CyberWire Daily - When AI goes offline.

Episode Date: December 12, 2024

ChatGPT and Meta face widespread outages. Trump advisors explore splitting NSA and CyberCom leadership roles. A critical vulnerability in Apache Struts 2 has been disclosed. “AuthQuake” allowed attackers to bypass Microsoft MFA protections. Researchers identify Nova, a sophisticated variant of the Snake Keylogger malware. Adobe addresses critical vulnerabilities across their product line. Chinese law enforcement has been using spyware to collect data from Android devices since 2017. A new report highlights the gaps in hardware and firmware security management. A Krispy Kreme cyberattack creates a sticky situation. N2K’s Executive Editor Brandon Karpf speaks with guest Mike Silverman, Chief Strategy and Innovation Officer at the FS-ISAC, discussing cryptographic agility. Do Not Track bids a fond farewell.

CyberWire Guest

Today, N2K’s Executive Editor Brandon Karpf speaks with guest Mike Silverman, Chief Strategy and Innovation Officer at the FS-ISAC, discussing cryptographic agility. You can learn more in their new white paper "Building Cryptographic Agility in the Financial Sector." We will share the extended version of this conversation over our winter break. Stay tuned.
Selected Reading

ChatGPT Down Globally, Services Restored After Hours Of Outage (Cyber Security News)
Facebook, Instagram and other Meta apps go down due to 'technical issue' (CNBC)
Unfinished business for Trump: Ending the Cyber Command and NSA 'dual hat' (The Record)
Apache issues patches for critical Struts 2 RCE bug (The Register)
Microsoft MFA Bypassed via AuthQuake Attack (SecurityWeek)
Nova Keylogger – A Snake Malware Steal Credentials and Capture Screenshorts From Windows (Cyber Security News)
Adobe releases December 2024 patches for flaws in multiple products, including critical (Beyond Machines)
Mobile Surveillance Tool EagleMsgSpy Used by Chinese Law Enforcement (SecurityWeek)
Three-Quarters of Security Leaders Admit Gaps in Hardware Knowledge (Infosecurity Magazine)
Krispy Kreme cyberattack impacts online orders and operations (Bleeping Computer)
Firefox, one of the first “Do Not Track” supporters, no longer offers it (Ars Technica)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe.
Starting point is 00:01:22 Now at a special discount for our listeners: today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. ChatGPT and Meta face widespread outages. Trump advisors explore splitting NSA and CyberCom leadership roles. A critical vulnerability in Apache Struts 2 has been disclosed. AuthQuake allows attackers to bypass Microsoft MFA protections.
Starting point is 00:02:19 Researchers identify Nova, a sophisticated variant of the Snake Keylogger malware. Adobe addresses critical vulnerabilities across their product line. Chinese law enforcement has been using spyware to collect data from Android devices since 2017. A new report highlights the gaps in hardware and firmware security management. A Krispy Kreme cyber attack creates a sticky situation. N2K's Executive Editor Brandon Karpf speaks with guest Mike Silverman, Chief Strategy and Innovation Officer at the FS-ISAC,
Starting point is 00:02:50 discussing cryptographic agility, and Do Not Track bids a fond farewell. It's Thursday, December 12th, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today. Great to have you with us. OpenAI's ChatGPT faced a global outage on Thursday morning, impacting millions of users and businesses relying on its services. The disruption lasted nearly three hours and also affected OpenAI's API and Sora platforms. Frustrated users flooded social media
Starting point is 00:03:51 with complaints about errors and degraded performance. Over 28,000 reports were logged on DownDetector. OpenAI quickly acknowledged the issue on X (formerly Twitter) and worked to resolve it, restoring full functionality by mid-morning. The outage highlighted growing reliance on AI tools and the operational challenges posed by such disruptions. Meanwhile, Meta experienced a similar issue the day before, with widespread outages affecting Facebook, Instagram, WhatsApp, and Threads for hours.
