CyberWire Daily - Hacking the bureau.
Episode Date: January 17, 2025

The FBI warns agents of hacked call and text logs. The US Treasury sanctions entities tied to North Korea's fake IT worker operations. Russian hacking group Star Blizzard attempted to infiltrate WhatsApp accounts of nonprofits supporting Ukraine. Yubico discloses a critical vulnerability in its Pluggable Authentication Module software. Google releases an open-source library for software composition analysis. CISA hopes to close the software understanding gap. PumaKit targets critical infrastructure. SimpleHelp patches multiple flaws in their remote access software. The FTC bans GM from selling driver data. HHS outlines their efforts to protect hospitals and healthcare. Our guest Maria Tranquilli, Executive Director at Common Mission Project, speaks with N2K's Executive Editor Brandon Karpf about the origins and impact of Hacking for Defense. Even the best of red teamers are humbled by AI.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

Our guest Maria Tranquilli, Executive Director at Common Mission Project, speaks with N2K's Executive Editor Brandon Karpf about the origins and impact of Hacking for Defense, and how universities can get involved.
Selected Reading

FBI Has Warned Agents It Believes Hackers Stole Their Call Logs (Bloomberg)
US Announces Sanctions Against North Korean Fake IT Worker Network (SecurityWeek)
Russian Star Blizzard hackers exploit WhatsApp accounts to spy on nonprofits aiding Ukraine (The Record)
Yubico PAM Module Vulnerability Let Attackers Bypass Authentications In Certain Configurations (Cyber Security News)
Google Releases Open Source Library for Software Composition Analysis (SecurityWeek)
Closing the Software Understanding Gap (CISA)
Pumakit - A Sophisticated Linux Rootkit Attack Critical Infrastructure (Cyber Security News)
Vulnerabilities in SimpleHelp Remote Access Software May Lead to System Compromise (SecurityWeek)
FTC hands GM a 5-year ban on selling sensitive driver info to data brokers (The Record)
How HHS has strengthened cybersecurity of hospitals and health care systems (CyberScoop)
Microsoft AI Red Team says security work will never be done (The Register)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.

...of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private... JoinDeleteMe.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout. That's JoinDeleteMe.com slash N2K, code N2K.

The FBI warns agents of hacked call and text logs.
The U.S. Treasury sanctions entities tied to North Korea's fake IT worker operations. Russian hacking group Star Blizzard attempted to infiltrate WhatsApp accounts of non-profits supporting Ukraine. Yubico discloses a critical vulnerability in its pluggable authentication module software. Google releases an open-source library for software composition analysis. CISA hopes to close the software understanding gap. PumaKit targets critical infrastructure. SimpleHelp patches multiple flaws in their remote access software. The FTC bans GM from selling driver data. HHS outlines their efforts to protect hospitals and healthcare. Our guest is Maria Tranquilli, Executive Director at Common Mission Project, speaking with N2K's Brandon Karpf about the origins and impacts of Hacking for Defense. And even the best of red teamers are humbled by AI.

