CyberWire Daily - Vulnerabilities and security risks.
Episode Date: January 16, 2024
Ivanti products are under active zero-day exploitation. Phemedrone is a new open-source info-stealer. Bishop Fox finds exposed SonicWall firewalls. GitLab and VMware patch critical vulnerabilities. The Secret Service foils a phishing scam. Europol shuts down a cryptojacking campaign. Ransomware hits a Majorca municipality. RUSI looks at ransomware. Ben Yelin explains the New York Times going after OpenAI over the data scraping. And the sad case of an Ohio lottery winner.
Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
Guest and partner Ben Yelin joins us today to discuss “The Most Critical Elements of the FTC’s Health Breach Rulemaking.” Ben is the Program Director for Public Policy & External Affairs at the University of Maryland Center for Health and Homeland Security and Co-Host of N2K’s Caveat Podcast.
Selected Reading
Ivanti Connect Secure zero-days now under mass exploitation (Bleeping Computer)
Windows SmartScreen flaw exploited to drop Phemedrone malware (Bleeping Computer)
Over 178,000 SonicWall next-generation firewalls (NGFW) online exposed to hack (Security Affairs)
GitLab Fixes Password Reset Bug That Allows Account Takeover (Security Boulevard)
Patches Available for a Critical Vulnerability in VMware Aria Automation: CVE-2023-34063 (Malware News)
US court docs expose fake antivirus renewal phishing tactics (Bleeping Computer)
Hacker spins up 1 million virtual servers to illegally mine crypto (Bleeping Computer)
Ransomware gang demands €10 million after attacking Spanish council (The Record)
Ransomware: Victim Insights on Harms to Individuals, Organisations and Society (Royal United Services Institute)
Cybersecurity incident delays payouts for big Ohio Lottery winners (Beacon Journal)
Share your feedback.
We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Ivanti products are under active zero-day exploitation.
Phemedrone is a new open-source info-stealer.
Bishop Fox finds exposed SonicWall firewalls.
GitLab and VMware patch critical vulnerabilities.
The Secret Service foils a phishing scam.
Europol shuts down a crypto-jacking campaign.
Ransomware hits a Majorca municipality.
RUSI looks at ransomware.
Ben Yelin explains the New York Times going after OpenAI over data scraping.
And the sad case of an Ohio lottery winner.
It's Tuesday, January 16th, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Hello, everyone.
Thanks for joining us here today. We're glad to have you with us.
Ivanti's Connect Secure VPN and Policy Secure Network Access Control appliances
are currently facing mass exploitation due to two zero-day vulnerabilities,
as reported by Volexity, a threat intelligence company.
The vulnerabilities enable authentication bypass and command injection.
These have been actively exploited in widespread attacks since January 11th of this year,
affecting a range of organizations globally, including Fortune 500 companies across various industries.
Attackers have used a web-shell variant named GIFTEDVISITOR to backdoor
systems. As of January 14th, over 1,700 Ivanti ICS VPN appliances have been compromised worldwide.
Ivanti has not yet released patches for these vulnerabilities, and administrators are advised
to implement vendor-provided mitigation measures on all ICS VPNs
and use Ivanti's Integrity Checker tool.
Any data on compromised ICS VPN appliances should be considered breached.
Shadowserver's threat monitoring service reveals over 16,000 exposed ICS VPN appliances online,
with nearly 5,000 in the United States.
Attackers, including a suspected Chinese state-backed group, are using these vulnerabilities
to execute arbitrary commands on affected devices. Mandiant has identified five custom malware
strains in these attacks, aimed at dropping web shells, deploying additional malicious payloads, and stealing
credentials. The most notable malware is called Zipline, a passive backdoor with extensive
capabilities like intercepting network traffic and creating reverse shells. Previous exploits
of Ivanti's vulnerabilities in recent years have targeted government, defense, and financial organizations in the U.S. and Europe.
Bleeping Computer reports on a malware campaign using a new open-source info-stealer called
Phemedrone, which exploits a Microsoft Defender SmartScreen vulnerability to bypass Windows
security prompts. Phemedrone harvests data from web browsers, cryptocurrency wallets,
and applications like Discord, Steam, and Telegram, sending this information back to
attackers for further malicious use or sale. The exploited Microsoft Defender flaw was patched in
November 2023 but had been actively exploited in attacks. It allows attackers to compromise users through specially
crafted internet shortcut files or hyperlinks, bypassing usual Windows SmartScreen warnings.
