CyberWire Daily - Massive malware cleanup.
Episode Date: January 15, 2025
The FBI deletes PlugX malware from thousands of U.S. computers. Researchers uncover vulnerabilities in Windows 11 allowing attackers to bypass protections and execute code at the kernel level. A look at a busy Patch Tuesday. Researchers uncovered six critical vulnerabilities in a popular Linux file transfer tool. Texas sues Allstate for allegedly collecting, using, and selling driving data without proper consent. An executive order enables AI developers to build data centers on federal lands. On our Industry Voices segment, we are joined by Mike Hamilton, Chief Information Officer at Cloudflare, discussing how tech sprawl emulates the snake game. Meta profits while users suffer.
Industry Voices Segment: Mike Hamilton, Chief Information Officer at Cloudflare, discusses how tech sprawl emulates the snake game. You can read Mike's thoughts here.
Selected Reading
FBI deletes Chinese PlugX malware from thousands of US computers (BleepingComputer)
Windows 11 Security Features Bypassed to Obtain Arbitrary Code Execution in Kernel Mode (Cyber Security News)
Microsoft Patches Eight Zero-Days to Start the Year (Infosecurity Magazine)
Chrome 132 Patches 16 Vulnerabilities (SecurityWeek)
Nvidia, Zoom, Zyxel Patch High-Severity Vulnerabilities (SecurityWeek)
Ivanti Patches Critical Vulnerabilities in Endpoint Manager (SecurityWeek)
Zoom Patches Multiple Vulnerabilities That Let Attackers Escalate Privileges (Cyber Security News)
Apple Patches Flaw That Allows Kernel Security Bypassing (GovInfo Security)
ICS Patch Tuesday: Security Advisories Published by Schneider, Siemens, Phoenix Contact, CISA (SecurityWeek)
Linux Rsync File Transfer Tool Vulnerability Let Attackers Execute Arbitrary Code (Cyber Security News)
Allstate car insurer sued for tracking drivers without permission (BleepingComputer)
Biden Opens US Federal Sites for AI Data Center Growth (BankInfo Security)
Instagram Ads Send This Nudify Site 90 Percent of Its Traffic (404 Media)
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
The FBI deletes PlugX malware from thousands of U.S. computers.
Researchers uncover vulnerabilities in Windows 11,
allowing attackers to bypass protections and execute code at the kernel level.
A look at a busy Patch Tuesday.
Researchers uncovered six critical vulnerabilities in a popular Linux file transfer tool.
Texas sues Allstate for allegedly collecting, using, and selling driving data without proper consent.
An executive order enables AI developers to build data centers on federal lands.
On our Industry Voices segment, we're joined by Mike Hamilton, Chief Information Officer at Cloudflare,
discussing how tech sprawl emulates the old snake game.
And Meta profits while users suffer.
It's Wednesday, January 15th, 2025.
I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thank you once again for joining us here today.
It is great as always to have you with us.
The U.S. Department of Justice announced that the FBI has deleted PlugX malware linked to the Chinese espionage group Mustang Panda from over 4,200 U.S. computers.
PlugX, active since 2008, is a powerful cyber espionage tool
capable of data theft, keystroke logging, and command execution.
This variant spread via USB drives,
infecting devices across governments, dissident groups, and companies worldwide.
The operation was part of a global effort led by French law enforcement and cybersecurity firm Sekoia,
which started dismantling the botnet in 2024.
U.S. authorities obtained court orders to delete PlugX from infected computers without collecting user data.
Notifications were sent to affected users.
Sekoia identified the botnet's command server,
which connected to 2.5 million devices globally with 100,000 daily pings.
PlugX's source code, potentially leaked in 2015,
complicates attribution as various threat actors continue to exploit it.
This takedown marks a significant win in combating cyber threats.
