CyberWire Daily - COATHANGER isn’t hanging up just quite yet.
Episode Date: June 12, 2024

Dutch military intelligence warns of the Chinese Coathanger RAT. Pure Storage joins the growing list of Snowflake victims. JetBrains patches a GitHub IDE vulnerability. A data broker hits the brakes on selling driver location data. Flaws in VLC Media Player allow remote code execution. Patch Tuesday updates. On our Learning Layer segment, host Sam Meisenberg and Joe Carrigan continue their discussion of Joe's ISC2 CISSP certification journey, taking on Domain 8, Software Development Security. Farewell, computer engineering legend Lynn Conway.

Our 2024 N2K CyberWire Audience Survey is underway. Make your voice heard and get in the running for a $100 Amazon gift card.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

Learning Layer
On our Learning Layer segment, host Sam Meisenberg and Joe Carrigan continue their discussion of Joe's ISC2 CISSP certification journey using N2K's comprehensive CISSP training course, CISSP practice test, and CISSP practice labs. Sam and Joe take on Domain 8, Software Development Security, and tackle the following question:

At which step of the SDLC should security considerations be first integrated?

Functional requirements defining
Project initiation and planning
Testing and evaluation control
System design specification

Selected Reading
Dutch intelligence says Chinese hacking campaign 'more extensive' than previously known (The Record)
Pure Storage confirms data breach after Snowflake account hack (Bleeping Computer)
Users of JetBrains IDEs at risk of GitHub access token compromise (CVE-2024-37051) (Help Net Security)
GitHub phishing campaign wipes repos, extorts victims (SC Magazine)
Data broker shuts down product related to driver behavior patterns (The Record)
VLC Media Player Vulnerabilities Allow Remote Code Execution (Cyber Security News)
Microsoft June 2024 Patch Tuesday fixes 51 flaws, 18 RCEs (Bleeping Computer)
ICS Patch Tuesday: Advisories Published by Siemens, Schneider Electric, Aveva, CISA (SecurityWeek)
Column: Lynn Conway, leading computer scientist and transgender pioneer, dies at 85 (LA Times)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me.
I have to say, Delete.me is a game changer. Within days of signing up, they started removing my
personal information from hundreds of data brokers. I finally have peace of mind knowing
my data privacy is protected. Delete.me's team does all the work for you with detailed reports
so you know exactly what's been done. Take control of your data and keep your private life Thank you. JoinDeleteMe.com slash N2K and use promo code N2K at checkout.
The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout.
That's JoinDeleteMe.com slash N2K, code N2K.
JetBrains patches a GitHub IDE vulnerability. A data broker hits the brakes on selling driver location data.
Flaws in VLC media player allow remote code execution.
We got some Patch Tuesday updates.
On our Learning Layer segment, host Sam Meisenberg and Joe Carrigan continue their discussion of Joe's ISC2 CISSP certification journey,
taking on Domain 8 software development security.
And farewell computer engineering legend, Lynn Conway.
It's Wednesday, June 12th, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing.
The Dutch Military Intelligence and Security Service has issued a warning about an extensive Chinese cyber espionage
campaign. According to the National Cyber Security Center, state-sponsored hackers exploited a
vulnerability in FortiGate devices for two months before it was disclosed. This zero-day attack
infected 14,000 devices, targeting Western governments, international organizations, and defense companies.
Dutch officials revealed that the hackers breached the Dutch Ministry of Defense's network,
deploying the Coathanger remote access trojan. The ongoing investigation shows the hackers
accessed at least 20,000 FortiGate systems globally in 2022 and 2023. Identifying and removing the
Coathanger malware remains challenging, and many systems likely remain compromised.
Cloud storage provider Pure Storage confirmed a breach in its Snowflake workspace,
exposing telemetry data, customer names, usernames, and email addresses.
No credentials or customer data were compromised.
The breach was promptly addressed, and Pure Storage found no evidence of further malicious activity.
Over 11,000 customers, including high-profile companies like Meta and NASA, use Pure Storage's platform.
Snowflake, working with Mandiant and CrowdStrike, has confirmed that attackers exploited stolen credentials from infostealer malware
to breach accounts lacking multi-factor authentication.
These attacks, linked to the threat actor UNC5537, have impacted around 165 organizations.
Recent breaches at Santander, Ticketmaster, and Advance Auto Parts
are associated with this campaign,
highlighting the ongoing threat to Snowflake customers.
