CyberWire Daily - Imitation game: LastPass vs LassPass.
Episode Date: February 9, 2024
A LastPass imitator sneaks its way past Apple's app store review. Bitdefender identifies a new macOS backdoor. The Air Force and Space Force collaborate for stronger cyber defense. CISA offers an election security advisory program. The FCC bans AI robocalls. The Feds put a bounty on the Hive ransomware group. Senators introduce a bipartisan drone security act. Cisco Talos IDs a new cyber espionage campaign. Fighting the good fight against software bloat. On our Solution Spotlight, N2K President Simone Petrella talks with Amy Kardel, Senior Vice President for Strategic Workforce Relationships at CompTIA about the cyber talent gap. And sports fans check your passwords. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
On our Solution Spotlight, N2K President Simone Petrella talks with Amy Kardel, Senior Vice President for Strategic Workforce Relationships at CompTIA about their perspectives and initiatives in response to the cyber talent gap.
Selected Reading
Fake LastPass App Sneaks Past Apple's Review Team (MacRumors)
Warning: Fraudulent App Impersonating LastPass Currently Available in Apple App Store (LastPass)
New Rust-Based macOS Backdoor Steals Files, Linked to Ransomware Groups (HACKREAD)
New Department of Air Force partnership brings cyber, space and information units closer (DefenseScoop)
Federal Cybersecurity Agency Launches Program to Boost Support for State, Local Election Offices (SecurityWeek)
FCC votes to outlaw scam robocalls that use AI-generated voices (CNN Business)
US offers $10 million for tips on Hive ransomware leadership (Bleeping Computer)
New legislation would give NIST drone cybersecurity responsibilities (FedScoop)
New Zardoor backdoor used in long-term cyber espionage operation targeting an Islamic organization (Talos Intelligence)
Why Bloat Is Still Software's Biggest Vulnerability (IEEE Spectrum)
Super Bowl of Passwords: Chiefs vs. 49ers in the Battle of Cybersecurity (Security Boulevard)
Taylor Swift's Influence on Cybersecurity (Enzoic)
Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
A LastPass imitator sneaks its way past Apple's App Store review.
Bitdefender identifies a new macOS backdoor.
The Air Force and Space Force collaborate for stronger cyber defense.
CISA offers an election security advisory program.
The FCC bans AI robocalls.
The feds put a bounty on the Hive ransomware group.
Senators introduce a bipartisan drone security act. Cisco Talos IDs a new cyber espionage campaign. On our Solution Spotlight, N2K President Simone Petrella talks with Amy Kardel, Senior Vice President for Strategic Workforce Relationships at CompTIA, about the cyber talent gap.
And sports fans, check your passwords.
It's Friday, February 9th, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Happy Friday, everyone, and thank you for joining us here today.
LastPass is alerting its users about a fraudulent
app named LassPass Password Manager, that's L-A-S-S, on Apple's App Store, which closely
imitates the genuine LastPass app in name and icon design, potentially confusing customers.
Despite the clear resemblance, it's uncertain if the imposter app aims to steal
user data such as passwords, email accounts, and financial information, or merely seeks to profit
from subscription fees. They are offering a pro-upgrade for up to $49.99 for a lifetime
subscription. The presence of this kind of clone app, especially one that could access sensitive user information, raises concerns about the App Store's review process and Apple's security assurances, particularly as the company promotes the App Store's safety while preparing for the introduction of alternate app marketplaces in the European Union.
Mac journalist John Gruber was able to download and try the app before it was removed,
and in his estimation, it was not trying to steal legitimate LastPass credentials,
but rather was likely trying to piggyback off the password manager's brand recognition for financial gain. The app has been removed from the App Store.
Staying in the Apple ecosystem for a moment,
Bitdefender has identified a new macOS backdoor named Trojan.MAC.RustDoor,
active since November of 2023.
This malware, written in Rust, mimics a Visual Studio update and targets both Intel and ARM architectures to steal and upload files to a command and control server.
Its association with known ransomware groups like Black Basta and ALPHV/BlackCat is suggested but not confirmed.
The backdoor has several variants with functionalities for persistence and data exfiltration, utilizing
a range of commands for controlling infected devices.
Despite its sophisticated design making detection
challenging, its communication with C2 servers currently returns not found.
The Department of the Air Force is enhancing its collaboration with the Space Force,
aiming to strengthen cyber defense capabilities and operational outcomes.
My N2K CyberWire colleagues Maria Varmazis and Brandon Karpf
filed this report for the T-Minus Daily Space News podcast.
Okay, Brandon, thank you for joining me this morning.
Can you explain a little bit about what this all means?
Yeah, most definitely.
It'd probably be helpful to start with background.
So essentially, each of the military services have something called a service cyber component.