Researchers from HN Security uncovered vulnerabilities in Windows 11's
virtualization-based security, VBS, and hypervisor-protected code integrity, HVCI, allowing attackers to bypass protections
and execute code at the kernel level. VBS isolates memory for OS security,
while HVCI prevents unauthorized drivers from loading. An exploit transforms an arbitrary
pointer dereference vulnerability into a read-write primitive,
enabling attackers to manipulate kernel memory
and execute data-only attacks
without triggering security mechanisms.
The techniques allow privilege escalation,
disabling of endpoint detection and response,
and manipulation of Protected Process Light features.
These vulnerabilities affect Windows 11 and Windows Server 2016 through 2022.
While Microsoft has addressed some kernel vulnerabilities, others remain exploitable.
Researchers emphasize the importance of layered security beyond built-in OS features,
as sophisticated attackers can still bypass advanced protections.
Microsoft's January 2025 Patch Tuesday addressed eight zero-day vulnerabilities,
three of which were actively exploited. These included elevation of privilege flaws in Windows
Hyper-V with a CVSS score of 7.8. Despite the moderate score, experts warned these
vulnerabilities allow attackers to escalate privileges, disable security tools, and pivot
within enterprise networks. Additionally, five publicly disclosed zero days, including EOP and
spoofing vulnerabilities, were patched. Other critical updates addressed issues in Windows NTLM,
multicast drivers, and OLE,
with CVSS scores as high as 9.8.
Experts emphasize the importance of automated patch management
due to the 150 vulnerabilities fixed this month.
Google released Chrome 132, fixing 16 security flaws, including high-severity issues
in its V8 engine and Skia graphics library. Researchers earned $37,000 in bug bounties.
Meanwhile, NVIDIA, Zoom, and Zyxel released patches for high-severity vulnerabilities,
urging users to update to mitigate risks.
Ivanti resolved critical path traversal flaws in Endpoint Manager, while Apple patched a
macOS vulnerability, allowing attackers to bypass System Integrity Protection. This exploit posed
significant risks by enabling rootkits and privileged malware installations.
Turning to industrial control systems,
Schneider Electric, Siemens, Phoenix Contact, and CISA
issued ICS security advisories for January 2025.
Schneider addressed nine vulnerabilities,
including high-severity flaws in PowerLogic,
SCADA PAC-TMX70, and Modicon products,
with risks like privilege escalation, remote
code execution, and information disclosure. Siemens published five advisories covering
vulnerabilities in Mendix, SIPROTEC 5, and SIMATIC S7-1200, some lacking patches.
Phoenix Contact disclosed a cryptographic issue in CM Dongle and a privilege
escalation flaw in some of their controllers. CISA released four ICS advisories, including
critical vulnerabilities in Hitachi Energy FOXMAN-UN and a denial-of-service flaw in Linphone Desktop.
The updates underscore the need for proactive
security practices, timely updates, and layered defenses to counter evolving threats.
Organizations should prioritize patching critical vulnerabilities to prevent potential exploitation.
Researchers uncovered six critical vulnerabilities in rsync, a popular Linux file transfer tool,
with the most severe flaw allowing remote code execution on rsync servers with anonymous read
access. Other issues include information leakage, path traversal, and privilege escalation
vulnerabilities. The flaws affect all rsync versions prior to 3.4.0, released on January 14th of this year. Given rsync's
widespread use in backups and software distribution, experts urge immediate updates or
mitigation by disabling checksum options in server configurations. Texas Attorney General Ken Paxton
has sued Allstate and its subsidiary Arity for allegedly collecting, using, and selling driving data from over 45 million Americans without proper consent.
The companies reportedly embedded tracking software in popular apps like Life360 and GasBuddy to collect location and movement data every 15 seconds. This data was used to
profile driving habits, adjust insurance premiums, and sold to other insurers. The lawsuit claims
violations of the Texas Data Privacy and Security Act, the Data Broker Law, and the Texas Insurance
Code. It alleges deceptive practices, including purchasing
location data from automakers like Toyota and Mazda to refine pricing. The suit seeks civil
penalties, consumer restitution, data destruction, and an injunction to halt these practices.
