CyberWire Daily - Casting a wider hiring net.

Episode Date: January 12, 2024

The Feds look to cast a wider hiring net. Legislators focus on deepfakes. Cookie stealers bypass MFA on Google accounts. A fast food hiring chat bot got hacked. Medusa casts her gaze toward extortion. Akira ransomware is active in Finland. GitLab patches critical vulnerabilities. Bosch thermostats are vulnerable to some hot firmware. CSAM vendors' crypto sophistication grows. CISA released ICS advisories. On our Solution Spotlight, N2K's Simone Petrella speaks with Kim Jones, Director of Intuit's CyberCRAFT team, about the SEC's heightened focus on cybersecurity. And a little listener feedback, karaoke style.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
On our Solution Spotlight, N2K's Simone Petrella discusses a possible hurdle with Kim Jones, Director of Intuit's CyberCRAFT team. They talk about the SEC's heightened focus on cybersecurity.

Selected Reading
An analysis of cyberattacks against Danish energy infrastructure. Cryptomining campaign targets weak SSH passwords. (CyberWire)
White House moves to ease education requirements for federal cyber contracting jobs (CyberScoop)
State Legislators Tighten A.I. Rules to Combat Deceptive Election Ads (New York Times)
Info-stealers can steal cookies for permanent access to your Google account (Malwarebytes)
Hackers Break into AI Hiring Chatbot, Could Hire and Reject Fast Food Applicants (404 Media)
Medusa Ransomware Turning Your Files into Stone (Unit 42 by Palo Alto Networks)
Akira ransomware attackers are wiping NAS and tape backups (Help Net Security)
Urgent: GitLab Releases Patch for Critical Vulnerabilities - Update ASAP (The Hacker News)
Vulnerability Puts Bosch Smart Thermostats at Risk of Compromise (Infosecurity Magazine)
Child Abusers Are Getting Better at Using Crypto to Cover Their Tracks (WIRED)
CISA Releases Nine Industrial Control Systems Advisories (CISA)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. The feds look to cast a wider hiring net. Legislators focus on deepfakes. Cookie stealers bypass MFA on Google accounts. A fast food hiring chatbot got hacked.
Starting point is 00:02:12 Medusa casts her gaze toward extortion. Akira ransomware is active in Finland. GitLab patches critical vulnerabilities. Bosch thermostats are vulnerable to some hot firmware. CSAM vendors' crypto sophistication grows. CISA releases ICS advisories. On our Solutions Spotlight, N2K's Simone Petrella speaks with Kim Jones, director of Intuit's CyberCraft team, about the SEC's heightened focus on cybersecurity.
Starting point is 00:02:39 And a little listener feedback, karaoke style. It's Friday, January 12th, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Hello and thank you for joining us. We are glad to have you here with us. National Cyber Director Harry Coker is working to change federal cybersecurity hiring practices. In collaboration with the Office of Management and Budget, the plan is to revise educational requirements for some federal cybersecurity contracting jobs, opening these positions to skilled individuals without four-year degrees. These changes are part of the Biden administration's effort to strengthen cybersecurity.
Starting point is 00:03:51 Coker aims to diversify a workforce in which women and people of color have historically been underrepresented. The federal government will conduct hiring sprints later this year. These will involve recruitment events in previously overlooked areas, including community colleges. This is all part of the Biden administration's strategy to bolster the cybersecurity workforce, enhance education and skills, expand the workforce, and increase federal cybersecurity employees. Over half a million cybersecurity positions are vacant and urgently need filling. Staying with policy news, the New York Times reports on a recent state legislators' conference where a panel demonstrated the rapid advancement of AI-generated deepfakes. Initially, legislators chuckled at a primitive deepfake of former Presidents Trump and Obama playing basketball.
