The CyberWire Daily Podcast 1.12.24
Ep 1982 | 1.12.24

Casting a wider hiring net.

Transcript

The Feds look to cast a wider hiring net. Legislators focus on deepfakes. Cookie stealers bypass MFA on Google accounts. A fast food hiring chat bot got hacked. Medusa casts her gaze toward extortion. Akira ransomware is active in Finland. GitLab patches critical vulnerabilities. Bosch thermostats are vulnerable to some hot firmware. CSAM vendors’ crypto sophistication grows. CISA released ICS advisories. On our Solution Spotlight, N2K’s Simone Petrella speaks with Kim Jones, Director of Intuit's CyberCRAFT team, about the SEC's heightened focus on cybersecurity. And a little listener feedback, karaoke style.

Today is January 12th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Hello and thank you for joining us. We are glad to have you with us. 

Feds look to cast a wider hiring net. 

National Cyber Director Harry Coker is working to change federal cybersecurity hiring practices. Collaborating with the Office of Management and Budget (OMB), the plan is to revise educational requirements for some federal cybersecurity contracting jobs, opening these positions to skilled individuals without four-year degrees. These changes are part of the Biden administration's effort to strengthen cybersecurity. Coker aims to diversify the workforce, in which women and people of color have historically been underrepresented.

The federal government will conduct hiring sprints later this year. These will involve recruitment events in previously overlooked areas, including community colleges. This is all part of the Biden administration's strategy to bolster the cybersecurity workforce, enhance education and skills, expand the workforce, and increase federal cybersecurity employees. Over half a million cybersecurity positions are vacant and urgently need filling.

Legislators focus on deepfakes. 

Staying with policy news, the New York Times reports on a recent state legislators' conference, where a panel demonstrated the rapid advancement of AI-generated deepfakes. Initially, legislators chuckled at a primitive deepfake of former Presidents Trump and Obama playing basketball. However, a more realistic video created a year later caused alarm. This spurred state lawmakers to consider regulating false or misleading political ads made by AI, especially with the 2024 primary elections approaching.

Tim Storey, from the National Conference of State Legislatures, emphasized the need for regulatory guardrails. Cautionary tales from overseas, like Slovakia's election influenced by deepfake recordings, highlight the urgency. In the U.S., the campaign of Governor Ron DeSantis of Florida released fake AI images involving President Trump and Dr. Fauci.

As of early 2023, only California and Texas had laws regulating AI in campaign advertising. Since then, Washington, Minnesota, and Michigan have passed similar laws with bipartisan support, mandating disclaimers for AI-made ads.

Kentucky's proposed bill is notable, making first-time violations a felony with up to five years in prison. By January, 11 more states introduced similar legislation. These bills focus on disclosure requirements for misleading AI ads, particularly during critical pre-election periods.

In Congress, Senators Amy Klobuchar and Josh Hawley lead AI bill initiatives. State Representative Julie Olthoff's bill requires disclaimers for AI-altered media. The broader legislative effort aims to combat the challenge of rebutting convincing fake videos or recordings, addressing First Amendment concerns by focusing on disclosure rather than outright bans.

Cookie stealers bypass MFA on Google accounts.

Turning to threats and vulnerabilities, researchers at Malwarebytes report on a method to gain unauthorized access to Google accounts, circumventing multi-factor authentication (MFA). Hackers achieve this by stealing and extending the lifespan of authentication cookies, which remain effective even if the account password is changed. Since this exploit's discovery, both white and black hat security researchers have examined it, leading to its incorporation into various information-stealing malware. This exploit abuses a Google API, meant for syncing accounts across Google services, to reactivate expired authentication cookies. 

According to BleepingComputer, Google considers the API to function as intended and doesn't view this as a vulnerability, suggesting no permanent fix is forthcoming.

To check for unauthorized access, users can review recent device logins in their Google Account settings. If compromised, signing out of all browsers and resetting the password is recommended to invalidate old session tokens. Administrators managing Google Workspace or Cloud Identity can reset sign-in cookies in the Google Admin console.

Fast food hiring chat bot hacked.

Hackers infiltrated the backend of Chattr, an AI chatbot used by fast food franchises for automating hiring, 404 Media reports. The breach was discovered by a group of researchers who utilized a script to scan for exposed Firebase credentials, focusing on companies using the .ai top-level domain. The script identified a Firebase configuration for fast food chain KFC. Using Firepwn, a GitHub tool for testing Firebase app security, the researchers gained read and write access to Chattr's database after creating a new user account.

This access revealed sensitive data including names, phone numbers, email addresses, branch locations, messages, work shifts, and some passwords. The data pertained to franchisee managers, job applicants, and Chattr employees. The breach extended beyond KFC, allowing access to an administrator dashboard with oversight over multiple organizations using Chattr. This granted the ability to accept or reject job applicants and manage financial transactions.

The researchers have reported the vulnerability to Chattr, which markets itself as a comprehensive AI-powered hiring tool for the hourly workforce, handling tasks like application review, interview scheduling, and background checks.

Medusa casts her gaze toward extortion.

