CyberWire Daily - National security in the digital age.

Episode Date: January 14, 2025

A draft cybersecurity executive order from the Biden administration seeks to bolster defenses. Researchers identify a “mass exploitation campaign” targeting Fortinet firewalls. A Chinese-language illicit online marketplace is growing at an alarming rate. CISA urges patching of a second BeyondTrust vulnerability. The UK proposes banning ransomware payments by public sector and critical infrastructure organizations. A critical flaw in Google’s authentication flow exposes millions to unauthorized access. OWASP releases its first Non-Human Identities (NHI) Top 10. A Microsoft lawsuit targets individuals accused of bypassing safety controls in its Azure OpenAI tools. Our guest is Chris Pierson, Founder and CEO of BlackCloak, discussing digital executive protection. The feds remind the health care sector that AI must first do no harm.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Our guest is Chris Pierson, Founder and CEO of BlackCloak, discussing digital executive protection.

Selected Reading
Second Biden cyber executive order directs agency action on fed security, AI, space (CyberScoop)
Snoops exploited Fortinet firewalls with 'probable' 0-day (The Register)
The ‘Largest Illicit Online Marketplace’ Ever Is Growing at an Alarming Rate, Report Says (WIRED)
CISA Warns of Second BeyondTrust Vulnerability Exploited in Attacks (SecurityWeek)
UK Considers Ban on Ransomware Payments by Public Bodies (Infosecurity Magazine)
Google OAuth "Sign in with Google" Vulnerability Exposes Millions of Accounts to Data Theft (Cyber Security News)
OWASP Publishes First-Ever Top 10 “Non-Human Identities (NHI) Security Risks” (Cyber Security News)
Microsoft Sues Harmful Fake AI Image Crime Ring (GovInfo Security)
Feds Tell Health Sector to Watch for Bias in AI Decisions (BankInfo Security)

Share your feedback
We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life Thank you. JoinDeleteMe.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout. That's JoinDeleteMe.com slash N2K, code N2K. A draft cybersecurity executive order from the Biden administration seeks to bolster defenses. Researchers identify a mass exploitation campaign targeting Fortinet firewalls.
Starting point is 00:01:43 A Chinese-language illicit online marketplace is growing at an alarming rate. CISA urges patching of a second BeyondTrust vulnerability. The UK proposes banning ransomware payments by public sector and critical infrastructure organizations. A critical flaw in Google's authentication flow exposes millions to unauthorized access. OWASP releases its first Non-Human Identities Top 10. A Microsoft lawsuit targets individuals accused of bypassing safety controls in its Azure OpenAI tools. Our guest is Chris Pierson, founder and CEO of BlackCloak, discussing digital executive
Starting point is 00:02:19 protection. And the feds remind the healthcare sector that AI must first do no harm. It's Tuesday, January 14th, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us. It is great to have you with us here today. A draft cybersecurity executive order from the Biden administration seeks to bolster defenses across federal agencies, contractors, and even outer space, CyberScoop reports. Aimed at countering threats like those from China and cyber criminals, the order assigns agencies 53 tasks
Starting point is 00:03:16 over timelines spanning 30 days to three years. Measures include encrypting federal mail, strengthening contractor security oversight, and enhancing the Cybersecurity and Infrastructure Security Agency's ability to detect threats across federal systems. The order also addresses broader issues like cybercrime, artificial intelligence, and quantum computing. It calls for using AI to protect critical infrastructure and directs agencies to advance post-quantum cryptography. Space systems deemed vital to national security would undergo continuous cybersecurity assessments. Recognizing the burden of minimum cybersecurity standards on private industry, the Commerce Department is
Starting point is 00:04:05 tasked with developing guidance on common practices. While ambitious in scope, the order underscores the urgency of addressing evolving cyber threats. Security researchers have identified a mass exploitation campaign targeting Fortinet firewalls, likely using an unpatched zero-day vulnerability. The attacks, which began in November of 2024 and peaked in December, involved gaining access to FortiGate firewalls with exposed management interfaces. Arctic Wolf Labs observed tens of intrusions, with attackers altering configurations, creating admin accounts, and exploiting SSL VPN access to steal credentials and enable lateral movement. The attacks used automated login attempts via spoofed IPs on web-based CLI ports, with
Starting point is 00:04:58 changes to firewall settings starting in late November. Significant configuration changes occurred between December 4th and 7th. While attackers were removed before completing their objectives, researchers suggest ransomware may have been a motive. Fortinet has acknowledged the issue is under investigation, but has not confirmed the vulnerability or issued a patch. Affected firmware includes versions released between February and October of 2024. Security teams are advised to monitor systems and implement mitigations immediately.
