The CyberWire Daily Podcast 2.14.24
Ep 2004 | 2.14.24

It’s always DNS, but that may just be FUD.

Transcript

It’s always DNS, but that may just be FUD. The DoD notifies victims of a cloud email server leak. New Jersey cops sue online data brokers. Crooks use WiFi jammers to thwart security systems. A copyright case against OpenAI is partially dismissed. Patch Tuesday includes two actively exploited zero days. CharmingCypress gathers political intelligence. Ann Johnson from Microsoft Security’s Afternoon Cyber Tea podcast talks with Frank Cilluffo, Director for Cyber and Critical Infrastructure Security at the McCrary Institute of Auburn University, about cyber and critical infrastructure. And beware Cupid’s misleading arrow.

Today is February 14th, 2024. I AM your valentine, Dave Bittner. And this is your CyberWire Intel Briefing.

It’s always DNS, but that may just be FUD.

We begin today with word from our “It’s always DNS…” desk, that researchers have uncovered a critical DNSSEC flaw, called KeyTrap, which could potentially cripple the internet by exploiting a design vulnerability to exhaust CPU resources, SecurityWeek reports. Discovered by Germany's ATHENE National Research Center for Applied Cybersecurity, KeyTrap threatens over 31% of web clients using DNSSEC-validated DNS resolvers, risking the availability of essential services like web browsing, email, and instant messaging. Dubbed by some as the most severe DNS attack method, it affects major DNS implementations and providers, including Google and Cloudflare. While patches have been released, with the last update on February 13, fully mitigating KeyTrap's threat necessitates a redesign of DNSSEC's core principles. The flaw, present for over two decades, has yet to be exploited maliciously, and security advisories have been issued by major vendors such as Microsoft, BIND, PowerDNS, and NLnet (Unbound).

Also from SecurityWeek, and not completely unrelated, comes a report analyzing FUD — fear, uncertainty and doubt — in cybersecurity. FUD is a marketing strategy historically linked to IBM in the 1970s, implying that IBM products were safe, while others were risky. This tactic leverages large, often unverified numbers to instill fear, making it crucial to scrutinize such figures to avoid falling prey to social engineering. A report mentioning cybercrime costing the global economy $8 trillion highlights the challenges in verifying such claims. Critics argue that without clear economic and financial analysis expertise, such figures lack independent, evidence-based support and exaggerate the impact on the global economy. The discussion extends to the broader cybersecurity industry, suggesting FUD marketing persists due to its effectiveness, despite the need for a more nuanced understanding of cybersecurity risks and solutions. The debate underscores the importance of questioning and verifying sensational claims in cybersecurity, advocating for a more informed and critical approach to understanding and addressing cyber threats.

The DoD notifies victims of a cloud email server leak.

The U.S. Department of Defense (DoD) has informed approximately twenty thousand individuals of a data breach involving an unsecured government cloud email server that leaked sensitive emails to the public internet. This incident, caused by a misconfiguration on a server hosted on Microsoft's cloud for government customers, occurred between February 3 and February 20, 2023. The leaked information, discovered by security researcher Anurag Sen, included internal military emails, some related to U.S. Special Operations Command and sensitive personnel data. The DoD has addressed the server's security issue, removed it from public access, and is working with the service provider to enhance cybersecurity measures. The delay in notifying affected individuals has not been explained.

New Jersey cops sue online data brokers.

In New Jersey, around 20,000 law enforcement personnel have filed class action lawsuits against 118 data brokers for failing to remove their personal information from the internet, violating a state law designed to protect their privacy. This law, known as Daniel's Law, mandates the removal of home addresses and phone numbers for law enforcement officials and their families within 10 days of a request, with non-compliance incurring a $1,000 fine per violation. The legal action could result in at least $2.3 billion in fines for the data brokerage industry, reflecting the scale of the alleged privacy breaches. The lawsuits were initiated after these brokers did not respond to removal requests, which officers say expose them to significant risks, including threats and attempted violence from criminal organizations. Data privacy advocates argue this situation underscores the broader need for stringent regulation of data brokers to protect all citizens.

Crooks use WiFi jammers to thwart security systems.

