CyberWire Daily - Seeking dismissal of SEC allegations.
Episode Date: January 29, 2024

SolarWinds seeks dismissal of SEC allegations. Urgent calls to implement fixes for Jenkins open-source software automation tools. A New Jersey township closes schools and offices after a cyberattack. ...The Centre for Cybersecurity Belgium warns of a critical vulnerability in GitLab. The FBI arrests a notorious swatter. HHS releases cybersecurity performance goals. The feds remind organizations to preserve online messaging. Mercedes-Benz exposes data after an authentication token was left unsecured. A dark web drug dealer pleads guilty. Our guest is Caleb Barlow from Cyberbit, discussing hacker celebrities and why yours truly did not make the list. And threats of airport terrorism on public WiFi is no joking matter.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Podcast partner Caleb Barlow, CEO of Cyberbit, discusses hacker celebrities and why our own Dave Bittner did not make the list.

Selected Reading
SolarWinds Seeks Dismissal of ‘Unfounded’ SEC Cybersecurity Suit (Bloomberg Law)
Fix Available for Critical Jenkins Flaw That Leads to RCE Attacks (Security Boulevard)
Freehold Township district: All schools and offices closed Monday due to cybersecurity incident (News12 New Jersey)
WARNING: CRITICAL ARBITRARY FILE WRITE VULNERABILITY IN GITLAB CE/EE, PATCH IMMEDIATELY! (Centre for Cybersecurity Belgium)
Police Arrest Teen Said to Be Linked to Hundreds of Swatting Attacks (WIRED)
HHS debuts voluntary cybersecurity performance goals to enhance healthcare sector resilience (Industrial Cyber)
Don’t Delete Slack or Signal Chats, US Agencies Warn Companies (Bloomberg Law)
How a mistakenly published password exposed Mercedes-Benz source code (TechCrunch)
Dark Web Drugs Vendor Forfeits $150m After Guilty Plea (Infosecurity Magazine)
‘On My Way to Blow Up the Plane’: Teen Faces Huge Fine After Joke Leads to Fighter Jets Scrambling (Gizmodo)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
SolarWinds seeks dismissal of SEC allegations.
Urgent calls to implement fixes for Jenkins' open-source software automation tools.
A New Jersey township closes schools and offices after a cyber attack.
The Center for Cybersecurity Belgium warns of a critical vulnerability in GitLab.
The FBI arrests a notorious swatter.
HHS releases cybersecurity performance goals.
The feds remind organizations to preserve online messaging,
Mercedes-Benz exposes data after an authentication token was left unsecured,
a dark web drug dealer pleads guilty,
our guest is Caleb Barlow from Cyberbit,
discussing hacker celebrities and why yours truly did not make the list,
and threats of airport terrorism on public Wi-Fi is no joking matter.
It's Monday, January 29th, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing.
A good Monday to you. It is great to have you with us here today.
SolarWinds Corporation has strongly denied any wrongdoing in handling a major cyber attack
and is seeking to dismiss allegations by the U.S. Securities and Exchange Commission
that it defrauded investors and violated controls.
In a court filing, SolarWinds argued it had adequately disclosed cybersecurity risks
prior to the Russian state
hack of its Orion platform and had properly informed investors about the breach's potential
impact. This response challenges the SEC's unprecedented enforcement action, which alleges
security fraud and control violations. The company, along with its chief information security officer, Tim Brown, contends that the SEC is overreaching by demanding more detailed disclosures about cybersecurity programs, which they argue would be impractical and dangerous.
SolarWinds asserts it provided sufficient warning to investors about the possibility of a nation-state cyber attack before the Sunburst attack occurred.
The SEC's complaint criticized SolarWinds
for vague risk disclosures
and failure to reveal specific cybersecurity weaknesses.
SolarWinds maintains that these were granular concerns
not required to be disclosed to investors.
The company also disputes the SEC's claim
of failing to disclose the initial impact
of the Orion vulnerability,
arguing it was entitled to conduct a thorough investigation
before drawing conclusions.
