CyberWire Daily - Volt Typhoon’s stealthy threat to US critical infrastructure.
Episode Date: February 8, 2024
A joint advisory warns of Volt Typhoon's extended network infiltration. Check your Cisco devices for patches. Fortinet clarifies its latest vulnerabilities. Internet outages plague Pakistan on election day. Kaspersky describes the new Coyote banking trojan. Cyber insurance is projected to reach new heights. The White House appoints a leader for the AI Safety Institute, and sees pushback on proposed reporting regulations. Can we hold AI liable for its foreseeable harms? Joe Carrigan joins us with insights on the Mother of All Data Breaches. The potential of Passkeys versus the comfort of passwords.
Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
Podcast partner and Hacking Humans co-host Joe Carrigan stops by today to discuss the mother of all data breaches.
Selected Reading
Chinese hackers hid in US infrastructure network for 5 years (BleepingComputer)
Akira, LockBit actively searching for vulnerable Cisco ASA devices (Help Net Security)
Cisco fixes critical Expressway Series CSRF vulnerabilities (SecurityAffairs)
Fortinet warns of new FortiSIEM RCE bugs in confusing disclosure (BleepingComputer)
Pakistani telcos suffer widespread Internet blackouts on election day (DCD)
Coyote: A multi-stage banking Trojan abusing the Squirrel installer (Securelist)
Cyber insurance market growing dramatically, Triple-I Finds (AI-TechPark)
Biden Administration Names a Director of the New AI Safety Institute (SecurityWeek)
No one's happy with latest US cyber incident reporting plan (The Register)
DHS Is Recruiting Techies for the AI Corps (BankInfoSecurity)
Can the courts save us from dangerous AI? (Vox)
I Stopped Using Passwords. It's Great—and a Total Mess (WIRED)
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
A joint advisory warns of Volt Typhoon's extended network infiltration.
Check your Cisco devices for patches.
Fortinet clarifies its latest vulnerabilities.
Internet outages plague Pakistan on Election Day.
Kaspersky describes the new Coyote banking trojan.
Cyber insurance is projected to reach new heights.
The White House appoints a leader for the AI Safety Institute and sees pushback on proposed reporting regulations.
Can we hold AI liable for its foreseeable harms?
Joe Carrigan joins us with insights on the mother of all data breaches and the potential of passkeys versus the comfort of passwords.
It's Thursday [...] to have you here with us.
The Chinese cyber espionage group known as Volt Typhoon successfully infiltrated networks within the United States' critical infrastructure and managed to evade detection for at least five years. The discovery of this breach was announced through a joint advisory by CISA, the NSA, the FBI, and their
international partners from the Five Eyes Alliance. Volt Typhoon specializes in living-off-the-land techniques, using legitimate tools already present in the environment for malicious purposes.
The group also leverages stolen account credentials and employs strong operational security measures.
These strategies enable them to remain undetected and maintain persistent access within compromised systems over long periods.
The primary targets of Volt Typhoon have been organizations within the communications,
energy, transportation, and water-wastewater sectors across the United States.
Their operations and tactics suggest a focus beyond typical cyber espionage.
Authorities believe the group's ultimate objective is to gain access to operational technology assets. This access could enable them to disrupt critical infrastructure,
especially in times of geopolitical tensions or military conflicts with the United States.
CISA has expressed concerns about Volt Typhoon's potential to exploit their access for disruptive
or destructive cyberattacks against U.S. critical infrastructure during significant crises.
Rob Joyce, NSA's Director of Cybersecurity,
emphasized the ongoing efforts to understand the scope of Volt Typhoon's activities.
The U.S. has been improving its capabilities in identifying compromises,
hardening targets, and collaborating with partner agencies to counteract cyber threats from the People's Republic of China.
In response to these threats, a technical guide accompanied the advisory.
The guide provides information for network defenders on how to detect Volt Typhoon's techniques.
It also offers mitigation measures to secure networks against attackers
using living-off-the-land techniques.
Security researcher Kevin Beaumont warns that Akira and LockBit ransomware groups
are actively targeting Cisco ASA SSL VPN devices
by exploiting vulnerabilities that were patched in 2020 and 2023.
Despite the available patches,
the exploitation of these older vulnerabilities
is facilitated by organizations' slow patching practices.
Recent observations by Beaumont and TruSec researchers highlight an uptick in malicious scanning for Cisco AnyConnect VPN devices,
with a significant portion of the activity linked to known ransomware groups.
The advice is clear. Patch your devices promptly to mitigate the risk of ransomware attacks.
