Volt Typhoon’s stealthy threat to US critical infrastructure.
A joint advisory warns of Volt Typhoon’s extended network infiltration. Check your Cisco devices for patches. Fortinet clarifies its latest vulnerabilities. Internet outages plague Pakistan on election day. Kaspersky describes the new Coyote banking trojan. Cyber insurance is projected to reach new heights. The White House appoints a leader for the AI Safety Institute, and sees pushback on proposed reporting regulations. Can we hold AI liable for its foreseeable harms? Joe Carrigan joins us with insights on the Mother of All Data Breaches. The potential of Passkeys versus the comfort of passwords.
Today is February 8th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
A joint advisory warns of Volt Typhoon’s extended network infiltration.
The Chinese cyber-espionage group known as Volt Typhoon successfully infiltrated networks within the United States' critical infrastructure, and managed to evade detection for at least five years. The discovery of this breach was announced through a joint advisory by CISA, the NSA, the FBI, and their international partners from the Five Eyes alliance.
Volt Typhoon specializes in "living off the land" (LOTL) techniques, using legitimate tools already present in the environment for malicious purposes. The group also leverages stolen account credentials and employs strong operational security measures. These strategies enable them to remain undetected and maintain persistent access within compromised systems over long periods.
The primary targets of Volt Typhoon have been organizations within the communications, energy, transportation, and water/wastewater sectors across the United States. Their operations and tactics suggest a focus beyond typical cyber espionage. Authorities believe the group's ultimate objective is to gain access to Operational Technology (OT) assets. This access could enable them to disrupt critical infrastructure, especially in times of geopolitical tensions or military conflicts with the United States.
CISA has expressed concerns about Volt Typhoon's potential to exploit their access for disruptive or destructive cyber activities against U.S. critical infrastructure during significant crises. Rob Joyce, NSA's Director of Cybersecurity, emphasized the ongoing efforts to understand the scope of Volt Typhoon's activities. The U.S. has been improving its capabilities in identifying compromises, hardening targets, and collaborating with partner agencies to counteract cyber threats from the People's Republic of China (PRC).
In response to these threats, a technical guide accompanied the advisory. This guide provides information for network defenders on how to detect Volt Typhoon's techniques. It also offers mitigation measures to secure networks against attackers using living off the land techniques.
Check your Cisco devices for patches.
Security researcher Kevin Beaumont warns that Akira and Lockbit ransomware groups are actively targeting Cisco ASA SSL VPN devices by exploiting vulnerabilities that were patched in 2020 and 2023. Despite the available patches, the exploitation of these older vulnerabilities is facilitated by organizations' slow patching practices. Recent observations by Beaumont and Truesec researchers highlight an uptick in malicious scanning for Cisco AnyConnect VPN devices, with a significant portion of the activity linked to known ransomware groups. The advice is clear: patch your devices promptly to mitigate the risk of ransomware attacks.
Meanwhile, Cisco has patched several vulnerabilities in its Expressway Series collaboration gateways, including two critical flaws which pose a risk of cross-site request forgery (CSRF) attacks. These vulnerabilities stem from inadequate CSRF protections in the web-based management interface, enabling attackers to perform unauthorized actions on the affected system by deceiving a user into clicking a malicious link. The potential impacts include altering system configurations and creating new accounts with administrative privileges. Additionally, a third vulnerability could lead to a denial of service (DoS) by allowing attackers to overwrite system settings. Cisco recommends that customers update their software to a secure release to mitigate these risks.
Fortinet clarifies its latest vulnerabilities.
The past few days have seen some confusion over a series of security disclosures from Fortinet, and now the company has identified two new unpatched vulnerabilities as patch bypasses for a previously disclosed critical remote code execution flaw in FortiSIEM, their security information and event management solution. Initially, Fortinet mistakenly announced these as duplicates due to an API issue but later clarified that they are indeed distinct variants of the original vulnerability, allowing unauthenticated attackers to execute commands via crafted API requests. These variants share the same description and severity score as the initial flaw. Fortinet is working on fixes for these vulnerabilities in upcoming FortiSIEM releases across several versions. Despite no current active exploitation, the critical nature of the flaw urges users to update their systems promptly to ensure network security, especially given Fortinet devices' attractiveness to ransomware groups and other threat actors. Fortinet plans to include reminders in its monthly advisory to alert customers about the updated advisory and forthcoming patches.
Internet outages plague Pakistan on election day.
It’s election day in Pakistan, and widespread Internet blackouts and mobile network disruptions were reported across multiple regions. This comes amid security concerns cited by Pakistan's interior ministry, pointing to a recent surge in terrorist activities. The election process has been overshadowed by digital censorship targeting the political opposition, allegations of corruption, and poll rigging. Imran Khan, the leader of the Pakistan Tehreek-e-Insaf party, and his wife Bushra Bibi were jailed last week, further complicating the political landscape. The Pakistan Muslim League-Nawaz is expected to win in an election anticipated to have a lower-than-usual voter turnout, despite heavy security presence. Past incidents in 2022 also saw Internet services disrupted during protests, with telecom providers attributing a partial outage to issues with the web filtering system, suggesting state involvement in Internet shutdowns.
