The CyberWire Daily Podcast 2.21.24
Ep 2008 | 2.21.24

Anchoring security for US ports.


President Biden to sign EO to bolster maritime port security. Apple announces post-quantum encryption for iMessage. Malwarebytes examines the i-Soon data leak. Law enforcement airs LockBit’s dirty laundry. Varonis highlights vulnerabilities affecting Salesforce platforms. An appeals court overturns a $1 billion piracy verdict. NSA’s Rob Joyce announces his retirement. Anne Neuberger chats with WIRED. A leading staffing firm finds its data for sale on the dark web. In our sponsored Industry Voices segment, Navneet Singh, VP of Marketing Network Security at Palo Alto Networks, discusses the transition to the cloud and shares some examples from healthcare. Hackers and hobbyists push back on the proposed Flipper Zero ban. 

Today is February 21st, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

President Biden to sign EO to bolster maritime port security. 

President Joe Biden is set to issue an executive order to bolster the cybersecurity of U.S. maritime ports, granting the Coast Guard new powers to tackle cyber threats and initiating a rulemaking process for enhanced cyber requirements in the maritime sector. This move, which includes over $20 billion in port infrastructure investments over five years, aims to fortify the nation's supply chains and national security in response to threats like the China-linked Volt Typhoon hacking group. The order mandates maritime entities to improve digital defenses and report cyber incidents to the Coast Guard. Additionally, it addresses concerns over Chinese-manufactured cranes' vulnerability to hacking, imposing specific security requirements. The initiative reflects the critical economic and security role of ports, which facilitate over 90% of U.S. overseas trade and are integral to the country's $5.4 trillion annual economic activity.

Apple announces post-quantum encryption for iMessage.

Apple introduced a new post-quantum cryptographic protocol for iMessage they call PQ3, designed to offer post-quantum encryption. Touted as the most significant cryptographic upgrade in iMessage history, PQ3 claims to elevate secure messaging with its state-of-the-art encryption and defense mechanisms, surpassing the security features of other widely used messaging apps. PQ3 aims to safeguard against "Harvest Now, Decrypt Later" attacks by future quantum computers, ensuring end-to-end encryption that secures both key establishment and message exchange, achieving what Apple defines as "Level 3" security. The protocol will eventually replace the current cryptographic standards across all supported iMessage conversations.

Malwarebytes examines the i-Soon data leak. 

Malwarebytes has published an early analysis of the leak from i-Soon, a Chinese cybersecurity firm believed to be an Advanced Persistent Threat (APT)-for-hire for China's Ministry of Public Security. The leaked information has revealed a wide array of hacking tools and services, likely exposed by a disgruntled employee. The data includes complaints, chat records, financial details, product information, employee data, and evidence of infiltration into government departments across India, Thailand, Vietnam, South Korea, and NATO. The tools showcased include a Twitter (now X) stealer capable of real-time monitoring and posting tweets, custom Remote Access Trojans (RATs) for various operating systems with extensive surveillance capabilities, portable network-attacking devices, special equipment for operatives, a user lookup database for social media correlation, and frameworks for targeted penetration testing. Further analysis of the comprehensive data is ongoing.

Law enforcement airs LockBit’s dirty laundry. 

Following up on yesterday’s reporting, Western law enforcement agencies have taken down the infamous LockBit ransomware group's infrastructure, and have done so with a flourish, turning the criminals' own dark-web platform against them. Coined Operation Cronos, this audacious takedown has seen the UK's National Crime Agency (NCA) not only seize but also sassily repurpose LockBit's site to dish out the gang's dirty laundry. With a touch of British bravado, the NCA has kept the site's original layout but replaced nefarious content with tantalizing teasers of LockBit's exposed secrets, complete with countdown timers for when the next bombshell will drop.

This follows the successful infiltration of LockBit's operations, leading to the arrest of two of its affiliates, further tightening the noose around the syndicate known for its multi-million-dollar extortion schemes. Demonstrating a swagger rarely seen in law enforcement announcements, the NCA has effectively slapped LockBit with its own modus operandi, potentially signaling a bold new approach to cybercrime takedowns.

The operation has not only nabbed affiliates and frozen over 200 cryptocurrency accounts but has also gathered a treasure trove of intelligence, including decryption keys and the gang's source code. This wealth of data stands as a testament to the coordination of global authorities, delivering a clear message: they're not just on LockBit's trail; they're steps ahead, ready to dismantle and mock the cybercriminals' efforts with relentless and tenacious resolve.

Varonis highlights vulnerabilities affecting Salesforce platforms. 

Varonis Threat Labs uncovered serious vulnerabilities and misconfigurations in Apex, a programming language akin to Java used for customizing Salesforce platforms.  The misconfigurations were found within several Fortune 500 companies and government agencies. These issues pose a risk not just to large organizations but to any entity utilizing Apex in "off-the-shelf" applications, potentially leading to data leaks, corruption, and harm to business operations. Varonis emphasizes the importance of securing Apex classes, especially those running "without sharing," to prevent unauthorized data access and maintain the security of Salesforce instances.