Starting point is 00:04:40 However, a more realistic video created a year later caused alarm. This spurred state lawmakers to consider regulating false or misleading political ads made by AI, especially with the 2024 primary elections approaching. The Times' story from the National Conference of State Legislatures emphasized the need for regulatory guardrails. Cautionary tales from overseas, like Slovakia's election influenced by deepfake recordings, highlight the urgency. In the U.S., the campaign of Governor Ron DeSantis of Florida released fake AI images involving President Trump and Dr. Fauci. As of early 2023, only California and Texas had laws regulating AI in campaign advertising. Since then, Washington, Minnesota, and Michigan have passed similar laws with
Starting point is 00:05:33 bipartisan support, mandating disclaimers for AI-made ads. Kentucky's proposed bill is notable, making first-time violations a felony with up to five years in prison. By January, 11 more states introduced similar legislation. These bills focus on disclosure requirements for misleading AI ads, particularly during critical pre-election periods. In Congress, Senators Amy Klobuchar and Josh Hawley lead AI bill initiatives. State Representative Julie Althoff's bill requires disclaimers for AI-altered media. The broader legislative effort aims to combat the challenge of rebutting convincing fake videos or recordings, addressing First Amendment concerns by focusing on disclosure rather than outright bans. Turning to threats and vulnerabilities,
Starting point is 00:06:26 researchers at Malwarebytes report on a method to gain unauthorized access to Google accounts, circumventing multi-factor authentication. Hackers achieve this by stealing and extending the lifespan of authentication cookies, which remain effective even if the account password is changed. Since this exploit's discovery, both white and black hat security researchers have examined it, leading to its incorporation into various information-stealing malware. This exploit abuses a Google API meant for syncing accounts across Google services to reactivate expired authentication cookies.
Starting point is 00:07:11 According to Bleeping Computer, Google considers the API to function as intended and doesn't view this as a vulnerability, suggesting no permanent fix is forthcoming. To check for unauthorized access, users can review recent device logins in their Google account settings. If compromised, signing out of all browsers and resetting the password is recommended to invalidate old session tokens. Administrators managing Google Workspace or Cloud Identity can reset sign-in cookies in the Google Admin Console. Hackers infiltrated the backend of Chatter, an AI chatbot used by fast food franchises for automating hiring, 404 Media reports. The breach was discovered by a group of researchers who utilized a script to scan for exposed Firebase credentials, focusing on companies using the .ai top-level domain.
Starting point is 00:08:02 The script identified a Firebase configuration for fast food chain KFC. Using FirePwn, a GitHub tool for testing Firebase app security, the researchers gained read and write access to Chatter's database after creating a new user account. This access revealed sensitive data, including names, phone numbers, email addresses, branch locations, messages, work shifts, and some passwords. The data pertained to franchisee managers, job applicants, and Chatter employees. The breach extended beyond KFC, allowing access to an administrator dashboard with oversight over multiple organizations using Chatter. This granted the ability to accept or reject job applicants and manage financial transactions.
Starting point is 00:08:49 The researchers have reported the vulnerability to Chatter, which markets itself as a comprehensive AI-powered hiring tool for the hourly workforce, handling tasks like application review, interview scheduling, and background checks. Palo Alto Networks' Unit 42 threat intelligence analysts report an increase in Medusa ransomware attacks, with a notable shift toward extortion tactics. In early 2023, the Medusa Group launched a dedicated leak site, the Medusa Blog, to publish sensitive data from victims who refuse to pay ransoms.
Starting point is 00:09:26 This multi-extortion approach offers victims various paid options on their leak site, including time extensions, data deletion, or downloading the compromised data, with costs varying based on the affected organization. David Moulton is host of the Threat Vector podcast from Unit 42, and in their most recent episode, David spoke with Doel Santos on this very issue. I would put it in two particular points. One, it has been operating pretty much on the low side of things for a year now, which has benefited a lot because they're not in the eye of law enforcement.
