CyberWire Daily - When exploits go wild and patches race the clock.

Episode Date: December 11, 2024

Microsoft confirms a critical Windows zero-day vulnerability. Global law enforcement agencies dismantle 27 DDoS platforms. Researchers compromise memory in AMD virtual machines. Ivanti reports multiple critical vulnerabilities in its Cloud Services Application. Group-IB researchers expose a sophisticated global phishing campaign. A zero-day vulnerability in Cleo's managed file transfer software is under active exploitation. The U.S. sanctions a Chinese firm for a 2020 firewall exploit. Congress looks to require the FCC to regulate telecom cybersecurity. Our guest is Malachi Walker, Security Strategist at DomainTools, discussing their role in ODNI's newly established Sentinel Horizon Program. SpartanWarriorz dodge a Telegram crackdown.
Selected Reading
New Windows 0Day Attack Confirmed—Homeland Security Says Update Now (Forbes)
Microsoft Fixes 71 CVEs Including Actively Exploited Zero-Day (Infosecurity Magazine)
Atlassian, Splunk Patch High-Severity Vulnerabilities (SecurityWeek)
Chrome Security Update, Patch for 3 High-severity Vulnerabilities (Cyber Security News)
ICS Patch Tuesday: Security Advisories Released by Siemens, Schneider, CISA, Others (SecurityWeek)
Operation PowerOFF Takes Down DDoS Boosters (Infosecurity Magazine)
AMD Chip VM Memory Protections Broken by BadRAM (Security Boulevard)
Three more vulns spotted in Ivanti CSA, all critical, one 10/10 (The Register)
Global Ongoing Phishing Campaign Targets Employees Across 12 Industries (Hackread)
New Cleo zero-day RCE flaw exploited in data theft attacks (Bleeping Computer)
US Sanctions Chinese Firm at Center of Global Firewall Hack (Infosecurity Magazine)
Wyden legislation would mandate FCC cybersecurity rules for telecoms (CyberScoop)
Scam Kit Maker Rebuilding Business After Telegram Channel Shut Down (Security Boulevard)

The CyberWire is a production of N2K Networks. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Microsoft confirms a critical Windows zero-day vulnerability. Global law enforcement agencies dismantled 27 DDoS platforms. Researchers compromise memory in AMD virtual machines. Ivanti reports multiple critical vulnerabilities in its Cloud Services Application.
Starting point is 00:02:19 Group-IB researchers expose a sophisticated global phishing campaign. A zero-day vulnerability in Cleo's managed file transfer software is under active exploitation. The U.S. sanctions a Chinese firm for a 2020 firewall exploit. Congress looks to require the FCC to regulate telecom cybersecurity. Our guest is Malachi Walker, security strategist at DomainTools, discussing their role in ODNI's newly established Sentinel Horizon Program. And SpartanWarriorz dodge a Telegram crackdown. It's Wednesday, December 11th, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Starting point is 00:03:21 Hello, and thank you for joining us here today. Great to have you with us, as always. Microsoft has confirmed a critical zero-day vulnerability impacting all Windows editions back to Server 2008, which is currently being exploited in the wild. The flaw, a heap-based buffer overflow in the Windows Common Log File System driver, poses significant risks, including full system compromise. With a CVSS score of 7.8, experts suggest treating this as a critical issue.
Starting point is 00:03:54 CISA has added the vulnerability to its known exploited vulnerabilities catalog, urging immediate patching. Cybercriminals, particularly ransomware groups, are expected to exploit this flaw, given their history of targeting CLFS vulnerabilities. While Microsoft included a fix in December's Patch Tuesday updates, experts emphasize that the aging CLFS codebase requires a complete overhaul to prevent future issues. All Windows users are strongly advised to update their systems promptly to mitigate the risks. And speaking of Patch Tuesday, in total, Redmond's update included fixes for 16 critical vulnerabilities, many targeting remote code execution. These include nine flaws in Windows Remote Desktop services, three in lightweight directory access protocol, and two in Microsoft message queuing.
