CyberWire Daily - Klue me in on the breach.

Episode Date: June 24, 2026

LastPass says Klue breach affected customer information, but passwords remain secure. Attackers begin exploiting Cisco Unified CM vulnerability. CISA flags actively exploited Ubiquiti and Lantronix flaws, urges rapid patching. DifyTap flaws could expose private AI conversations across tenants. Researchers find AI plugin registry let unofficial tools masquerade as trusted software. xpl0itrs launches leak site, signaling shift toward full-service cyber extortion. Ransomware attack hits Indian auto giant Bajaj Auto. U.S. presses Meta to submit AI models for national security reviews. Alleged criminal marketplace administrator extradited to the US. U.S. expands sanctions against Cambodian scam network tied to cyber fraud operations. On today’s Industry Voices segment, we are joined by Mike Masciulli, Managing Director, Migration Products and Services at Semperis, discussing RC4 and AD Migration: The Break Scenarios Hiding in Your Source Domain. And a lesson in access control.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

On today’s Industry Voices segment, we are joined by Mike Masciulli, Managing Director, Migration Products and Services at Semperis, discussing RC4 and AD Migration: The Break Scenarios Hiding in Your Source Domain. If you enjoyed this conversation, check out the full interview here.

Selected Reading

Password manager maker LastPass says hackers stole customer support case data during Klue breach (TechCrunch)
Klue says hackers stole credential from 2022 that led to customer data breaches (TechCrunch)
Cisco Unified CM flaw CVE-2026-20230 now exploited in attacks (BleepingComputer)
U.S. CISA adds Ubiquiti UniFi OS and Lantronix EDS5000 plugin flaws to its Known Exploited Vulnerabilities catalog (SecurityAffairs)
DifyTap: Zafran discovers how attackers can silently wiretap AI data across tenants on a platform powering 1M+ apps (Zafran)
23 ClawHub Plugins Squat Official Org Scopes (Manifold Security)
Cyber Intel Brief: xpl0itrs Leak Site Launch (Dataminr)
Indian auto giant Bajaj Auto hit by ransomware incident (The Record)
U.S. Presses Meta to Agree to A.I. Reviews as Security Concerns Rise (NY Times)
Algerian Man Extradited to US for Running Cybercrime Marketplaces (SecurityWeek)
US adds sanctions against accused Cambodian scammers Prince Group (Reuters)
Ushering in the Next Frontier of Quantum Innovation (The White House)
Meta Exposed Data Internally From Its Controversial Employee-Tracking Program (WIRED)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. AI is making phishing attacks faster, more convincing, and harder for people to spot, and traditional security awareness and phishing training weren't designed for this level of attack. Hoxhunt helps security teams prepare employees for the attacks they face every day, with personalized phishing training that adapts to each employee and reduces risky behavior over time. For IT and security leaders looking to strengthen their human layer of defense without adding more manual work, visit hoxhunt.com slash cyberwire to learn more. That's hoxhunt.com slash cyberwire. LastPass says Klue breach affected customer information, but passwords remain secure.
Starting point is 00:01:08 Attackers begin exploiting Cisco Unified CM vulnerability. CISA flags actively exploited Ubiquiti and Lantronix flaws, urges rapid patching. DifyTap flaws could expose private AI conversations across tenants. Researchers find AI plugin registry let unofficial tools masquerade as trusted software. xpl0itrs launches leak site, signaling shift toward full-service cyber extortion. Ransomware attack hits Indian auto giant Bajaj Auto. U.S. presses Meta to submit AI models for national security reviews. Alleged criminal marketplace administrator extradited to the U.S.
Starting point is 00:01:47 The United States expands sanctions against Cambodian scam network tied to cyber fraud operations. On today's Industry Voices segment, we are joined by Mike Masciulli, managing director of migration products and services at Semperis, discussing RC4 and AD migration: the break scenarios hiding in your source domain. And a lesson in access control. Today is Wednesday, June 24th. I'm Maria Varmazes in for Dave Bittner, and this is your CyberWire Intel Briefing.
Starting point is 00:02:34 Thank you for joining me today. Let's get into it. The password manager provider LastPass has disclosed that the Klue supply chain attack breached personal information and customer support case records belonging to LastPass customers, according to a report from TechCrunch. The company stressed that LastPass products, services, and infrastructure were not impacted in any way, and customer vaults remain secure. The breach involved business contact information from the company's Salesforce environment, including customer names, phone numbers, email addresses,
Starting point is 00:03:19 physical addresses, and support case information. Meanwhile, Klue has shared additional details surrounding the breach, during which attackers stole OAuth tokens and gained access to a number of Klue's corporate customers. Klue stated, "Our investigation determined that an attacker gained access through a compromised legacy credential associated with an integration service.