Allstate denies the allegations, asserting compliance with laws.
President Biden signed an executive order enabling AI developers to build gigawatt-scale data centers powered by clean energy on federal lands. The Departments of Defense, Energy, and Interior will identify suitable locations with minimal community impact and accessible transmission infrastructure.
Developers must fully fund and match data center electricity demand with clean energy
to avoid burdening consumers with higher energy costs. This initiative addresses skyrocketing
energy needs for AI, highlighted by a 2024 DOE report noting grid strain from hyperscale facilities.
Agencies will evaluate AI infrastructure's impact on energy prices
and explore ways to integrate new clean energy sources.
The order also includes safeguards for computing hardware on federal sites,
aiming to maintain U.S. leadership in AI and clean energy as competition with China intensifies.
Implementation challenges may arise with the upcoming Washington transition.
Coming up after the break, Mike Hamilton from Cloudflare joins us to discuss how tech sprawl emulates the snake game, and Meta profits while users suffer.
Stay with us.
Mike Hamilton is Chief Information Officer at Cloudflare,
and on today's sponsored Industry Voices segment,
we discuss how tech sprawl emulates the old snake game.
I think the main challenge
that all CTOs face these days is how to leverage artificial intelligence,
just in general. I think that that's the burning
thought on everybody's mind right now. There has not been a... This is exactly
as transformational as the invention of the computer was to
business. If you rewind 30 plus years and you think about
what businesses faced back then, it's like, hey, there's this new thing called a computer. We should probably
get one of those. And then you bring the computer
into the business and try to understand how do we make this work and do something transformational
because our competitors are probably doing the same thing.
Coming back to the present time, we're in the same situation today where we've
got to figure out how do we transform businesses around artificial intelligence? How do we think about this?
What is our competitive advantage for leveraging artificial intelligence? And I don't think that
there's any way around that. But I think CTOs, and quite frankly, anybody in the C-suite also
has to worry quite a lot about security still, and it never goes away. Security is always something we're thinking about.
But in particular, security is a way of investing in your business
to protect it from people who are also using a budget.
So I think that the nature of adversaries in the security space
is shifting as well.
We're not just talking about someone who's trying to be a nuisance
or experimenting with something. We're talking about organized crime at this point. The adversarial
relationship that businesses have with cybercrime has shifted into, hey, these people have budgets.
They have economic models where they're using one attack to raise money to fund a different
type of attack. And so that's top of mind as well.
For every dollar that you put into security, where does that dollar need to go? How do I know that
dollar is actually being as effective as it needs to be? And how are my adversaries spending money
to attack, basically? Can we touch on the issue of complexity here? I mean, it strikes me that
as organizations grow, the complexity isn't necessarily linear.
You know, a doubling in the number of employees, it could be an exponential growth in the complexity of your network and all the different interconnections.
Is that an accurate way to look at it?
I think there's really two.
It is an accurate way, and I think that there's two lenses we can put on that.
The first would be internal infrastructure and sort of company scalability. Every company faces, how do we get our systems
to work well together? How do we have our infrastructure serving our business? That's
a challenge that everybody faces. And there's a natural sprawl that comes along with that.
But then I think from an external perspective, we also have the nature of the industry itself.
So in the security space, a lot of companies have popped up
to address a problem that they see coming.
Like security works a little bit differently
than, say, Salesforce or a product
that's serving a different part of the business.
Security products tend to work around
very smart people founding companies
to solve very specific problems
because they see the demand emerging.
But what that creates is a landscape of products
that are only solving individual problems and only solving individual area domains of risk.
What that means over time, though, is that companies find themselves with a myriad of
applications that are providing some value in theory, but it's difficult to articulate how much.
And comparing and contrasting with business for a second, business applications,
the sprawl that happens there
is largely due to the way
that the buying cycle changed.
It used to be that companies sold
to the CIO or to the IT department
because somebody would have to figure out
how to run this application
behind the firewall.
How many servers is it going to take?
How much operational overhead is it going to add?