Starting point is 00:04:24 Both incidents underline vulnerabilities in digital infrastructure and the cascading effects on global users. While OpenAI's swift response was appreciated, it reinforces the need for robust reliability as AI becomes central in modern life. Advisors to President-elect Donald Trump are revisiting plans to separate U.S. Cyber Command and the National Security Agency, currently led under a dual-hat structure. This idea, previously explored during Trump's first term, has resurfaced within the transition
Starting point is 00:05:00 team and right-wing think tanks. Proponents argue the roles are too vast for one leader, while critics warn of operational inefficiencies and risks to NSA's intelligence gathering integrity. The arrangement, established in 2010, has sparked debates across administrations, with President Biden's 2022 review favoring its retention. Legal hurdles exist, but Trump could bypass Congress with executive actions. A split would raise complex restructuring questions and could dilute CyberCom's and NSA's effectiveness. Lawmakers remain skeptical, emphasizing the need for clear justification. Critics also highlight the irony of Trump's anti-bureaucracy stance,
Starting point is 00:05:46 driving a move that could create new administrative challenges. For now, the dual-hat structure remains intact. A critical vulnerability in Apache Struts 2 has been disclosed with a near-maximum severity score. This flaw allows remote code execution via malicious file uploads and lacks a workaround, making patching to the latest version essential. Applications not using the deprecated file upload interceptor are unaffected. Updating requires rewriting actions for compatibility. Despite alternatives, Struts 2 remains popular with significant downloads monthly. This vulnerability underscores risks,
Starting point is 00:06:31 recalling Struts' role in the 2017 Equifax breach. Oasis Security revealed details of a critical vulnerability in Microsoft's multi-factor authentication system dubbed AuthQuake, which allowed attackers to bypass MFA protections. Reported in June, the flaw was temporarily patched within days, with a permanent fix issued in October. Exploiting the flaw required only the target's username and password, enabling access to sensitive services like Outlook, OneDrive, Teams, and
Starting point is 00:07:06 Azure. The attack method allowed repeated attempts to guess six-digit MFA codes within three-minute validity windows. By launching multiple simultaneous sessions, attackers could achieve over a 50% success rate within 70 minutes without alerting victims. Oasis highlighted the severity given Microsoft's 400-plus million Office 365 seats. Microsoft's fix implemented stricter rate limits, halting attempts after several failures for approximately half a day, mitigating brute force risks. Security researchers from Any.run have identified Nova, a sophisticated variant of the Snake
Starting point is 00:07:50 Keylogger malware, showcasing advanced data stealing and evasion capabilities. Built in VB.NET, Nova employs techniques like process hollowing to inject payloads into suspended processes alongside heavily obfuscated code using tools like the .NET Reactor obfuscator. It targets credentials, captures screenshots, monitors clipboards, and exfiltrates data via Telegram, FTP, and SMTP. Spreading through phishing campaigns, Nova also employs geolocation tracking and browser password decryption. Adobe has released security updates addressing critical vulnerabilities across various software, including Acrobat, Photoshop, Illustrator, and Substance 3D. Flaws like buffer overflows, out-of-bounds writes, and use-after-free vulnerabilities
Starting point is 00:08:45 could enable remote code execution or privilege escalation. Affected products include Substance 3D Painter, Animate, FrameMaker, Connect, and others, impacting both Windows and macOS. Users are urged to update to patched versions as no workarounds are available. These vulnerabilities, with CVSS scores up to 9.3, highlight the importance of timely updates. Cybersecurity firm Lookout reports that Chinese law enforcement has been using spyware, dubbed EagleMsgSpy, to collect extensive data from Android devices since 2017. Developed by Wuhan ChinaSoft Token Information Technology,
Starting point is 00:09:30 the tool requires physical access to unlock devices for installation. The spyware collects SMS messages, app communications, call logs, contacts, and GPS data, and records screens and audio. Data is stored in a hidden directory, encrypted, and sent to a command and control server with an admin panel. While linked to local Chinese police bureaus, EagleMsgSpy's source code suggests a connection to surveillance tools like CarbonSteal, previously used to monitor minorities such as Uyghurs and Tibetans. An iOS version has not been found. A new report from HP Wolf titled
Starting point is 00:10:14 Securing the Device Lifecycle from Factory to Fingertips highlights critical gaps in hardware and firmware security management across global organizations. Based on a survey of 6,000 workers and 800 IT and security decision makers, referred to in the report as ITSDMs, the findings reveal that procurement processes rarely involve IT security teams, with 52% admitting limited collaboration with procurement to verify supplier security claims. Over 79% acknowledge major gaps in hardware and firmware knowledge, leaving organizations vulnerable throughout the device life cycles.