Starting point is 00:03:41 The attacker used that access to obtain OAuth tokens used to connect Klue with certain third-party platforms, including Salesforce, and subsequently accessed data within a number of connected customer environments." A Klue spokesperson told TechCrunch
Starting point is 00:03:56 that the compromised legacy credential was originally provided to a third party in 2022 for a limited pilot. Attackers are now exploiting a high-severity flaw in Cisco Unified Communications Manager Server that was patched on June 3rd, according to a report from BleepingComputer. The vulnerability can allow an unauthenticated remote attacker to conduct server-side request forgery attacks through an affected device and later use this access to elevate privileges to root. CISA has added four vulnerabilities affecting Ubiquiti UniFi OS and
Starting point is 00:04:31 Lantronix EDS5000 devices to its Known Exploited Vulnerabilities catalog, indicating that they are being actively abused in real-world attacks. The flaws include authentication bypass, path traversal, command injection, and code injection vulnerabilities that could allow attackers to gain unauthorized access or execute commands with elevated privileges. Federal agencies have been ordered to remediate the issues on an accelerated timeline, while private sector organizations are also being urged to patch affected systems immediately and review networks for signs of compromise.
Starting point is 00:05:08 Researchers at Zafran have disclosed four vulnerabilities collectively dubbed DifyTap, affecting Dify, a popular open-source AI application platform used to build more than one million AI-powered apps. Two of the flaws are rated critical, and several could allow attackers to access private AI conversations, preview documents belonging to other customers, and make unauthorized cross-tenant API calls. Some attacks require no authentication at all. Dify has released patches for most of the vulnerabilities and is working on fixes for the remainder. Researchers at Manifold Security discovered 23 AI agent plugins on the ClawHub registry
Starting point is 00:05:50 that appeared to come from official OpenClaw and ClawHub organizations, but were actually published by unrelated accounts. This issue, known as scope squatting, exploited weak enforcement of namespace ownership rules, allowing plugins to inherit the credibility of trusted brands. While investigators found no malicious code in the affected plugins, many had the ability to execute code, access APIs, and perform privileged actions on behalf of AI agents. Following disclosure, ClawHub unlisted the plugins and introduced stronger namespace controls. Dataminr is warning that the financially motivated cybercrime group called xpl0itrs has launched a
Starting point is 00:06:33 dedicated data leak site, marking a significant evolution in its operations. The group claims access to more than a dozen billion-dollar companies and is advertising the sale of compromised corporate networks through encrypted channels. Researchers say that the move consolidates the group's access brokering and extortion activities into a single platform, potentially accelerating the public exposure of victims. In a follow-on to yesterday's coverage of Tata Electronics, Indian motorcycle and vehicle manufacturer Bajaj Auto has also disclosed a ransomware attack that affected systems at both the company and its subsidiary Bajaj Auto Technology. The company says it immediately activated incident response protocols and has brought in cybersecurity experts to contain the threat.
Starting point is 00:07:19 According to Bajaj, mitigation efforts have so far been successful, and it has not reported any major operational disruptions. The Trump administration is reportedly pressing Meta to join a voluntary government program that reviews advanced AI models for national security risks before public release. Meta is currently the only major U.S. AI developer that has not signed such an agreement. OpenAI, Anthropic, Google DeepMind, Microsoft, and xAI already participate in the review process, which evaluates risks ranging from cyber attacks to potential military misuse. An Algerian national who was arrested in Spain has been extradited to the U.S. to face charges related to his alleged operation of two cybercriminal marketplaces,
Starting point is 00:08:07 according to a report from SecurityWeek. 26-year-old Abdullah Belmilly is accused of running the Market Zero Day and Spoxy criminal markets, as well as developing phishing kits that targeted major American banks. The U.S. Justice Department said in a press release, "During the course of the conspiracy, Belmilly is accused of defrauding multiple institutions, including American Express, Bank of America, J.P. Morgan Chase, Wells Fargo, as well as financial institutions in the United Kingdom. Between January 2020 and January 2023, approximately $900,000 was deposited into an account controlled by Belmilly.
