CyberWire Daily - Hackers strike LiteSpeed cache again.

Episode Date: August 23, 2024

The exploitation of the LiteSpeed Cache WordPress plugin has begun. Halliburton confirms a cyberattack. Velvet Ant targets Cisco Switch appliances. The Qilin ransomware group harvests credentials stored in Google Chrome. Ham radio enthusiasts pay a million dollar ransom. SolarWinds releases a hotfix to fix a hotfix. A telecom company will pay a million dollar fine over President Biden deepfakes. The Justice Department is suing the Georgia Institute of Technology and an affiliated company for allegedly failing to meet required cybersecurity standards for Pentagon contracts. Today’s guest is Dustin Moody, mathematician at NIST, speaking with N2K's Brandon Karpf about post-quantum encryption standards. When it comes to phishing simulations, sometimes the cure is scarier than the disease.

CyberWire Guest
Today’s guest Dustin Moody, mathematician at NIST, talks with N2K's Brandon Karpf about their first 3 finalized post-quantum encryption standards. You can hear more of Brandon and Dustin’s conversation as they go into more detail on the individual standards on Sunday in our Special Edition podcast. Stay tuned. You can read more on the newly-released standards here. Want to learn more about what post-quantum cryptography is? Check out this resource from NICE.
Selected Reading
Hackers are exploiting critical bug in LiteSpeed Cache plugin (Bleeping Computer)
Oil industry giant Halliburton confirms 'issue' following reported cyberattack (The Record)
China-Nexus Threat Group ‘Velvet Ant’ Exploits Zero-Day on Cisco Nexus Switches (Sygnia)
Qilin ransomware now steals credentials from Chrome browsers (Bleeping Computer)
ARRL IT Security Incident - Report to Members (ARRL: The National Association for Amateur Radio)
SolarWinds Leaks Credentials in Hotfix for Exploited Web Help Desk Flaw (SecurityWeek)
Telecom company hit with $1 million penalty over AI-generated fake Biden robocalls (The Record)
DOJ sues Georgia Tech over allegedly failing to meet cyber requirements for DOD contracts (CyberScoop)
Uni phishing test based on fake Ebola scare prompts apology (The Register)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. The exploitation of the LiteSpeed Cache WordPress plugin has begun. Halliburton confirms a cyber attack. Velvet Ant targets Cisco Switch appliances. The Qilin ransomware group harvests credentials stored in Google Chrome.
Starting point is 00:02:15 Ham radio enthusiasts pay a million-dollar ransom. SolarWinds releases a hotfix to fix a hotfix. A telecom company will pay a million-dollar fine over President Biden deepfakes. The Justice Department is suing the Georgia Institute of Technology for allegedly failing to meet required cybersecurity standards for Pentagon contracts. Our guest today is Dustin Moody, mathematician at NIST, speaking with N2K's Brandon Karpf about post-quantum encryption standards. And when it comes to phishing simulations, sometimes the cure is scarier than the disease. It's Friday, August 23rd, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Starting point is 00:03:22 So thanks for joining us here today. It is great to have you with us. Hackers have begun exploiting a severe vulnerability in the LiteSpeed Cache WordPress plugin just a day after its technical details were disclosed. The vulnerability affects all versions up to 6.3.0.1 and allows attackers to escalate privileges without authentication. The flaw originates from a weak hash check in the plugin's user simulation feature, enabling attackers to brute force the hash value and create rogue admin accounts,
Starting point is 00:03:57 leading to complete site takeovers. Over 5 million sites use LiteSpeed Cache, but only 30% have updated to a safe version, leaving millions vulnerable. Wordfence has detected over 48,500 attacks exploiting this flaw in just 24 hours. Users are urged to upgrade to version 6.4.1 or uninstall the plugin to protect their websites. This is the second major security issue with LiteSpeed Cache this year. Halliburton, one of the largest oil field services companies, confirmed that its networks were impacted by a cyber attack, as first reported by Reuters.