Starting point is 00:04:51 One LDAP flaw stands out with a CVSS score of 9.8, allowing attackers to execute code via specially crafted LDAP calls. Microsoft advises restricting domain controller exposure to mitigate risks. Atlassian and Splunk released patches addressing over two dozen vulnerabilities across their products. Atlassian fixed 10 high-severity flaws in Bamboo, Bitbucket, and Confluence, impacting third-party components like Apache Commons Compress, AWS SDK, Hazelcast, and Bouncy Castle. No exploitation has been reported, but updates are strongly advised. Splunk resolved 15 vulnerabilities, including a high-severity deserialization flaw in Secure Gateway that allows remote code execution. Splunk Enterprise versions also received fixes
Starting point is 00:05:46 for additional bugs. No active exploitation of these flaws has been reported. Google has released a critical Chrome update to address three high-severity vulnerabilities. These include a type confusion flaw in the V8 JavaScript engine, a use-after-free bug in the Translate feature, and an undisclosed flaw to prevent exploitation during the rollout. The December 2024 ICS Patch Tuesday brought critical security updates from CISA and major industrial automation companies. Schneider Electric addressed a critical flaw in Modicon controllers allowing unauthenticated disruption, a high-severity vulnerability in Harmony and Pro-face HMI products enabling device control via malicious code, and a medium-severity denial-of-service bug in PowerChute Serial Shutdown.
Starting point is 00:06:47 Siemens released 10 advisories, including high-severity issues in RUGGEDCOM ROX II devices, SIMATIC S7 products, and engineering tools like Teamcenter Visualization. Some vulnerabilities lack patches but offer mitigations. Rockwell Automation disclosed high-severity code execution flaws in its Arena software, while CISA issued seven advisories highlighting vulnerabilities in Horner Cscape, National Instruments LabVIEW, and MOBATIME Network Master Clock. Phoenix Contact also warned of security issues in PLCnext firmware. Elsewhere, global law enforcement agencies have dismantled 27 platforms used for launching distributed denial-of-service attacks, arresting three administrators in France and
Starting point is 00:07:34 Germany, and identifying over 300 users. Dubbed Operation PowerOFF, the effort targeted booter and stresser websites used by cybercriminals and hacktivists to disrupt websites with illegal traffic. Europol provided analytical and forensic support, while prevention measures included online ad campaigns warning against DDoS activities, targeting potential offenders through YouTube and Google Ads. Over 250 warning letters and 2,000 emails were also issued to deter future misuse. Researchers have uncovered a vulnerability dubbed BadRAM that
Starting point is 00:08:15 compromises AMD's Secure Encrypted Virtualization Secure Nested Paging feature in its EPYC processors, designed to protect memory in virtual machines. Using only $10 of hardware, attackers can exploit the vulnerability by tampering with the SPD chip on DRAM modules, tricking the CPU into accessing unauthorized memory areas. BadRAM allows attackers to bypass memory protections, expose sensitive data, and compromise SEV-protected virtual machines, including faking remote attestation reports and inserting backdoors. While primarily a concern for cloud environments, insider threats or unlocked BIOS settings could enable attacks without physical access. AMD has worked with researchers to mitigate the issue,
Starting point is 00:09:11 releasing firmware updates to validate memory configurations at boot. Organizations are urged to update their processors. Ivanti has issued a security advisory for three critical vulnerabilities in its Cloud Services Application, including a maximum 10-rated flaw, which allows unauthenticated attackers to gain administrative privileges via authentication bypass in the admin web console. Two additional vulnerabilities, both rated 9.1, include a command injection flaw enabling remote code execution and an SQL injection bug that allows arbitrary SQL commands. Patches are available. Ivanti stated there is no evidence of exploitation but urges immediate updates to prevent potential risks. This follows previous high-profile CSA vulnerabilities flagged
Starting point is 00:10:01 by CISA due to active exploitation risks. A sophisticated phishing campaign is targeting employees of over 30 companies across 12 industries, including energy, finance, and government sectors. Using trusted domains, dynamic company branding, and document platform impersonation, attackers bypass email security to steal login credentials via over 200 malicious links. Stolen credentials are sent in real time to attackers via C2 servers or Telegram bots. Group-IB researchers exposed the campaign
Starting point is 00:10:39 and urge organizations to implement multi-factor authentication, advanced email filters, and employee training to mitigate risks. Hackers are actively exploiting a zero-day vulnerability in Cleo's managed file transfer software, impacting products like Harmony, VLTrader, and LexiCom. The flaw allows unrestricted file uploads and remote code execution, bypassing a prior patch from October of this year. Attackers use PowerShell commands to steal data, deploy web shells, and compromise systems. With over 390 exposed servers globally, most in the U.S.,