An appeals court overturns a $1 billion piracy verdict. 

A federal appeals court has overturned a $1 billion piracy verdict against Cox Communications, originally decided in 2019, for copyright infringement by its users. The court dismissed Sony's argument that Cox directly profited from these infringements. This verdict necessitates a new trial for damages, likely reducing the compensation amount. Despite rejecting the vicarious liability claim, the court upheld the finding of Cox's willful contributory infringement. The case, initiated by Sony and other music copyright holders, accused Cox of not adequately combating piracy on its network. This ruling has implications for how ISPs manage copyright infringement claims and could alleviate concerns that harsh penalties might compel ISPs to disconnect users based on mere accusations of infringement, a scenario that advocacy groups like the Electronic Frontier Foundation have warned against. The case now returns to the US District Court for the Eastern District of Virginia for a new damages trial.

NSA’s Rob Joyce announces his retirement. 

Rob Joyce, the NSA Cybersecurity Director, will retire at the end of March after 34 years of service. Joyce's tenure was marked by significant engagements, including shaping a Trump-era executive order for greater cybersecurity accountability. His departure coincides with heightened security concerns due to potential cyber threats from countries like China and Russia, especially with the upcoming presidential election. Additionally, the NSA seeks Congress's reauthorization of Section 702 for national security, a tool recently utilized to uncover Russian nuclear capabilities in space. Joyce's career also included leading the NSA's Tailored Access Operations unit, focusing on cyber warfare and intelligence gathering. General Timothy Haugh praised Joyce's leadership and contributions to the NSA's cybersecurity mission. David Luber, the Cybersecurity Directorate’s second-in-command, will take his place.

Anne Neuberger chats with WIRED.  

In a comprehensive interview with WIRED, Anne Neuberger, Deputy National Security Adviser for Cyber and Emerging Technology, discusses her critical role in steering the United States' cybersecurity and emerging technology policies under the Biden administration. Drawing on her decade-long tenure at the National Security Agency and her experience leading the cybersecurity directorate, Neuberger outlines her office's achievements and ongoing efforts to safeguard national security amid evolving cyber and technological threats. She touches on several key initiatives, including the government's response to the Colonial Pipeline ransomware attack, the development and implementation of major executive orders on cybersecurity and artificial intelligence, and strategies to protect critical infrastructure. Neuberger also delves into the challenges and opportunities presented by emerging technologies, such as AI, autonomous vehicles, and quantum computing, emphasizing the importance of international cooperation and proactive policy-making to address these issues. The interview provides insight into Neuberger's vision for a secure and technologically advanced future, reflecting her commitment to leveraging technology for societal benefit while mitigating its risks.

VMware warns users to uninstall an insecure plugin. 

VMware has issued a warning for users to uninstall the deprecated Enhanced Authentication Plugin (EAP) due to a high-risk vulnerability with a CVSS score of 9.6. This flaw enables attackers to manipulate domain users with the EAP installed in their browsers into relaying service tickets for any Active Directory Service Principal Names (SPNs), leading to potential arbitrary authentication relay and session hijacking incidents. No workarounds are available for this vulnerability, highlighting the need for immediate removal of the plugin. Discovery of the issue has been credited to Ceri Coburn of Pen Test Partners.

A leading staffing firm finds its data for sale on the dark web. 

Hackread reports that  Robert Half International Inc., a leading global staffing and consulting firm, has fallen victim to a data breach orchestrated by hackers known as IntelBroker and Sanggiero. This breach involves the theft of significant amounts of sensitive data, including confidential records, employee and customer information, and configuration details for services like OpenAI and Twilio. The information is now being sold on Breach Forums for $20,000 in Monero cryptocurrency, with screenshots of the stolen data showing a client list with comprehensive contact details. The extent of the breach and the total number of affected individuals remain unclear, and Robert Half International has yet to issue a formal response. They previously fell victim to a similar data breach back in 2022.


Next up on our Industry Voices segment, I talk with Navneet Singh of Palo Alto Networks about the transition to the cloud with an eye toward healthcare.


Hackers and hobbyists push back on the proposed Flipper Zero ban. 

And finally, Cybersecurity professionals have started an online petition opposing the Canadian government's proposed ban on the Flipper Zero, the portable device which features all sorts of clever ways to interact with other devices using RF protocols like RFID, NFC and radio remotes. The Canadian government claims the ban is aimed at combating vehicle theft. Opponents believe the policy is based on outdated technological assumptions and will not effectively prevent thefts but could instead stifle innovation and harm the economy. Furthermore, it may conflict with recent legislative support for the right to repair and interoperability, penalizing legitimate analysis and repair activities. They suggest that resources would be better spent collaborating with cybersecurity experts and industry stakeholders to enhance automotive security and establish minimum security standards for keyless entry systems.

We don’t question the Canadian government’s good intentions here, but their proposal does seem to lack nuance. When all you have is a legislative hammer, everything looks like a nail.  

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. You can email us at—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.