Starting point is 00:10:58 Key issues include weak BIOS password practices, delays in firmware updates, and blind spots in hardware threat detection. Additionally, over 60% struggle to detect or remediate hardware vulnerabilities, while frustrated employees sometimes resort to unauthorized repairs. Endpoint risks persist at device retirement, with 70% of employees keeping old devices, risking data leaks. The report underscores the need for prioritizing hardware and firmware security to enhance resilience, sustainability, and cost efficiency. Krispy Kreme experienced a cyber attack on November 29th, disrupting its online ordering system in the United States,
Starting point is 00:11:43 but leaving in-person orders and deliveries unaffected. The company immediately engaged cybersecurity experts to contain and investigate the breach, although the full scope and nature remain unclear. Digital sales, which account for just over 15% of Krispy Kreme's revenue, are significantly impacted, leading to a reasonable financial loss from decreased revenue and recovery costs. The company's stock fell 2% following the disclosure.
Starting point is 00:12:12 Krispy Kreme has not confirmed whether ransomware was involved, and no groups have claimed responsibility. The company continues to restore operations while working to mitigate further impact. Despite the disruption, global operations and partnerships, such as with McDonald's, remain unaffected. Recovery efforts are ongoing, but no timeline for resolution has been provided. Even donuts can't escape the sticky fingers of cybercriminals. Is nothing sacred? Coming up after the break,
Starting point is 00:12:54 Brandon Karpf speaks with Mike Silverman from the FS-ISAC, and Do Not Track bids a fond farewell. Stay with us. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Starting point is 00:13:39 Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Starting point is 00:14:23 And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. Mike Silverman is Chief Strategy and Innovation Officer at the FS-ISAC. He recently sat down with N2K's Executive Editor, Brandon Karpf, to discuss cryptographic agility. And we are joined today by Mike Silverman, Chief Strategy and Innovation Officer at the FS-ISAC. Good friends of the podcast. Mike, so great to have you on the show. It's a pleasure. Thank you for having me here. So what we're talking today about is a recent publication from FS-ISAC
Starting point is 00:15:38 on building cryptographic agility in the financial sector, just published in October 2024. And this is coming out, I imagine, for a few reasons. But before we get into the details of this publication, Mike, I'd be really curious, what is cryptographic agility? You know, it's a funny question. I run the Post-Quantum Cryptography Working Group at FS-ISAC, which is 30 or so cryptography and cybersecurity experts at financial services firms from around the globe, all working together for this common
Starting point is 00:16:10 cause. And actually, the genesis of the paper was there was no definition of cryptographic agility. That's why we actually came together. And it took us three months to actually come up with a concise enough definition that made us feel comfortable to share with others. Okay. I'll say it's two parts. One, there's the direct piece, which is to be able to swap out a cryptographic algorithm and all of its components, certificates, and other sort of things when needed as a result of a vulnerability or a cryptanalysis attack or some sort of reason for needing
Starting point is 00:16:47 to switch this cryptographic infrastructure. But the other part is that cryptographic agility is a design principle. It's a maturity that you try to obtain. Today, none of us are cryptographically agile. If we had to switch, it'd be a one-off manual effort. The idea here is that the goal would be, over time, build the capability so that when you switch these cryptographic algorithms and infrastructure, you do so with no or very minimal disruption to the business. That's the ultimate goal. And you have to design for that.
Starting point is 00:17:23 That is not something that you can just wave a magic wand or just ask one developer to do. This is an ecosystem, infrastructure, process, and people change to make this happen. So I think back to when I was doing cryptographic type work and how many pieces of our technical and operational infrastructure were touched by our use of cryptology and cryptographic systems?
Starting point is 00:17:49 So when you talk about crypto agility, I mean, what are some of these key challenges that organizations face in changing a cryptographic system? For an organization to actually change their use of a system or change their system entirely, what are they going to be confronted with? Everything gets touched when it starts to come to crypto agility. It is the code written in applications. If we're thinking digital signatures or symmetric cryptography, we're thinking of all of those keys that need to be rotated or chained from the old to the new.
Starting point is 00:18:30 There's questions. Do you preserve the old and put the new on top of that? Do you decrypt and then re-encrypt with the new? There's a lot of challenges to think about that way. There's certificates and where you store these keys and the parameters you use on these things. There's some consideration of the endpoint. Is this a point of sale device that's very limited in hardware versus a full-blown server? Your point of sale systems may not be
Starting point is 00:18:59 able to embrace the newest, latest, biggest algorithms that you want to use elsewhere in your ecosystem. I could keep going, but I think you get the idea. This is a very holistic sort of approach. This is hard. Yeah, this is hard. And so, you know, why now? What was the genesis, right? Sure, needing a definition of crypto agility, but why is the FS-ISAC publishing this work today? The biggest reason why we're starting now is, and it's FS-ISAC's raison d'être, is to preserve trust within the financial services sector. Our system is built on trust, right? You need to know that as a customer of a financial institution, you put money in, you get the right amount of money back out. Institutions need to be able to trade with one another and know that they're going to take the other side of that trade, good or bad, positive or negative.
