CyberWire Daily - Weeding out 'worms' for Windows users.
Episode Date: August 15, 2024

Microsoft urges users to patch a critical TCP/IP remote code execution vulnerability. Texas sues GM over the privacy of location and driving data. Google says Iran's APT42 is responsible for recent phishing attacks targeting presidential campaigns. Doppelgänger struggles to sustain its operations. Sophos X-Ops examines the Mad Liberator extortion gang. Fortra researchers document a potential Blue Screen of Death vulnerability on Windows. China's Green Cicada Network creates over 5,000 AI-controlled inauthentic X (Twitter) accounts. Kim Dotcom is being extradited to the United States. Our guest is Rui Ribeiro, CEO at JScrambler, to discuss how the extensive use of first- and third-party JavaScript is a blessing and a curse. Wireless shifting can really grind your gears.

CyberWire Guest
Today's guest Rui Ribeiro, JScrambler's CEO, joins us to discuss how the extensive use of first- and third-party JavaScript is both a blessing and a curse.

Selected Reading
Zero-click Windows TCP/IP RCE impacts all systems with IPv6 enabled, patch now (Bleeping Computer)
Texas sues General Motors over car data tracking (POLITICO)
Google: Iranian Group APT42 Behind Trump, Biden Hack Attempts (Security Boulevard)
Doppelgänger operation rushes to secure itself amid ongoing detections, German agency says (The Record)
Palo Alto Networks Patches Unauthenticated Command Execution Flaw in Cortex XSOAR (SecurityWeek)
A new extortion crew, Mad Liberator, emerges on the scene (The Register)
Beware, Windows users. Newly-spotted CVE-2024-6768 vulnerability can cause blue screen (MSPoweruser)
CyberCX Unmasks China-linked AI Disinformation Capability on X (Cyber CX)
Kim Dotcom is being Megauploaded to the US for trial (The Verge)
Want to Win a Bike Race? Hack Your Rival's Wireless Shifters (WIRED)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code
n2k at checkout. That's joindeleteme.com/n2k, code n2k.
Microsoft urges users to patch a critical TCPIP remote code execution vulnerability.
Texas sues GM over the privacy of location and driving data.
Google says Iran's APT42 is responsible for recent phishing attacks targeting presidential campaigns.
Doppelganger struggles to sustain its operations.
Sophos X-Ops examines the Mad Liberator extortion gang.
Fortra researchers document a potential blue screen
of death vulnerability on Windows.
China's Green Cicada Network creates over 5,000
AI-controlled inauthentic X (Twitter) accounts.
Kim Dotcom is being extradited to the United States.
Our guest is Rui Ribeiro, CEO at Jscrambler,
to discuss how the extensive use of first- and
third-party JavaScript is a blessing and a curse, and wireless shifting can really grind your gears.
It's Thursday, August 15th, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thank you for joining us here today.
It is great to have you with us.
Microsoft has urged users to patch a critical TCP/IP remote code execution vulnerability
that affects all Windows systems with IPv6 enabled.
Discovered by Kunlun Lab, this wormable flaw could allow remote unauthenticated attackers to execute
arbitrary code by sending specially crafted IPv6 packets. Disabling IPv6 is a temporary mitigation,
but Microsoft advises against it due to potential system issues. Given its high likelihood of
exploitation, users are strongly advised to install the latest security updates immediately.
Texas Attorney General Ken Paxton has filed a lawsuit against General Motors,
accusing the automaker of violating the privacy rights of millions of Texans by selling their location and driving data.
The suit alleges GM misled drivers into sharing data,
which was then sold to data brokers and used to influence insurance rates without drivers' consent.
This action marks the first state-level enforcement against an automaker for such
data practices. GM says they're currently reviewing the complaint and they've expressed a commitment to consumer privacy.
Google's Threat Analysis Group (TAG) has identified APT42, an Iranian-backed group linked to the
Islamic Revolutionary Guard, as responsible for recent phishing attacks targeting the Biden-Harris
and Trump campaigns. These attacks aim to compromise the personal email accounts of
individuals connected to the campaigns, including former U.S. officials. TAG blocked many of these
attempts and reported the activity to law enforcement. APT42 is known for using sophisticated
social engineering tactics, such as posing as journalists and event organizers to lure victims.