Starting point is 00:08:45 The investigation has also identified approximately 5,600 U.S. and international victims." Belmilly is facing a maximum of 30 years in prison for conspiracy to commit bank fraud. The United States has imposed new sanctions on nine individuals and 26 entities linked to Cambodia's Prince Group, which U.S. officials accuse of operating large-scale cyber fraud and scam compounds targeting Americans. The action builds on previous sanctions against the organization, which authorities say used online investment scams, cyber-enabled fraud, money laundering, and human trafficking to generate billions of dollars in illicit proceeds. The Treasury Department said the latest measures target key leaders, investors, and front companies connected to the network as part of an ongoing
Starting point is 00:09:31 effort to disrupt transnational cybercrime operations originating in Southeast Asia. And this week's executive order does have major implications for space cybersecurity. With more on that, here's T-Minus producer Ethan Cook. Thanks, Maria. Earlier this week, President Trump signed a new executive order focused on quantum computing. In the executive order, Ushering in the Next Frontier of Quantum Innovation, the White House is looking to prepare the nation for quantum computing by maintaining its tactical advantage in quantum technologies while also creating a trusted quantum ecosystem.
Starting point is 00:10:06 Within Section 5, the White House directed the administrator of NASA to create a five-year plan for developing and extending civilian quantum sensing and networking for space applications. Alongside this effort, in Section 4, the White House directed the assistant to the president for science and technology to work with NASA, the NSA, and other relevant agencies to identify additional actions that would enhance the quantum computer for application development and discovery science effort. For the T-Minus space cyber briefing, this is producer Ethan Cook. Back to you, Maria.
Starting point is 00:10:37 Stay with us after the break. Mike Masciulli, managing director of migration products and services at Semperis, is discussing RC4 and AD migration: the break scenarios hiding in your source domain. And a lesson in access control. When it comes to mobile application security, good enough is a risk. A recent survey shows that 72% of organizations reported at least one mobile application security
Starting point is 00:11:23 incident last year, and 92% of respondents reported threat levels have increased in the past two years. Guardsquare delivers the highest level of security for your mobile apps without compromising performance, time to market, or user experience. Discover how Guardsquare provides industry-leading security for your Android and iOS apps at www.guardsquare.com. What's the one thing in business that's spreading as fast as AI? AI risk. Every new tool your team signs up for.
Starting point is 00:12:04 Every vendor that turns on AI features, every new integration, each one creates another opportunity for something to go wrong. And most security programs just weren't built for AI's pace of growth. Enter Vanta. Vanta is the number one agentic trust platform, used by more than 16,000 fast-moving companies like Ramp, Cursor, and Harvey to help ensure they're always audit-ready. And now Vanta is helping companies watch for the risks that show up between audits, across vendors, AI tools, and their entire environment.
Starting point is 00:12:41 The Vanta agent works like a 24-7 GRC engineer in the background, finding issues, drafting fixes, and cutting vendor assessment time by up to 50%. Whether you're a fast-growing startup or a global enterprise, Vanta is here to help you automate your security and compliance and earn and prove trust. Get started today at vanta.com slash cyber. That's V-A-N-T-A dot com slash cyber. On today's Industry Voices segment,
Starting point is 00:13:23 host Dave Bittner sits down with Mike Masciulli, managing director of migration products and services at Semperis, discussing RC4 and AD migration: the break scenarios hiding in your source domain. Here's their conversation. Most enterprises have known that they should get off of RC4 for over a decade, and the reason that they haven't done it isn't technical. There's really no forcing function around RC4 deprecation. And RC4 specifically is a legacy encryption algorithm
Starting point is 00:13:55 that's being used today to do a variety of things. Microsoft's been deprecating it slowly, and there was no specific moment that demanded action. And then July, the July 2026 enforcement specifically, is that moment. So for organizations running migrations through that window, the migration itself becomes the moment of cleanup. And you're already touching every service account,
Starting point is 00:14:20 every keytab, every trust. You might as well fix the encryption story while you're in there. Most of the coverage that I've seen of RC4 deprecation has been focused on auditing existing environments. Why do you think migration projects have been missing from the conversation? Well, that's a really good point. So most of the RC4 coverage out there focuses on what's happening to running environments: auditing the accounts, finding the dependencies, hardening the configuration. What almost nobody's covered is what happens when you take an account that's authenticating fine today, and then you move it to a new domain during the migration.
