CyberWire Daily - Nam3l3ss but not harmless.

Episode Date: December 3, 2024

More than 760,000 see their personal data exposed on the BreachForums cybercrime forum. The new head of the UK’s NCSC warns against underestimating growing cyber threats. The Consumer Financial Protection Bureau (CFPB) looks to prevent data brokers from selling Americans’ personal and financial information. A U.S. government and energy sector contractor discloses a ransomware attack. The “Smoked Ham” Windows backdoor is being actively deployed. A new report warns of overreliance on Chinese-made LIDAR technology. SmokeLoader malware targets companies in Taiwan. NIST proposes new password guidelines. South Korean police make arrests over 240,000 satellite receivers with built-in DDoS attack capabilities. On our Threat Vector segment, we preview this week’s episode where host David Moulton goes Behind the Scenes with Palo Alto Networks CIO and CISO. ChatGPT has a Voldemort moment.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

Threat Vector Segment

On our Threat Vector segment, we preview this week’s episode where host David Moulton goes “Behind the Scenes with Palo Alto Networks CIO and CISO: Securing Business Success with Frictionless Cybersecurity.” Meerah Rajavel, CIO of Palo Alto Networks, and Niall Browne, CISO of the organization, join David to discuss the importance of aligning IT strategy with cybersecurity. You can catch new episodes of Threat Vector every Thursday here and on your favorite podcast app.
Selected Reading

760,000 Employee Records From Several Major Firms Leaked Online (SecurityWeek)
UK cyber chief warns country is ‘widely underestimating’ risks from cyberattacks (The Record)
US agency proposes new rule blocking data brokers from selling Americans' sensitive personal data (TechCrunch)
US government contractor ENGlobal says operations are ‘limited’ following cyberattack (TechCrunch)
New Windows Backdoor Security Warning For Bing, Dropbox, Google Users (Forbes)
Chinese LIDAR Dominance a Cybersecurity Threat, Warns Think Tank (Infosecurity Magazine)
SmokeLoader Attack Targets Companies in Taiwan (FortiGuard Labs)
Korea arrests CEO for adding DDoS feature to satellite receivers (Bleeping Computer)
Do Your Passwords Meet the Proposed New Federal Guidelines? (Wall Street Journal)
These names cause ChatGPT to break, and it's due to AI hallucinations (TechSpot)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. More than 760,000 see their personal data exposed on the BreachForums cybercrime forum. The new head of the UK's NCSC warns against underestimating growing cyber threats. The Consumer Financial Protection Bureau looks to prevent data brokers from selling Americans' personal and financial information. A US government and energy sector contractor discloses a ransomware attack.
Starting point is 00:02:25 The Smoked Ham Windows backdoor is being actively deployed. A new report warns of over-reliance on Chinese-made LiDAR technology. SmokeLoader malware targets companies in Taiwan. NIST proposes new password guidelines. South Korean police make arrests over 240,000 satellite receivers with built-in DDoS attack capabilities. On our Threat Vector segment, we preview this week's episode where host David Moulton goes behind the scenes with Palo Alto Networks' CIO and CISO. And ChatGPT has a Voldemort moment. It's Tuesday, December 3rd, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today.
Starting point is 00:03:31 It is great to have you with us. More than 760,000 employees across major organizations had their personal data exposed after a threat actor, Nam3l3ss, posted it on the BreachForums cybercrime forum. The data, tied to the 2023 MOVEit hack orchestrated by the Clop ransomware group, includes names, emails, phone numbers, job titles, and manager details. Affected organizations include Bank of America,
Starting point is 00:04:01 Koch, Nokia, JLL, Xerox, Morgan Stanley, and Bridgewater. The MOVEit breach exploited a zero-day vulnerability in Progress Software's file transfer tool, impacting nearly 2,800 organizations and 100 million individuals. Atlas Privacy, who analyzed the data, linked the breach to Clop and noted the information's value for social engineering. Bank of America tops the list with over 288,000 affected employees. Nam3l3ss, who recently leaked Amazon employee data, appears to have filtered and repackaged terabytes of stolen data
Starting point is 00:04:40 for easier dissemination. The breach underscores growing risks tied to large-scale cyber extortion campaigns. The UK is underestimating growing cyber threats, warns Richard Horne, the new head of the National Cyber Security Centre, part of GCHQ. Speaking at the launch of NCSC's annual review, Horne highlights a widening gap between the increasing sophistication of cyber threats and the UK's defenses, particularly around critical national infrastructure. Over the past year, NCSC has handled 430 incidents, 89 of which were nationally significant.
