CyberWire Daily - Breaking Bad (records).
Episode Date: July 30, 2024
Zscaler uncovers the largest ransomware payment to date. IBM says the average cost of a breach is closing in on five million dollars. Hackers exploited Proofpoint's email protection platform to send millions of phishing emails. NIST launches Dioptra to test ML models. AcidPour targets Linux data storage devices for wiping. WhatsApp for Windows allows Python to run wild. The White House releases the National Standards Strategy for Critical and Emerging Technology (USG NSSCET) Implementation Roadmap. A bipartisan Senate bill aims to fund cybersecurity apprenticeships. CISA adds three exploits to its vulnerability catalog. Ben Yelin joins us today to discuss a U.S. District Court judge's recent dismissal of charges against SolarWinds. Loose lips sink ships, but leaky HDMI cables flood the airwaves with digital data. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Ben Yelin, co-host of our Caveat podcast and Program Director, Public Policy & External Affairs at University of Maryland Center for Health and Homeland Security, joins us today to discuss the U.S. District Court judge dismissing most charges against SolarWinds. For more detail on the SolarWinds decision, check out this article.
Selected Reading Zscaler just uncovered what could be the largest ransomware payment of all time (ITPro) Hackers exploit Proofpoint to send millions of phishing emails (Tech Monitor) Average data breach cost jumps to $4.88 million, collateral damage increased (Help Net Security) NIST releases open-source platform for AI safety testing (SC Media) AcidPour Malware Attacking Linux Data Storage Devices To Wipe Out Data (GB Hackers) WhatsApp for Windows lets Python, PHP scripts execute with no warning (Bleeping Computer) US government debuts Implementation Roadmap for national standards strategy on critical and emerging technologies (Industrial Cyber) Bipartisan Senate bill would promote cybersecurity apprenticeship programs (CyberScoop) CISA warns of three new critical exploited vulnerabilities (The Stack) AI can reveal what’s on your screen via signals leaking from cables (New Scientist) Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Zscaler uncovers the largest ransomware payment to date.
IBM says the average cost of a breach is closing in on $5 million.
Hackers exploited Proofpoint's email protection platform to send millions of phishing emails.
NIST launches Dioptra to test ML models.
AcidPour targets Linux data storage devices for wiping.
WhatsApp for Windows allows Python to run wild.
The White House releases the National Standard Strategy for Critical and Emerging Technology Implementation Roadmap.
A bipartisan Senate bill aims to fund cybersecurity apprenticeships.
CISA adds three exploits to its vulnerability catalog.
Ben Yelin joins us to discuss a U.S. District Court judge's
recent dismissal of charges against SolarWinds.
And loose lips sink ships, but leaky HDMI cables flood the airwaves with digital data.
It's Tuesday, July 30th, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Thank you for joining us here. It is great to have you with us.
The most recent report from Zscaler's Threat Labs has identified the largest ransomware payment ever recorded, amounting to $75 million.
This payment, made to the Dark Angels group, is almost double the previous record. The surge in ransomware attacks continues,
with an 18% increase in the volume of attacks from April 2023 to 2024. Additionally, the number of victim organizations listed on data leak sites has risen by nearly 58%. Threat Labs' research
also identified 19 new ransomware families, bringing the total to 391. This
particular record-breaking payment signals the thriving state of digital extortion and may
encourage other cybercriminal groups to adopt similar strategies. IBM's 2024 Cost of a Data
Breach report reveals the global average breach cost hit $4.88 million, a 10%
increase from last year. Breaches caused significant disruption for 70% of affected
organizations, driven by lost business and post-breach costs. Recovery took over 100 days
for most fully recovered entities. Staffing shortages, which increased by 26%, raised breach costs by $1.76 million.
AI-powered prevention helped reduce costs by $2.2 million,
with 67% of organizations using security AI and automation.
Breaches involving multi-environment data storage averaged over
$5 million in costs. Internal detection of breaches improved, reducing the breach life
cycle to 258 days, the lowest in seven years. Intellectual property theft rose by 27%,
with costs per stolen record up nearly 11%. Critical infrastructure sectors like healthcare and financial services
saw the highest breach costs, with healthcare averaging $9.77 million.
