A pivotal global menace.
The World Economic Forum names AI a top global threat. The SEC suffers social media breach. The FTC settles with a data broker over location data sales. A massive data leak hits Brazil. Chinese researchers claim and AirDrop hack. A major real estate firm suffers data theft. Pikabot loader is seeing use by spammers. Ukraine’s Blackhit hits Russia’s M9 Telecom. Stuxnet methods are revealed. A Patch Tuesday rundown. Our guest is Tim Eades from the Cyber Mentor Fund to discuss the growing prevalence of restoration as a part of incident response. And Hackers could screw up a wrench.
Today is January 10th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Thank you all for joining us today. It’s good to have you here.
World Economic Forum names AI a top global threat.
The World Economic Forum's latest Global Risks Report identifies AI-driven misinformation and disinformation as the most significant short-term risks to the global economy, democracy, and social stability. Released before the Davos summit, the report, based on a survey of 1,500 experts, highlights the adverse effects of rapidly advancing technology.
AI technologies, particularly generative AI chatbots, are facilitating the creation of sophisticated synthetic content, elevating concerns about manipulation and societal polarization. This risk is particularly acute as several countries with large economies, including the United States, Britain, and India, approach election periods.
Carolina Klint, a risk management leader at Marsh, who co-authored the report along with Zurich Insurance Group, emphasizes the potential of AI in exacerbating misinformation. She warns that AI-driven deepfakes and synthetic content could challenge the legitimacy of democratic processes and intensify societal divides. AI also poses risks in cybersecurity, enabling more accessible and sophisticated cyberattacks and embedding biases in AI models through tainted training data.
Generative AI is increasingly becoming a double-edged sword in the realm of cyber security. Rob Joyce, director of cyber security at the NSA told attendees at an event at Fordham University in New York, this technology significantly enhances the ability of security experts to detect and counteract cyber threats. It's particularly effective in identifying abnormal activities and potentially malicious actors hiding within networks, utilizing large-scale data analysis without the need for constant human oversight.
However, the same technology is also being exploited by cybercriminals. They use generative AI to sophisticate frauds, scams, and social engineering attacks, as noted by researchers at Mandiant and Darktrace. These advancements in AI-enabled cyber attacks pose a major challenge, enabling hackers to refine their techniques and launch more personalized and potent attacks.
Despite these threats, national security agencies and cyber security experts are leveraging AI to improve their defensive capabilities. AI is not a panacea, as Joyce points out, but it significantly bolsters the effectiveness of skilled practitioners. It assists in real-time detection of cyber attacks, monitors unusual login activities, and can proactively respond to potential threats. AI is even being trained to predict attacks before they occur.
SEC suffers social media breach.
The U.S. Securities and Exchange Commission (SEC) yesterday fell victim to a breach of their X(Twitter) account, leading to a false announcement of a Bitcoin Exchange Traded Fund, an ETF. Reports highlight the lack of two-factor authentication (2FA) on the SEC’s main social media account, and that the vulnerability was exploited through a SIM swap hack, where an attacker gained control of the phone number associated with the SEC's account. This type of attack involves convincing a telecom provider to transfer a victim’s phone number to the attacker, allowing them access to various accounts linked to that number.
U.S. Senators J.D. Vance and Thom Tillis have expressed serious concerns about the SEC's cybersecurity procedures, demanding an explanation and transparency about the incident.
FTC settles with data broker over location data sales.
The Federal Trade Commission (FTC) has reached a settlement with data broker X-Mode Social and its successor, Outlogic, to prohibit them from sharing or selling sensitive location data. This settlement addresses allegations that the companies sold precise location data which could track individuals to sensitive locations such as medical and reproductive health clinics, places of worship, and domestic abuse shelters. This marks the FTC’s first settlement with a data broker over the collection and sale of sensitive location information.
The FTC found that X-Mode Social and Outlogic failed to implement proper safeguards for the use of such data by third parties. They sold precise location data collected from third-party apps using their software, their own apps, and other data brokers. This data, linked to mobile advertising IDs and not anonymized, could potentially reveal personal and sensitive information about individuals.
The FTC’s complaint highlighted that until May 2023, there were no policies to exclude sensitive locations from the data sold. The practices exposed consumers to privacy violations, discrimination, and physical or emotional harm. The proposed order requires X-Mode/Outlogic to delete or destroy all collected location data unless consumers consent or the data is de-identified. They must also develop programs ensuring informed consumer consent, protect sensitive locations, and establish a comprehensive privacy program. The FTC will accept public comments on the agreement before finalizing the order.
Massive data leak hits Brazil.
