CyberWire Daily - The great firewall breached: China's covert cyber assault on America exposed.

Episode Date: March 26, 2024

An alleged sinister hacking plot by China. CISA and the FBI issued a 'secure-by-design' alert. Ransomware hits municipalities in Florida and Texas. The EU sets regulations to safeguard the upcoming European Parliament elections. ReversingLabs describe a suspicious NuGet package. Senator Bill Cassidy questions a costly breach at HHS. A data center landlord sues over requests to reveal its customers. On our Industry Voices segment, Jason Kikta, CISO & Senior Vice President of Product at Automox, discusses ways to increase IT efficiency while avoiding tool overload & complexity. And Google's AI throws users a malicious bone.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

On our Industry Voices segment, Jason Kikta, CISO & Senior Vice President of Product at Automox, discusses ways to increase IT efficiency, including automation & tool streamlining, IT automation/automated patching, and tool overload & complexity. You can learn more in Automox's 2024 State of IT Operations Research Report.

Selected Reading

Millions of Americans caught up in Chinese hacking plot (BBC)
US Government Urges Software Makers to Eliminate SQL Injection Vulnerabilities (SecurityWeek)
CISA adds FortiClient EMS, Ivanti EPM CSA, Nice Linear eMerge E3-Series bugs to its Known Exploited Vulnerabilities catalog (Security Affairs)
St. Cloud most recent in string of Florida cities hit with ransomware (The Record)
Hackers demand $700K in ransomware attack on Tarrant Appraisal District (MSN)
The impact of compromised backups on ransomware outcomes (Sophos News)
EU sets rules for Big Tech to tackle interference in European Parliament elections (The Record)
Suspicious NuGet package grabs data from industrial systems (ReversingLabs)
Senator demands answers from HHS about $7.5 million cyber theft in 2023 (The Record)
Data center landlord refuses Fairfax County demand for tenant information (Washington Business Journal)
Google's AI-powered search feature recommends malicious sites, including scams and malware (TechSpot)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. An alleged sinister hacking plot by China. CISA and the FBI issue a secure-by-design alert. Ransomware hits municipalities in Florida and Texas. The EU sets regulations to safeguard the upcoming European Parliament elections.
Starting point is 00:02:20 ReversingLabs describe a suspicious NuGet package. Senator Bill Cassidy questions a costly breach at HHS. A data center landlord sues over requests to reveal its customers. On our Industry Voices segment, Jason Kikta, CISO and Senior Vice President of Product at Automox, discusses ways to increase IT efficiency while avoiding tool overload and complexity. And Google's AI throws users a malicious bone. It's Tuesday, March 26, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Starting point is 00:03:18 The Justice Department and FBI revealed what they've labeled a sinister hacking plot by China, charging seven Chinese nationals for a cyber attack campaign spanning 14 years, targeting U.S. officials, critics of China, businesses, and politicians globally. Accused of sending over 10,000 malicious emails affecting thousands, this operation, backed by China's government, aimed at undermining U.S. cybersecurity and appropriating American innovations. The U.S. State Department is offering a $10 million reward for information on the accused, emphasizing the U.S.'s determination to combat cyber espionage. This follows similar accusations from the UK and New Zealand against China
Starting point is 00:04:07 for targeting electoral systems and parliament. China, denying the allegations, criticized them as baseless and slanderous. The hacking involves sophisticated methods, including compromising emails and electronic devices to acquire sensitive information from government officials, foreign dissidents, and industries crucial to U.S. defense and technology. CISA and the FBI issued a Secure by Design alert urging organizations to check for and eliminate
Starting point is 00:04:39 SQL injection vulnerabilities in their software. Despite being well-documented with known mitigations, SQLi remains a common security flaw, risking customer data, as seen in the cyber attack on Progress Software's MOVEit Transfer. Authorities advise technology manufacturers to review their code for SQLi vulnerabilities and start immediate mitigations to remove such defects from all software products.
Starting point is 00:05:09 A secure-by-design approach, starting from the design phase through the development and updates, can prevent SQLI by separating SQL code from user-supplied data using parameterized queries. This strategy reduces cybersecurity burdens on customers and minimizes public risk, promoting proactive security practices over reactive measures. Meanwhile, CISA has updated its known exploited vulnerabilities catalog
Starting point is 00:05:37 to include critical vulnerabilities affecting Fortinet FortiClient EMS, Ivanti EPM CSA, and Nice Linear eMerge E3-Series, drawing particular attention to a significant SQL injection flaw in Fortinet software that permits unauthorized code execution through specially crafted requests.