Integrated development environment provider JetBrains
has fixed a critical vulnerability in its GitHub plugin
for IntelliJ-based IDEs,
which could expose GitHub access tokens.
The flaw, reported on May 29, allowed malicious content in pull requests to access these tokens,
risking unauthorized access to GitHub accounts and repositories.
Affected IDEs include Aqua, CLion, DataGrip, DataSpell, GoLand, IntelliJ IDEA, MPS,
PhpStorm, PyCharm, Rider, RubyMine, RustRover, and WebStorm. Users should update their IDEs and
revoke any GitHub tokens used by the plugin. Google's IntelliJ-based Android Studio users should also upgrade and
revoke tokens. JetBrains confirmed no evidence of active exploitation before the fix,
but emphasized prompt updates to minimize risks.
Meanwhile, GitHub users are facing a phishing and extortion campaign, exploiting the site's notification system and a malicious OAuth app.
Attackers mention users in comments, triggering legitimate email notifications from GitHub.
These comments mimic GitHub's staff, offering jobs or alerting to security breaches, and
direct users to fake GitHub domains.
Approving the OAuth request allows attackers to wipe repositories
and demand ransom via Telegram to recover data. Compromised accounts are then used to perpetuate
the scam. Max Gannon from Cofense highlights that while the attackers, dubbed GitLocker,
seem low-skilled and extortion-focused, the incident underscores the risk of supply chain attacks and
the need for vigilance in tracking code sources. Further evidence links GitLocker to additional
extortion attempts demanding payments to prevent data exposure.
General Motors recently faced backlash for selling driver behavior data to brokers, who then resold it to insurers.
In response, data broker Verisk stopped accepting data from carmakers like GM, Honda, and Hyundai,
and ceased providing driving behavior reports to insurers. Privacy4Cars confirmed this
after inquiring with Verisk. However, LexisNexis Risk Solutions continues to promote
its driver behavior data product to insurers, despite criticism from state governments and
consumer groups. Their Telematics OnDemand service still markets partnerships with automakers,
including Kia, Subaru, and Mitsubishi. LexisNexis emphasizes responsible data use and transparency,
but the auto industry's data sharing practices face increasing scrutiny from state and federal
authorities.
VideoLAN disclosed critical vulnerabilities in the popular VLC media player that could allow
remote code execution. Both desktop and iOS versions are
affected. On the desktop, an integer overflow in handling MMS streams can lead to a heap overflow,
potentially crashing the player or executing arbitrary code. Users should update to version
3.0.21 and avoid untrusted MMS streams.
On iOS, a Wi-Fi file-sharing path traversal vulnerability could allow local network attacks, leading to a denial of service.
Users should update to version 3.5.9 to mitigate this risk.
Yesterday was Patch Tuesday, and Microsoft released updates for 51 security flaws.
Key updates include 18 RCE vulnerabilities with one critical flaw in Microsoft message queuing,
25 elevation of privilege vulnerabilities, 3 information disclosure vulnerabilities,
and 5 denial-of-service vulnerabilities.
The disclosed zero-day involves a DNSSEC validation flaw causing
CPU exhaustion, potentially leading to a denial-of-service. It was previously disclosed
in February and has been patched in multiple DNS implementations. Other notable fixes include
Microsoft Office RCEs and Windows Kernel Privilege Elevation flaws, enhancing overall
system security.
June 2024's Patch Tuesday brings critical security updates from several ICS
vendors, including Siemens, Schneider Electric, AVEVA, and the U.S. cybersecurity agency CISA.
Siemens issued 14 new advisories addressing over 120 vulnerabilities, with patches and mitigations available.
Most flaws affect third-party components known since last year.
Notable issues include a critical authentication bypass in the PowerAssist service for PowerLink 5100 and SWT3000, allowing local attackers to gain admin privileges. High-severity code execution
vulnerabilities were also patched. AVEVA released two advisories. One highlights a high-severity
local code execution vulnerability in the PI Asset Framework client. The other addresses a
remote code execution flaw in the PI Web API, both related to deserialization of untrusted data.
Schneider Electric published five advisories covering 11 vulnerabilities.
In Sage RTUs, a critical authentication bypass and other high-severity issues were fixed, including disruption and unauthorized uploads.
Additional medium-severity flaws were addressed in Modicon M340 controllers,
PowerLogic P5 relays, EVLink HomeSmart EV chargers, and SpaceLogic controllers,
preventing unauthorized firmware updates, device hijacking, and denial-of-service attacks.