Palo Alto Networks' Unit 42 Threat Intelligence analysts report an increase in Medusa ransomware attacks, with a notable shift towards extortion tactics. In early 2023, the Medusa group launched a dedicated leak site, the Medusa Blog, to publish sensitive data from victims who refuse to pay ransoms. This multi-extortion approach offers victims various paid options on their leak site, including time extensions, data deletion, or downloading the compromised data, with costs varying based on the affected organization. 

David Moulton is host of the Threat Vector podcast from Unit 42, and on their most recent episode they discussed this very issue with Principal Threat Researcher Doel Santos. You can find a link to the full episode in the show notes.

Medusa threat actors also use a public Telegram channel named “information support” to share files from compromised organizations. This method provides broader access than traditional onion sites. The Unit 42 Incident Response team's involvement in a Medusa ransomware incident has revealed additional tactics, tools, and procedures employed by these threat actors.

Akira ransomware active in Finland. 

The Finnish National Cybersecurity Center (NCSC-FI) reported increased activity of Akira ransomware in Finland, especially towards the end of 2023. Twelve attacks were reported in 2023, with three occurring during the Christmas holidays. In December, six out of seven ransomware cases in Finland involved Akira.

Attackers targeted organizations with vulnerable Cisco ASA or FTD devices, either using leaked credentials or brute force attacks exploiting a specific Cisco firewall vulnerability. Victims typically lacked multi-factor authentication (MFA), allowing attackers to enter networks, delete backups, and encrypt servers.

The report notes that attackers meticulously destroyed backups, including network-attached storage (NAS) servers and automatic tape backup devices, resulting in almost complete loss of backups.

To counter such threats, NCSC-FI recommends implementing MFA, updating Cisco devices, creating offline backups at different physical locations, and adhering to the 3-2-1 backup rule (three backups in two different places, with one copy entirely off the network).

GitLab patches critical vulnerabilities.

GitLab has issued security updates to address two critical vulnerabilities, including a severe flaw (CVE-2023-7028) with a CVSS score of 10.0. This vulnerability could enable account takeovers by sending password reset emails to an unverified email address, due to a bug in the email verification process. It affects self-managed instances of GitLab Community Edition (CE) and Enterprise Edition (EE).

The issue affects all authentication mechanisms. Users with two-factor authentication (2FA) are vulnerable to password reset but not full account takeover. Another critical vulnerability patched in the update allows abuse of Slack/Mattermost integrations to execute slash commands as another user. GitLab recommends upgrading to a patched version and enabling 2FA, especially for users with elevated privileges, to mitigate potential threats.

Bosch thermostats are vulnerable to hot firmware. 

A vulnerability in Bosch smart thermostats has been identified by Bitdefender. The issue is rated as 'High' severity, and allows attackers to send commands to the thermostat and replace its firmware. The flaw is in the unit’s Wi-Fi microcontroller, which acts as a network gateway for the thermostat’s logic microcontroller.

The vulnerability enables malicious commands to be sent to the thermostat, indistinguishable from legitimate cloud server commands. 

CSAM vendors’ crypto sophistication grows. 

Journalist Andy Greenberg writes in Wired that cryptocurrency tracing firm Chainalysis has reported an increase in sophistication among online child sexual abuse material (CSAM) vendors using cryptocurrencies. The Chainalysis annual crime report reveals that while total revenue and the number of new CSAM sellers accepting cryptocurrency have declined since 2021, the use of advanced privacy tools by these vendors has risen. Approximately 46% of CSAM sellers utilized cryptocurrency mixers in 2023, up from 22% in 2020, to obfuscate transaction trails.

CSAM vendors are also increasingly using instant exchanger services to trade bitcoin for privacy coins like Monero and Zcash, which make tracing more difficult. This shift to more sophisticated methods has resulted in CSAM vendors operating online for longer periods. On average, active CSAM vendors in 2023 remained online for 884 days, significantly longer than in previous years.

Chainalysis' study correlates the use of Monero-friendly instant exchangers with the increased survival rates of CSAM vendors. Despite these developments, the overall scale of CSAM transactions for cryptocurrency seems to be decreasing, potentially due to increased awareness of traceability in cryptocurrency. The report suggests that while more cautious CSAM sellers are emerging, advances in blockchain analysis could still pose a significant threat to their operations.

CISA released ICS advisories. 

CISA yesterday released nine Industrial Control Systems (ICS) advisories, covering equipment from Rapid Software, Horner Automation, Schneider Electric and Siemens. As usual, update ‘em if ya got ‘em. 

Coming up next on our Solution Spotlight, we have N2K’s Simone Petrella talking about a possible hurdle with Kim Jones, Director of Intuit's CyberCRAFT team. They discuss the SEC's heightened focus on cybersecurity.

 

And finally, a message to our most recent reviewer on Apple Podcasts. Thank you for the excellent feedback, Lola. We love to hear from our fans and audience. To address your specific concerns… She walked up to me and she asked me to dance, I asked her her name and in a dark AI voice she said, “Robot.” R-o-b-o-t robot, ro ro ro ro robot…

If you have feedback about the show, and want a call-out on air just like Lola, you can always email us at cyber@n2k.com or submit a review in your favorite podcast app. And as always, thanks for being a part of our community.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

Don’t forget to check out the “Grumpy Old Geeks” podcast where I contribute to a regular segment on Jason and Brian’s show, every week. You can find “Grumpy Old Geeks” where all the fine podcasts are listed.

 

We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.

 

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.