CyberWire Daily - When it rains, it pours.
Episode Date: March 22, 2024

Advanced wiper malware hits Ukraine. Nemesis gets dismantled. Apple deals with an unpatchable vulnerability. FortiGuard rises to the rescue. CISA and FBI join forces against DDoS attacks. US airlines' data security and privacy policies are under review. Hackers hit thousands in Jacksonville Beach. Geoffrey Mattson, CEO of Xage Security, sits down to discuss CISA's 2024 JCDC priorities. And hotel keycard locks can't be that hard to crack.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Guest Geoffrey Mattson, CEO of Xage Security, joins us to discuss CISA's 2024 JCDC priorities. You can connect with Geoff on LinkedIn and learn more about Xage Security on their website and read about the JCDC 2024 Priorities here. Geoff's interview first appeared on March 21st's episode of T-Minus Space Daily. Check out T-Minus here.

Selected Reading
Sandworm-linked group likely knocked down Ukrainian internet providers (The Record)
AcidPour wiper suspected to be used against Ukrainian telecom networks (SC Media)
Never-before-seen data wiper may have been used by Russia against Ukraine (Ars Technica)
AcidPour | New Embedded Wiper Variant of AcidRain Appears in Ukraine (SentinelOne)
F5, ScreenConnect vulnerabilities leveraged in global Chinese cyberattacks (SC Media)
Nemesis darknet marketplace raided in Germany-led operation (The Record)
Unpatchable vulnerability in Apple chip leaks secret encryption keys (Ars Technica)
Exploit Released For Critical Fortinet RCE Flaw: Patch Soon! (GBHackers on Security)
CISA & FBI Released Guide to Respond for DDoS Attacks (Cyber Security News)
CISA, FBI, and MS-ISAC Release Update to Joint Guidance on Distributed Denial-of-Service Techniques (CISA)
US airlines' data security, privacy policies to be under federal review (SC Media)
Jacksonville Beach and other US municipalities report data breaches following cyberattacks (The Record)
Hackers Found a Way to Open Any of 3 Million Hotel Keycard Locks in Seconds (WIRED)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout. That's joindeleteme.com/n2k, code n2k.
Advanced wiper malware hits Ukraine.
Nemesis gets dismantled.
Apple deals with an unpatchable vulnerability.
FortiGuard rises to the rescue. CISA and FBI join forces against DDoS attacks.
U.S. airlines' data security and privacy policies are under review.
Hackers hit thousands in Jacksonville Beach.
Geoffrey Mattson, CEO of Xage Security, sits down with me to discuss CISA's 2024 JCDC priorities. And hotel keycard locks can't be that hard to crack.
Today is March 22nd, 2024.
I'm Maria Varmazis, host of N2K's T-Minus Space Daily,
sitting in for Dave Bittner today.
And this is your CyberWire Intel Briefing.
Happy Friday, everybody. Thanks for joining us.
Researchers at SentinelOne have discovered a new version of AcidRain, a wiper malware that was used against modems across Ukraine at the beginning of the Russian invasion in February 2022.
The researchers have dubbed the new variant AcidPour (clever), noting that it expands upon AcidRain's capabilities and destructive potential to now include Linux Unsorted Block Image (UBI) and Device Mapper (DM) logic, better targeting RAID arrays and large storage devices.
SentinelOne adds that the discovery of AcidPour coincides with the disruptions of four Ukrainian internet providers that began on March 13th. SentinelOne commented that they cannot confirm AcidPour was used to disrupt the Ukrainian ISPs. They added this, though: the longevity of the disruption suggests a more complex attack than a simple DDoS or nuisance disruption. AcidPour, uploaded three days after this disruption started, would fit the bill for the requisite toolkit.
If that's the case, it could serve as another link between this hacktivist persona and specific GRU operations.
Following up on our reporting from yesterday on China exploiting vulnerabilities in F5 and ScreenConnect, Chinese cyber attackers have launched global campaigns.
Mandiant published a report on UNC5174, a suspected Chinese threat actor that appears to work as an initial access broker for China's Ministry of State Security, or MSS. Back in October 2023, the threat actor exploited a remote command execution vulnerability, CVE-2023-46747, affecting the F5 BIG-IP Traffic Management User Interface. Mandiant notes this:
China Nexus actors continue to conduct vulnerability research on widely deployed
edge appliances like F5 BIG-IP and ScreenConnect to enable espionage operations at scale.
These operations often include rapid exploitation of recently disclosed vulnerabilities
using custom or publicly available proof-of-concept exploits.
UNC5174 and UNC302 operate within this model,
and their operations provide insight into the initial access broker
ecosystem leveraged by the MSS to target strategically interesting global organizations.
