CyberWire Daily - New malware, new threats.
Episode Date: January 19, 2024

Microsoft warns of an Iranian cyberespionage group. The Cyber Safety Review Board receives critical reviews of its own. VMware warns of active product exploitation. Tax info gets leaked in an accounting firm breach. Kansas State University reports a cyber incident. CISA adds Citrix NetScaler vulnerabilities to its Known Exploited Vulnerabilities catalog. Councils in the UK suffer online disruptions. Cyber insurance can be a double-edged sword. More email security breaches lead to firings. In our Solution Spotlight, N2K President Simone Petrella speaks with Michelle Amante of the Partnership for Public Service with an update on the Cybersecurity Talent Initiative. And it's shields up for Generation Z.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
On the Solution Spotlight, N2K President Simone Petrella speaks with Michelle Amante of the Partnership for Public Service, sharing an update on the Cybersecurity Talent Initiative and how federal agencies and early-career talent that may be interested can take advantage of the program's offerings.

Selected Reading
Microsoft: Iranian hackers target researchers with new MediaPl malware (Bleeping Computer)
Cyber Safety Review Board needs stronger authorities, more independence, experts say (Cyberscoop)
VMware vCenter Server Vulnerability Exploited in Wild (SecurityWeek)
ELO accounting data breach sparks tax fraud (Cybernews)
Cyber attacks on Kent councils disrupt online services (BBC)
Kansas State University suffered a serious cybersecurity incident (SecurityAffairs)
CISA urges urgent patching of two actively exploited Citrix NetScaler vulnerabilities (Malwarebytes)
Cyber Insurance in the Age of Ransomware: Protection or Provocation? (SOCRadar)
Four-in-ten employees sacked over email security breaches as firms tackle "truly staggering" increase in attacks (IT Pro)
Think boomers are most vulnerable to cybersecurity attacks? Wrong. It's actually Gen Z (CBC)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2024 N2K Networks, Inc.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Microsoft warns of an Iranian cyber espionage group.
The Cyber Safety Review Board receives critical reviews of its own.
VMware warns of active product exploitation.
Tax info gets leaked in an accounting firm breach.
Kansas State University reports a cyber incident.
CISA adds Citrix NetScaler vulnerabilities to its Known Exploited Vulnerabilities catalog.
Councils in the UK suffer online disruptions. Cyber insurance can be a double-edged sword. More email security
breaches lead to firings. In our Solutions Spotlight, N2K President Simone Petrella
speaks with Michelle Amante of the Partnership for Public Service with an update on the Cyber
Security Talent Initiative. And it's shields up for Generation Z.
It's Friday, January 19th, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us today. It is great to have you here.
Microsoft has identified a subgroup of the Iranian-backed APT35 cyber espionage group, also known as Charming Kitten and Phosphorus,
as being responsible for spear phishing attacks
against high-profile employees at research organizations
and universities in Europe and the U.S.,
Bleeping Computer reports.
This subgroup, associated with the Islamic Revolutionary Guard Corps,
uses sophisticated phishing emails via compromised accounts
to deploy new backdoor malware called MediaPl,
designed to mimic Windows Media Player for stealth.
The MediaPl malware features encrypted communication
with its command and control server
and is capable of auto-termination,
communication retries, and executing commands.
Additionally, a second PowerShell-based backdoor malware, MischiefTut, is used for reconnaissance,
executing commands, and transmitting data to attacker-controlled servers.
The primary goal of these attacks is to steal sensitive data from high-value targets with
knowledge in Middle Eastern affairs, security, and policy issues
that align with Iranian interests.
The campaign appears to seek insights on the Israel-Hamas war.
Previously, APT35 has targeted sectors including government,
healthcare, finance, engineering, technology, and telecommunications
using Sponsor and NokNok malware. Another
Iranian group, APT33, has also been active, targeting defense organizations and contractors
with password spray attacks and FalseFont malware. The Cyber Safety Review Board, the CSRB,
was created via executive order in 2021 to investigate major cybersecurity
incidents. According to a panel of experts addressing Congress, the CSRB lacks sufficient
authority and independence. The CSRB, modeled after the National Transportation Safety Board,
faces criticism for its dependency on corporate participation and limited investigatory powers.
Experts, including cybersecurity CEO Tarah Wheeler,
highlighted the board's composition of federal and tech company representatives,
raising concerns about conflicts of interest and insufficient time for thorough, independent investigations.
