CyberWire Daily - Renewed surveillance sparks controversy.
Episode Date: April 22, 2024

Section 702 gets another two years. MITRE suffers a breach through an Ivanti VPN. CrushFTP urges customers to patch an actively exploited flaw. SafeBreach researchers disclose vulnerabilities in Windows Defender that allow remote file deletion. Ukrainian soldiers see increased attention from data-stealing apps. GitHub's comments are being exploited to distribute malware. VW confirms legacy Chinese espionage and data breaches. CISA crowns winners of the President's Cup Cybersecurity Competition. Cecilia Marinier, Director, Innovation and Programs at RSA Conference, and Niloo Razi Howe, Senior Operating Partner at Energy Impact Partners & judge, review the top Innovation Sandbox contest finalists in anticipation of RSAC 2024. Targeting kids online puts perpetrators in the malware crosshairs.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
We have two guests today. Cecilia Marinier, Director, Innovation and Programs at RSA Conference, and Niloo Razi Howe, Senior Operating Partner at Energy Impact Partners & judge, review the top Innovation Sandbox contest finalists and what to look for on the innovation front at RSAC 2024. For 18 years, cybersecurity's boldest new innovators have competed in the RSAC Innovation Sandbox contest to put the spotlight on their potentially game-changing ideas. This year, 10 finalists will once again have three minutes to make their pitch to a panel of judges. Since the start of the contest, the Top 10 Finalists have collectively seen over 80 acquisitions and $13.5 billion in investments. Innovation Sandbox will take place on Monday, May 6th at 10:50am PT.

Selected Reading
Warrantless spying powers extended to 2026 with Biden's signature (The Record)
MITRE breached by nation-state threat actor via Ivanti zero-days (Help Net Security)
CrushFTP File Transfer Vulnerability Lets Attackers Download System Files (Infosecurity Magazine)
Researchers Claim that Windows Defender Can Be Bypassed (GB Hackers)
Ukrainian soldiers' apps increasingly targeted for spying, cyber agency warns (The Record)
GitHub comments abused to push malware via Microsoft repo URLs (Bleeping Computer)
Presumably Chinese industrial spies stole VW data on e-drive technology (Bleeping Computer)
CISA declares winners of President's Cup cybersecurity competition, with Artificially Intelligent team leading (Industrial Cyber)
Malware dev lures child exploiters into honeytrap to extort them (Bleeping Computer)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
...of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life... JoinDeleteMe.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout. That's JoinDeleteMe.com slash N2K, code N2K.
...actively exploited flaw. SafeBreach researchers disclose vulnerabilities in Windows Defender that allow remote file deletion.
Ukrainian soldiers see increased attention
from data-stealing apps.
GitHub's comments are being exploited
to distribute malware.
VW confirms legacy Chinese espionage and data breaches.
CISA crowns winners
of the President's Cup cybersecurity competition.
Our guests, Cecilia Marinier, Director of Innovation and Programs at RSA Conference,
and Niloo Razi Howe, Senior Operating Partner at Energy Impact Partners,
review the top innovation sandbox contest finalists in anticipation of RSAC 2024.
And Targeting Kids Online puts perpetrators in the malware crosshairs.
It's Monday, April 22, 2024.
I'm Dave Bittner, and it's great to have you here with us. Over the weekend,
President Biden signed a bill reauthorizing Section 702 of the Foreign Intelligence Surveillance Act
for two more years
amid heated debates over the controversial surveillance program.
The Senate passed the bill with bipartisan support in a 60-34 vote
right before the statute was set to expire.
Supporters of Section 702 claim it's been essential for U.S. intelligence
since its 2008 inception, aiding in the disruption
of terror activities, cyber threats, and foreign espionage by allowing the warrantless collection
of foreign communications, albeit sometimes including those of Americans. The reauthorization
journey was tumultuous, marked by disagreements between privacy advocates and national security proponents.
