The CyberWire Daily Podcast 2.7.24
Ep 1999 | 2.7.24

Taking a bite out of Apple.

Transcript

A security researcher has been charged in an alleged multi-million dollar theft scheme targeting Apple. A House committee hearing explores OT security. Fortinet withdraws accidental CVEs. 2023 saw record highs in ransomware payments. A YouTuber finds a cheap and easy bypass for BitLocker encryption. Political pressure proves challenging for the JCDC. New Hampshire tracks down those fake Biden robocalls. European security agencies bolster warnings about Ivanti devices. HHS fines a New York medical center millions over an identity theft ring. On our sponsored Industry Voices segment, Navneet Singh, Vice President of Marketing Network Security at Palo Alto Networks, shares some practical examples of healthcare organizations transitioning to the cloud. Giving that toothbrush story the brushoff.

Today is February 7th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

A security researcher has been charged in a multi-million dollar theft scheme targeting Apple.

404 Media reports that security researcher Noah Roskin-Frazee and an alleged co-conspirator, Keith Latteri, have been charged in a sophisticated hacking scheme that targeted Apple, resulting in the fraudulent acquisition of $2.5 million worth of gift cards and electronics. The charges, detailed in court records that were recently made public, accuse the duo of exploiting a system connected to Apple’s backend to place over two dozen fraudulent orders, attempting to obtain more than $3 million in products and services from the tech giant.

Despite Roskin-Frazee's arrest and the serious allegations against him, Apple had acknowledged his contributions to identifying security vulnerabilities in a security update released on January 22, nearly two weeks after his arrest. This recognition highlights the complex relationship between Roskin-Frazee’s legitimate security research and the criminal activities he is now accused of.

The indictment describes a meticulously planned operation that began in December 2018 and continued until at least March 2019. The defendants allegedly gained initial access through a password reset tool, compromising an employee account of a company which provided customer experience solutions to Apple. This breach allowed them to further access employee credentials and subsequently, Apple’s systems.

With this unauthorized access, Roskin-Frazee and Latteri are said to have manipulated Apple’s "Toolbox" program, which is used to manage product orders. They allegedly altered the monetary values of orders to zero, added expensive products to existing orders without cost, and extended service contracts fraudulently. The indictment also details the use of malicious scripts to maintain access to compromised systems and the deployment of accounts with shipping services under false names to receive the fraudulently obtained goods.

Many of the acquired items, including electronic gift cards and high-value electronics like laptops, were reportedly resold to third parties, converting the stolen digital assets into cash. The court documents suggest a deep familiarity with Apple's internal systems and processes, leveraging this knowledge to conduct the fraud at a grand scale.

This case not only underscores the challenges in securing corporate backend systems but also the thin line between legitimate security research and criminal activity. 

A House committee hearing explores OT security.

The U.S. House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection held a hearing yesterday to discuss the threats to operational technology (OT) in critical infrastructure sectors and evaluate the Cybersecurity and Infrastructure Security Agency’s (CISA) role in enhancing OT security. Chairman Andrew Garbarino emphasized the national imperative of securing OT systems vital for functions like water and electricity delivery. He highlighted the need for Congress to strengthen CISA’s support for infrastructure security, especially in light of recent cyber activities against OT devices by Iranian-affiliated actors.

Experts testified on the unique challenges of OT security compared to IT security, noting that OT requires specific cybersecurity controls. 

Dragos CEO Robert M. Lee offered this testimony - 

The water sector was identified as particularly vulnerable, with a need for dedicated funding to upgrade technology and enhance cybersecurity. Testimonies emphasized the importance of collaboration, the implementation of best practices, and the establishment of cybersecurity standards for critical infrastructure to mitigate risks and protect public health and safety.

For more of Robert M. Lee’s testimony and additional insights on OT security, be sure to check out the most recent Control Loop podcast, right here on the CyberWire network. 

Fortinet withdraws accidental CVEs.

The National Vulnerability Database (NVD) erroneously published advisories for two critical command injection vulnerabilities in Fortinet's FortiSIEM, which were actually duplicates of a previously disclosed vulnerability. Fortinet confirmed that these were mistakenly generated due to an API issue and clarified there are no new vulnerabilities in FortiSIEM for 2024. The company is working to correct and withdraw the incorrect CVE entries. The original vulnerability, disclosed last year, allowed unauthenticated remote attackers to execute commands via crafted API requests but has since been patched. Fortinet advises those who have addressed the original vulnerability need not take further action but should review the latest advisory for confirmation.

2023 saw record highs in ransomware payments. 

A new study from Chainalysis reveals that in 2023, victims paid over $1 billion to ransomware attackers, marking a record high in payments and highlighting the lucrative nature of cyber extortion. Despite international efforts to combat these crimes, including sanctions and law enforcement actions, ransomware groups, many of which are Russian-speaking, continue to operate with relative impunity. The high payments, often exceeding a million dollars, reflect both the sophistication of some attackers and the sheer volume of attempts by others. Efforts to counteract ransomware have seen some progress, yet the problem escalates, with costly consequences for victims like MGM Resorts, which faced around $100 million in losses due to a refusal to pay a ransom.

A YouTuber finds a cheap and easy bypass for BitLocker encryption.

