Right About Now with Ryan Alford - You Might Also Like: CyberWire Daily
Episode Date: November 29, 2024

Introducing "CISA issues urgent warning" from CyberWire Daily. Follow the show: CyberWire Daily

CISA issues a warning about a critical security flaw in Palo Alto Networks' Expedition tool. A federal agency urges employees to limit phone use in response to Chinese hacking. Law enforcement is perplexed by spontaneously rebooting iPhones. A key supplier for oilfields suffers a ransomware attack. Hewlett Packard Enterprise (HPE) patches multiple vulnerabilities in its Aruba Networking access points. Cybercriminals use game-related apps to distribute Winos4.0. Germany proposes legislation protecting security researchers. The TSA proposes new cybersecurity regulations for critical transportation infrastructure. Our guest is Aaron Griffin, Chief Architect from Sevco Security, sharing the discovery of a significant Apple iOS bug involving iPhone Mirroring. AI tries to wing it in a Reddit group, but moderators put a fork in it.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Our guest is Aaron Griffin, Chief Architect from Sevco Security, sharing the discovery of a significant Apple iOS 18 and macOS Sequoia privacy bug that exposes employee personal iPhone apps and data to companies through iPhone Mirroring. Read Sevco's blog on the topic.

Selected Reading
CISA warns of Critical Palo Alto Networks Vulnerability Exploited in Attacks (GB Hackers)
U.S. Agency Warns Employees About Phone Use Amid Ongoing China Hack (Wall Street Journal)
Host of House panels getting briefed on major Chinese hacker telecom breaches (CyberScoop)
Police Freak Out at iPhones Mysteriously Rebooting Themselves, Locking Cops Out (404 Media)
Texas-based oilfield supplier faces disruptions following ransomware attack (The Record)
HPE Patches Critical Vulnerabilities in Aruba Access Points (SecurityWeek)
Winos4.0 hides in gaming apps to hijack Windows systems (The Register)
Germany drafts law to protect researchers who find security flaws (Bleeping Computer)
TSA proposes new cybersecurity rule for surface transportation, seeks public feedback (Industrial Cyber)
Reddit's 'Interesting as Fuck' Community Rules That AI-Generated Video Is Not Interesting (404 Media)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

DISCLAIMER: Please note, this is an independent podcast episode not affiliated with, endorsed by, or produced in conjunction with the host podcast feed or any of its media entities. The views and opinions expressed in this episode are solely those of the creators and guests. For any concerns, please reach out to team@podroll.fm.
Transcript
You're listening to the CyberWire Network powered by N2K.
Oh, interrupting their playlist to talk about defying gravity, are we?
That's right, Newton. With the Bronco and Bronco Sport, gravity has met its match.
Huh, maybe that apple hit me a little harder than I thought.
Yeah, you should get that checked out.
With standard 4x4 capability,
Broncos keep going up and up. Now get up to $6,000 in rebates on eligible 2024 Bronco family models.
Visit your Toronto area Ford store or ford.ca.
Hey everybody, Dave here. I want to talk about our sponsor, LegalZoom.
You know, I started my first business back in the early 90s and oh, what I would have
done to have been able to have the services of an organization like LegalZoom back then.
Just getting all of those business ducks in a row, all of that technical stuff,
the legal stuff, the registrations of the business, the taxes, all of those things that
you need to go through when you're starting a business, the hard stuff, the stuff that
sucks up your time when you just want to get that business launched and out there.
Well, LegalZoom has everything you need to launch, run,
and protect your business all in one place.
And they save you from wasting hours
making sense of all that legal stuff.
Launch, run, and protect your business
to make it official today at LegalZoom.com.
You can use promo code Cyber10 to get 10% off
any LegalZoom business information product,
excluding subscriptions and renewals.
That expires at the end of this year.
Get everything you need from setup to success at LegalZoom.com and use promo code Cyber10.
That's LegalZoom.com and promo code Cyber10.
LegalZoom provides access to independent attorneys and self-service
tools. LegalZoom is not a law firm and does not provide legal advice except where authorized
through its subsidiary law firm, LZ Legal Services LLC.
CISA issues a warning about a critical security flaw in Palo Alto Networks' Expedition tool. A federal agency urges employees to limit phone use in response to Chinese hacking.
