CyberWire Daily - Canada cuts TikTok ties.
Episode Date: November 7, 2024Canada orders ByteDance to shut down local operations. Cisco releases urgent patches for multiple vulnerabilities. SteelFox malware delivers a crypto-miner and info-stealer. North Korean campaigns pur...sue fake jobs and remote workers. A suspected cyber intrusion disrupts Washington state court systems. Over 200,000 customers of SelectBlinds have their credit card info stolen. Cyber experts encourage congress to pursue bipartisan readiness studies despite DoD pushback. On our Industry Voices segment, we welcome guest Jeremy Huval, Chief Innovation Officer at HITRUST®, discussing the AI explosion and the need to consider the risks before implementation. Curiosity killed the cat lover’s computer. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest On our Industry Voices segment, we welcome guest Jeremy Huval, Chief Innovation Officer at HITRUST®, discussing the AI explosion and the need to consider the risks before implementation. Learn more about how robust your AI risk management program is here. Selected Reading Canada Orders Shutdown of Local TikTok Branch Over Security Concerns (Infosecurity Magazine) Cisco Patches Critical Vulnerability in Industrial Networking Solution (SecurityWeek) Cisco Desk Phone Series Vulnerability Lets Remote Attacker Access Sensitive Information (GB Hackers) ‘SteelFox’ Miner and Information Stealer Bundle Emerges (SecurityWeek) North Korean Hackers Employing New Tactic To Acquire Remote Jobs (Cyber Security News) Outages impact Washington state courts after ‘unauthorized activity’ detected on network (The Record) SelectBlinds says 200,000 customers impacted after hackers embed malware on site (The Record) Congress must demand a study of America’s cyber forces (CyberScoop) Cybercrooks target Bengal cat lovers in Australia (The Register) Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
private by signing up for Delete Me. Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Canada orders ByteDance to shut down local operations.
Cisco releases urgent patches for multiple vulnerabilities.
Steel Fox malware delivers a crypto miner and info stealer.
North Korean campaigns pursue fake jobs and remote workers.
A suspected cyber intrusion disrupts Washington's state court systems.
Over 200,000 customers of select blinds
have their credit card information stolen.
Cyber experts encourage Congress
to pursue bipartisan readiness studies
despite DOD pushback.
On our Industry Voices segment,
we welcome guest Jeremy Houval,
Chief Innovation Officer at HITRUST,
discussing the AI explosion
and the need to consider the risks
before implementation.
And curiosity killed the cat lover's computer.
It's Thursday, November 7th, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Thanks for joining us here once again today.
It is great to have you with us, as always.
Canada has ordered ByteDance, the owner of TikTok,
to close its Canadian subsidiary, TikTok Technology Canada,
which will result in shutting down offices in Toronto and Vancouver,
announced on November 6th by François-Philippe Champagne,
Canada's Minister of Innovation, Science and Industry,
the decision follows a national security review
under the Investment Canada Act
aimed at mitigating risks from foreign investments.
The Canadian government cited concerns
over potential security threats
tied to ByteDance's connections with the Chinese government.
Despite the subsidiary's closure, the TikTok app remains accessible in Canada, with the government encouraging users to adopt strong cybersecurity practices.
ByteDance criticized the decision, saying it would impact hundreds of Canadian jobs, and announced plans to challenge the order in court.
This move aligns with similar actions by the U.S. and EU, which have restricted TikTok over national security concerns.
patches for multiple vulnerabilities in its enterprise products,
including a critical flaw in its unified industrial wireless software,
scoring a perfect 10 out of 10 on the CVSS scale.
This vulnerability allows unauthenticated attackers to inject commands with root access via the web-based management interface on affected devices.
Users are advised to update to the latest version to
mitigate the risk. Additionally, Cisco fixed a high-severity bug in the Nexus dashboard fabric
controller, which could be exploited for SQL injection, and another high-severity flaw in
enterprise chat and email that could lead to denial of service.
Cisco addressed nearly two dozen other medium severity issues,
affirming that none of the vulnerabilities have been exploited in the wild.
Cisco has also identified a vulnerability in its desktop phone,
IP phone, and video phone series that could allow remote attackers to access sensitive data like call
records if the web access feature is enabled. This flaw, due to improper handling of sensitive
information in the web UI, can be exploited by browsing the device's IP address. Although web
access is off by default, Cisco has issued patches to secure affected devices and advises users to
apply updates promptly. The malware bundle Steelfox has been impersonating legitimate software like
Foxit, PDF Editor, and AutoCAD to steal user information since 2023. Distributed through
torrents, forums, and blogs, SteelFox delivers both a cryptocurrency
miner and an information-stealing component. It installs via fake cracks of popular software,
requesting administrator privileges during installation to later exploit them for
malicious purposes. SteelFox uses a vulnerable driver to escalate its privileges,
making its processes hard to terminate. The malware collects extensive user data,
including browser history, cookies, location, and system details, packaging it in a JSON file,
and sending it to a command and control server. Kaspersky reports victims worldwide and advises users to download software
only from official sources and use robust security measures to avoid similar threats.