Mandiant believes that UNC5174 will continue to pose a threat to organizations in the academic, NGO, and government sectors, specifically in the United States, Canada, Southeast Asia, Hong Kong, and the United Kingdom.
Moving on to the next one. In a significant win against cybercrime, German authorities dismantled the Nemesis Marketplace, a hub for illegal activities like selling stolen data and malware. German police seized the server infrastructure along with 94,000 euros worth of cryptocurrency, according to The Record.
I'm going to mess this pronunciation up, but the Bundeskriminalamt, BKA, said in a press release: the measures carried out in a concerted action on March 20th, 2024, were preceded by extensive investigations that have been conducted by the BKA, the ZIT, as well as the FBI, the Drug Enforcement Administration, and the IRS-CI since October 2022.
Hackers have discovered a vulnerability in Apple's Mac chips, enabling them to extract secret encryption keys. And the flaw can't be patched directly because it stems from the design of the silicon itself.
It can only be mitigated by building defenses into third-party cryptographic software,
but that could degrade M-series performance.
Researchers have named the attack GoFetch.
It uses an application that doesn't require root access,
only the same user privileges needed by most third-party applications installed on macOS.
Mitigating the effects of the vulnerability falls on the people developing code for Apple
hardware. Apple failed to comment on the GoFetch research. Concerned users should
check for GoFetch mitigation updates that become available for macOS software.
A critical remote code execution flaw in Fortinet VPN appliances has been identified, posing a severe risk to organizations.
Attackers can exploit this vulnerability to compromise network security.
This vulnerability was found to be exploited by threat actors in the wild.
However, FortiGuard has acted swiftly upon this vulnerability and has released patches to fix it.
The CISA and FBI have released a comprehensive
guide to combat distributed denial of service or DDoS attacks. While they have been around for what
seems like forever, DDoS attacks are still common tactics used by cyber criminals to disrupt
services. The guide provides invaluable insights and strategies to defend against DDoS attacks,
emphasizing proactive
mitigation measures. Bottom line, educate your teams, implement robust DDoS protection solutions,
and collaborate with law enforcement to strengthen cyber resilience.
The U.S. Department of Transportation intends to review data security and privacy policies
of U.S. airlines, reflecting growing concerns about privacy and data monetization
in the aviation sector. This move underscores the need for stringent cybersecurity measures
to protect passenger information and ensure air travel safety. Senator Ron Wyden of Oregon,
who previously warned about the threat posed by data brokers, will work in concert with the
Department of Transportation to carry out the investigation.
Stay tuned for that one.
And Jacksonville Beach is one of the latest U.S. municipalities
to have fallen victim to cyber attacks.
It underscores a national issue here.
These attacks on local governments disrupt services,
compromise sensitive data,
and highlight the need for improved cybersecurity measures at all levels of government.
That's it for our briefing today.
Coming up next, we are talking with Xage Security's CEO, Geoffrey Mattson.
In a crossover from our T-Minus Space Daily, which I host, by the way, we spoke with Geoff about CISA's 2024 JCDC priorities. Shameless plug: you can find a link for T-Minus in today's show notes.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for a thousand dollars off.
And now a message from Black Cloak. Did you know the easiest way for cyber
criminals to bypass your company's
defenses is by targeting
your executives and their families
at home? Black Cloak's
award-winning digital executive protection
platform secures their personal
devices, home networks, and
connected lives. Because when
executives are compromised at home,
your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
I sat down with Geoff Mattson, CEO of Xage Security, to discuss CISA's 2024 JCDC priorities.
I think the awareness on the commercial side of the importance of cybersecurity in space is growing.
But I think it's something that we need to reemphasize with that community.
with protecting the satellite system in the U.S. and for our partners is to be able to leverage
the commercial satellite system, in particular, the proliferation of low orbit satellites
to create a much larger potential attack surface
for our near peer competitors who would like
to impact our ability to operate our satellite system.
So rather than having a few very high-orbit military satellites provide all of our command and control, for instance,
we'd like to be able to leverage the proliferation of commercial satellites, low-orbit,
to be able to provide redundant functions
for command and control.
And it's much harder to take out 4,000 commercial satellites that are buzzing all over the stratosphere
than it is to take out four or five high orbit military ones.
So it's very important that our commercial partners understand the strategic importance of cybersecurity in their systems because, by extension, our near-peer competitors will use cyber attacks against them, as well as the military satellites, in order to go after the soft underbelly of our strategic operations, which is we've grown extremely dependent as a military force
on satellites and satellite communication.
We've had superiority there for a long time,
and we've had very little vulnerability for a long time,
but that's changed with the potential for kinetic attacks.