Starting point is 00:06:00 This issue, actively exploited in the wild, was highlighted after security researchers released a proof-of-concept exploit. The exploit demonstrates potential for remote code execution utilizing SQL Server functionalities. Fortinet, having initially reported no known wild exploitation, updated their advisory to confirm the active exploitation. CISA has set a compliance deadline of April 15th for federal agencies to remediate these vulnerabilities and recommends private organizations do the same to protect their networks. St. Cloud, Florida has become the latest city to report a cyber attack
Starting point is 00:06:42 joining Pensacola and Jacksonville Beach in facing similar incidents. The ransomware attack disrupted various city services, forcing some to operate in cash-only modes, though essential services like police, fire rescue, and trash collection continue as normal. The attack did not affect the Osceola County Tax Collector's Office or external utilities. With no group claiming responsibility and state officials yet to comment, the attack reflects the growing trend of ransomware incidents targeting state and local governments. In 2023, 256 attacks were reported, up from 196 the previous year. Florida, having experienced numerous attacks across different sectors,
Starting point is 00:07:29 has a law prohibiting government entities from paying ransom demands and mandates rapid incident reporting. The Tarrant County Appraisal District in Texas is dealing with a ransomware attack, with hackers demanding $700,000. Following the March 21st attack, the district held an emergency meeting to address the ransom demand and explore data recovery options. The suspected group behind this is Medusa. The district is considering the impact on personal taxpayer information and has initiated steps to bolster security, including purchasing Office 365 and SentinelOne software and hiring a cyber
Starting point is 00:08:13 consultant. Residents express their concerns about the district's preparedness and transparency. The district has yet to decide on paying the ransom. Staying with ransomware, a Sophos-commissioned survey of nearly 3,000 IT professionals reveals significant insights on ransomware attacks, particularly the compromise of backups. In attacks where backups were compromised, organizations were nearly twice as likely to pay the ransom, facing recovery costs eight times higher than those with intact backups. 94% of affected organizations reported attempts to compromise their backups, with a success rate of 57% across industries. The energy and education sectors experienced the highest rates of successful backup compromise, while IT and retail were more resilient. Compromised backups led to higher encryption rates,
Starting point is 00:09:11 doubled ransom demands, and nearly doubled the rate of ransom payments compared to unaffected backups. The European Commission has introduced new regulations under the Digital Services Act for major tech platforms, targeting those with over 45 million users in the EU to safeguard the upcoming European Parliament elections in June against misinformation and interference. These rules mandate the setup of internal teams to monitor interference risks and require a publicly accessible repository of political ads for enhanced transparency. The initiative responds to concerns over potential Russian meddling and the rise of far-right nationalism. Platforms are also urged to promote official electoral information and adapt their systems to counteract content that compromises electoral integrity,
Starting point is 00:10:05 including the use of generative AI to create fake content. Violations could result in fines up to 6% of a company's global turnover. Researchers at ReversingLabs discovered a suspicious NuGet package, SqzrFramework480, potentially aimed at developers using technology from the China-based Bozhon Precision Industry Technology Co., Ltd. The package, flagged for behaviors associated with malicious files, raised concerns about a possible malicious software supply chain campaign targeting industrial espionage.
Starting point is 00:10:43 The SqzrFramework480.dll, responsible for various functions including GUI management and robot movement settings, exhibited alarming behaviors like screenshot taking, ping packet sending, and data transmission over open sockets. Despite the lack of definitive evidence linking the package to a broader espionage group, its potential for data exfiltration and continuous operation hints at malicious intent. The discovery underscores the growing risk of supply chain threats in open source repositories, urging developers to exercise caution and apply rigorous scrutiny to third-party code. Senator Bill Cassidy is questioning a breach at the Department of Health and Human Services
Starting point is 00:11:31 where $7.5 million was fraudulently stolen through a grant payment platform between March and November of 2023. Hackers compromised email accounts of about five grantees, redirecting funds to their own bank accounts. Cassidy's concern emphasizes the impact on at-risk populations in healthcare facilities, accusing HHS of failing to notify Congress, thereby undermining public trust and highlighting government unpreparedness against cyber threats. HHS, however, describes the incident as a targeted fraud campaign, not a cyber attack, and claims to have been in contact with Congress, assuring efforts to fully compensate affected grantees. The issue raises broader concerns about cybersecurity and healthcare, evidenced by recent legislation
Starting point is 00:12:25 and inquiries following a ransomware attack on UnitedHealth Group. Our Mind Your Own Business desk reports that CoreSite LLC, a Denver-based data center company, has sued Fairfax County, Virginia, for overstepping its authority by demanding tenant information for tax assessment purposes. The suit, filed on March 8th in Fairfax County Circuit Court, challenges the county's requests for tenant contact details from CoreSite's four data centers and one office in Reston, Virginia, where it serves approximately 300 customers. CoreSite argues such demands are arbitrary and exceed legal boundaries, asserting that tax disputes should be directly between the
Starting point is 00:13:13 county and the tenants, not involving the landlord. The company seeks judicial relief from compliance and protection against penalties while the case is ongoing. The county's stance, supported by Virginia law, aims at assessing tax liabilities based on the valuable computer equipment housed in data centers. But CoreSite contends disclosing tenant information could breach customer confidentiality and impose undue burdens. Coming up after the break, on our Industry Voices segment, Jason Kikta, CISO and Senior Vice President of Product at Automox, discusses ways to increase IT efficiency while avoiding tool overload and complexity.
