The fight against exploiting Americans.
Biden prepares an executive order on foreign access to data. Britain’s NCSC warns of a significant ransomware increase, while Cisco Talos confirms a ransomware surge. BuyGoods.com leaks PII and KYC data. Fortra faces scrutiny over slow disclosure. AI fights financial fraud. Intel 471 highlights bulletproof hosting. NSO Group lobbies to revamp its image. Tussling in Missouri over election security. Integrating cyber education. Our guests are N2K President Simone Petrella and WiCyS Executive Director Lynn Dohm talking about a new partnership for a comprehensive Cyber Talent Study. And the moral panic of Furbies.
Today is January 24th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Biden prepares executive order on foreign access to data.
We begin today with news from Bloomberg that the Biden administration is preparing an executive order to limit foreign access to sensitive U.S. data. Under the order, the U.S. Attorney General and the Department of Homeland Security would formulate new restrictions aimed at preventing foreign adversaries from acquiring Americans' personal data, including genetic and location information. Much of this data is acquired legally today, through intermediaries such as data brokers and third-party vendors, or under commercial agreements.
The draft order highlights concerns about the legal avenues foreign entities use to obtain sensitive data. Observers note that the Biden administration has not taken a strong stance against the data broker industry, which trades in such data, and that the administration's primary concern appears to be the potential misuse of this data by political adversaries rather than the privacy implications for American citizens.
Some suggest that the pending measures may not be sufficient. Since data brokers often cannot guarantee that their data is restricted to U.S. citizens, the proposed restrictions might not effectively prevent the flow of sensitive data. Perhaps a more effective approach would be to limit the collection of data at the source, thereby reducing the amount of data available for trade.
Britain’s NCSC warns of a significant ransomware increase.
The National Cyber Security Centre (NCSC) of Britain has issued a high-confidence warning that ransomware attacks will significantly increase in both frequency and impact over the next two years, driven by advancements in artificial intelligence (AI). This assessment, combining classified intelligence, industry insights, and academic research, highlights how AI technologies are enhancing cyber threats. Currently, AI is being used for more effective reconnaissance and social engineering, with future potential in malware development and vulnerability research.
However, these sophisticated AI applications in cybercrime are expected to be accessible mainly to well-resourced threat actors, with full realization unlikely before 2025. The effectiveness of AI in cyber operations heavily depends on access to high-quality exploit data for training models. Presently, this advanced capability is considered within reach primarily for highly capable states with extensive malware repositories.
The report also indicates a positive feedback loop in cyber threats: as successful data exfiltrations occur, the quality of data available for AI training improves, leading to more efficient and precise cyber operations. In 2023, the UK experienced a notable surge in ransomware attacks, with 874 incidents in the first three quarters, surpassing the total for the entire previous year.
Cisco Talos confirms ransomware surge.
Speaking of ransomware, in its most recent quarterly incident response report, Cisco Talos says ransomware emerged as the primary threat, representing 28% of incidents handled by Cisco Talos Incident Response (Talos IR), up 17 percentage points from the previous quarter. Talos IR's report highlights its first observation of specific ransomware variants, namely Play, Cactus, BlackSuit, and NoEscape.
Other prevalent threats included insider attacks and sophisticated phishing campaigns, one involving malicious QR codes. Notably, the education and manufacturing sectors were the most targeted, together comprising nearly half of all incident responses. Educational institutions are particularly vulnerable due to limited cybersecurity resources, making them targets for ransomware and data theft, including the theft of sensitive personal information.
BuyGoods.com leaks PII and KYC data.
Cybersecurity researcher Jeremiah Fowler discovered a misconfigured cloud database belonging to BuyGoods.com, a global ecommerce platform based in Wilmington, Delaware, which inadvertently exposed a wealth of sensitive customer data. The database, around 198.3 gigabytes in size, was publicly accessible without any authentication. It contained over 260,000 records, including details about affiliate payouts, refund transactions, invoices, and accounting records.
More alarmingly, the database exposed highly sensitive Personally Identifiable Information (PII) and Know Your Customer (KYC) data of customers and affiliates. This included personal identification documents like licenses, passports, and unredacted credit card details.
Fowler reported this security lapse to BuyGoods.com, and while the company acknowledged and claimed to have secured the data, Fowler found that the server remained accessible for days following his report.
Fortra faces scrutiny over slow disclosure.
Fortra is facing scrutiny over the delay in publicly disclosing a critical vulnerability in its GoAnywhere MFT (managed file transfer) software. The flaw, scoring 9.8 on the CVSS scale, allows remote creation of a new admin user. This vulnerability became known 12 months after the Clop ransomware gang exploited a zero-day in GoAnywhere MFT, impacting over 130 organizations.
Although Fortra informed its customers privately last month and released a patch on December 7, 2023, it did not issue a public advisory until January 22, over six weeks later.
Researchers at Horizon3.ai have closely monitored this vulnerability, even releasing a technical analysis and a proof of concept. Fortra recommends that customers urgently update to the fixed version and take measures to secure their administrative portals.
AI fights financial fraud.
Generative AI is revolutionizing fraud detection in banking, as highlighted by a report from the McKinsey Global Institute. This technology's advanced analytics capabilities are key to identifying and mitigating fraudulent activities, a critical concern in the financial sector. Banks are increasingly leveraging AI to analyze patterns and predict potential fraud risks, thereby enhancing the security and reliability of financial transactions. This adoption is part of a broader trend in the banking industry, where AI is expected to significantly impact operational efficiency and customer service. The technology's ability to process vast amounts of data quickly and accurately is proving invaluable in safeguarding against financial crimes, marking a pivotal shift in how banks manage risk and protect customer assets.
Intel 471 highlights bulletproof hosting.
The rise of ransomware-as-a-service (RaaS) and bulletproof hosting (BPH) has significantly lowered the barrier to entry into cybercrime. BPH is a hosting service, often based in lenient jurisdictions, that ignores abuse complaints and takedown requests and so supports a range of illegal online activities, including malware distribution and phishing. Cyber threat intelligence firm Intel 471 notes that BPH providers use techniques such as fast-flux DNS, in which the IP addresses behind a malicious domain are rotated rapidly across a pool of servers, to frustrate law enforcement and make their infrastructure hard to pin down and take down.
Three notable BPH suppliers identified by Intel 471 are yalishanda, PQ Host, and ccweb. These providers support a range of cybercriminal activities, from ransomware attacks to data extortion. For example, yalishanda is linked to several high-profile cyber attacks and malware distributions, while PQ Host has hosted ransomware that impacted major companies like Colonial Pipeline.
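Fast-flux hosting leaves a recognizable trace in DNS resolution logs: one domain answering with many different IP addresses, spread across unrelated networks, with very short TTLs. The Python below is an added example, not Intel 471's tooling or anything from the briefing; the log format, the domains (all under .invalid), the RFC 5737 documentation addresses and the thresholds are constructed for illustration. It also shows the standard caveat: a CDN rotates low-TTL answers too, so the heuristic requires diversity of network prefixes rather than a bare IP count.

```python
"""Fast-flux heuristic over DNS resolution logs (added example, constructed data)."""
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample log: (epoch seconds, queried domain, answer IP, TTL seconds).
# Addresses come from the RFC 5737 documentation ranges; domains are under .invalid.
SAMPLE_LOG = [
    # Suspected fast-flux: a new IP on nearly every lookup, across networks, tiny TTL.
    (1700000000, "login-verify.invalid", "192.0.2.10", 60),
    (1700000060, "login-verify.invalid", "198.51.100.25", 60),
    (1700000120, "login-verify.invalid", "203.0.113.77", 60),
    (1700000180, "login-verify.invalid", "192.0.2.200", 60),
    (1700000240, "login-verify.invalid", "198.51.100.90", 60),
    (1700000300, "login-verify.invalid", "203.0.113.9", 60),
    # CDN-like: many IPs and a low TTL, but all inside one provider block.
    (1700000000, "static.shop.invalid", "203.0.113.1", 30),
    (1700000030, "static.shop.invalid", "203.0.113.2", 30),
    (1700000060, "static.shop.invalid", "203.0.113.3", 30),
    (1700000090, "static.shop.invalid", "203.0.113.4", 30),
    (1700000120, "static.shop.invalid", "203.0.113.5", 30),
    (1700000150, "static.shop.invalid", "203.0.113.6", 30),
    # Ordinary site: stable answers, long TTL.
    (1700000000, "www.example.invalid", "198.51.100.7", 3600),
    (1700003600, "www.example.invalid", "198.51.100.7", 3600),
    (1700007200, "www.example.invalid", "198.51.100.8", 3600),
]


def summarize(log):
    """Per domain: the set of answer IPs, the set of /24 prefixes, and the lowest TTL seen."""
    stats = defaultdict(lambda: {"ips": set(), "prefixes": set(), "min_ttl": None})
    for _ts, domain, ip, ttl in log:
        s = stats[domain]
        s["ips"].add(ip)
        # strict=False masks the host bits so "192.0.2.10/24" becomes "192.0.2.0/24".
        s["prefixes"].add(str(ip_network(f"{ip}/24", strict=False)))
        s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
    return dict(stats)


def find_fast_flux(log, min_ips=5, min_prefixes=3, max_ttl=300):
    """Flag domains that rotate through many IPs across several networks with short TTLs.

    The thresholds are assumed starting points and need tuning per environment.
    All three conditions must hold: the prefix-diversity test is what keeps a
    legitimate CDN (many low-TTL answers from one block) from being flagged.
    """
    flagged = {}
    for domain, s in summarize(log).items():
        reasons = []
        if len(s["ips"]) >= min_ips:
            reasons.append(f"{len(s['ips'])} distinct IPs")
        if len(s["prefixes"]) >= min_prefixes:
            reasons.append(f"{len(s['prefixes'])} distinct /24s")
        if s["min_ttl"] is not None and s["min_ttl"] <= max_ttl:
            reasons.append(f"TTL as low as {s['min_ttl']}s")
        if len(reasons) == 3:
            flagged[domain] = reasons
    return flagged


if __name__ == "__main__":
    for domain, why in find_fast_flux(SAMPLE_LOG).items():
        print(domain, "->", "; ".join(why))
```

Run against the constructed log, only login-verify.invalid is flagged; static.shop.invalid has just as many answers but they all sit in 203.0.113.0/24, and www.example.invalid barely changes. In practice you would feed this from passive DNS or resolver query logs and, where available, replace the /24 test with ASN diversity, which is the more telling signal.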
NSO Group lobbies to revamp its image.
An article in Wired explains notorious spyware vendor NSO Group’s efforts to revamp its image and address US regulations harming its business. NSO Group released a transparency report claiming they investigated 19 potential product misuses, leading to six customer account suspensions or terminations. It includes a section on journalists, acknowledging they are among the many targeted by NSO’s Pegasus spyware.
NSO Group's image rehabilitation includes a multimillion-dollar lobbying campaign in Washington, aiming to position its spyware as vital for global security. However, experts remain skeptical of the company's commitments to human rights and ethical standards. As Wired notes, the report repackages NSO Group's existing defenses rather than providing new transparency.
Following significant challenges, including its placement on the US Commerce Department's Entity List and financial struggles, NSO Group has been actively lobbying to have that designation reversed. Despite these efforts, changes in US policy towards NSO Group remain unlikely. The global spyware market, estimated at $12 billion, continues to thrive, with firms like NSO Group seeking to maintain their market presence despite increasing regulatory pressure.
Tussling in Missouri over election security.
A recent audit report from Missouri Auditor Scott Fitzpatrick accuses Missouri’s Secretary of State Jay Ashcroft of violating state law by refusing to share cybersecurity reviews of local election authorities. State law mandates biennial cybersecurity reviews for local election authorities, with reports submitted to the state auditor's office. Ashcroft's office contested the audit's findings, arguing that sharing the reviews could compromise confidential information. Additionally, the audit criticized Ashcroft's decision to withdraw Missouri from the Electronic Registration Information Center (ERIC), the multistate voter-roll data-sharing compact, without proper planning for an alternative, potentially affecting the maintenance of accurate voter records. Ashcroft's office views the audit as opinion-based and asserts that no law was violated, but the audit nonetheless rated the secretary's office as "fair," raising concerns amid Ashcroft's 2024 gubernatorial campaign. No legal action is currently sought against Ashcroft or his office.
Integrating cyber education.
In an age where 90% of children over 8 are online, the stark reality is that 72% regularly face cyber threats, yet only 40% of their parents are aware. The Global Cybersecurity Forum's report, "Why Children Are Unsafe in Cyberspace” highlights this gap and underscores the urgency of integrating cybersecurity education into children's daily lives.
The report envisions children learning cybersecurity through interactive play, where games become a gateway to understanding digital safety. Ethical education accompanies this learning, nurturing responsible, tech-savvy citizens. It’s essential for children to recognize the complexity of the cyber world, including the dual nature of hackers - from the malicious to the ethical 'White hats.'
Schools are crucial in this narrative, where cybersecurity education becomes as fundamental as any traditional subject. This knowledge extends to parents, ensuring a unified approach to digital safety at home. Teaching children about secure networks, the dangers of phishing, and the importance of strong passwords becomes a cornerstone of their digital interactions.
This isn't just about safeguarding children; it's about empowering them to navigate and thrive in a digital world responsibly.
Coming up next is my conversation with N2K President Simone Petrella and WiCyS Executive Director Lynn Dohm about a new partnership for a comprehensive Cyber Talent Study.
The moral panic of Furbies.
And finally, a story from 404 Media reminds us that in 1998-99, the NSA faced a peculiar situation involving Furbies, the cute little interactive robotic toys. The agency banned the Furby from its offices, fearing it could be a potential spy device because of its advertised ability to "learn" from its surroundings using an "artificial intelligent chip onboard." This decision, however, led to unwanted media attention and internal debates among employees about the toy's actual capabilities.
The situation came to light when an NSA employee leaked the ban to The Washington Post, sparking a discussion about the Furby's technological potential and security implications. The NSA's internal communication, revealed through a recent Freedom of Information Act request, shows employees questioning whether the Furby could record and store conversations. Despite some believing that Furby's capabilities were overestimated due to its nature as a simple toy, the discussions reflected genuine concern and confusion within the agency.
The released documents, now available on the Internet Archive, include listserv threads, internal memos, and responses to media coverage, offering a glimpse into the NSA's handling of what was dubbed "Furbygate." This episode not only highlighted the spy agency's cautious approach to potential security threats but also revealed the internal dynamics and reactions to public scrutiny over their decisions.
I remember the Furby fad, and I suppose one thing they shared with an actual leaker is that once you got them talking, it was nearly impossible to get them to shut up.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.
N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.