CyberWire Daily - CISA issues urgent warning.
Episode Date: November 8, 2024

CISA issues a warning about a critical security flaw in Palo Alto Networks’ Expedition tool. A federal agency urges employees to limit phone use in response to Chinese hacking. Law enforcement is perplexed by spontaneously rebooting iPhones. A key supplier for oilfields suffers a ransomware attack. Hewlett Packard Enterprise (HPE) patches multiple vulnerabilities in its Aruba Networking access points. Cybercriminals use game-related apps to distribute Winos4.0. Germany proposes legislation protecting security researchers. The TSA proposes new cybersecurity regulations for critical transportation infrastructure. Our guest is Aaron Griffin, Chief Architect from Sevco Security, sharing the discovery of a significant Apple iOS bug involving iPhone Mirroring. AI tries to wing it in a Reddit group, but moderators put a fork in it.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Our guest is Aaron Griffin, Chief Architect from Sevco Security, sharing the discovery of a significant Apple iOS 18 and macOS Sequoia privacy bug that exposes employee personal iPhone apps and data to companies through iPhone Mirroring. Read Sevco’s blog on the topic.

Selected Reading
CISA warns of Critical Palo Alto Networks Vulnerability Exploited in Attacks (GB Hackers)
U.S. Agency Warns Employees About Phone Use Amid Ongoing China Hack (Wall Street Journal)
Host of House panels getting briefed on major Chinese hacker telecom breaches (CyberScoop)
Police Freak Out at iPhones Mysteriously Rebooting Themselves, Locking Cops Out (404 Media)
Texas-based oilfield supplier faces disruptions following ransomware attack (The Record)
HPE Patches Critical Vulnerabilities in Aruba Access Points (SecurityWeek)
Winos4.0 hides in gaming apps to hijack Windows systems (The Register)
Germany drafts law to protect researchers who find security flaws (Bleeping Computer)
TSA proposes new cybersecurity rule for surface transportation, seeks public feedback (Industrial Cyber)
Reddit’s ‘Interesting as Fuck’ Community Rules That AI-Generated Video Is Not Interesting (404 Media)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
CISA issues a warning about a critical security flaw
in Palo Alto Networks' Expedition tool.
A federal agency urges employees to limit phone use in response to Chinese hacking.
Law enforcement is perplexed by spontaneously rebooting iPhones.
A key supplier for oil fields suffers a ransomware attack.
Hewlett Packard Enterprise patches multiple vulnerabilities in its Aruba networking access points.
Cybercriminals use game-related apps to distribute Winos4.0.
Germany proposes legislation protecting security researchers.
The TSA proposes new cybersecurity regulations for critical transportation infrastructure.
Our guest is Aaron Griffin, chief architect from Sevco Security,
sharing the discovery of a significant Apple iOS bug involving iPhone mirroring.
And AI tries to wing it in a Reddit group, but moderators put a fork in it.
It's Friday, November 8th, 2024.
I'm Dave Bittner, and it's always great to have you with us.
The U.S. Cybersecurity and Infrastructure Security Agency has issued a warning about a critical security flaw in Palo Alto Networks' Expedition tool, used for firewall migration and configuration.
The flaw, classified as a missing authentication vulnerability, enables attackers with network
access to potentially hijack the Expedition admin account. This could grant cybercriminals access
to sensitive configuration data, including credentials and highly privileged information.
CISA stresses that the vulnerability poses a significant risk due to the level of access
it grants, although there is no confirmation yet of active exploitation. Organizations using the
Expedition tool are urged to apply Palo Alto's recommended mitigations. If these aren't feasible,
CISA advises discontinuing the tool's use to prevent potential compromise.
The deadline for federal agencies addressing this vulnerability is November 28th,
as CISA emphasizes immediate action to mitigate any potential threat.
Following the recent hack of U.S. telecommunications infrastructure by suspected Chinese operatives,
the Consumer Financial Protection Bureau issued a directive urging employees to avoid using mobile phones for work-related matters.