Law enforcement is perplexed by spontaneously rebooting iPhones.
A key supplier for oil fields suffers a ransomware attack,
Hewlett Packard Enterprise patches multiple vulnerabilities in its Aruba networking access points,
cybercriminals use game-related apps to distribute Winos4.0,
Germany proposes legislation protecting security researchers, the TSA proposes new cybersecurity regulations for critical transportation infrastructure.
Our guest is Aaron Griffin, chief architect from Sevco Security, sharing the discovery of a
significant Apple iOS bug involving iPhone mirroring. And AI tries to wing it in a Reddit group,
but moderators put a fork in it.
It's Friday, November 8th, 2024. Intel briefing.
Thanks for joining us here today.
Happy Friday.
It is always great to have you with us.
The U.S. Cybersecurity and Infrastructure Security Agency has issued a warning about a critical
security flaw in Palo Alto Networks' Expedition tool, used for firewall migration and configuration.
The flaw, classified as a Missing Authentication Vulnerability, enables attackers with network
access to potentially hijack the Expedition admin account.
This could grant cybercriminals access to sensitive configuration data, including credentials
and highly privileged information.
CISA stresses that the vulnerability poses a significant risk due to the level of access
it grants, although there is no confirmation yet of active exploitation.
Organizations using the Expedition tool are urged to apply Palo Alto's
recommended mitigations. If these aren't feasible, CISA advises discontinuing the tool's use to
prevent potential compromise. The deadline for federal agencies addressing this vulnerability
is November 28th, as CISA emphasizes immediate action to mitigate any potential threat.
Following the recent hack of U.S. telecommunications infrastructure by suspected Chinese operatives,
the Consumer Financial Protection Bureau issued a directive urging employees to avoid using
mobile phones for work-related matters.
According to the Wall Street Journal, an email sent Thursday from the CFPB's Chief Information
Officer advised that sensitive internal and external meetings should be conducted only
on secure platforms like Microsoft Teams or Cisco WebEx, not via phone calls or texts
on either work-issued or personal devices.
While there's no evidence the CFPB was specifically targeted,
the guidance aims to reduce potential risk.
This directive reflects heightened concerns
among US officials about the hack's severity,
which has reportedly impacted major telecommunications firms.
The Cybersecurity and Infrastructure Security Agency has yet to comment on the incident.
U.S. executive branch agencies briefed several House committees on Thursday about the hack
by a Chinese-linked group known as Salt Typhoon that targeted major telecommunications companies
and allegedly accessed the phones of Donald Trump's top campaign members and high-ranking
U.S. officials.
The House Energy and Commerce, Homeland Security, Intelligence, Judiciary, and Appropriations
subcommittees received updates from the FBI, CISA, and other security agencies.
The Senate will receive a similar briefing next week, with the Senate Intelligence Committee
already being
updated regularly. The breach, reportedly impacting numerous individuals, has drawn
increased congressional concern. Telecommunications companies like Lumen have responded, though AT&T
and Verizon redirected questions to the FBI. Federal agencies are investigating the incident, and the Cyber
Safety Review Board plans its own inquiry. Policy discussions now focus on whether Salt
Typhoon exploited telecom carriers' compliance with the Communications Assistance for Law
Enforcement Act to gain unauthorized access.
Law enforcement has reported an unusual issue where iPhones,
securely stored for forensic examination, are rebooting unexpectedly, making them
significantly harder to unlock. According to a document obtained by 404 Media,
these reboots may be due to a potentially new security feature in iOS 18, which could
cause iPhones disconnected from cellular networks to reboot after a certain time.
When these devices reboot, they shift from an after-first-unlocked state, which is easier
to access, to a before-first-unlocked state, which current forensic tools struggle to bypass.
Some officials speculate that iOS 18 devices communicate with each other in secure settings,
triggering reboots among nearby devices.
Experts, however, remain skeptical about this hypothesis.
The document advises forensic labs to isolate iOS devices and monitor any reboots closely
to avoid losing valuable data access.
This situation highlights the ongoing security tensions between law enforcement and phone
manufacturers.
Newpark Resources, a key supplier for oil fields, reported a ransomware attack on October
29, causing
disruptions and limiting access to some internal systems.