Starting point is 00:05:33 The scam ecosystem is thriving, with Huione Guarantee emerging as a dominant player in enabling online fraud. A story in Wired says this Chinese-language marketplace, described as the largest illicit online marketplace, has reportedly facilitated $24 billion in transactions, doubling its activity in under a year. Offering services like escrow, money laundering, victim data sales, and deepfake tools, Huione has become a one-stop shop for scammers.
Starting point is 00:06:07 Its activities, mostly on Telegram, utilize the Tether stablecoin for transactions and include gambling-like platforms suspected of laundering money. Despite efforts to expand with proprietary tools like a stablecoin, crypto exchange, and messaging service, Huione still relies heavily on centralized platforms like Telegram and Tether, potential vulnerabilities for law enforcement. Elliptic researchers stress the platform's critical role in industrializing online scams and its growing influence, warning of the challenges posed if Huione becomes fully independent. Suppressing its operations now could significantly disrupt global scam networks.
Starting point is 00:06:53 CISA is urging federal agencies to patch a second vulnerability in BeyondTrust Privileged Remote Access and Remote Support solutions after evidence of active exploitation. The medium-severity flaw, allowing remote command execution, was identified during an investigation into a Chinese state-sponsored attack on the U.S. Treasury, attributed to the Silk Typhoon group. Agencies must patch by February 3rd per federal mandates, while organizations are advised to prioritize addressing this and related vulnerabilities. The UK government has proposed banning ransomware payments by public
Starting point is 00:07:32 sector and critical infrastructure organizations to deter attacks on essential services like hospitals, schools, and transportation. Part of a 12-week Home Office consultation, the measures include mandatory reporting of ransomware incidents to boost intelligence sharing and assist international law enforcement efforts, such as Operation Cronos against the LockBit gang. to guide victims and block payments to criminal groups. While the proposals aim to disrupt ransomware actors' financial incentives, experts warn of unintended consequences, such as increased targeting of private businesses and prolonged disruptions to critical services. Ransomware remains the UK's most immediate cyber threat,
Starting point is 00:08:21 with attacks on public services causing significant disruptions, data breaches, and economic losses in recent years. A critical flaw in Google's Sign in with Google authentication flow exposes millions of accounts to unauthorized access, particularly for users of failed startups. The vulnerability stems from Google's OAuth implementation, which ties access claims to email domains. Attackers can exploit this by purchasing domains of defunct companies, recreating email accounts, and accessing sensitive SaaS platform data like HR systems and private chats. The issue is exacerbated by inconsistent unique user identifiers in Google's system, leaving many platforms reliant on domain names for authentication.
Starting point is 00:09:13 Sensitive data such as social security numbers and pay stubs are at risk, with over 100,000 vulnerable domains identified. Initially dismissed by Google, the case was reopened after a security researcher demonstrated its impact. Google has promised a fix but provided no timeline. Meanwhile, users are urged to enable SSO with 2FA for critical services. OWASP has released its first Non-Human Identities (NHI) Top 10, addressing cybersecurity risks tied to automated systems like APIs, bots, and cloud services. With NHIs outnumbering human credentials
Starting point is 00:09:55 10 to 50 times in organizations, they represent a massive attack surface for cybercriminals. Vulnerabilities such as secret leakage, overprivileged accounts, and insecure cloud deployments are key risks. Recent breaches, including Microsoft's Midnight Blizzard attack and Okta's support system compromise, highlight the need for stronger NHI management. OWASP's guidance emphasizes mitigation strategies like ephemeral credentials, least privilege policies, and advanced tooling for managing NHIs at scale. As automation expands, securing NHIs becomes critical for resilience against cyber threats. The report provides a roadmap for prioritizing actions and strengthening identity management in today's highly interconnected digital landscape.
