The CyberWire Daily Podcast 3.6.24
Ep 2018 | 3.6.24

No cyber blues on Super Tuesday.


CISA says Super Tuesday ran smoothly. The White House sanctions spyware vendors. The DoD launches its Cyber Operational Readiness Assessment program. NIST unveils an updated NICE Framework. Apple patches a pair of zero-days. The GhostSec and Stormous ransomware gangs join forces. Cado Security tracks a new Golang-based malware campaign. Google updates its search algorithms to fight spammy content. Canada's financial intelligence agency suffers a cyber incident. On our Industry Voices segment, our guest Amitai Cohen, Attack Vector Intel Lead at Wiz, joins us to discuss cloud threats. Moonlighting on the dark side.

Today is March 6th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

CISA says Super Tuesday ran smoothly. 

A senior official from the Cybersecurity and Infrastructure Security Agency (CISA) reported no security issues during the close of Super Tuesday, marking a smooth day for the presidential primary calendar's biggest day. The official confirmed there were no known, credible, or specific threats to election operations, reinforcing confidence in the election process and its ongoing administration. With presidential nominating contests taking place in over a dozen states, Super Tuesday served as a crucial test of the U.S. election infrastructure ahead of the November general election. Despite prior warnings from national security officials about potential cyberattacks or influence operations by foreign adversaries, possibly using generative artificial intelligence, the day proceeded without any significant security disruptions.

The White House sanctions spyware vendors. 

The Biden administration sanctioned several software vendors, including individuals and companies within the Intellexa Consortium, accused of aiding repressive regimes in spying on US officials, journalists, and human rights activists. This marks the first US sanctions against sellers of commercial spyware, highlighting concerns over its use in privacy invasions and human rights abuses globally. The sanctions prevent US entities from engaging with the targeted individuals and companies. Intellexa's Predator spyware, sold to various governments, has been implicated in spying activities against US government officials and in facilitating human rights violations. The US aims to curb the commercial spyware industry, having previously banned federal agencies from using such technology and imposed visa restrictions on individuals involved in the spyware sector. This initiative emphasizes the US's commitment to combating the misuse of surveillance technologies worldwide.

The DoD launches its Cyber Operational Readiness Assessment program. 

The U.S. Department of Defense (DoD) has officially launched its Cyber Operational Readiness Assessment (CORA) program after a successful nine-month pilot. Transitioning from a compliance-based approach to one which emphasizes operational readiness, CORA aims to assure mission integrity by providing continuous, holistic assessments of cybersecurity within the DoD Information Network (DODIN). The program focuses on validating technologies and enhancing the DoD's ability to monitor, assess, and mitigate risks. CORA prioritizes minimizing adversarial risks by using MITRE ATT&CK mitigations and developing risk-based metrics to concentrate efforts on high-risk areas. The program is designed to enhance decision-making for commanders and directors by offering a more precise understanding of cyber terrain and security posture. Furthermore, CORA's agile process allows for adjustments based on new orders, policies, or the evolving threat landscape, ensuring a robust cybersecurity foundation across all DoD networks.

NIST unveils NICE Framework v1.0.0

NIST’s National Initiative for Cybersecurity Education, also known as NICE, unveiled the first official revision of its comprehensive workforce framework since 2017. The updated framework refines the structure of cybersecurity roles and the crucial task, knowledge, and skill statements that define professional requirements in the field. The update introduces 11 Competency Areas and updates the core 52 Work Roles.

The full overhaul aims to more accurately mirror the dynamic nature of cybersecurity work and talent insights. The revision saw over 2,000 task, knowledge, and skill statements refined, with a significant focus on removing redundancies and enhancing clarity. Such changes underscore a commitment to adaptability and precision in defining what cybersecurity professionals do and need to know. Accessibility and user-friendliness have also been prioritized, with the release of new Excel workbooks and a machine-readable JSON file planned for later this year. This approach signals a software-like versioning strategy for future updates, indicating ongoing refinement and responsiveness to our profession’s needs. 

For industry professionals, the NICE Framework serves as a critical tool in navigating the cyber talent landscape and enhancing workforce readiness. Stay tuned later this month when we publish a full length special edition with the leadership at NIST NICE about the new updated framework.

Apple patches a pair of zero-days. 

