CyberWire Daily - Hijacking your heritage.

Episode Date: June 11, 2024

23andMe’s looming bankruptcy could pause class-action privacy lawsuits. The FCC focuses on BGP. The White House looks to big tech to help secure rural hospitals. Cylance confirms a data breach. Arm warns of GPU kernel driver vulnerabilities. The world's largest law firm faces class action over the MOVEit hack. SAP releases high priority patches. Apple redefines AI - literally - and offers up Private Cloud Compute at their developer’s conference. Guest Chris Novak, Senior Director of Cyber Security Consulting at Verizon, shares highlights and key takeaways of their recently published 2024 Data Breach Investigations Report (DBIR). Share your love — but not your passwords.
Selected Reading
- UK and Canada Launch Joint Probe Into 23andMe Breach While District Judge Says Bankruptcy Is Imminent (Metacurity)
- FCC Advances BGP Security Rules for Broadband Providers (bankinfosecurity)
- White House enlists Microsoft, Google for rural hospital cyberdefense (Beckers Health IT)
- Cylance confirms data breach linked to 'third-party' platform (bleepingcomputer)
- Arm warns of actively exploited flaw in Mali GPU kernel drivers (bleepingcomputer)
- Law firm Kirkland sued in class action over MOVEit data breach (Reuters)
- SAP Patches High-Severity Vulnerabilities in Financial Consolidation, NetWeaver (SecurityWeek)
- Here's how Apple's keeping your cloud-processed AI data safe (and why it matters) (ZDNET)
- When things go wrong: A digital sharing warning for couples (Malwarebytes)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private. JoinDeleteMe.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout. That's JoinDeleteMe.com slash N2K, code N2K. 23andMe's looming bankruptcy could pause class action privacy lawsuits. The FCC focuses on BGP.
Starting point is 00:01:39 The White House looks to big tech to help secure rural hospitals. Cylance confirms a data breach. ARM warns of GPU kernel driver vulnerabilities. The world's largest law firm faces class action over the MoveIt hack. SAP releases high-priority patches. Apple redefines AI, literally, and offers up private cloud compute at their developers conference. Our guest is Chris Novak,
Starting point is 00:02:03 Senior Director of Cybersecurity Consulting at Verizon. It's Tuesday, June 11th, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thank you for joining us here today. It is great to have you with us. In December 2023, 23andMe disclosed that hackers accessed the personal information of 5.5 million people using its DNA Relatives feature. The stolen data included names, birth years, relationship labels, ancestry reports, and self-reported locations. Initially, back in October of '23, the company had reported only 14,000 individuals affected. An additional 1.4 million users also had their family tree profile information accessed,
Starting point is 00:03:27 totaling 14 million people impacted. Hackers were in 23andMe's systems from April through September of 2023. A class action lawsuit filed in January accused 23andMe of failing to notify customers of Chinese and Ashkenazi Jewish heritage that they were specifically targeted, with their genetic information sold on the dark web. U.S. District Judge Edward Chen indicated a potential pause in discovery in these lawsuits as 23andMe faces bankruptcy. The company, already struggling financially, saw its net loss more than double from $311.7 million to $666.7 million between fiscal years 23 and 24. Losing the lawsuits could push the company further toward bankruptcy, potentially resulting in damages exceeding $3 billion under the Illinois Genetic Information Privacy Act. Despite these challenges, the value of 23andMe's DNA database might attract interest for drug
Starting point is 00:04:33 development deals. Additionally, the Information Commissioner's Office and the Office of the Privacy Commissioner of Canada launched a joint investigation into the breach, scrutinizing 23andMe's data protection measures and breach notifications. 23andMe has stated its intention to cooperate with these investigations. The U.S. Federal Communications Commission is advancing security mandates for major internet providers focusing on border gateway protocol vulnerabilities. The FCC approved a proposal requiring the nine largest U.S. broadband providers to create confidential BGP security risk management plans.