Hackers are increasingly exploiting vulnerabilities among remote workers,
often using tactics like vishing to impersonate IT staff and steal sensitive information.
Recently, Zscaler uncovered two North Korean campaigns,
Contagious Interview and Wage Mole,
aimed at bypassing financial sanctions by securing remote jobs under false identities.
The Contagious Interview campaign lures developers with fake job postings, infecting them with
JavaScript-based malware Beavertail and Python-based Invisible Ferret, which exfiltrates data via
encrypted HTTP protocols.
This malware targets developers on Windows, Linux, and macOS, affecting victims primarily
in India, Pakistan, Kenya, and Nigeria.
Stolen identities from these attacks fuel the Wage Mole campaign, allowing operatives to land
remote jobs in Western firms. These operatives use AI-generated documents, portfolios, and even
voiceover tools to pass interviews, impersonating experienced developers.
Zscaler advises companies to verify employment history, use virtual environments for suspicious
files, and authenticate applicant identities to combat these tactics.
A suspected cyber intrusion has disrupted Washington state court systems this week,
affecting multiple counties, including King, Pierce, and Thurston.
The Washington State Administrative Office of the Courts detected unauthorized activity on its network,
leading to outages in public access to court services.
While Pierce County reports minimal impact, some courts have suspended hearings and experienced issues with electronic filing and fine payment systems.
The Administrative Office of the Courts is working to secure systems and restore service, but has not confirmed whether ransomware is involved.
This incident follows a wave of cyberattacks on various U.S. court systems and other Washington state entities.
Hackers stole credit card and personal data from over 200,000 customers of home decor retailer Select Blinds
by embedding malware on the company's website, allowing them to scrape data entered on the checkout page.
allowing them to scrape data entered on the checkout page.
Discovered in late September, the malware had been active since January capturing usernames, passwords, credit card details, names, addresses, and emails.
Select Blinds has locked user accounts requiring password changes and removed the malware.
The company advised customers to update reused passwords on other sites.
This attack is part of a broader trend where hackers use e-skimmers
to inject malicious code into online checkout pages
to siphon credit card data for sale on dark web markets.
In a time of political division,
bipartisan efforts to strengthen U.S. cybersecurity are at risk.
Recently, the Defense Department opposed a proposal for an independent study on America's cyber force readiness,
even though this bipartisan initiative has backing across both congressional chambers.
In an opinion piece for CyberScoop, cybersecurity experts Colin Ahern, chief cyber
officer of the state of New York, Erica Lonergan, assistant professor at Columbia University's
School of International and Public Affairs, and Mark Montgomery, retired rear admiral and senior
director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies,
emphasize that traditional physical barriers like oceans
don't shield the U.S. in cyberspace,
where adversaries routinely infiltrate critical infrastructure,
deploy malware, and gather sensitive information
from government and private networks.
The proposed legislation seeks to evaluate
whether the U.S. has the cyber personnel,
strategy, and resources necessary
to counter growing digital threats.
It also explores creating a dedicated cyber force,
similar to the Space Force,
focused on recruiting and training cyber specialists.
Given that much cyber expertise
lies within the private sector,
an independent study would explore how a cyber force could enhance collaboration
between military and civilian sectors, federal and local governments,
and public-private partnerships.
Such a force could also support a cyber-specific National Guard and Reserve,
offering flexibility and knowledge-sharing
for high-stakes cyber defense. The authors contend that the Defense Department's resistance
may stem from concerns about uncovering readiness deficiencies, as recruitment and training for
cyber roles remain fragmented across military branches. This bureaucratic divide harms overall readiness, yet institutional
interests often resist substantial change. Congress, they argue, should not bow to Defense
Department pressure, but instead move forward with the study to assess America's force posture
in cyberspace. With threats escalating globally, including Chinese incursions into U.S.
infrastructure, Iranian attacks on water systems, and cyber warfare in Ukraine, the authors stress
that the U.S. cannot afford to delay. An independent, transparent assessment would
offer unbiased insights into the readiness and potential reforms needed to secure the nation
against digital threats.
Coming up after the break, my conversation with Jeremy Huval,
Chief Innovation Officer at HITRUST. We're discussing the AI explosion
and the need to consider the risks before implementation.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security. Do you know the status of your compliance controls right now? Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection
across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already been breached. Protect your executives
and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Jeremy Huval is Chief Innovation Officer at HITRUST. In today's sponsored Industry Voices segment, we discuss the recent explosion in AI and the need to consider the risks before
implementation. My personal perspective is that, from a security perspective, the threat actors,
as well as the organizations adopting AI, are both in a similar spot. I'd say both are working
to understand AI's capabilities, and both are sort of in this kicking the tires phase of AI.