This vulnerability poses a heightened risk for unpatched systems due to available proof-of-concept
exploits. Phemedrone targets data from various applications, including passwords and user information from Chromium and Gecko browsers,
crypto wallet data, Discord authentication tokens,
FTP details from FileZilla, and hardware and system information.
Trend Micro notes that other malware families have also targeted this Windows flaw,
including ransomware.
Researchers from Bishop Fox discovered that over 178,000 internet-exposed SonicWall next-generation firewalls are vulnerable to exploitation. These vulnerabilities affect
SonicWall NGFW Series 6 and 7 devices. They are unauthenticated denial-of-service vulnerabilities
that could potentially lead to remote code execution. Although a proof of concept is public,
there have been no reported attacks exploiting these vulnerabilities.
The researchers used BinaryEdge data to locate SonicWall firewalls with exposed management interfaces, finding that 76% of the
just under 234,000 firewalls they analyzed were vulnerable to one or both issues. SonicOS,
SonicWall's operating system, reboots after a crash, but if it crashes three times in a short
period, it enters maintenance mode, requiring administrative action.
The latest firmware addresses these vulnerabilities, and administrators are advised to upgrade and
ensure the management interface is not publicly accessible. Despite the theoretical potential for
remote code execution, the likelihood of such exploitation remains low due to challenges in
bypassing security measures and the difficulty
in remotely determining specific firmware and hardware versions of targeted devices.
GitLab is releasing patches for a critical vulnerability in its email verification process
that could allow attackers to reset user passwords and take over accounts.
This flaw, with a maximum severity score of 10.0 on the CVSS system, was introduced in May 2023 with GitLab version 16.1.0
due to a change allowing password reset via a secondary email address.
Attackers could exploit this vulnerability to send password reset messages
to unverified email addresses,
potentially leading to account takeovers.
However, users with two-factor authentication are less vulnerable,
as attackers won't be able to bypass the 2FA method.
GitLab has not observed any exploitation of this flaw on its managed platforms, including GitLab.com.
VMware has addressed a critical vulnerability in its Aria Automation platform with a CVSS score
of 9.9. Aria Automation is an infrastructure automation platform used for managing multi-cloud
environments with an emphasis on governance and DevOps-based delivery.
The vulnerability, if exploited, could allow unauthorized access to remote workflows and
organizations, posing a significant risk to integrity and availability with a lesser impact
on confidentiality. The exploitation risk is heightened due to the low complexity of the attack,
which can be carried out by an authenticated attacker
with low privileges and without user interaction.
The U.S. Secret Service has uncovered a scam
where fraudsters stole $34,000
using fake Norton antivirus renewal emails.
These phishing emails tricked victims into calling a number
and inadvertently granting the scammers remote access to their computers and bank accounts.
The funds were traced to a Chase bank account owned by Bingsong Zhao.
The Secret Service, through a seizure warrant, aims to recover the funds, considering them as proceeds from criminal activity.
Zhao faces charges of wire fraud and involvement in the phishing scam,
with potential additional charges related to money laundering and bank fraud.
A 29-year-old Ukrainian man was arrested for orchestrating a large-scale cryptojacking scheme,
as reported by Europol. The suspect allegedly hacked accounts to create 1 million virtual servers for cryptocurrency mining, illegally generating about $2 million.
The scheme involved hijacking cloud computing resources to mine cryptocurrency, significantly impacting the performance of compromised organizations' CPUs and GPUs and increasing their power usage. A 2022 Sysdig report estimated that cryptojacking costs organizations about $53 for every dollar of Monero mined. The investigation began in January
of 2023 after a cloud service provider reported compromised accounts. Collaborative efforts by
Europol, Ukrainian police, and the cloud provider
led to the development of intelligence to track and identify the hacker.
Authorities arrested the suspect on January 9, seizing computer equipment, bank and SIM cards,
and other evidence. The Ukrainian cyber police revealed that the suspect had been active since 2021, using brute force attacks to access 1,500 accounts of a major e-commerce entity's subsidiary.
The individual now faces criminal charges under Ukraine's criminal code for unauthorized interference in electronic communications networks.
The municipality of Calvia on the Spanish island of Mallorca has experienced a ransomware attack,
leading to an extortion demand of approximately 10 million euros.