It's Friday, January 17th, 2025. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today. It is great as always to have you with us.
According to an FBI document reviewed by Bloomberg, hackers breached AT&T's systems in 2022, stealing months of FBI agents' call and text logs, triggering concerns about exposing confidential informants. The stolen data, including agents' phone numbers and call details, could link investigators to their secret sources, but excluded content of communications and encrypted messaging records. AT&T disclosed the breach in July, which involved six months of customer data following an extortion attempt by hackers. The FBI has raced to mitigate risks to its sources and investigations, underscoring concerns about the Bureau's operational security. The breach was part of a broader campaign targeting AT&T and Snowflake customers, with hackers exploiting accounts lacking multi-factor authentication. Federal prosecutors charged individuals connected to the breach and related extortion schemes. Despite efforts to secure the data, it's unclear if the information remains at risk, raising alarms about safeguarding sensitive data in third-party systems.
The U.S. Treasury's Office of Foreign Assets Control has sanctioned two individuals and four entities tied to North Korea's scheme to generate illicit funds through fake IT worker operations. North Korean operatives used stolen identities and AI to secure IT jobs in Western countries, funneling earnings to the regime. Hundreds of companies in the U.S., U.K., and Australia unknowingly hired these workers, while others were stationed in Russia, China, and beyond. North Korea's government withholds up to 90 percent of these workers' wages, funding weapons programs, including WMDs and ballistic missiles. Sanctions target North Korean front companies Korea Osong Shipping Company and Chonsurim Trading Corporation, as well as their leaders. A Chinese company was also sanctioned for supplying electronics to facilitate these activities. These operations generate hundreds of millions annually for Pyongyang's regime.
The Russian hacking group Star Blizzard attempted to infiltrate WhatsApp accounts of non-profits supporting Ukraine, using phishing messages impersonating U.S. officials. Victims were invited to join a fake WhatsApp group, U.S.-Ukraine NGOs Group, and prompted to scan a malicious QR code, giving attackers access to their messages. This marks the first use of WhatsApp by the group, which is linked to Russia's FSB. Despite recent U.S. actions dismantling their infrastructure, Star Blizzard quickly adapted, demonstrating their resilience. Their targets include government entities, non-profits, and Ukraine aid organizations.

Yubico has disclosed a critical vulnerability in its pluggable authentication module software package. This flaw could allow attackers to bypass authentication under certain configurations. The vulnerability, rated high with a CVSS score of 7.3, impacts macOS and Linux systems but does not affect Yubico hardware devices. Users should upgrade to the latest version or modify configurations to mitigate risks.
Google has released OSV-SCALIBR, an open-source Go library for software composition analysis. The tool scans software inventory, identifies vulnerabilities, and generates software bills of materials in SPDX and CycloneDX formats. It supports Linux, Windows, and macOS, and works with OS packages, binaries, and source code. OSV-SCALIBR is used within Google for scanning live hosts, repositories, and containers, and will integrate further with Google's OSV-Scanner. Users can leverage its plugins for software extraction and vulnerability detection, with custom plugins supported.
CISA, alongside federal partners, released a report titled Closing the Software Understanding Gap, calling for a national effort to better understand and secure software critical to infrastructure and national security. The report urges collaboration between public and private sectors to prioritize software analysis under all conditions. Recommendations include stronger security in software development, such as network segmentation, multi-factor authentication, encrypted data storage, and robust supply chain risk management. CISA also launched the Vulnrichment program to enhance the National Vulnerability Database by adding detailed metadata for better vulnerability tracking. These measures align with CISA's secure-by-design principles, aiming to shift the security burden from users to manufacturers, ultimately improving resilience against cyber threats to critical infrastructure systems.
The advanced Linux rootkit PumaKit has been identified targeting critical infrastructure sectors, including telecommunications, finance, and national security. Discovered by Elastic Security Labs, PumaKit operates at the kernel level, employing sophisticated evasion techniques to remain undetected. It conceals malicious activities, ensures persistence through reboots, and disables security tools, enabling long-term access to compromised systems. Indicators of compromise include unusual kernel modules, suspicious traffic to specific IPs, and concealed processes. Organizations are urged to apply security patches, enforce multi-factor authentication, monitor for anomalies, and use Elastic's YARA rule for detection.
Critical vulnerabilities in SimpleHelp remote access software could allow attackers to compromise servers and client machines, Horizon3.ai reports. These include a path traversal flaw enabling unauthorized file access, an arbitrary file upload vulnerability allowing remote code execution, and a privilege escalation bug enabling technicians to gain admin access. SimpleHelp patched the issues in January and urges users to update and reset admin and technician passwords promptly to mitigate risks.
The Federal Trade Commission has imposed a five-year ban on General Motors and its OnStar subsidiary from selling sensitive driver data, including geolocation and driving behavior, to data brokers. The ban stems from allegations that GM misled customers about data collection and shared precise driver information, such as location and habits, without consent. This data, often sold to insurers, led to premium spikes or policy cancellations for some drivers. The FTC settlement requires GM to obtain explicit consent for data collection, improve transparency, and provide mechanisms for consumers to delete or limit data collection. The automaker must also allow users to disable precise geolocation tracking. GM, which ended its Smart Driver program and related third-party contracts in 2023, stated the FTC order enforces stricter privacy standards beyond current laws.
In an editorial for CyberScoop, Deputy Secretary of the Department of Health and Human Services Andrea Palm describes the significant steps the agency has taken to combat rising cyberattacks targeting hospitals and health systems. These attacks disrupt care, jeopardize patient safety, and erode trust. Palm says HHS has focused on three areas: policy, resources, and coordination. Policies include updated HIPAA rules and new cybersecurity requirements for medical devices. Funding efforts like $240 million for hospital preparedness and a proposed $1.3 billion through Medicare aim to bolster cybersecurity for under-resourced organizations. The agency also provides free training, a cybersecurity risk map, and plans to use AI to guide security improvements. HHS emphasizes a sector-wide approach to protect interconnected health systems and has enhanced incident response and collaboration with industry. Despite progress, HHS stresses continued investment and bipartisan support are crucial to strengthening cybersecurity and protecting national security.
Coming up, our guest Maria Tranquilli from the Common Mission Project speaks with our own Brandon Karpf about the origins and impact of Hacking for Defense. And even the best of red teamers are humbled by AI.
Stay with us.

