The CyberWire Daily Podcast 12.7.23
Ep 1962 | 12.7.23

New vulnerability packs a punch.

Transcript

Dave Bittner: Unpacking LogoFAIL's threat to Windows and Linux, the US DHS's new healthcare cybersecurity strategy, and dual Russian influence campaigns. A look at supply chain risks, increased bot activity in retail, Meta's end-to-end encryption in Messenger and Android's AutoSpill vulnerability. On today’s Industry Voices segment, we welcome Todd Thorsen, CISO from CrashPlan, with insights on data resiliency. And the discovery of an alleged software 'kill switch' in Polish trains.

Dave Bittner: It’s Thursday, December 7th, 2023. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

LogoFAIL targets Windows and Linux firmware.

Dave Bittner: A newly discovered attack named LogoFAIL poses a significant threat to hundreds of Windows and Linux computer models from nearly all hardware makers, executing malicious firmware early in the boot process. This method allows infections that are hard to detect or remove with current defenses. LogoFAIL comprises around two dozen vulnerabilities in the Unified Extensible Firmware Interface (UEFI) that boots these devices. It can bypass major security mechanisms like Secure Boot and similar protections, gaining high-level control over affected machines.

Dave Bittner: Discovered by Binarly, these vulnerabilities have existed for years and impact a broad range of consumer and enterprise devices. The attack can often be executed remotely in post-exploit scenarios, undetectable by traditional endpoint security products. The vulnerabilities were disclosed in a coordinated mass release, involving UEFI suppliers like AMI, Insyde, Phoenix, device manufacturers such as Lenovo, Dell, HP, and CPU makers including Intel, AMD, and ARM CPU designers.

Dave Bittner: The LogoFAIL attack exploits critical vulnerabilities in UEFI image parsers by replacing legitimate hardware seller logos, displayed during the boot process, with specially crafted images. This allows malicious code execution in the DXE phase (Driver Execution Environment), leading to full control over the target device's memory and disk, including the OS.

Dave Bittner: A second-stage payload can be delivered by LogoFAIL, placing an executable on the hard drive before the OS starts. This was demonstrated in a proof-of-concept exploit on a Lenovo ThinkCentre M70s. Binarly's findings indicate that the attack can bypass endpoint security solutions and persist in a firmware capsule with a modified logo image. Affected parties are releasing advisories and security patches for vulnerable products.

Memory-safe coding practices.

Dave Bittner: The US Cybersecurity and Infrastructure Security Agency (CISA), along with the NSA, FBI, and cybersecurity authorities from Australia, Canada, the UK, and New Zealand, have jointly released a guide advocating memory-safe coding practices. This guide from the Five Eyes urges software manufacturers' executives to prioritize the use of memory-safe programming languages. It recommends the creation and publication of memory-safe roadmaps to modify their software development life cycle (SDLC). These roadmaps should outline steps to significantly reduce and eventually eliminate memory-unsafe code in their products, thus enhancing customer protection. The guidance provides a detailed framework for what these memory-safe roadmaps should entail.

US HHS releases healthcare cybersecurity strategy.

Dave Bittner: The US Department of Health and Human Services (HHS) released a strategy document titled "Healthcare Sector Cybersecurity: Introduction to the Strategy of the U.S. Department of Health and Human Services." This plan, aligning with the President's cybersecurity strategy, acknowledges the increasing cyber threats targeting healthcare facilities due to their size, data sensitivity, and reliance on technology. The HHS proposes a four-step approach to enhance cybersecurity: setting voluntary performance goals, providing resources for implementing cybersecurity practices, executing an HHS-wide strategy for enforcement and accountability, and developing a comprehensive cybersecurity resource hub within HHS.

Dave Bittner: The American Hospital Association (AHA) supports HHS's commitment but expresses concerns. It highlights the challenges posed by nation-state affiliated cyber threats, requiring a comprehensive government response. The AHA also warns against overly strict or punitive regulations, noting that many vulnerabilities stem from third-party systems outside the healthcare sector's direct control.