There's a lot of experimentation. There's a lot of prototyping.
Less so are their AI-enabled systems being used for security campaigns.
But I think that's going to change really, really quickly here.
But I think that's going to change really, really quickly here.
Nothing about AI has been slow ever since sort of the explosive adoption of ChatGPT a few years ago. We've seen nothing but really accelerated activity and adoption and research and development and innovation on the AI space.
But my own read is that we're leaving the kicking the tires experimentation phase, and we're about to rapidly find ourselves surrounded by AI tools.
You know, one of the things that we talk about over the past few years, it seems like the cybersecurity professionals have learned that when they communicate with their board, when they communicate with the people who are the powers that be at their company, that it's most effective for them to do that in terms of risk.
And when I think about AI, I think about how much of a black box it is and how complex
it is and how that really makes that message of risk, translating that message of risk
a lot more complicated.
Do you think that's an accurate way to describe it?
It's a good read. Certainly, the lack of explainability of generative AI systems
contributes to the challenge of understanding and managing those risks. It's bigger than that,
though. There's certainly the complexity, and there's certainly the kind of low explainability of its outputs and decisions.
I've been really, really impressed
with sort of the organizations like NIST and ISO
and OWASP and others who have stepped back and said,
look, we've got a chance to think holistically
about the risks that AI adoption is going to bring.
And what they've come up with
is this concept of trustworthy and responsible AI
that is a very big umbrella,
more than what we typically focus on
from a cybersecurity perspective
and certainly larger than the remit
of any single department in an organization.
So under this kind of responsible
and trustworthy AI umbrella,
you start to talk about risks around, you know,
sustainability and the environmental impact
of AI system creation
and training all these great big AI models.
You start to talk about the impact of safety
and humans' well-being being put at risk,
potentially if AI systems aren't governed
and designed correctly.
You think about privacy, you think about reliability and fairness and accountability.
All these other things under this big umbrella of trustworthy and responsible AI
makes you quickly appreciate that this is a bigger problem than just one single department
like cybersecurity within an organization.
Certainly, cybersecurity is an important part of trustworthy and responsible AI,
but it's just that, it's a part.
I know one of the things that you and your colleagues
at HITRUST are advocating for
is this notion of prescriptive controls
when it comes to AI security.
Can you unpack that for us?
What exactly do we mean by that?
Yeah, good question, Dave.
If you think about what right looks like in a controls framework or any kind of set of guidelines or standards, you can sort of put them into two buckets.
One is objective-based or sort of this high-level goals-driven.
So like, hey, as a goal, go manage cybersecurity risk.
like, hey, as a goal, go manage cybersecurity risk. And as a goal, make sure you've got a good secure software development process building up to the delivery of that AI system. Those are high
level. They're important. And it's really critical to state that as objectives, certainly these
things need to be there. But how do you do that? What are the specific actions necessary to have a robust,
secure software development methodology within your organization building up to the release of
that AI system? Do I have to just train my developers? Do I have to have a really locked
down CICD pipeline? What other prescriptive actions are necessary behind that one goal?
And that's really what we mean when we say a prescriptive framework is warranted for AI security
in the sense that there's a lot of really good thinking and direction at a high level about
if you want to secure AI, you should have these goals in mind.
But what we found is an absence of really prescriptive guidance on how to achieve those.
And certainly that'll change over time.
But we've done a lot of work to sort of fill that gap.
Where do we find ourselves in terms of organizations communicating about these threats?
I mean, there's certainly no shortage of talk about AI.
It is the hot thing
right now. But behind the scenes, are folks collaborating? Oh, yeah, absolutely. I read
somewhere that there was something like 400 different AI working groups of some different
flavor just in the U.S. alone in 2024. And so there's a lot of collaboration going on in the public sector, in the private sector, internationally as well.
The problem with AI, in my opinion, is that there's not a shortage of guidance.
You're sort of drowning in guidance.
The UK government, specifically the Alan Turing Institute, maintains a website called AISTandardsHub.org.
And by my last count, it had over 300 AI-specific standards.
And not all of them are security,
and some of them are really industry-specific.
But it's reflective of this current state of,
there's just so much guidance,
you're almost drowning in it.
And for a regular organization
who's just maybe interested in standing up,
maybe at first sort of a generative AI chatbot, but is also exploring other gen AI driven use cases.
It's overwhelming. Really navigating the AI standards landscape isn't their core focus.