But also we've seen, you know, in the real world, cyber attacks, such as Viasat 2022, which was used in an actual combat situation to prevent command and control in real time.
And we'll see more of those types of attacks in the future.
So we are, you know, very eager to work with Space Force and with the extended satellite community to be able to
harden our satellite systems and prevent a cyber attack.
The good news is that the technologies that are available to protect these systems, they
really have matured recently.
And it is possible to deploy them very quickly and at a relatively low cost.
And they are very, very resilient to cyber attacks.
Secure by design is a principle that is said a lot in cybersecurity.
It makes a lot of sense.
When we talk about space assets, though, especially when we have assets that are quite old in some cases,
my mind just kind of goes, how is that going to work? Excellent question, right? Because secure by design is becoming the major focus in cyber security, as you're probably aware.
And what we've seen is we have security devices and security appliances that are being targeted and exploited by malicious actors as a way to hack into enterprises
and into the military.
So for instance, right now,
well, last year you saw Citrix Bleed,
and it was an attack on a VDI solution from Citrix.
But even recently,
CISA has put out a directive to,
it's very alarming with regard to Ivanti VPN servers,
which are very, very popular VPN server
in Fortune 500 companies.
It says that basically certain vulnerabilities within them
have caused them to be susceptible to attacks
that are undetectable and very persistent.
And so their customers are strongly advised
to consider whether they want to go forward with them in the future.
And the reason for this is,
looking at the code base in some of these appliances,
like not to pile on Ivanti,
but they're a pretty good example,
is that some of the code, if you look at the executables that were running, they're over 20 years old.
So they've accumulated.
In many cases, these appliances have millions and millions of lines of software.
And a lot of it has been accumulated over time.
And it's really just impossible to do that type of development without creating vulnerabilities in the process.
And so a lot of these devices are insecure by design.
In the past,
there wasn't as much of a problem
because hackers were going after
things like going after
vulnerabilities in your PC, right?
Or in your web browser.
And we've put up
pretty good defenses against those.
And so now they've found
that these security devices
and access devices
are soft targets and really easy to exploit.
So they're going after them.
So anything we deploy in space or to defend space
has to have a very long life, has to be extremely secure,
and has to be built with secure software design principles
in the design process,
and then hardening through vulnerability testing.
And then it has to have sort of architecturally
have built-in security.
So for instance, a lot of these security devices like ours,
they aren't trusted to store the keys of certain applications
or certain assets they're talking to.
And some of these systems have centralized key stores, which is a huge problem, because if you're able to compromise one system, you have the keys to the kingdom, essentially.
So for instance, what we do is we have a polynomial-based algorithm that allows us to shard the keys over a certain number of distributed systems, so that you would have to, you know, compromise every one of them.
And that way we consider ourselves to be even quantum-proof in terms of decryption.
So a lot goes into creating this type of modern stack,
but then you talk about the assets that we're protecting
and the fact that they can't really be patched
and the fact that they were developed
over a longer period of time
and some of them are legacy.
And bear in mind that when you're protecting the satellites, you're protecting really three things. One is the network itself that the satellite is a part of, so that's the terrestrial network, the modems (in Viasat, it was the modems that were attacked), and the satellite links.
And then we're also protecting the assets, the satellite assets, any type of industrial or military equipment that's part of that network.
And then finally, we're also protecting the data streams.
So the data that's streaming off of the satellite is extremely valuable and extremely sensitive.
We have to make sure that it's available to our partners. We have to make
sure it's not tampered with. We have to make sure that it is not available to parties that we don't
want it to be available to. And we have to do this in real time, essentially. So it's kind of a tall
order. However, the way our system works and the way a modern zero trust overlay works is the principle of zero trust is an evolution in the concept of
protection and cybersecurity. Protection used to be things like firewalls and certain types of VPNs
or jump posts. Protection used to be, let's sort of put some roadblocks in the way that would keep
attackers out. The principle of zero trust is saying, look, we're mature enough now that what we should do is, if you need to access something,
we'll make sure you are exactly who you say you are. We'll give you access to only that thing,
only for the period of time you're supposed to have it. And if it's something very sensitive,
we'll also limit what you can do, and we'll record what you can do. And so that's the principle of zero trust.
Now, the way we can bring that to these legacy assets is Xage has a fabric overlay.
So basically, it's like a virtual network that we can put right in front of any of these assets, completely surrounding and protecting them.
And it sort of acts as a proxy in front of those assets that can provide that type of modern security access.
It can control what's going into the asset,
and it can control what's going out of the asset.
So controlling what goes in will make sure that nobody can take over the asset
or tamper with the data on the asset.