This group's activities reflect Iran's efforts to influence political outcomes and support its
military objectives. Recent months have seen increased targeting of U.S. and Israeli entities,
with APT42 adapting its methods to exploit various platforms like Google Meet, OneDrive, and WhatsApp.
Other security firms, including Microsoft, have also reported heightened activity from
Iranian threat groups as the 2024 U.S. elections approach.
The Russian disinformation network Doppelganger is struggling to sustain its operations following
a crackdown on its infrastructure,
triggered by reports that European hosting companies were unknowingly supporting the Kremlin-linked campaign.
The Bavarian State Office for the Protection of the Constitution revealed
that Doppelganger operators hastily backed up systems and secured data after the exposure.
Active since May 2022, the network created fake social media profiles, websites, and news portals to spread propaganda across Germany,
France, the U.S., Ukraine, and Israel. German authorities confirmed the network's Russian ties,
noting operations aligned with Moscow's time zones and holidays.
Palo Alto Networks has issued patches for several vulnerabilities, including a high-severity issue
which affects the Cortex XSOAR product. This flaw allows unauthenticated attackers to execute
commands within certain configurations. Patches are available, starting with version 1.12.33.
Additionally, updates were released for Prisma Access Browser,
addressing over 30 vulnerabilities in the Chromium-based browser.
Two medium-severity flaws were also patched,
impacting PAN-OS and the GlobalProtect app.
Palo Alto Networks is not aware of any active exploitation of these vulnerabilities.
A report from Sophos X-Ops examines the Mad Liberator extortion gang.
Emerging in mid-2023, the group uses social engineering and the AnyDesk remote access tool
to steal data from organizations and demand ransom.
Unlike traditional ransomware,
it primarily focuses on data exfiltration but may also encrypt files as part of a double extortion strategy. The group operates a leak site to pressure victims into paying by threatening
to release stolen data. Victims are tricked into granting AnyDesk access, often believing the request is
from legitimate IT staff. The attacks last several hours, with files stolen and ransom
notes deployed before the session ends. Researchers from security firm Fortra document
a newly discovered vulnerability that can cause a blue screen of death on Windows 10, 11, and Server 2022, even with all updates installed.
This flaw, due to improper input validation,
allows attackers with physical access to repeatedly crash the system
by manipulating a BLF file.
Fortra reported the issue to Microsoft in December of 2023, but it was initially dismissed.
Fortra published the vulnerability in August 2024 after successfully reproducing the problem.
The issue poses a risk of denial of service and data loss.
CyberCX Intelligence has been tracking the Green Cicada network,
a group of at least 5,000 AI-controlled inauthentic X (Twitter) accounts,
likely part of an emerging information operation linked to China.
This network primarily amplifies divisive U.S. political issues
with potential intentions to interfere in the upcoming presidential election.
The system, associated with Chinese AI research,
has shown increasing activity since July 2024
and has been refining its operations to avoid detection.
CyberCX warns of the growing use of generative AI in malicious activities
and urges organizations to update their threat models accordingly.
Kim Dotcom, the German-born internet entrepreneur, is being extradited to the United States to face
criminal charges linked to his defunct file-sharing platform, Megaupload. The U.S. Department of
Justice accuses Dotcom of enabling widespread piracy,
costing entertainment companies over $500 million.
After moving to New Zealand in 2010, Dotcom's Auckland mansion was raided in 2012,
following an FBI request.
Since then, he has fought extradition while promoting conspiracy theories online.
New Zealand's justice minister recently signed the order for his extradition. Two former Megaupload
officers have already been sentenced after avoiding extradition through plea deals.
Coming up after the break, our guest, Rui Ribeiro, CEO at Jscrambler,
discusses how the extensive use of first- and third-party JavaScript is a blessing and a curse.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and help you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your
company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
Rui Ribeiro is CEO at Jscrambler,
and I recently sat down with him to discuss
how the extensive use of first- and third-party JavaScript
is a blessing and a curse.