Despite this, Newpark's manufacturing and field operations continue under established
downtime procedures.
In a regulatory filing, the company stated that financial reporting systems were impacted,
but that the attack is not expected to materially affect
its financial health. No group has yet claimed responsibility.
Hewlett Packard Enterprise, HPE, a major tech company specializing in enterprise hardware
and software, announced patches this week for multiple vulnerabilities in its Aruba
networking access points, widely used in business networks.
Among the vulnerabilities are two critical command injection flaws, which could allow
remote unauthenticated attackers to execute code as privileged users by sending a specially
crafted packet to UDP port 8211.
HPE advised that enabling cluster security and blocking access can mitigate
risks. Additionally, three high severity remote code execution vulnerabilities could allow
authenticated attackers to compromise system files and execute commands. Patches were released
through Aruba's Bug Bounty program with no evidence of active exploitation.
Cybercriminals are using game-related apps to distribute Winos4.0, a malware framework
that grants full control over infected Windows systems.
Rebuilt from the Gh0st RAT malware, Winos4.0 was detected in various gaming tools and optimization utilities, which
lure users into downloading the infection.
Similar to Cobalt Strike, the malware enables cyber-espionage, ransomware deployment, and
lateral movement.
Once executed, the malware downloads a fake BMP file from a malicious server, beginning
a multi-stage infection. The first DLL file establishes persistence and injects shellcode, while the second stage
connects to a command and control server.
Subsequent stages gather system details, check for antivirus software, and capture sensitive
information, including crypto-wallet data and screenshots.
This final stage sets up a persistent backdoor allowing the attacker long-term access.
Fortinet warns users to download apps only from trusted sources to mitigate risk.
Germany's Federal Ministry of Justice has proposed a law to legally protect security
researchers who responsibly report vulnerabilities.
The draft law aimed at fostering IT security exempts researchers from criminal liability
when they act within defined parameters to identify and report security risks to responsible
entities like system operators or the Federal Office for Information Security.
This protection requires that the researchers limit system
access strictly to what's necessary for vulnerability detection. The proposed amendment also imposes
stricter penalties, with sentences from three months to five years for malicious data spying
and interception, especially when targeting critical infrastructure or involving substantial financial damage, profit motives, or organized crime.
The bill's details are under review by German states and relevant associations until December 13,
after which it will be presented to the Bundestag.
This follows similar steps by the U.S. Department of Justice in 2022 to protect good faith security research.
The Transportation Security Administration, the TSA,
has proposed new cybersecurity regulations
for critical transportation infrastructure,
finalizing and expanding emergency directives
issued after the Colonial Pipeline ransomware attack in 2021.
This proposal, among the last cybersecurity policies of the Biden administration,
targets nearly 300 entities in freight rail, passenger rail, rail transit, and pipeline sectors,
requiring them to adopt mandatory cyber risk management programs, operational plans, and regular audits.
Covered entities must also report incidents to the Cybersecurity and Infrastructure Security
Agency and comply with CISA's Secure by Design and Secure by Default standards.
The proposed rule extends requirements to large hazardous liquid and carbon dioxide
pipelines, critical suppliers to the Pentagon, and over-the-road bus operators.
The TSA seeks public and industry feedback by February 5, 2025, aiming to build a more
permanent cybersecurity framework for transportation and align it across sectors like aviation
and pipeline infrastructure.
Coming up after the break, my conversation with Aaron Griffin from Sevco Security, we're discussing a significant Apple iOS bug involving iPhone mirroring.
Stay with us.
And now a word from our sponsor, KnowBe4.
It's all connected, and we're not talking conspiracy theories.
When it comes to InfoSec tools, effective integrations can
make or break your security stack. The same should be true for security awareness training.
KnowBe4, provider of the world's largest library of security awareness training, provides
a way to integrate your existing security stack tools to help you strengthen your organization's
security culture. KnowBe4's Security Coach uses standard APIs to quickly and easily integrate with your existing security products
from vendors like Microsoft, CrowdStrike, and Cisco.
35 vendor integrations and counting.
