CyberWire Daily - No more “cyber Snorlax” naps.

Episode Date: October 18, 2024

Microsoft describes a macOS vulnerability. A trio of healthcare organizations reveal data breaches affecting nearly three-quarters of a million patients. Group-IB infiltrates a ransomware-as-a-service operation. Instagram rolls out new measures to combat sextortion schemes. Updates from Bitdefender address man-in-the-middle attacks. An Alabama man is arrested for allegedly hacking the SEC. In our Industry Voices segment, Gerry Gebel, VP of Strata Identity, describes how to ensure identity continuity when the IDP is disrupted, disconnected or diminished. CISOs want to see their role split into two positions. Game Freak's servers take a critical hit.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest: Today, we have our Industry Voices segment with Gerry Gebel, VP of Products and Standards at Strata Identity, discussing how to ensure identity continuity when the IDP is disrupted, disconnected or diminished.
Resources to learn more:
Identity Continuity™: How to have uninterrupted IDP access
Resilience in extreme conditions: Why DDIL environments need continuous identity access

Selected Reading
macOS Vulnerability Could Expose User Data, Microsoft Warns (Infosecurity Magazine)
Microsoft warns it lost some customers' security logs for a month (Bleeping Computer)
3 Longtime Health Centers Report Hacks Affecting 740,000 (GovInfo Security)
Cicada3301 ransomware affiliate program infiltrated by security researchers (SC Media)
Instagram Rolls Out New Sextortion Protection Measures (Infosecurity Magazine)
Bitdefender Total Security Vulnerability Exposes Users to Man-in-the-Middle Attacks (Cyber Security News)
Alabama Man Arrested in SEC Social Media Account Hack That Led the Price of Bitcoin to Spike (SecurityWeek)
CISOs Concerned Over Growing Demands of Role (Security Boulevard)
Pokémon video game developer confirms its systems were breached by hackers (The Record)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners: today, get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Microsoft describes a macOS vulnerability. A trio of healthcare organizations reveal data breaches affecting nearly three-quarters of a million patients. Group-IB infiltrates a ransomware-as-a-service operation. Instagram rolls out new measures to combat sextortion schemes. Updates from Bitdefender address man-in-the-middle attacks.
Starting point is 00:02:21 An Alabama man is arrested for allegedly hacking the SEC. In our Industry Voices segment, Gerry Gebel, VP of Strata Identity, describes how to ensure identity continuity in disrupted, disconnected, or diminished IDP environments. CISOs want to see their roles split into two positions, and Game Freak's servers take a critical hit. It's Friday, October 18th, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here. Happy Friday.
Starting point is 00:03:16 Great to have you with us. Microsoft has discovered a vulnerability in macOS called HM Surf, which allows attackers to bypass Apple's Transparency, Consent, and Control protections (TCC). This flaw grants unauthorized access to sensitive user data, including camera, microphone, location, and browser history. The vulnerability specifically affects Safari, as its TCC entitlements can be exploited to bypass privacy checks. Microsoft reported the issue to Apple, which released a fix in the September 2024 macOS Sequoia update. Users are urged to apply the update immediately, as Microsoft detected potential exploitation by the Adload malware family.
Starting point is 00:04:14 Attackers could use this flaw to access a device's location, capture camera snapshots, record audio, or stream data without the user's knowledge. While third-party browsers like Chrome and Firefox are not affected, Safari's default status makes this a significant threat. Staying with Microsoft, Redmond has warned enterprise customers of a bug that caused critical security logs to be partially lost between September 2nd and October 3rd, potentially leaving companies vulnerable to undetected threats. The issue, which affected services like Microsoft Entra, Azure Logic Apps, and Microsoft Sentinel, hindered the ability to monitor suspicious activity and generate security alerts. The bug stemmed from a fix to the log collection service, which inadvertently created a deadlock condition, preventing proper log uploads. Although the issue has been resolved, some companies did not receive notifications.
Starting point is 00:05:13 This follows previous criticism of Microsoft for requiring payment for advanced logging features, which limited access to critical security data during major breaches. Microsoft has since expanded its free logging capabilities for Purview Audit Standard customers. Three healthcare organizations, Omni Family Health, Tri-City Medical Center, and New York Plastic Surgery, have reported major data breaches affecting around 740,000 patients and employees. Omni Family Health, a network of 40 clinics in California, disclosed that roughly 470,000 individuals were impacted after sensitive data, including Social Security numbers and medical information, was leaked on the dark web. Tri-City Medical Center in San Diego County reported a breach affecting about 108,000 people, exposing patient data after suspicious network activity. New York Plastic Surgery's breach impacted nearly 162,000 individuals, with compromised data including Social Security numbers, biometric data, and medical records.