Apple has issued a security update for iOS and iPadOS to address two exploited zero-day vulnerabilities, allowing attackers to bypass memory protections and potentially gain complete control over targeted iPhones. These vulnerabilities were used alongside an unpatched flaw or malicious app for exploitation. Users are advised to update to iOS 17.4 or iPadOS 17.4. The vulnerabilities involved memory corruption issues addressed with improved validation, affecting Apple's real-time operating system, RTKit, across various devices.

The GhostSec and Stormous ransomware gangs join forces. 

Cisco Talos researchers report that the GhostSec and Stormous ransomware gangs have partnered to launch a global ransomware campaign via a new ransomware-as-a-service (RaaS) operation named STMX_GhostLocker. Targeting multiple countries, this collaboration offers a range of services to affiliates, including paid, free, and data sale or publication options. The campaign has impacted organizations across numerous countries, including Israel where GhostSec has targeted industrial systems and critical infrastructure. The GhostLocker 2.0 ransomware, developed in Go, marks an evolution in their tools, threatening data leakage if victims do not engage within seven days. The operation's command and control server was located in Moscow, Russia, and the ransomware builder provided to affiliates includes features for persistence, target selection, and detection evasion. 

Cado Security tracks a new Golang-based malware campaign. 

Hackers are exploiting misconfigured servers using Apache Hadoop YARN, Docker, Confluence, or Redis through a new Golang-based malware campaign, discovered by Cado Security. This malware automates the identification and exploitation of vulnerable hosts, leveraging old vulnerabilities, notably in Atlassian Confluence, for code execution. The campaign involves bash scripts and Golang ELF binaries for initial compromise, leading to cryptocurrency mining, persistence, and reverse shell setup. Four novel Golang payloads, designed to scan for and exploit services on specific ports, have been identified. Notably, the malware includes debug information and unobfuscated strings, simplifying reverse engineering. Despite this, these payloads remain largely undetected by antivirus engines on VirusTotal. The campaign, potentially starting in December 2023, highlights the importance of securing server configurations to prevent such intrusions. Cado Security has provided a detailed analysis and indicators of compromise for further protection against this threat.

Google updates its search algorithms to fight spammy content. 

Google is implementing updates to its search ranking algorithms aimed at reducing what it describes as "unhelpful content" by up to 40%. They say the updates specifically target content that merely summarizes other content, a common practice in SEO and increasingly produced by AI tools, as well as tactics that manipulate search rankings. Google's adjustments focus on three types of spammy behavior: the mass production of low-quality articles, "site reputation abuse" where reputable sites host spammy content, and "expired domain abuse," where high-ranking but abandoned domains are filled with poor content to exploit their search rankings. Google is providing a 60-day grace period for sites engaged in reputation abuse to amend their practices, while other changes are effective immediately. 

Canada's financial intelligence agency suffers a cyber incident. 

FINTRAC, Canada's financial intelligence agency, took its corporate systems offline following a cyber incident this past weekend. The incident, which didn't involve FINTRAC's intelligence or classified systems, has prompted the agency to collaborate with federal partners, including the Canadian Centre for Cyber Security, to safeguard and restore its systems. As a precaution, the agency disconnected its corporate systems to protect their integrity. The nature and motivation behind the cyber incident remain undisclosed, similar to recent cyberattacks on the Royal Canadian Mounted Police and Canada's foreign ministry, which also experienced breaches involving personal information.


Coming up on Industry Voices, guest Amitai Cohen of Wiz joins us to discuss cloud threats. 

Welcome back. You can learn more about Amitai, Wiz and their podcast Crying Out Cloud in our show notes. 


Moonlighting on the dark side. 

And finally, research from the Chartered Institute of Information Security (CIISec) reveals an alarming trend of cybersecurity professionals potentially moonlighting as cybercriminals to supplement their incomes. This insight was obtained by analyzing dark web job adverts with the assistance of a former police officer. The study highlighted three groups on underground sites: experienced IT and cybersecurity experts, newcomers seeking work and training, and professionals from non-IT industries, all offering services for illicit activities. The research warns that stress and inadequate compensation in cybersecurity roles might drive skilled individuals towards cybercrime, citing Gartner's prediction that 25% of security leaders will exit the industry by 2025 due to work-related stress. To combat this, CIISec's CEO, Amanda Finch, urges the industry to improve salaries and working conditions to retain talent and prevent a potential increase in the workforce joining cybercriminal activities.

Stay in school, friends. Straighten up and fly right. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. You can email us at—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.