Starting point is 00:10:46 Microsoft has filed a lawsuit against 10 unnamed individuals accused of using a hacking-as-a-service scheme to bypass safety controls in its Azure OpenAI tools, including DALL-E. The defendants allegedly exploited stolen API keys and custom tools to generate harmful content, violating Azure's AI safeguards. Microsoft claims the individuals used software to mimic legitimate API requests, subverting checks designed to prevent abuse, such as generating violent or inappropriate images. The company first detected the exploitation in July 2024 and has since revoked access and implemented countermeasures. The lawsuit, filed in a Virginia court, seeks to seize related infrastructure, including a domain hosting the illicit service. Microsoft aims to disrupt the operation, gather evidence, and improve its AI security protocols. Coming up after the break, Chris Pierson from BlackCloak discusses digital executive protection,
Starting point is 00:12:01 and the feds remind the healthcare sector that AI must first do no harm. Stay with us. Transat presents a couple trying to beat the winter blues. We could try hot yoga. Too sweaty. We could go skating. Too icy. We could book a vacation. Like somewhere hot. Yeah, with
Starting point is 00:12:30 pools. And a spa. And endless snacks. Yes! Yes! Yes! With savings of up to 40% on Transat South packages, it's easy to say, so long to winter. Visit Transat.com or contact your Marlin travel professional for details. Conditions apply.
Starting point is 00:12:47 Air Transat. Travel moves us. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Starting point is 00:13:58 And now a message from BlackCloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? BlackCloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with BlackCloak. Learn more at blackcloak.io.
Starting point is 00:14:43 It is always my pleasure to welcome to the show Dr. Christopher Pierson. He is the CEO and founder of BlackCloak. Chris, welcome back. Hey, it's great to be here, Dave. I know a lot of us have responded and seen the terrible news of the killing of the UnitedHealthcare CEO. And I wanted to check in with you on that because obviously you and your colleagues at BlackCloak are in the middle of protecting executives. I wanted to get your insights. After that event happened, what were the phone calls you were getting? Was there a mandate coming to you from CEOs and boards saying, find us better protection for ourselves?
Starting point is 00:15:32 Yeah. So, I mean, you know, unfortunately, massively tragic events. But, I mean, what this has really shown is that, you know, the risks have changed. What people wanted to talk about, both chief information security officers and chief security officers after that point in time, what they really wanted to focus on is how can we go ahead and mitigate some of the risks to our executives, board members, and their families? How can we mitigate the digital breadcrumbs that are out there that lead folks to where they might be in terms of their location,
Starting point is 00:16:06 in terms of their presence, in terms of their residences, even in terms of their personal, private email addresses and phone numbers. And what types of steps can we, security professionals on the inside of the company, do to kind of reduce this inherent risk to an acceptable level of risk. And it went beyond your traditional physical security, review of the home, alarms, professional drivers, into an area which is, hey, what types of threat intelligence is out there? How can we go ahead and assess the privacy better? How can we go ahead and help reduce that attack surface?