Transat presents a couple trying to beat the winter blues.
We could try hot yoga.
Too sweaty.
We could go skating.
Too icy.
We could book a vacation.
Like somewhere hot.
Yeah, with pools.
And a spa.
And endless snacks.
Yes!
With savings of up to 40% on Transat South packages, it's easy to say so long to winter. Visit transat.com or contact your Marlin Travel professional for details. Conditions apply. Air Transat. Travel moves us.
Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.

And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Maria Tranquilli is Executive Director of the Common Mission Project. She recently got together with N2K's Executive Editor, Brandon Karpf, to discuss the origins and impact of Hacking for Defense and how universities can get involved.
And we are joined today by Maria Tranquilli, the executive director of the Common Mission Project. Maria, thank you so much for joining us today.

I'm so happy to speak to you today, Brandon.

So curious for our listeners to understand, some of them may have heard of Hacking for Defense or Common Mission Project or BMNT. We've had a few folks on the podcast over the last few months, including Steve Blank, about those programs. But can you give us, in your own words, what is Common Mission Project? What does that organization do?
Absolutely. So the Common Mission Project is a global entity. We are present in the United States, Australia, the UK, and expanding. We ensure that mission-driven entrepreneurs, specifically within universities at the moment, are able to access the lean startup methodology through a program titled Hacking for Defense. We also offer Hacking for Diplomacy, Hacking for Homeland Security, and soon to be shared, Hacking for Manufacturing. We're actually piloting Hacking for Manufacturing currently in the United States. And we're hoping to expand that program not only throughout universities and research institutions across the U.S., but also with our allied counterparts across the globe.
Oh, very cool. And for this audience, our podcast mostly speaks to professionals in the cybersecurity and national security industry. This idea of hacking is obviously very familiar to them. Can you kind of share what this Hacking for series of programs is all about and how they work?

Absolutely. So, you know, just to speak to the global dynamics that we are seeing at the moment, we know that the complexity of national security and defense problems will only intensify as the years go on. And we also know that there are rapid advancements in technologies like cybersecurity, AI, artificial intelligence, unmanned systems, all of which are very important technology verticals within the defense space and also across the private sector. And we also see this globally. There is a very high level of interest across allied partners, including NATO, including the Ministry of Defense in the UK, and including the Department of Defense in the United States. So when it comes to the Hacking for programs, we ensure that mission partners across our global entities are able to identify problems that need to be solved at the speed of a startup. And in order to do that, we partner with BMNT. It's actually our for-profit arm. BMNT works with our government partners to help those government entities identify problems that need to be solved at speed. Those problems are then deployed into research institutions and classrooms, again, across our global instances in which we are running one of our Hacking for programs. Students, and I'd like to say here, students means very specifically undergraduate and graduate level students. So we have students that are sophomores all the way through four to five years of schooling in universities working, yes, working on these problems. So they are handed problems to validate. There's a number of reasons this is incredibly important. One, we don't want the Department of Defense in the United States, Ministry of Defense, etc., to waste time building solutions for problems that are not to be solved or have not yet been validated. So students will actually validate those problems, and they do this in a number of ways. They ensure that they are doing proper customer discovery within the government and across government entities to narrow down to exactly the right problem that needs a solution paired with it. And this can take one month, this can take three months. It really depends on the type of customer discovery that these students are able to do. From customer discovery through problem validation, students then, with the help of Common Mission Project, have the opportunity to be funded, to travel, to understand even more deeply how to build solutions to those problems. So I'll stop there, Brandon. Any specific questions there?
Yeah, it strikes me that this is a pretty sophisticated set of programming. I mean, the model itself sounds fairly complex. You're managing multiple stakeholders, some in the government, certainly some at research institutes and universities, managing student work, and it sounds like curriculum as well. That is a very complex program. I imagine that's evolved over many years. Can you share maybe where we are today in terms of some of the successes that this program has had?