Furthermore, SolarWinds argues the SEC
wrongly conflated financial accounting controls
with cybersecurity controls.
They state if Congress intended the SEC to oversee
public companies' cybersecurity, it would have been explicitly mentioned in legislation.
Tim Brown, facing charges for his role in the alleged violations, argues that the statements
he signed were not intended for investors and that he did not knowingly violate disclosure or internal accounting
controls. The motion to dismiss describes his inclusion in the lawsuit as unwarranted and
inexplicable. The case awaits a decision from Judge Paul A. Engelmayer. Two significant security
vulnerabilities in Jenkins, a widely used open-source software automation tool,
have prompted urgent calls for organizations to implement fixes.
Discovered by SonarSource, a code quality and security firm,
these flaws could enable unauthenticated attackers to execute remote code and compromise the software.
The first vulnerability allows certain unauthenticated attackers
to read parts of a file,
while the second permits even those with read-only permissions
to access entire files.
More alarmingly, some attackers could potentially read binary files
containing cryptographic keys integral to Jenkins' features,
paving the way for a range of remote code execution attacks.
These vulnerabilities were reported to Jenkins' maintainers by SonarSource in November of 2023,
who also collaborated with them to confirm the effectiveness of the subsequent fix.
The Jenkins team released an advisory last week detailing these security issues.
The Freehold Township School District in New Jersey
announced the closure of all its schools and offices on Monday due to a cybersecurity incident.
The district informed families and staff about the situation through emails and voicemails
citing technical issues stemming from the incident. School officials are collaborating
with external IT experts to address and resolve the issue.
The specific cause of the cybersecurity incident
has not been immediately identified.
The Center for Cybersecurity Belgium warns
that a critical vulnerability has been discovered in GitLab CE/EE,
posing a significant security risk.
This arbitrary write vulnerability allows an
authenticated user to write files to arbitrary locations on the GitLab server during workspace
creation. Malicious attackers could exploit this flaw to upload web shells or other malware,
potentially compromising the GitLab server. Such a breach could lead to the exfiltration of sensitive data
and further network infiltration, endangering the entire organization.
To address this vulnerability, the Center for Cybersecurity Belgium strongly advises immediate
action, including patching vulnerable devices to versions that have dealt with the issue,
temporarily disabling user sign-up to reduce the potential attack
surface, and implementing a Zero Trust Network, or VPN, for all GitLab instances to provide a
robust defense-in-depth strategy. The FBI has reportedly arrested a 17-year-old from California,
believed to be the prolific swatter known as Tor Swats. The teenager faces extradition
to Seminole County, Florida, where he is charged with four felonies related to high-profile swatting
incidents, including attacks on a mosque and a courthouse. He will be prosecuted as an adult
under Florida law. Swatting, which involves making fake emergency calls
to provoke a heavy police response,
has surged nationwide.
Tor Swats is accused of making numerous false reports,
causing significant disruptions and financial losses.
Private investigator Brad Dennis,
who assisted the FBI in the case,
played a key role in identifying Tor Swats
by capturing the suspect's IP address.
The investigation revealed Tor Swats methods, which included using commercial VPNs and Google Voice for swatting schools and public facilities.
U.S. Senator Rick Scott has proposed legislation to increase penalties for swatting, reflecting the growing seriousness with which these crimes are
viewed. It's unclear whether the Tor Swats online persona was run by a single person,
and there are indications that multiple people may have been involved.
The U.S. Department of Health and Human Services has released Voluntary Cybersecurity Performance
Goals, CPGs, for the healthcare sector aiming to enhance
cybersecurity measures. These CPGs, structured for healthcare organizations, focus on strengthening
cyber preparedness, enhancing resiliency, and protecting patient information. Developed from
CISA's CPGs and informed by common cybersecurity frameworks,
they address attack vectors identified in the 2023 Hospital Cyber Resiliency Landscape Analysis.
The CPGs feature essential goals to mitigate vulnerabilities and improve response to cyber
attacks and enhanced goals to further advance cybersecurity capabilities.
They emphasize email security, multi-factor authentication,
cybersecurity training, strong encryption,
and prompt revocation of credentials for departing workforce members.