Hackers exploited Proofpoint's email protection platform
to send millions of phishing emails daily from January to June of this year
in a campaign dubbed Echo Spoofing.
By manipulating vulnerabilities, they impersonated major companies like IBM,
Coca-Cola, and Disney. Proofpoint confirmed that these vulnerabilities have been patched
and no customer data was exposed. The unidentified attackers used compromised
Proofpoint servers to make phishing emails appear legitimate
Proofpoint and Guardio Labs quickly collaborated to mitigate the threat
implementing measures to ensure only authorized emails are relayed
The National Institute of Standards and Technology, NIST, has launched Dioptra
an open-source tool to test the
resilience of machine learning models against various attacks. Released alongside new AI
guidance, Dioptra fulfills requirements from President Biden's executive order on AI safety.
Available on GitHub, Dioptra features a web-based interface, user authentication, and experiment provenance tracking to ensure reproducibility.
Dioptra addresses three main attack types, evasion, poisoning, and oracle.
Initially designed for image classification models, it can be adapted for other ML applications.
The tool helps users measure attack impacts and test defenses like data sanitization.
It supports Unix-based systems and requires significant computational resources.
NIST says they plan to continue improving Dioptra based on user feedback.
Additionally, NIST released new AI safety guidance focusing on risks associated with
generative AI and dual-use models,
accepting public comments until September 9th. In March of this year, a new variant of the
AcidRain wiper malware named AcidPour emerged, targeting Linux data storage devices and rendering
them inoperative by permanently erasing data.
According to researchers at Splunk, AcidPour targets crucial sectors like SCSI, SATA, MTD,
MMC storage, DM setup, and UBI devices, making data recovery nearly impossible.
Unlike AcidRain, which attacked MIPS-based modems and routers, AcidPour has a defense evasion technique, overwriting itself with random bytes and a command line message. It employs a time-based evasion technique using the select function.
AcidPour systematically wipes important directories, including the boot directory,
and replaces files with 32 kilobytes of random data.
It overwrites designated device paths with 256 kilobyte buffers,
making systems unbootable after a reboot.
AcidPour's destructive methods are similar to AcidRain and VPNFilter,
but focus on data destruction rather than data exfiltration or code injection.
A security flaw in the latest version of WhatsApp for Windows
allows execution of Python and PHP attachments without warning when opened,
Bleeping Computer reports.
This primarily affects users with Python already installed,
like developers and researchers.
The issue is similar to a previous Telegram
vulnerability. Despite blocking several risky file types, WhatsApp does not block Python scripts,
which can be executed directly from the app. Security researcher Saumyajeet Das discovered
this vulnerability and reported it to Meta, but the issue was dismissed as non-applicable.
Das criticized this decision, suggesting that simply adding the relevant file extensions to WhatsApp's block list could prevent exploitation.
WhatsApp advises users not to open files from unknown sources
and has no plans to fix the issue, leaving users vulnerable to potential attacks.
The U.S. government has released the National Standards Strategy for Critical and Emerging Technology Implementation Roadmap, detailing actions to support private sector-led standards
development. The roadmap emphasizes immediate and long-term efforts for standards coordination,
partnering with stakeholders to address challenges in critical and emerging technology standards.
Key areas of focus include enhancing federal-private sector coordination, improving standards policy collaboration with foreign governments, and incentivizing federal engagement in standardization.
The roadmap also highlights the importance of supporting research and development and
education in standards.
Immediate actions involve increasing government pre-standardization R&D, tracking CET standards
education programs, and evaluating technology cooperation agreements.
Long-term goals aim to sustain funding, engage academia,
and enhance communication about standards. The Cyber-Ready Workforce Act, a bipartisan
Senate bill by Senators Jacky Rosen, a Democrat from Nevada, and Marsha Blackburn, a Republican
from Tennessee, aims to address cybersecurity workforce shortages through competitive grants
awarded by the Department of Labor. These grants will support the creation and expansion of
registered apprenticeship programs in cybersecurity, providing technical instruction, workplace
training, and industry-recognized certifications. The apprenticeships will prepare participants for
various cybersecurity careers, such as computer support specialists and security specialists, offering training in CompTIA, Microsoft programs, Certified Network Defender, and Certified Ethical Hacker.
