CyberWire Daily - CISA's calls for a JCDC makeover.

Episode Date: June 6, 2024

CSAC recommends key changes to the Joint Cyber Defense Collaborative. Cloud vendor Snowflake says single-factor authentication is to blame in their recent breach. Publishers sue Google over pirated ebooks. The FBI shares LockBit decryption keys. V3B is a phishing-as-a-service campaign targeting banking customers. Commando Cat targets Docker servers to deploy crypto miners. Our guest is Danny Allan, Snyk's CTO, discussing how in the rush to implement GenAI, some companies are bypassing best practices and security policies. Club Penguin fans stumble upon a cache of secrets in the house of mouse.

Our 2024 N2K CyberWire Audience Survey is underway; make your voice heard and get in the running for a $100 Amazon gift card. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Guest is Danny Allan, Snyk's CTO, discussing how in the rush to implement GenAI, companies bypass best practices and security policies. This highlights a clear gap between those in leadership looking to adopt AI tools and the teams who are utilizing them. Learn more in the Snyk Organizational AI Readiness Report.

Selected Reading
CISA advisors urge changes to JCDC's goals, operations, membership criteria (The Record)
CISA says 'patch now' to 7-year-old Oracle WebLogic bug (The Register)
Snowflake says users with single-factor authentication targeted in attack (SC Media)
Advance Auto Parts stolen data for sale after Snowflake attack (Bleeping Computer)
Major Publishers Sue Google Over Ads for Pirated Ebooks (Publishing Perspectives)
FBI unveils 7,000 decryption keys to aid LockBit victims (Silicon Republic)
Hackers Attacking Banking Customers Using Phishing-As-A-Service V3B Toolkit (GB Hackers)
Commando Cat: A Novel Cryptojacking Attack Abusing Docker Remote API Servers (Trend Micro)
Club Penguin fans breached Disney Confluence server, stole 2.5GB of data (Bleeping Computer)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life JoinDeleteMe.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout. That's JoinDeleteMe.com slash N2K, code N2K. CSAC recommends key changes to the Joint Cyber Defense Collaborative. Cloud vendor Snowflake says single-factor authentication is to blame in their recent breach.
Starting point is 00:01:40 Publishers sue Google over pirated e-books. The FBI shares LockBit decryption keys. V3B is a phishing-as-a-service campaign targeting banking customers. Commando Cat targets Docker services to deploy crypto miners. Our guest is Danny Allan, Snyk's chief technology officer, discussing how in the rush to implement generative AI, some companies are bypassing best practices and security policies. And Club Penguin fans stumble upon a cache of secrets in the house of mouse. It's Thursday, June 6, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Starting point is 00:02:29 Thank you for joining us here today. It is great to have you with us. Yesterday, the Cybersecurity and Infrastructure Security Agency convened its second quarter 2024 Cybersecurity Advisory Committee meeting, CSAC, and recommended key changes to the Joint Cyber Defense Collaborative to address member complaints about mismanagement and inefficiency. The JCDC, launched by CISA in 2021, allows private companies to share threat information with the government. The CSAC's recommendations include refining the JCDC's goals, membership criteria, and operations. In February, some JCDC members criticized the initiative for slow responses and insufficient technical expertise. The JCDC includes over 300 organizations,
Starting point is 00:03:34 such as Google, Microsoft, and Amazon. The CSAC met at West Point, New York, and unanimously approved three recommendations. First, focus JCDC activities on operational collaboration and incident response rather than policy. Second, establish clear membership criteria and provide information on membership requirements within 60 days. Members also requested a physical space for collaboration. And last, develop better coordination structures for identifying appropriate partners and responding to active and future threats. CISA Director Jen Easterly
Starting point is 00:04:13 acknowledged the challenges of the JCDC, emphasizing the need for companies to collaborate and share information despite being competitors. She expressed support for the recommendations to optimize the initiative. The JCDC has been praised for its role in addressing crises like the Log4Shell vulnerability and the cybersecurity impacts of Russia's invasion of Ukraine. The changes will be implemented or responded to by Easterly ahead of the next CSAC meeting in December. Unrelated to yesterday's meeting, a seven-year-old Oracle WebLogic server vulnerability has been
Starting point is 00:04:51 added to CISA's Known Exploited Vulnerabilities catalog. This flaw, allowing remote command execution, is now being exploited by Chinese cybercriminal group WaterSigbin for crypto mining. Despite patches released in 2017, the vulnerability remains a significant threat, highlighting the need for timely updates. WaterSigbin's sophisticated obfuscation techniques complicate detection and prevention.
Starting point is 00:05:18 Oracle may release a new patch soon to address the issue. In a follow-up report, cloud vendor Snowflake claims to have been targeted in a campaign exploiting single-factor authentication. They say hackers used stolen credentials from a former employee to access demo account data, including clients like Ticketmaster. Contrary to claims by ShinyHunters of leaking 600 million accounts from Ticketmaster and Santander Bank, Snowflake's investigation found no such breach. The attackers demanded half a million dollars for the data. Security firms CrowdStrike and Mandiant corroborate Snowflake's findings. CISA issued an alert urging vigilance against phishing and recommending two-factor authentication to mitigate such threats.