Starting point is 00:16:43 So it really has become something that huge amount of incoming from boards of directors, from executives, and from both CISOs and CSOs. And, you know, I'm obviously happy to field the call, but, you know, it does seem like a lot of those risks and the risk appetite in this area has dramatically changed. Have things settled down from the initial, is it fair to say, emotional response to this? Not so much, not so much at all. I think that this is one of those things that, you know, our kind of take on things has always been
Starting point is 00:17:19 that the home is the next battleground. The home is the new battleground. And so what this has done is, just like COVID opened up people's eyes to the fact that the home network is an actual attack vector for cybercriminals in nation states into corporate devices that are being used at home, and then into the network,
Starting point is 00:17:38 this has also opened up people's eyes to the fact that the personal lives of the executives and their family members is something that needs to be safeguarded. You're not safeguarding Jennifer, the CEO, or Bob, the CFO, or Larry, who's the CTO. You're not safeguarding them per se. You're safeguarding the role and the position that they have. And that's what the boards care about. That's what the executives and the protection teams care about. I think eventually what's going to happen
Starting point is 00:18:10 is that's what the SEC is going to care about. Are you taking care of those things? And so I think this is going to usher in a new era of executive protection for those persons. So perhaps these things become table stakes? Absolutely. I think that this is just going to become, number one, it's going to become a corporate mandate. First of all, boards of directors, corporations, the enterprise risk management committees,
Starting point is 00:18:35 these are all going to be asking questions about what are we doing? What are we doing to protect our executives? What are we doing to protect those people that are kind of on the About Us, the leadership page of our website? But also I have a feeling that what we're going to do is just like public reporting documents, how are you compensating folks? What are you doing that are the key level officers of the company?
Starting point is 00:18:57 It's going to be a, how are you protecting not just the company from a cybersecurity or personal protection perspective, but how are you actually going ahead and mitigating those risks and protecting them that fall 24-7? How do you counsel people on when they've crossed that threshold? I'm thinking specifically of physical security here.
Starting point is 00:19:17 At what point do I need someone to come with me to my kid's baseball game? I mean, a lot of it can be gleaned from an executive threat assessment. So literally a risk profile on that individual and their family. It also can and should include the kids. And that's really a conversation that needs to be had between the security folks, the security professionals that are on the inside of the company and that executive. But there's some things that are just going to be table stakes and mandated as a result of you being the CEO, CFO. We will have a driver for you. You will have an armed driver in other countries. We will have kidnap and ransom. You will have the Mayo Clinic executive physicals, once a year type of thing. And that's really where digital executive protection
Starting point is 00:20:05 is headed. You will have personal protection, cyber protection for you and your family as a result of your role. And that really is something that I think is going to be baked in more and more. But that executive threat assessment is a great first step. And it's a great first step at awareness. And also the key to this is you want a willing participant. You want the executive to understand and to participate in their protection because you're going to have greater success. This is a sunk cost for most companies. You don't, you know, you don't make money off of your executive protection. What's the budgeting component here? How do you dial it in
Starting point is 00:20:46 to make it make sense? Well, I mean, in some cases, I think, you know, it was reported in prior years, it's like Facebook spends $17 million a year on Mark Zuckerberg's personal privacy detail for him and his family and all the rest, because they're just big, big targets. You know, the fact of the matter is, is that the costs of digital executive protection for those persons is going to be dwarfed by the legal costs, remediation costs, incident response costs, investor relation costs, filing costs for SEC stuff. So it's the harm there and the amount of money being spent there on the latter end. It just absolutely, absolutely towers over the costs of getting in protection to mitigate, right? Not that it's going to be 100%, but to mitigate those risks on the front end. Are there common blind spots that folks have when you meet with people to talk about this
Starting point is 00:21:37 sort of thing? What are the things that come up where they'll say, you know, I never thought of that? Yeah, that's a great, great question. The first thing I would say is the extent to which their home network and home devices play. In a lot of cases, the things that actually gave them better security. So, hey, we have cameras all around the house that are professionally installed or professionally installed managed firewall system. You know, a lot of those things that were for good security purposes have actually introduced more holes and vulnerabilities into their systems. So that's always an interesting takeaway. The second is going to be the role that the other persons in the home, especially the kids,
Starting point is 00:22:17 play in this. We actually just had one CEO have their teenage son poke a hole in through their corporate firewall that was at home and literally open up a port so that they could have and host a gaming server at the home, which of course, I know we both are chuckling, Dave. No, well, I mean, to make this about me, when my wife and I were bringing up our two boys, we agreed that we may be able to outsmart our kids, but there's no way we're going to outsmart our kids and all of our kids' friends. Right. Well, that's right. But I mean, it's one of those stories where, right, the home security was great, but, you know, spared no expense. And then, right, you have the, well, the kids are at least home, they're gaming. So this
Starting point is 00:23:02 is a positive attribute. They're not down by the river doing something else. But all of a sudden, you have a hole in the firewall that the corporate laptop comes into each night. And then third, the exposure of the personal accounts. So the personal Gmail, Yahoo, whatever it is that they're using, they do a great job at work. Yep, I've got dual-factor authentication. I've got the YubiKey. I've got the authenticator. But then they say, I got nothing interesting on my Gmail. Well, you got all your personal financial communications, banking communications, legal communications, where you're actually traveling because a lot of those airline reservations come back to centralized email.