Starting point is 00:04:39 The incident, which occurred on Wednesday, appears to have affected operations at the company's Houston headquarters, though it's unclear if other locations were impacted. Halliburton employs nearly 48,000 people globally and generated over $23 billion in revenue last year. The nature of the cyberattack remains unspecified, but some staff were reportedly told not to connect to internal networks. Halliburton is working with external experts to address the issue and has activated its response plan. Despite the attack, the company's stock remained stable. The incident highlights ongoing cyber threats to the petroleum sector,
Starting point is 00:05:19 though experts say disruptions to Halliburton's operations are unlikely to affect gas supplies. Researchers from Sygnia document the threat group Velvet Ant, who earlier this year exploited a zero-day vulnerability in Cisco switch appliances, enabling them to evade detection and maintain long-term access within networks. This vulnerability allowed attackers with admin credentials to bypass the NX-OS command line interface and execute arbitrary commands on the underlying Linux OS,
Starting point is 00:05:55 leading to the deployment of custom malware named Velvet Shell. The malware operates invisibly, making detection by common security tools difficult. Velvet Ant's shift to targeting network devices like Cisco switches demonstrates their evolving tactics in a multi-year espionage campaign. This highlights significant security risks associated with third-party appliances, emphasizing the need for enhanced logging, continuous monitoring, and threat hunting to detect such advanced persistent threats.
Starting point is 00:06:29 The Qilin ransomware group has adopted a new tactic, deploying a custom stealer to harvest credentials stored in Google Chrome. This method, observed by Sophos X-Ops during incident response, marks a concerning development in ransomware strategies. The attack began with Qilin accessing a network via compromised VPN credentials, followed by an 18-day dormancy, likely used for reconnaissance. The attackers then moved laterally to a domain controller, modifying group policy objects to execute a PowerShell script that collected Chrome-stored credentials across all logged-in machines. These stolen credentials were exfiltrated and traces were erased before deploying the ransomware payload. This approach complicates defense, as widespread credential theft can facilitate further attacks
Starting point is 00:07:22 and make response efforts more challenging. To mitigate risks, organizations should enforce strict policies against storing credentials in browsers, implement multi-factor authentication, and apply least-privilege principles. The ARRL, the American Radio Relay League, is a national association for amateur radio enthusiasts in the United States. A letter to their members says that in early May of this year, ARRL's network was compromised by threat actors using dark web-purchased information. The attackers infiltrated both on-site and cloud-based systems, deploying ransomware across various devices from desktops to servers. The highly coordinated attack took place on May 15, leading to significant disruption.
Starting point is 00:08:13 Despite ARRL being a small non-profit, the attackers demanded a multi-million dollar ransom. After some tense negotiations, ARRL paid a million-dollar ransom, largely covered by insurance. The organization quickly formed a crisis management team and involved the FBI, who categorized the attack as uniquely sophisticated. Most systems have been restored, with the Logbook of the World back online within four days. ARRL is now simplifying its infrastructure and establishing an Information Technology Advisory Committee to guide future IT decisions. SolarWinds has released a second hotfix for its Web Help Desk software to address critical vulnerabilities, including a serious issue with hard-coded credentials introduced in the first hotfix. This flaw, with a CVSS score of 9.1, could allow remote unauthenticated users to access and modify internal data.
Starting point is 00:09:15 The new hotfix removes the hard-coded credentials, fixes an SSO issue, and resolves the critical remote code execution vulnerability that the initial hotfix aimed to address. CISA quickly added the RCE bug to its Known Exploited Vulnerabilities catalog, indicating it may have been exploited in the wild. Organizations are urged to apply the latest hotfix immediately to secure their systems. Lingo Telecom will pay a $1 million fine for transmitting deceptive robocalls in New Hampshire that used AI to spoof President Biden's voice,
Starting point is 00:09:53 violating federal caller ID rules, the FCC announced. The robocalls sent before the New Hampshire primary were arranged by political consultant Steve Kramer, who's also facing a $6 million fine and criminal indictment. The FCC emphasized the need for transparency in AI usage in communications. Lingo Telecom also agreed to a compliance plan to prevent future violations. The Justice Department is suing the Georgia Institute of Technology and an affiliated company for allegedly failing to meet required cybersecurity standards for Pentagon contracts.
