Wyden blocks the senate vote.

Dave Bittner: Senator Wyden blocks a Senate vote on the new NSA and Cyber Command lead. GPS interference is attributed to Iran. Meta identifies and removes Chinese and Russian accounts and groups for coordinated inauthenticity. The EU Council president proposes ‘European cyber force’ with ‘offensive capabilities’. Twisted Spider is observed conducting new ransomware campaigns. Staples sustains a cyberattack. Apple releases security updates for two actively exploited zero-days. On today’s Mr. Security Answer Person segment, John Pescatore joins us to talk about Microsoft's Secure Future Initiative. And how can you tell if your bot is involved in insider trading?

Dave Bittner: It’s Friday, December 1st 2023.  I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Dave Bittner: Wyden to block Senate vote on new NSA, Cyber Command lead

Dave Bittner: In today’s top story, Politico reports that Senator Ron Wyden is blocking the nomination of Lt. Gen. Timothy Haugh (HOG) to lead the NSA and Cyber Command, demanding transparency from the agency regarding potential warrantless domestic surveillance of Americans. Despite Wyden's focus not being on Haugh's qualifications, his blockade remains steadfast until the NSA discloses the requested information.

Dave Bittner: The Department of Defense (DOD) acknowledges Wyden's hold and expresses eagerness to work with him to address his concerns, emphasizing the importance of Haugh's role in national security. Wyden's action follows Senator Tuberville's withdrawal of his hold on Pentagon nominees, initially placed in protest of the Pentagon's abortion travel policy for service members.

Dave Bittner: This issue gains additional significance ahead of the year-end expiration of Section 702 of the Foreign Intelligence Surveillance Act, a contentious measure allowing the U.S. government to collect communications of foreigners abroad. Wyden's chief communications adviser, Keith Chu, underscores the importance of the NSA's transparency, especially in the context of the upcoming debate on Section 702.

Dave Bittner: Lt. Gen. Haugh is widely supported in the Senate, including by the Armed Services and Intelligence committees. In the meantime, General Paul Nakasone continues to lead the NSA and Cyber Command. Wyden's move reflects broader concerns about government surveillance practices and the balance between national security and individual privacy rights.

GPS interference is attributed to Iran.

Dave Bittner: Commercial flights in the Middle East, specifically near Baghdad, Cairo, and Tel Aviv, have experienced GPS disruptions due to meaconing interference, a type of rebroadcasting of navigational signals and a play on the word beaconing. Wired reports that these incidents are likely emanating from the outskirts of Tehran. Researchers at the University of Texas Radionavigation Laboratory support this attribution. The interference appears to be aimed at jamming GPS signals rather than redirecting aircraft. Industry experts aren't shocked by these developments. Dana Goward, President of the Resilient Navigation & Timing Foundation, notes Tehran's history of GPS interference. He also mentions Tehran's development of a Loran-like system to lessen their dependence on space-based navigation and timing signals. Goward emphasizes that the intention seems to be to deny GPS service, not to misguide aircraft.

Meta identifies and removes Chinese and Russian accounts and groups for coordinated inauthenticity.

Dave Bittner: Meta's latest Quarterly Adversarial Threat Report disclosed the removal of coordinated inauthentic behavior linked to Russia and China on its platforms. The report detailed three key findings:

Dave Bittner: In China, 13 accounts and seven groups targeting India, Tibet, and to a lesser extent, the U.S., were removed. These entities, posing as journalists, lawyers, and human rights activists, were detected through internal investigations.

Dave Bittner: Another Chinese operation involving 4,789 Facebook accounts was dismantled. These accounts, posing as Americans, focused on U.S. politics and U.S.-China relations. This network was removed before it could significantly engage with authentic users.

Dave Bittner: From Russia, six Facebook accounts, one page, and three Instagram accounts were eliminated. Targeting a global English-speaking audience, they predominantly posted about Russia's invasion of Ukraine through fictitious media brands. Russian embassies and diplomatic missions had promoted these on various social media platforms.

Dave Bittner: Meta's actions reflect its ongoing challenges to combat disinformation and false online personas.