Meanwhile, Cisco has patched several vulnerabilities
in its Expressway series collaboration gateways,
including two critical flaws which pose a risk of cross-site request forgery attacks.
These vulnerabilities stem from inadequate CSRF protections
in the web-based
management interface, enabling attackers to perform unauthorized actions on the affected systems
by deceiving a user into clicking a malicious link. The potential impacts include altering
system configurations and creating new accounts with administrative privileges.
Additionally, a third vulnerability could lead
to a denial of service by allowing attackers to overwrite system settings. Cisco recommends
that customers update their software to a secure release to mitigate these risks.
The past few days have seen some confusion over a series of security disclosures from Fortinet, and now the company has identified two new unpatched vulnerabilities as patch bypasses for a previously disclosed critical remote code execution flaw in FortiSIEM, their security information and event management solution.
Initially, Fortinet mistakenly announced these as duplicates due to an API issue, but later clarified that they are indeed distinct variants of the original vulnerability, allowing unauthenticated attackers to execute commands via crafted API requests.
These variants share the same description and severity score as the initial flaw.
Fortinet is working on fixes for these vulnerabilities in upcoming FortiSIEM
releases across several versions. Despite no current active exploitation, the critical
nature of the flaw means users should update their systems promptly to ensure network security,
especially given Fortinet devices' attractiveness to ransomware groups and other threat actors.
Fortinet plans to include reminders in its monthly advisory
to alert customers about the updated advisory and forthcoming patches.
It's Election Day in Pakistan,
and widespread Internet blackouts and mobile network disruptions
were reported across multiple regions.
This comes amid security concerns cited by Pakistan's interior ministry,
pointing to a recent surge in terrorist activities.
The election process has been overshadowed by digital censorship
targeting the political opposition, allegations of corruption, and poll rigging.
Imran Khan, the leader of the Pakistan Tehreek-e-Insaf party,
and his wife Bushra Bibi, were jailed last week,
further complicating the political landscape.
The Pakistan Muslim League Nawaz is expected to win in an election anticipated to have lower-than-usual voter turnout,
despite heavy security presence.
Past incidents in 2022 also saw Internet services disrupted during protests,
with telecom providers attributing a partial outage to issues with the web filtering system,
suggesting state involvement in Internet shutdowns.
Kaspersky reports on a newly discovered banking trojan called Coyote,
which targets users of over 60 banking institutions
with a sophisticated
infection chain that distinguishes it from traditional banking trojans.
Utilizing the Squirrel installer for distribution, Coyote leverages advanced technologies including
Node.js and the Nim programming language for its loader, aiming to complete its infection
process more covertly.
Targeting mainly Brazilian banks, Coyote communicates with its command and control server using
SSL channels, performing actions based on received commands.
This evolution in the banking Trojan domain highlights the adoption of less common cross-platform
languages by cybercriminals, indicating a trend toward more sophisticated
malware development techniques. The Insurance Information Institute,
Triple-I, projects global cyber insurance direct written premiums to reach $23 billion by 2025,
with U.S. businesses contributing approximately 56% of this total. The growth is attributed to the
increasing threat of cyber attacks and data breaches, alongside improvements in policy
clarity and risk management by insurers. U.S. companies, major buyers of standalone cyber
insurance, are particularly vulnerable due to their heavy reliance on IoT technologies,
remote work, and cloud storage,
raising their exposure to cyber risks.
Standalone policies offer coverage for expenses not typically covered by general liability policies,
such as legal fees and data recovery costs.
Despite a 15% rise in the average data breach cost since 2020,
reaching $4.45 million in 2023, the cyber insurance market
has tripled in the past five years. The surge in demand and cost underscores the importance
of cyber insurance in today's digital economy, prompting heightened focus from insurance
regulators and cybersecurity agencies. The Biden administration has appointed Elizabeth Kelly, a senior White House economic policy advisor, to lead the newly created AI Safety Institute, which is part of NIST.
Kelly was instrumental in drafting the executive order that established the institute, which will focus on fostering safe AI technology development.
The Institute aims to implement red team testing standards by July for AI developers, ensuring system safety for consumer and business use.
This initiative seeks to establish a universal set of standards for AI safety testing,
promoting broader trust and adoption of AI technologies. Kelly has a background in law
from Yale and experience in both the Obama
administration and the private sector, bringing a wealth of expertise to her new role.