Kaspersky describes the new Coyote banking trojan.
Kaspersky reports on a newly discovered banking Trojan, dubbed "Coyote,"which targets users of over 60 banking institutions with a sophisticated infection chain that distinguishes it from traditional banking Trojans. Utilizing the Squirrel installer for distribution, Coyote leverages advanced technologies including NodeJS and the Nim programming language for its loader, aiming to complete its infection process more covertly. Targeting mainly Brazilian banks, Coyote communicates with its command and control server using SSL channels, performing actions based on received commands. This evolution in the banking Trojan domain highlights the adoption of less common, cross-platform languages by cybercriminals, indicating a trend towards more sophisticated malware development techniques.
Cyber insurance is projected to reach new heights.
The Insurance Information Institute (Triple-I) projects global cyber insurance direct written premiums to reach $23 billion by 2025, with U.S. businesses contributing approximately 56% of this total. This growth is attributed to the increasing threat of cyberattacks and data breaches, alongside improvements in policy clarity and risk management by insurers. U.S. companies, major buyers of standalone cyber insurance, are particularly vulnerable due to their heavy reliance on IoT technologies, remote work, and cloud storage, raising their exposure to cyber risks. Standalone policies offer coverage for expenses not typically covered by general liability policies, such as legal fees and data recovery costs. Despite a 15% rise in the average data breach cost since 2020, reaching $4.45 million in 2023, the cyber insurance market has tripled in the past five years. This surge in demand and cost underscores the importance of cyber insurance in today's digital economy, prompting heightened focus from insurance regulators and cybersecurity agencies.
The White House appoints a leader for the AI Safety Institute, and sees pushback on proposed reporting regulations.
The Biden administration has appointed Elizabeth Kelly, a senior White House economic policy adviser, to lead the newly created AI Safety Institute, which is part of NIST. Kelly was instrumental in drafting the executive order that established the institute, which will focus on fostering safe AI technology development. The institute aims to implement "red team" testing standards by July for AI developers, ensuring system safety for consumer and business use. This initiative seeks to establish a universal set of standards for AI safety testing, promoting broader trust and adoption of AI technologies. Kelly has a background in law from Yale and experience in both the Obama administration and the private sector, bringing a wealth of expertise to her new role.
The U.S. Department of Homeland Security (DHS) is actively recruiting 50 artificial intelligence (AI) experts this year to join its new AI Corps, leveraging AI in various government tasks including cyberthreat defense and damage assessment with AI-powered computer vision.
Meanwhile, the Biden administration is seeing pushback from industry on proposed changes to procurement rules that require IT service providers to the U.S. government to grant full access to their systems during security incidents. These updates to the Federal Acquisition Regulation (FAR), inspired by President Biden's 2021 executive order, aim to enhance security reporting standards for government contractors. Other key provisions include an eight-hour deadline for reporting incidents to CISA, and maintenance of a software bill of materials. Organizations argue that the requirements are burdensome and the rapid reporting timelines are unrealistic. Critics, including the Cloud Service Providers Advisory Board and the Information Technology Industry Council, express concerns over the SBOM requirements and the potential impact on non-federal customer data. The debate emphasizes the growing complexity and inconsistency of cyber incident reporting regulations across various federal agencies, leading to calls for a unified reporting process.
Can we hold AI liable for its foreseeable harms?
A story from Dylan Matthews in VOX points out that some AI experts have remarked on the unique nature of artificial intelligence, highlighting its potential as a major shift in human history, akin to the creation of a new species capable of surpassing human intelligence. This perspective raises questions about the role of governments in regulating AI, especially given its potential to significantly impact society. Proposed regulations focus on ensuring AI systems are tested for bias, security vulnerabilities, weaponization potential, and unintended goals. However, the complexity of AI poses challenges for regulatory efforts. Gabriel Weil suggests an alternative approach through tort law, where AI companies could face strict liability for foreseeable harms caused by their products, including catastrophic risks. This legal strategy could incentivize companies to prioritize safety without the need for extensive government intervention, representing a novel method to manage AI's transformative potential while mitigating its risks.
The potential of Passkeys versus the comfort of passwords.
And finally, Matt Burgess writes in Wired about the promise and frustrations of trying to adopt a passwordless lifestyle online.
He shares several frustrations related to the use of traditional passwords and the transition to passkeys, including annoyances with complex passwords, as anyone who has tried to enter their Netflix password on a TV screen keyboard has surely experienced. Password managers are great when they work, but they can be complex and inconvenient, especially when managing a large number of passwords.
Burgess met several hurdles in his attempt to transition to Passkeys, the technology supported by major tech entities like Google, Apple, and Microsoft. Passkeys promise a more secure alternative, leveraging public key cryptography to facilitate logins via fingerprints, facial recognition, or PINs. Troubles included incompatibility issues with their work laptop's operating system, glitches with the PayPal app, challenges in creating a passkey for TikTok due to the use of a work Google account, and limitations with their password manager, Bitwarden, not supporting passkeys on mobile initially.
There’s little doubt we’re headed for a passwordless future, but for now, passwords are kind of like exes – you know you should move on, but you keep going back because it's just so familiar.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. You can email us at firstname.lastname@example.org—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.
N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.