Starting point is 00:10:03 They're not in the eyes of many cybersecurity researchers. And then in 2023, once they felt comfortable with the structure of their ransomware service, they would start to impact different organizations, start to function on the weak side, and they have no particular code of conduct, right? Everything is a target, everything can be compromised by these particular individuals in a way for them to make profit. Medusa threat actors also use a public Telegram channel named Information Support to share files from compromised organizations. This method provides broader access than traditional onion sites. The Unit 42 Incident Response Team's
Starting point is 00:10:43 involvement in a Medusa ransomware incident has revealed additional tactics, tools, and procedures employed by these threat actors. The Finnish National Cybersecurity Center, NCSC-FI, reported increased activity of Akira ransomware in Finland, especially towards the end of 2023. Twelve attacks were reported in 2023, with three occurring during the Christmas holidays. In December, six out of seven ransomware cases in Finland involved Akira. Attackers targeted organizations with vulnerable Cisco ASA or FTD devices, either using leaked credentials or brute force attacks exploiting a specific Cisco firewall vulnerability. Victims typically lacked multi-factor authentication, allowing attackers to enter networks, delete backups, and encrypt servers. The report notes that attackers meticulously
Starting point is 00:11:39 destroyed backups, including network-attached storage servers and automatic tape backup devices, resulting in almost complete loss of backups. To counter these threats, NCSC-FI recommends implementing MFA, updating Cisco devices, creating offline backups at different physical locations, and adhering to the 3-2-1 backup rule. Three backups in two different places with one copy entirely off the network. GitLab has issued security updates to address two critical vulnerabilities, including a severe flaw with a CVSS score of 10. This vulnerability could enable account takeovers
Starting point is 00:12:21 by sending password reset emails to an unverified email address due to a bug in the email verification process. It affects self-managed instances of GitLab Community Edition and Enterprise Edition. The issue affects all authentication methods. Users with two-factor authentication are vulnerable to password reset but not full account takeover. Another critical vulnerability patched in the update allows abuse of Slack or Mattermost integrations to execute slash commands as another user. GitLab recommends upgrading to a patched version and enabling 2FA, especially for users with elevated privileges, to mitigate potential threats.
Starting point is 00:13:10 A vulnerability in Bosch smart thermostats has been identified by Bitdefender. The issue is rated as high severity and allows attackers to send commands to the thermostat and replace its firmware. The flaw is in the unit's Wi-Fi microcontroller, which acts as a network gateway for the thermostat's logic microcontroller. The vulnerability enables malicious commands to be sent to the thermostat, indistinguishable from legitimate cloud server commands. Journalist Andy Greenberg writes in Wired that cryptocurrency tracing firm Chainalysis has reported an increase in sophistication among online child sex abuse
Starting point is 00:13:46 materials vendors using cryptocurrencies. The Chainalysis annual crime report reveals that while total revenue and the number of new CSAM sellers accepting cryptocurrency have declined since 2021, the use of advanced privacy tools by these vendors has risen. Approximately 46% of CSAM sellers utilized cryptocurrency mixers in 2023, up from 22% in 2020, to obfuscate transaction trails. CSAM vendors are also increasingly using instant exchanger services to trade Bitcoin for privacy coins like Monero and Zcash, which make tracing more difficult. This shift to more sophisticated methods has resulted in
Starting point is 00:14:32 CSAM vendors operating online for longer periods. On average, active CSAM vendors in 2023 remained online for 884 days, significantly longer than in previous years. Chainalysis' study correlates the use of Monero-friendly instant exchangers with the increased survival rates of CSAM vendors. Despite these developments, the overall scale of CSAM transactions for cryptocurrency seems to be decreasing, potentially due to increased awareness of traceability in cryptocurrency. The report suggests that while more cautious CSAM sellers are emerging, advances in blockchain analysis could still pose a significant threat to their operations. CISA yesterday released nine industrial control systems advisories covering equipment from Rapid Software, Horner Automation, Schneider Electric, and Siemens.