Despite the looming deadline and potential non-cooperation from major U.S. communication
providers, the bill was passed, incorporating reforms to safeguard American privacy and civil
liberties, as emphasized by Attorney General Merrick Garland. However, the push for more stringent changes,
including a warrant requirement for the FBI to access Americans' communications,
faced resistance.
Critics argued for amendments to address civil liberty concerns,
but these proposals failed to gain sufficient support.
The debate highlighted a balancing act between upholding civil liberties
and addressing national security needs,
with officials warning that warrant requirements could impede rapid response to security threats.
MITRE Corporation suffered a breach through two zero-day vulnerabilities in Ivanti's Connect Secure VPN devices,
leading to the compromise of its VMware network infrastructure. The not-for-profit organization confirmed the breach as orchestrated by a foreign nation-state actor,
detected through suspicious activity on its research network NERVE. Despite adhering to
best practices and government advice for securing Ivanti systems, MITRE failed to notice the
attacker's lateral movement into their VMware
environment. The attackers conducted reconnaissance, exploited VPNs via the Ivanti zero-days,
moved laterally, hijacked sessions, utilized compromised accounts, and exfiltrated data.
Although the core enterprise network appears unaffected, the breach's full scope remains
under investigation.
MITRE responded by taking down the compromised environment,
initiating an inquiry, and issuing advice for defenders,
including traffic monitoring, user behavior analysis,
network segmentation, and enhanced security measures.
The exploit has been previously linked to a Chinese attack group by security firms.
CrushFTP has issued an urgent advisory for customers to patch a vulnerability in versions
before 11.1 of its software after discovering an actively exploited flaw that permits attackers
to download system files by escaping the virtual file system.
CrowdStrike observed this vulnerability being exploited for intelligence gathering,
suggesting political motives behind the attacks on U.S. entities.
They advise CrushFTP customers to monitor updates from the vendor closely and prioritize patching.
This incident underscores the broader trend of file transfer software vulnerabilities
being targeted for widespread compromise,
as evidenced by past attacks on MOVEit and Fortra GoAnywhere MFT software.
At the Black Hat Asia conference,
SafeBreach cybersecurity researchers Tomer Bar and Shmuel Cohen
discovered vulnerabilities in Windows Defender
that allowed remote file deletion on Windows and Linux servers,
risking data loss and system instability.
By inducing false positives in security systems,
they demonstrated the potential to bypass security controls
and delete crucial files without authentication.
The researchers developed a Python tool to discover unique byte signatures in endpoint
detection and response systems, exploiting these for remote deletions of significant files,
including Windows event logs and Microsoft's own detection logs.
Despite Microsoft's attempt to fix the vulnerability, SafeBreach found the patch
partially effective, leaving some attack vectors open and discovering another vulnerability as a
bypass. Microsoft acknowledged the findings, implementing measures to minimize false positives
and allowing configurations to quarantine remediation actions by default.
Ukraine's Computer Emergency Response Team, CERT-UA,
reports a rise in attempts to implant data-stealing malware on messaging apps used by Ukrainian armed forces.
This activity, mainly attributed to the hacker group UAC-0184,
aims at espionage and has been observed since February. CERT-UA warns soldiers of the heightened risks of online activity, such as sharing photos in military uniform, which could
aid attackers in identifying targets for cyber and physical attacks. The group uses a mix of
custom and open-source malware, including Hijack Loader and Remcos,
a legitimate remote access tool misused for malicious purposes, to infiltrate systems.
Other malware types identified include Viotto Keylogger, XWorm, Tusk, and SigTop,
the latter specifically targeting Signal app data.
Despite previous considerations for a secure military app,
many Ukrainian soldiers continue using common messaging platforms like Telegram and Signal.
Google's Mandiant and CERT-UA have noted similar espionage campaigns by Russia-backed hackers,
including the Sandworm and Turla groups, targeting military communications.
Bleeping Computer highlights a vulnerability or potentially a design oversight in GitHub that's being exploited by cybercriminals to distribute malware through URLs
that seem to originate from legitimate Microsoft repositories,
thereby enhancing the perceived trustworthiness of the malicious files.
