Recorded Future CEO Calls Russia's "Undesirable" Listing a "Compliment" (Infosecurity Magazine)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
CISA urges senior government officials to enhance mobile device security.
Russian state-sponsored hacker group Sandworm is targeting Ukrainian soldiers.
A website bug in GPS tracking firm Hapn is exposing customer information.
Multiple critical vulnerabilities have been identified in Sharp-branded routers.
Ireland's Data Protection Commission fines Meta $263 million for alleged
GDPR violations. Google releases an urgent Chrome security update to address four high-rated
vulnerabilities. Cyber attacks on India-based organizations surge 92% year over year. Cyber
criminals target Google Calendar to launch phishing attacks. Fortinet patches a critical
vulnerability in FortiWLM.
Juniper Networks warns of a botnet infection targeting routers with default credentials.
Our guest is Jeff Krull, principal and practice leader of Baker Tilly's cybersecurity practice,
with advice on using employee access controls to limit internal cyber threats.
And when is undesirable a badge of honor?
It's Thursday, December 19th, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks again for joining us here. It is great to have you with us.
CISA has urged senior government officials to enhance mobile device security following the Salt Typhoon breach, where Chinese hackers accessed the phone data, messages, and calls of 150 top U.S. officials.
The agency recommends using end-to-end encrypted apps
and warns that all communications, government or personal,
are at risk of interception or manipulation.
High-profile targets included President-elect Donald Trump,
Vice President Kamala Harris' staff, and Senator Chuck Schumer. CISA's latest advisory emphasizes
a whole-of-government effort to secure mobile ecosystems, with insights gathered from over
5 million devices across 94 agencies. The breach underscores the vulnerability of U.S. telecom networks,
with Chinese hackers reportedly maintaining access to compromised systems.
The breach has escalated U.S.-China cyber tensions, prompting discussions about banning
TP-Link routers, widely used in federal operations. China, in turn, accuses U.S.
intelligence of cyber attacks against its tech firms,
alleging the theft of sensitive data and exploitation of software vulnerabilities.
The cyber standoff continues to intensify.
Russian state-sponsored hacker group Sandworm is targeting Ukrainian soldiers in a new espionage campaign,
according to MilCERT-UA.
The hackers create fake websites mimicking the Ukrainian military app ArmyPlus to trick users
into downloading malicious software. ArmyPlus, launched earlier this year, streamlines bureaucratic
tasks for soldiers, making it a critical tool. The fake sites, hosted on Cloudflare workers,
deliver an installer crafted with NSIS. When executed, the file grants hackers hidden access
to compromised systems, allowing data exfiltration via the Tor network. CERT-UA links this campaign
to Sandworm, known for major attacks like the 2015 power grid disruption
and the 2017 NotPetya incident. This operation underscores ongoing Russian cyber aggression
targeting Ukraine's military infrastructure. Recent attacks include malware planted in
messaging apps and campaigns aimed at conscripts, highlighting a persistent focus on disrupting Ukrainian forces.
A website bug in GPS tracking firm Hapn is exposing customer names, affiliations, and data
on over 8,600 GPS trackers, TechCrunch reports. While location data isn't included, IMEI numbers and details about business affiliations
of users are accessible through developer tools. Hapn, formerly Spytec, provides GPS tracking
for vehicles and possessions and claims over 460,000 tracked devices, including Fortune 500
customers. The company has not responded to multiple outreach
attempts, leaving the data exposed. Multiple critical vulnerabilities have been identified
in SHARP routers and models from NTT Docomo, SoftBank, and KDDI, requiring immediate firmware
updates. The most severe flaw allows remote exploitation without authentication
enabling attackers to execute commands with root privileges.
Other issues include OS command injection, improper authentication and buffer overflow risks.
Users should check advisories and update firmware promptly to mitigate risks.
Ireland's Data Protection Commission fined Meta $263 million for alleged GDPR violations tied to a 2018 Facebook data breach affecting 29 million accounts globally.
The breach, linked to a flaw in Meta's video upload system exposed sensitive user data, including locations,
religions, genders, children's personal data, phone numbers, and email addresses.
The DPC cited Meta's failure to integrate adequate data protection measures into its
systems, poor breach documentation, and inadequate compliance practices.