So this is the part of that service that is assigned to U.S. Cyber Command and typically is responsible for a number of things. And what's consistent across the service cyber components,
and the 16th Air Force is the Air Force's service cyber component,
is that they tend to be responsible for cyber operations,
network operations often fall under there,
intelligence surveillance reconnaissance, cryptology.
These are all the different aspects of military operations and capabilities
that tend to fall under the purview of a service cyber component.
And so this recent article is basically the Air Force
saying that they are trying to closer align
their service cyber component, the 16th Air Force,
with the space operations.
When you think about space capabilities right now,
space capabilities are really network capabilities, right?
This is critical communications capabilities,
intelligence collection and information providing capabilities to the joint force.
And so aligning the 16th Air Force and the Space Operations Command together, or at least in a way that they communicate more clearly and more effectively in an operational way, will inherently support the missions of the 16th Air Force.
Be sure to check out T-Minus wherever you get your podcasts.
The U.S. Cybersecurity and Infrastructure Security Agency
has initiated an election security advisor program
to enhance election security nationwide,
aiming to support state and local officials and assure
voters of the integrity of the upcoming presidential elections. The program addresses
growing security concerns such as cyber attacks by foreign entities, ransomware, and election
misinformation. The initiative features 10 new hires with significant election experience,
complementing existing staff providing cyber and physical security assessments upon request.
State election officials have expressed appreciation for the program, highlighting its role in strengthening cybersecurity infrastructure against malicious activities.
The FCC has banned scam robocalls using AI-generated deepfake voices, expanding anti-robocall regulations to include these artificially created calls. This unanimous vote enhances the legal arsenal for state attorneys general to combat fraud and misinformation, specifically targeting AI voice manipulation for scams, voter misinformation, and impersonations.
This interpretation of the 1991 Telephone Consumer Protection Act demands prior consent for robocalls with AI-generated voices,
aligning penalties for these calls with those for traditional illegal robocalls.
Recent legislation proposals aim to double TCPA penalties for AI-involved violations.
Despite these measures, experts like Andrew Schwartzman of the Benton Institute for Broadband and Society
recognize the limitations in completely halting malicious actors,
but acknowledge the FCC's efforts as a significant deterrent.
The U.S. State Department is offering rewards of up to $10 million
for information leading to the identification, location, or arrest
of key members of the Hive ransomware gang.
Hive is responsible for extorting about $100 million
from over 1,300 companies in more than 80 countries
from June 2021 to November 2022. An additional reward of
up to $5 million is available for information resulting in the arrest or conviction of anyone
attempting to participate in Hive ransomware activities. This initiative is part of the
Transnational Organized Crime Rewards Program, which has paid over $135 million for actionable tips since 1986.
The announcement follows a successful law enforcement operation that infiltrated Hive's
network, providing victims with decryption keys and preventing $130 million in ransom payments.
Hive, known for its indiscriminate targeting, operates a ransomware-as-a-service model,
breaching organizations through phishing, exploiting vulnerabilities, and using purchased credentials.
Senators Mark Warner, Democrat from Virginia, and John Thune, Republican from South Dakota,
introduced the Drone Evaluation to Eliminate Cyber Threats Act, DETECT, aimed at enhancing drone cybersecurity within the federal government.
The bill mandates that NIST develop cybersecurity guidance for government-used drones, potentially leading to binding regulations.
It includes provisions for testing the guidelines with a federal agency, implementing reporting protocols for drone security vulnerabilities,
and prohibits federal agencies from purchasing drones
that do not comply with these guidelines, except with a waiver.
Warner and Thune have previously proposed legislation
to improve the Federal Aviation Administration's handling of drone technology,
advocating for a more transparent and efficient process.
Cisco Talos uncovered a sophisticated espionage campaign named Zardoor, active since at least
March 2021, targeting an Islamic non-profit organization. The campaign, executed by an
advanced threat actor, utilized a custom backdoor, modified reverse proxy tools, and
living off the land binaries to evade detection, establish command and control, and ensure
persistence.
Despite only one compromised target being identified, the actor's prolonged undetected
network access hints at the possibility of additional victims.
The campaign's techniques bear some resemblance to tactics used by threat groups from China,
though the association with these groups is considered with low confidence
due to the non-exclusive use of the tools
and the unique choice of target not aligning with known objectives of Chinese-origin threat actors.
An editorial in IEEE Spectrum written by Bert Hubert makes the case
that software bloat represents a serious security threat. According to Hubert, the cybersecurity
landscape is in a dire state with rampant use of excessive code and dependencies in software
development leading to significant security vulnerabilities. He highlights the
absurdity of current software practices, including the use of millions of lines of code for simple
tasks and the integration of numerous external libraries of dubious origin. The situation is
further exacerbated by the industry's reluctance to prioritize security due to economic incentives and the rapid pace of development.
