CyberWire Daily - New vulnerability packs a punch.

Episode Date: December 7, 2023

Unpacking LogoFAIL's threat to Windows and Linux. The US DHS's new healthcare cybersecurity strategy, and dual Russian influence campaigns. A look at supply chain risks, increased bot activity in retail, Meta's end-to-end encryption in Messenger and Android's AutoSpill vulnerability. On today's Industry Voices segment, we welcome Todd Thorsen, CISO from CrashPlan, with insights on data resiliency. And the discovery of an alleged software 'kill switch' in Polish trains.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

On today's Industry Voices segment, we welcome Todd Thorsen, CISO from CrashPlan. In an era where ransomware and malicious attacks are relentless, even the most secure organizations are not immune. These attacks can cripple organizations financially and operationally, and damage their reputation and compliance standing. In this sponsored Industry Voices segment, we delve into crucial strategies for bolstering data resiliency.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/232

Selected Reading

- Just about every Windows and Linux device vulnerable to new LogoFAIL firmware attack (Ars Technica)
- CISA, NSA, FBI and International Cybersecurity Authorities Publish Guide on The Case for Memory Safe Roadmaps (CISA)
- The Case for Memory Safe Roadmaps (Joint release)
- Healthcare Sector Cybersecurity (US Department of Health and Human Services)
- HHS releases cybersecurity strategy for health care sector (American Hospital Association)
- Fake Taylor Swift Quotes Are Being Used to Spread Anti-Ukraine Propaganda (WIRED)
- Obfuscation and AI Content in the Russian Influence Network "Doppelgänger" Signals Evolving Tactics (Recorded Future)
- Britain summons Russian ambassador over years-long FSB cyberespionage campaign (Reuters)
- NCSC exposes Russian cyber attacks on UK political processes (ComputerWeekly)
- Russian FSB cyber actor Star Blizzard continues worldwide spear-phishing campaigns (NCSC)
- Defending Democracy (NCSC)
- The State of Supply Chain Defense: Annual Global Insights Report (BlueVoyant)
- 2023 Holiday Bad Bot Report (Kasada)
- Facebook and Messenger to automatically encrypt messages (BBC)
- Your mobile password manager might be exposing your credentials (TechCrunch)
- Dieselgate, but for trains – some heavyweight hardware hacking (BadCyber)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Unpacking LogoFAIL's threat to Windows and Linux, the U.S. DHS's new healthcare cybersecurity strategy, and dual Russian influence campaigns, a look at supply chain risks,
Starting point is 00:02:12 increased bot activity in retail, Meta's end-to-end encryption in Messenger, and Android's AutoSpill vulnerability. On today's Industry Voices segment, we welcome Todd Thorsen, CISO from CrashPlan, with insights on data resiliency and the discovery of an alleged software kill switch in Polish trains. It's Thursday, December 7th, 2023. I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Starting point is 00:02:49 A newly discovered attack named LogoFAIL poses a significant threat to hundreds of Windows and Linux computer models from nearly all hardware makers, executing malicious firmware early in the boot process. This method allows infections that are hard to detect or remove with current defenses. LogoFAIL comprises about two dozen vulnerabilities in the Unified Extensible Firmware Interface firmware that boots these devices. It can bypass major security mechanisms like Secure Boot and similar protections,
Starting point is 00:03:37 gaining high-level control over affected machines. Discovered by Binarly, these vulnerabilities have existed for years and impact a broad range of consumer and enterprise devices. The attacks can often be executed remotely in post-exploit scenarios, undetectable by traditional endpoint security products. The vulnerabilities were disclosed in a coordinated mass release involving UEFI suppliers like AMI, Insyde, and Phoenix, device manufacturers such as Lenovo, Dell, and HP, and CPU makers including Intel, AMD, and ARM. The LogoFAIL attack exploits critical vulnerabilities in UEFI image parsers by replacing legitimate hardware seller logos displayed during the boot process with specially crafted images.
Starting point is 00:04:30 This allows malicious code execution in the Driver Execution Environment phase, leading to full control over the target device's memory and disk, including the OS. A second-stage payload can be delivered by LogoFAIL, placing an executable on the hard drive before the OS starts. This was demonstrated in a proof-of-concept exploit on a Lenovo ThinkCentre M70s. Binarly's findings indicate that the attack can bypass endpoint security solutions and persist in a firmware capsule with a modified logo image. Affected parties are releasing advisories and security patches for vulnerable products.