CISA released several ICS advisories,
including a high-severity denial-of-service vulnerability in Rockwell Automation controllers, critical code execution and data exposure in the Intrado 911 Emergency Gateway, and high-severity information disclosure and code execution flaws in MicroDICOM software.
Coming up after the break, Sam Meisenberg and Joe Carrigan continue their discussion of Joe's ISC2 CISSP certification journey.
Stay with us.
Transat presents a couple trying to beat the winter blues.
We could try hot yoga.
Too sweaty.
We could go skating.
Too icy.
We could book a vacation.
Like somewhere hot.
Yeah, with pools.
And a spa.
And endless snacks.
Yes! Yes! Yes!
With savings of up to 40% on Transat South packages, it's easy to say, so long to winter.
Visit Transat.com or contact your Marlin travel professional for details.
Conditions apply.
Air Transat. Travel moves us.
Do you know the status of your compliance controls right now? Like, right now?
We know that real-time visibility is critical for security, but when it comes to our GRC programs,
we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
On today's Learning Layer segment, our hosts Sam Meisenberg and Joe Carrigan are once again together to discuss Joe's ISC2 CISSP certification journey.
Today, they're taking on Domain 8, software development security.
Welcome back to Learning Layer.
Today on the Learning Layer segment, we're continuing our conversation with Joe Carrigan as he gets ready for his CISSP.
Joe, Domain 8.
Domain 8.
The final domain.
I have a degree in domain eight.
Okay.
So I don't even know why we're talking.
Right.
No, no.
You always got to study even your strengths.
And remember, I didn't do too well in the pre-test in that.
Right.
And it's this thing.
It's this weird thing where you have so much experience and so much knowledge, yet sometimes
that real-world experience doesn't translate to exam world, and ISC2 might have their own reality.
So let's do a question together.
Okay.
So why don't you start by reading the question,
and then we'll do our usual thinking about it,
and then go find the right answer.
Okay.
Go ahead.
The question reads as this.
At which step of the SDLC, the software development lifecycle,
should security considerations be first integrated?
That's the question.
Okay, so actually I know I asked you for some analysis.
Let me do one thing of my own.
Okay.
From a humanities major who used to be a speechwriter.
Okay.
Weird syntax.
Like, let's think about what these words are actually saying.
At which step should security considerations...
So consideration is kind of a soft word, right?
It's not like we're doing security necessarily.
We're just thinking about it.
Right.
We're considering it.
Yep.
And then it says be integrated.
So, like, I guess as somebody who's done, you know, or managed SDLCs before,
what does like an integration mean? First thing I think when I see the word integrated is I think
about integrations and making two pieces of different tech work together. Maybe you're
going to make some middleware or something, but that's not what this means. This is at what
point in time, at what part of the SDLC should you be considering security as part of the product?
Because you're going to have some kind of security stance on this product, regardless of whether you acknowledge it or not.
It could be a terrible stance.
And generally, I'll bet if you don't acknowledge it, it will be a bad stance.
Yeah.
So the question is asking, when should you start thinking about security, really, for whatever this project or product is?
And the answer to that question is as early as possible.
As early as possible.
As early as possible.
Because if you go to the end of development and you say, okay, now let's make it secure, you have already done all the requirements gathering, all the designing, all the development,
and maybe some of the testing,
and now you're saying, let's patch on security at the end.
That's what you're going to be doing,
is patching on security at the end.
You need to think about security
as soon as you're defining what the system is going to do.
So my initial answer, as we say,
you frequently remind me, try to pick an option.
I'm going to say at the concept of operations, which is part of the waterfall lifecycle and also part of the systems engineering
lifecycle. Very first thing, you're coming up with a concept of operations. Security considerations
should be considered there. They should be integrated into that portion and that document
that you're going to come up with. So bake security into the product.
Don't bolt it on after.
Yes.
Why don't we read the answer choices?
The answer choices, number one, are functional requirements defining, which might seem like
a good place, requirements definition.
Sure.
That comes almost exactly after concept of operations.
Then number two is project initialization and planning.
Ha-ha.
So right at the beginning.
Yeah.
Right?
Testing and evaluation control.
So that's all the way towards the end.
Okay.
Right?
And then system design specifications.
And that's after requirements generally.
Okay.
So no, that's not good.