Research from Cybernews have uncovered a massive data leak affecting Brazilian individuals, with over 223 million records exposed, possibly affecting that country’s entire population. The leak was found in a publicly accessible Elasticsearch instance and contained sensitive personal data such as full names, dates of birth, gender, and taxpayer identification numbers. The source of the leak has not yet been identified as the data wasn't linked to any specific company or organization. The data is no longer publicly available, but the potential impact of the leak remains concerning.
Chinese researchers claim AirDrop hack.
Chinese researchers, presumably backed by the state, claim to have developed a method to identify users of Apple's AirDrop, the encrypted service that allowing content sharing between nearby Apple devices without internet. This service was popular during the 2019 Hong Kong pro-democracy protests for its ability to bypass government surveillance. The Beijing municipal government stated that this new technique can uncover an iPhone's encrypted log, revealing the user's phone number and email. Apple limited AirDrop for Chinese users in 2022, introducing a 10-minute time limit for receiving files from unknown contacts. This move aligns with China's extensive digital surveillance efforts, which include mandatory real-name registration for social media and communication services. Apple is often criticized for complying with Chinese regulations. They previously removed a map app used by Hong Kong protesters in 2019, citing safety concerns.
Real estate firm suffers data theft.
Fidelity National Financial (FNF), a major real estate services company, has revealed a cyberattack from November of last year, leading to the theft of data from 1.3 million customers and causing a week-long system outage. The firm disclosed in a regulatory filing that an unauthorized party accessed their systems, deployed non-self-propagating malware, and extracted data. The specific nature of the stolen data wasn't detailed, but FNF is offering credit monitoring and identity theft services to affected customers, indicating the data was personal and sensitive. The ransomware group ALPHV, also known as BlackCat, claimed responsibility for the attack. FNF managed to contain the attack by November 26.
Pikabot loader is seeing use by spammers.
Pikabot, a loader malware used by the threat group Water Curupira, has seen increased activity in spam campaigns, especially after the takedown of Qakbot from June to September 2023. Cybersecurity researchers at Trend Micro have noted a surge in these phishing campaigns targeting Windows machines. Pikabot gains initial access through spam emails, using thread-hijacking to appear legitimate and prompt users to open attachments that seem authentic.
Ukraine’s Blackhit hits Russia’s M9 Telecom.
In an apparent response to Russia's attack on Kyivstar, a Ukrainian hacking group linked to the SBU spy agency attacked a Moscow ISP, M9 Telecom. The group, known as "Blackjack," deleted 20TB of data, disrupting internet service in parts of Moscow. They claimed the attack as a "warm-up" retaliation on their Telegram page. M9 Telecom's website is operational despite claims of complete data destruction.
Stuxnet methods revealed.
A two-year investigation by Dutch newspaper De Volkskrant has revealed a Dutch engineer, Erik van Sabben, was reportedly recruited by the Netherlands' intelligence agency, AIVD, to deploy the Stuxnet malware in an Iranian nuclear facility back in 2010. Stuxnet targeted Iran’s nuclear program, infecting and damaging numerous devices and centrifuges. It's believed Van Sabben planted Stuxnet using a water pump at Natanz's nuclear complex, although the exact method remains uncertain. Van Sabben died in a motorcycle accident two weeks after the Stuxnet attack. Former CIA chief Michael Hayden, while not confirming specifics due to classified information, hinted at the high cost of developing Stuxnet, estimated between $1 and $2 billion.
Yesterday was patch Tuesday, and Microsoft released 49 Patch Tuesday updates for Windows, including two critical flaws. Additionally, Microsoft Edge received patches for four high-severity Chrome flaws. Adobe fixed six important vulnerabilities in Substance 3D Stager, while SAP addressed various security issues, including two new HotNews Notes. Cisco updated two privilege escalation CVEs in its Identity Services Engine, but one remains unpatched. Google's Android Security Bulletin covered 59 CVEs, with the most severe in the Framework components, posing a risk of local escalation of privilege.
Hackers could screw up a wrench.
And finally, researchers at Nozomi discovered 23 vulnerabilities in the Bosch Rexroth Handheld Nutrunner, a network-connected wrench used in factories around the world. These flaws could let hackers sabotage or disable the wrench, crucial for assembling sensitive instruments with precise torque levels. Nozomi says these vulnerabilities could allow unauthorized remote code execution with root privileges. In a wrench. Hackers could potentially install ransomware. In a wrench. They could alter torque settings while displaying normal values to operators. In a wrench. Bosch Rexroth acknowledged the issue and is working on a patch, due for release in January 2024. While mass exploitation is unlikely, the risk of work stoppages or tampering with critical settings warrants installing patches when available.
It seems, in this case, it’s the wrench’s security that needs a little tightening.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. You can email us at email@example.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.
N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.