The U.S. Department of Homeland Security is actively recruiting 50 artificial intelligence
experts this year to join its new AI Corps, leveraging AI in various government tasks, including cyber threat defense
and damage assessment with AI-powered computer vision. Meanwhile, the Biden administration is
seeing pushback from industry on proposed changes to procurement rules that require IT service
providers to the U.S. government to grant full access to their systems during security incidents.
These updates to the Federal Acquisition Regulation, inspired by President Biden's 2021 executive order, aim to enhance security reporting standards for government contractors.
Other key provisions include an eight-hour deadline for reporting incidents to CISA
and maintaining a software bill of materials.
Organizations argue that the requirements are burdensome and the rapid reporting timelines are unrealistic.
Critics, including the Cloud Services Providers Advisory Board
and the Information Technology Industry Council,
express concerns over the SBOM requirements
and the potential impact on non-federal customer data.
The debate
emphasizes the growing complexity and inconsistency of cyber incident reporting regulations across
various federal agencies, leading to calls for a unified reporting process.
A story from Dylan Matthews in Vox points out that some AI experts have remarked on the unique nature of artificial
intelligence, highlighting its potential as a major shift in human history, akin to the creation
of a new species capable of surpassing human intelligence. This perspective raises questions
about the role of governments in regulating AI, especially given its potential to significantly impact
society. Proposed regulations focus on ensuring AI systems are tested for bias, security
vulnerabilities, weaponization potential, and unintended goals. However, the complexity of AI
poses challenges for regulatory efforts. Gabriel Weil suggests an alternative approach through tort law,
where AI companies could face strict liability for foreseeable harms caused by their products,
including catastrophic risks. This legal strategy could incentivize companies to prioritize safety
without the need for extensive government intervention, representing a novel method
to manage AI's transformative potential
while mitigating its risks.
Coming up after the break, Joe Carrigan joins us with insights on the mother of all data breaches.
Stick around.
Do you know the status of your compliance controls right now? Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And it is my pleasure to once again welcome back to the show Joe Carrigan.
He is from the Johns Hopkins University Information Security Institute
and also my co-host over on the Hacking Humans podcast.
Hey, Joe.
Hi, Dave.
Interesting story that came by here about something that was claiming to be or assigned
the title the mother of all data breaches.
Right.
It's a biggie here. What's going on, Joe?
This was a biggie. It was found by some researchers over at Cyber News, or at least they published it. And it had 26 billion records. And the breach included user information for LinkedIn, X, Venmo, and more.
The problem with this, actually, is the way that it was reacted to, actually.
There are headlines like from Benzinga that say,
Mother of all data breaches, 26 billion records leaked.
Panic over increased
cybercrime risks. Mother of all data breaches, data leak reveals 26 billion account records from
Twitter, LinkedIn, and more. That's from the New York Post. Lots of panic. Now, Stu Sjouwerman,
who is the CEO of KnowBe4, and also KnowBe4 is the sponsor of our show, Hacking Humans.
Right.
Stu Sjouwerman has a pretty good blog post on this,
and he is comparing his current thinking on it to his initial thinking on it.
So in the initial,
and he actually puts the initial blog post up
and says it's really a big problem.
And then his later problem is,
no, these are all previously disclosed breaches.
That's what this has turned out to be.
And I'll get into that in a minute.
But either way, Stu comes to the conclusion that his advice is the same in both cases, right?
Phishing-resistant multi-factor authentication and user training.
Yeah.
Right? Which I would agree with, especially for corporations, user training or organizations.
You need to train your users. They're going to be your partners in
this cybersecurity problem.
But the owner of this data set has been found
to be a company called Leak Lookup.
And guess what, Dave? They sell
access to this via an API.
Well, that's convenient.
Yeah.
And they say, you know, the website says
check to make sure your data
is not in here. And then you get some
access. And you can get some access and you can
request up to 10,000 records at a time via this API for, I think, five requests a minute or
something like that. So 50,000 records every minute you can request from this service.
There's much more than just usernames and passwords in this breach. There are some parts
of it that contain significant PII.
And I want to pair this with our survey from a while back that I was talking about.
In our survey that we did of Maryland,
this is just Maryland residents,
we found-
This is a survey done at Hopkins.
This is a survey done at Hopkins, right.
Okay.
Right, correct.
We found that fewer than one half of the respondents
knew that their data had been breached.
Okay.
And that was really shocking because we were really anticipating close to 100% of people knowing that their data has been breached.
Now, this is a collection of just previously existing data breaches.
Like, you know, Collection 1, you remember Collection 1?
Yeah.
That's part of this leak lookup collection.