According to the Wall Street Journal, an email sent Thursday from the CFPB's chief information officer advised that sensitive internal and external meetings
should be conducted only on secure platforms like Microsoft Teams or Cisco WebEx, not via phone calls
or texts on either work-issued or personal devices. While there's no evidence the CFPB
was specifically targeted, the guidance aims to reduce potential risk. This directive reflects heightened concerns
among U.S. officials about the hack's severity, which has reportedly impacted major telecommunications
firms. The Cybersecurity and Infrastructure
Security Agency has yet to comment on the incident. U.S. executive branch agencies briefed several House committees on Thursday
about the hack by a Chinese-linked group known as Salt Typhoon
that targeted major telecommunications companies
and allegedly accessed the phones of Donald Trump's top campaign members
and high-ranking U.S. officials.
The House Energy and Commerce, Homeland Security, Intelligence, Judiciary,
and Appropriations subcommittees received updates from the FBI, CISA, and other security agencies.
The Senate will receive a similar briefing next week, with the Senate Intelligence Committee
already being updated regularly. The breach, reportedly impacting numerous individuals, has drawn increased
congressional concern. Telecommunications companies like Lumen have responded,
though AT&T and Verizon redirected questions to the FBI. Federal agencies are investigating the
incident, and the Cyber Safety Review Board plans its own inquiry. Policy discussions now focus on whether Salt Typhoon exploited telecom carriers' compliance
with the Communications Assistance for Law Enforcement Act to gain unauthorized access.
Law enforcement has reported an unusual issue where iPhones,
securely stored for forensic examination, are rebooting unexpectedly,
making them significantly harder to unlock. According to a document obtained by 404 Media,
these reboots may be due to a potentially new security feature in iOS 18, which could cause
iPhones disconnected from cellular networks to reboot after a certain time.
When these devices reboot, they shift from an after-first-unlock state,
which is easier to access, to a before-first-unlock state,
which current forensic tools struggle to bypass.
Some officials speculate that iOS 18 devices communicate with each other in secure settings,
triggering reboots among nearby devices.
Experts, however, remain skeptical about this hypothesis.
The document advises forensic labs to isolate iOS devices and monitor any reboots closely
to avoid losing valuable data access.
This situation highlights the ongoing security tensions between law enforcement and phone manufacturers.
New Park Resources, a key supplier for oil fields, reported a ransomware attack on October 29,
causing disruptions and limiting access to some internal systems. Despite this, New Park's manufacturing
and field operations continue under established downtime procedures. In a regulatory filing,
the company stated that financial reporting systems were impacted, but that the attack is
not expected to materially affect its financial health. No group has yet claimed responsibility.
Hewlett Packard Enterprise, HPE,
a major tech company specializing in enterprise hardware and software, announced patches this week for multiple vulnerabilities in its Aruba networking access points, widely used in business
networks. Among the vulnerabilities are two critical command injection flaws, which could
allow remote unauthenticated attackers to execute code as privileged users by sending a specially
crafted packet to UDP port 8211. HPE advised that enabling cluster security and blocking access can
mitigate risks. Additionally, three high-severity remote code execution vulnerabilities
could allow authenticated attackers to compromise system files and execute commands.
Patches were released through Aruba's bug bounty program
with no evidence of active exploitation.
Cybercriminals are using game-related apps to distribute WinOS 4.0, a malware framework that grants full control over infected Windows systems.
Rebuilt from the GhostRat malware, WinOS 4.0 was detected in various gaming tools and optimization utilities, which lure users into downloading the infection.
Similar to Cobalt Strike, the malware enables cyber espionage, ransomware deployment, and lateral movement.
Once executed, the malware downloads a fake BMP file from a malicious server, beginning a multi-stage infection.
The first DLL file establishes persistence and injects shellcode,
while the second stage connects to a command and control server.
Subsequent stages gather system details, check for antivirus software, and capture sensitive information, including crypto wallet data and screenshots.
This final stage sets up a persistent backdoor, allowing the attacker long-term access.
Fortinet warns users to download apps only from trusted sources to mitigate risk.
Germany's Federal Ministry of Justice has proposed a law to legally protect security researchers who responsibly report vulnerabilities.
