CyberWire Daily - Cybersecurity on the ballot.
Episode Date: August 20, 2024

The Dems' 2024 party platform touches on cybersecurity goals. The feds warn of increased Iranian influence operations. A severe security flaw has been discovered in a popular WordPress donation plug-in. The Lazarus Group exploits a Windows zero-day to install a rootkit. Krebs on Security takes a closer look at the significant data breach at National Public Data. Toyota confirms a data breach after their data shows up on a hacking forum. A critical Jenkins vulnerability is added to CISA's Known Exploited Vulnerabilities catalog. Cybercriminals steal credit card info from the Oregon Zoo. Guest CJ Moses, CISO at Amazon, discussing partnership and being a good custodian of the community in threat intel and information sharing. CISA gets new digs.

Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Guest CJ Moses, CISO at Amazon, speaks with N2K's Brandon Karpf about partnership and being a good custodian of the community in threat intel and information sharing at re:Inforce 2024.

Selected Reading
Democratic Party Platform Contains Three Cyber Goals (Metacurity)
US warns of Iranian hackers escalating influence operations (Bleeping Computer)
Critical WordPress Plugin RCE Vulnerability Impacts 100k+ Sites (Cyber Security News)
Windows driver zero-day exploited by Lazarus hackers to install rootkit (Bleeping Computer)
National Public Data Published Its Own Passwords (Krebs on Security)
Toyota confirms breach after stolen data leaks on hacking forum (Bleeping Computer)
Critical Jenkins vulnerability added to CISA's known vulnerabilities catalog (SC Media)
Cybercriminals siphon credit card numbers from Oregon Zoo website (The Record)
CISA to Get New $524 Million Headquarters in DC, Backed by Inflation Reduction Act Funding (SecurityWeek)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k at checkout.
The Dems' 2024 party platform touches on cybersecurity goals.
The feds warn of increased Iranian influence operations.
A severe security flaw has been discovered in a popular WordPress donation plug-in.
The Lazarus Group exploits a Windows zero-day to install a rootkit.
Krebs on Security takes a closer look at the significant data breach at National Public Data.
Toyota confirms a data breach after their data shows up on a hacking forum.
A critical Jenkins vulnerability is added to CISA's known exploited vulnerabilities catalog.
Cybercriminals steal credit card information from the Oregon Zoo.
Our guest is CJ Moses, CISO at Amazon,
discussing partnerships and being a good custodian of the community
in threat intel and information sharing.
And CISA's getting new digs.
It's Tuesday, August 20th, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today. It is great to have you with us.
The Democratic Party kicked off their presidential nominating convention last night,
and just ahead of that, they released the Democratic Party's 2024 platform,
which includes three key cybersecurity goals.
Despite a late-stage switch in the presumptive nominee from President Biden to
Vice President Harris, the platform remains largely unchanged. It mentions combating cyber
threats within the context of criminal justice, protecting children online, and bolstering
military cyber capabilities. Although the platform is brief on cybersecurity, both Harris and her running mate, Governor Tim Walz, have significant records in this area.
Harris has focused on cybersecurity and foreign policy, AI safety, and space security,
while Walz has issued cybersecurity executive orders and supported data privacy measures.
The Harris-Walz campaign hasn't detailed their cybersecurity
strategy yet, but they're expected to continue the Biden administration's initiatives.
The U.S. government has issued a warning about increased cyber efforts from Iran
aimed at influencing upcoming elections. A joint statement from the ODNI, FBI, and CISA
revealed that Iran is conducting cyberattacks
to access sensitive election-related information, intending to undermine trust in U.S. democratic institutions.
The advisory highlights Iran's heightened interest in this election due to its potential impact on Tehran's national security,
leading to more aggressive cyber activities targeting
presidential campaigns and the public. Recent incidents include an Iranian breach of former
President Trump's campaign and increased misinformation efforts using platforms like
ChatGPT. Reports from Microsoft and Meta confirm elevated Iranian cyber activities,
with Iran being the second most frequent source
of foreign interference following Russia. U.S. authorities urge stakeholders to report suspicious
activity and assure the public that election infrastructure remains secure. A severe security
flaw has been discovered in the popular WordPress donation plugin GiveWP, which has over 100,000 active installations.
The vulnerability, classified as an unauthenticated PHP object injection leading to remote code execution,
was reported through the Wordfence bug bounty program on May 26th and has been assigned a CVE with a maximum score of 10.0.
The flaw allows attackers to inject malicious PHP objects via the give_title parameter,
potentially leading to remote code execution and file deletion.