Starting point is 00:11:21 researchers at Huntress recommend immediate mitigations, including firewall restrictions, disabling autorun features, and checking for malicious files. Cleo plans to release a patch soon. The U.S. government has sanctioned Chinese firm Sichuan Silence and employee Guan Tianfeng for exploiting a firewall vulnerability in a 2020 attack affecting 81,000 devices globally, including U.S. critical infrastructure. The attackers employed the Asnarok Trojan to steal credentials and attempted to install Ragnarok ransomware, risking serious damage and potential loss of life, such as oil rig malfunctions. Sichuan Silence, linked to Chinese intelligence, specializes in offensive cyber techniques. Sanctions freeze their U.S. assets, and a $10 million reward is offered for further information.
Starting point is 00:12:21 Senator Ron Wyden introduced legislation to require the FCC to regulate telecom cybersecurity under the 1994 Communications Assistance for Law Enforcement Act, CALEA. This response follows the Salt Typhoon breach, where Chinese-linked hackers infiltrated U.S. telecom networks, compromising calls and messages in a years-long espionage campaign. The proposed bill mandates FCC action within a year with input from CISA and the Office of the Director of National Intelligence and includes annual testing of telecom systems for vulnerabilities. It also requires independent audits to ensure compliance. Wyden criticized the FCC
Starting point is 00:13:07 for previously allowing telecom companies to self-regulate cybersecurity, calling it a failure that enabled foreign spying. The legislation builds on FCC efforts to strengthen telecom security and Wyden's broader push to address Salt Typhoon's devastating impact on national security. Coming up after the break, my conversation with Malachi Walker, security strategist at DomainTools, and SpartanWarriorz dodge a Telegram crackdown. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Starting point is 00:14:15 But get this. More than 8,000 companies, like Atlassian and Quora, have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Starting point is 00:14:47 Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached.
Starting point is 00:15:37 Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. Malachi Walker is security strategist at DomainTools. I recently caught up with him to discuss their role in ODNI's newly established Sentinel Horizon Program. So it's really a landmark program where it's combining a lot of the intelligence that's being seen across the private sector with the capabilities and the reach of the public sector. And this is going to be a great program to foster some more of those public-private partnerships,
Starting point is 00:16:24 to get more information on cybersecurity incidents, and really collect information on every niche of cybersecurity to better inform policy decisions, track malicious adversaries, and then even protect America from state-sponsored level threats. Well, I know you and your colleagues there at DomainTools have been selected as one of the foundational partners here with this program. What does that mean for you all? What sort of things will you be contributing? Absolutely.
Starting point is 00:16:54 We're very excited to kind of contribute our data into DNS, into malicious domains, and just domains in general as they're being spun up. We have a view of infrastructure as that infrastructure is being developed. So before it even enters the network, there's going to be some visibility there into different domains, their associated IP addresses, and how they might relate to known malicious infrastructure. And this knowledge will be incredibly helpful when combined with the amazing tools that are also incorporated with this program to gain more visibility and make more informed decisions when related to keeping America safe from state-sponsored threats,
Starting point is 00:17:37 even financially motivated adversaries, and just overall bettering the security posture as a whole. So your organization and other organizations as well are going to be feeding information into this program. What's your understanding of what happens once it gets there and gets blended and analyzed and then put out the other side? How exactly do you suppose that's all going to work? Well, I don't want to speculate because everything is still in the early stages and there are a lot more informed individuals on the day-to-day
Starting point is 00:18:12 working with CTEK, who's spearheading this effort from the DomainTools side. But what I can say is that this will be an IC-wide approach. So this will help collectively prioritize and build different intelligence on cybersecurity-related matters. And you can see that with the other companies that have announced their participation in this program and the different efforts they work towards.