This fine follows several others against Meta,
including €1.2 billion in May 2023 for improper EU-US data transfers and €405 million in 2021 for mishandling minors' data.
Meta responded by highlighting its corrective actions and commitment to user safety.
Google has released an urgent Chrome security update to address four high-rated vulnerabilities
affecting over 3 billion users. The issues include type confusion, out-of-bounds memory access,
and use-after-free flaws in Chrome's V8 JavaScript engine
and browser compositing function. Security researchers earned $75,000 in bounties for
identifying these risks. Users are urged to update Chrome and restart the browser to activate
protection. Dark Reading reports that cyber attacks on India-based organizations surged 92% year-over-year, and 215 million bot-driven API requests
are increasingly exploiting vulnerabilities in APIs and websites
fueled by AI tools like large language models.
These tools lower the barrier for hackers
enabling rapid exploitation of issues like SQL injection.
The banking, financial services, and utilities
sectors were heavily targeted, with geopolitical motives driving disruptions. Despite rising
threats, only 19% of Indian companies use automated API security scanners, while over
30% of critical vulnerabilities remain unpatched after six months, with 44% of Indian businesses
reporting data breaches costing over $500,000 in three years. Cybersecurity is now a top priority
for 61% of executives, according to PwC. Cybercriminals are targeting Google Calendar,
used by over 500 million people, to launch phishing attacks, according to Checkpoint Research.
Attackers exploit Google Calendar's features like Google Drawings and Google Forms to send emails with malicious links that bypass traditional security filters.
These links often redirect victims to fake login pages or fraudulent websites, stealing sensitive data like passwords or financial details.
Over 4,000 phishing emails affecting 300 brands were detected in a recent four-week period.
Fortinet has released patches for a critical vulnerability in FortiWLM, a wireless management tool, which could allow unauthenticated remote attackers to execute arbitrary code or access sensitive files via a path traversal flaw.
The issue affects multiple versions of FortiWLM, with updated versions resolving the issue.
Security researcher Zach Hanley of Horizon3.ai reported the flaw, noting it could
allow attackers to hijack admin sessions. Fortinet also patched a related OS command injection bug
in FortiManager. Juniper Networks warns of a botnet infection campaign targeting routers
with default credentials exploiting Mirai Malware.
Customers reported unusual activity on Session Smart Routers, which were compromised and used in DDoS attacks.
The malware scans for devices using default passwords, gains access, and executes malicious commands.
Juniper advises changing default credentials, using strong passwords, monitoring
for unusual behavior, blocking unauthorized access with firewalls, and keeping devices updated.
Reimaging infected devices is the only surefire way to eliminate the threat.
Coming up after the break, Jeff Krull from Baker Tilly's Cybersecurity Practice has advice on using employee access controls to limit internal cyber threats.
And when is undesirable a badge of honor?
Stay with us. Do you know the status of your compliance controls right now? Like,
right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash
cyber for $1,000 off. And now a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been
breached. Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Jeff Krull is principal and practice leader of Baker Tilly's cybersecurity practice.
I recently caught up with him for advice on using employee access controls to limit internal cyber threats.
It's interesting. It's really a wide spectrum, but it's really an area
that I think a lot of organizations don't necessarily put as much scrutiny to as they
should. So really, when you think about employees, right, they're the ones who have access to almost
everything in an organization, right? They're running the organization. They need access to
whatever applications you have, whatever systems you have, whatever SharePoints you have.
So it's usually, depending on the size of organization, a lot of people.
And a lot of organizations, I would say, put in processes to add a new user, delete a user, modify access for a user.
The scrutiny that's not always there, though, is within all of those processes for changing a user's access is how much access should they have. So it's an interesting area where, you know, in my mind,
employee access really goes from the day an employee shows up or even when you're interviewing
them in some cases all the way through to when, you know, ultimately they leave the organization.
All of the bells and whistles and controls along the way of how somebody gets access,
gets granted access, gets moved access, and ultimately loses access is all in that population,
as well as obviously authentication mechanisms and how people are authenticated for what they have.
Well, let's dig into some of the details here. I mean, what would you consider to be best practices?