After attempts to contact the plugin's developers, StellarWP, Wordfence escalated the issue to
WordPress.org. A patched version was released on August 7th. WordPress site administrators are strongly urged to update immediately and perform security audits to mitigate the risk of exploitation.
The Lazarus hacking group exploited a zero-day flaw in the Windows AFD.sys driver to install the FudModule rootkit on targeted systems.
This vulnerability, part of a bring-your-own-vulnerable-driver attack,
allowed the attackers to gain kernel-level privileges and evade detection
by disabling Windows monitoring features.
Microsoft patched the flaw during its August 2024 Patch Tuesday,
addressing it alongside seven other zero-day vulnerabilities.
The AFD.sys flaw was discovered by Gen Digital researchers, who reported that Lazarus exploited
it as a zero-day to infiltrate systems without needing to install older detectable drivers.
The vulnerability's severity lies in its presence on all Windows devices by default.
This attack is believed to be related to a broader campaign targeting Brazilian cryptocurrency professionals.
Lazarus is infamous for high-profile cyberattacks,
including the 2014 Sony Pictures hack and the 2017 WannaCry ransomware campaign.
Krebs on Security takes a closer look at the significant data breach at National Public Data,
a consumer data broker, which exposed the social security numbers, addresses,
and phone numbers of hundreds of millions of Americans. The breach, dating back to December of 2023,
was first exploited by a cybercriminal named USDOD,
who began selling the stolen data in April of 2024.
By July, over 272 million records were leaked online. Further investigation revealed that a sister site, recordscheck.net,
accidentally published usernames and passwords to its back-end database, exposing sensitive information.
The breach involved the mishandling of credentials and outdated site versions, further compromising security.
This incident underscores the importance of freezing credit files to protect against identity theft,
as stolen data is now widely available to cybercriminals.
Toyota confirmed a data breach after the threat actor ZeroSevenGroup leaked 240 gigabytes of data
on a hacking forum. The stolen data includes information on Toyota employees, customers,
contracts, financial details, and network infrastructure,
which the attackers reportedly accessed using the ADRecon tool.
Toyota acknowledged the breach but stated it was limited in scope and not a system-wide issue.
They're working with affected individuals but have not disclosed when the breach occurred or how it happened.
The files were likely stolen on December 25th of 2022. This breach follows several other incidents
involving Toyota, including a Medusa ransomware attack in 2022 and multiple data leaks due to
cloud misconfigurations, prompting the company to implement automated monitoring systems.
A critical vulnerability in the Jenkins CI/CD automation server has been added to CISA's known exploited vulnerabilities catalog due to its potential for remote code execution
and theft of sensitive information.
The flaw, with a CVSS score of 9.8, was exploited by the RansomEXX ransomware group in a supply chain attack against Brontoo Technology Solutions, impacting C-Edge Technologies customers, primarily rural banks in India.
2024 and affecting Jenkins versions 2.441 and earlier, the vulnerability allows attackers to read files on the Jenkins controller system and potentially escalate privileges to execute
arbitrary code. Despite the patch released in January, over 28,000 Jenkins servers remain
vulnerable as of August of this year. The flaw can also lead to decrypting secrets,
deleting items, and accessing sensitive information through various RCE conditions.
Cybercriminals stole credit card information from over 100,000 individuals by compromising
the Oregon Zoo's website. The attack, which redirected online transactions to unauthorized
actors, occurred between December 20th of 2023 and June 26th of this year. The breach was
discovered in late June, leading the zoo to decommission its site and investigate.
The compromised data includes names, payment card numbers, CVV codes, and expiration dates. In total, nearly
118,000 people were affected, but no animals, and the zoo has notified federal law enforcement and
offered credit monitoring services to victims. This incident is part of a broader trend in payment
skimming attacks, where hackers embed malware on e-commerce sites to steal credit card information.
The Oregon Zoo is one of several zoological organizations targeted recently,
highlighting the ongoing threat posed by e-skimming to online payment systems.
Coming up after the break, CJ Moses, CISO at Amazon,
discusses partnerships and being a good custodian of the community.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
The CyberWire's executive editor, Brandon Karpf,
recently sat down with CJ Moses, CISO at Amazon.
They discussed partnerships and being a good custodian of the community
in threat intel and information sharing.
Here's their conversation.
I am here today at AWS re:Inforce with CJ Moses.
CJ is the CISO of Amazon.
CJ, always great to have you back on the podcast.
Thanks for joining us.
Always love to be here.
Thank you.
So it's been a great event so far.
We've covered pretty much every topic there is to cover in security at re:Inforce, naturally.