Starting point is 00:05:11 The U.S. Cybersecurity and Infrastructure Security Agency, along with the NSA, FBI, and cybersecurity authorities from Australia, Canada, the UK, and New Zealand, have jointly released a guide advocating memory-safe coding practices. This guide from the Five Eyes urges software manufacturers' executives to prioritize the use of memory-safe programming languages. It recommends the creation and publication of memory-safe roadmaps to modify their software development lifecycle. These roadmaps should outline steps to significantly reduce and eventually eliminate memory unsafe code in their products, thus enhancing customer protection. The guidance provides a detailed framework for what these
Starting point is 00:05:56 memory-safe roadmaps should entail. The U.S. Department of Health and Human Services released a strategy document titled Healthcare Sector Cybersecurity, Introduction to the Strategy of the U.S. Department of Health and Human Services. This plan, aligning with the President's cybersecurity strategy, acknowledges the increasing cyber threats targeting healthcare facilities due to their size, data sensitivity, and reliance on technology. HHS proposes a four-step approach to enhance size, data sensitivity, and reliance on technology. HHS proposes a four-step approach to enhance cybersecurity, setting voluntary performance goals, providing resources for implementing cybersecurity practices, executing an HHS-wide strategy for enforcement and accountability, and developing a comprehensive cybersecurity resource hub within HHS.
Starting point is 00:06:45 The American Hospital Association supports HHS's commitment but expresses concerns. It highlights the challenges posed by nation-state-affiliated cyber threats requiring a comprehensive government response. The AHA also warns against overly strict or punitive regulations, The AHA also warns against overly strict or punitive regulations, noting that many vulnerabilities stem from third-party systems outside the healthcare sector's direct control. Coincidentally, former HHS officials Jose Arrieta and Janet Vogel revealed details of a significant cyberattack on HHS networks on March 15, 2020, coinciding with the onset of the COVID pandemic. Reported by Bloomberg Businessweek, the attack, believed to be state-sponsored, involved an unusually large DDoS attack, leading to the temporary shutdown of HHS systems.
Starting point is 00:07:49 This assault is retrospectively viewed as a diversion for a more targeted attempt to infiltrate U.S. networks crucial to the pandemic response. Arrieta noted the attackers' detailed knowledge of the HHS network, including the locations of large data repositories, indicating a deliberate effort to extract specific information. The attack was part of a global trend where intelligence services exploited the pandemic to target vulnerable networks. Arietta and Vogel suspect China to be the most likely perpetrator of this attack. Swifties, beware! Russia's military intelligence service, the GRU, is reportedly using a disinformation strategy involving the misuse of celebrities' images paired with fabricating quotes criticizing Ukraine, as detailed by Wired. This campaign, aimed primarily at European audiences, falsely features celebrities like Taylor Swift, Selena Gomez, and Cristiano Ronaldo
Starting point is 00:08:41 portraying Ukraine as responsible for the war and misusing Western aid. The GRU's doppelganger operation, sophisticated in its dissemination methods, exploits Facebook's ad and content moderation systems to spread these false narratives. Additionally, the UK government has confronted Russia over the FSB's Cold River campaign aimed at influencing UK elections. Described as a highly targeted operation, it involves selective leaks of information obtained through cyber espionage, aligned with Russia's geopolitical aims. The campaign, known by various names including Star Blizzard, employs detailed spear phishing and impersonation attacks. This includes creating fake social media profiles and using event invitations as lures,
Starting point is 00:09:32 showing a stark contrast to the GRU's broader automated approach in the doppelganger campaign. Blue Voyant's State of Supply Chain Defense report highlights an increased focus on cybersecurity in supply chains. Key findings include that 85% of organizations have raised their budget for third-party cyber risk management in the past year, with 51% enhancing internal resources and 46% adding external ones. adding external ones. Monitoring of supply chain cyber risks has grown, with 47% of respondents doing so at least monthly in 2023, up from 41% in 2022. Additionally, there's a rise in reporting frequency to senior management about supply chain and cyber risk, with 44% doing so monthly or more in 2023 compared to 38% in 2022. Kasada's 2023 Holiday Bot Activity Report reveals a 198% increase in bot traffic compared to 2022. The peak of this traffic occurred the day before Thanksgiving, attributed to bots accessing pre-holiday sales ahead of shoppers.
Starting point is 00:10:45 Interestingly, bot traffic was higher in October than in November, indicating that both humans and bots were actively engaging in early bird holiday sales. Furthermore, there was a significant 251% spike in login fraud attempts on November 25th, Cyber Monday, and the day after, highlighting the growing cybersecurity challenges during major retail events. Meta has begun implementing default end-to-end encryption for Messenger, a significant enhancement in user privacy. Lauren Donna Crisson, head of Messenger, emphasized in a blog post that this development required years of effort involving the collaboration of engineers, cryptographers, designers, policy experts, and product managers. Meta initially tested end-to-end encryption in 2016 through a secret conversations mode and later extended it to voice and video calls in 2021.