Starting point is 00:19:51 That's the only way this system works, right? So we, let me go back to the basics. We use cryptography for confidentiality, for integrity, for non-repudiation, for authentication, right? Authenticity. The basics of that is all of those aspects help build to preserve the trust within the ecosystem. So introduce this attack vector of quantum computers. Now, quantum computers have an amazing upside. They will help research in chemistry and risk analysis in many different dimensions, solving huge mathematical problems we can't do on classic computers today. There's the downside risk, though, which is when a quantum computer becomes sufficiently large,
Starting point is 00:20:37 or a cryptographically relevant quantum computer, or CRQC, it will be able to factor huge prime numbers. And factoring huge prime numbers is the basis for asymmetric cryptography today. RSA is built on that. That is the public-private key on how we establish most web sessions today. If that gets compromised, essentially anyone could be listening in at the start of a web session and be monitoring that traffic going forward. And so for us, that is a huge problem, and we need to get ahead of it. Now, financial services has been through quite a few cryptographic transitions before. Single DES to Triple DES, Triple DES to AES. RSA 1024 to 2048, right?
Starting point is 00:21:29 There have been these things, but we have always been treating these as one-offs. Just get to the next one, and this algorithm will work for our lifetime. Get to the next one, this will work for a lifetime. And what we're realizing over and over and over again is we should not be taking that as fait accompli anymore. These transitions
Starting point is 00:21:47 are going to keep coming. And the size of these transitions are just growing in speed, in complexity. The number of endpoints are growing. The amount of electronic transactions that occur versus physical transactions, the speed.
Starting point is 00:22:04 Every transition has been bigger and bigger, exponentially bigger and bigger than the last one. And once we're realizing we can no longer take our algorithms to last 30 years, we need to think differently. We need to design for
Starting point is 00:22:20 the fact that these algorithms are going to change, which is a new concept for us, but we have to design for that. That's what cryptographic agility does, to design, expect these things to maybe fail so that we can preserve the trust within the ecosystem. I love that approach and that way of thinking that let's make this modular,
Starting point is 00:22:39 let's build or design or engineer what you all have termed the crypto agility into our systems. Well, the report is Building Cryptographic Agility in the Financial Sector, published by the FS-ISAC. We, of course, will have a link to that in the show notes. It's a great report. There is a lot in here. Mike, so great having you on the show. We will have you back soon. Oh, my pleasure. Thank you so much for having me, Brandon. That's Mike Silverman from the FS-ISAC speaking to N2K Executive Editor, Brandon Karpf.
Starting point is 00:23:45 ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And finally, in a bittersweet farewell, Firefox has decided to retire its Do Not Track or DNT feature in the latest version, signaling the final unraveling of an idealistic privacy movement born over a decade ago. Once hailed as the browser world's equivalent of a no trespassing sign, DNT was meant to give users a simple way to say hands off to advertisers. Sadly, it turns out that advertisers did not read the sign, or they just ignored it. Mozilla championed DNT early on, hoping the advertising industry would
Starting point is 00:24:52 voluntarily respect user privacy preferences. But like a New Year's resolution to go to the gym, compliance waned. Other browsers like Chrome and Edge still offer this setting, although they admit it's mostly symbolic. Meanwhile, Apple abandoned Do Not Track years ago, pointing out it did more to enable tracking via fingerprinting than to stop it. So why the failure? No teeth. Without enforcement, Do Not Track was a polite suggestion in a world of ruthless data mining.
Starting point is 00:25:26 Advertisers preferred to define their own privacy-friendly practices, and even industry pledges fizzled. Eventually, newer technologies like Global Privacy Control emerged, while users turned to VPNs and cookie blockers to navigate the tracking minefield. Mozilla's move to axe Do Not Track is less a tragedy and more a long-overdue acknowledgement of reality. While people clearly value privacy, they've learned they can't rely on advertisers to protect it. The dream of Do Not Track may be dead, but the fight for privacy continues, just with sharper tools. And that's The CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Starting point is 00:26:31 We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people.
Starting point is 00:27:12 We make you smarter about your teams while making your teams smarter. Learn how at n2k.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher. And I'm Dave Bittner.
Starting point is 00:27:32 Thanks for listening. We'll see you back here tomorrow. Bye.