Notably, legislation in the European Union aims to address these issues by mandating
improved software security. Hubert shares a personal project, Trifecta, as an example of
minimalistic yet modern and secure software, demonstrating the feasibility of creating
efficient and reliable applications
with a lean approach to coding and dependencies.
The article is a thoughtful call to action for a return to simpler, more secure coding
practices.
Ah, the good old days when cloud computing meant daydreaming about shapes in the sky
while your program compiled.
Coming up after the break, N2K President Simone Petrella speaks with Amy Kardel, Senior Vice President for Strategic Workforce Relationships at CompTIA, about the cyber talent gap.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this,
more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30
frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and helps you get security questionnaires done five times faster
with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com
slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Our own N2K president, Simone Petrella, recently got together with Amy Kardel,
Senior Vice President for Strategic Workforce Relationships at CompTIA.
Their conversation focuses on efforts by CompTIA to narrow the cyber talent gap.
So back in November, the White House hosted a workshop to discuss improving the collection of accurate data with respect to the nation's cyber workforce.
I was there along with Amy Kardel, Senior Vice President of Strategic Workforce Relationships at CompTIA.
Amy, thank you so much for reconnecting now that we're in the new year.
Yes, it is a new year. 2024 is upon us. And it was great to meet you there for the first time.
And I'm excited to continue the conversation that we started in the executive office building.
Yes, me too. You know, just to kick things off, I know CompTIA has been heavily involved in the cyber workforce issues and has done quite a number of commitments over the years to expand
the national cyber workforce, whether it's increasing diversity, expand access to education
and training, and the list goes on. My first question to you is what role do certification
and training bodies play as it pertains to those national strategies and how will that help us grow
and sustain the workforce?
Well, cybersecurity certifications are not just a nice-to-have.
Those professional certifications and ongoing training are probably the most effective ways to shrink skills gaps.
That's what employers look to to understand competencies,
and that competency-based education is really what hiring managers are saying that they want to see. So 70% of tech hiring managers say
they regard them as necessary for security professionals because those are the proof.
You know, when you think about CompTIA and its role, and I know that you have all done a number
of things around assessing, you know, the state of the cyber workforce and how do we think about
how employers can kind of
better contribute to growing the cyber workforces in their own organization.
What's CompTIA's perception on the current state of the cyber workforce? And what are the major
challenges that you all see facing the industry today for those of us on the employer side?
It's a huge problem. I guess the easiest way to say it is that the stakes for cybersecurity
and the challenges in crafting cybersecurity policy and solving this problem with practices
is that it's grown dramatically. The problem is there and it's growing fast.
So from a threat landscape perspective, companies can see that the number of cyber criminals is
skyrocketing and the potential damage from a cyber attack can be catastrophic. From an information security perspective, there's far
more data being captured. So that means that more privacy implications for customers and operational
risk is there for internal workflows and for national security as well, of course.
So from a product perspective, also we have the threats from generative AI
that's accelerating the capabilities of attackers,
but of course also defense
and making that skills gap at organizations even wider.
So that's why certification and training
are so critical to a robust cyber defense
to bring it back full circle.
Yeah.
Do you find, and I ask this question
because I know one of my personal frustrations is that sometimes organizations, whether they be private sector or even agencies, are often quick to talk about the emerging threat landscape and how integral cybersecurity is to their overall operations. And there's definitely an acknowledgement
of the challenge in the experience and the talent pipeline as it pertains to cyber talent.
Do you find that the walk is meeting the talk? Are we really stepping up as organizations to sort of
put our money where our mouths are and take the action to build workforces that are sustainable and resilient
like we say they are supposed to be?
That's a great question
because talk is cheap and action is everything.
So are we seeing more conversations
that are bringing stakeholders together to take action?
I would say yes.
And I think the meeting we met at was an example of that
because at a national level,
it's raised to the level that there's a national cybersecurity workforce strategy.
So conversations are happening where implementation can happen across the ecosystem, I think, at a faster pace.
Coordination at that scale is difficult and duplication of efforts are almost inevitable.
So I think it's raised to the level of attention at the highest levels.
Action's been taken to forward those connections
and implementation in terms of uptake is increasing,
but we're not done.
And interestingly, last week,
I had a lot of conversations with four-year universities
who have not thought about
maybe their students being in certification pathways and cybersecurity traditionally,
but are starting to ask that question because they see the value it adds to their students as well.
So I think there's the traditional ecosystem in our industry,
but there's also curiosity from the adjacency of even the four-year university space.
That's fantastic. Now, correct me if I'm wrong, but I think that a lot of CompTIA's work
really even transcends being a certifying body and providing the training in that I know there's
been a lot of work that you all have done in job skills and what are the actual skills required for jobs for folks to be successful
in cybersecurity. And I know I'm throwing you a little bit of a curveball because I didn't,
like it just, but it came up as you were talking and I was thinking to myself,
can you share any of those things that you're all doing even beyond certifications? And I think it's
an important component of the conversation because while those certifications are so, so critical on so many levels, sometimes we kind of get blindsided by looking at the certification and ignoring the fact that it's really representative of a set of skills underlying a job.