Starting point is 00:18:39 There's truly a large breadth of capabilities involved in this program that are ultimately going to lead to more intelligence that can help make more informed decisions that ultimately protect the American people from these outsider risks. And what was it about this program that made you all decide that this is something you wanted to be part of? It was something you wanted to pursue? We're deeply in line with the mission of ODNI, and we've been supporting the IC for as long as we've been involved in cybersecurity in general.
Starting point is 00:19:15 So we see ourselves as an essential component to the IC's effort in protecting the nation from state-sponsored adversaries and malicious threats. And we see that these efforts are going to be a continuous priority. And we want to make sure that we're doing everything in our power with the data that we're seeing, with the domains that we see as they're being spun up to help inform and not operate in a silo. We want to make sure that we can do our part to foster that collaboration between the public sector,
Starting point is 00:19:44 the private sector, different private sector organizations, and allow that intelligence to be the rising tide that lifts all boats. Yeah, you know, the conversations that I have with folks in the IC, one of the things that comes up time and time again is this desire and need for public-private partnerships. Can you speak to that element of this? I mean, why is that the way forward here? It's going to take all of us. When you think about a cybersecurity incident, even down to an individual organization's level,
Starting point is 00:20:18 you're only as strong as the area that's being exploited. And so if there is a gap in visibility from one part of a company, then it doesn't matter that everything else is being put in place, all these different controls. The adversary only needs to be right one time. And so public-private partnerships take that concept at the organizational level and expand it to a countrywide level where there's going to be more visibility into what threats should be prioritized. There's going to be fewer blind spots because information is going to be shared better. And so this will be helpful for private sector organizations in protecting themselves, but
Starting point is 00:21:01 also public sector organizations in protecting the American people. And everyone who's involved in a private sector organization that's an American citizen is going to be benefited from being in this country and protected from these other threats on the public side as well. So it's really mutually beneficial for public and private sector organizations to be sharing information, understanding that intelligence, and protecting each other and giving that visibility. So if there's anything that might not be seen on one end, having that other visibility on the other side will be incredibly essential to paint a full picture and better inform different decision makings without opening up either American citizens or even an organization in general to different cybersecurity risks.
Starting point is 00:21:53 That's Malachi Walker from DomainTools. Thank you. with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And finally, SpartanWarriorz, with a Z, a prolific phishing scam group, is proving it takes more than a Telegram channel shutdown to stop their operation. Known for selling and distributing over 300 phishing kits targeting brands across industries like financial institutions, retail, delivery services, and social
Starting point is 00:23:19 media, they lost their Telegram channel on November 21st, which had 5,300 subscribers. Within hours, they launched a new one, inviting old subscribers while scouting for fresh recruits. The group's kits, while not the flashiest, are highly effective. They enable phishing campaigns with features like credential theft, captcha prompts, and redirections to Google or fake 404 pages. They even let criminals exfiltrate stolen data through Telegram's API. SpartanWarriorz also provide access to compromised websites and email spamming tools, solidifying their foothold in the phishing ecosystem. Though Telegram promised a crackdown on criminal channels
Starting point is 00:24:06 following the arrest of its CEO Pavel Durov in August, SpartanWarriorz has adapted, taking precautions to avoid further disruptions. Their persistence and willingness to distribute free kits for popular brands have cemented their reputation as determined operators in the criminal world. For now, SpartanWarriorz remain a thorn in the side of cybersecurity professionals, showing that while they might not reinvent the phishing wheel, they've mastered the art of persistence and adaptability. And that's the CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
Starting point is 00:25:06 If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. We're privileged that N2K Cyber Wire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your team smarter. Learn how at N2K.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester, with original music and sound design by Elliot Peltzman.
Starting point is 00:25:50 Our executive producer is Jennifer Iben. Our executive editor is Brandon Karp. Simone Petrella is our president, Peter Kilby is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