Security Coach analyzes your security stack alerts to identify events related to any risky security behavior
from your users. Use this information to set up real-time coaching campaigns
targeting risky users based on those events from your network, endpoint,
identity, or web security vendors. Then, coach your users at the moment the
risky behavior occurs with contextual security tips delivered via Microsoft Teams,
Slack, or email. Learn more at knowbe4.com slash security coach. That's knowbe4.com
slash security coach. And we thank KnowBe4 for sponsoring our show.
Imagine this, your primary identity provider goes down, whether it's a cloud outage, network issue or even a cyber attack.
Suddenly your business grinds to a halt.
But what if it didn't have to?
Meet Identity Continuity from Strata, the game-changing solution that keeps your business
running smoothly no matter what.
Whether your cloud IDP crashes or your on-prem system faces a hiccup, Identity Continuity
seamlessly shifts authentication to a secondary or even tertiary IDP, automatically and without
disruption. Powered by the Maverics Identity
Orchestration Platform, Identity Continuity uses smart health checks to
monitor your IDP's availability and instantly activates failover strategies
tailored to your needs. When the coast is clear, it's a seamless switchback. No more
downtime, no lost revenue, no frustrated customers, just
continuous secure access to your critical applications every single time.
Protect your business from the high costs of IDP outages with identity
continuity from Strata. Downtime is a thing of the past.
Visit strata.io slash cyberwire to learn how strata's identity continuity can
provide seamless enhanced capabilities to your existing identity fabric and
receive a free set of AirPods Pro.
Aaron Griffin is chief architect at Sevco Security.
I recently caught up with him to discuss their discovery of a significant Apple iOS bug involving
iPhone mirroring.
What we found is that in the new iOS mirroring feature that they launched as part of iOS
18 and macOS Sequoia, that it appears that there's a data leak for application inventory from your phone
due to a technical detail.
I think of the way that those applications get replicated
to your Mac to do things like notifications,
little bits of the feature that they drive.
It inadvertently augmented your Mac's software
inventory with every application that exists on your iOS device
when the feature is enabled.
So for folks who may not be familiar with it,
what exactly is iPhone Mirroring?
Yeah, so that's actually one of the cooler features
of the new version of iOS that you can essentially
mirror everything that you're doing on your phone to your Mac.
So if you're on the go, you're going to send a text, you've got a browser tab open, something
like that.
You come back to your computer and sit down, you can open up this iOS mirroring feature
and continue your work from your computer.
In some ways, it gives somewhat ironically extra privacy because maybe you can send text
messages over iMessage in a way that doesn't get replicated to your MacBook rather than
using iMessage on the Mac side.
I see. So what is under the hood here that you all suspect has gone wrong? Yeah. So our suspicion is that in order to drive
the notification flow that they have on the Mac,
they're creating a stub inventory of all of the applications.
What I mean by stub inventory is a bunch of files that look like apps,
they register themselves with
the Mac's indexing service as applications,
which is why they get picked up.
But if you crack them open,
they actually don't contain any form of executable code at all.
It's really just icon sets and metadata.
And so that's what does it,
and that's what ends up with augmented inventory.
So help me understand what the potential problem here is.
How could personal information be exposed, for example?
Yeah, so from an employee perspective, I think the risk would be that you have an app that
you don't necessarily want to disclose to your employer that you have installed because
it doesn't really affect their security posture at all.
An example might be that you live somewhere where VPNs are prohibited and you have that installed,
or a dating app that reveals a sexual orientation,
something that reveals a health condition. All of those being present in your
corporate software inventory could be a pretty significant breach of your privacy.
I see. So it's that inventory of apps that are existing on your phone that gets revealed on the Mac that is the problem here.
Yeah, that's exactly right.
It'll appear to your employer in their EDR console
or whatever is doing this collection
as though you have the Apple Watch app
installed on your MacBook
or anything else that you have installed.
They'll be associated in that way.
I see.
So you all have alerted Apple
and they've been responsive here?
Yeah, that's exactly right.
We reached out to them same day
and they were great about it.
They treated it with urgency
and let us know that there was going to be
a fix issued fall of this year.
And actually that was the patch that Apple pushed out,
I think it was Monday earlier this week.
And we've confirmed that the issue,
while parts of it are still present,
the real dangers of it have been mitigated.
They've updated the stub inventory on the Macs
with a flag that stops them from being indexed.
So while an EDR or a tool like that
may be able to find that data,
if it went looking, it should stop incidental collection.