Starting point is 00:05:22 Ransomware remains the most immediate threat, with state-linked actors now targeting industrial control systems. Two major vulnerabilities exploited by state-backed hackers were identified, linking Iran and ransomware groups to UK infrastructure risks. Horne criticized the lack of adoption of the government-backed Cyber Essentials scheme, with only 31,000 organizations certified out of 5 million eligible. He called for urgent improvements in resilience, emphasizing rising risks from state and non-state actors, especially Russia and China. The Consumer Financial Protection Bureau has proposed a rule to prevent data brokers from selling Americans' personal and financial information, such as Social Security numbers and phone numbers, under the Fair Credit Reporting Act. This proposal, following President Biden's executive order to limit private data sales, aims to close loopholes that allow data brokers to evade FCRA regulations. CFPB
Starting point is 00:06:27 Director Rohit Chopra stated the rule would address the widespread evasion of federal privacy laws and hold data brokers to the same standards as credit bureaus and background check companies. It would restrict brokers from selling sensitive identifying information, reinforcing FCRA protections. The move highlights growing scrutiny of data brokers for profiting from personal data sales and poses significant regulatory changes. The proposal will be open for public comment until March 2025 amidst uncertainty over its future under potential regulatory rollbacks. ENGlobal Corporation, a contractor for the U.S. government and energy sector, has restricted its operations following a ransomware attack that encrypted some of its data files. The Texas-based company disclosed the breach in an SEC filing, noting it became aware of the incident
Starting point is 00:07:25 on November 25th. ENGlobal, whose clients include the Departments of Defense and Energy, is investigating the attack but has not determined its financial impact. Full restoration of IT systems remains uncertain. Cyber researchers at TRAC Labs have analyzed a renewed threat from UNC2465, a cybercriminal group once affiliated with the now-defunct DarkSide ransomware. The group is actively deploying the Smoked Ham Windows backdoor, which facilitates initial access and persistence in targeted networks. UNC2465 uses trojanized installers disguised as legitimate tools
Starting point is 00:08:09 and spreads malware through phishing emails, malicious ads, and cloud services like Google Drive and Dropbox. The backdoor allows for reconnaissance, lateral network movement using tools like Mimikatz, and credential harvesting. Despite the disruption of some ransomware groups, UNC2465 remains a significant threat, adapting its tactics and ransomware partnerships to continue operations. The non-profit Foundation for Defense of Democracies think tank warns that U.S. reliance on Chinese-made LiDAR technology poses a significant national, economic, and cybersecurity risk. LiDAR, critical for creating 3D maps and models, supports autonomous navigation, infrastructure monitoring, and military applications like enemy detection.
Starting point is 00:09:02 However, Chinese LiDAR systems' integration into U.S. critical infrastructure, such as public safety, transportation, and utilities, could expose users to espionage and sabotage by Beijing. The report highlights the risk of Chinese intelligence exploiting LiDAR systems, similar to previous cases involving Huawei's communication technology. Additionally, China could disrupt LiDAR supply chains, as it has with rare earth elements, to exert strategic pressure. The report recommends reducing reliance on untrusted vendors, implementing rigorous cybersecurity standards, and boosting domestic LiDAR production to secure vital systems.
Starting point is 00:09:46 Legislative action, like a proposed ban on purchasing Chinese LiDAR, underscores growing concerns over these vulnerabilities. Researchers at FortiGuard Labs uncovered a SmokeLoader malware campaign targeting companies in Taiwan across manufacturing, healthcare, IT, and other sectors. Known for its modular design and advanced evasion techniques, SmokeLoader acted both as a downloader and a direct attacker by fetching plugins from its command and control servers. The malware was delivered via phishing emails, exploiting vulnerabilities in Microsoft Office. The malware's plugins were used for credential theft, keylogging, browser injections,
Starting point is 00:10:31 and persistence across systems. It leveraged sophisticated techniques, including steganography and obfuscated scripts, to avoid detection. Attackers exploited cloud services like Google Drive to host payloads and used malicious advertising campaigns to spread infections. This campaign highlights SmokeLoader's adaptability and the persistent threat it poses. FortiGuard advises organizations to remain vigilant and strengthen defenses against such advanced malware operations. The Wall Street Journal looks at NIST's proposed updated password guidelines aimed at improving security and usability. The draft, slated for finalization in 2025,
Starting point is 00:11:15 advises organizations to eliminate outdated practices like frequent password changes and overly complex requirements. Instead, NIST emphasizes longer passwords, recommending a minimum of eight characters, ideally 15 or more, with support for special characters like emojis. The guidelines also promote tools such as password managers and passkeys, which use biometrics to authenticate without passwords. Research shows that strict password rules often backfire, leading users to create predictable patterns. NIST also recommends block lists to prevent the use of compromised or common passwords. While passkeys offer strong