Starting point is 00:15:29 As usual, update them if you got them. Coming up after the break, on our Solutions Spotlight, N2K's Simone Petrella speaks with Kim Jones, Director of Intuit's CyberCraft team, about the SEC's heightened focus on cybersecurity. Stay with us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security,
Starting point is 00:16:19 but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families
Starting point is 00:17:22 at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. Our own N2K president, Simone Petrella, recently spoke with Kim Jones, director of Intuit's CyberCraft team. Here's their conversation. Normally, we spend a lot of time on this segment talking about solutions
Starting point is 00:18:12 to the cyber people problem, which you focus a lot on. But today, we're going to spend a little bit of time talking about a possible hurdle. So we're doing the anti-solution spotlight, at least for publicly traded companies, and that's the SEC's heightened focus on cybersecurity. So for background, for anyone listening, on October 30th, the United States Securities and Exchange Commission, the SEC, announced it filed charges against SolarWinds and its CISO for defrauding investors and customers through misstatements and omissions that concealed poor cybersecurity practices and failed to disclose its increasing cybersecurity risks. These charges from October seem to indicate that the SEC is poised not only to enforce the new disclosure requirements, but also kind of look to other possible violations that stem from inadequate cybersecurity practices. So there's a key theme that I would like to talk about today around the SEC,
Starting point is 00:19:08 but also the theme of the complaint, which is around management's awareness of ongoing cybersecurity issues, the failures of those cybersecurity practices over the years, and the fact that it didn't disclose them. So that's the backdrop. Kim, let's get right to the good stuff here. As a former CISO, what's your hot take on these recent charges? So first, the general disclaimer to make all the lawyers in my life happy. The opinions you're about to hear and I'm about to express are my own.
Starting point is 00:19:40 They do not reflect Intuit's opinions or opinions of any of our customers. I am not a lawyer. I do not play one on TV. I am an old security guy, so I'm comfortable giving my opinion. Take it for what it's worth. All disclaimers done. All right. Disclaimers aside.
Starting point is 00:19:56 Got it. Let's go. So my focus here, you talked about the complaint against the SEC, and you talked about the complaint against the CISO. Let me start with the latter and then move to the former very briefly. As a layman, the complaint against the CISO centers around the concept of fraud and centers around your say-do, what you said and what you did, you know, differed in terms of internal versus external, et cetera. I'm an old intelligence guy. I'm a West Point grad, as you know. I spent 10 years in Army intelligence.
Starting point is 00:20:35 And I was raised with the saying that my job was to always very, very directly, very, very openly tell the truth on the ground. Now, yes, that truth on the ground is based upon my educated opinion. What the commanders who actually move the troops do with that is their call. And I took that mentality into my time as a CISO and into my time as a security professional. I have often said that I only fail in my job as a CISO, not if I get breached, but if leadership can credibly make the statement they didn't know. And note that I caveated that with credibly. So my job is more than one occasion to be the
Starting point is 00:21:22 bearer of bad news. More than once in my career, I have been pressured to change my opinion. I have been threatened with my job to change my opinion, which meant more than once in my career, I have calmly set my badge down on the desk and asked for an escort out of the building, at which case, by the way, in all cases, management backed off and we had a good conversation. We got through it. If, big if, the allegations against the CISO are proven to be valid,
Starting point is 00:21:57 it would appear that that level of solid line in the sand or in the concrete was not maintained. And again, big ifs here. I don't know the case. I am not a lawyer. All those pieces in there. But if those allegations prove to be correct, this was a case of you draw the line in the sand, you communicate up, and you don't move.
Starting point is 00:22:29 I think collectively, and this is the old guy in me, that as the profession has evolved, we have forgotten or may have put on the back burner the need for us and the importance for us to do that. So that's the CISO end. But it sounds like kind of what you're kind of saying here is that you can very realistically see an environment where someone in a position at a public company like SolarWinds is, even if they're coming to the table saying the bad news or kind of trying to be transparent, there's a lot of pressure, whether it's overt or maybe a little bit more subversive, even if it's not intentional, to essentially be like, you know what? I will back off. I'm not going to sort of like keep this hard line in the sand. And the problem that I have here is that we're, as a profession, we act as if that's new. Doing this a long time.