This issue leverages GitHub's feature allowing users to attach files to comments,
which are then hosted on GitHub's CDN, associating them with the project's URL.
Notably, the malware has been camouflaged as legitimate software updates or new drivers,
exploiting repositories of reputable companies.
Despite the possibility of abuse across any GitHub repository,
there seems to be no direct method for repository owners
to manage or remove files attached to their projects,
aside from disabling comments, which could hinder project development.
Although GitHub removed the malware linked to Microsoft's repositories following the discovery,
similar malicious content in other repositories remains accessible, indicating an ongoing threat.
German media outlets, citing new access to internal company documents,
are reporting that between 2010 and 2015,
Volkswagen experienced a significant cyber attack by suspected Chinese state hackers, with around 19,000 confidential files stolen.
The data theft extended across VW, Audi, and Bentley, focusing on proprietary information
related to drive technologies, including petrol engines, gearboxes, dual
clutches, electromobility, and fuel cells. The cyberattack also targeted transmission
control software and technical manuals. VW confirmed the breach, noting it occurred a
decade ago, and since then, IT security has been significantly enhanced. The attack began with espionage activities in 2010,
leading to successful data breaches between 2011 and 2014. Cybersecurity experts linked the attack
to China, citing IP addresses near Chinese military intelligence and the use of espionage
software like PlugX and China Chopper. The Chinese embassy denied these accusations.
VW detected the hackers in 2014 due to an error and countered in 2015
by shutting down its network and clearing over 90 servers.
The U.S. Cybersecurity and Infrastructure Security Agency recently concluded
the fifth annual President's Cup Cybersecurity Competition,
crowning team Artificially Intelligent as this year's winners. The team, comprising members
from the Department of Defense, U.S. Army, and U.S. Air Force, includes veterans from past winning
teams. Individual accolades went to U.S. Army Major Nolan Miles in Track A and U.S. Marine Corps Staff Sergeant Michael Torres in Track B, with Torres also securing second place in Track A and becoming the first to repeat a win in the competition. ...U.S. government and military's cybersecurity talent, featuring challenges in cyber defense,
exploitation, and more, based on the NICE cybersecurity workforce framework.
This year's competition began in January and saw over 1,400 individual participants and 312 teams.
Winners will be honored at a White House awards ceremony,
highlighting the event's significance in recognizing federal cybersecurity expertise.
Coming up after the break, a preview of this year's Innovation Sandbox in anticipation of RSAC 2024.
Stay with us.
Transat presents
a couple trying to beat the winter blues.
We could try hot yoga.
Too sweaty.
We could go skating.
Too icy.
We could book a vacation.
Like somewhere hot.
Yeah, with pools.
And a spa.
And endless snacks.
Yes!
Yes!
Yes!
With savings of up to 40% on Transat South packages, it's easy to say, so long to winter.
Visit Transat.com or contact your Marlin travel professional for details.
Conditions apply.
Air Transat. Travel moves us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and helps you get security questionnaires done five times faster
with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's
defenses is by targeting your executives and their families at home? Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover
they've already been breached. Protect your executives and their families 24-7, 365,
with Black Cloak. Learn more at blackcloak.io.
Cecilia Marinier is Director of Innovation and Programs at RSA Conference,
and Niloo Razi Howe is Senior Operating Partner at Energy Impact Partners and a judge of this year's Innovation Sandbox at RSAC 2024.
Here's my conversation with them in anticipation of this year's competition.
So I must admit that talking about the Innovation Sandbox is one of my favorite things that we get to do every year. In
fact, it is one of my favorite parts of RSA Conference every year because I feel as though
it's kind of a little window into the future as to what we're heading for here with these folks, these
hopefuls who are looking to take their place and make their mark on the industry. Cecilia, let me
start with you, just in terms of some of the trends that you've been tracking here when it
comes to the folks who've been submitting to be part of the Innovation Sandbox?