Absolutely. I love that you asked. Well, first I'll say we are coming up on our 10-year anniversary of Hacking for Defense programs.

Happy decade of running this. That's awesome.

Thank you. Thank you. Well, I have to tell you, I am standing on the shoulders of giants. The founders of this program, Pete Newell and Steve Blank, who I know you've spoken to in the past, are two incredibly dynamic individuals that have brought me into this ecosystem to help scale and expand even further than the footprint that they have built so far. So currently, we are looking at that 10-year anniversary coming up through the second quarter of 2025. So we're hoping, and this is a shout out to everyone listening, we are really excited for pairing the 10-year H4D anniversary with a National Security Innovation Education Conference. And we have some very, thank you, and we have some very specific goals to hit during that conference. We are looking to eventually, and I will say inevitably, establish a PME or Professional Military Education curriculum. We're also looking to instate and or establish across one or multiple U.S.-based universities a U.S. degree program that specifically focuses on national security, innovation, and entrepreneurship. So the beginning of the conversation will occur during our celebration Q2 2025.
Very curious about any intel you can share about how organizations might get involved, or individuals. There's a lot of folks here in this audience that you're speaking with who are very committed to professional education and certification and development, especially around workforce initiatives and those educational pursuits that you were mentioning.

We are interested in any academics or universities that would be interested in contributing to developing PME, professional military education curriculum. That goes for both private and public institutions, so public and private universities. The door is open specifically for individuals that, like yourself, actually, Brandon, I know that we've actually talked about how we might engage the Navy specifically, and I know you're doing some great work there in delivering H4D at a very specific university. So we're very interested in military institutions, public and private institutions playing their part and having a stake and a say in the type of curriculum that is developed, as well as the U.S.-based degree program that I had mentioned. So intel, I will say, we are just on the coattails of having delivered our sixth annual Red Queen Innovation Conference. This is an executive level conference that is annual. Steve Blank and Pete Newell, along with myself and a few other individuals, delivered this conference just a few weeks ago, and we had an incredible contingent of the Ministry of Defense presence from the UK, DIU, and other U.S.-based defense organizations, as well as NATO present. So it's one of the first moments in recent history in which all of these stakeholders are in the same room making decisions about what defense innovation and what defense education could look like. So when you ask about intel, I would say it's very likely that the same individuals that attend our executive level convenings, some of which are private, some of which are public, will be with us during spring of 2025 for this upcoming anniversary and event.
Great. Well, everyone should keep an eye out then for those announcements. It does sound like a great event. Moving into your second decade of these Hacking for programs, what is the vision? Where does Common Mission Project go from here? What is the impact that you're looking to have in your second decade of running this?