Starting point is 00:23:18 That's the gig. That has always been the gig. It will always be the gig. Now, it doesn't mean I'm going to take my sledgehammer and beat the company up in public domains. It's like the old Watergate saying, Simone, you're in the D.C. area. It wasn't the crime. It was the cover-up. Where you have problems is if I'm deliberately not looking because I don't want to see what's out there or I'm hiding what's going on.
Starting point is 00:23:45 It's like, look, this is a case where here's what the requirement is. Or if I disagree with your interpretation of the requirement and my interpretation of the requirement, we got lawyers on both sides. Figure it out. Tell me what my opinion is and I'll go that way. I don't have a problem with that. And no CISO should. Yeah. Well, I think we've thrown a gauntlet here. I mean, I was going to ask you next, what are some of the ways that you would recommend CISOs at public companies evaluate and report on their cyber practices, you know, for not only the overall security of the company, but their filings? I think you gave us a couple starting points here, right? Whether it's FAIR or some other more data-driven process. Are there any other recommendations that you could discreetly say if maybe someone's not at a point where they are mature enough in an organization to use something like FAIR? Like, what are some things that they could do to evaluate and report on their cybersecurity practices and overall position, especially when it comes to public companies
Starting point is 00:24:45 who have to file? I am a huge, huge, huge, huge fan of the NIST cybersecurity framework. For those of you in the States, go to NIST.gov, Google it, you'll find it. If outside of the States, one of the reasons I'm a huge fan of it is because they're fairly comprehensive, they're well-structured, and oh, by the way, they're free, so you don't have to pay for the models. The CSF is truly the first, in my knowledge, risk-focused framework out there. Even better, if you get into the framework, it tells you guys, if you're a small mom and pop startup or just 10 or 15 people, please, God, don't try and implement everything in the framework. Pick the ones that make the most sense for you, start there, and then grow. I love the CSF as a framework to do that, and it's simple. So I'd start there. Yeah, no, that's great. And I think,
Starting point is 00:25:45 you know, Kim, first of all, thank you so much for joining and having this conversation. I think it's going to be really enlightening for a lot of folks that are watching and listening. I think it's actually a great place to stop and let people really think on that from a conversation. Kim, thank you again for joining us this morning and appreciate all of your opinions and thoughts, even if they are your own and not to represent a company or an organization. Really enjoyed the conversation. I really did as well.
Starting point is 00:26:13 Always great to talk with you, Simone. Thank you for having me. That's our own Simone Petrella speaking with Intuit's Kim Jones. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker,
Starting point is 00:26:50 a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And finally, a message to our most recent reviewer on Apple Podcasts. Thank you for the excellent feedback, Lola. We love to hear from our fans and audience. To address your specific concerns. She walked up to me and she asked me to dance.
Starting point is 00:27:38 I asked her her name and in an AI voice she said, Robot. R-O-B-O-T, Robot. R-O-B-O-T, Robot. R-O-R-O-R-O-B-O-T. If you have feedback about the show and want a call-out on air just like Lola, you can always email us at cyberwire at n2k.com or submit a review in your favorite podcast app.
Starting point is 00:28:12 And as always, thanks for being a part of our community. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Ryan Westman, Senior Manager of Threat Intelligence with eSentire's Threat Response Unit. We're discussing their research, Two Russian-speaking cyber gangs attack employees from 23 different companies. That's Research Saturday. Check it out.
Starting point is 00:28:48 We're privileged that N2K and podcasts like The Cyber Wire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. Thank you. Produced by Liz Stokes. Our mixer is Trey Hester with original music by Elliot Peltzman. Our executive producers are Jennifer Iben and Brandon Karp. Our executive editor
Starting point is 00:29:30 is Peter Kilby and I'm Dave Bittner. Next Monday, we will not be publishing in honor of the Martin Luther King Jr. holiday. We'll see you back here on Tuesday. Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
Starting point is 00:30:06 That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