Starting point is 00:14:57 So standard migration tooling moves NTLM hashes, but not AES keys. The receiving domain tries the AES keys. It can't find the keys and the authentication fails silently. The first time anybody's noticing this is usually during that cutover. And the failures, they look like app errors, not encryption errors. And that's the gap. So it's getting people in trouble, and that's what we've been working on. Is this one of those situations where somebody starts getting phone calls in the middle of the night that, hey, stuff's not working?
Starting point is 00:15:30 Absolutely. And that's what we're trying to advocate for, is doing the preparation tasks that lessen the dependencies, right? So if we can get in there proactively and lessen those dependencies, we have fewer surprises and more repeatable and successful migrations. What is it that makes an RC4-related migration problem look like an application issue instead of an encryption issue? It's the way that it's coming through. It's the way that it's presenting itself. So the AD attribute actually lies and the key tells the truth. So the account's msDS-SupportedEncryptionTypes attribute can advertise AES support
Starting point is 00:16:09 while the underlying key itself, the key material, is RC4 only, because the password predates the domain functional level 2008 upgrade, and the AES keys were never generated. The KDC trusts the attribute, tries AES, finds no key, and then the authentication fails. So you can't catch this by reading attributes. You can catch it by correlating accounts where AD says AES keys, but the 4768 and 4769 Kerberos event logs show RC4 tickets actually being issued. In steady state, they work on cached tickets. Cutover invalidates every cached ticket.
Starting point is 00:16:53 And that's the moment that the issue surfaces. And what do organizations see in terms of operational impact here? Well, the operational impact is going to be anything that's associated with the account. So the mileage is going to vary. And that's specifically in environments where they haven't done some of the best practice things around rotating passwords and things of that nature. The at-risk population by environment varies too. And again, we're not saying that the sky is falling, right?
Starting point is 00:17:24 But we're saying that there are things that you can do proactively to get in front of it. When you look at the at-risk population in a greenfield environment after 2010, you may see a couple of accounts, maybe up to 10. If you're looking at a mid-to-large enterprise, a decade-plus of Active Directory use in history, you may see, you know, counts in accounts around 20 to 200. And then in more modern or M&A-built environments with no subsequent identity consolidation, you can see several hundred to low thousands. So you mentioned that Microsoft has this July '26 enforcement milestone that's coming up quickly.
Starting point is 00:18:06 What's going to happen between now and then? What should organizations be focused on? Organizations should be focused on a variety of things to proactively identify the issue. Specifically, I would follow the four discovery steps. So what we did when we saw kind of the gap in coverage, you know, what we were seeing in industry, was we put together a couple of different pieces of information, a few blog posts and things around preparatory tasks. And what we would recommend, and these are well documented in those posts, is to first document
Starting point is 00:18:40 and make sure that the domain functional level of every domain inside of the environment or environments is updated in the source and target. And then look for or verify that the Kerberos auditing is enabled on all the DCs. Then you can run an event log correlation so you can find the AES-configured accounts that are getting RC4 tickets issued. And that's that 4768 and 4769 entry. And this is the step that surfaces the attributes that are essentially lying to you. And then schedule application owner conversations for every Linux, Java, and
Starting point is 00:19:16 network appliance host using AD-based Kerberos, because those dependencies you're going to have to get an inventory of. Microsoft is doing the deprecation run in three phases across 2026. In January, they started with the audit in the initial phase, right? So they tied the January change specifically to CVE-2026-2033, and they used that security update as the entry point to begin the deprecation. In April
Starting point is 00:19:45 they're pushing a default shift to AES, so the default Kerberos ticket issuance behavior is changing to AES-SHA1 for accounts without explicit encryption settings. So RC4 can still be used, or it's enabled, but again you have to
Starting point is 00:20:03 have it specifically enabled. And then in July, they're reporting final enforcement. But as we know, Microsoft doesn't always go ahead and do those configurations that have the potential to break environments. Sometimes they advocate for the changes that are necessary to remove the dependency, and then they soft roll it. So am I correct in my understanding that there's kind of a hidden architecture element here? One of the points you make in your research is that every migration is going to need plain-text password material to generate these new AES keys. Why is that an important concept for organizations to understand? So the most secure migration would be creating the accounts in the target and then regenerating the passwords in the target and not synchronizing the passwords between the source and the target.