Yeah, I think where you're going with this question is, obviously, our certifications are all around the hard skills in cybersecurity.
And, you know, after I came from industry and so after decades of hiring and unfortunately sometimes having to fire some cybersecurity professionals, it never really came down to
the hard skills being where the rub was. And so, you know, this last week here in mid-January,
we're really excited to drop a free rubric that we did in partnership with America Succeeds on durable skills.
and energy along with some really powerful third parties to think about all the equity
and really big issues around soft skills
not being a code for class or status,
but really thinking about what are those knowledge,
skills, and abilities in an objective way.
That rubric, we put a stake in the sand
with the input of over 800 employers
and a partner called America Succeeds on durable skills.
So that rubric is now out there for high schools, community colleges, employers to look at
and see the different levels of what it means to be good in it and a wheel of 10 different
durable skills, formerly known as soft skills, that help professionals succeed and help bridge
kind of the silo between employers and educators.
We wrote national guideline standards for apprenticeship that embed the skills that we would consider necessary to be competent in these five pathways to careers that are being apprenticed nationally.
And we want to enable the ecosystem to move forward.
We have a lot of fantastic data. The reason we met was the data
report out. So our research department is always publishing a tech jobs outlook. And we want that
to be well known because that's another case of, you know, we want to let you know that we partner
with Lightcast and we use BLS data and that data is there. So please consume it. And we don't
charge for that. We just want to make sure that our industry data is helpful to those in every
zip code who are making decisions about what workforce training needs to happen or what their
employment options are. So we see ourselves as an ecosystem partner beyond, like you said, the
certification piece. We've covered a lot today,
but my kind of parting question to you is,
you know, we're kicking off into a new year.
It's 2024.
What are you most excited about for CompTIA moving forward?
I am most excited about the platform we have
to share across silos.
So I really feel just a huge aha, especially maybe
last week talking to universities that education is so siloed, especially higher education. They're
their own special silo called Ivory Tower. It even looks like a silo. And then of course,
we have employers in their silo and we have training partners in their silo. And I think our cross-cutting ability
at CompTIA to help with solutions at scale that cut across those silos is more valuable than ever.
So I'd like to say, and I'm an eternal optimist about this, that CompTIA is in a great place
to be an enabler across those silos. Fantastic. Well, Amy, thank you so much for joining me today.
It was a fantastic conversation and really appreciate all your insights.
It is a pleasure to speak with you, Simone. Thank you so much for the invitation and here's
to a great year. That's Amy Kardel from CompTIA speaking with N2K President Simone Petrella.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today
to see how a default-deny approach
can keep your company safe and compliant.
With TD Direct Investing,
new and existing clients could get 1% cash back.
Great! That's 1% closer to being part of the 1%.
Maybe, but definitely 100% closer to getting 1% cash back with TD Direct Investing.
Conditions apply. Offer ends January 31st, 2025. Visit td.com slash dioffer to learn more.
And finally, our sports ball desk tells us that this Sunday is Super Bowl 58.
I'm told that's the game with the pointy ball featuring the Kansas City Chiefs versus the San Francisco 49ers.
With professional sports-related passwords being common, security firm Enzoic analyzed a commonly used breach database and found that SF-49ers and KC Chiefs are among the most exposed team-related
passwords, with over 119,000 and nearly 50,000 instances, respectively.
Their analysis of the top 10 passwords for each team showcases the simplicity and predictability
of these passwords, making them vulnerable to cyberattacks. And yes, we know what you're
thinking. What about Taylor Swift? Not to worry, Swifties. Enzoic did an
analysis of Taylor Swift-derived passwords as well. We'll have a link in the show notes.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing
at thecyberwire.com.
Be sure to check out this weekend's Research Saturday and my conversation with John DiMaggio,
Chief Security Strategist for Analyst1.
We're discussing their research, Ransomware Diaries, Volume 4,
Ransomed and Exposed, The Story of RansomedVC.
That's Research Saturday. Check it out.
We'd love to know what you think of this
podcast. You can email us at cyberwire at n2k.com. We're privileged that N2K and podcasts like the
CyberWire are part of the daily intelligence routine of many of the most influential leaders
and operators in the public and private sector, as well as the critical security teams supporting
the Fortune 500 and many of the world's preeminent
intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence
optimizes the value of your biggest investment,
your people.
We make you smarter about your team
while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester with original music by
Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive
editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.
...solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI
and data products platform comes in. With Domo, you can channel AI and data into innovative uses
that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.