Starting point is 00:11:43 and later extended it to voice and video calls in 2021. The feature was made available for group chats and calls in early 2022, and individual chats began testing in August 2022. Meta aims to complete the default end-to-end encryption rollout by the end of 2023. The engineering team faced challenges in adapting certain features like the sticker library and chat storage, necessitating a complete overhaul, as stated in their engineering blog. This move marks a significant step toward enhancing privacy and security in digital communications on the platform. Researchers at IIIT Hyderabad discovered a vulnerability named autospill in popular mobile password managers, affecting their autofill functionality on Android apps. This flaw allows user credentials saved in
Starting point is 00:12:33 these password managers to be exposed when an Android app loads a login page in WebView. WebView, which is a Google engine, enables web content display within apps, confusing password managers about the target destination for user login information. Consequently, credentials can be inadvertently disclosed to the app's native fields. Tests on updated Android devices using well-known password managers like 1Password, LastPass, Keeper, and NPass revealed widespread susceptibility to credential leakage, even with JavaScript injection disabled. With JavaScript injection enabled, all tested password managers were vulnerable to auto-spill. 1Password has acknowledged the issue and is working on a fix. Keeper confirmed being notified about a potential vulnerability but did not comment on specific remedies.
Starting point is 00:13:26 Google and Enpass have not responded to inquiries about the issue. Coming up after the break, my conversation with Todd Thorsen, Chief Information Security Officer from CrashPlan. We're talking data resiliency. Stick around. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security,
Starting point is 00:14:12 but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster
Starting point is 00:14:46 with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform Thank you. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. In an era where ransomware and malicious attacks are relentless, even the most secure organizations are not immune.
Starting point is 00:16:04 These attacks can cripple organizations financially, operationally, and damage their reputation and compliance standing. My guest today is Todd Thorsen, Chief Information Security Officer at CrashPlan. In this sponsored Industry Voices segment, we delve into crucial strategies for bolstering data resiliency. Data resiliency is really important. And in its essence, it's making sure that you've got backups of your data and that those backups are recoverable when you need them.
Starting point is 00:16:37 So when things go wrong, tools fail, are you able to recover data, resume operations in a timely fashion? Are there any common misunderstandings that you find that people have when it comes to data resiliency? There are, one of which is really the mechanism or the tools that you're using to backup and recover data. So, for instance, what I see often is tools are misused. So like cloud collaboration platforms, for example, are often misused for data recovery and resilience. They have some inherent limitations for the duration
Starting point is 00:17:17 that data is stored and is recoverable. And they also have scaling issues. So if you need to recover data at scale across your organization in the wake of an outage or, you know, God forbid, a breach, you're going to be challenged to be able to recover quickly and holistically. Can we touch on corporate policies, things that organizations should put in place to make sure that there isn't too much friction here when it comes to having a resiliency plan? Yeah, I think it's really important to sort of think through, and every organization is different, but think through where within your organization does critical data reside.
Starting point is 00:17:58 So the systems, the endpoints, servers, cloud, where is that data traversing and what are your capabilities for that from a recovery standpoint, from a backup standpoint, where do you want to put those efforts around? Policies are certainly important to articulate what the plan is, document that, what are the expectations for end users, and then executing those initiatives to make sure things are working appropriately. So policies are fine from, you know, a corporate governance perspective. But when you get into introducing a user requirement to enforce a policy, that's where it can become a challenge and you may have gaps. And that's where, you purpose-built backup and recovery solutions in place that are automated, they're just taking that action in the increments that you want to have coverage for is really important.
Starting point is 00:18:57 What about testing? I mean, an organization puts a plan in place. What's the process by which they know that it's actually going to work? Yeah, testing is really important. Running through scenarios, they can take a variety of avenues from a testing perspective. Certainly, you can run through tabletop exercises as an organization. So throwing out a scenario like, hey, we've been hit with ransomware. Now we're going to execute our incident response plan. So the incident response plan is really important because it should lay out the steps that everyone needs to take, the roles and responsibilities. So people have an idea of who is doing what, what are the expectations for the organization from a recovery standpoint.
