The CyberWire Daily Podcast 3.1.24
Ep 2015 | 3.1.24

WhatsApp's legal triumph cracks the spyware vault.

Transcript

A court orders NSO Group to hand over their source code. The Five Eyes reiterate warnings about Ivanti products. Researchers demonstrate a generative AI worm. Fulton County calls LockBit’s bluff. SMS codes went unprotected online. Golden Corral serves up a buffet of personal data. Ransom demands continue to climb. A US Senator calls on the FTC to investigate auto industry privacy practices. Dressing up data centers. Our guest is Dominic Rizzo, founder and director of OpenTitan and CEO at zeroRISC, discussing the first open-source silicon project to reach commercial availability. And Cops can’t keep their suspects straight.

Today is March 1st, 2024, the first day of Women’s History Month. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

A court orders NSO Group to hand over their source code. 

A US court has mandated Israeli firm NSO Group, creator of the Pegasus spyware, to hand over its source code to WhatsApp. Back in 2019, WhatsApp accused NSO of targeting 1,400 of its users with Pegasus, which allows for extensive surveillance without detection. Despite NSO's appeal citing US and Israeli restrictions, the court ordered the disclosure of all spyware active from April 29, 2018, to May 10, 2020, excluding client identities or server details. This ruling marks a significant legal win for the Meta-owned app. NSO Group has been widely criticized for enabling the surveillance of activists and journalists worldwide, and was blacklisted by the Biden administration in 2021. The administration has also introduced global visa restrictions to combat the misuse of spyware like Pegasus, reflecting concerns over national security and privacy.

The Five Eyes reiterate warnings about Ivanti products. 

The Five Eyes intelligence agencies from Australia, Canada, New Zealand, the UK, and the US have issued an urgent warning about the ongoing exploitation of vulnerabilities in Ivanti products. Cyber threat actors are targeting Ivanti Connect Secure and Ivanti Policy Secure gateways. The vulnerabilities, rated from high to critical, could allow attackers to bypass authentication, craft malicious requests, and execute commands with elevated privileges. The advisory also highlights that Ivanti's Compromise Detection Tools failed to detect breaches, advising users to assume compromised credentials, hunt for malicious activity, and follow Ivanti's patching guidance. 

Observers have noted that these ongoing notifications from intelligence organizations amount to an indirect recommendation to discontinue use of the affected Ivanti products. 

Meanwhile, CISA has added a Microsoft Streaming Service vulnerability with a CVSS score of 8.4 to its known exploited vulnerabilities catalog, due to its exploitation for SYSTEM privileges. Discovered by Thomas Imbert from Synacktiv through the Trend Micro Zero Day Initiative, this flaw has seen widespread abuse following the release of Proof of Concept code. Federal agencies must remediate this vulnerability by March 21, 2024, and CISA recommends private entities also address this issue in their systems.

Researchers demonstrate a generative AI worm. 

Researchers have demonstrated a novel cyber threat with the creation of a generative AI worm capable of spreading across AI systems, such as OpenAI's ChatGPT and Google's Gemini. This AI worm, termed Morris II, can autonomously propagate from one system to another, stealing data or deploying malware. Developed by Ben Nassi and colleagues at Cornell Tech, Morris II can exploit AI email assistants to exfiltrate data from emails and disseminate spam, circumventing some security measures of ChatGPT and Gemini. The exploit utilizes "adversarial self-replicating prompts," akin to traditional cyberattack methods, to manipulate AI responses for malicious purposes. This research, conducted in controlled settings, underscores the emerging security risks within AI ecosystems, especially as AI applications gain autonomy in performing tasks. The researchers have reported their findings to Google and OpenAI.

Fulton County calls LockBit’s bluff.

The LockBit ransomware group claimed online that Fulton County, Ga., had paid a ransom to prevent the publication of stolen data. County officials insist no payment was made. Now, security experts suggest LockBit was bluffing, likely having lost the data during recent U.S. and U.K. law enforcement seizures of the gang's servers. Originally threatening to release Fulton County's data, LockBit removed the county from its victim list without clear explanation. The FBI and U.K.'s National Crime Agency had earlier disrupted LockBit's operations, casting doubt on the group's capabilities. Despite reemerging with new domains, LockBit's credibility is questioned, with analysts suggesting this episode could signify the end of the LockBit brand, pointing to possible desperation or an attempt to maintain affiliate confidence after significant operational setbacks.

SMS codes went unprotected online. 