Starting point is 00:11:59 security against phishing, vulnerabilities remain if devices aren't properly secured. These new standards aim to balance user-friendliness with robust protections, reshaping password practices across government and industry. South Korean police arrested a CEO and five employees for manufacturing over 240,000 satellite receivers with built-in or update-enabled DDoS attack capabilities. Between 2019 and 2024, 98,000 devices shipped with pre-installed DDoS modules, while others were updated later. These devices, sold at the request of a purchasing company starting in 2018, enabled illegal attacks targeting external systems,
Starting point is 00:12:51 allegedly to counter a rival's actions. Users of the receivers were unknowingly involved in these attacks, potentially experiencing degraded device performance. The scheme was uncovered after intelligence from Interpol revealed the involvement of a Korean manufacturer and a foreign broadcaster. Authorities seized the company's assets, totaling about $4.35 million, and charged the suspects under Korea's Information Protection Act. While the purchasing company's operators remain at large, Korean police are seeking international cooperation to apprehend them. Coming up after the break on our Threat Vector segment, David Moulton goes behind the scenes with Palo Alto Networks' CIO and CISO,
Starting point is 00:13:43 and ChatGPT has a Voldemort moment. Stay with us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora
Starting point is 00:14:21 have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Starting point is 00:15:12 Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:15:55 In this week's Threat Vector segment, we preview this week's episode where host David Moulton goes behind the scenes with Palo Alto Networks' CIO and CISO. Here's David Moulton. Here's a quick preview of this week's Threat Vector. Tune into the full show on Thursday and don't forget to subscribe so you never miss a single episode. Let's get into it. AI is real. It's absolutely real because we are seeing value already through that. We are seeing meaningful business impact, which we can quantify the outcomes that we are able to get. Welcome to Threat Vector, the Palo Alto Networks podcast where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends. I'm your host, David Moulton, Director of Thought Leadership for Unit 42.
Starting point is 00:16:51 Today, I'm thrilled to introduce two exceptional leaders from Palo Alto Networks who are at the forefront of driving both technology and security strategies for our company. Meerah is an experienced technology executive with a passion for business outcomes. She's worked at top companies like Citrix, McAfee, and Cisco, where she championed digital transformation and diversity initiatives. Niall brings over 25 years of cybersecurity experience before joining Palo Alto Networks. Together, Meerah and Niall will discuss their unique partnership and how they balance innovation with security to drive growth. We'll explore their approach to incident response, how they leverage AI for productivity, and the importance of trust in cybersecurity.
Starting point is 00:17:35 Niall, with all the constant new threats, how do you ensure that the team here at Palo Alto Networks stays ahead of the curve in terms of both security technologies and skills? First of all, I'm going to partner closely with Enterprise 2. It's partnering with Wendy Whitmore in Unit 42. I think, Meerah, you've got a Unit 42 mug over there that I saw earlier on. Yeah, those of you who can't see us on the podcast, she's got her Don't Panic mug. Go Unit 42. Actually, Meerah showed me earlier on today, so I think it's cool. So we work closely, basically, with Unit 42. Generally, they see like for most power-hunting networks,
Starting point is 00:18:12 generally, they see things before the vast majority of our organizations out there. Certainly, Wendy and the Unit 42 team, they get called into multiple different incidents. If we see something externally that's interesting, we'll generally ping them and say, oh, by the way, for such and such a threat actor,
Starting point is 00:18:28 can you tell me who they are? What's their motivation? What are their IOCs? And we'll partner with that back and forth. So I think the great thing about working in Palo Alto is one is we've got a really good team. Basically, we've got a really good platform. Both Meerah and I can leverage Unit 42
Starting point is 00:18:43 for threat intel itself when we need them in some of those incidents. Meerah, I'm sure there's times when you and Niall will have disagreements on how to prioritize risk. Walk us through that process of discussing the risk and figuring out where to take a risk and where to back off and how do you mitigate those sorts of things. So, David, when you talk about, you know, I mean, I call it the business outcomes and security sometimes is a healthy friction that you need to talk through. To me, always it's the way we need to resolve it is in the how, not the what. I always tell my team it's not an option to say no to a security control
Starting point is 00:19:27 that we need. I want to go fast, so I can't cut down on my brake. I just need to figure out how I'm going to get that brake, the strength I need, and that may be the place that we get into the friction. So I always tell my team, ask for the what, don't get hung up on the how. We have smart people around. When you put them together, they'll figure out the how. It's rather a matter of figuring out the how together, not compromising on the what of the security. Niall, when you're thinking about those risk conversations, how do you coach your team to go in and not necessarily be prescriptive of you have to use this control,
Starting point is 00:20:10 but we have to get to this outcome? Yeah, good question. I think for the most part, like I'm very execution driven. When I look at this, it's generally like, what's the set of priorities we have? What's the business value?
