CyberWire Daily - Unveiling the Shadow Strike: A zero-day assault on Ivanti VPN users.
Episode Date: January 11, 2024
A zero-day hits Ivanti VPN customers. CISA highlights an active MS SharePoint Server flaw. Cisco patches a critical vulnerability. Atomic Stealer gets updates. Sensitive school emergency planning documents are exposed online. The FCC reports on risky communications equipment. The White House will introduce new cybersecurity requirements for hospitals. Mandiant explains their X-Twitter hack. Our guest is Palo Alto Networks' Unit 42's David Moulton, host of the new Threat Vector podcast. And we are shocked - shocked! - to learn that an online sex for money scheme is a scam.
Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
Guest David Moulton from Palo Alto Networks joins us to talk about Threat Vector. It's Unit 42's segment turned podcast on the N2K media network.
Selected Reading
Ivanti customers urged to patch vulnerabilities allegedly exploited by Chinese state hackers (The Record)
CISA Urges Patching of Exploited SharePoint Server Vulnerability (SecurityWeek)
Critical Cisco Unity Connection flaw gives attackers root privileges. Patch now! (CVE-2024-20272) (Help Net Security)
Atomic Stealer Gets an Upgrade - Targeting Mac Users with Encrypted Payload (The Hacker News)
FCC's Reimbursement Program shows progress in removing national security risks from communication networks (Industrial Cyber)
After Barrage of Hacks, Hospitals Will Face New Federal Cybersecurity Rules Tied to Funding (The Messenger)
US School Shooter Emergency Plans Exposed in a Highly Sensitive Database Leak (WIRED)
Mandiant's X Account Was Hacked in Brute-Force Password Attack (Infosecurity Magazine)
Believing they would be paid a fortune for having sex with women, hundreds of Indian men scammed out of cash (Graham Cluley)
Threat Vector Links
To get more information on Medusa ransomware, listen to this episode of Threat Vector.
Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.
Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
A zero-day hits Ivanti VPN customers.
CISA highlights an active MS SharePoint server flaw.
Cisco patches a critical vulnerability.
Atomic Stealer gets updates.
Sensitive school emergency planning documents are exposed online.
The FCC reports on risky communications equipment.
The White House will introduce new cybersecurity requirements for hospitals.
Mandiant explains their X-Twitter hack.
Our guest is Palo Alto Networks' Unit 42's David Moulton,
host of the new Threat Vector podcast.
And we are shocked, shocked,
to learn that an online sex-for-money scheme is a scam.
It's Thursday, January 11, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thank you all for joining us. It is great to have you here.
We begin today with word that the Cybersecurity and Infrastructure Security Agency has issued a warning to users of Ivanti's IT products,
specifically the Connect Secure VPN tool, to patch two actively exploited
vulnerabilities. Ivanti reported that at least 10 of its customers were affected by these security
flaws. The first vulnerability allows a hacker to bypass control checks and access restricted
resources, while the second enables attackers to send commands to a device. The vulnerabilities are being exploited together.
Cybersecurity firms Volexity and Mandiant played key roles in identifying the issues.
Volexity's investigation into suspicious network activity
led to the discovery of these exploits being used for data theft, file alteration, and more. They attribute the attacks
to a potential Chinese nation-state threat actor,
UTA-0178.
This is not the first instance
of Chinese hackers targeting Ivanti's products,
as similar incidents were reported in April 2021
involving breaches of U.S. government
and private sector systems.
Ivanti is still working on a patch,
urging customers to apply available mitigations
and monitor their networks for suspicious activity.
They also noted that their internal integrity checker
might not detect all threat actor activities.
Indicators of compromise will be shared with affected customers,
and patches will be released in a staggered schedule from late January to mid-February.
Cybersecurity experts emphasize the widespread use of Ivanti's Connect Secure in enterprises and government,
highlighting the need for swift action and possible compromise assessments.
Over 15,000 instances of the tool have been found exposed online.
CISA also warns of active exploitation of a critical vulnerability in Microsoft SharePoint
server, identified as CVE-2023-29357, with a CVSS score of 9.8. The flaw, patched in June 2023, is an elevation of privilege issue, allowing unauthenticated attackers to gain administrator privileges by sending a spoofed JSON web token.