Starting point is 00:06:19 Ransomware groups are suspected in that incident. These breaches highlight the growing trend of healthcare cyberattacks often involving data theft, as attackers increasingly target the abundant and accessible sensitive data in the healthcare sector. The Cicada 3301 ransomware-as-a-service group had its affiliate program infiltrated by Group IB researchers, revealing new details about the gang's operations. Active since June of this year, Cicada 3301 has claimed at least 30 victims,
Starting point is 00:06:54 mainly in the U.S. and U.K. The group shares similarities with the defunct Alf V. Black Cat ransomware, although it's unclear if they rebranded or bought its source code. Cicada 3301's affiliate panel, accessible via Tor, allows affiliates to customize attacks, manage victims, and negotiate ransom payments. Affiliates earn a 20% commission and can adjust encryption methods and landing page types. The ransomware is written in Rust, targeting Windows, Linux, and even older systems like PowerPC. Cicada 3301 avoids attacking Commonwealth of Independent States countries and communicates in both Russian and English. Group IB's findings highlight the professionalism and evolving threats posed by modern ransomware groups.
Starting point is 00:07:44 Instagram has introduced new security measures to combat sextortion scams, which have surged by over 300% from 2021 through 2023. The platform now hides follower lists, prevents screenshotting of sensitive images in direct messages, and expands its nudity protection feature globally. Alongside these updates, Instagram is partnering with the National Center for Missing and Exploited Children to create educational resources to help teens recognize sextortion scams. Additionally, Instagram launched teen accounts,
Starting point is 00:08:22 offering built-in protections such as private profiles by default, restricted messaging settings, and time management features. Parents will also have greater oversight through supervision tools, allowing them to monitor messages and set daily limits. Bitdefender Total Security was found vulnerable to multiple man-in-the-middle attacks due to improper certificate validation in its HTTPS scanning feature. These vulnerabilities, identified under several CVEs, allow attackers to intercept and alter communications between users and websites. Issues include trusting self-signed and insecure certificates and failing to verify certificate chains and hash functions. All vulnerabilities received a high CVSS score of 8.6, signaling significant risks to user data confidentiality and integrity. Bitdefender has released an update to fix these issues.
Starting point is 00:09:37 Eric Council Jr., a 25-year-old from Alabama, was arrested for his alleged involvement in the January hack of the U.S. Securities and Exchange Commission's social media account. The hack falsely announced the approval of Bitcoin exchange-traded funds, causing Bitcoin's price to briefly spike by over $1,000. Authorities say Mr. Council used a SIM swap technique to impersonate someone with access to the SEC's account, allowing hackers to post the fake announcement. The SEC quickly denied the post, clarifying that no approval had been granted. Mr. Council is charged with conspiracy to commit aggravated identity theft and access device fraud. Following the hack, Bitcoin's price surged to nearly $48,000 before falling back to around $45,200 after the SEC's clarification. A survey by Trellix and Vanson Bourne found that 84% of CISOs advocate for splitting their role into two positions,
Starting point is 00:10:32 technical and business-focused, due to the growing complexity and cybersecurity threats and regulatory demands. With 98% of CISOs concerned about keeping up with evolving regulations and 79% finding the compliance burden unsustainable, many are seeking external insights, with 87% preferring peer discussions over solo research. CISOs are also under pressure to maintain frequent communication with leadership, with nearly half reporting to the board weekly.