Testing at the end is not good. Functional requirements defining, maybe you're okay
starting there, but I would say you're better off starting at project initiation and planning,
that you put security in there as part of the definition of the system.
I have two sort of reactions to this question and how you approached it.
Okay.
The first is, you know what's interesting?
Every single one of these steps
has a security component to it.
It does.
But that's not what the question was asking.
No.
The question is asking, when should you first do it?
Right, right.
My second reaction is, and this was hard, especially for me when I was studying domain
eight without a background in it.
Some of the, I don't know, words or labels for the SDLC steps can get a little abstract.
Yeah.
And, you know, everybody sometimes has a different name for it.
Right.
So you can still get this question right
without, you know, fully memorizing or being familiar with what happens in all the steps.
Meaning, taking your prephrase of as early as possible. Right. You just need to ask yourself.
Which one of these is earlier? Which one sounds like it happens first?
Do you do a project planning first or do you do a functional
requirements first? Well, it makes sense. You probably need to scope out the project first
and think about it and plan, and then functional requirements might come after. Right. So without
knowing what happens, I would pick B as well. Yeah. That's what I would say. All right. And
let's find out what the right answer is. Drum roll.
Nailed it.
Nice.
Okay, good.
And it is B.
Very good.
So I'll give you the final word since this is Domain 8.
Any parting thoughts?
Yes.
I do want to say something about what you said.
Yeah.
In that there is security in all of these things. So you're going to be, when you're developing some kind of software project, there is something called a requirements traceability matrix, an RTM, that takes your code or your behaviors or your use cases all the way back.
Everything goes all the way back to the requirements, which eventually points, which will also point back to something in the concept of operations.
So you're right that system design should have security components in it.
You should definitely be testing and evaluating the entirety of the software, including the security that is implemented.
And you should be able to trace those requirements all the way back to the requirements and even before then to the concept of operations.
All right, Joe.
We keep saying we're in the homestretch.
We're actually in the homestretch.
We're actually done with the material now.
Now it's just time for practicing and taking the test.
That's right.
And everything will come together.
It feels like ages ago when you started Domain One.
It does indeed.
So it's time to reintroduce it and blend it all together.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of
solutions designed to give you total control, stopping unauthorized applications, securing
sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com
today to see how a default-deny approach can keep your company safe and compliant.
That's Sam Meisenberg,
along with my Hacking Humans co-host, Joe Carrigan.
And finally, we note the passing of former IBM and Xerox PARC engineer Lynn Conway. She achieved remarkable success in the 1960s and 70s,
despite facing intense personal and professional challenges,
including her transgender transition.
Conway passed away Sunday from a heart condition, leaving behind a legacy of groundbreaking contributions to
technology and society. Her pivotal work in computer engineering began at IBM and later
at Xerox PARC, where she collaborated with Carver Mead on VLSI design, revolutionizing microprocessor technology and impacting millions
of PCs. She also led a supercomputer program at DARPA and became a professor at the University
of Michigan. In 2020, IBM formally apologized for firing Conway in 1968 due to her gender transition,
recognizing her courage and influence. Beyond her technical achievements, Conway was a beacon of hope and inspiration for the transgender community.
She fought against discrimination and provided guidance through her personal website,
offering role models and hope for many undergoing gender transition. Conway's story of resilience includes overcoming
being barred from seeing her daughters for 14 years and working her way up through various
startups before her significant contributions at Xerox PARC. Her life's work enriched both the
technological and transgender communities, providing profound inspiration and advancing the cause of equality and acceptance.
Lynn Conway's legacy is one of remarkable bravery and resilience.
She not only faced her challenges but prevailed over them,
leaving an indelible mark on the world and enriching the lives of countless individuals.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show,
please share a rating and review
in your favorite podcast app.
Please also fill out the survey in the show notes
or send an email to cyberwire at n2k.com.
We're privileged that N2K Cyber Wire
is part of the daily routine
of the most influential leaders and operators
in the public and private sector
from the Fortune 500 to many of the world's preeminent intelligence and law enforcement
agencies. N2K makes it easy for companies to optimize your biggest investment, your people.
We make you smarter about your teams while making your teams smarter. Learn how at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Trey Hester
with original music
and sound design
by Elliot Peltzman.
Our executive producer
is Jennifer Iben.
Our executive editor
is Brandon Karp.
Simone Petrella
is our president.
Peter Kilby is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
channel AI and data into innovative uses that deliver measurable impact. Secure AI agents
connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.