New malware, new threats.
Microsoft warns of an Iranian cyberespionage group. The Cyber Safety Review Board receives critical reviews of its own. VMware warns of active product exploitation. Tax info gets leaked in accounting firm breach. Kansas State University reports a cyber incident. CISA adds Citrix NetScaler vulnerabilities to its Known Exploited Vulnerabilities catalog. Councils in the UK suffer online disruptions. Cyber insurance can be a double-edged sword. More email security breaches lead to firings. In our Solution Spotlight, N2K President Simone Petrella speaks with Michelle Amante of the Partnership for Public Service with an update on the Cybersecurity Talent Initiative. And it’s shields up for Generation Z.
Today is January 19th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Microsoft warns of an Iranian cyberespionage group.
Microsoft has identified a subgroup of the Iranian-backed APT35 cyberespionage group, also known as Charming Kitten and Phosphorus, as responsible for spearphishing attacks against high-profile employees at research organizations and universities in Europe and the US, Bleeping Computer reports. This subgroup, associated with the Islamic Revolutionary Guard Corps (IRGC), uses sophisticated phishing emails via compromised accounts to deploy new backdoor malware called MediaPl, designed to mimic Windows Media Player for stealth. The MediaPl malware features encrypted communication with its command-and-control server, and is capable of auto-termination, communication retries, and executing commands.
Additionally, a second PowerShell-based backdoor malware, MischiefTut, is used for reconnaissance, executing commands, and transmitting data to attacker-controlled servers. The primary goal of these attacks is to steal sensitive data from high-value targets with knowledge in Middle Eastern affairs, security, and policy issues that align with Iranian interests. The campaign appears to seek insights on the Israel-Hamas war.
Previously, APT35 has targeted sectors including government, healthcare, finance, engineering, technology, and telecommunications, using Sponsor and NokNok malware. Another Iranian group, APT33, has also been active, targeting defense organizations and contractors with password spray attacks and FalseFont malware.
The Cyber Safety Review Board receives critical reviews of its own.
The Cyber Safety Review Board (CSRB) was created via executive order in 2021 to investigate major cybersecurity incidents. According to a panel of experts addressing Congress, the CSRB lacks sufficient authority and independence. The CSRB, modeled after the National Transportation Safety Board (NTSB), faces criticism for its dependency on corporate participation and limited investigatory powers. Experts, including cybersecurity CEO Tarah Wheeler, highlighted the board's composition of federal and tech company representatives, raising concerns about conflicts of interest and insufficient time for thorough, independent investigations.
The CSRB's use of members from companies like Google and Palo Alto Networks poses challenges, especially when investigating their own technologies or competitors. Wheeler stressed the need for the board to have full-time staff and subpoena power, similar to the NTSB, to effectively investigate cyber attacks without industry or political influences. The board's current investigations, including those into the Log4J vulnerability and Lapsus$ cybercriminal group, have resulted in basic resolutions rather than detailed analyses.
The CSRB has not yet investigated the significant Sunburst supply chain attack, with the Biden administration requesting subpoena powers for the board. However, experts argue that transparency improvements are necessary before granting such powers. The Senate Homeland Security Committee is considering legislation to legally codify the CSRB, but its chair, Sen. Gary Peters, is still evaluating the proposed changes.
VMware warns of active product exploitation.
VMware is warning customers that a vCenter Server vulnerability is being actively exploited in the wild. It can allow an attacker who has network access to vCenter Server to remotely execute arbitrary code.
The issue, discovered by Grigory Dorodnov of Trend Micro’s Zero Day Initiative, was deemed so critical that VMware decided to release patches in October even for versions of the product that have reached an end-of-life (EoL) status. According to data from the Shadowserver Foundation, there are currently hundreds of potentially vulnerable internet-exposed instances of VMware vCenter Server.
Tax info gets leaked in accounting firm breach.
A cyberattack on the accounting services company ELO left 15,000 clients with their sensitive financial details, including tax documents, exposed. The American company disclosed the breach on January 18th, which is believed to have occurred last March. Several incidents of financial fraud, including fraudulent tax returns, have already been reported using the stolen data. ELO is conducting an investigation into the incident and has committed to notifying affected individuals of any misuse of their personal information. The company is also offering free credit monitoring services to the victims and emphasizes its dedication to safeguarding personal information.
Kansas State University reports a cyber incident.
Kansas State University (K-State) experienced a cybersecurity incident on January 16, 2023, affecting a portion of its network and services. The university responded by taking affected systems offline and launching an investigation.
K-State has advised its staff and students to report any suspicious activities. While email services were expected to resume in a temporary format on January 18, the KSU Wireless remained unavailable.