The vulnerability enables attackers to bypass authentication.
In September of '23, a technical write-up and proof-of-concept code were published, showing its use in a remote code execution exploit on SharePoint.
Federal agencies now have 21 days to patch affected SharePoint instances.
CISA also advises all organizations to promptly apply patches or discontinue vulnerable products if patches are not available.
Cisco has addressed a critical vulnerability in its
Cisco Unity Connection software, a unified messaging and voicemail solution. This vulnerability allows
a remote unauthenticated attacker to upload arbitrary files and gain root privileges on
the affected system. The flaw exists in the web-based management interface of Cisco Unity Connection
and stems from a lack of authentication in a specific API and inadequate validation of user
supplied data. Customers are advised to upgrade to the patched versions as no workarounds are
available. As of the advisory, there were no reports of public disclosure or malicious
exploitation of this vulnerability. Researchers at Malwarebytes have detected an upgraded version
of the Atomic Stealer macOS information stealer, which they say indicates its developers are
actively improving it, adding features like payload encryption to evade detection.
Originating in April of 2023 and initially priced at $1,000 per month, Atomic Stealer can now extract a wide range of sensitive data, including passwords and crypto wallets,
and its rental fee has risen to $3,000 per month.
Distributed via malvertising and fake websites, it often appears as legitimate software
updates. The malware also employs obfuscation to hide its command and control server.
Security researcher Jeremiah Fowler discovered a massive leak of over 800 gigabytes of files
from Raptor Technologies, a software provider for over 5,300 U.S. school districts,
Wired reports. These files, found in unsecured web buckets and not resulting from a hack,
included highly sensitive school emergency planning documents for scenarios like
active shooter situations. The leak exposed evacuation plans, threat reports, medical records, court documents, and personal details of staff, students, and their families.
About 75% of the documents pertain to threat assessments and emergency procedures.
Although there's no evidence of malicious access, the detailed information could be exploited for harmful purposes.
Raptor Technologies was informed
in December and quickly secured the data. The company is investigating the incident,
emphasizing the safety of children and community members as their top priority.
The FCC is seeing progress in their efforts to remove national security risks from communications networks. The Wireline Competition Bureau reported to Congress
that five recipients in the reimbursement program
have completed removing, replacing, and disposing
of risky communications equipment in their networks.
The program, part of the Secure and Trusted Communications Networks Act of 2019,
reimburses providers for costs incurred
in removing equipment posing national security risks. The Bureau's third report details ongoing
efforts and challenges, including supply chain delays and labor shortages. As of December 2023,
the Bureau has processed most of the 126 approved applications, disbursing just under $400 million.
Further updates are expected in July of this year, following calls from lawmakers to fund
the FCC's Rip and Replace program to protect U.S. communications networks.
The Biden administration is set to introduce new cybersecurity requirements for
hospitals to combat a surge in cyber attacks affecting healthcare providers. The Centers
for Medicare and Medicaid Services will soon propose rules mandating hospitals to implement
basic digital security measures to qualify for federal funding. These measures are expected to take effect by the end
of the year and include using multi-factor authentication and timely software vulnerability
remediation. The new requirements are part of a broader array of standards that hospitals must
meet to receive Medicare and Medicaid reimbursements. The administration believes these
fundamental cybersecurity practices will significantly reduce cyber incidents in healthcare.
The American Hospital Association is expected to fight any new regulations in court.
Mandiant has published a report on the recent brief takeover of their social media account on X-Twitter. Their investigation concludes that the hijack
likely resulted from a brute force password attack,
specifically targeting their primary X-Twitter account,
with no evidence of further malicious activity
or compromise of Mandiant or Google Cloud systems.
Mandiant highlighted issues with X-Twitter's 2FA configuration changes
as a contributing factor.
These changes, making 2FA exclusive to premium subscribers, had disabled the text message SMS 2FA method for non-subscribers since February 2023.
Mandiant acknowledged some responsibility, but also cited these policy changes at X-Twitter as partially to blame.