Dave Bittner: Coincidentally, former HHS officials, Jose Arrieta and Janet Vogel, revealed details of a significant cyberattack on HHS networks on March 15, 2020, coinciding with the onset of the COVID pandemic. Reported by Bloomberg Businessweek, the attack, believed to be state-sponsored, involved an unusually large distributed denial-of-service (DDoS) attack, leading to the temporary shutdown of HHS systems. This assault is retrospectively viewed as a diversion for a more targeted attempt to infiltrate US networks crucial to the pandemic response. Arrieta noted the attackers' detailed knowledge of the HHS network, including the locations of large data repositories, indicating a deliberate effort to extract specific information. The attack was part of a global trend where intelligence services exploited the pandemic to target vulnerable networks. Arrieta and Vogel suspect China to be the most likely perpetrator of this attack.

Two Russian influence and collection campaigns, one mass-market, the other tailored.

Dave Bittner: Swifties, beware…
Russia's military intelligence service, the GRU, is reportedly using a disinformation strategy involving the misuse of celebrities' images paired with fabricated quotes criticizing Ukraine, as detailed by WIRED. This campaign, aimed primarily at European audiences, falsely features celebrities like Taylor Swift, Selena Gomez, and Cristiano Ronaldo, portraying Ukraine as responsible for the war and misusing Western aid. The GRU's Doppelgänger operation, sophisticated in its dissemination methods, exploits Facebook's ad and content moderation systems to spread these false narratives.

Dave Bittner: Additionally, the UK government has confronted Russia over the FSB's "Cold River" campaign, aimed at influencing UK elections. Described as a highly targeted operation, it involves selective leaks of information obtained through cyber espionage, aligning with Russia's geopolitical aims. The campaign, known by various names including "Star Blizzard," employs detailed spearphishing and impersonation tactics. This includes creating fake social media profiles and using event invitations as lures, showing a stark contrast to the GRU's broader, automated approach in the Doppelgänger campaign.

Supply chain threats.

Dave Bittner: BlueVoyant's State of Supply Chain Defense report highlights an increased focus on cybersecurity in supply chains. Key findings include that 85% of organizations have raised their budget for third-party cyber risk management in the past year, with 51% enhancing internal resources and 46% adding external ones. Monitoring of supply chain cyber risks has grown, with 47% of respondents doing so at least monthly in 2023, up from 41% in 2022. Additionally, there's a rise in reporting frequency to senior management about supply chain and cyber risk, with 44% doing so monthly or more in 2023, compared to 38% in 2022.

Retail bot activity in the shopping season.

Dave Bittner: Kasada's 2023 Holiday Bot Activity Report reveals a 198% increase in bot traffic compared to 2022. The peak of this traffic occurred the day before Thanksgiving, attributed to bots accessing pre-holiday sales ahead of actual shoppers. Interestingly, bot traffic was higher in October than in November, indicating that both humans and bots were actively engaging in early bird holiday sales. Furthermore, there was a significant 251% spike in login fraud attempts on November 25th, Cyber Monday, and the day after, highlighting the growing cybersecurity challenges during major retail events.

Meta rolling out end-to-end encryption in Messenger.

Dave Bittner: Meta has begun implementing default end-to-end encryption for Messenger, a significant enhancement in user privacy. Loredana Crisan, Head of Messenger, emphasized in a blog post that this development required years of effort, involving the collaboration of engineers, cryptographers, designers, policy experts, and product managers. Meta initially tested end-to-end encryption in 2016 through a "secret conversations" mode and later extended it to voice and video calls in 2021. The feature was made available for group chats and calls in early 2022, and individual chats began testing it in August 2022. Meta aims to complete the default end-to-end encryption rollout by the end of 2023. The engineering team faced challenges in adapting certain features like the sticker library and chat storage, necessitating a complete overhaul, as stated in their engineering blog. This move marks a significant step towards enhancing privacy and security in digital communications on the platform.

AutoSpill affects Android apps.

Dave Bittner: Researchers at IIIT Hyderabad discovered a vulnerability named AutoSpill in popular mobile password managers, affecting their autofill functionality on Android apps. This flaw allows user credentials saved in these password managers to be exposed when an Android app loads a login page in WebView. WebView, a Google engine, enables web content display within apps, confusing password managers about the target destination for user login information. Consequently, credentials can be inadvertently disclosed to the app's native fields.