I love this question. There's so much that I'm excited to gain traction on and to deliver in the next 10 years. Very specifically, I would say the linchpin here is ensuring that what I know to be our greatest asset, not only in America, but across allied nations, is ensuring that we are preserving and protecting the spirit of innovation and entrepreneurship. And where does that lie specifically? We know that retention within our defense organizations and government organizations is at an all-time low. We also know that incoming individuals that are right now in university, that will be exiting new talent, but talent right now that needs to be retained within these organizations does remain within those organizations. So my main focus, one of three, I'd say there are three pillars of focus. One, again, ensuring that our ecosystem is steady, our ecosystem is well-fortified, and that we're preserving the spirit of innovation and entrepreneurship across different stakeholders, which includes all of that new and current talent. It includes all of our academics who need consistent training and consistent access to really interesting problems and really interesting and challenging curriculum that they can then deliver in the classroom, as well as, I'll say this, the second tier very specifically is scaling our programs across allied nations. We have an incredibly high level of interest from multiple countries, NATO allies specifically from Estonia and Germany, etc. And we need to ensure that our Hacking for programs are run across these countries. And there's a number of reasons. One, we know that the nature of the problems across defense and government organizations are duplicative. We know, as far as what I have actually seen, we know that these same problems are looking to be solved across different countries. We need to ensure that we are not wasting money and wasting time solving the same problems. So one of the biggest opportunities that I see Common Mission Project having a very unique stance on is the ability to actually make the invisible visible, meaning we're able to take specific problems from across our allied nations, identify those through the data that we hold, and ensure that those nations are working together to solve the same problems. And there's a number of different ways that we will do this. It's through some of our executive convenings. It is through our programming that is delivered across universities. It's actually through deploying from our student fund to ensure that our donor dollars are going to solve the right problems. So I'd say that's our third pillar. It's really ensuring that our students have the capital that they need to do the research, to do the customer discovery, to do the travel that is needed so that they can validate those problems and go back to the government with an interesting solution.

Fantastic. And it sounds like a functional approach. I love that, taking advantage of the lessons learned and applying that broadly across all of the global partners. So, well, you know, if folks are interested to learn more, to get involved somehow, whether they're at a university or one of these government stakeholders, where can people go to learn more about Common Mission Project?

Commonmission.us is the global instance, and they can reach out directly to me through there.

Great. Well, the organization is the Common Mission Project. The program is Hacking for, and specifically Hacking for Defense. Maria, thank you so much for joining us today.

Thank you so much, Brandon. It was such a pleasure.

That's our own Brandon Karpf speaking with Maria Tranquilli, Executive Director at the Common Mission Project. For more information, we'll have links in our show notes.
...trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And finally, our Sisyphus desk tells us that Microsoft's red team took a hard look at over 100 of its own generative AI products and walked away with a humbling realization: AI security is a moving target that's never fully secure. Their paper, Lessons from Red Teaming 100 Generative AI Products, outlines eight key lessons with one undeniable truth: AI doesn't just amplify existing security risks, it invents new ones.

Lesson 1. Know what your AI does. Larger models follow instructions better, but that means they're also better at following malicious ones. Great for hackers, less so for defenders.

Lesson 2. Fancy gradient-based attacks are overrated when simpler tricks like phishing or UI manipulation work just fine.

Lesson 3. Red teaming is about uncovering novel risks, not just checking benchmarks. Microsoft developed PyRIT, an open-source toolkit to automate red teaming tasks, but human input remains vital. Experts not only spot subtle vulnerabilities, but also handle AI-generated horrors that would make anyone's eyes water. And yes, red teamers need mental health care too.

AI's harms, lesson 6 notes, are tricky to quantify, like bias baked into image prompts showing male bosses and female secretaries, reinforcing stereotypes.

Finally, lesson 7 slams home: feed AI bad inputs, and it'll gleefully produce bad outputs, including spilling sensitive data.

The takeaway? AI isn't just a security headache, it's the whole migraine. But hey, at least it's job security for InfoSec folks, because every new AI risk is another reason to hire a defender.

And that's The CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.

A programming note: we will not be publishing on Monday, January 20th, in observance of Martin Luther King Jr. Day. Check out your CyberWire Daily podcast feed for some crossover with our T-Minus Space Daily team for an interview with Cayenne Space about data automation and space domain awareness. Don't miss it.

Be sure to check out this weekend's Research Saturday and my conversation with Nati Tal, head of Guardio Labs. Their research is titled CrossBarking: Exploiting a Zero-Day Opera Vulnerability with a Cross-Browser Extension Store Attack. That's Research Saturday. Check it out.
We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.