It's a big aggregation of lots of previous breaches.
It is.
Yeah.
The other thing is that more than half of the people
that responded to our survey reported using passwords,
reusing passwords or using very similar passwords
on multiple sites.
Okay.
This kind of points to what everybody needs
to understand about this.
These data sets are out there.
The fact that this company runs a service
that you can go out and just subscribe to it. And the only reason that this data breach happened
was because they had a misconfigured firewall, according to a Twitter feed, right? They allowed
somebody to go into the backend and just request the data without using the API through their configuration error.
So these data sets are out there,
and this one is just one
that these researchers happened to find
because it was exposed.
There are other data sets out there
that are probably larger
and may not have disclosed breaches in them.
People that have been breached
may not even know that they've been breached
and these guys have this information.
So your data is out there.
I almost guarantee it.
Yeah.
In fact, the only way I would say
that your data is not out there
is if you've been totally off the internet
for the past 30 years.
Right.
In which case, you're not hearing this message.
Right.
Yeah, that's exactly right.
Right, right.
If you can hear the sound of my voice, your data is in one of these data sets.
Right.
Good way to say it.
Right, right.
So what do you do personally if you're just an individual?
You need to use a password manager to make sure that you use different passwords on every single site that you go to that's important to you.
I've talked before about how there are some sites where I will use different passwords, but I don't care if, you know, easy to remember passwords, but I don't care if I lose access to those servers or those sites, right? So I have a risk model,
my own personal risk model. The other thing is use multi-factor authentication on every site
that offers it to you. That'll stop a lot of these account takeovers that are going to result
from this data being out there. If you're organizationally, if you're an organization, I'm going to say pretty much exactly what Stu Sjouwerman said,
and that is enforce multi-factor authentication, preferably with a FIDO key,
and then that will go a long way in protecting your organization and the user training as well.
We frequently talk about the Google finding that once they enforced the Google Titan,
made everybody have,
all Google employees had to use Google Titan.
Right.
Their email compromises,
their account takeovers went to zero.
Yeah.
And they're a big company.
Yeah.
But everybody has to use this now.
Twitter now, or X, I guess,
after their breach,
before they sold off to Elon Musk, they switched and forced
everybody to go to a YubiKey. They bought two YubiKeys for everybody and just gave them to them.
Yeah. So that's how you solve this problem. There's another article I found while looking
into this that said, and it was disheartening, 25% of your employees use the same password on
everything.
Yeah.
Right?
Which means that your employees are using the same passwords they use on their Netflix account.
And if they have a breached Netflix account, that puts your organization at risk.
You can secure that with multi-factor authentication.
Yeah.
All right.
Well, good information.
Joe Carrigan, thanks for joining us.
My pleasure, Dave.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're
thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses
worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
With TD Direct Investing, new and existing clients could get 1% cash back.
Great! That's 1% closer to being part of the 1%...
Maybe, but definitely 100% closer to getting 1% cash back with TD Direct Investing.
Conditions apply. Offer ends January 31, 2025. Visit td.com slash dioffer to learn more.
And finally, Matt Burgess writes in Wired about the promise and frustrations of trying to adopt a passwordless lifestyle online. He shares several frustrations related to the use of traditional passwords
and the transition to pass keys, including annoyances with complex passwords,
as anyone who has ever tried to enter their Netflix password on a TV screen keyboard has surely experienced.
Password managers are great when they work, but they can be complex and inconvenient,
especially when managing a large number of passwords. Burgess met several hurdles in his attempt to transition to
passkeys, the technology supported by major tech entities like Google, Apple, and Microsoft.
Passkeys promised a more secure alternative, leveraging public key cryptography to facilitate logins via fingerprints, facial
recognition, or pins. Troubles included incompatibility issues with their work laptop's
operating system, glitches with the PayPal app, challenges in creating a passkey for TikTok
due to the use of a work Google account, and limitations with their password manager, Bitwarden, not supporting
passkeys on mobile initially.
There's little doubt we're headed for a passwordless future, but for now, passwords are kind of
like X's.
You know you should move on, but you keep going back, because it's just so familiar.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
As I mentioned at the top of the show,
this is our 2,000th episode of The Cyber Wire Daily Podcast.
A heartfelt thanks to everyone who's had a hand in making this possible. Thank you.
[...] make you smarter about your team while making your team smarter. Learn more at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music by Elliot Peltzman.
Our executive producers are Jennifer Ivan and Brandon Karp. Our executive editor is Peter
Kilby, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
[...] Pure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.