CyberWire Daily - Guarding the Vote
Episode Date: October 31, 2024

CISA spins up an election operations war room. Microsoft neglected to restrict access to gender-detecting AI. Yahoo uncovers vulnerabilities in OpenText's NetIQ iManager. QNAP issues urgent patches for its NAS devices. Sysdig uncovers Emerald Whale. A malvertising campaign exploits Meta's ad platform to spread the SYS01 infostealer. Senator Ron Wyden wants to tighten rules aimed at preventing U.S. technologies from reaching repressive regimes. Researchers use AI to uncover an IoT zero-day. Sophos reveals a five-year battle with firewall hackers. Our guest is Frederico Hakamine, Technology Evangelist from Axonius, talking about how threats both overlap and differ across individuals and critical infrastructure. Be afraid of spooky data. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Our guest is Frederico Hakamine, Technology Evangelist from Axonius, talking about how threats both overlap and differ across individuals and critical infrastructure.

Selected Reading
CISA Opens Election War Room to Combat Escalating Threats (GovInfo Security)
Agencies face 'inflection point' ahead of looming zero-trust deadline, CISA official says (CyberScoop)
Microsoft Provided Gender Detection AI on Accident (404 Media)
Yahoo Discloses NetIQ iManager Flaws Allowing Remote Code Execution (SecurityWeek)
QNAP patches critical SQLi flaw (Beyond Machines)
EMERALDWHALE: 15k Cloud Credentials Stolen in Operation Targeting Exposed Git Config Files (Sysdig)
Fake Meta Ads Hijacking Facebook Accounts to Spread SYS01 Infostealer (Hackread)
Exclusive: Senator calls on Commerce to tighten proposed rules on exporting surveillance, hacking tech to problematic nations (CyberScoop)
GreyNoise Intelligence Discovers Zero-Day Vulnerabilities in Live Streaming Cameras with the Help of AI (GreyNoise)
Inside Sophos' 5-Year War With the Chinese Hackers Hijacking Its Devices (WIRED)
Pacific Rim: Inside the Counter-Offensive—The TTPs Used to Neutralize China-Based Threats (Sophos News)
Spooky Data at a Distance (LinkedIn)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today, get 20% off your Delete Me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout.
That's joindeleteme.com/n2k, code n2k.
CISA spins up an election operations war room.
Microsoft neglected to restrict access to gender-detecting AI.
Yahoo uncovers vulnerabilities in OpenText's NetIQ iManager.
QNAP issues urgent patches for its NAS devices.
Sysdig uncovers Emerald Whale.
A malvertising campaign exploits Meta's ad platform to spread the SYS01 infostealer.
Senator Wyden wants to tighten rules aimed at preventing U.S. technologies from reaching repressive regimes.
Researchers use AI to uncover an IoT zero-day.
Sophos reveals a five-year battle with firewall hackers.
Our guest is Frederico Hakamine, technology evangelist from Axonius,
talking about how threats both overlap and differ across individuals and critical infrastructure. And you know what day it is.
Be afraid of spooky data.
It's Thursday, October 31st, 2024.
I'm Dave Bittner, and this is your Spooky CyberWire Intel Briefing.
Happy Halloween, everyone, and thank you for joining us here today.
The Cybersecurity and Infrastructure Security Agency, led by Jen Easterly, has launched an election operations war room to assist election officials and counter threats ahead of the 2024 U.S. presidential election.
This temporary office aims to coordinate national support and deploy resources where needed as cyber and physical threats rise. Easterly noted that
misinformation is a growing challenge, often spread by foreign adversaries to undermine public
trust in the electoral process. Incidents have already been reported, including attempted foreign interference and
attacks on campaign data. CISA, working with federal agencies and private sector partners,
has intensified its security efforts to protect election infrastructure. Congress has raised
concerns over a separate hacking incident linked to Chinese telecoms targeting U.S. communications infrastructure, which authorities
are now investigating. Despite the tense security landscape, Easterly has been reassuring voters,
stating that U.S. election security has been significantly strengthened to ensure the
integrity of each vote. As federal agencies prepare to submit updated zero-trust implementation plans,
CISA's Shelley Hartsook reports significant progress since OMB's 2022 zero-trust mandate.
Speaking at the Cyber Talks event in Washington, D.C. yesterday,
Hartsook noted improvements in multi-factor authentication implementation across agencies,
with standard MFA use rising from 53% to 80%,
and phishing-resistant MFA increasing from 46% to 71%.
