CyberWire Daily - Cracking down on spyware.
Episode Date: February 6, 2024
The global community confronts spyware. Canon patches critical vulnerabilities in printers. Barracuda recommends mitigations for Web Application Firewall issues. Group-IB warns of ResumeLooters. Millions are at risk after a data breach in France. Research from the UK reveals contradictory approaches to cybersecurity. Meta’s Oversight Board recommends updates to Facebook’s Manipulated Media policy. We’ve got a special segment from the Threat Vector podcast examining Ivanti's Connect Secure and Policy Secure products. And it’s time to brush up on IoT security.
Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
In a special segment from Palo Alto Networks’ Threat Vector podcast, host David Moulton, Director of Thought Leadership at Unit 42, along with guests Sam Rubin, VP, Global Head of Operations, and Ingrid Parker, Senior Manager of the Intel Response Unit, dives deep into the critical vulnerabilities found in Ivanti's Connect Secure and Policy Secure products. You can check out the full conversation here.
Selected Reading
US to restrict visas for those who misuse commercial spyware (Reuters)
Britain and France assemble diplomats for international agreement on spyware (The Record)
Israeli government absent from London spyware conference and pledge (The Record)
Government hackers targeted iPhones owners with zero-days, Google says (TechCrunch)
Google agrees to pay $350 million settlement in security lapse case (Washington Post)
Canon Patches 7 Critical Vulnerabilities in Small Office Printers (SecurityWeek)
Barracuda Disclosed Critical Vulnerabilities in WAF, Affecting File Upload and JSON Protection (SOCRadar)
ResumeLooters target job search sites in extensive data heist (Help Net Security)
Millions at risk of fraud after massive health data hack in France (The Connexion)
Fragmented cybersecurity vendor landscape is exacerbating risks and compounding skills shortages, SenseOn research reveals (IT Security Guru)
Meta’s Oversight Board Urges a Policy Change After a Fake Biden Video (InfoSecurity Magazine)
Toothbrushes are a cybersecurity risk, too: millions participate in DDoS attacks (Cybernews)
Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.
Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
The global community confronts spyware.
Canon patches critical vulnerabilities in printers.
Barracuda recommends mitigations for web application firewall issues.
Group IB warns of resume looters.
Millions are at risk after a data breach in France.
Research from the UK reveals contradictory approaches to cybersecurity.
Meta's oversight board recommends updates to Facebook's manipulated media policy.
We've got a special segment from the Threat Vector podcast
examining Ivanti's Connect Secure and Policy Secure products.
And it's time to brush up on IoT security.
It's Tuesday, February 6, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thank you for joining us today. It is great to have you with us.
The U.S. has introduced a new visa restriction policy targeting individuals involved in misusing commercial spyware. Announced yesterday by Secretary of State Antony Blinken, this policy enables the
State Department to impose visa restrictions on those who participate in, facilitate, or benefit
from the abuse of commercial spyware. This move is part of a broader effort to curb malicious
digital espionage by foreign governments and companies, which have historically enabled
cyberattacks against human
rights activists, journalists, and opposition figures in developing countries. The policy
also extends to investors and operators of misused spyware. It follows President Biden's
executive order last year aimed at curbing the malevolent use of digital spy tools targeting U.S. personnel and civil society.
This included barring U.S. agencies from conducting business with such companies
and adding several surveillance firms to the economic trade blacklist,
such as Hungary-based Cytrox, Greek firm Intellexa, and Israeli companies NSO Group and Candiru.
Organized under the Immigration and Nationality Act, the policy applies to a wide range of individuals involved in digital operations
that surveil, harass, suppress, or intimidate journalists, activists, dissidents, marginalized
communities, vulnerable populations, and their family members. In March of last year, the U.S. and partner countries advocated for stricter domestic
and international controls to counter the proliferation and misuse of commercial spyware.
The U.K. and France are hosting a conference at Lancaster House in London this week
to launch the Pall Mall process, a new international initiative
addressing the proliferation of commercial spyware. Attended by 35 nations, big tech leaders,
legal experts, human rights defenders, and vendors of cyber intrusion tools, the conference will see
the signing of a declaration committing to joint action on this issue, including a follow-up meeting in Paris in 2025.
Israeli officials are not attending, and it's notable that the attendee list lacks vendors
providing the controversial services targeted by the conference. Dr. Joseph Devanny from King's
College London noted the importance of engaging beyond like-minded states for progress. The
absence of countries like Israel, which hosts sanctioned companies for cyber tool trafficking,
was significant. Of the attendees, only 24 of 35 signed a pledge for greater action,
with countries like Hungary and Mexico linked to spyware abuses not signing. The U.S. is a signatory.
Staying with spyware, Google's Threat Analysis Group reported that government hackers exploited
three undisclosed vulnerabilities in Apple's iPhone OS using spyware developed by the European
startup Variston. This campaign, discovered in March of 2023, targeted iPhones in Indonesia
with a malicious SMS link, leading to spyware infection and redirection to a local news article.
Apple has not commented on this finding. Variston, a Barcelona-based company,
is gaining attention for its spyware tools previously analyzed by Google. The company,
facing employee departures, collaborates with entities like Protected AE from the UAE to
develop and sell spyware packages, incorporating Variston's Heliconia software. Despite the focus
on Israeli firms like NSO Group in recent years, Google's report highlights the growing reach of European spyware makers like Variston, Cy4Gate, RCS Lab, and Negg.
Japanese electronics firm Canon has released software updates to fix seven critical vulnerabilities affecting various small office printer models.
These buffer overflow bugs carry a high CVSS score of 9.8 and pose risks of remote code execution and denial of service attacks.
Canon urges customers to install the latest firmware available on their regional websites
to enhance security. No exploits have been reported, but users are advised to increase printer security
by using firewalls or routers and setting private IP addresses. These vulnerabilities were reported
to Canon through Trend Micro's zero-day initiative. Barracuda has released a security advisory for
its web application Firewall, detailing seven high-to-critical vulnerabilities.
These issues, split into two categories, involve bypassing WAF protections. Category 1 vulnerabilities
allow bypassing file upload protections using HTTP methods other than POST, risking remote
code execution or local file inclusion. Category 2 vulnerabilities pertain to bypassing JSON security protections
through unspecified HTTP methods in API specifications.
Barracuda recommends updating firmware
and adjusting HTTP method restrictions to address these security concerns.
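The Category 1 bypass described above comes down to an inspection rule that is scoped by HTTP method. The following is an added example, not Barracuda's code or configuration, modelling a simplified upload-inspection rule that fires only on POST beside one that inspects every method that can carry a body; the request shape, the rule names and the blocked-extension list are assumptions for illustration.

```python
"""Added example (not Barracuda's code): a method-scoped upload rule beside a
method-agnostic one. Request shape, rule names and extension list are assumed."""
from dataclasses import dataclass, field
import re

UPLOAD_METHODS = {"POST", "PUT", "PATCH"}  # methods that may carry an upload body
BLOCKED_EXTENSIONS = re.compile(r"\.(php|phtml|jsp|aspx?)$", re.IGNORECASE)
FILENAME_RE = re.compile(r'filename="([^"]*)"')


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def uploaded_filenames(req: Request) -> list[str]:
    """Return filename= values from a multipart body (empty if not multipart)."""
    if not req.headers.get("Content-Type", "").startswith("multipart/form-data"):
        return []
    return FILENAME_RE.findall(req.body.decode("utf-8", "replace"))


def rule_post_only(req: Request) -> bool:
    """Weak rule: True (block) only when a POST upload carries a blocked extension."""
    if req.method != "POST":
        return False  # every other method skips inspection entirely
    return any(BLOCKED_EXTENSIONS.search(n) for n in uploaded_filenames(req))


def rule_any_method(req: Request) -> bool:
    """Fixed rule: inspect every method that can carry an upload body."""
    if req.method not in UPLOAD_METHODS:
        return False  # GET/HEAD carry no upload body to inspect
    return any(BLOCKED_EXTENSIONS.search(n) for n in uploaded_filenames(req))


# Constructed multipart body naming a PHP file; the content is a placeholder.
BODY = (
    b"--boundary\r\n"
    b'Content-Disposition: form-data; name="file"; filename="shell.php"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\n"
    b"<placeholder>\r\n--boundary--\r\n"
)
HEADERS = {"Content-Type": "multipart/form-data; boundary=boundary"}


def evaluate(method: str) -> dict:
    """Send the same upload body with the given method through both rules."""
    req = Request(method, "/upload", dict(HEADERS), BODY)
    return {
        "post_only_blocks": rule_post_only(req),
        "any_method_blocks": rule_any_method(req),
    }


if __name__ == "__main__":
    for m in ("POST", "PUT", "PATCH", "GET"):
        print(m, evaluate(m))
```

The same body that the POST-only rule blocks passes it unchanged when resent as PUT or PATCH, while the method-agnostic rule catches all three. The second half of Barracuda's advice, tightening HTTP method restrictions, is the complementary control: if the application behind the WAF only ever needs POST for uploads, denying the other methods at the edge removes the bypass even where a rule is mis-scoped.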
Group IB discovered a large-scale malicious campaign by a group they call Resume Looters,
targeting job search and retail websites across the Asia-Pacific region,
particularly in India, Taiwan, Thailand, Vietnam, China, and Australia.
Between November and December of 2023, resume looters infected at least 65 websites using SQL injection and XSS attacks, stealing databases containing over 2 million unique emails, names, phone numbers, and job-related information.
This stolen data was subsequently sold on Telegram channels. Resume looters primarily used penetration testing
frameworks and tools like sqlmap, Acunetix, and Metasploit to inject malicious SQL queries
and retrieve substantial user data. Over 70% of their victims are in the Asia-Pacific,
but compromised websites were also found in countries like Brazil, the U.S.,
and Russia. The group's XSS attacks aim to steal HTML code and potentially admin credentials by
implanting malicious scripts on legitimate job sites. To counter such attacks, companies are
advised to use parameterized statements, perform input validation, and conduct regular security assessments.
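The mitigation in the story above, parameterized statements plus input validation, is easier to see in code. The following is an added example, not from the episode or from Group-IB's report: a candidate lookup built by string concatenation beside its parameterized form, run against a constructed in-memory SQLite table. The table, its columns, the sample rows and the payload are assumptions for illustration; the tautology used is the kind of probe sqlmap sends automatically.

```python
"""Added example (not from the episode or Group-IB): string-built SQL beside a
parameterized query, with an input-validation layer in front. Table, rows and
payload are constructed for illustration."""
import re
import sqlite3

# Constructed sample rows standing in for a job-site candidate table.
SAMPLE_ROWS = [
    ("alice@example.com", "Alice Example", "+1-555-0100", "Backend Engineer"),
    ("bob@example.com", "Bob Example", "+1-555-0101", "Data Analyst"),
    ("carol@example.com", "Carol Example", "+1-555-0102", "Recruiter"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE candidates (email TEXT, name TEXT, phone TEXT, title TEXT)"
    )
    conn.executemany("INSERT INTO candidates VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list[tuple]:
    """Vulnerable: attacker text is spliced into the SQL string, so a quote in
    `email` changes the query's structure instead of being compared as data."""
    sql = f"SELECT email, name, phone, title FROM candidates WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list[tuple]:
    """Fixed: the value is bound as a parameter and can never become SQL."""
    sql = "SELECT email, name, phone, title FROM candidates WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def validate_email(email: str) -> bool:
    """Defence in depth: reject input that does not look like an address before
    it reaches the database. Not a substitute for parameters."""
    return len(email) <= 254 and EMAIL_RE.fullmatch(email) is not None


# Tautology that turns the WHERE clause into "match every row".
PAYLOAD = "' OR '1'='1"


def demo() -> dict:
    """Run the payload and a legitimate value through both lookups."""
    conn = make_db()
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, PAYLOAD)),
        "parameterized_rows": len(lookup_parameterized(conn, PAYLOAD)),
        "payload_passes_validation": validate_email(PAYLOAD),
        "legit_rows": len(lookup_parameterized(conn, "bob@example.com")),
    }


if __name__ == "__main__":
    print(demo())
```

Against the constructed table the string-built query returns every row for the payload, which is the whole-database dump described in the story, while the parameterized query returns none and the validator rejects the payload before the query is built. The validation layer is worth keeping even with parameters in place, since it also bounds what reaches logging, search and other sinks.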
Millions of people in France are at risk of fraud due to a data breach at Viamedis,
a company that handles third-party payments for 84 insurance providers. Viamedis manages payments
for over 20 million people. The breach, announced on February 2nd, exposed sensitive data,
including names, civil status, dates of birth, social security numbers, and insurance provider details.
However, bank information, postal addresses, phone numbers, and emails were not compromised.
Viamedis has disconnected the compromised program.
This disconnection might affect third-party payments with opticians and hearing aid specialists.
Viamedis has filed a police complaint and informed the French Data Protection Authority.
New research from UK security firm SenseOn reveals that the UK's largest organizations have a contradictory approach to cybersecurity.
The survey of 250 IT and security decision makers from UK and Irish companies,
with over 250 employees,
found a prevalent belief that purchasing more cybersecurity tools enhances protection.
However, adopting these tools takes an average of two and a half months,
detracting from critical activities like threat hunting and security awareness training.
Two-thirds of respondents from the largest companies with between 5,000 and 10,000 employees see third-party risk as a primary challenge, contradicting the notion that more tools equal better security. This creates a cycle where organizations keep buying tools
only to worry about the risks and time consumed
in integrating these new systems.
The constant introduction of new tools,
often difficult to manage due to staffing shortages,
adds stress and workload to already overwhelmed security teams.
The stress impacts staff retention,
with 95% of respondents acknowledging it as a factor.
To reduce stress, 83% suggested tools using AI for automation,
and 81% recommended security awareness training.
A fake video depicting U.S. President Joe Biden
inappropriately touching his granddaughter
circulated on Facebook and other platforms, leading to calls for Meta to revise its policy
on deepfakes and manipulated content. The video, edited from footage of Biden voting in the 2022
U.S. midterm elections, was not removed by Meta as it didn't meet their current manipulated
media policy criteria. This policy currently applies only to content created using AI
or showing people saying things they didn't say. Meta's oversight board criticized the policy as
too narrow and ineffective against misinformation, especially with the upcoming elections in 2024.
The board suggested expanding the policy
to include all forms of altered content,
whether AI generated or not,
and to cover actions people did not do.
They also recommended labeling manipulated content
instead of removing it,
providing clear definitions of the harms
intended to be prevented
and unifying the policy's presentation for clarity. This move aims to address misinformation
more effectively, considering the prevalence of non-AI-altered misleading content.
Coming up after the break, we've got a special segment from the Threat Vector podcast examining Ivanti's Connect Secure and Policy Secure products.
Stay with us. Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals
to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already
been breached. Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
The Threat Vector podcast is right here on the CyberWire podcast network,
presented by Palo Alto Networks' David Moulton,
Director of Thought Leadership at their Unit 42.
In his most recent episode, he spoke with guests Sam Rubin,
VP and Global Head of Operations,
and Ingrid Parker, Senior Manager of the Intel Response Unit,
diving deep into the critical vulnerabilities found in Ivanti's Connect Secure and Policy Secure products.
Here's their conversation.
These Ivanti vulnerabilities are being actively exploited by a wide variety of threat actors.
So you really need to take action now.
This is not something that is an area where you can really wait.
Welcome to the Threat Vector segment, where Unit 42 shares unique threat intelligence insights, new threat actor TTPs, and real-world case studies.
Unit 42 has a global team of threat intelligence experts, incident responders, and proactive security consultants dedicated to safeguarding our digital world.
I'm your host, David Moulton, Director of Thought Leadership for Unit 42.
In today's episode, I'm joined by Sam Rubin, Global Head of Operations for Unit 42, and Ingrid Parker, Senior Manager for Unit 42's Intel Response Unit.
We're going to discuss the escalating situation related to two new Ivanti vulnerabilities found in Ivanti Connect Secure and Policy Secure products.
Sam, Ingrid, thanks for joining me today on Threat Vector.
Let's get right into it. Sam, software vulnerabilities are actually pretty common.
What makes these last two Ivanti vulnerabilities so critical? Yeah, thanks, David. So I think the first thing to point out is that
software vulnerabilities are common, but anytime it's on something like a VPN concentrator,
people take notice. This is how you authenticate to a network or an organization from the outside, from the internet.
So if that has a vulnerability, we've got something to pay attention to.
And then in particular, with respect to the Ivanti situation, we have this series of vulnerabilities that were identified over the month of January.
We had two disclosed on January 10th, and then two more on the 31st.
And so this sort of string of continuing vulnerabilities that have been exploited got a lot of attention from the federal government,
sort of leading up to the U.S. Cybersecurity and Infrastructure Security Agency, CISA,
issuing a directive for all federal agencies to disconnect any affected Ivanti products
no later than 11:59 p.m. this past Friday, February 2nd.
How do directives from CISA influence the response strategies of non-governmental organizations
and the broader cybersecurity community?
Sure. So I think the first point here is that this type of directive, this type of action from CISA is not common.
It really highlights the severity of the situation and the perspective that they have that they don't feel comfortable
that this is under control and that they're sort of issuing a mandate here to all federal agencies.
You need to take action and that action is to get this software off of your network so you're not
using it. It's an unusual step and I think it really brings to the attention of IT and security administrators nationwide, certainly, and potentially globally, that they should probably be doing the same, or at least seriously considering it.
Ingrid, can you explain the nature and potential impact of the newly disclosed vulnerabilities from Ivanti Connect Secure and Policy Secure products and why they're considered so high risk?
Absolutely.
Thanks for having us on, David.
So when you look at these vulnerabilities,
you really want to focus on the first two that came out.
Those work in tandem with each other.
And there you're looking at an authentication bypass vulnerability
and a command injection vulnerability.
And the combination of those actually allows attackers without authentication
to run arbitrary commands on a compromised system.
So that basically gives that malicious actor
access to do whatever they want to on a system.
At that point, Ivanti put a set of mitigations in place
and was starting to work on patches.
However, these two new vulnerabilities
put those same systems back at risk again.
So even if you were taking care of what happened
with the first two vulnerabilities,
you are now having that same issue.
And in this case, it's very similar.
They're different types, technically.
One's a privilege escalation vulnerability.
One's a server-side request forgery vulnerability.
These allow hackers to establish
persistent system access, including full compromise of your target information systems.
And when that happens, that means an actor not only can act on the system that they've gotten
access to, but they can move laterally within your environment. They can perform data exfiltration.
They can take a lot of other actions that go beyond just compromising that single system.
And so it's
this combination plus the buildup of having multiples of these that is really putting
users at risk and needing to take action in order to mitigate these vulnerabilities.
Given that the proof of concept code for these vulnerabilities has been publicly released and
we're seeing active exploitation of these vulnerabilities.
What immediate steps should organizations take to mitigate the risk of exploitation,
especially as the patches are still being made available?
Number one is go to the Ivanti site, read their documentation, understand the options that are
available to you, whether that's a mitigation option, whether that's a patching option,
figure out what you can actually do in this space, assuming that you are at risk,
and consider some of the guidance that CISA has put out, especially when it comes to things like actually disconnecting your system, figuring out what you need to do for additional monitoring.
Ivanti itself is actually recommending as a best practice that all customers factory reset their appliance before they apply a patch to prevent the threat actor from gaining upgraded persistence.
And so it's really important that you go through, read this set of documentation, understand what's out there and the order that you want to do things in order to make sure that you're going to put yourself in a great protection point. And from there, you need to continue to hunt for potential activity, knowing that these vulnerabilities were in place before patches and mitigations came out.
And as I mentioned before, an actor can move laterally.
They can be in other parts of your system.
So even as you're patching the Ivanti applications, you want to go ahead and
be looking for other types of activity that are going on. And so making sure that you're doing
the immediate triage for today, but also looking for things that might have happened beyond just
that particular appliance is going to be really important.
Ingrid and Sam, thanks for joining me today on this segment of Threat Vector.
To hear our full conversation, listen and subscribe to our podcast.
For the latest insights and research on the Ivanti vulnerabilities, visit the Unit 42 Threat Research Center.
A link to the threat brief on the Ivanti vulnerabilities is linked in the show notes.
If you believe that you are at risk because of an Ivanti vulnerability, Palo Alto Networks is offering a no-cost, no-obligation emergency bundle for your organization.
You can find the details on our website, and we'll provide a direct link in our show notes.
If you think that you may be under attack, contact the experts at Unit 42
to help assess your risk and exposure. We'll be back in two weeks. Until then, stay secure,
stay vigilant. Goodbye for now.
Once again, be sure to check out the Threat Vector podcast wherever you get your podcasts.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe
and compliant.
With TD Direct Investing, new and existing clients could get 1% cash back.
Great! That's 1% closer to being part of the 1%...
Maybe, but definitely 100% closer to getting 1% cash back with TD Direct Investing.
Conditions apply. Offer ends January 31, 2025. Visit td.com slash DI offer
to learn more. And finally, a report out of Switzerland claims that cyber criminals have
hijacked approximately 3 million smart toothbrushes,
using them to create a botnet for a distributed denial-of-service attack.
These internet-connected toothbrushes, typically used for monitoring dental hygiene habits,
were compromised via vulnerabilities in the Java programming language.
The malware-infected devices were then used to target and overload
a Swiss company's website server. Toothbrushes. Internet. Connected. Toothbrushes.
Here's a little personal tidbit. I have been fortunate throughout my life to have an unusually
high resistance to tooth decay. Through a combination of good luck and good dental hygiene,
I have never had a cavity.
It is my superpower.
I'm still trying to figure out a way to use my abilities for the greater good.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
We're privileged that N2K and podcasts like The Cyber Wire
are part of the daily intelligence routine
of many of the most influential leaders and operators
in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many
of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce
Intelligence optimizes the value of your biggest investment, your people. We make you smarter about
your team while making your team smarter. Learn more at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester with original music by Elliot Peltzman.
Our executive producers are Jennifer Iben and Brandon Karp.
Our executive editor is Peter Kilby, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow. Thank you.
data products platform comes in. With Domo, you can channel AI and data into innovative uses that
deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your
role. Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.