The Department of Labor will oversee registration and assist employers with training costs and connections to education providers.
At least 85% of grant funds must be used for program management,
with 15% for marketing and outreach.
This legislation is part of broader congressional efforts
to fill the estimated half-million cybersecurity job gap,
including initiatives targeting community colleges,
disadvantaged communities, and veterans.
CISA has updated its vulnerability catalog to include three new exploits in ServiceNow
and Acronis Cyber Infrastructure. The ServiceNow vulnerabilities both involve input validation
issues allowing unauthenticated remote code execution with CVSS ratings of 9.3 and 9.2.
These have been patched but were actively exploited, affecting over 105 databases and
exposing 42,000 instances. The third vulnerability affects Acronis Cyber Infrastructure due to insecure default passwords, with a CVSS score of 9.8.
Acronis has also issued patches for this exploit.
Coming up after the break, Ben Yelin joins us to discuss the recent U.S. District Court
judge's dismissal
of charges against SolarWinds. Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster
with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices,
home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk.
In fact, over one-third of new members
discover they've already been breached.
Protect your executives and their families
24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
Joining me once again is Ben Yelin.
He is from the University of Maryland Center for Health and Homeland Security
and also my co-host over on the Caveat podcast.
Ben, welcome back.
Good to be with you, Dave.
I want to touch base with you and get your take on this recent dismissal we saw
from a judge about the SEC charges against SolarWinds.
Unpack what's going on here, Ben.
So the Security and Exchange Commission had filed a lawsuit against SolarWinds for the
infamous cyber incident that took place in late 2020. It was seen as a groundbreaking
legal challenge to hold a large company accountable for such a cybersecurity breach,
and not just the company itself, but high-ranking executives. So this went to a district court in the Southern District of New York,
and the district court has dismissed the vast majority of the case.
The judge in this case, Paul Engelmayer,
claims that the Security and Exchange Commission
does not plausibly plead actionable deficiencies
in the company's reporting of the cybersecurity hack.
They impermissibly rely on
hindsight and speculation.
Okay, so in English, Ben, in English.
Yeah, that is a lot of legalese.
Basically, there are not enough facts in evidence in the initial pleadings in this case
to show that the company violated the law and the regulations as it related to reporting requirements
of the hack. To the extent that there are reporting requirements, there's not enough
evidence that SolarWinds violated those requirements. Basically, the pleading on behalf
of the SEC relies on what the judge calls hindsight and speculation.
Basically, Monday morning quarterbacking, if we're going to put it colloquially.
The one claim that the judge does sustain is related to one of SolarWinds' pre-SUNBURST statements about Orion security.
But it dismissed a bunch of other claims about separate cybersecurity
assertions. So SolarWinds isn't completely out of the woods here, but much of what they were
concerned about, this judge has said, the SEC can't pursue.
Yeah, the vast majority of the suit
and the potential repercussions on behalf
of SolarWinds have been thrown out. There is this remaining claim. A spokesperson for SolarWinds
said that they are pleased that the judge has largely granted their motion to dismiss and that
they will have the opportunity to present their own evidence and demonstrate why this remaining
claim is factually inaccurate. I think the broader lesson here is that our court
system is hesitant to go along with the administration through the SEC's effort to
hold companies and senior executives accountable for these hacks, these cyber incidents.
I think this was part of a broader effort to inspire the industry to take proactive measures with the threat of potential legal action hanging over them.
And what the judge here is saying is we can't sustain one of those claims unless there is clear and convincing evidence of some type of legally actionable decision making on the part of these hiring
executives. And that just doesn't exist in this case. And I think from what analysts have said
is if they can't prove it in this case, at least in the pleading stage, it's going to be much harder
for lower-profile cases where we don't have a body of evidence the way we do in SolarWinds. So I think the industry is very pleased.
They were concerned that the threat of these lawsuits would prevent companies from probing their vulnerabilities. Because by revealing those vulnerabilities, if there is an attack,
then there can be a claim that's proved in court that they had prior knowledge of it,
and they failed to act
and that was negligent in some legally actionable way.
