The CyberWire Daily Podcast 4.10.24
Ep 2043 | 4.10.24

From deadlock to debate on a revised Section 702 bill.

Transcript

The House moves forward on Section 702 reauthorization. Ukraine suspends a top cybersecurity official. A Wisconsin health coop suffers a data breach. Sophos uncovers a malicious backdoor. Fortinet issues patches for critical and high severity vulnerabilities. A Microsoft server exposed employee passwords, keys, and credentials. LG releases patches to secure smart TVs. The IMF warns of cyberattacks' potential to trigger bank runs. It was a busy Patch Tuesday. On our Learning Layer segment, host Sam Meisenberg and Joe Carrigan continue their discussion of Joe's CISSP study journey and how to avoid frustration when you get a practice question wrong. X marks the spot where Elon's impulsiveness turns chaotic.

Today is April 10th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

The House moves forward on Section 702 reauthorization. 

The House Rules Committee has moved forward a revised bill to reauthorize the controversial Section 702 of the Foreign Intelligence Surveillance Act, breaking a long deadlock among Republicans. This program permits warrantless surveillance of foreigners' communications outside the U.S. but can also inadvertently collect Americans' data. The vote was 9-2, setting the stage for a House vote on several amendments, including one requiring warrants to search Americans' information—a provision opposed by the Biden administration. Additionally, the bill proposes using Section 702 data for foreign traveler vetting and formalizes a ban on certain types of digital communication collection. Despite progress, uncertainty remains, especially after former President Trump's call to "kill" FISA, as well as discontent over not voting on closing data brokers' loopholes, which might be addressed separately.

Ukraine suspends a top cybersecurity official. 

The head of Ukraine’s Security Service cybersecurity department, Illia Vitiuk, has been suspended and reassigned to combat duty following an investigative report by a Ukrainian news organization. The report questioned the affordability of a property owned by Vitiuk's family, suggesting his official salary wouldn't cover the cost. Following the story, there were allegations of retaliatory actions against the journalist responsible, with claims of military draft enforcement being used as punishment. The SBU is investigating these allegations but has not commented on Vitiuk's case. Vitiuk is generally well respected for his insights into cybersecurity. This incident follows the dismissal of other Ukrainian cybersecurity officials for suspected financial misconduct.

A Wisconsin health coop suffers a data breach. 

Group Health Cooperative of South Central Wisconsin (GHC-SCW) is notifying over 530,000 individuals about a data breach from a ransomware attack on January 25. Although no ransomware was deployed to encrypt files, attackers exfiltrated personal and health information including Social Security and Medicare numbers. The breach was revealed when a foreign ransomware gang claimed responsibility. GHC-SCW, which has worked with the FBI and CISA, has no evidence the stolen information has been misused. In response, the organization says they have enhanced their security measures. The BlackSuit ransomware gang, potentially linked to the Royal ransomware group known for targeting over 350 organizations, listed GHC-SCW as a victim on its site. The US Health Department has warned healthcare entities about BlackSuit, emphasizing its aggressive focus on the healthcare sector.

Sophos uncovers a malicious backdoor. 

The team at Sophos X-Ops discovered a malicious file signed with a valid Microsoft Hardware Publisher Certificate, masquerading as "Catalog Authentication Client Service" by "Catalog Thales." Initial suspicions were raised due to typos in the file's version info. Further investigation linked the file to LaiXi Android Screen Mirroring software, described as marketing software capable of controlling mobile phones en masse. The file, identified as a malicious backdoor, was originally published by Hainan YouHu Technology Co. Ltd. Sophos X-Ops found no direct evidence of LaiXi's deliberate involvement but advised caution when downloading or using their product. The malware included a proxy server, 3proxy, indicating intent to monitor and intercept network traffic. Sophos X-Ops reported the backdoor and related findings to Microsoft, leading to the revocation of the compromised files. This incident underscores the ongoing abuse of Microsoft's Windows Hardware Compatibility Program by threat actors.

Fortinet issues patches for critical and high severity vulnerabilities. 

Fortinet has issued patches and advisories for critical and high severity vulnerabilities across its FortiOS, FortiProxy, and FortiClient products, targeting Linux and Mac platforms. The most critical issue, found in FortiClient for Linux, allows remote code execution through a code injection vulnerability when a user is lured to a malicious website. This affects multiple versions of FortiClientLinux. Another significant flaw, in FortiOS and FortiProxy, could let attackers obtain administrator credentials under specific conditions via an SSL-VPN. Additionally, two high severity vulnerabilities in FortiClient for Mac could allow local execution of arbitrary code or commands by manipulating the installation process. Fortinet has not reported whether these vulnerabilities have been exploited in the wild.

A Microsoft server exposed employee passwords, keys, and credentials. 

Microsoft secured an Azure-hosted server last month that inadvertently exposed employee passwords, keys, and credentials. SOCRadar researchers found that this server, linked to Microsoft's Bing, was accessible online without password protection, containing various security credentials within scripts, codes, and configuration files. This vulnerability could have led to significant data leaks or compromises of Microsoft's services. Although Microsoft addressed this issue on March 5th after being notified on February 6th, it's uncertain if the server was accessed by unauthorized parties. This incident adds to Microsoft's recent security challenges, including criticism for its security practices and previous breaches. Microsoft is reportedly overhauling its security measures in response to these concerns.

LG releases patches to secure smart TVs. 

Researchers from Bitdefender discovered four vulnerabilities in LG TVs running WebOS versions 4 through 7, with three rated as severe. These flaws could enable hackers to add unauthorized users, gain elevated access, deploy malware, and potentially infiltrate smart home networks. One allows attackers to bypass PIN verification in the LG ThinQ app to create privileged profiles, enhancing their access and attack capabilities. Another facilitates full device takeover, while others could be exploited to insert malware or monitor traffic. Initially, over 91,000 devices were reportedly exposed globally. LG has confirmed these vulnerabilities and released patches on March 22.

The IMF warns of cyberattacks' potential to trigger bank runs.

The International Monetary Fund (IMF) reports that cyberattacks have cost the financial sector about $12 billion over the past two decades, highlighting the growing threat these incidents pose to global financial stability. The IMF's Global Financial Stability Report reveals that "extreme losses" from cyber incidents have increased fourfold since 2017 to $2.5 billion. Financial institutions, particularly banks, are highly vulnerable due to the vast amounts of sensitive data and transactions they process. The sector has experienced over 20,000 cyberattacks, leading to significant economic and reputational damage. The IMF warns of potential 'bank runs' following cyberattacks, suggesting that even the perception of insecurity can lead to destabilizing customer actions, like mass withdrawals. The report emphasizes the need for improved cybersecurity strategies and regulations, especially with the increasing reliance on third-party IT and emerging technologies like AI.

It was a busy patch Tuesday. 

Yesterday was Patch Tuesday, and among the best reviews of Microsoft's monthly release comes from our partner and Dean of Research at the SANS Technology Institute, Johannes Ullrich. This update addresses 157 vulnerabilities, including seven affecting Microsoft Edge through Chromium, with three deemed critical. Notably, one vulnerability, a proxy driver spoofing issue, was previously disclosed and exploited. A trio of critical vulnerabilities affect Microsoft Defender for IoT, enabling remote code execution. Additionally, the update patches around 40 important-rated remote code execution vulnerabilities in the Microsoft OLE Driver for SQL Server, targeting clients that connect to malicious SQL servers. Furthermore, seven important vulnerabilities in the DNS Server Service were patched, requiring "perfect timing" for exploitation to achieve remote code execution. We will have a link to Johannes' rundown in our show notes.


Coming up next on our Learning Layer segment, Sam Meisenberg and Joe Carrigan continue their discussion of Joe's CISSP study journey and cover note-taking best practices and how to avoid getting frustrated when you get a practice question wrong.

We'll be right back.

Welcome back. Thanks, Sam and Joe.

X marks the spot where Elon’s impulsiveness turns chaotic. 

And finally, Elon Musk, in what we can only speculate was a characteristic spur-of-the-moment decision, renamed Twitter to "X" last summer. Despite this, the world, including official pages on the platform itself, stubbornly clings to "Twitter" as its name. We refer to it as X-Twitter, trying to straddle clarity and practicality. Attempting a forceful push towards the new branding, X's iOS app started covertly changing mentions of "Twitter.com" to "X.com" in user posts, without user consent.

This hasty move spiraled into a debacle. Imagine, for a moment, someone owns "NetfliTwitter.com." Under Musk's erratic change, posting this on X morphs it into "Netflix.com" in the post, a golden ticket for phishing scams. Realizing the potential havoc, vigilant users quickly snagged such domains to avert disaster, one even setting up a warning page on "NetfliTwitter.com."

X scrambled to patch this mess, but the fix was partial, leaving many references still forcibly changed from "Twitter.com" to "X.com." This not only oversteps by modifying user content without permission but also underlines a risky underestimation of the change's implications, demonstrating yet another instance of Musk's impulsive decision-making wreaking unnecessary confusion. The irony? "X.com" still directs to "Twitter.com," a fitting emblem of this chaotic rebranding effort.
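The look-alike-domain failure described above, as an added example that is not from the podcast or from X: a naive substring rewrite of the kind the story describes, beside a hostname-aware rewrite that only touches tokens whose registrable domain really is twitter.com. Function and regex names are my own.

```javascript
// Naive rewrite: swaps the substring wherever it occurs, so any domain that
// merely ends in "twitter.com" (e.g. NetfliTwitter.com) is silently altered.
function naiveRewrite(text) {
  return text.replace(/twitter\.com/gi, "x.com");
}

// Matches a host-like token: optional scheme, then a dotted host, bounded so
// the token is not preceded or followed by another name character.
const HOST_TOKEN = /(?<![\w.-])((?:https?:\/\/)?)([a-z0-9.-]+\.[a-z]{2,})(?![\w-])/gi;

// Hostname-aware rewrite: only rewrites when the whole host is twitter.com or
// a subdomain of it; any other host that happens to end in "twitter.com" as a
// string (a look-alike) is left exactly as the user wrote it.
function safeRewrite(text) {
  return text.replace(HOST_TOKEN, (match, scheme, host) => {
    const h = host.toLowerCase();
    if (h === "twitter.com" || h.endsWith(".twitter.com")) {
      const prefix = h.slice(0, h.length - "twitter.com".length); // keeps "mobile."
      return scheme + prefix + "x.com";
    }
    return match; // look-alike or unrelated host: untouched
  });
}

// Constructed sample posts, not real user content.
const SAMPLES = [
  "Watch NetfliTwitter.com tonight",          // look-alike domain
  "see https://twitter.com/cyberwire",        // genuine link
  "status at mobile.twitter.com is fine",     // genuine subdomain
];

function demo() {
  return SAMPLES.map((s) => ({ naive: naiveRewrite(s), safe: safeRewrite(s) }));
}
```

Running demo() shows the naive version turning the look-alike into "Netflix.com", while the hostname-aware version changes only the two genuine twitter.com hosts.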

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.