Starting point is 00:14:03 Stay with us. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
Starting point is 00:15:09 That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached.
Starting point is 00:15:53 Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. In today's sponsored Industry Voices segment, my conversation with Jason Kikta, CISO and Senior Vice President of Product at Automox. We're discussing ways to increase IT efficiency all while avoiding tool overload and complexity. So I think we've reached a bit of an inflection point in the industry because, you know, I, you know, I started in IT back in the 90s when the buzzword was adoption, right? And everyone was focused on adoption and, you know, moving people, literally moving people off of typewriters and other, you know, extremely manual systems, non-networked computers into things that were networked and then eventually on the internet. And so, you know, that was a big push. And then,
Starting point is 00:16:58 you know, the industry kind of shifted once we hit the 2000s into things like reducing the amount of touch labor, where you would literally walk around and do things on a system that we wanted to have virtual touch labor instead, because it was much faster if you didn't have to walk between offices. And coupled with that, we saw this big push for IT efficiency, right? We needed to deliver those IT services, but we needed to balance it with cost savings, you know, and that was efficiency
Starting point is 00:17:31 because, you know, IT had simply grown too much as a cost center for what the industry was willing to bear. And now we've entered this new phase in the last several years where there's this big focus on automation. And I think that's just, in some respects, it's just the latest phase of IT efficiency. But in other respects, it's a bit of a paradigm shift.
Starting point is 00:17:58 And we see it in everything from simple scripting to the adoption of AI, of thinking about that optimization and how do we have computers do the things that they are really good at, things at scale, repetition, precision, and have humans do what we are best at, which is experience, intuition, judgment. And finding that right balance is a challenge for a lot of teams. And I think that's where a lot of current thought and focus is being placed. Can you share some insights as to kind of the contrast between the aspirational promise of automation versus the reality of what a team faces when they go to implement it.
Starting point is 00:18:47 When people think about automation, what so many of us picture in our heads initially is just the challenge of getting it automated. How am I going to automate this? How do I account for those edge cases? How do I make sure that it's reliable? And, you know, much like a doctor, the first rule is do no harm. And it is something that you have to deal with and overcome. But where you really hit the pinnacle of skill with automation is, and I like to liken this to a security concept because I'm also a security person and my mind goes there.
Starting point is 00:19:38 You know, in security, there's a lot of focus on IOCs. And so everyone wants to think that detection is about having the most IOCs and focus on IOCs. And so everyone wants to think that detection is about having the most IOCs and the best IOCs and if I just have just a few more IOCs and a thing that detects it at the right spot that's how I'll really find that badness. And anyone who's ever been a detection engineer or even done incident response
Starting point is 00:20:04 will tell you that's not where the real skill set is. The real skill set is in tuning it. And it's much the same way in automation. It's not so much getting the initial automations set up. That can be a little daunting, but there are so many good tools out there today to make it simple and so many playbooks, pre-built things. We have our own catalog that we've spent years building that make it straightforward. But then the real skill is in tuning and adjusting. How do you optimize? And optimizing is, I think, where a lot of people can struggle because they don't know what metrics to look at to base that optimization on. What are you trying to adjust?