Dave Bittner: EU Council president proposes ‘European cyber force’ with ‘offensive capabilities’

Dave Bittner: Charles Michel, President of the European Council, proposed creating a European cyber force with offensive capabilities, addressing the European Defence Agency (EDA) conference Thursday. This idea, amidst the Russian invasion of Ukraine, aligns with his vision for a unified defense sector and a single defense market in the EU. However, the proposal faces challenges, including command structure and the development of offensive cyber capabilities. The EDA, responsible for promoting EU defense integration, operates under the European Council but doesn't command armed forces, which remain under member states' control.

Twisted Spider observed conducting new ransomware campaigns.

Dave Bittner: Microsoft has uncovered an active malvertising campaign by the Twisted Spider gang, believed to be based in Russia and also known as Storm-0216 or UNC2198. They are distributing the Danabot Trojan via malicious ads. This campaign, first noticed in November, uses a private version of Danabot, differing from their previous use of the malware-as-a-service model. Danabot steals user credentials and other information, enabling lateral movement through RDP sign-ins, and eventually leads to the deployment of Cactus ransomware by Twisted Spider for extortion purposes. The switch to Danabot from the previously used Qakbot, which faced law enforcement disruptions, indicates the gang's adaptability. It's important to note that Twisted Spider is distinct from Scattered Spider, another criminal group involved in cyberattacks against MGM Resorts and Caesars Entertainment.

Staples sustains a cyberattack.

Dave Bittner: Office supply giant Staples experienced a cybersecurity incident, prompting them to shut down some systems as a precautionary measure, BleepingComputer reports.  A spokesperson from Staples revealed that their cybersecurity team detected a risk on November 27, leading to immediate steps to reduce potential impacts and safeguard customer data. This necessary response temporarily disrupted their backend processing, delivery capabilities, customer communication channels, and customer service operations. However, Staples is actively working on restoring all systems and anticipates a swift return to full functionality. In the meantime, they expect minor delays but plan to fulfill all placed orders.

Dave Bittner: Apple releases security updates for iOS, iPadOS and macOS, fixing two actively exploited zero-days

Dave Bittner: Apple has released critical security updates for iPhones, iPads, and Macs to address two actively exploited vulnerabilities identified by Google’s Threat Analysis Group. The WebKit vulnerabilities allow hackers to remotely implant malicious code on devices, qualifying as “zero-day” vulnerabilities due to the absence of a lead time for Apple to rectify them before exploitation.

Dave Bittner: The identity of the attackers exploiting these vulnerabilities remains unknown, as neither Apple nor Google have attributed these actions to any specific malicious actors or governments.

Dave Bittner: These updates follow a recent patch by Google for a zero-day vulnerability in Chrome, which was known to be exploited in the wild. Google responded to the Chrome vulnerability within four days, while Apple addressed the issue reported by Google's researchers in just under a week.

Dave Bittner: On today's edition of Mr. Security Answer Person, John Pescatore joins us to talk about Microsoft's secure future initiative. [ Music ]

John Pescatore: Hi, I'm John Pescatore, Mr. Security answer person. Our listener question for today's episode, Brad Smith, Microsoft's corporate president recently announced Microsoft's secure future initiative. What's your take on that?