The mayor has firmly stated that the city council will not pay the ransom,
aligning with Spain's stance as a signatory of the counter-ransomware initiative,
which discourages government institutions from paying ransomware demands. The cyberattack was discovered on Saturday and has prompted the formation of a
crisis cabinet to assess and manage the situation. Due to the attack, all administrative deadlines
in Calvia, such as the submission of civil claims and requests, have been temporarily suspended until the end of
January. The Council has informed its approximately 50,000 residents of these disruptions and is
striving to restore normality as swiftly as possible. A research paper from the UK's RUSI,
the Royal United Services Institute for Defence and Security Studies,
delves into the multifaceted impact of ransomware attacks,
painting a vivid picture of their extensive reach.
It reveals that organizations of all sizes are at risk,
with ransomware posing a significant threat not just to their financial stability,
but also their reputations. The consequences of these attacks stretch far
beyond mere financial losses. Individuals, ranging from employees to healthcare patients and students,
are subjected to both physical and psychological trauma, highlighting the human cost of ransomware.
Furthermore, the study underscores the broader societal implications of ransomware.
These attacks disrupt supply chains, erode public trust in law enforcement and public services,
and contribute to the normalization of cybercrime. They also provide strategic advantages to hostile
states that harbor the cybercriminals responsible for these disruptions. One critical finding is
the differentiation in the severity of harm
based on the attack's nature. Attacks that encrypt IT infrastructure inflict more severe
damages compared to those involving data theft and leakage. The research highlights that the
ransomware ecosystem currently finds less profitability in exploiting stolen data for
fraud compared to direct extortion tactics.
The report provides a comprehensive picture of ransomware's pervasive and multi-layered impact,
setting the stage for future research focused on developing strategies to mitigate these wide-ranging harms.
Coming up after the break, Ben Yelin explains the New York Times going after OpenAI over data scraping.
Stay with us. Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. ...$1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of
new members discover they've already been breached. Protect your executives and their families 24-7,
365, with Black Cloak. Learn more at blackcloak.io.
And it is always my pleasure to welcome back to the show Ben Yelin.
He is from the University of Maryland Center for Health and Homeland Security and also my co-host on the Caveat podcast.
Hey there, Ben.
Hello, Dave.
Interesting news this week about the New York Times coming after OpenAI
over, I guess, is it fair to say the scraping of their data?
Yeah, we have a major copyright case upon us here from the old gray lady, as they call it.
Right.
So the New York Times, and I think they're not going to be alone in filing this lawsuit.
They were just the first one, filed suit against both OpenAI and Microsoft,
who operate the biggest generative AI platforms at the moment.
And the cause of action is copyright infringement.
Basically, the idea is that people are typing things into ChatGPT,
like, what did the New York Times have to say about X?
How would the New York Times describe X?
And that is essentially taking somebody else's intellectual property, the work of New York
Times writers, editors, etc., and presenting it as their own, either without attribution or without
any monetary benefit. So this gets into really complicated areas of the law. We have this
doctrine called the fair use doctrine, where if you add your own
editorial element to it, if you're writing a book review, for example, and you include a passage
from the book, but you're adding to that by offering your own viewpoint on it, or if it's
something like a parody, we consider that fair use. That's not a copyright violation. Sure.
But I think the allegation here is there really isn't any fair use because in a lot of these cases,
it's basically the equivalent of copying and pasting
what might be an article that's behind a paywall, for example.
So ChatGPT, so OpenAI and Microsoft have yet to even respond to this lawsuit.
That's how new it is.
I'm interested to see how they present their defense,
if they're going to file some type of motion to dismiss.
I know you and I talk about the molasses-esque speed of our legal system.
And this just especially stood out to me.
The New York Times article, it's self-referential,
about their own lawsuit basically said,
this is such a novel legal issue that it might not get figured out for a decade.
Wow.
Because we're going to have dueling motions and perhaps a case if they don't settle.
And then, well, you know, that's a federal district court case.
And we go to a circuit court and then maybe the U.S. Supreme Court.
Yeah.
And they talked to an expert in this field in the article.
And he said, a decade is an eternity in the market that we're currently living through.
Right. I think that's true. And I think this is a great example of, I wish there were
some way to expedite our legal system so that we could resolve this issue before it's too late.
One of the interesting things that caught my eye in this lawsuit was that the New York Times is
making the point that when these large language models do the thing that's often described as hallucinating, where they make up things, that that could be detrimental to the Times because it could be attributing things to the Times that the Times didn't actually say.