Starting point is 00:23:40 It exposes a lot of information. So it's always interesting when the team is meeting with people after the fact of being onboarded in terms of what we're able to find, the exposures, and then obviously needs a solution for. I suppose there's a certain amount of letting go that they have to do when it comes to tradeoffs with privacy, right? Like if you've got a team of people keeping an eye on your stuff, that's a trusted relationship. You gotta, it starts all with a trusted relationship, all, always. The nice thing is, you know, you know, speaking, you know, for us and our platform is that since it's built from the ground up, it's built with privacy in mind. And Dave, as you know, I mean, you know, former chief privacy officer, you got to instill that in the company and the people, the value, the product, all the rest,
Starting point is 00:24:31 and build it with privacy, you know, in there by design. I think overall, what we've seen on the corporate side is corporate executives, board members have had trusted relationships with their professional drivers, the private jets, with the folks that are in charge of kidnapping, ransom, or medical, and all the rest, and even financial. I mean, sometimes corporations have financial and tax experts that are hired by the company to help and assist those executives so they don't have to worry as much about that personal side of things. And so what we've seen is those relationships grow over time. I think it's a trend that's going to continue, especially as those are value enhancing for the executive,
Starting point is 00:25:13 but also provide real value and real mitigation into the company. Dr. Christopher Pierson is CEO and founder of BlackCloak. Chris, thanks so much for joining us. Hey, thank you. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker,
Starting point is 00:25:52 a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And finally, federal regulators are giving the healthcare sector a friendly nudge, or maybe a firm shove, to ensure that AI and other tech marvels don't accidentally play favorites, or worse, discriminate. In a letter, HHS Office for Civil Rights Director Melanie Fontes Rainer reminded providers and insurers to align their AI use with Section 1557 of the ACA, which prohibits discrimination based on race, age, sex, disability, and other factors. This isn't just a polite suggestion. The law's affirmative requirements kick in May 1st of this year,
Starting point is 00:27:12 compelling healthcare entities to proactively root out potential biases in their AI tools. That's easier said than done. Many organizations rely on third-party AI systems with complex, opaque algorithms, making it tricky to peek under the hood and spot issues. Experts recommend auditing AI systems and ensuring diverse datasets during training, but even that's a tall order when the tech feels like a black box. And don't forget HIPAA. Fontes Rainer stressed that safeguarding patient privacy while navigating AI's complexities is non-negotiable. Adding to the mix, HHS rolled
Starting point is 00:27:47 out a 200-page strategic AI plan aiming to improve healthcare efficiency, equity, and safety while addressing AI-driven cybersecurity risks. Whether this ambitious vision survives a pending leadership change remains to be seen. For now, healthcare providers are urged to plan ahead because ignoring AI compliance isn't just legally risky, it might also hurt patients. After all, the ultimate goal is tech that heals. The CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast.
Starting point is 00:28:43 Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. This episode was produced by Liz Stokes. Our mixer is Tré Hester with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president.
Starting point is 00:29:14 Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you.