The draft law, aimed at fostering IT security,
exempts researchers from criminal liability
when they act within defined parameters to identify and report security risks to responsible
entities like system operators or the Federal Office for Information Security.
This protection requires that the researchers limit system access strictly to what's necessary
for vulnerability detection.
The proposed amendment also imposes stricter penalties, with sentences from three months to five years for malicious
data spying and interception, especially when targeting critical infrastructure or involving
substantial financial damage, profit motives, or organized crime. The bill's details are under review by German states and relevant
associations until December 13th, after which it will be presented to the Bundestag. This follows
similar steps by the U.S. Department of Justice in 2022 to protect good-faith security research.
The Transportation Security Administration, the TSA, has proposed new cybersecurity regulations for critical transportation infrastructure, finalizing and expanding emergency directives issued after the Colonial Pipeline ransomware attack in 2021.
cybersecurity policies of the Biden administration targets nearly 300 entities in freight rail,
passenger rail, rail transit, and pipeline sectors, requiring them to adopt mandatory cyber risk management programs, operational plans, and regular audits. Covered entities
must also report incidents to the Cybersecurity and Infrastructure Security Agency and comply with CISA's secure-by-design
and secure-by-default standards. The proposed rule extends requirements to large hazardous
liquid and carbon dioxide pipelines, critical suppliers to the Pentagon, and over-the-road
bus operators. The TSA seeks public and industry feedback by February 5th of 2025, aiming to
build a more permanent cybersecurity framework for transportation and align it across sectors
like aviation and pipeline infrastructure. Coming up after the break, my conversation with Aaron Griffin from Sevco Security.
We're discussing a significant Apple iOS bug involving iPhone mirroring.
Stay with us.
Do you know the status of your compliance controls right now? Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting. Thank you. That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their
families at home. Black Cloak's award-winning digital executive protection platform secures
their personal devices, home networks, and connected lives. Because when executives are
compromised at home, your company is at risk. In fact, over one-third of new members discover
they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Aaron Griffin is chief architect at Sevco Security. I recently caught up with him to discuss their discovery of a significant Apple iOS bug involving iPhone mirroring.
What we found is that in the new iOS mirroring feature that they launched as part of iOS 18 and macOS Sequoia,
that it appears that there's a data leak for application inventory from your phone
due to a technical detail,
I think, of the way that those applications
get replicated to your Mac
to do things like notifications,
little bits of the feature that they drive.
It inadvertently augmented your Mac's software inventory with every application that
exists on your iOS device when the feature is enabled. So for folks who may not be familiar
with it, what exactly is iPhone mirroring? Yeah, so that's actually one of the cooler
features of the new version of iOS, that you can essentially mirror everything that you're doing on your phone to your Mac.
So if you're on the go, you're going to send a text, you've got a browser tab open,
something like that. You come back to your computer and sit down, you can open up this
iOS mirroring feature and continue your work from your computer. In some ways, it gives somewhat ironically extra privacy because maybe you can send text messages over iMessage in a way that doesn't get replicated to your MacBook rather than using iMessage on the Mac side.
I see. So what is under the hood here that you all suspect has gone wrong?
Yeah, so our suspicion is that in order to drive the notification flow that they have on the Mac, they're creating a stub inventory of all of the
applications. And what I mean by stub inventory is a bunch of files that look like apps. They
register themselves with the Mac's indexing service as applications, which is why they get picked up.
But if you crack them open, they actually don't contain any form of executable code at all. It's
really just icon sets and metadata. And so that's what does it. That's what ends up with augmented
inventory. So help me understand what the potential problem here is. How could personal information be exposed, for example?
Yeah, so from an employee perspective,
I think the risk would be that you have an app
that you don't necessarily want to disclose to your employer
that you have installed
because it doesn't really affect their security posture at all.
Example might be that you live somewhere where VPNs are prohibited
and you have that installed,
or a dating app that reveals a sexual orientation, something that reveals a health condition.
All of those being present in your corporate software inventory could be a pretty significant breach of your privacy.
I see. So it's that inventory of apps that are existing on your phone that gets revealed on the Mac that is the problem here.
Yeah, that's exactly right.