Right. I mean, you could have a defamation suit there very clearly, especially if the Times would suffer reputational harm.
I think that's
going to be a whole other venue for legal challenges. I think this one is more about
appropriating copyrighted material, material that the New York Times have put their writers on,
et cetera. What about this argument that, you know, if I walk into a museum and look at all
the paintings on the walls,
and then I, you know, leave the museum
and come up with my own painting,
but I'm clearly influenced by all the paintings that I've seen,
that's not a violation of copyright.
Right. I mean, I think we're going to have to delineate the line
between being influenced by something
and copying and pasting,
or what's essentially copying and pasting directly from
the suit itself. And I don't know if we've developed a proper dividing line there. And
I'm not sure there is a way to do it. I mean, you could have something that's in the style of the
New York Times. But if it's so close to the actual content that the Times created, then I think even
if it's not word for word, it is a copyright violation.
You know, what some of these media companies have done
and I think will do is come up with licensing agreements
with companies like OpenAI,
where they get together and say,
let's avoid litigation.
We'll come up with an agreement.
Whatever that agreement is, you pay us X amount of money.
So we're licensed to reprint to a certain extent
material that's been drafted
from your news source.
I think that's the best
short-term solution here.
It's going to require
intense negotiations
and maybe the sides
won't be able to reach an agreement,
but it has happened already.
I think they mentioned this article
that a couple of news sources
have already come up
with these data licensing agreements
with OpenAI.
Yeah.
One of them is Axel Springer,
which owns outlets like Politico and Business Insider,
and then the Associated Press as well.
I think the New York Times
wants to have these conversations
with Microsoft and OpenAI,
and I think the threat of a lawsuit
would be a way to spur those conversations.
That'll certainly get their attention.
Absolutely.
You know, I've seen criticism of this lawsuit
where in order to get ChatGPT, for example,
to spit out something verbatim,
they had to put in such a specific prompt,
basically, you know, luring the system into spitting out things
or putting such tight guardrails on the system
that it had very little choice
but to spit out something verbatim from the original
and that this isn't what the large language model
attempts to do under normal circumstances.
This is a bit of an edge case.
Right, but in some cases,
if I asked you to print a copy of something that was copyrighted,
and my direct ask was give me an exact copy of it, and I presented it as my own produced work,
I mean, that would still be a copyright violation, even if it was not something done in the normal course of business.
Like, I still think there is a problem in these limited circumstances where somebody says
what would David Brooks
say about X subject?
And
the answer is going to be pretty
directly cribbed from something that
David Brooks himself wrote, if not
his exact op-ed.
I just don't think we've figured out
a way to solve this problem yet. I think the
best way to do it is these types of licensing agreements, which can only be spurred by this type of litigation, I think.
Well, we'll hold on to the bar for a decade-long rollercoaster ride.
That means you're going to have to keep me around for the next decade, so I'll take it.
All right, fair enough.
Ben Yelin, thanks so much for joining us.
Thank you. Cyber threats are evolving every second and staying ahead is more than just
a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe
and compliant.
And finally, the Akron Beacon Journal in Ohio shares the sad case of Edward Riley, an 85-year-old Ohio resident who encountered difficulties cashing in his $1,000 lottery scratch-off win due to a cybersecurity incident at the Ohio Lottery.
A recent cyberattack on the Ohio Lottery's systems on Christmas Eve has disrupted services, affecting the processing
of winnings over $599. With limited options, Riley faced the choice of either mailing his
winning ticket to the Ohio Lottery Central Office in Cleveland, risking loss or theft,
or using the Ohio Lottery smartphone app for direct deposit into his bank account.
Opting for the app, Riley, who is not tech-savvy,
struggled for hours to set it up and now faces a 10-day wait for his winnings.
The investigation into the cyber attack is ongoing,
with no clear timeline for when normal service will resume.
Riley, a longtime lottery player since 1974,
commented on the importance of the lottery in his life,
especially after the passing of his wife.
It turns out, in Ohio, hitting the jackpot isn't nearly as hard as cashing out your winnings.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like The Cyber Wire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector,
as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent
intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the
value of your biggest investment, your people. We make you smarter about your team while making
your team smarter. Learn more at n2k.com. This episode was produced by Liz Stokes. Our mixer
is Trey Hester with original music by Elliot Peltzman.
Our executive producers are Jennifer Iben and Brandon Karp.
Our executive editor is Peter Kilby and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. ...and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.