Starting point is 00:10:31 The lawsuit, backed by the False Claims Act, purports that Georgia Tech's Astrolavos Lab did not develop a proper system security plan as mandated by the Department of Defense and falsely reported their cybersecurity assessment to the Pentagon. Despite implementing a plan in February of 2020, the lab reportedly failed to cover all necessary devices. The whistleblower lawsuit filed by two former Georgia Tech cybersecurity team members alleges a lack of enforcement of cybersecurity regulations at the university. Georgia Tech disputes the claims, stating that the lawsuit misrepresents their commitment to innovation and integrity and insists there was no breach or data leak involved.
Starting point is 00:11:28 Coming up after the break, our guest Dustin Moody, mathematician at NIST, discusses the latest post-quantum encryption standards. Stay with us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora
Starting point is 00:12:07 have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Starting point is 00:12:55 And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak.
Starting point is 00:13:33 Learn more at blackcloak.io. Dustin Moody is mathematician at NIST. He recently sat down with N2K's Brandon Karpf to discuss post-quantum encryption standards. I'm joined today by Dustin Moody, supervisory mathematician at the National Institute of Standards and Technology. And Dustin's here today to fill us in on the recent standards released by NIST around post-quantum cryptography. Dustin, great to have you on the show. Really excited to have this conversation. Great, happy to be here.
Starting point is 00:14:10 So could you fill us in just on the background of NIST's project for post-quantum cryptography and where we've gotten to today and ultimately what the goal is for the program? Yeah, certainly. So since the 1990s, cryptographers and others have been aware that if a large-scale quantum computer could be built, it would break some of the crypto systems that we rely on to protect our information. Back then, it was mostly a theoretical concern because quantum computers were imagined, they weren't realities. But since then, different companies and organizations
Starting point is 00:14:46 have been working on building them because they would bring a lot of positive benefits to society. They could do a lot of things that our current computing technology cannot. At NIST, our particular group deals with cryptography and we approve the algorithms that the federal government uses to protect all of our information. So we were aware of this. Probably around 10 years ago,
Starting point is 00:15:11 we started scaling up our project a little bit because we saw the progress in quantum computers was growing and that they were becoming larger. They're not large enough to threaten current cryptographic levels, but we need to get these standards in place well in advance of that. So at NIST, we started building our team and our expertise, and we eventually decided that the best way to create new standards to get new crypto systems in place
Starting point is 00:15:40 would be to do a large international competition-like process to select algorithms that we would evaluate internally and the cryptographic community could also evaluate. And NIST has done this sort of thing in the past, and it has gained a lot of acceptance, a lot of credibility, because people can trust the algorithms that come out of this because they've been so well studied. So we announced that back in 2016 that we would be doing this. In response, we received a large number of submissions. We had a total of 82 that were sent in to us from different teams around the world
Starting point is 00:16:16 who had all designed the best algorithms that they could come up with to provide protection. Over the past eight years or so, we've gone through a series of evaluation and analysis. Internally, both we've looked at them, we've implemented them, checked out their performance benchmarks. And similarly, people around the world have been doing the same thing.
Starting point is 00:16:38 Some of them were broken along the way. That's what happens. The strongest ones survive. And we have more confidence because they've been studied so carefully. So after a series of three rounds back in July of 2022, we announced the four algorithms that we would be standardizing as a result of this process. Since that time, it took us a year or two to write up the standards for those algorithms, but that's where we are now.