Dave Bittner: Tests on updated Android devices using well-known password managers like 1Password, LastPass, Keeper, and Enpass revealed widespread susceptibility to credential leakage, even with JavaScript injection disabled. With JavaScript injection enabled, all tested password managers were vulnerable to AutoSpill. 1Password has acknowledged the issue and is working on a fix. Keeper confirmed being notified about a potential vulnerability but did not comment on specific remedies. Google and Enpass have not responded to inquiries about this issue.

Dave Bittner: Coming up after the break, my conversation with Todd Thorsen, Chief Information Security Officer from CrashPlan. We're talking data resiliency. Stick around. [ Music ] [ Music ]

Dave Bittner: In an era where ransomware and malicious attacks are relentless, even the most secure organizations are not immune. These attacks can cripple organizations financially, operationally, and damage their reputation and compliance standing. My guest today is Todd Thorsen, Chief Information Security Officer at CrashPlan. In this sponsored "Industry Voices" segment, we delve into crucial strategies for bolstering data resiliency.

Todd Thorsen: Data resiliency is really important and in its essence, it's making sure that you've got backups of your data, and that those backups are recoverable when you need them. So when things go wrong, tools fail, are you able to recover data, resume operations in a timely fashion?

Dave Bittner: Are there any common misunderstandings that you find that people have when it comes to data resiliency?

Todd Thorsen: There are. One of which is really the mechanism or the tools that you're using to back up and recover data. So for instance what I see often is tools are misused. So like, cloud collaboration platforms for example are often misused for data recovery and resilience. They have some inherent limitations for the duration that data is stored as recoverable. And they also have scaling issues. So if you need to recover data at scale across your organization, in the wake of an outage or you know, God forbid, a breach, you're going to be challenged to be able to recover quickly and holistically.

Dave Bittner: Can we touch on corporate policies, you know, the things that organizations should put in place to make sure that there isn't too much friction here when it comes to having a resiliency plan?

Todd Thorsen: Yes, I think it's really important to sort of think through -- and every organization is different -- but think through where within your organization does critical data reside? So the systems, the endpoints, servers, cloud. Where is that data traversing, and what are your capabilities for that? From a recovery standpoint, from a backup standpoint? Where do you want to put those efforts around? Policies are certainly important to articulate, you know, what the plan is. Document that. What are the expectations for end users? And then executing those initiatives to make sure things are working appropriately. So policies are fine from, you know, a corporate governance perspective, but when you get into introducing a user requirement to enforce a policy, that's where it can become a challenge, and you may have gaps. And that's where, you know, having purpose-built, you know, backup and recovery solutions in place, that are automated, that are just taking that action in the increments that you want to have coverage for is really important.

Dave Bittner: What about testing? I mean, an organization puts a plan in place, what's the process by which they know that it's actually going to work?

Todd Thorsen: Yes. Testing is really important. You know, running through scenarios, they can take a variety of avenues from a testing perspective. Certainly you can run through tabletop exercises as an organization, so throwing out a scenario, like hey, we've been hit with ransomware. Now we're going to execute our incident response plan. So the incident response plan is really important, because it should lay out the steps that everyone needs to take, the roles and responsibilities, so people, you know, have an idea of who's doing what. What are the expectations for the organization from a recovery standpoint? But then, it's not just documenting those. It's actually running through those scenarios. You know, you have, you know, real -- realistic scenario. And then as you're going through those, inevitably what you're going to find are things that you could do better. So having sort of a debrief after running through those testing scenarios: what went well? What didn't? What do we need to make refinements from a policy or ownership standpoint? Where do we have challenge from a technology standpoint or administrative standpoint?

Dave Bittner: Can you kind of walk us through the process when you and your colleagues there at CrashPlan work with someone, you know, for the first time. How do you go through establishing where they are, what their needs are, and where they go looking forward?