Controlling what goes out means that if the asset goes rogue for any reason or is compromised, that compromise will be contained and the spread will be limited, right?
So we're able to, by using this modern software approach, we can plop ourselves in front of anything and provide that type of zero-trust architecture.
And when I say plopping in front of an overlay, that's also very important for this strategy
of leveraging commercial satellites.
We're going to have to work with a proliferation of partners,
and we have to have a solution that is very easy to deploy
and can be managed across the satellite system
from a single control center
without burdening, operationally burdening these satellite
partners. So this basic simplicity of this solution is one of the reasons I think that
Space Force was so attracted to it, given that we have to extend it into the commercial satellite
as well.
A topic that gets discussed in the space world sometimes is possible designation by the U.S. federal government of space as critical infrastructure. People kind of aren't sure in the space world sometimes about whether or not that would actually be helpful or a hindrance if space was called that. I'm just curious what your take is on that. Like, is space critical infrastructure? Does it help calling space critical infrastructure to sort of move the needle on the cyber side?
That's a really interesting point, Maria. I think space is probably the most critical infrastructure to consider its strategic importance.
As I said, our military has become dependent on having superiority in space for command and control.
And it is an enormous advantage for us.
And even if we strategically decided to move away from that, that would be a long evolution,
a long transition. So it is extremely critical, I would say. Also, even regardless of the military applications, if someone for some purpose, were to take out GPS system,
for instance, that would impact world economy in a very serious way, right? So, you know, I think,
as I reiterate that, I think it's the most critical of systems. Absolutely. I think that,
enough said on that one. So, it's not often I get to talk to somebody on the cyber side about
sort of the space cyber landscape, and you have a great perspective on it.
I would just love to know your take on sort of the current landscape for space cyber.
Your impressions of it, like how it's evolving, how it's changed, what you hope to see more of, that kind of thing.
You've seen a lot of news recently about both potential cyber attacks and potential kinetic attacks on our satellite infrastructure. And I think that the public is becoming much more aware of the importance of our space infrastructure from a critical infrastructure point of view.
And I think they're aware, they're becoming more aware of the potential for cyber attacks on it. And these cyber attacks are likely to come from the best hackers in the world,
nation state level, near peer competitors to the US. And they're likely to happen with the
most malicious intent. So I'm very pleased to see that there's a broadening awareness of this critically important issue. And I think I'm very impressed, actually, with the speed with which the federal government has been moving to create partnerships in this area, commercial military partnerships that we're a part of, and to be able to address this vulnerability very quickly.
That's Geoff Mattson, CEO of Xage Security.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
Breaking news happens anywhere, anytime.
Police have warned the protesters repeatedly, get back.
CBC News brings the story to you live.
Hundreds of wildfires are burning.
Be the first to know what's going on and what that means for you and for Canada.
This situation has changed very quickly.
Helping make sense of the world when it matters most.
Stay in the know.
Download the free CBC News app or visit cbcnews.ca.
WIRED reporter and friend of the show, Andy Greenberg, shared the disturbing story of how hackers discovered a way to open hotel rooms that are equipped with key cards. And that would mean pretty much all of the hotel rooms these days.
And not only that, they do it in a matter of just seconds. The Saflok hotel lock, which just happens to be used in thousands upon thousands of hotels worldwide, faces a serious security flaw that was discovered when hackers were invited to hack a Vegas hotel room at Hacker Summer Camp, aka DEF CON, in 2022.
The vulnerability, known as Unsaflok (haha), enables unauthorized access to hotel rooms, underscoring the importance of robust cybersecurity in the hospitality industry to protect guest safety and privacy. The company behind the Saflok brand, Dormakaba, is offering a fix, but it may take months or years to reach some hotels, and that's being optimistic.
Yeah, better use that deadbolt, everybody.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to check out our newest episode of Research Saturday tomorrow, where Dave Bittner sits down with Liviu Arsene from CrowdStrike, and they're discussing research titled "HijackLoader Expands Techniques to Improve Defense Evasion."
Check it out.
And as always, we'd love to know what you think of this podcast.
You can email us at cyberwire@n2k.com. Your feedback helps us ensure that we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like The Cyber Wire are part of the daily intelligence routine
of many of the most influential leaders and operators
in the public and private sector,
as well as the critical security teams
supporting the Fortune 500
and many of the world's preeminent intelligence
and law enforcement agencies.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your
people.
We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester, with original music by Elliott Peltzman.
Our executive producers are Jennifer Eiben and Brandon Karpf.
Our executive editor is Peter Kilpe. And I'm not Dave Bittner. I'm Maria Varmazis. Thanks for listening, everyone. Have a great weekend.
...platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.