Starting point is 00:21:02 If you need to do it another way, we used to be able to copy the hashes, or specifically a hash of a hash, to synchronize that password over to the target environment. And that would essentially pre-seed the salt in the target environment, the hash, which would enable the user to log in with the same password. That's not available to us anymore with the addition of the AES key. The only way to be able to proactively generate an AES key in the target
Starting point is 00:21:30 would be to capture plain-text password information, presumably in the source environment because that's where it lives, and then set it in the target environment for that user account. Now, in order to do that, you have to put a filter on all the domain controllers inside of the source environment, and at the same time, you have to go ahead and generate a password change event inside of that source environment, and then ensure everybody that's in scope for migration hits one of those domain controllers, and then you have to take that information over in a secure manner into the target environment and essentially inject it programmatically into that target
Starting point is 00:22:07 Active Directory environment in order to keep that usability. Now, we can do all that, right? And that's what some people are doing in industry. Or we can take a new approach or a different approach. And we can say in today's new world, the internet being as volatile as it is, we're going to need to force a password reset. And if we're going to do a password reset, we should probably fix it forward and do it in that target environment so that we know that we land in the most secure environment that's available to
Starting point is 00:22:36 us based on today's standards. What's your guidance for the various stakeholders here? I mean, you've got the executives in the organization. You've got the folks who are tasked with the migration. You've got the security team. What sort of collaborations or conversations should they be making as they're, or should they be having as they're prioritizing their actions over the next few months? Have the conversations internally with your infrastructure teams. Try to understand the genesis of your source Active Directory environments. If there's any gaps in that knowledge,
Starting point is 00:23:13 try to build them out as best as you possibly can, and then run the process. So four things in order. Document the patch state and domain functional level of all the domains in the environment. Verify the Kerberos auditing, that it's enabled on all DCs. Run an event log correlation looking for AES-configured accounts getting those RC4 tickets issued. Four, schedule conversations with the app owners. Again, understand that application infrastructure, and that's for every Linux, Java, and network appliance host that's using AD-based Kerberos.
Starting point is 00:23:47 Those first steps surface most of the actual break list. What's your advice for organizations that are headed down this path? What can they do to put themselves in a position where they're most likely to see success here? I mean, today, they can go out today. They can read the blog post that Semperis has put up, and we can start by doing the documentation steps inside of that blog post. And it's a pretty well-detailed process that you can run through to see exactly what exposure you have.
Starting point is 00:24:19 At the same time, if they don't have staff internally or they don't have the appetite to do it internally, they can reach out to a service provider or even Semperis professional services, and we can assist them that way as well. That was Mike Masciulli, managing director of migration products and services at Semperis, sitting down with host Dave Bittner discussing RC4 and AD migration: the break scenarios hiding in your source domain. Most environments trust far more than they should, and attackers know it. ThreatLocker solves that
Starting point is 00:25:05 by enforcing default deny at the point of execution. With ThreatLocker Allowlisting, you stop unknown executables cold. With Ringfencing, you control how trusted applications behave. And with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero-trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind.
Starting point is 00:25:41 ThreatLocker makes zero trust attainable, even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo at threatlocker.com slash N2K today. This episode is brought to you by L'Oréal Group. Beauty is a powerful force that moves us. That's why L'Oréal Group has built a business that is inclusive at its heart, with 100% of its brands championing diversity.
Starting point is 00:26:20 With 25,000 professional opportunities for people under 30 worldwide and 54% of leading positions held by women, diversity is a strength that helps L'Oréal Group create the best beauty products for all people. Visit loreal.com to learn more. And finally, Meta has paused a controversial employee monitoring program after an internal security issue exposed data collected from workers' laptops to people across the company. The program was designed to help train AI models and collected information including keystrokes, mouse clicks, screen content, prompts, and transcriptions.
Starting point is 00:27:03 What could possibly go wrong? Well, according to an internal security notice reviewed by Wired, data across 45,000 internal tables was left accessible because of misconfigured access controls. Yeah, the incident comes after months of employee concerns about the program. More than 1,600 workers had already signed a petition warning that collecting this kind of data could create security and privacy risks. Well, Meta says there is no indication that the data was improperly accessed and has paused the program while it investigates.
Starting point is 00:27:35 It is the kind of story that cybersecurity professionals hear all the time: a project built to collect massive amounts of data runs into trouble because that massive amount of data now needs protecting. Or as some Meta employees might put it, the AI training exercise unexpectedly became a security awareness exercise. And that's the CyberWire Daily, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. N2K's lead producer is Liz Stokes.
Starting point is 00:28:31 We are mixed by Tré Hester with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Maria Varmazes in for host Dave Bittner this week. Thank you for listening. We'll see you tomorrow.