Todd Thorsen: Yes, you know, it's really, yes -- going back to -- and every organization is different, but understanding your risk environment and aligning that with the organization's risk tolerance, right? And so understanding where critical data to an organization resides, that's always the place to start. Understanding where that sits, how it's being accessed, and who's accessing it. And then making sure that you're getting the right coverage. Again, everything is sort of a risk-based approach, but making sure that you're getting those critical areas, the critical data, you have a good understanding where that resides. And then executing and implementing tools and process to protect that so that it is available and recoverable when needed.

Dave Bittner: You know, the organizations that are finding success here, who have a good plan in place and are finding that it's working for them, are there things that they have in common? Are there best practices here that you see that are consistent?

Todd Thorsen: Yes. One of the things that I find personally the most valuable is my network of, you know, fellow security practitioners, CISOs, and learning from them. Having discussions, leveraging that network. What's worked well, what has been a challenge, and how those challenges have been overcome, and then applying those into your organization. You know, it's hard to create effective process in a vacuum. Certainly you want to take your organization into account, but it's also important to not to recreate the wheel. So that's where having that sort of network of peers that you can, you know, lean on, share information with, and leverage as you're building out your program. It's never a one-and-done opportunity. It's ongoing. So you're going to make changes. You're going to make iterations. You're going to make continual improvements as you go through time. So one of the challenges I sort of always let people know is don't feel like you have to solve every problem right out of the gate. And it's not, you know, the Ten Commandments. It's not carved in stone. Your policy's going to evolve. Your capabilities are going to evolve. Risks are going to evolve to the organization, so being able to pivot and iterate on that process over time is really important. And that's where the testing piece comes back to it, right? So you're testing those capabilities. You're making iterative changes to improve your capabilities over time. So keep it simple. Don't feel like you have to account for every single potential contingency that could come around. But really start out knowing that you're going to iterate over time. [ Music ]

Dave Bittner: Our thanks to Todd Thorsen, Chief Information Security Officer at CrashPlan, for joining us. [ Music ]

Dave Bittner: We close today with details from a presentation given a few days ago at the Oh My Hack conference by members of the hacking team we're about to tell you about. In spring 2022, the Polish company SPS faced a baffling situation. After performing maintenance on Newag's Impuls 45WE commuter trains, the vehicles wouldn't operate, despite all diagnostics indicating that they were functional. The issue grew serious when multiple trains, post-maintenance, experienced the same problem, severely disrupting regional railway services. Faced with the escalating costs and contractual penalties, SPS sought unconventional help and hired the Dragon Sector hacker group. The team faced numerous challenges, including a lack of documentation and difficulties in accessing and understanding the train's computer system. However, they persevered, uncovering startling facts. Their investigation revealed the train's software contained GPS coordinates of various Polish maintenance centers, including Newag's own facility. The software was programmed to disable train functionality after spending 10 days in these centers, a feature not documented in the 20,000-page manual. Additionally, the software contained mechanisms to lock the train if certain parts were replaced, and to simulate breakdowns under specific conditions, like reaching a million kilometers. The discovery of a remote communication device in the trains added to the intrigue, [inaudible 00:21:32] at external control capabilities. Dragon Sector's efforts not only revived the immobilized trains, but also brought to light concerning alleged practices by the manufacturer, Newag. Despite the magnitude of these findings, the response from Polish regulatory bodies remains limited, with only CERT Polska taking action by notifying law enforcement.
The situation raises significant questions about manufacturer ethics, consumer protection, and the adequacy of regulatory oversight in the railway industry. Who knew trains could play hide-and-seek with their functionality? Turns out, when it comes to mysterious breakdowns, sometimes you need more than a mechanic. You need a hacker with a knack for digital detective work. [ Music ]

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our "Daily Briefing" at thecyberwire.com. As we near the end of the year, it is the perfect time to reflect on your company's achievements and set new goals to boost your brand across the industry next year. We'd love to help you achieve those goals. We've got some unique end-of-year opportunities complete with special incentives to launch 2024. So tell your marketing team to reach out. Send us a message at sales@thecyberwire.com or visit our website so we can connect about building a program to meet your goals. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team, while making your team smarter. Learn more at N2K.com. This episode was produced by Liz Irvin. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. [ Music ]