Starting point is 00:11:05 The expanding scope of the role has led to burnout, with half of CISOs not seeing a long-term future in the position. Coming up after the break on our Industry Voices segment, Gerry Gebel from Strata Identity describes how to ensure identity continuity. Stay with us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Starting point is 00:12:00 But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta
Starting point is 00:12:34 when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:13:38 Gerry Gebel is Vice President at Strata Identity, and in today's sponsored Industry Voices segment, he describes how to ensure identity continuity in disrupted, disconnected, and diminished IDP environments. I would love to start off with some high-level stuff here. When people find themselves in this situation, in this time that we live in, where I think most people think of us as having great uptime percentages, things work most of the time. Are they putting proper planning in place for the potential of an identity disruption? The answer is probably no, because whenever there is some kind of significant outage happening, and it doesn't have to be an IDP outage per se, an identity provider outage. I think the recent CrowdStrike example raised people's focus and or awareness again:
Starting point is 00:14:37 that are we doing enough planning? And I think typically the answer is no. And so then you go back to the drawing board and go through whatever your standard procedures are and try to highlight, okay, where did something go wrong? And can we do something to improve it or to avert that outage in the future? So, I mean, that would be my perspective on that question. It seems to me like it would be easy for folks to kind of take their cloud identity providers for granted. You know, when they're doing their planning
Starting point is 00:15:12 to maybe not consider or put that towards the bottom of the list of things that could go wrong. Is that a fair way to think about how many folks approach the situation? I think it's easy for you to get into that mindset. And maybe not realizing how much effort it took to get to an availability level of five nines when you were running your own software in your own data center environment. when you were running your own software in your own data center environment. And now you've outsourced that to a cloud provider and they can provide, say, four nines.
Starting point is 00:15:51 And that sounds pretty close, but it's not quite up to the same par that you were doing on your own. So there is that significance in that different SLA, if you will. But also it's now out of your control. And maybe you're thinking, well, they're telling me that they're the experts at this, and it's not something that me, the customer, should worry about anymore. And so, yeah, you could be lulled into that sense of security, certainly. Before we get to some of your suggestions for how folks can protect themselves against this,
Starting point is 00:16:27 can we go through some of the potential causes of an IDP outage? What sort of things are people up against here? Well, again, the software is out of your control, right? So a SaaS identity provider is managing that environment. So you don't control the change control process anymore. So they could introduce an error when they do their own change control on their side. So that could result in an outage.
Starting point is 00:16:55 Or there could be some misconfiguration that you do on your own side that results in an outage. It could be the backhoe hits the fiber for one of the data centers where they're located and that causes an outage. So, you know, there's different ways that this can happen. Well, let's go through some of the best practices here together. What are the recommendations that you and your colleagues there make? Well, I like to, you know, play on words a little bit here and say, categorize, prioritize, and improvise. Really, categorize is getting a catalog of all the different identity components, because it's not just your identity provider. There could be other components within the identity infrastructure that are part of enabling an application to operate.
Starting point is 00:17:45 That could include other sources of attribute information, risk metrics, multi-factor authentication, and so on. So there are multiple moving parts likely involved in a typical application deployment. So you need to understand what is that full inventory, that full catalog of different components? How do they interrelate? And is there a single point of failure somewhere? So that's what I think is one of the first places to start
Starting point is 00:18:15 so that you truly understand your environment. What about things like failover, like having backup systems that you can sort of seamlessly switch over to a secondary system if need be? That's right. That would be one way to handle a failing situation. And maybe you don't do this for the entire user population. Maybe you only do this for higher priority applications. Maybe you only do this for higher priority applications.
Starting point is 00:18:51 We like to say that maybe the inventory or the finance app is more important than the cafeteria menu app for the week. So we don't necessarily have to replicate every single application. But part of prioritizing is knowing, okay, which ones do I really need to keep running to keep my business going, you know, to keep manufacturing automobiles or to keep dispensing medicine and so on. For those systems, if possible, yes, you want to have failover scenarios for each of those components I mentioned or a collection of them, you know, that support those critical business applications. And help me understand here, I mean, the way these systems work, if I lose connectivity with my cloud provider, are there systems available where things can run locally in the meantime and then reconcile what happened when we get our connection back? Yes, I think so. Most organizations, most large enterprises are still running in a hybrid mode.