CISA adds Citrix NetScaler vulnerabilities to its Known Exploited Vulnerabilities catalog.
The Cybersecurity and Infrastructure Security Agency (CISA) has added two Citrix NetScaler vulnerabilities to its Known Exploited Vulnerabilities catalog, setting a remediation deadline for Federal Civilian Executive Branch (FCEB) agencies. These agencies typically have 15 days to fix internet-facing vulnerabilities and 25 days for others. However, for these specific Citrix NetScaler issues, the deadline is January 24.
The vulnerabilities affect customer-managed NetScaler ADC and NetScaler Gateway, not Citrix-managed cloud services or Citrix-managed Adaptive Authentication.
The first is a code injection vulnerability with a CVSS score of 5.5, allowing low-privileged, authenticated remote code execution on the management interface. It's advised to segregate network traffic to this interface and avoid exposing it to the internet.
The second is a memory buffer operations vulnerability with a CVSS score of 8.2, leading to unauthenticated denial of service. This issue affects appliances configured as gateways or AAA virtual servers.
Councils in the UK suffer online disruptions.
In the UK, three councils in Kent, Canterbury City Council, Dover District Council, and Thanet District Council, have experienced disruptions to their online services due to cyber attacks. All three councils are actively working with the National Cyber Security Centre (NCSC) to address these incidents, which are classified as breaches of system security policies under the Computer Misuse Act. The councils' email systems and websites have remained largely operational, although some website functionalities may be affected.
Cyber insurance can be a double-edged sword.
As businesses grapple with the escalating threat of ransomware, many rely on cyber insurance to mitigate financial risks. A report from SOCradar describes how the surge in ransomware attacks has prompted insurers to recalibrate, raising premiums and tightening coverage conditions. They now demand concrete evidence of cybersecurity measures, like multifactor authentication, as a prerequisite for policy approval. This shift emphasizes preventive cyber hygiene practices, aiming to lessen the frequency of cyber incidents. Still, the situation poses ethical dilemmas, particularly if insurance payouts for ransoms inadvertently fuel the ransomware industry. The dynamic between relying on insurance and investing in robust cybersecurity measures is complex and highlights the broader role of insurance in cybercrime prevention. The relationship between cyber insurance and ransomware, therefore, remains intricate and continuously evolving, requiring businesses to strike a balance between strong cyber defenses and suitable insurance coverage.
More email security breaches lead to firings.
A report from security firm Egress reveals that nearly half of the employees responsible for email security breaches over the past year have been fired, reflecting a tougher stance by organizations amid rising cyber attacks. 94% of global organizations experienced a serious email security incident in the last 12 months, with a 10% increase in phishing attacks. Human error is a significant factor in these breaches, and over 50% of employees involved in phishing incidents faced disciplinary actions, with 40% being fired and about 25% leaving voluntarily. Additionally, two-thirds of those involved in outbound email incidents were disciplined, terminated, or left their roles. These strict measures reflect the substantial financial losses, customer churn, and reputational damage these sorts of breaches can cause. Additionally, security leaders are increasingly worried about the use of AI tools by cybercriminals, anticipating more sophisticated attacks in the future.
Next on our Solution Spotlight, N2K’s President Simone Petrella is joined by Michelle Amante of the Partnership for Public Service for an update on the Cybersecurity Talent Initiative.
Gen Z needs to keep their shields up.
And finally, from our “every generation blames the one before” desk, cybersecurity experts caution that Gen Z, despite being more digitally savvy, is more vulnerable to cyberattacks compared to older generations like boomers. This increased risk is attributed to Gen Z's higher online presence, extensive app usage, and sharing of personal information. Jane Arnett from Check Point reveals that Gen Z individuals are three times more likely to be targeted and breached. Their frequent online activities and tendency to overshare make them easier targets for cybercriminals.
The World Economic Forum predicts Gen Z will comprise 26% of the global workforce by 2025. Arnett urges young people to adopt better cybersecurity practices to protect themselves and critical services like hospitals, which can be severely impacted by ransomware attacks stemming from compromised personal credentials.
As a Gen Xer I’m going to stay out of the middle of this. We tend to approach cybersecurity like we do our music. Classic, slightly outdated, but somehow it still works.
And that’s the CyberWire.
Today is the eighth anniversary of the CyberWire podcast! It is hard to believe it’s been that long, and that our scrappy little team took this crazy idea of a daily cybersecurity news brief and made it into something that so many people all over the world have come to trust and rely on. A heartfelt thanks to all of you for your support over the years. We are excited for what’s yet to come.
We’d love to know what you think of this podcast. You can email us at email@example.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.
N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.