YouTuber stacksmashing exposed a significant security vulnerability in Windows BitLocker encryption, demonstrating how to bypass the popular encryption tool in under a minute using a sub-$10 Raspberry Pi Pico. This exploit targeted a flaw in systems using an external Trusted Platform Module (TPM) for storing encryption keys. By intercepting unencrypted communications between the CPU and the TPM during boot-up, the YouTuber successfully extracted the master key from a laptop's LPC bus, which is accessible through an unpopulated connector on the motherboard. This attack, however, is specific to configurations with external TPMs; devices with CPUs that have an integrated TPM, such as modern Intel and AMD processors, are not affected by this vulnerability due to internal TPM communications being encrypted within the CPU itself.

Political pressure proves challenging for the JCDC.

Politico reports that several of the nation's leading cybersecurity experts are stepping back from the Joint Cyber Defense Collaborative (JCDC), a prominent government initiative led by the Cybersecurity and Infrastructure Security Agency (CISA). The JCDC was established in 2021 with the goal of enhancing the United States' defense against cybercriminals and state-sponsored hackers, catalyzed by a series of significant security breaches. It functions as a threat-sharing platform, enabling swift communication of potential cybersecurity threats between the government and key economic defenders, including tech corporations like Microsoft, Amazon, and Google, as well as infrastructure operators and foreign governments.

Despite the critical importance of this collaboration, Politico reports that dissatisfaction with the JCDC's management and apprehension due to political pressures have led to a notable decrease in participation from external cybersecurity professionals. Contributors, including those from billion-dollar security firms and nonprofit defense groups, have either ceased their involvement or significantly reduced their contributions. This diminishing engagement is partly attributed to the broader political climate, particularly backlash from conservatives against CISA over its actions to counter disinformation around the 2020 election, despite JCDC's non-involvement in content moderation.

The controversy surrounding CISA has inadvertently implicated JCDC partners, creating a chilling effect within the cybersecurity community. Fears of becoming targets in a perceived political "witch hunt" have contributed to the reluctance among cybersecurity experts to engage with government-led initiatives. This development is concerning for U.S. digital defense efforts, especially given recent warnings from Washington's top cybersecurity officials about aggressive Chinese hacking activities aimed at American infrastructure. The collaboration between the private sector and the government, as facilitated by the JCDC, is deemed essential for addressing such threats.

CISA has acknowledged the importance of maintaining strong external partnerships for effective threat detection and is actively seeking ways to ensure that contributors can participate without compromising their safety. The JCDC was conceived as a means to leverage the private sector's technical prowess alongside the government's legal and intelligence capabilities to strengthen the nation's cybersecurity posture. The current challenges highlight the delicate balance between political influences and the imperative need for robust, apolitical cybersecurity defenses.

Our “this is why we can’t have nice things” desk will be following this story. 

New Hampshire tracks down those fake Biden robocalls. 

New Hampshire's Attorney General John Formella announced a criminal investigation into a Texas telecom company, Life Corp., suspected of distributing AI-generated robocalls impersonating President Joe Biden, advising Democrats not to vote in the presidential primary. This effort, traced with the help of the Federal Communications Commission and a private industry group, aimed to mislead voters ahead of the January primary, potentially affecting 5,000 to 25,000 people. The calls, which could violate election laws and federal telecom statutes, were part of a campaign to undermine the electoral process, with the state seeking to deter similar future attempts. Life Corp., linked to Walter Monk, and Lingo Telecom were identified in connection with the robocalls, which have drawn bipartisan law enforcement attention to safeguard election integrity.

European security agencies bolster warnings about Ivanti devices. 

European cybersecurity agencies issued a joint statement addressing vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure Gateway products, following a CISA emergency directive. These commercial VPN solutions have been found susceptible to attacks allowing unauthorized command execution. Four vulnerabilities have been disclosed, with broad exploitation observed. The agencies recommend continuous monitoring, the use of Ivanti's external Integrity Checker Tool, and adherence to guidance from CSIRTs Network members and CERT-EU. The upcoming EU Cyber Resilience Act will mandate security-by-design principles for these kinds of products.

HHS fines a New York medical center millions over an identity theft ring. 

The U.S. Department of Health and Human Services' Office for Civil Rights fined Montefiore Medical Center in New York City $4.75 million to settle potential HIPAA violations linked to a 2013 incident where an employee sold patient data to an identity theft ring. This fine accompanies a corrective action plan addressing data security failures that allowed the theft and sale of thousands of patients' protected health information. The investigation revealed Montefiore's failure to adequately assess risks, monitor health information systems, and implement necessary policies for examining system activity. The settlement includes a comprehensive review and update of Montefiore's privacy and security procedures, enhanced training for staff, and improved monitoring and technical safeguards. Montefiore has taken steps to bolster system security and reinforce patient information protection since the incident.

Next up on our Industry Voices segment, Navneet Singh from Palo Alto Networks discusses the transition to the cloud.

 

Giving that toothbrush story the brushoff.

And finally, we got an urgent memo from our corrections desk that yesterday’s extremely fun story about a botnet made up of over three million IoT toothbrushes is almost certainly not true.

Originating from comments made by a Fortinet engineer to a Swiss publication, the story's credibility has been questioned by industry veterans like Kevin Beaumont and Robert Graham. Further investigation into the original Swiss article revealed no specifics about the toothbrushes, victim, perpetrator, or motive, suggesting the story might be an exaggerated cautionary tale about IoT device security. While smart toothbrushes typically use Bluetooth Low Energy and not all connect via WiFi, the feasibility of such a large-scale hack remains doubtful without concrete evidence. 

My personal claims of superhuman resistance to tooth decay are unaffected by these revelations, and remain as true as ever. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

 

We’d love to know what you think of this podcast. Write your comments on the box of an Apple Vision Pro and send it to me, Dave Bittner, care of the CyberWire, Fulton, Maryland.


 

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.