Is this going to add to our business, etc.?
But when SaaS came on the scene and took away that complexity,
then the problem shifted to like, hey, I don't really need to sell to IT anymore.
I'll just sell directly to the line of business. But it changed the expectation the line of business has as well.
They're like, oh, I need five applications for this. I need 10 applications.
And not really getting them in the door with necessarily an integrated
strategy or a way that these applications would work together.
And so sprawl on the business application side is just really due to the number of applications
available and the fact that buyers are enticed by hopefully solving problems of buying a
bunch of applications.
On the security side, the sprawl is caused by emerging demand based on the changing landscape
of cyber threats in the cybersecurity space.
And that creates a natural fragmentation, but it's largely the factor of companies trying
to address being ahead of the curve.
Like, can I get ahead of some of these threats as they're emerging by buying something that's
innovative that gets me there?
And it's tough.
It's really difficult for businesses to manage this.
Talking about that old classic snake game where the more you eat, the longer the snake gets.
And it strikes me that that's a comparison with folks adding more and more point solutions here.
That over time, it becomes more and more cumbersome and it's hard for you to navigate.
Absolutely.
And I like the analogy for that reason.
In fact, there's two factors of the snake game that remind me of the world that we live in.
The snake gets longer.
So every time a new product gets adopted,
the complexity of our tech environment increases.
But the snake also goes faster.
Our ability to handle, to pay attention to all these different things
also comes into play.
And how do we focus on the right things at the right times
to make sure that we're getting the value out of all these point solutions
that we're buying?
And the reality is it's just very difficult to do
because what's also happening,
and the thing that makes the snake go faster in a lot of ways is that for every point security solution I've purchased, that company is trying to find its next feature or its next capability that keeps them relevant for longer.
merge into a new space. And the Venn diagram of what a security application covers just keeps getting bigger, which means not only am I dealing with having a lot of solutions, but these solutions
are starting to overlap with each other. And they're not intended to work together. They're
actually direct competitors in some cases. The more these solutions overlap with each other,
the more they're actually competing with each other. And I'm not getting the benefit necessarily
as the buyer. When you talk about purchasing and that cycle, can we talk a little bit about
the timing? Why is it important to time these things with each other? And I suppose there
are a lot of challenges there as well. I think timing is best managed by really being honest
about prioritization. If everything's a fire, then nothing's a fire. If everything's a P0,
nothing's a P0 is something you'll hear a lot of people in the industry say. And I think that that's
true. At the same time that emerging security products are often truly addressing an emerging
threat, sometimes they're also a solution looking for a problem. And as buyers, we can be convinced
that this is the most important thing. But I think it's really important to sort of take the solutions out of the landscape for a second and ask a really
simple question. What's my security strategy? What's the biggest attack surface area that I
need to deal with and how do I have to address? As an example, for all of the products that we
can buy in the world, the most common threat vector is actually compromising someone's
credentials with phishing. It's still one of the most effective ways to do it.
It's one of the cheapest ways to compromise something.
So that's a great place to start, in terms of like, hey, let's protect our users first.
And then the next threat landscape, it may be somewhere between how many servers are you running
or it could be your entire laptop fleet.
Like how do we protect this laptop fleet?
How do we make sure that it's safe
and that our users are protected?
And so it's really important
to have these hard conversations with yourself.
I like to think about it as crown jewels.
Like, where are the crown jewels of the company
and where is the biggest attack surface area?
And how do I leverage a strategy
to protect both equally well?
Help me understand here.
I mean, I certainly get that folks want to minimize the number of point solutions they
have to decrease that level of complexity and to be able to stay nimble.
At the same time, I could understand someone being hesitant to put all their eggs in one
basket,
to have one platform that does everything. How do you recommend that people balance those two
impulses? I like to start with the idea of what's our user experience. So let's go back to human
beings as being the weakest link in terms of any security strategy because they're the easiest thing to compromise
and they have the most access.