I see.
So what are your recommendations then?
Is it as simple as just making sure that you're up to date
with the latest patches?
Yeah, that's for sure the first step.
Making sure that you're up to date with the latest patches.
For the employer side, you should go through the inventory and make sure that you haven't incidentally collected any of this data that you don't want.
Make sure that it gets cleaned out. That's a liability that you probably don't want to have.
And it's a good opportunity to have a conversation with your users about the privacy boundary that
exists between work devices and personal devices.
This particular privacy breach only
happens if you're signed in to your personal iCloud on your
work computer.
It's common for there to be policies that don't really
spell that out.
And users will log in with their iCloud account
to get all these cool features.
Maybe they want to use Apple Music or the podcast.
They want messages to sync, anything like that.
It's a good opportunity to talk with them about
the risks that that potentially can convey
when they intermingle them that way.
Our thanks to Aaron Griffin,
Chief Architect from Sevco Security, for joining us.
The IT world used to be simpler.
You only had to secure and manage environments that you controlled.
Then came new technologies and new ways to work.
Now employees, apps
and networks are everywhere. This means poor visibility, security gaps and added risk.
That's why Cloudflare created the first ever connectivity cloud. Visit cloudflare.com
to protect your business everywhere you do business.
What do Ontario dairy farmers bring to the table? A million little things.
But most of all, the passion and care that goes into producing the local, high-quality milk we all love and enjoy every day.
With 3,200 dairy-farming families across Ontario sharing our love for milk, there's love in every glass.
Dairy Farmers of Ontario. From our families to your table, everybody milk.
Visit milk.org to learn more.
And finally, friends, buckle up.
We're about to dive into a tale that's as interesting as fork.
But let's keep it family-friendly by saying fork whenever we mean that other word.
Reddit's legendary community, Interesting As Fork, just faced an AI invasion, and boy,
were they having none of it.
Last Friday a post titled Mother's Love is Universal showing a heartwarming scene of
a parrot sheltering chicks from the rain.
Aww, right?
Well not so forking fast.
Redditors with eagle eyes, or should we say parrot eyes, quickly spotted telltale glitches, dodgy lighting,
shadow errors, and the classic signs of AI trickery. The Post raked in 12,000 upvotes
before moderators yanked it, declaring, Fork, no! This doesn't even meet our species standards.
With 13 million members, Interesting as Fork is one of Reddit's biggest and oldest subreddits,
and the moderators take Interesting very seriously.
One mod noted that AI-generated content not only misleads viewers, but can undermine genuine,
curiosity-sparking content.
The AI parrot wasn't tagged as AI, it wasn't a real bird behavior, and not even the species the title
claimed.
Here's the real kicker.
Reddit's loose policy on AI content lets communities decide their own rules.
Some subs embrace the bots, others boot them to the curb.
Interesting as fork keeps the standards high, while other sites online like, oh, I don't
know, Facebook, are awash in AI spam.
So what are the stakes?
As AI becomes more realistic, the line between real and fake gets blurrier.
So the next time you see a parrot doing people-level parenting, maybe pause and think, is this real
or just interesting as fork?
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at
the cyberwire.com. A quick program note, we are not publishing Saturday through Monday in observance of the
Veterans Day holiday.
We'll have a special edition for you on Sunday and Rick Howard's Veterans Day episode of
CSO Perspectives for All on Monday in your CyberWire Daily Feed.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly
changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
We're privileged that N2K CyberWire is part of the daily routine of the most influential
leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement
agencies.
N2K makes it easy for companies to optimize your biggest investment, your people.
We make you smarter about your teams, while making your teams smarter.
Learn how at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester, with original music
and sound design by Elliot Peltzman, our executive producer is Jennifer Iben, our executive editor
is Brandon Karp, Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Dave
Bittner.
Thanks for listening, we'll see you back here next week.
And now, a word from our sponsor, NordPass.
NordPass is an advanced password manager from the team behind NordVPN, designed to help
keep your business safe from data leaks and cyber threats.
It gives your IT professionals control over who has access to your company's data, and
makes it easy for everyone else on your team to use strong passwords.
Right now you can go to www.nordpass.com slash cyberwire for 35% off the NordPass business
yearly plan. Don't miss out on that.