The CSRB's use of members from companies like Google and Palo Alto
Networks poses challenges, especially when investigating their own technologies or
competitors. Wheeler stressed the need for the board to have full-time staff and subpoena power,
similar to the NTSB, to effectively investigate cyberattacks without industry or political influences.
The board's current investigations, including those into the Log4J vulnerability and
Lapsus$ cybercriminal group, have resulted in basic resolutions rather than detailed analyses.
The CSRB has not yet investigated the significant Sunburst supply chain attack,
with the Biden administration requesting subpoena powers for the board.
However, experts argue that transparency improvements are necessary
before granting these sorts of powers.
The Senate Homeland Security Committee is considering legislation to legally codify the CSRB,
but its chair, Senator Gary Peters,
is still evaluating the proposed changes.
VMware is warning customers
that a vCenter server vulnerability
is being actively exploited in the wild.
It can allow an attacker who has network access
to vCenter server remotely execute arbitrary code.
The issue, discovered by Grigory Dorodnov of
Trend Micro's Zero Day Initiative, was deemed so critical that VMware decided to release patches
in October even for versions of the product that had reached end-of-life status. According to data
from the Shadowserver Foundation, there are currently hundreds of potentially vulnerable internet-exposed instances of VMware vCenter Server.
A cyber attack on the accounting services company ELO left 15,000 clients with their
sensitive financial details, including tax documents, exposed.
The breach is believed to have occurred last March,
but the American company disclosed the breach on January 18th of this year.
Several incidents of financial fraud, including fraudulent tax returns,
have already been reported using the stolen data.
ELO is conducting an investigation into the incident
and has committed to notifying affected individuals of any misuse of their personal information.
The company is also offering free credit monitoring services to the victims and emphasizes its dedication to safeguarding personal information.
Kansas State University experienced a cybersecurity incident on January 16th, affecting a portion of its networks and
services. The university responded by taking affected systems offline and launching an
investigation. K-State has advised its staff and students to report any suspicious activities.
While email services were expected to resume in a temporary format yesterday,
the KSU wireless remained unavailable.
The Cybersecurity and Infrastructure Security Agency has added two Citrix NetScaler vulnerabilities
to its Known Exploited Vulnerabilities Catalog, setting a remediation deadline for federal
civilian executive branch agencies. These agencies typically have 15 days to fix internet-facing vulnerabilities and 25 days
for others. However, for these specific Citrix NetScaler issues, the deadline is January 24th.
The vulnerabilities affect customer-managed NetScaler ADC and NetScaler Gateway,
not Citrix-managed cloud services or Citrix-managed adaptive authentication.
The first is a code injection vulnerability with a CVSS score of 5.5,
allowing low-privileged authenticated remote code execution on the management interface.
It's advised to segregate network traffic to this interface and avoid exposing it to the Internet.
The second is a memory buffer operations
vulnerability with a CVSS score of 8.2, leading to unauthenticated denial of service. This issue
affects appliances configured as gateways or AAA virtual servers. In the UK, three councils in Kent,
including Canterbury City Council, Dover District Council, and
Thanet District Council, have experienced disruptions to their online services due to
cyber attacks.
All three councils are actively working with the National Cybersecurity Center to address
these incidents, which are classified as breaches of system security policies under the Computer
Misuse Act.
The councils' email systems and websites have remained largely operational,
although some website functionalities may be affected.
As businesses grapple with the escalating threat of ransomware,
many rely on cyber insurance to mitigate financial risks. A report from SOCRadar describes how the surge in ransomware attacks has prompted
insurers to recalibrate, raising premiums and tightening coverage conditions. They now demand
concrete evidence of cybersecurity measures like multi-factor authentication as a prerequisite for
policy approval. This shift emphasizes preventive cyber hygiene practices, aiming to lessen the frequency of cyber incidents.
Still, the situation poses ethical dilemmas, particularly if insurance payouts for ransoms inadvertently fuel the ransomware industry.
The dynamic between relying on insurance and investing in robust cybersecurity measures is complex and highlights the broader role of insurance in cybercrime prevention.
The relationship between cyberinsurance and ransomware remains intricate and continuously evolving,
requiring businesses to strike a balance between strong cyber defenses and suitable insurance coverage.
A report from security firm Egress reveals that nearly half
of the employees responsible for email security breaches over the past year have been fired,
reflecting a tougher stance by organizations amid rising cyber attacks. 94% of global
organizations experienced a serious email security incident in the past 12 months,
with a 10% increase in phishing attacks.