CISA has strengthened its support, holding numerous training workshops and partnering
with the Cloud Security Alliance for further training on micro-segmentation and zero-trust
for operational tech.
In 2022, Microsoft pledged to phase out its AI tools for detecting age, emotion, and gender,
citing ethical concerns and risks to marginalized groups, especially transgender individuals.
However, recent findings reveal that Microsoft's gender detection tool
remained accessible to some users.
The artist Ada Ada Ada discovered she could still use the older version
of Microsoft's image analysis API to classify age and gender,
despite Microsoft's announcement to retire these capabilities.
Microsoft attributed this oversight to an error allowing limited unintended access,
which it says has now been corrected.
Critics argue this reflects a broader trend in ethical AI,
where commitments to responsible practices are inconsistently enforced.
Yahoo's vulnerability research team, which goes by the name the Paranoids,
uncovered 11 vulnerabilities in OpenText NetIQ iManager, a tool for secure enterprise directory
management. These flaws, if exploited together, could allow remote code execution, file upload,
and privilege escalation, among other risks.
Four vulnerabilities were detailed as particularly severe.
Attackers could exploit these by tricking users into accessing malicious websites,
potentially gaining administrator credentials and control over downstream directory services,
which store sensitive user account data.
Patches were released in April.
QNAP has issued urgent patches for critical vulnerabilities in its network-attached storage devices,
including a severe SQL injection flaw that allowed researchers at Pwn2Own Ireland 2024
to gain root access on a QNAP TS-464 model.
Another zero-day vulnerability in QNAP's HBS 3 Hybrid Backup Sync was also patched
after enabling arbitrary command execution.
Given QNAP's attractiveness for ransomware due to its sensitive data storage,
users should immediately update their devices via the App Center to secure against these risks.
The Sysdig threat research team recently uncovered Emerald Whale,
a global campaign targeting exposed Git configuration files,
resulting in the theft of over 15,000 cloud service credentials.
Attackers exploited these misconfigurations to access and clone private repositories,
extracting sensitive information
and storing it in a publicly accessible S3 bucket.
The stolen credentials,
primarily from cloud service providers,
are likely used for phishing, spam, and resale.
Emerald Whale automated scanning to locate vulnerable repositories,
focusing on .git/config and Laravel .env files, which often contain sensitive data. Sysdig reminds users
this incident highlights the need for vigilant exposure management and continuous monitoring,
as secret management alone is insufficient for comprehensive security.
A malvertising campaign is exploiting Meta's ad platform to spread the SYS01 infostealer,
targeting men over 45 with fake ads for popular software.
The malware steals Facebook credentials, especially from users managing business pages,
and uses these compromised
accounts to create new malicious ads, thus fueling a self-sustaining cycle. The attack disguises
itself through a wide range of trusted brands, from Office 365 to Netflix, and relies on an
Electron app to evade detection. Impacting users globally, the malware poses significant risks,
especially in the EU and North America.
In an exclusive for CyberScoop, Tim Starks reports that
Senator Ron Wyden has urged the U.S. Commerce Department
to tighten proposed rules aimed at preventing U.S. technologies
from reaching repressive regimes that could misuse them for surveillance and human rights abuses.
The 2022 law behind these rules expanded controls to foreign police and intelligence,
inspired by a UAE case where former U.S. operatives allegedly used cyber tools against targets, including Americans.
Wyden argues the rules should cover more countries beyond the current list of 23 nations, specifically naming countries with
poor human rights records like Egypt, Saudi Arabia, and the UAE. He also advocates closing
a loophole allowing foreign companies to bypass restrictions by not disclosing client lists
and recommends extending controls to all biometric technologies,
not just facial recognition.
This proposal aligns with the Biden administration's
new restrictions on investments in sensitive tech
that could strengthen China's military and cyber capabilities.
Researchers at GreyNoise have used AI
to uncover zero-day vulnerabilities in IoT-connected live streaming cameras
deployed in critical sectors like healthcare, industry, and houses of worship.
The discovery followed an automated exploit attempt detected by GreyNoise's honeypot, where AI flagged the unusual activity.
Analysis showed attackers could gain full control of the cameras, manipulate video feeds, disable operations, or use the devices in botnet
attacks. This case highlights AI's potential in accelerating zero-day detection, allowing
GreyNoise to intercept and report the vulnerabilities before widespread exploitation.
Wired's Andy Greenberg chronicles a five-year battle between Sophos and a group of hackers exploiting vulnerabilities in its firewall products, leading to a detailed report highlighting
the cybersecurity industry's struggle with inherent risks in network security devices.