Starting point is 00:19:42 But then it's not just documenting those, it's actually running through those scenarios in a realistic setting. And then as you're going through those, inevitably what you're going to find are things that you could do better. And so having sort of a debrief after you're running through those testing scenarios, what worked well, what didn't,
Starting point is 00:20:04 where do we need to make refinements from a policy or ownership standpoint? Where do we have challenges from a technology standpoint or administrative standpoint? Can you kind of walk us through the process when you and your colleagues there at CrashPlan work with someone for the first time? How do you go through establishing where they are, what their needs are, and where they need to go looking forward? Yeah, it's really, again, it's going back to, in every organization it's different,
Starting point is 00:20:33 but understanding your risk environment and aligning that with the organization's risk tolerance. And so understanding where critical data to the organization resides, that's always the place to start. Understanding where that sits, how it's being accessed, and who's accessing it. And then making sure that you're getting the right coverage. Again, everything is sort of a risk-based approach, but making sure that you're getting those critical areas, the critical data, you have a good understanding of where that resides, and then executing and implementing tools and process to protect that so that it is available and recoverable when needed. You know, the organizations that are finding success here,
Starting point is 00:21:19 who have a good plan in place and are finding that it's working for them. Are there things that they have in common? Are there best practices here that you see that are consistent? Yeah. I mean, one of the things that I find personally the most valuable is my network of fellow security practitioners, CISOs, and learning from them, having discussions, leveraging that network, what's worked well, what has been a challenge, how those challenges have been overcome, and then applying those into your organization. You know, it's hard to create an effective process in a vacuum. Certainly, you want to take your organization into account, but
Starting point is 00:22:02 it's also important not to recreate the wheel. So that's where having that sort of network of peers that you can lean on, share information with, and leverage as you're building out your program. It's never a one-and-done opportunity. It's ongoing. So you're going to make changes. You're going to make iterations. You're going to make continual improvements as you go through time. So one of the challenges I sort of always let people know is don't feel like you have to solve every problem right out of the gate. And
Starting point is 00:22:37 it's not the 10 commandments. So it's not carved in stone. Your policy is going to evolve. Your capabilities are going to evolve. Risks are going to evolve to the organization. So being able to pivot and iterate on that process over time is really important. And that's where the testing piece comes back to it, right? And so you're testing those capabilities. You're making narrative changes to improve your capabilities over time. So keep it simple. Don't feel like you have to account for every single potential contingency that could come around, but really start out knowing that you're going to iterate over time. Our thanks to Todd Thorsen, Chief Information Security Officer at CrashPlan, for joining us.
Starting point is 00:23:38 Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
Starting point is 00:24:21 We close today with details from a presentation given a few days ago at the Oh My Hack conference by members of the hacking team we're about to tell you about. In spring 2022, the Polish company SPS faced a baffling situation. After performing maintenance on Newag's Impuls 45WE commuter trains, the vehicles wouldn't operate despite all diagnostics indicating that they were functional. The issue grew serious when multiple trains,
Starting point is 00:24:53 post-maintenance, experienced the same problem, severely disrupting regional railway services. Faced with escalating costs and contractual penalties, SPS sought unconventional help and hired the Dragon Sector Hacker Group. The team faced numerous challenges, including a lack of documentation and difficulties in accessing and understanding the train's computer system. However, they persevered, uncovering startling facts. Their investigation revealed the train's software contained GPS
Starting point is 00:25:26 coordinates of various Polish maintenance centers, including NUAG's own facility. The software was programmed to disable train functionality after spending 10 days in these centers, a feature not documented in the 20,000-page manual. Additionally, the software contained mechanisms to lock the train if certain parts were replaced, and to simulate breakdowns under specific conditions, like reaching a million kilometers. The discovery of a remote communication device in the trains added to the intrigue, hinting at potential external control capabilities.
Starting point is 00:26:04 Dragon Sector's efforts not only revived the immobilized trains, but also brought to light concerning alleged practices by the manufacturer, Nuag. Despite the magnitude of these findings, the response from Polish regulatory bodies remained limited, with only Cert Polska taking action by notifying law enforcement. The situation raises significant questions about manufacturer ethics, consumer protection, and the adequacy of regulatory oversight in the railway industry. Who knew trains could play hide-and-seek with their functionality?
Starting point is 00:26:39 Turns out, when it comes to mysterious breakdowns, sometimes you need more than a mechanic. You need a hacker with a knack for digital detective work. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. As we near the end of the year, it is the perfect time to reflect on your Thank you. So tell your marketing team to reach out. Send us a message at sales at thecyberwire.com or visit our website so we can connect about building a program to meet your goals. We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com. We're privileged that N2K and podcasts like The Cyber Wire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people.
Starting point is 00:28:03 We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin. Our mixer is Tré Hester with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Starting point is 00:29:10 Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
