The CyberWire Daily Podcast 1.29.24
Ep 1992 | 1.29.24

Seeking dismissal of SEC allegations.

Transcript

SolarWinds seeks dismissal of SEC allegations. Urgent calls to implement fixes for Jenkins open-source software automation tools. A New Jersey township closes schools and offices after a cyberattack. The Centre for Cybersecurity Belgium warns of a critical vulnerability in GitLab. The FBI arrests a notorious swatter. HHS releases cybersecurity performance goals. The feds remind organizations to preserve online messaging. Mercedes-Benz exposes data after an authentication token was left unsecured. A dark web drug dealer pleads guilty. Our guest is Caleb Barlow from Cyberbit, discussing hacker celebrities and why yours truly did not make the list. And threats of airport terrorism on public WiFi are no joking matter.

Today is January 29th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

SolarWinds seeks dismissal of SEC allegations.

SolarWinds Corp. has strongly denied any wrongdoing in handling a major cyberattack and is seeking to dismiss allegations by the U.S. Securities and Exchange Commission (SEC) that it defrauded investors and violated controls. In a court filing, SolarWinds argued it had adequately disclosed cybersecurity risks prior to the Russian state hack of its Orion platform and had properly informed investors about the breach's potential impact. This response challenges the SEC's unprecedented enforcement action, which alleges securities fraud and control violations.

The company, along with its Chief Information Security Officer Tim Brown, contends that the SEC is overreaching by demanding more detailed disclosures about cybersecurity programs, which they argue would be impractical and dangerous. SolarWinds asserts it provided sufficient warning to investors about the possibility of a nation-state cyberattack before the SUNBURST attack occurred.

The SEC's complaint criticized SolarWinds for vague risk disclosures and failure to reveal specific cybersecurity weaknesses. SolarWinds maintains that these were granular concerns not required to be disclosed to investors. The company also disputes the SEC's claim of failing to disclose the initial impact of the Orion vulnerability, arguing it was entitled to conduct a thorough investigation before drawing conclusions.

Furthermore, SolarWinds argues the SEC wrongly conflated financial accounting controls with cybersecurity controls. The company states that if Congress had intended the SEC to oversee public companies' cybersecurity, it would have said so explicitly in legislation.

Tim Brown, facing charges for his role in the alleged violations, argues that the statements he signed were not intended for investors and that he did not knowingly violate disclosure or internal accounting controls. The motion to dismiss describes his inclusion in the lawsuit as unwarranted and inexplicable. The case awaits a decision from Judge Paul A. Engelmayer.

Urgent calls to implement fixes for Jenkins open-source software automation tools.

Two significant security vulnerabilities in Jenkins, a widely used open-source software automation tool, have prompted urgent calls for organizations to implement fixes. Discovered by SonarSource, a code quality and security firm, these flaws could enable unauthenticated attackers to execute remote code and compromise the software.

The first vulnerability allows certain unauthenticated attackers to read parts of a file, while the second permits even those with "read-only" permissions to access entire files. More alarmingly, some attackers could potentially read binary files containing cryptographic keys integral to Jenkins' features, paving the way for a range of remote code execution (RCE) attacks.

SonarSource reported these vulnerabilities to the Jenkins maintainers in November 2023 and collaborated with them to confirm the effectiveness of the subsequent fix. The Jenkins team released an advisory last week detailing these security issues.

A New Jersey township closes schools and offices after a cyberattack.

The Freehold Township School District in New Jersey announced the closure of all its schools and offices on Monday due to a cybersecurity incident. The district informed families and staff about the situation through emails and voicemails, citing technical issues stemming from the incident. School officials are collaborating with external IT experts to address and resolve the issue. The specific cause of the incident was not immediately identified.

The Centre for Cybersecurity Belgium warns of a critical vulnerability in GitLab.

The Centre for Cybersecurity Belgium warns that a critical vulnerability has been discovered in GitLab CE/EE, posing a significant security risk. This arbitrary file write vulnerability allows an authenticated user to write files to arbitrary locations on the GitLab server during workspace creation. Attackers could exploit this flaw to upload webshells or other malware, potentially compromising the GitLab server. Such a breach could lead to the exfiltration of sensitive data and further network infiltration, endangering the entire organization.

To address this vulnerability, the Centre for Cybersecurity Belgium (CCB) strongly advises immediate action: updating vulnerable instances to the fixed versions, temporarily disabling user sign-up to reduce the potential attack surface, and placing all GitLab instances behind a zero-trust network or VPN as a defense-in-depth measure.
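The page describes the GitLab flaw only as letting an authenticated user write files to arbitrary locations on the server during workspace creation; it does not give the mechanism. What follows is an added example, not GitLab's code, showing the generic defence for that bug class: resolve the requested path against the workspace root and refuse the write unless the root is an ancestor of the result. The `devfile.yaml` and other request strings, the `write_workspace_file` helper and the `demo` routine are constructed for illustration.

```python
"""Confine file writes to a per-workspace directory (added example, not GitLab code)."""
import os
import tempfile
from pathlib import Path


class UnsafePathError(ValueError):
    """Raised when a requested path would land outside the workspace root."""


def resolve_inside(root: Path, relative: str) -> Path:
    """Return the absolute target for `relative`, or raise if it escapes `root`.

    Absolute paths, '..' traversal and symlink escapes are all caught by
    resolving both sides and checking that root is a strict ancestor of
    the candidate. Writing to the root directory itself is also refused.
    """
    root = root.resolve()
    candidate = (root / relative).resolve()  # '..' segments and symlinks collapse here
    if os.path.isabs(relative) or candidate == root or root not in candidate.parents:
        raise UnsafePathError(f"{relative!r} resolves outside {root}")
    return candidate


def write_workspace_file(root: Path, relative: str, data: bytes) -> Path:
    """Write `data` at `relative` under `root`, only after the confinement check."""
    target = resolve_inside(root, relative)
    target.parent.mkdir(parents=True, exist_ok=True)  # parent is confined, so safe
    target.write_bytes(data)
    return target


def demo() -> dict:
    """Exercise the check against constructed workspace-creation requests.

    Returns a mapping of request -> 'written' or 'rejected'.
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "workspace"
        root.mkdir()
        # A symlink inside the workspace pointing at its parent: a classic
        # way to turn an "inside" path into an outside write.
        (root / "escape").symlink_to(Path(tmp))
        requests = [
            "devfile.yaml",          # constructed benign request
            "src/main.py",           # nested benign request
            "../../outside.txt",     # traversal out of the workspace
            "/absolute/path.txt",    # absolute path
            ".",                     # the root itself
            "escape/file.txt",       # symlink escape
        ]
        for req in requests:
            try:
                write_workspace_file(root, req, b"# constructed content\n")
                results[req] = "written"
            except UnsafePathError:
                results[req] = "rejected"
    return results


if __name__ == "__main__":
    for req, outcome in demo().items():
        print(f"{outcome:8s} {req}")
```

The check deliberately resolves the root as well as the candidate, so a root that is itself reached through a symlink (common for temp directories) still compares correctly; an `str.startswith` prefix test on the unresolved strings would miss both the `..` and the symlink cases.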

The FBI arrests a notorious swatter. 

The FBI has reportedly arrested a 17-year-old from California, believed to be the prolific swatter known as Torswats. The teenager faces extradition to Seminole County, Florida, where he is charged with four felonies related to high-profile swatting incidents, including attacks on a mosque and a courthouse. He will be prosecuted as an adult under Florida law. Swatting, which involves making fake emergency calls to provoke a heavy police response, has surged nationwide. Torswats is accused of making numerous false reports, causing significant disruptions and financial losses.

Private investigator Brad Dennis, who assisted the FBI in the case, played a key role in identifying Torswats by capturing the suspect's IP address. The investigation revealed Torswats' methods, which included using commercial VPNs and Google Voice for swatting schools and public facilities. U.S. Senator Rick Scott has proposed legislation to increase penalties for swatting, reflecting the growing seriousness with which these crimes are viewed. It is unclear whether the Torswats online persona was run by a single person, and there are indications that multiple people may have been involved. 

HHS releases cybersecurity performance goals. 

The U.S. Department of Health and Human Services (HHS) has released voluntary Cybersecurity Performance Goals (CPGs) for the healthcare sector, aiming to enhance cybersecurity measures. These CPGs, structured for healthcare organizations, focus on strengthening cyber preparedness, enhancing resiliency, and protecting patient information. Developed from CISA's CPGs and informed by common cybersecurity frameworks, they address attack vectors identified in the 2023 Hospital Cyber Resiliency Landscape Analysis.

The CPGs feature 'Essential Goals' to mitigate vulnerabilities and improve response to cyberattacks, and 'Enhanced Goals' to further advance cybersecurity capabilities. They emphasize email security, multi-factor authentication, cybersecurity training, strong encryption, and prompt revocation of credentials for departing workforce members. Incident planning, unique credentials, vendor cybersecurity, and network segmentation are also highlighted.

The feds remind organizations to preserve online messaging. 

Federal antitrust enforcers have issued a warning that companies under investigation must preserve and submit instant messaging records, including those from platforms like Slack, WhatsApp, and Signal. The Justice Department and Federal Trade Commission are modifying their communication to companies to clarify this requirement. Failure to comply could result in fines or criminal charges for document destruction. This announcement follows concerns about the deletion of chats in recent antitrust cases. The Justice Department is seeking sanctions against Google for not preserving internal communications, while the FTC has alleged that Amazon employees, including Jeff Bezos, used Signal to conceal communications during an antitrust investigation. Amazon denies these claims, stating it has collected and allowed inspection of Signal conversations by the FTC.

Mercedes-Benz exposes data after an authentication token was left unsecured. 

Mercedes-Benz inadvertently exposed its internal data, including source code, due to an employee's authentication token being left in a public GitHub repository. Shubham Mittal of RedHunt Labs, who discovered this breach during a routine internet scan, reported that the token provided unrestricted access to Mercedes’s GitHub Enterprise Server. This lapse allowed anyone to download the company's private source code repositories, containing intellectual property, cloud access keys, design documents, passwords, and other critical information.

Evidence showed that the repositories included Microsoft Azure and Amazon Web Services keys, a Postgres database, and Mercedes source code. It's unclear if any customer data was compromised. TechCrunch, after being alerted by Mittal, informed Mercedes of the security issue. The company confirmed the accidental publication of internal source code due to human error and took immediate action to revoke the API token and remove the public repository.
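A token in a public repository is exactly the kind of thing a pre-commit or CI secret scan catches before it ships. The scanner below is an added example, not code from Mercedes-Benz, RedHunt Labs or TechCrunch. It matches two publicly documented credential shapes (classic GitHub personal access tokens begin with `ghp_`, AWS access key IDs begin with `AKIA`) and falls back to a Shannon-entropy check on values assigned to secret-looking keys; the `SAMPLE_DIFF` input is constructed, and none of its values are real credentials.

```python
"""Flag credentials in text (a file or diff) before it reaches a public repo.

Added example, not the page's or any vendor's code. Coverage is deliberately
narrow: two well-known token formats plus a generic high-entropy fallback.
"""
import math
import re

# Publicly documented credential shapes (assumption: only these two are covered).
PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Generic fallback: a long value assigned to a key whose name suggests a secret.
ASSIGNMENT = re.compile(
    r"(?i)\b(?P<key>[A-Z_]*(?:secret|token|password|api_key)[A-Z_]*)"
    r"\s*[=:]\s*['\"]?(?P<val>[A-Za-z0-9+/=_\-]{20,})"
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random tokens score well above prose."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep only the ends so a finding can be reported without re-leaking it."""
    return value[:4] + "..." + value[-4:] if len(value) > 8 else "***"


def scan_text(text: str, entropy_threshold: float = 3.5) -> list:
    """Return (line_no, kind, redacted_value) for every suspected credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append((line_no, kind, redact(m.group(0))))
        for m in ASSIGNMENT.finditer(line):
            val = m.group("val")
            already_known = any(p.search(val) for p in PATTERNS.values())
            if not already_known and shannon_entropy(val) >= entropy_threshold:
                kind = "high_entropy_" + m.group("key").lower()
                findings.append((line_no, kind, redact(val)))
    return findings


# Constructed sample diff; every value here is fake or a published doc example.
SAMPLE_DIFF = """\
+# constructed sample lines; none of these are real credentials
+DB_HOST=db.internal.example
+GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij
+AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000001
+AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+LOG_LEVEL=debug
+password=password
"""


def check_diff(text: str) -> int:
    """Exit-code style result for a commit hook: 0 when clean, 1 when secrets found."""
    findings = scan_text(text)
    for line_no, kind, shown in findings:
        print(f"line {line_no}: {kind}: {shown}")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(check_diff(SAMPLE_DIFF))
```

The entropy fallback is what catches secrets with no recognisable prefix; the length floor of 20 characters and the key-name requirement keep it from flagging ordinary configuration, as the `password=password` line shows. Findings are redacted on output so the scan log itself does not become a second copy of the leak.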

A dark web drug dealer pleads guilty.

Banmeet Singh, a 40-year-old dark web drug vendor from India, pleaded guilty to trafficking controlled substances like fentanyl, LSD, and ecstasy. His arrest led to the largest single seizure by the US Drug Enforcement Administration (DEA), amounting to $150m. Operating since at least mid-2012, Singh managed distribution centers across the US and shipped drugs internationally. He laundered millions in cryptocurrency and was designated a priority target by the US attorney general in 2018. Arrested in April 2019, Singh faced extradition delays until 2023. He has now pleaded guilty to conspiracy charges related to drug trafficking and money laundering and will serve an additional eight years in prison. 

Coming up we’ve got our podcast partner Caleb Barlow, CEO of Cyberbit, sharing some insights into hacker celebrities and why I did not make the list. Hey, why didn’t I make that list?

No jokes on public WiFi.

And finally, we’ve all seen the signs while waiting our turn at airport security that say something along the lines of, “No jokes! All security threats are taken seriously!” 

Here’s a reminder that even a private joke might not be so private, and could land you in hot water. 

18-year-old Aditya Verma was making his way through the UK’s Gatwick Airport, preparing to board his flight to Spain. He jokingly messaged a friend on Snapchat about being a Taliban member and planning to blow up his plane to Spain. However, he was using the airport’s public WiFi, and his message was intercepted by British security, leading to his arrest upon landing in Spain and two days in jail. Just in case, Spanish authorities scrambled F-18 jets to escort the plane. After his release, Verma faced interrogation by British intelligence agencies but was not deemed a national security threat. However, he's charged with causing public disorder in Spain and now faces a potential fine of up to $120,000, partially to cover the cost of scrambling the fighter jets. His lawyer defended the private nature of the joke. 

It’s never a good idea to make jokes about terrorism, and evidently even more so when using public WiFi.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.