Starting point is 00:20:55 And also, businesses change over time. Organizational demands change over time. And so something that may have worked for you six months, a year ago, three years ago, might not be effective today. And so you have to be able to, you know, identify those changing needs and be able to shift your automation to match it. How do you recommend that folks build in that kind of feedback loop so that they can check in regularly to make sure that what is being delivered to them is appropriate? I like to do basically a three-part strategy to accomplish this. I think the first one is just like you're automating IT tasks,
Starting point is 00:21:41 you should automate some of your reporting around that. Have some automation to gather the necessary data points, display them for you, automated reports, work with your security team because a lot of times they also have the tooling that you want to be able to correlate events and that sort of thing. So that there are things even outside of your IT tools that you can use to really enhance your automated reporting. The second part is, you know, the sort of spot checking, right? You know, we used to have an old saying back in the old days when I was still on active duty in the Marine Corps,
Starting point is 00:22:20 we had this saying called, expect what you inspect. And so if you're not inspecting it from time to time, then you shouldn't expect it to be working or be in the state that you want it to be. And so some periodic spot checking and going around and looking and doing some of that human-based correlation is also necessary on top of whatever you may have automated. And then the third piece is that walk-around aspect of get out and talk to folks in your company. Even if you're fully remote, get out virtually. Go take a stroll around some Slack channels
Starting point is 00:22:57 or set up some meetings with people that you don't normally encounter and ask them how it's working for them. What is their quality of service like? Are they having a good user experience? Does the machine perform the way that they expect it to? Do, you know, are trouble tickets getting answered in a timely fashion? There is no substitute for that sort of, you know, human interaction,
Starting point is 00:23:20 because even the challenge being that you might perceive through your automated means, the first two that I discussed, you know, that sort of automated collection, that something is working very well, but the user may perceive it in an entirely different way. And they're the ones who really matter because they're the ones who have their job to do and their own productivity to provide to the business. And so you need to get them in your feedback loop as well to make sure that you're really hitting the mark. We've seen a lot of reporting and also just anecdotally that there's a lot of what I would categorize as overload. You know, people, they're trying to use these tools. There's so many tools that they feel overloaded with information. They're struggling and grappling with the complexity of these tools. Is this an area where smartly applied that automation can help lift a little of that burden as well?
Starting point is 00:24:20 Absolutely. And I think there also needs to be consideration of, you need to think about your tech stack holistically. I have a lot of things in my tech stack. Pretty much all of them have some ability to automate things. And if the automation is self-contained within that application or that bit of technology, okay, fine, I'll use that. But if it's going to be cross-technologies, if it's doing a little bit more of that
Starting point is 00:24:51 synchronization, that orchestration bit across multiple things, then I want to think very carefully about what product is best suited to do that, and where am I going to place it, and is that a stable part of my tech stack? And so I have a lot of automation in my network and we build a lot of it around Automox, around Rapid7, around Okta. Those things in our network that are going to be there a long time that already have the necessity and the ability to touch a lot of systems and are designed to interoperate with other things. And they're sort of the natural place
Starting point is 00:25:34 to land those automations. So thinking through where you want that automation to live is almost as important as building the automation itself. Our thanks to Jason Kikta from Automox for joining us. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your
Starting point is 00:26:26 organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. With TD Direct Investing, new and existing clients could get 1% cash back. Great! That's 1% closer to being part of the 1%! Maybe, but definitely 100% closer to getting 1% cash back with TD Direct Investing. Conditions apply. Offer ends January 31st, 2025. Visit td.com slash dioffer to learn more. And finally, Google's recently launched Search Generative Experience, or SGE, feature,
Starting point is 00:27:26 designed to provide users with text summaries and site recommendations for complex queries, has come under scrutiny for inadvertently recommending malicious websites. SEO consultant Lily Ray highlighted instances where she was searching for pit bull puppies on Craigslist, but SGE suggested sites involved in scams, malware, and fake giveaways. These dubious sites, often sharing the same .online domain and HTML templates, appear to be part of an SEO poisoning campaign. Users clicking on these links were led through redirects to scam sites,
Starting point is 00:28:03 encountering fake captchas, spam ads, and affiliate scams. Google has since removed the questionable SGE results and emphasizes its ongoing efforts to refine its systems and algorithms to combat spam. This incident follows another recent controversy where Google paused its Gemini AI image generation feature due to concerns over producing historically inaccurate and offensive images. Seems Google's AI was like, forget the pit bull puppy, here's a Trojan horse instead. Yes, those results were positively unforgivable. And that's The Cyber Wire.
Starting point is 00:28:55 For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music by Elliot Peltzman. Our executive producers Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Starting point is 00:30:18 Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