Starting point is 00:05:16 These plans must include route origin authorizations via resource public key infrastructure to enhance internet routing security. This initiative follows warnings that hackers exploit BGP weaknesses to disrupt services. The FCC's interest in BGP security intensified after a Russian-linked hijacking incident in Ukraine in 2022. The proposed rules also demand that smaller providers maintain BGP security plans available within 48 hours upon request. Public transparency and accountability are emphasized through public information on routing security actions. The Biden-Harris administration has secured commitments from Microsoft and Google to enhance cyber defenses for rural hospitals. Microsoft
Starting point is 00:06:06 will extend its non-profit program, offering grants and up to a 75% discount on security products for critical access and rural emergency hospitals. Larger rural hospitals using eligible Microsoft solutions will receive advanced security suites free for one year. Microsoft will also provide free cybersecurity assessments, training, and extend Windows 10 security updates for a year at no cost. Google will offer free endpoint security advice for funding support for software migration,
Starting point is 00:06:41 launching a pilot program for a tailored security package for rural hospitals. These efforts aim to strengthen healthcare sector resilience amid a 128% surge in cyber attacks from 2022 to 2023. Security firm Cylance confirmed that data being sold on a hacking forum is information stolen from a third-party platform. The threat actor Spider is selling the data, which includes 34 million customer and employee emails and personally identifiable information, for $750,000. Researchers believe the data is old marketing information used by Cylance. BlackBerry Cylance stated that no current customers are affected
Starting point is 00:07:26 and no sensitive information is involved. The data appears to be from 2015 through 2018, before BlackBerry's acquisition of Cylance. Additionally, Spider is selling data from Advance Auto Parts linked to a Snowflake account breach. Recent breaches at other companies have also been linked to Snowflake attacks by the threat actor UNC5537, who uses stolen credentials to target accounts without multi-factor authentication. Arm has issued a security bulletin about a memory-related vulnerability in Bifrost and Valhall GPU kernel drivers that's being exploited in the wild. This use-after-free flaw affects all driver versions from r34p0 to r40p0 and can lead to information disclosure and arbitrary code execution.
Starting point is 00:08:21 A non-privileged user can exploit this to access freed memory improperly. The vulnerability was fixed in version r41p0, released on November 24th of 2022. However, due to Android's complex supply chain, updates may be delayed for end users. Bifrost GPUs are found in smartphones, tablets, and embedded systems, while Valhall GPUs are in high-end devices and smart TVs. Some impacted devices may no longer receive security updates. Kirkland & Ellis, the world's largest law firm by revenue, is facing a proposed class action over a data breach linked to the MOVEit Transfer file management software hack in May 2023. The lawsuit accuses Kirkland and other companies, including Humana and Progress Software, of failing to protect personal information. The breach affected millions and led to numerous lawsuits, now centralized in Massachusetts federal court under U.S. District Judge Allison
Starting point is 00:09:26 Burroughs. Kirkland represented Trilogy Home Health Care in its acquisition by Humana's CenterWell Home Health, transferring files with private information using MOVEit. The lawsuit, filed on behalf of at least 4,700 people, claims Kirkland delayed notifying Trilogy of the breach until October, with customers informed in March of 2024. The ransomware gang Clop claimed responsibility for the hack. SAP announced the release of 10 new and 2 updated security notes for its June 2024 security patch day. This includes two high-priority patches,
Starting point is 00:10:07 a cross-site scripting vulnerability in Financial Consolidation and a denial-of-service vulnerability in SAP NetWeaver AS Java. The cross-site scripting flaw can manipulate website content, severely impacting confidentiality and integrity, while the denial-of-service issue allows attackers to disrupt service by exploiting unrestricted access to meta-model repository services. Eight medium-severity vulnerabilities affect various SAP products, leading to potential denial-of-service conditions, file uploads, information disclosure, or data tampering. Two low-severity issues in the BusinessObjects Business Intelligence platform and Central Finance infrastructure components were also addressed. Organizations are urged to update their systems promptly.
Starting point is 00:10:58 Yesterday, at their Worldwide Developers Conference, Apple addressed user concerns about sharing personal data with AI companies by introducing the Apple Intelligence system, which uses Private Cloud Compute to protect data processed on cloud servers. Yes, you heard that right. As far as Apple is concerned, AI no longer stands for artificial intelligence.
Starting point is 00:11:24 It stands for Apple Intelligence. Craig Federighi, Apple's senior VP of software engineering, emphasized that users shouldn't have to hand over personal details to AI clouds. Many of Apple's generative AI models can run on-device, eliminating data transmission risks. When Apple's AI determines that cloud processing is necessary, it will use Apple silicon servers with built-in Swift security tools, sending only relevant data and ensuring it's not stored or used for further training. Federighi assured that this system is verifiable, with server code publicly accessible for inspection by independent experts.
Starting point is 00:12:07 Apple claims this transparency aims to establish a new standard for privacy and AI. Coming up after the break, I catch up with Chris Novak, Senior Director of Cybersecurity Consulting at Verizon, about this year's DBIR. Stay with us. Transat presents a couple trying to beat the winter blues. We could try hot yoga.
Starting point is 00:12:48 Too sweaty. We could go skating. Too icy. We could book a vacation. Like somewhere hot. Yeah, with pools. And a spa. And endless snacks.