YX International, an Asian tech company providing global SMS routing services, inadvertently exposed a database without password protection, revealing one-time security codes and password reset links for users' accounts on platforms like Facebook, Google, and TikTok. Discovered by security researcher Anurag Sen, the database contained sensitive information, including two-factor authentication (2FA) codes and internal email addresses. Despite the inherent security benefits of 2FA, SMS-based codes can be less secure, susceptible to interception or accidental exposure. The database, with records dating back to July 2023, was secured after TechCrunch alerted YX International, but the company couldn't confirm the duration of the exposure or if unauthorized access occurred.

Ransom demands continue to climb. 

A report from Arctic Wolf reveals a 20% year-over-year increase in median initial ransom demands in 2023, reaching $600,000. Sectors like legal, government, retail, and energy face demands of $1 million or more. Manufacturing, business services, and education/non-profit top the victim list. The report underscores cybercriminals' growing aggression, noting that they mainly exploit pre-2022 vulnerabilities. Arctic Wolf notes that by focusing on 10 specific vulnerabilities, organizations could significantly enhance cybersecurity. The silver lining is improved organizational resilience, with 71% managing partial recovery from backups, aiding negotiation leverage. Insurance mandates for modern data protection and law enforcement's increasing adeptness at identifying cyber syndicates also contribute to a proactive stance against ransomware. 

Golden Corral serves up a buffet of personal data. 

Golden Corral, an American buffet restaurant chain, and my father’s favorite place in the world to eat out, announced a data breach affecting over 180,000 individuals after a cyberattack in August. Hackers accessed the company's systems between August 11 and 15, compromising data of current and former employees and their beneficiaries. The breach disrupted corporate operations, prompting notification to federal law enforcement and efforts to enhance security measures. The stolen data includes names, Social Security numbers, financial and medical information, among others. Golden Corral has begun notifying affected individuals and advises vigilance against identity theft. The breach's details were disclosed in a filing with Maine's Attorney General.

A US Senator calls on the FTC to investigate auto industry privacy practices. 

Sen. Edward Markey criticized major automakers for their vague responses to his questions regarding data privacy practices, and has called on FTC Chair Lina Khan to investigate. Markey's dissatisfaction stems from inadequate transparency on how these companies handle privacy protections, consent for data collection, and data sharing for commercial benefits. Despite automakers claiming to offer consent options to consumers, only one disclosed the consent rate, and most only delete data when legally required. Concerns were also raised about excessive data collection, potential loss of vehicle functionality without consent, and past cyberattacks. The industry's practice of sharing data with law enforcement under legal orders was noted, but the criteria for such sharing remain ambiguous for some. Markey's appeal to the FTC coincides with the FCC's increased scrutiny over connected car services.

Dressing up data centers. 

Data centers, essential yet often unobtrusive components of the digital infrastructure, face growing scrutiny over their appearance and integration into local communities. Author Dan Swinhoe has taken a closer look at this issue on the Data Center Dynamics web site. As these facilities proliferate, there's increasing pressure from local authorities and residents for developers to invest in aesthetic improvements to make these large, typically windowless structures more visually appealing and less of an eyesore. Efforts include adding glass facades, incorporating green living walls, and using vibrant murals to soften their imposing presence. Despite these aesthetic enhancements, security remains paramount, with developers balancing the need to make data centers less fortress-like while ensuring they meet stringent security standards. Innovations in design and security, such as utilizing environmental features for protection and employing smart technology, are helping to integrate these critical facilities more harmoniously into their surroundings. This shift not only addresses community concerns but also reflects a broader trend towards branding and visibility in the industry, marking a departure from the traditionally stealthy presence of data centers.

Coming up, we’ve got Dominic Rizzo, the founder/director of OpenTitan and CEO at zeroRISC. Dominic and I discuss the OpenTitan Project, the first open-source silicon project to reach commercial availability. (Link in show notes for more info)

Cops can’t keep their names straight. 

And finally, West Midlands Police (WMP) found itself under the scrutiny of the UK's Information Commissioner's Office for mixing up the personal data of two individuals sharing the same name and birthdate, violating the Data Protection Act of 2018. The errors, including sending officers to incorrect addresses and schools, and sharing sensitive victim information with the wrong person, resulted from failure to distinguish between the data of crime victims and suspects, which seems like a pretty fundamental distinction to get right. The police force launched a new Data Quality Policy, a "Think before you link" campaign, and compensated one of the affected individuals. The force has accepted the reprimand, implemented most recommendations, and continues to focus on data protection training and policy improvements.

When I was a teenager back in the 80s there was another Dave Bittner who attended the next high school over from mine. We would regularly get each other’s phone calls. He was an avid golfer and I was a theater kid, so I would field questions about his tee times and he would get asked about rehearsal schedules. Each of us had the other’s phone number memorized, so we could help each other’s friends connect with the right Dave Bittner. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.