Human error is a significant factor in these breaches,
and over 50% of employees involved in phishing incidents
face disciplinary actions,
with 40% being fired and about 25% leaving voluntarily.
Additionally, two-thirds of those involved
in outbound email incidents were
disciplined, terminated, or left their roles. These strict measures reflect the substantial
financial losses, customer churn, and reputational damage these sorts of breaches can cause.
Additionally, security leaders are increasingly worried about the use of AI tools by cyber
criminals, anticipating more sophisticated attacks in the future.
Coming up after the break, in our Solutions Spotlight,
N2K President Simone Petrella speaks with Michelle Amante
of the Partnership for Public Service
with an update on the Cybersecurity Talent Initiative.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks,
and connected lives. Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
In the latest edition of our Solutions Spotlight, our own N2K president, Simone Petrella,
checked in with Michelle Amante from the Partnership for Public Service with an update on the Cybersecurity
Talent Initiative. I want to start by saying how excited I am to have you on with us today. And I
say that in a completely biased way because we work with the partnership really since the inception
of the Cyber Talent Initiative program. So it's very near and dear to our hearts. So just thank
you for joining today. We're so excited to have this conversation. Well, thank you for asking me. The feeling is mutual. N2K has been such
a fundamental part of the success of this program. So I appreciate you inviting me on to talk about
it. Yeah. To kick things off, tell us a little bit about yourself and the Partnership for Public
Service. Not everyone's familiar. Yeah. So I've been with the partnership for seven years. The majority of my background was in labor
and workforce development. And I came to the partnership originally to work on their business
development portfolio. And then it really grew as our federal talent work started to really scale
in a way that was exciting. And the Partnership for Public Service is over 20 years old, and its founding mission
was really focused on bringing young talent into government. Over the last 20 years, our mission
has really expanded. And right now, our mission statement is to build a more effective federal
government and a stronger democracy. But a core part of that work is still very focused on federal
talent. So we're always thinking about how do we
make these jobs more attractive? How do we open the aperture of young people so that they know
what is available? And then we also work on the federal agency side to try to help them make their
jobs more marketable, help them better understand the current generation and think about retention
in new and different ways. That's amazing. And,
you know, again, to give everyone who's listening the background, the Cyber Talent Initiative is a
selective program within the partnership. So it's one of many programs. And that's for students who
are specifically in cybersecurity related fields or programs to gain access to that public sector
work experience and develop that kind of professional
cyber network and build leadership skills at the same time. Obviously, when you give that figure
of 7%, that's endemic and chronic across the entire federal workforce landscape, which is
troubling. But why was it important for the partnership to build a program focused on
cybersecurity specifically in the public sector as well? That figure that I stated is for overall jobs.
When you look at the tech space, it's less than 3%.
So it's even more dire.
And so when we started thinking about this initiative over five years ago,
MasterCard at the time came to us and said,
hey, we want to build a partnership.
We recognize that this is a cross-sector problem.
I think the latest figures
that Federal Times was reporting is over 700,000 open cybersecurity jobs across all sectors. So
this is a problem that is continuing to grow. And so at the time, we knew that there was a huge need
in the federal space for these jobs. Federal agencies were really grappling with how best to
recruit and retain this talent.
And this was a space where we had a lot of experience. We have a network of over a thousand colleges and universities that we work with. We know how to recruit young people. And we also
have a network of federal agencies that we work with in the management space. So it just seemed
like it was a perfect opportunity for us to put together the best and the brightest across sectors to think about how to help solve this problem.
Yeah.
I imagine with a mandate as ambitious as that, it doesn't come without its challenges.
So I'm curious, what are some of the challenges that you have when you think about working with the public sector that are unique to their kind of situation when it comes to recruiting
and retaining this cybersecurity talent. I mean, we know that we've heard about the salary
difference, things like that. Yeah. And the salary difference is usually the one that people go to
first because it's, you know, people are graduating and they see these very drastic,
different offers. And so you understand why that's the one that people think of initially.
But there are also other challenges, things like hiring timelines, where
the fastest you're probably going to get an offer in federal government is 100 days.
When someone is waiting to find out if they've got an offer and they're sitting on three other
offers, it's not a difficult choice for them. They're going to take the offer in hand.
So the hiring timelines are difficult. The private sector, honestly, is just so much better at marketing their jobs.
A lot of federal agencies don't even have professional recruiters. So it's often kind
of like an other duty as assigned for an HR professional. So they're competing against
private sector companies that have recruitment teams that know how to go after this talent.