So let's start with the principle that the easy thing to do
or the simple thing for a user to do is the most secure thing that they can do.
So if I'm asking people to jump through 60 hoops
just to authenticate, people are going to find a way around it
and it's going to be painful and we're somehow going to be less secure.
Think of all of the different authentication sequences you've been through
your entire life, especially over the last 20 years,
where logging in could be as simple as just,
I entered my password and I'm logged in.
Or it could be as complex as, well, I've had to do multiple multi-factor methodologies
depending on the application, depending on the time.
Maybe I had a smart card at some point. From a user perspective, the simple thing is not
necessarily the thing that they're asked to do. And so if we start with the principle of let's
keep users' lives simple, let's try to provide security transparently to them, then that to me
is the first order of defense. And that's what things like, hey, how do we protect them from
phishing attacks? How do we make authentication as secure as possible while also driving still the authentication
that we need to see?
And that being a key part of the strategy.
And then I think the next layer of it is
which parts of the business are the most vulnerable?
So thinking about what system being down
or which bit of data that would be inaccurate would cause
you the most headache and the most pain, that's the thing you need to protect the most. That's
the crown jewels. A typical company these days has hundreds of SaaS applications. And hundreds,
if you were to rewind in time and go back 20 years and go, hey, Mike, someday you're going to work
for a company that will have hundreds of applications running, you know, and be like,
wow, how am I going to run that? You know, because SaaS didn't exist 20 years ago in the same state that it is today.
Now it's normal. People don't even think twice about it, hundreds of applications.
But really out of those hundreds of applications, the business is only really running on about 10
to 20 of them. Like that's really it. Those are the core applications and thinking about how do
we circle the wagons around these 10 to 20 applications and make sure that those are secure,
such that we have a high confidence that we know those are secure.
So let's start in really two categories of things then.
Let's make the user experience positive and such that the easy thing to do is the secure thing to do.
And that's where I think zero trust, a good zero trust implementation is a big part of that.
Good anti-phishing is a big part of that.
And then the next layer is from an application security perspective, how do I secure my applications as much as I possibly can within reason to give me confidence
that the business is safe?
That's Mike Hamilton, Chief Information Officer at Cloudflare.
We'll have a link to a blog post with more of Mike's thoughts in our show notes.
And finally, an article from 404 Media examines Meta's uneven moderation policies and how they enable harm on a massive scale.
The company profits from ads promoting Crushmate,
an AI app that creates non-consensual nude images.
Despite banning explicit content, Meta platforms like Facebook
and Instagram have allowed Crushmate to run thousands of ads featuring doctored videos of
real women, including influencers and OnlyFans creators like Sophie Rain and Mikayla Demaiter.
These ads violate Meta's policies, yet they remain live, exploiting loopholes that allow the app to evade detection.
Crushmate's ads account for 90% of the app's traffic, according to SimilarWeb.
They show how easily Meta's systems can be manipulated by bad actors who create fake profiles and redirect URLs.
Although flagged repeatedly,
hundreds of similar ads remain active,
amplifying the app's reach and harm.
Disturbingly, while individual users uploading explicit images face swift removal,
advertisers like Crushmate are held to laxer standards
when they pay Meta.
This double standard prioritizes profit over safety of those victimized by the app,
including minors, as generative AI tools like this make it easy to target anyone.
Meta's failure to proactively address this issue
raises serious questions about its commitment to user safety.
The harm extends beyond privacy violations.
By allowing ads that promote the app,
Meta not only facilitates exploitation but actively profits from it,
making a mockery of its supposed community standards.
Victims deserve better safeguards from platforms that claim to protect them. And that's the CyberWire. For links to all of today's
stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that
keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show,
please share a rating and review in your favorite podcast app. Please also fill out the survey in
the show notes or send an email to cyberwire at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester with original music and sound design by Elliot Peltzman.
Our executive producer is Jennifer Iben.
Our executive editor is Brandon Karp.
Simone Petrella is our president.
Peter Kilpie is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow. Bye.