Well, so, you know, real best practice is interesting because, you know, a lot of people these days are talking about zero trust environments and people, you know, for years before that
have talked about least privilege as a concept, right?
And so really the real best practice in my mind is, and it's easier said than done, making
sure employees only have access to the things they need to have access to contemporaneous
with when they need to have that access, right? So I'll use healthcare as usually a relatively straightforward
example of that, right? Let's say you have a hospital and you have a whole bunch of nurses.
Should all of the nurses have access to all the floors at any given time? Well, probably not,
right? Ultimately, you figure those nurses should only have access to the floor they're working on
that day, right? Or that shift. And maybe even you narrow it down further to say, well, you have a
scheduling system. Could you somehow real-time only grant access to the patients that nurse is
working with on that floor at that given time? Sounds great in theory, right? It sounds like, well, yeah, of course,
why should the nurse have access to everything?
Because if somebody breaks into her account,
they have access to everything.
If the nurse wants to do something bad,
she has access to everything.
So if you can limit her access to just those patients,
just that floor, just that time,
all of a sudden you've really mitigated the risk
of access related to that employee, right?
The challenge with that is obviously
when you think
through that, without some real heavy-duty thought and automation around those things,
it's really, really difficult to do. So that's why I really think, even though that I would say is
the best practice, is to really limit people to only what they need access to to really get their
job done. You have these competing priorities both with regards to operationalizing that and how
do you make that actually work in a real-life environment? And can your technology support you
to be able to do that? You also have challenges sometimes just with management of an organization
saying, well, that's great that you only want this nurse to work on this floor at this time,
but he or she maybe gets called up to another floor. And how am I going to handle that? And
it's an emergency situation.
And so what happens is sometimes operationally,
people go to the other end of the spectrum and say,
give them access to everything because we don't know what will go on.
So there's kind of this interesting balance there that gets really difficult to manage.
It's really easy for me to imagine the system starting to erode,
you know, as people get annoyed with it, right?
You know, Somebody needs access
to something. They can't get it. They complain. They complain loudly. And the people who are in
charge kind of throw up their hands and say, okay, give this person access to this. And then
it never goes away. Am I speaking about a realistic peril here?
You are spot on. That is exactly what happens.
And even though people talk about reviewing access,
I always say, do periodic access reviews
really get to that deep level, right?
Probably not, right?
So a lot of times what we find is,
once access is granted, it usually persists.
And a lot of times the people making the decisions,
I'll call it from an IT department
or cybersecurity department, right?
The people who are, you know,
a lot of times looking to say,
hey, let's limit access, let's keep it tight.
They may not be as involved in the business process
to always be ready to push back
on some of those decisions, right?
When somebody in the business is saying,
no, our people all need this access.
And hey, look, yesterday we had this big problem
and that big problem was because they didn't have access.
So go grant some more access. It's sometimes difficult for them not being necessarily the experts in
whatever that business process is to be able to be like, well, wait a second. I get that
happened yesterday. But that's like a once-in-a-year event. And we could probably design
some type of exception process. We could work when that once-in-a-year event happens.
But because they're not necessarily in the know,
to your point, somebody's screaming, somebody's mad,
and all of a sudden access gets expanded
beyond what is probably the ideal access.
I mean, it really strikes me that communication
is a real key part of implementing
this sort of thing effectively.
It's absolutely.
Communication, and I think
there's an element of buy-in a lot of times from what I'll call the non-IT professionals,
the business professionals, don't always have the mindset that they need to keep access really
limited. And so I think that's one of the hurdles a lot of organizations need to overcome is not
that they're doing something wrong by asking for the additional
access, but rather helping them to understand what the potential risks are of that additional
access, right? Because we all know it's a matter of when, not if, every organization or almost
every organization has some type of cyber event, some type of breach, right? Well, those breaches
get a lot easier if the access that they get into is somebody who has their access really limited. Those breaches get a lot harder
when that access is really broad. Well, in your experience, do you have any words of wisdom here
for how to strike that balance between limiting access but also limiting friction?
You know, it's a difficult thing.
I think it's really a tone at the top issue,
meaning I think, you know,
a cyber IT department can work with whatever,
procurement department, right?