And then also when you think about retention, depending on the agency, the professional
development piece can be really challenging, which is why the Cybersecurity Talent Initiative
is so unique because we offer that within the program. But if you go into an agency directly,
they may not have all of the technical training that N2K provides or the leadership development
that the partnership provides. When you put a young person into an agency and they don't see anyone like them
around themselves and they lack any kind of cohort experience or the professional development that we
just spoke about, they may not want to stay, even if salary isn't like the number one thing
they're thinking about. Yeah. Well, and I can say on the recruiting side, anyone who has had the experience of going through USAJobs, it's not the most pleasant.
No, no. It's challenging. And even if you figure out the navigation, I think the job descriptions
are very confusing. It's very hard to understand if you've actually got the job or the skills to
be successful in the job. So it's very
difficult to navigate that whole process, particularly if you're 21. One thing that I
found so interesting and dynamic, not only about the CTI program, but really all of the partnerships
programs is the focus that you have in your cohorts on really making well-rounded individuals
who come out of the experience and kind of giving them exposure to technical
development, leadership development, things that they may not have had when you're just coming out
of an academic environment. What was sort of the model to do that? Because I think that's one thing
that, you know, private sector and public sector, we don't always do that well. This is another
place where we were able to capitalize on a lot of programming that we do across government.
We have specified leadership training programs because we recognize that in a lot of these tracks across government,
people continue to get promoted based on their technical skills. And then they're never given
that leadership development they need to be successful as they move up the ladder.
So we're trying to get ahead of that at a younger age, at an earlier stage in their career.
So at least they have
that great foundation upon which to build as they continue on. Yeah. Could you explain a little bit
about, I should have asked you this in the beginning, how does a partnership work? You
know, you have all these relationships with the agencies. Is that something that's kind of
centralized across the executive branch for you all? Is that, you know, independent relationships
that you are then managing
independently? Is it something that's kind of spearheaded through the White House? Where does
that kind of genesis start? Yeah, it's a great question. And I would say we work at all levels.
So we have great relationships with what we would call center of government, which would be
Office of Management and Budget, Office of Personnel Management. We're always in communication
with them,
talking through new policies and learning from them and what they're doing.
But we also have relationships across the entire federal space
and are working with Chief Human Capital Officers
and Chief Information Officers to better help
and support them and their needs.
Yeah, totally.
Well, I think everyone should check it out
because it really is inspiring.
Well, thank you, Michelle.
Really love this conversation.
I love what the program is doing.
I cannot believe that we're in cohort five.
I know.
It's fantastic.
Thank you for your support.
You know, the technical training, as I mentioned,
is really critical to the development of these fellows.
That's Michelle Amante from the Partnership for Public Service speaking with our own N2K president, Simone Petrella.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company
safe and compliant. And finally, from our Every Generation Blames the One Before desk,
cybersecurity experts caution that Gen Z, despite being more digitally savvy,
is in fact more vulnerable to cyber attacks compared to older
generations like boomers. This increased risk is attributed to Gen Z's higher online presence,
extensive app usage, and sharing of personal information. Jane Arnett from Checkpoint reveals
that Gen Z individuals are three times more likely to be targeted and breached. Their frequent online activities and tendency to overshare make them easier targets for cybercriminals.
The World Economic Forum predicts Gen Z will comprise 26% of the global workforce by 2025.
Arnett urges young people to adopt better cybersecurity practices to protect themselves
and critical services,
like hospitals, which can be severely impacted by ransomware attacks stemming from compromised
personal credentials. As a Gen Xer, I'm going to stay out of the middle of this one. We tend to
approach cybersecurity like we do our music. Classic, slightly outdated, but somehow it still works.
And that's the Cyber Wire.
Today marks the eighth anniversary of the Cyber Wire podcast.
Hard to believe that it's been that long and that our scrappy little team took this crazy idea
of a daily cybersecurity news brief
and made it into something that so many people all over the world have come to trust and rely on.
A heartfelt thanks to all of you for your support over the years.
We're excited for what's yet to come.
Be sure to check out this weekend's Research Saturday
and my conversation with John Williams from Bishop Fox.
We're discussing their research. It's 2024 and
over 178,000 SonicWall firewalls are publicly exploitable. That's Research Saturday. Check it
out. This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music by
Elliot Peltzman. Our executive producers are Jennifer Iben and Brandon Karp. Our executive editor is
Peter Kilby, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease
through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at
ai.domo.com. That's ai.domo.com.