Starting point is 00:12:57 Yes! Yes! Yes! With savings of up to 40% on Transat South packages, it's easy to say, so long to winter. Visit Transat.com or contact your Marlin travel professional for details. Conditions apply. Air Transat. Travel moves us. Do you know the status of your compliance controls right now?
Starting point is 00:13:20 Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
Starting point is 00:13:45 like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Starting point is 00:14:35 Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:15:12 It is always my pleasure to welcome back to the show Chris Novak. He is a Senior Director of Cybersecurity Consulting at Verizon. Chris, welcome back. Thanks, Dave. It's always a pleasure to be here. I have been wanting to get you on the line for a little while now to talk shop about this year's edition of the DBIR. This is, by my count, this is number 17, I believe. That's right. Your count is correct. 17 years and going strong. Well, I mean, let's dig in together here. Can we start off with some high-level stuff? I mean, was there any particular theme that kind of bubbled to the top as you and your colleagues put together this year's edition?
Starting point is 00:15:50 Yes. I mean, we've got more data than we've ever had before. So this year, as you mentioned, 17 years, we've got data across 94 countries. So it's, I think, more global than we've ever done before. And then in terms of just the amount of incidents we have data on, it's exceeding 30,000. And the number of data breaches is exceeding 10,000. So we're looking at a much bigger sample set to draw from and hopefully have better conclusions for you all. Well, let's dig into some of the specifics here. Where should we begin? What really caught your eye this year? I'd say one that really jumped out was around exploitation of vulnerabilities. When we looked at the data there, we looked at the CISA known exploited vulnerabilities catalog,
Starting point is 00:16:34 and we looked at it through the lens of how long is it typically taking organizations to patch these vulnerabilities and kind of compare and contrast that with how long does it typically take before we see substantial scanning for the vulnerabilities, kind of implying that there might be exploitation that follows. And that timeline is actually really interesting. For example, if you look at 55 days out from the point in which that vulnerability is known, most organizations are only at about 50% patched. That means there's still a substantial amount of these vulnerabilities that are still out there exposed.
Starting point is 00:17:14 I don't know if you want to take a guess at how quickly the threat actors are moving on scanning for these vulnerabilities. Oh, gosh. Are we measuring in days, hours, or minutes? Days. We're looking at five days. So compare that to at 55 days, we're only 50% patched. And at five days, we are already starting to see kind of mainstream scanning. And so there's a picture that I think that paints, and it's the first time we've done it in the DBIR. We call it our survival probability chart, which I think is maybe a bit of an ominous sounding visualization, but it really kind of tells the story of, hey, we need to get on the patching, but it's not just about patching quicker. Obviously, if that was the case, everyone
Starting point is 00:18:02 would be out there doing it. It's not that simple, right? You've got finite resources, finite budget. There's compliance requirements you may need to go through in order to be able to even just patch a system. So we're looking at it more now through a lens, I'd say, of kind of risk quantification and more of a risk-based approach. That's interesting. Let's talk ransomware and extortion. You all gathered up some pretty interesting information when it comes to that. Absolutely, yeah. So it's interesting when you look at it through the lens of what we historically looked at ransomware, and we saw a giant kind of hockey stick up in the chart over the last several years. And then over the course
Starting point is 00:18:41 of the last two years, we saw it kind of start to plateau. And in fact, if you look at the last two years, it's actually been now a slight decline. And it's interesting, for the first time, we broke that out further. You mentioned that extortion, and obviously ransomware is always kind of a form of that. But what we started to do was maybe kind of play with the data a little bit and say, what else can we kind of tease out of this? Because we weren't convinced that threat actors were just closing up shop and going home. And what we saw was that while ransomware started to decline, they really kind of pivoted over towards kind of more pure extortion attacks. So I'll give you an example, a DDoS. They'll conduct
Starting point is 00:19:21 a more lightweight DDoS to show that they can take you down, and then say, if you don't pay this ransom, we're going to hit you with another one, a bigger one, a worse one, and we're going to hit you on a day that we know is really critical for you. It's a new product release date, an investor day, there's something big going on that it would be a really embarrassing day for you to be completely down. And so things like that, or the other thing that we're also seeing is extortion attacks around, for example, targeting executives, where they will look to get data on executives of an organization and then say, look, if you don't pay the ransom, we're going to expose this information about the executive,
Starting point is 00:20:02 the executive team, or the organization that will put you in a precarious situation, either personally or operationally from a business perspective. So they're trying to find other ways to monetize their attacks. But again, kind of coming back to that broader narrative of they're still very much focused on what kind of attacks can they leverage for financial gain? Well, some of the data that you all captured here digs into financially motivated attacks, which of course ransomware and extortion are. There's some interesting numbers here