Starting point is 00:06:08 Threat actors claim to have stolen three terabytes of data from Advance Auto Parts' Snowflake account, including 380 million customer profiles, 140 million orders, and 44 million loyalty card numbers. The data, being sold for $1.5 million, also includes sensitive employee information. Advance Auto Parts operates over 4,700 stores and serves numerous locations across North America and the Caribbean. The breach has not yet been publicly acknowledged by the company. TechCrunch reports that hundreds of Snowflake customer credentials are available for sale online. Four major educational publishers, Elsevier, Cengage Learning, Macmillan Learning, and McGraw-Hill, have filed a lawsuit against Google. The lawsuit accuses Google of promoting pirated e-book versions of textbooks while ignoring infringement notices from the publishers.
Starting point is 00:07:05 The complaint claims Google's actions violate the Copyright Act, the Lanham Act, and New York's general business law, causing significant harm to the publishers. The publishers argue that Google's policies support piracy, adversely affecting students who often end up with stolen credit cards, incomplete materials, and no refunds. The lawsuit highlights Google's failure to remove thousands of infringing ads and its restriction of ads from legitimate sellers. The case could significantly impact how tech companies handle copyright infringement and the $8.3 billion U.S. textbook market. The FBI has announced it possesses over 7,000 decryption keys to aid victims of the LockBit ransomware gang. These keys were obtained during an international law enforcement operation
Starting point is 00:07:56 earlier this year that disrupted LockBit's activities. LockBit, which offers ransomware as a service, has inflicted billions of dollars in damages. Although the gang remains active, its capacity has been significantly reduced. The FBI is urging potential victims to contact its Internet Crime Complaint Center. The operation also exposed LockBit's mastermind, Dmitry Khoroshev, who attempted to negotiate leniency by betraying competitors. The release of these decryption keys is seen as a major victory for law enforcement,
Starting point is 00:08:31 further undermining LockBit's operations. A cybercriminal group is selling and distributing a sophisticated phishing kit called V3B through phishing-as-a-service and self-hosting methods. Launched in March of 2023, the kit targets EU banking customers, stealing login credentials and one-time codes using social engineering tactics. The group has over 1,200 members on Telegram and has caused millions of euros in losses. V3B mimics legitimate banking processes across several EU countries
Starting point is 00:09:07 and supports advanced features like localization, MFA, anti-bot measures, and live chat. Sold for between $130 and $450 per month, it uses obfuscated JavaScript to evade detection. Fraudsters use real-time interaction and QR code manipulation to steal sessions. Researchers at Trend Micro
Starting point is 00:09:40 describe Commando Cat, a campaign that exploits exposed Docker remote API servers to deploy cryptocurrency miners. Active since early this year, attackers use the cmd.cat/chattr Docker image to gain access to the host system. They create containers that bind the host's root directory, allowing unrestricted access. The attackers download and execute a malicious binary, often employing sophisticated techniques to evade detection. This campaign underscores the importance of securing Docker configurations,
Starting point is 00:10:16 using trusted images, and performing regular security audits to prevent such attacks. Coming up after the break, my conversation with Danny Allan, Chief Technology Officer at Snyk. We're discussing how in the rush to implement generative AI, some companies have bypassed best practices and security policies.
Starting point is 00:10:40 Stay with us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
Starting point is 00:11:57 They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? reached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. Danny Allan is Chief Technology Officer at Snyk, and I caught up with him to discuss how in the rush to implement generative AI, some companies have bypassed best practices and security policies. Well, one of the things that we're seeing, Dave, is a huge adoption of AI within the software engineering and software development community.
Starting point is 00:13:38 I would say it's near the peak of inflated expectations. And actually, in the study that we did of over 500 professionals, what we found is that 96% of them were using AI at least some of the time. And over half of them were using it most of the time within their software engineering practices. And so understanding AI, understanding its risk becomes very important. It's really an interesting observation there. I mean, AI strikes me as something that when you mention it, you'll get a lot of eye rolls, but then because of the hype, but then at the same time, lots of people are using it in their day-to-day. Yes, and I might be one of those people who sometimes rolls their eyes at it, but people are using it in their day-to-day. Like I said, 96%
Starting point is 00:14:24 of organizations said they were using it in their day-to-day, and I use it myself. And why is that? Because it makes me more productive. If you look at things like code generation with Copilot or CodeWhisperer or CodeAssist, these products make the developer more productive, and everyone wants to be more productive. Well, let's dig into some of the things in the report here. I mean, what are the things that you think deserve folks' attention here? Well, I think one of the interesting data points was that 55% of the organizations actually now considered AI code completion to be part of their software supply chain.