John Pescatore: Well, my knee jerk reaction to these types of we will start to take security seriously now. Corporate press releases is the check that if that company recently had an embarrassing security breach, and sure enough on 18, September 2023, Microsoft had to admit they had allowed 38 terabytes of sensitive data to be leaked out when they host the training data for artificial intelligence on their own as your cloud service using insecure configurations. Oops. But we need a bit of context first. Way back in 2002, after Windows users worldwide had been getting trashed by malware worms taking advantage of numerous Windows vulnerabilities. Then Microsoft CEO Bill Gates issued a companywide email that said, "Trustworthy computing is the highest priority for all the work that we're doing. We must lead the industry to a whole new level of trustworthiness in computing," which was similar to a fast food restaurant whose customers had been getting food poisoning for years, saying we need to lead the food industry and consumption worthy meals. Talking the talk is easy, changing a company to actually walk the walk is a whole another thing. But to Bill Gates credit when he said turn right the corporate steering wheel started to rotate. Microsoft invested heavily in a secure development lifecycle made patch releases of regular monthly event and made some progress in a more secure software development lifecycle. They had a lot of missteps however, and over 20 years later we are still seeing badly written Windows software, with zero day vulnerabilities being shipped. And Google and Apple and others have been the leaders in raising the bar in security, not Microsoft. In his secure future initiative blog posts, Brad Smith referenced a corporate email by Microsoft's executive VP for security, Charlie Bell that said, we will focus on, one, transforming software development. Two, implementing new identity protections. And, three, driving faster vulnerability response. This is the mediary of the whole initiative. This is where the rubber really has to meet the road. Of those three initiatives, I hope Microsoft keeps its primary focus on transforming Windows software development. Here's the major issue. [Music] Starting in 2002, Microsoft secured development lifecycle initiative made great strides, but the approach was based on three to four year operating system lifecycle releases. By 2010 it was clear that mobile and cloud based applications with near continuous update cycles were becoming the norm. But in 2010, when I interviewed then Microsoft CEO Steve Ballmer on the keynote stage of Gartner's annual IT Symposium, I asked him what is Microsoft's biggest risk? He answered the next release of Windows, which at that time had windows eight, which wouldn't even ship until 2012. Ballmer didn't even mentioned the iPhone or iPad or Gmail or Google's Chrome browser. Does anyone even remember Windows 8? Microsoft was trapped by a business model that relied on jamming functions into its dominant desktop operating system versus competing by building awesome products and services, let alone awesomely secure ones. Thirteen years later, Microsoft has recognized that. Let me quote from Charlie Bell's memo about Microsoft moving to a dynamic software development lifecycle. This means we're going to apply the concept of continuous integration and continuous delivery to continuously integrate protections against emerging patterns as we code, test, deploy, and operate. Think of it as continuous integration and continuous security. I could quibble with that wording. For example, emerging patterns sounds suspiciously like signatures to me, but Microsoft aiming at continuous security is great to see. In that spirit though, we need to see some rapid progress in 2024. After suffering a major breach, a CISO once told me the good news is I finally got approval to break some eggs so we can actually deliver a more secure omelet, fewer vulnerabilities in Windows and faster easier patching of all Microsoft products and services has to be job one to reduce the constant barrage of rotten eggs hitting the face of businesses. [ Music ] Thanks for listening. I'm John Pescatore, Mr. Security answer person. [ Music ]

Dave Bittner: That's Mr. Security answer person John Pescatore. [ Music ] And finally, yesterday marked the one year anniversary of the public availability of Chat GPT, which you may have noticed captured the imagination of just about everyone, be they lovers or haters of the technology. We draw your attention to a research paper out of Cornell University titled Large Language Models Can Strategically Deceive Their Users When Put Under Pressure. In it, researchers demonstrated that large language models like GPT 4 train to be helpful, harmless and honest, can still exhibit misaligned behavior and deceive users without explicit instructions. Deployed in a simulated environment as an autonomous stock trading agent, GPT 4 acted on an insider tip for a lucrative trade, knowingly violating company policies. The model then deliberately concealed the true reasons for its trading decision from its manager. Various experimental adjustments, such as changing environment settings and system instructions were tested to understand this behavior. This research marks the first instance of such models strategically deceiving users in a realistic scenario without being programmed for deception. So even our AI overlords seem to have picked up a tip or two from Wall Street. When it comes to insider trading it's not just about playing the market, but also playing it cool with the boss. [ Music ] And that's the Cyberwire. For links to all of today's stories, check out our daily briefing at the cyberwire.com. Be sure to check out this weekend's research Saturday, and my conversation with Ryan from Bishop Fox. We're describing their work building an exploit for a FortiGate vulnerability. That's research Saturday. Check it out. We'd love to know what you think of this podcast. You can email us at CyberWire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that n2k and podcast like the Cyberwire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Ervin. Our mixer is Trey Hester, with original music by Elliot Peltzman. Our executive producers are Jennifer Eiben and Brandon Carp. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week. [ Music ]