Sophos tracked the attacks to a network of vulnerability researchers in Chengdu, China,
linked to state-aligned groups like APT41.
The hackers initially launched widespread attacks before transitioning to more targeted
efforts against critical sectors, including military, government, and energy facilities
in Asia and beyond.
To counter the attackers, Sophos deployed surveillance implants on the hackers' test
devices and preempted further attacks by intercepting malware samples. However,
as hacking techniques evolved, Sophos observed the attackers exploiting outdated, unsupported
devices. The report underlines
the risk of unpatched end-of-life devices as entry points and calls for transparency and
rigorous end-of-support policies within the industry, emphasizing the need for ongoing
vigilance as the threat landscape continues to shift.
Coming up after the break, my conversation with Frederico Hakamine from Axonius. We're talking about how threats both overlap and differ across individuals
and critical infrastructure. Stay with us. Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time
checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows
like policies, access reviews, and reporting, and helps you get security questionnaires done
five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Frederico Hakamine is technology evangelist at Axonius. I recently caught up with him to talk about how threats both overlap and differ across individuals and critical infrastructure.
Many sectors will have differences in two things.
The first one is who they are and what they are subject for as part of that responsibility. And the second one is what they have. We're talking
about infrastructure, we are talking about the people they work for and things of that nature.
Great example of that, carrying over to a sector. If you are in critical infrastructure,
let's say you are part of a very important healthcare company
or if you work on the energy industry, basic infrastructure,
like I said, you cannot help but be a target of nation-state attackers
because that can really affect people, affect politics,
affect general infrastructure that people use to live and to have the basics.
But if you work in e-commerce or if your company is on the e-commerce space, chances are you're much more subject to scopers or to DDoS attackers or to credit card fraud.
So depending on the sector and who you are, you get that challenge.
But depending on your technology, you also get different kinds of challenges. So let's say there are two companies
in the same space. One company uses Kubernetes in infrastructure as a code like Terraform,
and the other one doesn't. So what that changes for you as a company is that that will greatly
change the variety of assets
and things you need to protect, the skills that you need to protect those things, and
how those things keep changing every day.
Infrastructure as a code, an hour ago, you had 10,000 assets to protect.
And then tomorrow, because there's a spike in your website, you have 100,000.
So those are the main differences
when it comes to individuals versus sectors
versus things that are personal to you as a company.
Make sense?
It does.
So what are the practical implications then?
I mean, is this primarily a matter of security pros
having to evaluate this
and then dial in what's appropriate
for their individual
situation? There's a little bit of that, but there's a little bit of also skills in how much
things you need to protect. So coming up to the first thing we talked about, like depending on the
kind of attacker who's targeting you, you need to take different strategies.
If there's a nation state attacker, chances are you're going to get a certain kind of attack pattern.
Whereas if you're a company at a low key, low profile, you're going to have much more social attacks or much more generic attacks, not specific targeted to you.
That's one.
But to the infrastructure, what that does, it really changes the kind of skills that you got to have
in the kind of cognitive load that you need
in order to secure something.
So let's say if you are a company in the past and you have just servers and bare metal to
protect, that will require you to have certain skills.
But if you have multiple cloud vendors and virtual machines and those virtual machines
handle containers, that requires much more skills.
That makes you as a cybersec pro have a lot more to carry on and take care of.
What about scalability?
You know, as a company grows and their attack surface changes in size,
how do you approach that?
Yeah, so as companies grow, both in technology and also in size,
they have that change in threat surface.
It's growing in number, it's growing in variety, and it's growing in rate of change. We gave some examples over here.
And to make matters worse, there is
a very strong cybersecurity pro shortage. Companies can only
fill 70% of the job openings here in the States.
Unfilled security jobs in 2024, we're talking about three and a half million people,
or like enough to fill 50 NFL stadiums.
So to address that,
like security pros need to think about the root cause.
When I think about that,
it's like kind of providing new tools
to fight the asymmetric battle.
Much more than, and especially important,
of course, we need to invest in defense in depth,
having a good device strategy, having a good identity strategy, having a good overall strategy
to help you as an individual cover as many systems as possible with the time you already have,
with the mental bandwidth you already have. So we're talking about automating assessment,
having insights to remove the cognitive load, and automating remediation too.
How do you communicate this strategy to the various stakeholders in your organization here to help them understand how you're setting your priorities and using the various resources that you have?
Yeah, I like to think that it all comes back to the basics of security.
When we communicate with stakeholders, think about it, right?
Security is always being in a conversation about risk trade-off.