Starting point is 00:20:21 What's the set of priorities against those? And then for those set of priorities, which of those require a significant amount of resources? So there's no point in saying, hey, there's a large project we want to do and we want it all done in Q1. That's not going to work from there. Many of them are multi-year and multi-threaded projects.
Starting point is 00:20:38 So for each of those, it's really like, at what phase are we in that project? Are we in the inception mode? Are we in documentation? Are we in the sign-off mode? Which part of the phases are we at? And then kind of working closely on the team to align in relation to what do we do?
Starting point is 00:20:53 What do we build? What do we get across the road in Q1? What do we get across the road in Q2? What do we get across the road in Q3? That's critically important. Firmly believe once the plan is locked and loaded, it's locked and loaded. After that, then it's execution, execution, execution. And with that, I think it's critically important to understand probably two things. One is that there's normal
Starting point is 00:21:14 projects in the normal course of the business that you need to insert. And then two, what will happen is naturally over time, kind of going back to incidents and issues, every company will have an incident or an issue. And then with that, they'll say, oh, by the way, we have 32 controls that worked and we have two controls that didn't work, basically. We need to implement those. So I think for the most part, it's that healthy conversation of what's the business value? What's the prioritization? How much resources is going to require?
Starting point is 00:21:41 And then if a team can get generally aligned on that, after that, then I find it's a pretty smooth process from there. Thanks for listening to this segment of the Threat Vector podcast. If you want to hear the whole conversation, you can find the show in your podcast player. Just search for Threat Vector by Palo Alto Networks. Each week, I interview leaders from across our industry and from Palo Alto Networks to get their insights on cybersecurity, the threat landscape, and the constant changes we face. See you there. Be sure to check out the complete Threat Vector podcast right here on the N2K CyberWire Network or wherever you get your favorite podcasts.
Starting point is 00:23:10 Thank you. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And finally, the curious case of ChatGPT's meltdown moments. It seems that this AI wunderkind has its limits, and certain names are enough to send it into a digital tailspin. What do David Mayer, Jonathan Zittrain, and Jonathan Turley have in common? Well, aside from being accomplished individuals with impressive credentials, they've all managed to trigger ChatGPT's "I'm unable to produce a response" feature. It turns out that these names are connected to some rather awkward AI hallucinations.
Starting point is 00:24:09 For example, ChatGPT falsely claimed that Jonathan Turley had been involved in a non-existent sexual harassment scandal. The chatbot even cited a Washington Post article as evidence, which, it turned out, was also made up by the AI itself. Jonathan Zittrain's name is also on the list of banned names, but there's no obvious reason why. He recently wrote an article in The Atlantic called We Need to Control AI Agents Now, which might have something to do with it, but it's unclear. What's more, his work has been cited in a New York Times copyright lawsuit against OpenAI and Microsoft, but entering the names of other authors whose work is also cited in the suit doesn't cause ChatGPT to break. And then there's David Mayer, who was initially blocked by ChatGPT before being unblocked for reasons that are still unclear.
Starting point is 00:25:04 Some speculate it might be connected to David Mayer de Rothschild, a member of the wealthy and influential Rothschild family, but there's no evidence to support this theory. Ars Technica points out that these hard-coded filters can cause problems for ChatGPT users. It's been shown how an attacker could interrupt a session using a visual prompt injection of one of the names rendered in a barely legible font embedded in an image. Moreover, someone could exploit the blocks by adding one of the names to a website, thereby potentially preventing ChatGPT from processing data it contains,
Starting point is 00:25:46 though not everyone might see that as a bad thing. I can't help wondering if OpenAI could simply have ChatGPT whisper the names that cannot be named. You know, like Voldemort. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. This holiday season, Only Malware in the Building returns with a festive A Christmas Carol-inspired twist. In this special episode, Selena Larson, Proofpoint intelligence analyst and host of Discarded, Rick Howard, and yours truly, embark on a ghostly journey through the most pressing cybersecurity threats of the season.
Starting point is 00:26:44 In this festive adventure, we dive into key cybersecurity risks like two-factor authentication pitfalls, social engineering scams, and the frightening return of consumer-targeted attacks. From the echoes of past cyberattacks to the threats hidden behind holiday merriment, we're here to bring you practical wisdom with a dash of holiday spirit. That's Only Malware in the Building. Check it out. That is the CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill
Starting point is 00:27:25 out the survey in the show notes or send an email to cyberwire at n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your team smarter. Learn how at n2k.com.
Starting point is 00:27:55 This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karp. Simone Petrella is our president. Peter Kilpe is our publisher.
Starting point is 00:28:11 And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Bye.