Although the one topic we haven't hit and that I really want to hit with you is this idea of key partnerships, key custodianship around the idea of threat intel,
information sharing. So from your perspective, at the highest levels of Amazon, the security
enterprise, can you talk us through your vision for threat intel and information sharing?
Yeah, absolutely. One of the things at Amazon that
we have, given that we have about a quarter of the internet's IP space, that means we also have
at a minimum a quarter of the vision across all of the internet. And with that comes a responsibility
to make sure that you're a good custodian of the information that you learn by having that
environment. And what we've done over the years
from a threat perspective is to instrument our environment with different sensors to be able to
see what's going on. Obviously, those sensors, we talked about MadPot, and Chris brought up a mention
today during his keynote of Sonaris. So MadPot is essentially honeypots within EC2,
as a basic way to explain it.
And then subsequently, Sonaris is essentially both a scanner
as well as a layer four network logging aggregator,
and subsequently is able to identify aberrations in the logs
and things of that nature.
And tying those things all together ultimately,
along with other information, creates what today we would consider threat intelligence. And that would be tactics,
techniques, procedures, whatever you want to, TTPs or indicators of compromise,
based upon all of that information, as well as the precursors to all of those.
You start to see a lot of the, you know, scenarios and things like that are actually blocking billions, well, billions
in the case of S3, enumerations of S3 buckets, and 2.6 trillion attempts at looking for vulnerabilities
on EC2 instances. So when you're talking about billions and trillions of things that are happening,
this is not something that's done manually.
This is definitely a mechanized means
by which to aggregate the information,
identify the aberrations beyond the things
that we automatically defend against,
and then subsequently use that information
in order to be able to defend against that.
And we do that in a very automated fashion
for those that are customers of AWS,
just given in Amazon as a whole in a lot of ways,
just given the mechanistic interactions
between the sensor systems
and subsequently to the actual, the S3s, the VPCs,
all the parts of AWS,
as well as the security services like GuardDuty
and Inspector and things like that.
But above and beyond even all of that, then there's the information that potentially gets
outside of that scope, where it's not maybe directly in an automated fashion, where we'll
actually have threat information that we want to share with someone either in the community
or otherwise.
And a lot of that goes back to being able to either make notification to a customer, literally through a messaging type
of thing, or take it even to a step further to non-customers outside of that. So there's a lot
of different ways that we endeavor to do so, as well as providing general notifications to CISA
and places like that, of
trends or things that we're seeing or anything that's a big aberration that may be, you know,
something that we need to, as a community, jump on.
And, you know, having come from that world myself, you know, to what extent are you able to support that mission set and drive good information,
good, you know, open source intelligence to those users who
might actually be able to take action where the rest of us in the private sector can't.
So straight up, the best thing that we can do with threat information is provide that threat intel
to those that can act upon it. The FBI has the ability within the United States to act upon it
when it comes to especially criminal
groups or otherwise. And as much attribution we can provide as well is helpful to them.
And if we're able to derive and provide clear information, they're able to clearly act on it.
And as much as we can be there to support that kind of activity to keep bad things from happening
to our customers, we're all about that. Obviously, we maintain the privacy and confidentiality of our customers. We're not sharing any of their
information. This is more broad brush, TTPs, IOCs, things of that nature where we're able to share
and not break that trust that we have with our customers. At the same time, our customers expect
us to defend them. So part of that defense is sharing with the likes of the FBI or international
law enforcement or intelligence agencies that are in a position to stop the things from happening.
The best way to stop things from happening is to go to the source. And if you can take out the
source, all the better. We have to always remember that the computers aren't attacking the computers.
There's humans on a keyboard somewhere that are actually behind that. And that's, you know, last year at re:Inforce,
I spent a lot of time talking about that. And that still hasn't changed. There's still humans
behind the keyboard. Even if you have Gen AI helping them, there's still a human there.
And that's the type of thing that if we can assist law enforcement, the intel community, actually even other customers or other companies that are even outside of our ecosystem, we're more than glad to do so. Because we have that responsibility, that sense of responsibility that if we have the information that can stop something bad from happening, we're going to share it with those that can do so.
Okay.
Can you give us a tangible
example of providing the critical information for someone to take action on? Yeah. I'll take
one of the examples where it's not a customer. It was a non-customer. We had shared some information
during daylight hours with their IR team of a multinational large fast food restaurant.
And they, my team advised me later in the evening that we're not getting a real reaction.
They said, no, we dealt with that.
It's not an issue anymore.
And we continued to see the activity because of those sensors that we have.