And so there's value in having a controls framework or an approach to securing AI or managing risk or understanding governance,
there's value in sort of saying, what are the core things I got to do to secure this AI system
or to update my risk management capability to include AI? What are the core governance aspects
I need to control those controls around AI? In terms of recommendations for folks who are
trying to get a better handle on
this, as you say, it can be overwhelming. What are your words of wisdom for people to
try to break this down into manageable bits? I would say, don't try to start from scratch
if you can help it. It's a mistake to try to say, look, I'm going to grab the latest NIST this or
ISO that or guideline from some industry think tank that I really like and design my entire
program around that. I think that's a mistake because the organization that you're in very
likely has processes for risk management and processes for governance. And as a security team with a great
number of security processes and expectations that should be built on and augmented to address
the specificities of AI instead of a single group within the organization trying to stand up a
complete new program for AI in a silo based on a single piece of guidance. That's tip one. And I think
tip two is embrace continual learning. Because with AI, like I mentioned, there's just so much
change. In the past year or two, we saw the explosive just generative AI period. In 2025,
my read is we're going to see a lot more agentic AI, which are these really capable,
almost autonomous AI-driven agents that can do things on your behalf. And so I've got a whole
team of AI agents that can do this or that for me. We're going to see a lot more of that.
We might see the explosion of small language models, maybe rival the growth of large language
models. But I bring up those examples as just a couple of things
that are going to be different in the AI space next year.
And without someone in the company that can say,
look, I'm committed to trying to be a learner in this space,
you'll find yourself always reactive and trying to fall behind.
The other guidance I think I would certainly recommend
is to look to your existing control framework or your existing
IT assurance mechanisms, whether it's a certification or some assessment or some
internal audit capability that exists in the company, and see what can be offered by way of AI
within that framework or within those practices. HITRUST, like many different controls frameworks right now, is looking inward to say, are we
doing enough to provide assurances and insight and ID gaps associated with AI?
And if you're looking at your control framework particularly and you're not finding it, it's
probably better to move your whole company to a control framework that's got the
AI specificities as opposed to standing up yet another control framework just for AI.
It strikes me that there's this tension, you could describe it as, between this idea that
we have to get on board with AI because the market demands it and there are certainly benefits. But at
the same time, you can understand wanting to sort of sit back and wait and see how things are going
to flesh out, who are going to be the winners, what kind of regulations are we going to see.
It sounds to me like you're really advocating that folks need to be proactive here.
that folks need to be proactive here?
I think so, because as soon as AI is used within a company,
and I say uses really carefully here,
as soon as AI is used within a company,
there's new risks that the company needs to consider.
And guess what?
It's happening now.
Whether those charged with governance of the company have really made it a focus to tackle or not,
it's happening.
Now, those risks are certainly amplified
and there's new risks when a company
does make that big strategic decision
to either prototype AI
and consider rolling it out into production
or really start to even take the deep dive
and start to train their own predictive AI models
and stuff like that.
It's focused organization.
It is sort of a make or break moment.
And it's true, there's always winners and losers. But I think tomorrow's winners are going to be shaped by the organizations who work to embrace this now.
That's Jeremy Haval from HITRUST. Thank you. Locker, the cybersecurity solution trusted by businesses worldwide. Threat Locker is a full
suite of solutions designed to give you total control, stopping unauthorized applications,
securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and
compliant.
And finally, in a curious case of cyber crooks targeting feline fans,
Sophos reports that the Goot Loader malware gang,
typically laser-focused
on high-value targets like banks,
has turned its gaze
toward an unusual group,
Australian fans of Bengal cats.
Yes, you heard that right.
This infamous malware,
known for sneaking into systems via SEO-poisoned search results,
has been spotted targeting folks simply curious about the legality of owning Bengal cats down under.
The story goes like this.
Unsuspecting cat enthusiasts, innocently googling,
are Bengal cats legal in Australia, are met with booby-trapped search
results. Sophos investigators found that clicking the top link led these curious minds straight to
a zip file harboring Gootloader's payload. From there, the malware initiates its devious plan,
dropping a huge JavaScript file and establishing persistence with PowerShell
commands. The endgame? Bringing out the heavy hitters like Cobalt Strike and Ransomware.
As bizarre as it seems, this cat-loving cyber caper reminds us just how far cyber criminals
will go, and how important it is to think twice before downloading anything from that helpful forum post.
It may be the perfect crime.
I mean, talk about catfishing.
We're talking forbidden content, and that's just scratching the surface.
Let's not get hysterical.
I could do this all day, folks.
I could do this all day, folks.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
We're privileged that N2K Cyber Wire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to
optimize your biggest investment, your people. We make you smarter about your teams while making
your teams smarter. Learn how at n2k.com. This episode was produced by Liz Stokes. Our mixer
is Trey Hester, with original music and sound design by Elliot Peltzman.
Our executive producer is Jennifer Iben.
Our executive editor is Brandon Karp.
Simone Petrella is our president.
Peter Kilby is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow. Your business needs Thank you. AI and data into innovative uses that deliver measurable impact. Secure AI agents connect,
prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.