So I actually am going to push that question over to Niloo and just give you a
great idea about how powerful Innovation Sandbox contest has been. Because this contest has had,
for the past 19 years, had top 10 finalists. And there have been 80 acquisitions,
over $13.5 billion in investments. I mean, when we say that it is the
leading contest in the industry, it really does help elevate and amplify these really important
entrepreneurs. So we're really excited to have somebody, our judging panel, who gets to select
amazing companies every year into our top 10. But I'm going to let the judge who actually made those
decisions actually talk a little bit more about the trends.
Fair enough. Niloo, what have you been seeing here?
First of all, let me start by underscoring what you said. For me as well, this is my most favorite
thing I do each year, both in terms of reviewing the companies, the incredible submissions,
the entrepreneurs and all the work they put against it, but also the event itself, the energy in the room is incredible. So it's a
really exciting time. There were two big trends I would say that I noticed this year. The first one
is around funding. And what was really interesting to see is that great startup companies continue to receive large rounds of funding, both with
respect to seed rounds and A rounds. And given what's been going on in the economy, everyone
assumed that there was going to be a retrenchment from an investment perspective. And based on the
submissions we saw this year and the number of companies that have successfully raised, I would say the great companies continue to get investments to build and grow and scale. From a tech perspective,
what was interesting about this year is that it wasn't about new threat vectors necessarily,
but it was about the next generation of security technologies that are solving really important
problems in a scalable, agile, and effective way. So a lot of it, of course, is focused on the cloud and
whether it's data, identity, incident response, a lot of it had to do with application of artificial
intelligence to solve and scale these security solutions. So that was the big trend. We do continue to see companies focusing on the adversarial side use of AI. So companies in the misinformation, disinformation space, as well as deep fakes. But there weren't as many as I thought there were going to be. So it's really about next generation security technology, next generation applications.
Cecilia, what have you all been seeing in terms of the number of applications
here and the general interest in this program? It has been very, very consistent and consistently
in a great way. We keep on getting a lot of companies, which gives me a lot of excitement
about where our industry is going in general because it demonstrates that
there is still a lot of innovation happening and these innovators are out there wanting to get in
front of the different audiences to showcase how they're actually solving the problems.
So numbers are great. I never give out the real number, Dave, but I give out like, oh my gosh.
And poor Niloo knows because she is part of the crew that had
to actually sift through all those companies that submitted. But we did consistently. We are on the
same as last year and last year was a blowout year. And one thing I would add to that is I
always think we've reached the apex in terms of quality of submissions. And every year it gets harder. I mean, the number of quality companies
that submitted was fantastic.
It was huge and it makes our job a little bit harder.
Niloo, I'm curious, you mentioned earlier
that the great companies are still getting the funding.
What are the boxes that those companies have to check
for the investors to consider them to be a great company?
Generally speaking, solving an important problem with an innovative approach and a team that has the background and experience to do it.
And the team is actually, it's a qualitative assessment, but it's a key part of making a decision about whether to
fund a company or not, because we're solving an existential problem in cyber, and the entrepreneurs
really need to understand what they're doing. And one of the things we're seeing is that this is an
ecosystem that works with each other really well. And something I've seen in cyber that I haven't seen in any other industry
is the number of repeat entrepreneurs we have
who start successful company
after successful company
after successful company
and then become investors
and then become advisors and board members.
I haven't seen that anywhere else.
That's pretty amazing.
And they really do help filter through
identifying the great companies.
So Niloo, can you give us a little bit of a preview of where we stand and what people can
expect when it comes to this year's Innovation Sandbox? I mean, what are some of the things that
led us to where we find ourselves today? Well, to reiterate some of what Cecilia has said, what you should expect to see on stage
is incredible entrepreneurs, many of whom have been there, done that, solving a wide set of
really important problems related to cloud security, data security, the application of AI,
the protection of AI. And it's a diverse set of
companies, both from a geographic perspective, from a market segment perspective. And it's,
you know, one of the things we do as judges, every company submits a video and we watch every single
video. Sometimes we watch them multiple times. And what we're really looking for is
entrepreneurs who can, in a very concise way, describe the problem, describe the solution,
describe why they're going to win. I think folks are going to be blown away by this year's
crew of entrepreneurs. So let me add two little tidbits on top of that. One is that the goal is that they are prepared. They will be prepared.