Incident planning, unique credentials, vendor cybersecurity,
and network segmentation are also highlighted.
Federal antitrust enforcers have issued a warning that companies under investigation
must preserve and submit instant messaging records,
including those from platforms like Slack, WhatsApp, and Signal.
The Justice Department and Federal Trade Commission are modifying their communication to companies
to clarify this requirement.
Failure to comply could result in fines or criminal charges for document destruction.
This announcement follows concerns about the deletion of chats in recent antitrust cases.
The Justice Department is seeking sanctions against Google for not preserving internal
communications, while the FTC has alleged that Amazon employees, including Jeff Bezos,
used Signal to conceal communications during an antitrust investigation. Amazon denies these
claims, stating it has collected and allowed inspection of Signal conversations by the FTC.
Mercedes-Benz inadvertently exposed its internal data, including source code, due to an employee's authentication token being left in a public GitHub repository.
Shubham Mittal of RedHunt Labs, who discovered this breach during a routine internet scan, reported that the token provided unrestricted access to Mercedes' GitHub Enterprise server.
This lapse allowed anyone to download the company's private source code repositories containing intellectual property, cloud access keys, design documents, passwords, and other critical information.
Evidence showed that the repositories included Microsoft Azure and Amazon Web Services keys,
a Postgres database, and Mercedes source code.
It's unclear if any customer data was compromised.
TechCrunch, after being alerted by Mittal,
informed Mercedes of the security issue.
The company confirmed the accidental publication
of internal source code due to human error
and took immediate action to revoke the API
token and remove the public repository. Banmeet Singh, a 40-year-old dark web drug vendor from
India, pleaded guilty to trafficking controlled substances like fentanyl, LSD, and ecstasy.
His arrest led to the largest single seizure by the U.S. Drug Enforcement
Administration, amounting to $150 million. Operating since at least mid-2012, Singh managed
distribution centers across the U.S. and shipped drugs internationally. He laundered millions in
cryptocurrency and was designated a priority target by the U.S. Attorney General in 2018.
Arrested in April 2019, Singh faced extradition delays until 2023. He has now pleaded guilty to
conspiracy charges related to drug trafficking and money laundering and will serve an additional
eight years in prison.
Coming up after the break,
Caleb Barlow from Cyberbit discusses hacker celebrities
and why I didn't make the list.
Stay with us. Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI. Now that's a new way
to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000
off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
Thank you. about some of the phishing emails that we see. And it strikes me that we're seeing a lot of celebrities are being used in these phishing emails.
I know this is something you've looked into recently.
What have you found?
Well, as you can imagine,
anytime there's a big news event in the world,
phishing emails garner around that.
But there's this great,
and it's actually really kind of fun report
just to throw out an attaboy to McAfee Labs.
You know, they produce,
and they've been doing this for years,
this really cool survey of, you know,
what are the celebrities that kind of make the top list
of most likely to be used for phishing emails?
And of course, you know, more recently,
it's kind of what you'd expect.
You know, you'd always got like the Tom Hanks in there and the J-Los and things like that.
But this year, you saw a movement towards the stars in Barbie, such as Ryan Gosling.
Well, Dave, you weren't on the list this year, I'm sorry to say.
Have I ever? I don't think I've ever.
Thankfully, I don't think I've ever been on the list.
Okay, well, we won't talk about that.
No, no.
Okay, so like Kevin Costner's there.
I kind of get that with, you know, the Yellowstone series.
Okay.
What's up with number seven, Al Roker?
Okay, like I like Al Roker, the weather guy from the Today Show.
But seriously, this is who you're using for fish bait?
Is Al Roker the weather guy?
Yeah.
You know what? I wonder with this,
and again, this is something Joe and I were talking about just recently, that I wonder if you Google a list of most trusted celebrities. To me, that's where an Al Roker lands. The person who,
while you're brushing your teeth in the morning and he's telling you
what the weather's going to be and he's been telling you for the past 20 years.
So you don't even think twice about trusting good old Al Roker.