There's no such a thing as zero risk.
I mean, there is not doing anything like, hey, I won't start a business.
So there's zero risk with that.
But ever since you do it, you have a risk conversation
to have with your stakeholders.
In the language of risk
and risk trade-offs,
it's what makes it stick.
It's what makes people understand.
So I have,
my workforce have
this amount of cybersecurity pros
and we have this amount
of things to protect,
whether those are people
or technology.
With our time, we can take care of these amount of things.
And from now on, we need to start prioritizing,
like what's higher risk, what's lower risk.
Sounds extremely basic, I know.
But having the mechanisms and the tooling
and the processes that allow you to have
these basic conversations in basic risk language is what allows you to carry intelligent conversations with your leaders and even more so with the people you are mobilizing, right?
A lot of the issues we find, they get fixed by IT.
They get fixed by the SREs running our production systems.
So level setting into the risk conversation,
the risk trade-off really simplifies that conversation.
What are your recommendations for organizations
who are at the early stages of this journey?
They understand that this is something they want to focus on.
This is a technique they want to adopt.
What's the best way to get started?
I think the best way is to first ask yourself some basic questions and seeing your level
of confidence on that.
I'll say three questions out loud here that could help you see how you are in the journey.
The first one is like, think about an asset that you have in your company.
Maybe these are devices, these are identities, maybe these are SaaS applications.
And ask yourself and your peers, like, how many of those we have?
If you start getting different numbers and different answers, it means like
there might be a gap. The second kind of question is like,
hey, we got an urgency to solve insecurity and we got to
mobilize IT.
If there's like a very hard conversation around prioritization,
or the last question is like,
how confident we are on the things we're securing.
If you get like very confident on the things where,
let's say things that you control,
the devices that belong to your company,
but you don't have much on BYOD or other gaps,
that can tell you like, hey, I need to do something about it.
When it comes to doing something, I'm a strong believer that if you cannot measure, you cannot
secure well, you cannot formulate the basis of a very strong risk conversation.
So looking at solutions and alternatives that give you a good view of your cyber asset management
can be a great baseline for discovery, insights, and automation.
So think about those things like formulating a good baseline, answering those three questions
with confidence that will greatly help you see the basics.
And from there, it's like building a snowball.
We see automation coming in many different places, shapes and forms.
And I highly recommend that you as a leader or as a cybersec pro start looking at, like, how do I build my work in an automated way?
Every day I wake up, I know what I need to protect.
I know how, what is at a greater risk, not only based on external scenes, but based on my internal information.
And especially the triage is already pre-automated.
That's Frederico Hakamine from Axonius.
Thank you.
by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing
sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your
company safe and compliant.
And finally, in an article on LinkedIn,
Simson Garfinkel, chief scientist at BasisTech,
shares a Halloween-themed essay on spooky data
that draws a parallel between quantum
entanglement and data privacy. Just as entangled particles influence each other at a distance,
spooky data connects seemingly separate data points, affecting one when the other changes.
In cybersecurity, public and private keys act as an entangled pair,
where deleting a private key enhances a server's security without changing the server itself.
A relatable example of spooky data involves data de-identification.
Suppose a teacher shares a seemingly anonymized class average.
Knowing one student's grade can reveal all other students' scores, demonstrating
how partial data disclosure can expose private information. This is a risk explained by the
fundamental law of information recovery, highlighting that without differential privacy,
releasing statistical information can compromise data privacy. Differential privacy adds randomization
to mask exact values, though occasionally resulting in surprising figures, like a class
average above 100, thus preserving privacy while keeping data largely accurate. So,
just when you thought your data was safe, along comes spooky entanglement with a ghostly surprise.
And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing
at thecyberwire.com. We'd love to know what you think of this podcast. It's your feedback that brings
our insights to life and keeps them from haunting your inbox. If you like our show, please share a
rating and review in your favorite podcast app. For an extra treat, fill out the survey in the
show notes or send an email to cyberwire at n2k.com. It's no trick. We are honored that
N2K Cyber Wire is part of the daily routine
for the most influential leaders and operators in the public and private sectors,
from the Fortune 500 to some of the world's most spirited intelligence and law enforcement agencies.
N2K makes it frightfully easy for companies to optimize their most valuable asset.
Their people will make you sharper about your teams while making your teams eerily effective.
Learn how at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester,
with original music and sound design by Elliot Peltzman.
Our executive producer is Jennifer Iben.
Our executive editor is Brandon Karp.
Simone Petrella is our president.
Peter Kilpie is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Or will we?
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.