Starting point is 00:15:00 And we all know that securing the software supply chain becomes very important. And so understanding how AI is used and securing it becomes critically important, not just for software engineering, but for the CISO and for the board of directors and those people that are responsible for governance and risk. Well, what are your recommendations here? I mean, it strikes me that one of the challenges with AI is that it is demonstrably useful, but at the same time, it can be a bit of a black box. It is a bit of a black box, Dave. That's true, because you don't know what that code has been trained on. And in fact, one of the data points, one of the things that we asked those 500 individuals were, have you ever seen it introduce insecure code? And 92% of them said, yes, it happened at least once. And it was 56% said that it happened frequently. And that jives
Starting point is 00:15:52 actually with a study that was done just recently by Cornell University. It was published last month in April of 2024 that said that 36% of the code that was being created introduced vulnerabilities. It's probably not surprising because it's trained on public domain code. And of course, public domain code typically has vulnerabilities within it. So what do you recommend then as an approach here? I mean, for folks to both make use of the time savings, but also do it in a secure way? One of the things that I'm a very big proponent of is don't fight the next generation of innovation. So things like code documentation or code generation
Starting point is 00:16:36 are very valuable. It helps in the productivity of developers and you don't want to stop that. But you can introduce it or allow it with guardrails. And so one of the things that we found to be very effective is organizations that do enable this code generation capability, but they do it in tandem with security assessment capabilities. And that's security assessment both on the open source components that the code generators are including, but also the code itself. There's
Starting point is 00:17:03 those two types of assessment, both the open source components as well as the custom code that is introduced. Were there any results from the surveying that you did that were unexpected or anything that surprised you? Well, I always look for the dissonance, Dave, between different groups of people. And one of the questions in our AI readiness report was, do you consider these to be risky? And it was interesting to me that the executives of the organizations were five times more likely to say that AI code generation and AI usage in development was not risky at all. Five times more. Now that was 24%, I think, versus 5% of developers.
Starting point is 00:17:49 But that type of dissonance is what we're trying to eliminate. You want the people who are creating code to be on the same page and same understanding as the executives. And how do you suppose people can go about bridging that gap? Well, I'm a big believer in giving visibility and understanding. Most of the CISOs, chief information security officers that I speak with today, they start with what do I have and, you know, is it being tested? And then they provide the visibility to that. But
Starting point is 00:18:18 that's never enough because what you typically find with these organizations is they'll have thousands, if not tens of thousands, hundreds of thousands sometimes of issues. And so you need to go from there to, okay, help me prioritize it. And then actually use AI, not only for the discovery of these vulnerabilities, but the prioritization. And lastly, the management, building these into workflows so that it doesn't happen in the future, that these vulnerabilities are not introduced. Is there an element here where people are kind of afraid of being left behind, that, you know, there's a feeling like we have to use these tools or, you know, our competitors are going to have advantage over us? There is no question in my mind, without a doubt, that AI provides immense benefit from a speed of creation
Starting point is 00:19:07 more than anything else. I was just at RSA conference and I was speaking with a customer who said they had a 45% measurable improvement in velocity because they adopted AI generation. And so, you know, what is your differentiator as an organization? It's to move fast. And so my belief is you use AI, of course, to move fast, to develop quickly, but you also want to use that same AI to ensure that you're doing it securely. And you can do that in a very seamless, autonomous fashion if you build it into your workflows, but it takes time and thoughtfulness and intentionality for the organization to do that. Well, based on the information that you all have gathered here, what are your take-homes here?
Starting point is 00:19:48 What do you hope people take away from the report? Well, I guess my number one would be don't be afraid of artificial intelligence when it comes to software engineering. And that might be for code generation, which we've been talking about. It's also for documentation. It's also for testing. We shouldn't be afraid of this. We should embrace it. However, we need to make sure that we have the policy and the guardrails in place to ensure that you can leverage this type of artificial intelligence, but do it in a very secure fashion. That's Danny Allan, Chief Technology
Starting point is 00:20:21 Officer at Snyk. You can learn more in the Snyk Organizational AI Readiness Report. We'll have a link in the show notes. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your
Starting point is 00:21:06 organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And finally, if your kids are of a certain age, there's a good chance they were obsessed with Club Penguin. Well, some nostalgic fans of the MMO took their love to a whole new level by hacking Disney's Confluence server. They aimed to snag some Club Penguin secrets, but ended up with two and a half gigabytes of Disney's internal data. These digital mischief makers initially found 137 PDFs about the game, including old
Starting point is 00:22:01 emails, design docs, and character sheets. But they also accessed corporate strategies, advertising plans, and developer tools like Helios and CommuniCore. Disney's infrastructure and internal projects were exposed due to previously leaked credentials. While the Club Penguin files were ancient, the rest of the haul was fresh, dated as recent as this month. Despite repeated inquiries from Bleeping Computer and others, Disney has yet to comment on the breach. Who knew the path to Disney secrets was paved with nostalgia for virtual snowball fights?
Starting point is 00:22:46 And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people.
Starting point is 00:23:29 We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music and sound design by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe. Our president is Simone Petrella. And I'm Dave Bittner.
Starting point is 00:23:51 Thanks for listening. We'll see you back here tomorrow. impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