So let's focus on a specific use of JavaScript,
which was exactly what it was created for.
It's the language that basically is used by every browser to drive
every possible interaction out to make rich interfaces and proper interfaces for the end
users. So we're talking about the client side. It's executed mainly on the client side for the
purposes that we are talking here. And it's also a way for companies
to add functionality to their websites.
So as you understand,
when you're building an e-commerce web store,
you are focused on delivering
the best experience to your users.
And you might not even be
a very technically savvy company,
but you want to make sure
that they have the possibility
to interact with the support desk.
They have a chat that we can show videos about your product, that you can even show
through the experiences, that you have proper payment, that you have proper shipping
calculation, like all of those things are brought through partners.
Most of the time, these integrations are done by JavaScript on the client
side. So this is code that's running on your browser and it's doing all those functionalities.
And so what are some of the challenges here? What's the potential security implications of this?
All of these third parties, so the company that's providing the chat, the company that's providing the payment,
the company that's providing the monitoring capabilities, the analytics, Facebook, Google,
like all of these companies. And on average, you have about 70 companies there. So 70 vendors
are there. All of them can access all the data that's either being displayed or typed on a page.
So this means that when you're typing a credit card, many of them could be eavesdropping.
That doesn't mean that they are, but they could be because there's nothing limiting.
So if you look at it, all of the information that ever exists on a database today from
a company has either been typed in, most likely through a browser or a mobile application,
because it's there and it's useful for you as an end user, it can be displayed.
So it's a very big problem if exploited.
And it has been exploited many times.
The most known one, of course, is credit card skimming,
so stealing credit cards from checkout pages.
And that's what drove the PCI Council to create a new directive
that, among other things, the PCI DSS v4 requires companies that provide
checkout pages to know the third parties that are there and also to make sure that they are not
stealing your credit cards. So this is a problem that has existed for a long time, but it is a problem that became much more relevant by the fact that today we have accepted and we built websites by bringing in lots of third parties into the experience.
So help me understand here. I mean, suppose I'm relying on a third party to be able to have a credit card functionality on my website. But then I've got another third party who's taking
care of my chat functionality. Is it possible that the folks who are taking care of the chat
functionality would have a view into what's going on in the credit card functionality?
Not only a possibility, it has happened several times exactly on the chat example. I think that
Newegg was the case. I think Forbes also had a similar case. So it has happened many times
already. And in some situations, it was due to some form of attack. In some other situations, it's just like
misconfiguration. I'm going to give you like another example on that. So you know that when
you are engaging with a website, someone is trying to see if everyone is having a very good
experience. So they have tools that track the users and see where they are clicking,
where they are stopping engaging with the website, that kind of thing.
Most of them are designed to capture all the information that's being displayed
because that's how they can then make business decisions.
If they are incorrectly configured and they are on the checkout page,
which they are because a company has invested a lot of money to get you to
buy a product.
So they want to know when you're on the checkout page, if you're having any issues in buying
that product.
If it's not correctly configured, it will capture all that credit card information.
Because it was a tool designed to do so.
Right, right.
So, I mean, it strikes me that what we're talking about here
is kind of vulnerability from two directions.
I mean, there's the consumer themselves
who want to protect themselves against a website
that they're interacting with
that potentially has these sort of vulnerabilities taking place.
But then on the other side,
you've got the folks who are building the websites
who want to make sure that they're not inadvertently falling victim to something like this on their end.
Yes, but I would say the consumers, they shouldn't be concerned by the fact that if we build the
experience properly, if we build the websites properly, the consumer doesn't need to, or we
cannot put that burden on the consumer. We have to put that burden on the company that's providing
the service. And it's clear today that this is exactly what is going to be done by all the
governments, at least the EU, European Union and the US,
I've clearly stated, like, you are providing the website,
you are providing all these third parties,
it's your responsibility if any of them misstep.
This is pretty clear.
And we have recently seen an example,
which is totally different than the ones that I've shared moments ago,
which is the example of the hospital that added the Facebook pixel to every web page.