It'll appear to your employer in their EDR console or whatever is doing this collection as though you have the Apple Watch app installed on your MacBook or anything else that you have installed.
They'll be associated in that way.
I see.
So you all have alerted Apple
and they've been responsive here? Yeah, that's exactly right. We reached out to them same day
and they were great about it. They treated it with urgency and let us know that there was going to be
a fix issued fall of this year. And actually that was the patch that Apple pushed out,
I think it was Monday, earlier this week. And we've confirmed that the issue,
while parts of it are still present,
the real dangers of it have been mitigated.
They've updated the stub inventory on the Macs
with a flag that stops them from being indexed.
So while an EDR or a tool like that
may be able to find that data if it went looking,
it should stop incidental collection.
I see.
So what are your recommendations then?
Is it as simple as just making sure that you're up to date with the latest patches?
Yeah, that's for sure the first step.
Making sure that you're up to date with the last patches.
For the employer side, you should go through the inventory
and make sure that you haven't incidentally collected
any of this data that you don't want.
Make sure that it gets cleaned out.
That's a liability that you probably don't want to have.
And it's a good opportunity to have a conversation
with your users about the privacy boundary
that exists between work devices and personal devices.
This particular privacy breach only happens if you're signed in on your personal iCloud
to a work computer.
It's common for there to be policies that don't really spell that out.
And users will log in with their iCloud account to get all these cool features.
Maybe they want to use Apple Music or the podcast.
They want messages to sync, anything like that.
It's a good opportunity to talk with them about the risks that that potentially can convey when they
intermingle them that way. Our thanks to Aaron Griffin, Chief Architect from Sevco Security,
for joining us. Thank you. And we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And finally, friends, buckle up. We're about to dive into a tale that's as interesting as Fork.
Let's keep it family-friendly by saying Fork whenever we mean that other word.
Reddit's legendary community, interesting as Fork, just faced an AI invasion, and boy were
they having none of it. Last Friday, a post titled Mother's Love is Universal, showing a heartwarming scene
of a parrot sheltering chicks from the rain. Aw, right? Well, not so forking fast. Redditors with
eagle eyes, or should we say parrot eyes, quickly spotted telltale glitches, dodgy lighting,
shadow errors, and the classic signs of AI trickery.
The post raked in 12,000 upvotes before moderators yanked it, declaring,
Fork no! This doesn't even meet our species standards. With 13 million members,
interesting as fork is one of Reddit's biggest and oldest subreddits, and the moderators take interesting very seriously.
One mod noted that AI-generated content not only misleads viewers,
but can undermine genuine, curiosity-sparking content.
The AI parrot?
Well, it wasn't tagged as AI, it wasn't a real bird behavior,
and not even the species the title claimed.
Here's the real kicker. Reddit's
loose policy on AI content lets communities decide their own rules. Some subs embrace the bots,
others boot them to the curb. Interesting as fork keeps the standards high, while other sites online
like, oh, I don't know, Facebook are awash in AI spam. So what are the stakes?
As AI becomes more realistic, the line between real and fake gets blurrier. So the next time
you see a parrot doing people-level parenting, maybe pause and think, is this real or just
interesting as fork.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
A quick program note,
we are not publishing Saturday through Monday in observance of the Veterans Day holiday.
We'll have a special edition for you on Sunday
and Rick Howard's Veterans Day episode
of CSO Perspectives for All
on Monday in your CyberWire daily feed.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights
that keep you a step ahead
in the rapidly changing world of cybersecurity.
If you like our show,
please share a rating and review
in your
favorite podcast app. Please also fill out the survey in the show notes or send an email to
cyberwire at n2k.com. We're privileged that N2K Cyber Wire is part of the daily routine of the
most influential leaders and operators in the public and private sector, from the Fortune 500
to many of the world's preeminent intelligence and law enforcement
agencies. N2K makes it easy for companies to optimize your biggest investment, your people.
We make you smarter about your teams while making your teams smarter. Learn how at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music and
sound design by Elliot Peltzman. Our executive producer is Jennifer Iben.
Our executive editor is Brandon Karp.
Simone Petrella is our president.
Peter Kilby is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here next week. Thank you.