Starting point is 00:20:34 that you all were tracking. Can you share some of those findings with us? Yeah, so we see that the majority of the events in the 90 plus percent are financially motivated. And it's interesting because if you look at it also typically by region, you'll also typically see some other nuances that will pop out as well. So, for example, that kind of global basis financially motivated attacks lead the charge. Espionage related events that are typically targeting things like intellectual property and trade secrets, single-digit percentages. But where that really starts to flip is when you start looking at it at the global or more
Starting point is 00:21:10 the regional level. For example, in EMEA, we see more insider activities than we see externally threat actors on that global basis. We see a bit of a shift there where insiders play a bigger role than what we see on the global landscape. The other one that's interesting is if you look at the APAC cut of the data, we see a much higher percentage of nation-state threat actors than we see in any of the other data sets as well. So it's interesting to see almost more of a regional breakdown view than I think what we've seen historically in the past, where it's been maybe a bit more homogenous. And I think part of this also gives rise to maybe there are some different reporting differences. For example, in EMEA, we see more mandatory reporting and disclosure elements around attacks. And so that might give rise to why we're seeing more information
Starting point is 00:22:01 around, say, some of these insider-related elements. But I think the APAC one is probably much more related to geopolitical tensions. We see a lot that's changing in that landscape, and that's really bearing out in terms of cyber being kind of a proxy for other types of kind of broader-scale political actions. You know, at the outset of our conversation here, you were talking about balancing risk and using some of this data to inform companies making those kinds of decisions. I mean, looking at all the information you have this year in this year's report, what are your recommendations for folks to approach that notion of balancing their risk? Yeah, so I'd say one of the big things that we're really recommending organizations look at is a form of cyber risk quantification. And I think it's starting to also naturally take shape from the perspective of things like the new SEC regulations
Starting point is 00:22:59 are now starting to encourage organizations or maybe even mandates, a better word, of looking at what their risk posture is. The wording, for example, in some of these regulations are saying they need to disclose in the event of a material breach. What does that mean? How do you quantify that, right? And so what we're saying is organizations need to start looking at your assets, your applications, your data, all of your systems, you need to be able to actually tag and understand what they do, how they operate, and what the risk would be associated at a very individualized level so that you have the ability to say, look, if there is another event that happens like MOVEit or Log4j or some other event out there, you can quickly understand
Starting point is 00:23:41 what the risk is or for that matter, to the earlier part of our conversation around patching, if there is a new vulnerability disclosed and you want to understand the risk of patching something today versus tomorrow or next week or next month, or you need resources or money to change the outcome, you actually have the ability to go to the rest of the C-suite or the board and say, if we do it, it's going to cost this much to fix the problem. If we don't do it, this is the risk we have to accept in the form of dollars. And I think for a lot of organizations, it makes cyber more real. All right. Well, Chris Novak is Senior Director of Cybersecurity Consulting at Verizon.
Starting point is 00:24:20 Chris, thanks so much for joining us. Thanks, Dave. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach
Starting point is 00:25:07 can keep your company safe and compliant. And finally, our affairs of the heart desk reminds us that sharing is caring right up until the moment it isn't. Malwarebytes has new research that shows that love and digital life don't always mix well. Couples often share passwords, locations, and devices. But this can lead to anything from Netflix mooching to serious privacy invasions, like spying through smart doorbells. Malwarebytes surveyed 500 committed partners,
Starting point is 00:25:52 30% regretted location sharing, 27% worried about being tracked, and 23% feared unauthorized account access. These concerns highlight that trust in a relationship doesn't mean sharing every digital detail. Breakups make this messier. Ever had an ex binge-watch on your Netflix? Annoying. But shared shopping accounts? Well, that's risky. They can expose your location and payment information. And of course, for domestic abuse survivors, any data leak can be dangerous. Smart home devices add another layer of risk. Exes have been known to misuse these gadgets for spying, turning what should be convenient tech into tools for harassment. Ultimately, while tech
Starting point is 00:26:39 can enhance relationships, it's crucial to know the risks. Sharing should be based on trust, not pressure, and proper measures can help ensure your digital life remains private and secure. For those in harmful situations, resources like the National Network to End Domestic Violence are available for support. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com. Your feedback helps us ensure we're delivering the information and insights
Starting point is 00:27:24 that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like The Cyber Wire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music by Elliot Peltzman. Our executive producers are Jennifer Ivan and Brandon Karp. Our executive editor is Peter Kilby, and I'm Dave Bittner.
Starting point is 00:28:10 Thanks for listening. We'll see you back here tomorrow. ...but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