Coming up after the break, my conversation with David Moulton from Palo Alto Networks
about Threat Vector. That's Unit 42's new podcast. Stay with us.
Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to
evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key
workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta
when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover they've already been breached. Protect your executives and their
families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
It is my pleasure to welcome back to the show David Moulton.
He is the host of the Threat Vector segment and soon-to-be podcast here on the N2K CyberWire podcast network.
David, it's great to have you here.
Thanks, Dave.
Enjoying being back in the studio with you.
So myself and our listeners have been enjoying the Threat Vector segments here on the CyberWire.
And exciting news that Threat Vector, in addition to continuing as a segment on CyberWire,
is going to be its own program here on the CyberWire network.
Explain to us what was the motivation here
for adding this extra expanded content?
So since the start, we wanted to be able to bring
Threat Vector stories as segments to life on the CyberWire Daily.
In the six months that we've been out,
we've heard over and over, people want us to go deeper. They want the story to not just be
five minutes. They want us to get to that second tier of questions, that level of depth.
And after proving to ourselves that we could build audio files and send them out into the world
on a regular cadence and that people were
interested in it, we made the decision that we would go to a full podcast, still staying with
our CyberWire daily audience as a segment, and then finding time to go deeper on topics.
And as we think about what that gives us, and thinking about this as season two,
it's an opportunity to explore
the pressures on the SOC, the pressures on the analysts that are coming from the outside,
and to go deeper into some of the research that our threat intel teams are doing.
Well, let's dig into this together, maybe provide our audience with a bit of a preview here.
I mean, what are some of the areas of discussion that you're looking forward to digging into?
Absolutely. So here in what I'm thinking of as season two is those
pressures on the outside. So you could think about those as the technology. You may have
run across an article or two about artificial intelligence. And there's a lot of hype. There's
a lot of smoke around that topic. And we've got some really
smart engineers. We've got some researchers, folks that are dealing with AI problems with clients,
and they tend to have a different perspective than what you're going to see hyped up in the media.
I'd love to bring some of those stories to life. Another area is going to be the attacker. Of course, that continues
to be a focus of our business, our industry. And here in the next month or so, we're going to be
releasing some of our deep research reports. And I'd like to bring the people that are behind the
report into the studio and put them on mic and talk about the insights, the findings that we found. And then
finally, you can think about another pressure that is going on would be from regulators, the SEC.
What does it mean when a breach occurs and how do you have to respond? And we're working through
those things right now in real time. And I think that Unit 42 has an interesting perspective,
has a thoughtful approach to things
that are unfolding in real time.
And we should talk about that.
One of the things that I'm looking forward to
is that you're going to expand your sourcing,
as it were,
beyond just the team there at Unit 42 itself.
I mean, obviously, Palo Alto Networks has a huge amount of expertise underneath that roof.
That's right.
So you can think about Unit 42 as a space of expertise going into our...
We've actually got a massive research team behind our Cortex product that
feeds threat intel in. And then the list of contacts across government agencies, law enforcement,
and even into the private sector. This gives us an opportunity to talk to some of the friends
of the business, some of our customers that are doing really interesting things.
And it's a space to bring those real-world stories to life here on a podcast.
Can you give us some insights as to what makes up the team there at Unit 42 and really what you and your colleagues are charged with doing there on a day-to-day basis?
For sure. So you think about Unit 42's history, it's a threat
intel powerhouse. And I like to say that we've got the best in the business and it's backed by the
fact that we're able to take that threat intelligence and turn it into a constant cadence
of information that an analyst or folks in the security industry can refer to. That's on our Threat Research Center.
But it goes beyond that. We're also an incident response powerhouse. We've got former investigators
out of the government. We've got folks that have deep experience as, you know, deeper consultants
that are part of Unit 42. And if you're having a bad day, that's who you want to have on retainer or give us a call.
And then before something goes awry, before there's a breach, and you want to make sure that
you've hardened your systems and that you're protected, you want to be proactive. And Unit 42
provides all kinds of consultative services, tabletopping, purple teaming, red teaming,
those sorts of things,
so that maybe you don't need to pick up the phone and call.