We can see some of the backscatter on the internet from this particular attack that was going on.
What type of indicators are you seeing?
So we were actually seeing traffic that was emanating off of their networks onto ours
that were indicators of compromise for a particular threat. And they thought they had,
that particular company thought they had gotten that threat out of their environment.
They had done an incident response.
They had done all the things they thought they should do.
But advanced persistent threats, or APTs, as they're now known,
they weren't known as that 20 years ago when I was doing this for a living early days,
but are very persistent.
And in their case, they were persisting.
And so we weren't getting the right response
out of that team.
So, you know, in good Amazonian fashion,
I asked to escalate.
I said, I will call and hunt down their CISO.
And it took me till 2 a.m. in the morning
and finally was able to get to the CISO of that company
through friends that knew them
such that there was a reason for them to get up at 2 a.m. So, you know, CJ is not one that's going to call you at 2. He
doesn't want to be up at 2 a.m. himself. He's not going to call you at 2 a.m. So, we actually...
You have a race the next day or something like that.
Yeah, exactly. You know, got to keep the race car going. Don't want to be tired in the car. That's
bad. But, you know, was able to wake him up and we had a quick
discussion. I was like, hey, I'm not waking you up to tell you something that you already know.
You had an issue, you thought you fixed it. My data, real time, still continues to say that you have an
issue. Your team is telling me you do not. I want you, as the CISO, just as I would expect you to
tell me that there's an issue, and I was like, I want to share with you live real-time logs.
And I started just, you know, hacking the keyboard and sending stuff over,
screenshots of logging that we were having that was going on.
And he was like, oh, this is bad.
So he was like, can I conference in the head of my IR team?
I was like, you do that.
I'm going to conference in my guy.
So our two people that
were responsible for, you know, my, my threat intel slash IR team was actually, I brought one
of the, one of the people in and he brought his team in. And before we were done, he and I went
off to bed and left them to work through the details. But it was very clear that it was a useful
type of engagement. And it was one of those phone calls that, you know, at 2 a.m. you never expect for somebody to thank you for
waking them up in the middle of the night, but he for sure did. And, you know, they weren't a
customer, but lo and behold, because of that trust building exercise, that wasn't intended to be one.
They became a customer soon thereafter.
And apparently if you are actually, you know,
running a secure infrastructure
and you help others to keep theirs secure,
all of a sudden, I guess that's marketing,
but not my space, but that seems how it works out.
You know, as we used to say in the service,
one team, one fight, right?
Roger that.
And that, you know, that example of partnership,
of collaboration, of doing it for the security
of the enterprise, of the whole community.
I mean, there is altruism in security.
Absolutely.
And that's one of the things we see
across the industry as a whole.
Not all clouds can be as secure as ours. And we work with all the
other providers in order to try to help them with any of the threat that we learn of and vice versa.
So, I mean, within that ecosystem, if you will, it allows us to be able to, you know, one fight,
one team when it comes to securing, you know, stuff from the bad guys.
We want the good guys to be taken care of and the bad guys not to be.
We got to keep up the good fight against those APTs.
Well, CJ, as always, it's great to have you on the podcast.
We look forward to having you back on again soon.
Oh, my pleasure. Thank you.
That's CJ Moses, CISO at Amazon, speaking with N2K's Brandon Karpf.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com
today to see how a default-deny approach can keep your company safe and compliant.
And finally, the U.S. General Services Administration and the Department of Homeland Security just handed out a healthy $524 million to build a shiny new headquarters
for the Cybersecurity and Infrastructure Security Agency.
Nestled in Washington, D.C.'s St. Elizabeth's West Campus,
this new CISA headquarters is set to be the crown jewel of cybersecurity with all the bells and whistles, including a $115 million boost from the Inflation Reduction Act earmarked for low-carbon materials like eco-friendly asphalt and steel,
and another $35 million to hit those high-performance green building standards.
The result? A 630,000-square-foot energy-efficient cyber fortress that'll make other federal buildings green with envy.
With features like chilled beams, advanced lighting controls,
and a building envelope that's basically a high-tech blanket, CISA's new digs are setting
the bar high, because even cybersecurity needs a swanky, sustainable home.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
We're privileged that N2K Cyber Wire is part of the daily routine of the most influential leaders and operators in the public and private sector,
from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams
while making your teams smarter. Learn how at n2k.com. This episode was produced by Liz Stokes.
Our mixer is Trey Hester with original music and sound design by Elliot Peltzman.
Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf.
Simone Petrella is our president.
Peter Kilpe is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Thank you.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.