And now that we have this decision here,
I think that abates the concern of these companies
that they're going to be punished for doing their due diligence.
So is part of the idea here that perhaps the SEC
was trying to make an example out of SolarWinds?
Totally. I think they were making an example out of SolarWinds.
It's not a coincidence that this is the most high-profile case.
This is probably the most high-profile hack in the last five years, would you say?
I mean, if we go back further than that,
we can talk about OPM and Equifax and that sort of thing.
But at least in the early 2020s, this is the hack of all hacks.
And the SEC made it a policy, a central organizing principle to pursue executive or aggressive
policies to hold companies accountable for lack of cybersecurity practices. This is the first time
they had ever pursued court action
against the target of a nation-state attack
for claims made to investors about cybersecurity practices.
And for the most part, this challenge fell on its face.
From the perspective of the SEC,
they're going to have to go back to the drawing board
and figure out a way to hold these companies accountable
by getting past the district court gatekeepers
here who are going to be looking for clear and convincing evidence that companies did
not comply with cybersecurity standards.
Now, at the risk of crossing the streams here or perhaps mixing metaphors, does the recent
Supreme Court case with Chevron deference, does that have any impact here of what the SEC could do in the future?
I think it does.
It doesn't have a direct impact on this case.
I think this case was drafted without Chevron in mind and probably before the decision came
out several weeks ago overturning Chevron.
I do think Chevron is implicated in future cases, because as we talked about on the Caveat podcast a couple of weeks ago, the SEC doesn't have statutory authority to take action on cybersecurity-related matters.
It is the Securities and Exchange Commission.
It is about the actions of private companies that potentially mislead their investors. And in a world with Chevron deference, courts would defer to the SEC
as to what they would consider defrauding investors. If the SEC decided that defrauding
investors with some type of cybersecurity incident was within their jurisdiction,
they would defer to the SEC's interpretation. But without Chevron
in place, it'll now be up to courts to determine whether abating cybersecurity risks is within the
statutory authority of the SEC. To me, it's very clearly, if you look at the letter of the law,
it's not in there. So it would have to be a strained judicial interpretation,
looking at legislative history, looking at other things
to make a finding that SEC has the authority
to regulate on cybersecurity matters.
So it's definitely something that's going to come up in future cases.
I think it'll come up in future cases where a company has been fined
or there's been a lawsuit against the company
and they might anticipate that they would lose on the merits.
So they'll bring up a Chevron argument and say,
hey, you can't even regulate us in the first place.
We're in a new post-Loper Bright era
where you've lost the authority to regulate us.
So I think that's definitely something we could see in the future.
All right. Well, Ben Yelin, thanks so much for joining us.
Thank you.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And finally, our signals intelligence desk tells us that hackers may have a sneaky new trick up their sleeves, intercepting electromagnetic radiation from your HDMI cable and decoding what's on your screen with, wait for it, AI.
Imagine a digital spy lurking outside your window, antenna in hand, ready to steal your Netflix binge secrets or online banking information.
But don't panic. This is more like a spy movie plot for most of us.
In the past, analog connections were easier targets for such snooping.
Today's digital HDMI cables leak less readable data.
But still enough for Federico Larocca and his team at
the University of the Republic in Uruguay to develop an AI model that can reconstruct what's
on your screen from a few meters away. Their AI, trained on pairs of original and intercepted
signals, managed to accurately recover about 70% of the text.
While this might sound scary,
it's mainly a concern for high-security environments where even the walls have shields.
So, unless you're guarding national secrets,
rest easy knowing the hackers are probably more interested
in juicier targets than your cat videos.
Still, if you're the paranoid type,
maybe keep that tinfoil hat handy.
And that's The CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver
the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your podcast app.
Please also fill out the survey in the show notes or send an email to CyberWire at N2K.com.
We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector,
from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people.
We make you smarter about your teams while making your teams smarter.
Learn how at N2K.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester
with original music and sound design by Elliot Peltzman.
Our executive producer is Jennifer Iben.
Our executive editor is Brandon Carr.
Simone Petrella is our president.
Peter Kilby is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Thank you. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.