I have seen the videos as well as Niloo. And this is a really strong crop of entrepreneurs.
And so I am very confident that this show will be great. But in addition, as a judge,
they're going to be choosing that one product that's going to make a huge impact on
cybersecurity in the next 12 months. And that's the goal, is to get the one company that's really
going to affect in a positive way the good fight. And if I can layer on that for a second,
I would say the top 10 are all winners. It is an incredibly strong set of companies
that made the top 10 this year.
And every single one of them could be a winner.
So it's going to be an interesting judging process
in the back room.
Cecilia, let me give you the last word here.
For folks who may be RSA Conference first-timers and they're trying to
map out how they're going to spend their time, what can they expect from this particular event?
This is one, and we always say this, and Niloo kind of mentioned it, I can promise you that
Hugh Thompson, who is our program chair and who actually also emcees the Innovation Sandbox Contest, this is one of the favorites for RSA Conference.
It is a really fun experience.
It's about an hour and a half of very intense pitching.
And there's a buzzer at the end.
So each of the top 10 get three minutes to pitch in front of these five judges
that are incredibly important and a group of like 800
of their peers behind them and others that are sitting in other areas watching. So it's very,
very time. There's a pressure on it. There's a buzzer at the end if you don't make it in three
minutes. And so it's a fun way to hear about the new innovation coming out in the overall industry.
And then what I would say is the judges are there to kind of really help contextualize
and also just dig in a little bit deeper so that people can understand what they can't cover in
three minutes. It's such a short window to give these guys to stand up there on the stage.
And it's fun. In the end, it's just fun. Yeah, it absolutely is. I concur. It is, as I said at the outset,
it is a highlight of the event.
There's a real palpable energy in the room there.
And it's fun.
It's also educational
and kind of a window of what's yet to come.
Cecilia Marinier is Director of Innovation and Programs
with RSA Conference.
And Niloo Razi Howe is Operating Partner with Capital Meridian
Partners and a judge of this year's Innovation Sandbox. Ladies, thank you so much for joining us.
Our thanks to Cecilia Marinier from RSA Conference and Niloo Razi Howe from Energy Impact
Partners for joining us. If you are headed to RSAC this year, be sure to check out the Innovation
Sandbox.
It's worth your time.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe
and compliant.
And finally, in an unexpected turn of events within the darker corners of the Internet,
individuals seeking child exploitation material are finding themselves the targets of a malware campaign that exploits their illicit activities for ransom.
Traditionally, sextortion malware posed as government warnings to extort money
from users under the guise of illegal CSAM possession. However, a recent discovery by
cybersecurity researchers reveals a more targeted approach. A malware known as CryptVPN has emerged,
specifically preying on those attempting to access such material through a decoy website
masquerading as Usenet Club, a platform purportedly offering uncensored content for a fee.
Intrigued by the promise of free access via a downloadable VPN software, victims find themselves
in a trap. Upon installation, the malware changes the desktop wallpaper to
an extortion message and drops a ransom note demanding $500 in Bitcoin within 10 days,
under the threat of exposing the victim's activities. The perpetrator behind CryptVPN
cleverly named the software PedoRansom, signaling a clear intent to target individuals seeking CSAM.
Despite the sophisticated setup, the Bitcoin wallet linked to the campaign has seen minimal
financial success, suggesting a potential decline in the efficacy of sextortion as a lucrative
method for cybercriminals. This shift in tactics reflects a disturbing but intriguing change in the landscape
of online exploitation and cybercrime, where even those engaged in unlawful behavior are not immune
to becoming victims themselves. If there was an award for most unlikely to elicit sympathy,
targets of this malware targeting child exploiters would win.
Hands down.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people.
We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester with original music by Elliot Peltzman.
Our executive producers are Jennifer Iben and Brandon Karp.
Our executive editor is Peter Kilby and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. ...AI agents connect, prepare, and automate your data workflows, helping you gain insights,
receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.