Starting point is 00:19:54 So they're not 100% cloud-based. Or even if they are 100% cloud-based, they're not using one single cloud provider. So there could be alternatives to failover to an on-premises system for authentication and access, for example, or potentially to a secondary cloud provider's IDP and similar capabilities so that you can keep operating during these scenarios. What about the physical connections themselves? You know, I think about, oh gosh, you know, how often in a work situation where everyone's running around because the internet's down and people fall back to their portable mobile devices, you know, those kinds of things. Are those wireless networks a viable option for some organizations? Well, I mean, it could even be viable for us
Starting point is 00:20:48 on this podcast, right? If I lose my ISP, then potentially I can log in through my mobile phone and maybe have an interruption, but keep on going. So absolutely. And that's another way to think about improvising your recovery or
Starting point is 00:21:07 failover scenarios. What are the alternate paths that I can take to get to my identity systems as well as to my application? So absolutely. What are the tips that you would share with folks who are in the early stages of this journey? They want to get a better handle on this. Any words of wisdom, you know, the things that you and your colleagues have learned along the way to make this a smoother process as folks are getting going here? Yeah, I think it goes a little bit back
Starting point is 00:21:37 to a comment I made earlier is about really understanding the different identity components in your environment because even those systems are fairly complex. So understanding what components are supporting each of your, let's say, your high-priority business applications, and then their interdependencies, and therefore, where are the failure points? So really understanding the environment to that degree
Starting point is 00:22:05 really helps not only manage for failures, but also it helps in just general problem determination when some error condition occurs. It makes it much faster in your response so that you can more quickly go through your decision, your problem determination tree, and figure out, okay, what is the actual cause of this problem? Is it the identity provider?
Starting point is 00:22:32 Is it some attribute source that's failing or slowing down? Is the multi-factor authentication system still working properly. So having the metrics and the operational awareness of these different components will help you in failure situations. It'll help you recognize what parts of your environment potentially are slowing down at different points. And then also, like I said, for problem determination. So I think that's a key aspect of this. And then to look at how to isolate those high priority applications
Starting point is 00:23:13 and business functions that you need to support, regardless of the availability of your primary identity components. How can we arrange for a failover scenario that even if it's not full function, that we can continue to operate those business systems until the primary systems are fully back up and running? The folks that you work with who've seen success here,
Starting point is 00:23:40 what are the stories that you hear from them in terms of you know adopting a system an integrated system the types of things that you and your colleagues provide versus trying to roll your own you know trying to go it go it alone what are some of the benefits that you hear them share with you yeah i think a couple of things come to mind. Well, actually, a few things. The first two are interrelated. One is the cost involved with rolling your own and the as well as deep expertise in how those particular identity products work. Now, it works very well in their environment for their scenario, but it was a tremendous amount of time and cost to get it up and running. amount of time and cost to get it up and running. But the third aspect I would point out is the increase in flexibility that you have when you properly architect your environment, you know, just for general operation, but also for how to handle these failover scenarios.
Starting point is 00:25:01 You know, if you can implement an architecture that in and of itself allows you the flexibility to more easily switch between environments, that is a tremendous benefit in multiple ways. It's faster to set up, a lot cheaper to purchase and maintain, but also it enables you to more quickly react to different failure scenarios. Do you want them to be automated so that when a primary system is offline for a specific period of time, we automatically switch to a secondary?
Starting point is 00:25:39 Or do you want us to manually control that based on different signals that the customer is managing from other risk sources, for example? So, yeah, I'd say cost, time, and flexibility are the important aspects there that we've heard about. Our thanks to Jerry Gable, VP of Strata Identity, for joining us. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach
Starting point is 00:26:48 can keep your company safe and compliant. And finally, our Pokedex Chronicle desk reports that it looks like Team Rocket isn't the only one causing trouble for Game Freak. The co-owner of the Pokemon franchise confirmed a cyber attack earlier this year, resulting in a major data leak. Hackers allegedly nabbed over one terabyte of data, including personal information of 2,600 employees, names, emails, and potentially some unreleased evolutions of upcoming projects, although Game Freak isn't saying. Fans were quick to jump on the leaks, with design documents and Pokemon art surfacing on platforms like XTwitter and Reddit. Game Freak has since patched up its systems and is training hard to boost security,
Starting point is 00:27:55 promising it won't let another cyber-snorlax nap on their servers again. In a heartfelt apology, the company expressed regret for the inconvenience caused. Looks like this breach hit harder than a hyperbeam, but Game Freak's ready to catch them all. All the cyber threats, that is. So next! And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this week's Research Saturday. This week we've got Chester Wisniewski, Global Field CTO from Sophos XOPS team, sharing his team's work on the return of Chinese cyber espionage campaign Crimson Palace. That's Research Saturday. Check it out.
Starting point is 00:28:49 We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. We're privileged that N2K Cyber Wire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment,
Starting point is 00:29:26 your people. We make you smarter about your teams while making your team smarter. Learn how at n2k.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music and sound design by Elliot Peltzman.
Starting point is 00:29:41 Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karp. Simone Petrella is our president. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week. Thank you. Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate
Starting point is 00:30:32 your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