We find a weakness, a vulnerability,
even just an error in your playbook
before you need to make a call for an incident response
or report a breach.
And that three legs of the stool
make up what Unit 42 is all about.
I'm curious, you know,
for folks who are coming up in the industry
and aspire to a position in an organization like Unit 42,
can you give us an idea of the breadth of skills
that make up that sort of organization?
There's a lot of variety there.
I think if you're coming up,
and we just talked about this in one of our recent podcasts, is to reach out and look for
those in the industry that are willing and able to help to mentor. That was what Garrett was
talking about last week. And I think if you look at what Unit 42 does, there's work like I do, publishing, taking stories and bringing them to life.
sort of their signatures and build that threat intel into a consumable asset that we can take in and give to our consultants, our customers, turn it into part of what gives our products
differentiation. They're going to be the deeper researchers that are part of the consulting team
that goes out and is side by side with a customer when they're going through a breach.
And then you think about our proactive side.
That's the dreamers and the visionaries that are sitting down and going,
what would it look like for us to go test a problem?
I was talking with a colleague here about artificial intelligence.
And companies are coming up with all kinds of LLMs and valuable data and systems to help them accelerate. How do you build something that analyzes that process, that data, and make sure that you've found a way to protect it, that you've not introduced vulnerabilities or bias into it?
They're biased into it.
And that's an engineer.
That's an inventor.
That's somebody with incredible creativity.
And all of them have a home inside of Unit 42.
Yeah, I think it's a good reminder. I mean, obviously, both for your organization, but really the broader cybersecurity world as well,
that there's such a need for so many different mindsets and ways of thinking and areas of expertise that, you know,
people should not self-select themselves out of positions. Like, you know, take a shot. You never
know. We need everybody.
That's right. So I'm an avid eater. And one of the things that I love is
when I see different cultural mashups. And there's a place here in Austin that does a nice job of mixing Korean and Mexican food.
It is fantastic.
And then they went and put it over fries.
Really healthy for you stuff, Dave.
And I look at security as one of those places where we need the mashup.
And here in a couple weeks, I'm going to be talking to Jacqueline
Wakata on our side. And she's at the intersection of security and law. I think that's a really
interesting mashup that she's so focused on those two things. But that mashup can be, if you're a
great investigator, are you thinking about systems? I've met an investigator that is a former mechanic.
He thinks in systems and is tremendous at the work. So it isn't to say that some of the traditional
pathways and skills aren't needed. Absolutely are. But that creativity and that broadness
on the team, such that you don't have groupthink or bias and gaps in what you're able
to understand is key. And security is a great place to go execute that creativity.
David Moulton is the host of Threat Vector from Palo Alto Networks' Unit 42, which is both
a segment here on the Cyber Wire and now its own standalone podcast. You can find that wherever
you get your podcasts.
David, thank you so much for joining us.
Always a pleasure, Dave.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach
can keep your company safe and compliant.
And finally, our friend Graham Cluley brought to our attention a BBC story about a man in Bihar, India, who fell victim to an online scam after encountering a video from the All India Pregnant Job Service on Facebook. The fraudulent scheme promised
significant financial rewards for having intimate relations with a woman with the goal of helping
her conceive a baby. The victim, lured by the promise of nearly three years' wages,
lost 16,000 rupees to the scammers who exploited his financial desperation. The fraud
involved fake documents, including a baby birth agreement, and continued demands for money under
various pretexts. The deputy superintendent of police of the victim's district reported numerous
victims of this elaborate con, with his team arresting eight
men and searching for others. Victims hesitated to come forward, likely due to shame. Cases like
this highlight how easy it can be to blame the victim, which of course we should not do.
Still, if it's too good to be true, it probably is.
It probably is.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com. We're privileged that N2K and podcasts like The Cyber Wire are part of the daily intelligence routine of many of the most influential leaders and operators in the public
and private sector, as well as the critical security teams supporting the Fortune 500
and many of the world's preeminent intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment,
your people. We make you smarter about your team while making your team smarter. Learn more at
n2k.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music by
Elliot Peltzman. Our executive producers are Jennifer Iben and Brandon Karp. Our executive editor is Peter Kilby, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses
that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to