They try and come to a meeting of the minds
and that can obviously happen.
But what I find,
the best controlled organizations
from a cyber perspective
tend to be the ones where the boardroom cares and your C-suite cares.
And they set the message that they really want to be a secure organization.
And that then starts permeating down.
That's really where it needs to come from and really viewing it not as an IT thing, but as a business risk, right?
Cyber and access is not an IT risk. It's a business risk.
And the organizations that view it as a business risk and drive it down through the organization
that way, at least in my experience, tend to have a better security posture, maybe not perfect,
but a better security posture than the ones who view it, you know, the old saying, you know,
that's an IT problem. Those are the ones that tend not to be as well secured. What about the folks who tend to have the most access?
You know, I would hate to be the IT person who has to report to the CEO and say, you're not going
to be able to access everything whenever you want to. How's that going to fly, right? So that's a
great question, right? So, and we run into that a lot where some of the higher-up executives start asking for more and more access.
Generally speaking, not exclusively, but generally speaking, we actually view it as more of a risk when the higher-ups have excessive access, right?
Because if you think about a CEO of a company, of a large organization, everybody knows the name of that CEO.
And there's lots of people doing all sorts of investigation into what that person does, whether they like it or not, right?
There's lots of bad actors out there trying to glean information and figure out nuances that CEO, ways they could potentially spoof them, when they go on vacation, stuff like that.
So usually, the higher up you are in an organization,
the less access you actually want that person to have.
You actually want to take that access out of their hands
and give it to somebody maybe a little lower down.
Obviously recognizing sometimes there's sensitive data,
things like that, that you couldn't do that with.
But what I call the rank and file,
you know, super user type access,
we usually recommend,
unless there's a really good reason,
don't get that in the hands of your C-suite.
In fact, take information access out of their hands
because they're by nature a target of bad actors.
You know, every organization setting down this path
has their own particular starting point here.
Do you have any advice for those folks as they're heading down this path to
make it as easy for everybody involved as possible? Yeah, the biggest advice I always have is don't
try to boil the ocean, right? There's going to be lots of applications. You're never done
with reviewing access. You're never done with trying to get access to where you want it to be.
A lot of organizations I do see sometimes get caught up in analysis paralysis. We have 100 applications, and we need to find data owners, and we need to do this, we need to do that.
And while you want to have good processes across the board that are sustainable,
usually it's actually better to just say, okay, if we have 100 applications, let's pick one or two.
Let's knock them out.
Let's figure out what works for us as an organization.
Get your quick wins, right?
Get your quick, hey, here's where we're able to limit access, and then start working through the other 100, right?
You don't have to get everything done tomorrow.
Obviously, the sooner you get it done, the better.
But a lot of organizations almost bite off more than they can chew a lot of times
in these access control projects. And as a result, because they bite off so much,
they actually don't get anything done over a period of time versus trying to break it
into bite-sized pieces and say, we're going to go deal with this department for the next three months.
That's Jeff Krull, Principal and Practice leader of Baker Tilly's Cybersecurity Practice.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
And finally, Russia has labeled cybersecurity firm Recorded Future as undesirable,
a badge CEO Christopher Ahlberg cheekily dubbed a rare compliment.
The Russian prosecutor general accused the firm of aiding Ukraine in offensive information operations and supporting the West's
propaganda campaign. Ahlberg and team, undeterred, probably framed the notice.
Recorded Future has actively supported Ukraine since Russia's full-scale invasion,
providing $10 million in intelligence cloud access, $20 million in aid in 2023 alone, and collaborating with 16
Ukrainian agencies to protect critical infrastructure and investigate war crimes.
Their Insikt Group's research, often spotlighting Russian cyber antics,
likely didn't win them any fans in Moscow. Interestingly, they're the first cybersecurity company to make Russia's undesirable
list, typically reserved for NGOs and media. Imagine being so effective that an entire country
bans you. And that's the CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights
that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector,
from the Fortune 500 to many of the world's
preeminent intelligence and law enforcement agencies.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester,
with original music and sound design by Elliot Teltzman.
Our executive producer is Jennifer Iben.
Our executive editor is Brandon Karp.
Simone Petrella is our president.
Peter Kilpie is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.