Well, then how does Bad Bunny make it at number nine?
I have no idea.
Because that's definitely not using the same calculus, right?
Until a couple of weeks ago when he hosted Saturday Night Live,
I had no idea who he was.
So that would not work on me.
But, you know, I think the Elon Musks of the world,
they used to be Bill Gates all the time, right?
Is he on the list anymore?
Not in the top 10.
Okay.
You know, but Elon's still in there, you know.
And interestingly enough, you know,
Elon's been a subject of a lot of deepfake content, right? Right. But I think there's a couple of
things that we can underscore with this. First of all, as kind of silly as this report is, I mean,
again, shout out to McAfee, I think this is a great thing to use for security education, right?
Because a lot more fun than, oh, can you please have your password be 14
characters long and here's why. It at least starts to show what people are clicking on. Frankly, in
some cases, it even gives you the ability to search on things. I mean, if you're a financial firm and
you start seeing people doing searches on Bad Bunny, you probably got something else going on,
right? Right, right. early process here. We've got various candidates and all kinds of interesting stories that may
surround around them. It demonstrates both the crazy stuff we're going to click on, but also a
little bit of how we can get various types of misinformation spread on candidates. It just
goes to show you how easy it is to get people to click on a lot of this stuff if it's somebody
they want to hear more about. Yeah. I really like your
point about using this for security awareness training. Now, I can imagine an organization,
you know, in the corporate slack saying, hey, everybody, you know, don't look it up,
but what do you guess are the top 10 celebrities used in phishing emails?
That's the kind of thing people would jump in on and have fun collaborating on.
Well, not only that, but just like we were
talking about here, you kind of get into the, why on earth did you choose this person?
Right. But here's the other thing that I think is very interesting about this, right? Is remember,
in most of the places where these phishing emails are getting written, English is not the native
language. And I think historically, we would see these phishing emails
written around people that you really knew about, like whoever the president of the United States
was, people like Bill Gates and Elon Musk and things like that. You would also see soccer stars
listed often because soccer is a little more international, if you will, than let's say NFL
football players. But the other thing I really wonder about is how much
is AI helping these fraudsters really shape both the email they send as well as what celebrities
they target by using those tools to do exactly that? Who's the most trusted? Who's the most
clicked on? I mean, you can see all of that now coming out of these social media networks,
and it becomes really powerful to build these tools. Yeah, absolutely. All right, fun stuff. Caleb Barlow,
thank you so much for joining us.
Thank you. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company
safe and compliant. And finally, we've all seen the signs while waiting our turn at airport security
that say something along the lines of,
No jokes. All security threats are taken seriously.
Here's a reminder that even a private joke might not be so private
and could land you in hot water.
18-year-old Aditya Verma was making his way through the UK's Gatwick Airport,
preparing to board his flight to Spain.
He jokingly messaged a friend on Snapchat about being a Taliban member
and planning to blow up his plane to Spain.
However, he was using the airport's public Wi-Fi, and his message was intercepted by British security,
leading to his arrest upon landing in Spain and two days in jail.
Just in case, Spanish authorities scrambled F-18 jets to escort the plane.
After his release, Verma faced interrogation by British intelligence agencies,
but was not deemed a national security threat.
However, he's charged with causing public disorder in Spain
and now faces a potential fine of up to $120,000,
partially to cover the cost of scrambling the fighter jets.
His lawyer defended the private nature of the joke.
It's never a good idea to make jokes about terrorism,
and evidently even less so when using public Wi-Fi.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast,
where I contribute to a regular segment on Jason and Brian's show every week.
You can find Grumpy Old Geeks
where all the fine podcasts are listed.
We'd love to know what you think of this
podcast. You can email us at cyberwire at n2k.com. We're privileged that N2K and podcasts like the
Cyber Wire are part of the daily intelligence routine of many of the most influential leaders
and operators in the public and private sector, as well as the critical security teams supporting
the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people.
We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester with original music by Elliot Peltzman.
Our executive producers are Jennifer Ivan and Brandon Karp.
Our executive editor is Peter Kilby and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.