And when you were booking an oncology appointment, basically Facebook would know that you had some oncology problem.
And then it would start feeding you ads about miracle cures.
So if you look at it, that type of information was, again,
it was not a vulnerability.
It was a misconfiguration, like the Facebook pixel shouldn't be on that page
or knowing that Facebook does this,
the hospital must make sure that Facebook is never on any page
where it could infer something about your health status.
It was the hospital that had to do the settlement, not Facebook,
because it was the hospital that brought in Facebook
into that page.
So if you look at it, things are starting to make sense in the way that I'm providing
the service, I bring all these partners, I am responsible for all of them.
But that means that these companies must have ways to control these partners.
And that's where we come in as Jscrambler, because we provide you with a way to continue to innovate,
to add the Facebook,
to add the video,
to add the AI chatbot,
to add all of these features that you need to provide a very good experience,
but still sandbox them and make sure that
none of them is accessing information from your users.
Because it's not just about the privacy of your users,
it's also about the privacy of your own business.
Because all of these third parties,
they have access,
could have access to all your user data.
And if they could have access to all your user data,
they can sell it, they can abuse it in some way,
so they could really hurt your business model.
So what we are saying is, yes, innovate,
but at least put the controls in place.
Because today, it's incredibly dangerous for a company.
They are exposing a lot of data to third parties.
Well, help me understand, you know,
what are the types of options that are available?
I mean, I know you mentioned you and your colleagues at Jscrambler.
You're doing some kind of sandboxing there.
Describe to me how that sort of thing works.
So the idea here is that every piece of JavaScript that's there
or every vendor that's there, we are sandboxing them.
So we know that this, for example, chat application, it's designed to just communicate and never access credit card information.
So we can set policies and say, we are ringing in this vendor.
He can only communicate with this server.
He can only do this type of actions.
And he's not able to access credit cards, social security, or whatever information.
If the script misbehaves because it's badly configured or because it is under attack or
it's a vulnerability that has been implemented or its supply chain has been compromised in
any way and it's behaving differently, we were able to detect it and block it.
So looking at the example of a Magecart attack,
like stealing a credit card information,
imagine that that experience,
you have that chat application,
and that chat application starts misbehaving
and starts accessing credit card information.
If we are there, a solution like Jscrambler,
which is sandboxing and monitoring that third party,
what we can do is
after we can either block it from day one or we will notice the behavior change and after
verifying that it has in fact been compromised in some way, we can start blocking it or remove that vendor altogether. So this means that for a company,
you have reduced the impact for that attack
or for that vulnerability to a few credit cards
instead of hundreds of thousands of credit cards
that would be left there to be stolen for months and months.
So this is like the idea that the problem
will happen. The question is
how big it's going to be for you.
And with tooling such as ours, we can really make sure that it is zero to naturally but for a company.
That's Rui Ribeiro,
CEO at Jscrambler.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And finally, in the world of professional cycling, where cheating has taken many forms,
a new high-tech threat has emerged, gear-shifting sabotage.
Researchers recently revealed that hackers could exploit Shimano's wireless shifting systems
to disrupt races by forcing bikes to shift gears at critical moments.
The attack is surprisingly simple, requiring only off-the-shelf hardware,
and could wreak havoc during events like the Tour de France.
While Shimano is rushing to patch the vulnerability, the incident highlights the unintended risks of adding wireless features to everyday tech, including bikes.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights
that keep you a step ahead
in the rapidly changing world of cybersecurity.
If you like our show,
please share a rating and review in your podcast app.
Please also fill out the survey in the show notes
or send an email to cyberwire at n2k.com.
We're privileged that N2K Cyber Wire
is part of the daily routine of the most influential leaders and operators in the public and private sector.
smarter about your teams while making your teams smarter. Learn how at n2k.com.
This episode was
produced by Liz Stokes. Our mixer is Trey Hester with original music and sound design by Elliot
Peltzman. Our executive producer is Jennifer Iben. Our executive editor is Brandon Karp.
Simone Petrella is our president. Peter Kilby is our publisher. And I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.