Starting point is 00:17:09 Great. So could you walk us through those standards? There was, just in the last few weeks, three that were officially released, and it sounds like a fourth might be on its way. Could you walk us through these? Yeah. So we were looking for two different cryptographic functionalities, one of which is to do key establishment, or you can equivalently do encryption. And another is to do what's called digital signatures, which are used to provide authentication online. We selected a few algorithms for each category. For digital signatures, we selected an algorithm called CRYSTALS-Dilithium. It's the main algorithm that we expect people to use. It's based on something called lattices.
Starting point is 00:17:54 We can get into all the math if you really wanted to, but most people are just happy to know that it's on something called lattices. We also selected two other algorithms. Another algorithm based on lattices that's called Falcon. It has smaller key sizes than Dilithium, but its implementation is a lot more complex. You have to use floating point arithmetic, and many devices might struggle to securely implement it. So it's available for certain applications
Starting point is 00:18:18 that really need those shorter signatures, but most applications will be able to use Dilithium just fine. The third signature that we selected is called SPHINCS+. It's based on a different idea than lattices. The idea there is to have a backup in case there's some attack or some vulnerability discovered. We have something not based on lattices. It is around for that purpose.
Starting point is 00:18:44 However, it's a bit slower and bigger, so it wouldn't work in many applications. But if security were your number one concern, security analysis is a bit more conservative. So for some users, it might be their choice. So those were the three signatures. We selected an algorithm called CRYSTALS-Kyber for key establishment. It was also based on lattices. Over the course of the past eight years, lattices turned out to be the most promising area for post-quantum algorithms. It has great performance, has great security. So it was selected. Now, three of those were standardized. That's Kyber, Dilithium, and SPHINCS+. They came out in documents that we call FIPS, Federal Information Processing Standards,
Starting point is 00:19:33 and they first went out for public comment. We had a draft form, we got some feedback, made a few small changes, and then just a week ago we published them in their final form so that people can begin to use them. The fourth algorithm, Falcon, that was selected, we're still writing the standard. It's not yet done. We wanted to focus on Dilithium first because it's the primary signature we want people to use. And because of the complex implementation, it's just taken us a little bit longer to write the standard. And we hope to have it out by the end of 2024. Really appreciate you coming on.
Starting point is 00:20:11 Thank you. Thanks for having this conversation and helping spread the word. That's Dustin Moody, mathematician at NIST, speaking with our own Brandon Karpf. For more information about these post-quantum encryption standards, we'll have links in our show notes. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Starting point is 00:21:06 Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And finally, in the world of phishing simulations, there's a fine line between effective training and causing unnecessary panic. Just ask the folks at UC Santa Cruz. On August 18th, UCSC sent out an email with the alarming subject line, Emergency Notification, Ebola Virus Case on Campus! Students and staff were understandably rattled, only to later discover it was all part of a phishing awareness exercise.
Starting point is 00:21:59 The email, mimicking a real phishing scam, urged recipients to log in for more details. Classic phishing bait. While the goal was to teach the community to spot phishing attempts, the choice of topic, an Ebola outbreak, backfired spectacularly. The simulated email triggered widespread concern, prompting the Student Health Center to issue a clarification. UCSC's chief information security officer quickly apologized, admitting the simulation crossed a line and caused undue stress. Lesson learned, phishing simulations should teach caution, not create chaos. In the future, UCSC aims to avoid such alarming scenarios,
Starting point is 00:22:41 focusing instead on less panic-inducing content. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Robert Duncan, VP of Product Strategy at NetCraft. We're discussing their work, Mule as a Service Infrastructure Exposed. That's Research Saturday. Check it out.
Starting point is 00:23:14 We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey and the show notes
Starting point is 00:23:29 or send an email to cyberwire at n2k.com. We're privileged that N2K Cyber Wire is part of the daily routine of the most influential leaders and operators in the public and private sector from the Fortune 500 to many of the world's preeminent intelligence and law
Starting point is 00:23:45 enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your team smarter. Learn how at n2k.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Iben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilby is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.