Police in Edina, Minnesota, have reported a series of burglaries involving criminals using Wi-Fi jammers to temporarily disable homeowners' connected security systems. Over the past six months, it's believed that perpetrators have employed this technique in nine robberies targeting affluent neighborhoods where homes are unoccupied during the day. The criminals steal high-end luxury items such as safes and jewelry once inside. Despite being illegal under federal law, Wi-Fi jammers can still be purchased online from outside the United States, and there have been cases of these devices being used to evade connected home security systems in the past. Some ways to mitigate risks include using hardline cameras that connect directly to local storage and installing security alarms and lights that do not rely on wireless networks.

A copyright case against OpenAI is partially dismissed.

A California court has partially dismissed a copyright case against OpenAI, involving six authors including comedian Sarah Silverman, who accuse OpenAI's ChatGPT of copyright infringement. The allegations include direct copyright infringement, vicarious infringement, violation of the Digital Millennium Copyright Act (DMCA), negligence, and unjust enrichment. OpenAI requested to have all counts except for the main claim, which alleges direct copyright infringement, dismissed. Judge Araceli Martínez-Olguín agreed with OpenAI's request and threw out claims of vicarious copyright infringement, DMCA violations, negligence, and unjust enrichment. The court found no evidence of unlawful business practices or fraudulent conduct related to unfair competition.

The remaining claims hinge on proving direct infringement.

Patch Tuesday includes two actively exploited zero-days.

Microsoft's February 2024 Patch Tuesday addresses 73 security vulnerabilities, including two actively exploited zero-days and five critical issues spanning denial of service, remote code execution, information disclosure, and elevation of privilege. The updates fix a range of flaws, notably 30 remote code execution and 16 elevation of privilege vulnerabilities, alongside others. Notably fixed are two zero-days: a Windows SmartScreen bypass, and an Internet Shortcut File bypass. Additionally, other tech giants like Adobe, Cisco, and Google released patches.

Digging into the Microsoft Defender SmartScreen zero-day, Trend Micro reports that the Water Hydra threat group, also known as DarkCasino, exploited this zero-day vulnerability to target financial traders. This campaign utilized the flaw to bypass security checks and deploy DarkMe malware through Internet Shortcut Files. The attack involved convincing victims to click on malicious URLs disguised as stock chart images on forex forums, leading to a complex infection chain that evaded SmartScreen's protections.

CharmingCypress gathers political intelligence.

Iranian threat group CharmingCypress, also known as Charming Kitten, APT42, or TA453, has been actively gathering political intelligence on international targets, focusing on journalists, think tanks, and NGOs. Security firm Volexity says the group employs innovative social engineering and phishing techniques, engaging in extended conversations before sending malicious links. A notable tactic includes the use of malware-infected VPN applications to facilitate access to a bogus webinar platform, effectively deploying backdoors in victims' systems. This approach was highlighted in campaigns where individuals were lured into downloading a VPN client under the pretense of attending a webinar, only to install malware, such as POWERLESS for Windows users and NOKNOK for macOS users, enabling CharmingCypress to control and access their devices. This operation reflects the group's sophisticated methods of targeting and exploiting individuals for intelligence-gathering purposes.


Coming up, we have Ann Johnson of the Afternoon Cyber Tea podcast talking with Frank Cilluffo of the McCrary Institute at Auburn University about cyber and critical infrastructure. You can hear the full interview on the latest episode of Afternoon Cyber Tea. The link is in the show notes.


Beware Valentine’s Day scams.

And finally, it’s Valentine's Day, which means one thing — online scams.

An analysis from Bitdefender reveals that a quarter of Valentine’s Day-themed spam emails are scams targeting online shoppers with fraudulent offers on gifts like jewelry and flowers. Originating mostly from the U.S., these scams pose a significant risk of financial loss, employing sophisticated phishing techniques, including the use of AI to create highly personalized and convincing messages. Scammers set up fake websites and offer too-good-to-be-true deals or contests to win cash prizes or vouchers. Experts warn of the importance of recognizing phishing signs, such as unsolicited links or requests for sensitive information, and advise against interacting with suspicious emails. They also highlight the increasing use of QR codes in scams, urging caution and recommending measures like inspecting URLs, avoiding unexpected QR scans, and securing accounts with strong passwords and multifactor authentication to protect against such threats.

Seems like Cupid's arrows have been replaced with phishing hooks this Valentine's.

Roses are red, violets are blue, phishing scams are rampant, don't let them catch you.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.