The CyberWire Daily Podcast 3.20.24
Ep 2028 | 3.20.24

Biden's cyber splash in protecting the nation's water systems.

Transcript

The White House Mobilizes a National Effort to Shield Water Systems from Cyber Threats and Announces Major Investment in U.S. Chip Manufacturing. The U.S. and Allies Issue Fresh Warnings on China's Volt Typhoon Cyber Threats to Critical Infrastructure. Microsoft Streamlines 365 Services with a Unified Cloud Domain. Ukrainian authorities take down a credential theft operation. LockBit claims another pharmaceutical company. A popular WordPress plugin puts tens of thousands of websites at risk. A breach at Mintlify compromises GitHub tokens. An Idaho man pleads guilty to online extortion. The SEC fines firms for AI washing. We’ve got part two of our continuing Learning Layer series with Joe Carrigan and Sam Meisenberg logging Joe’s journey toward his CISSP certification. And password stuffing Pokémon.

Today is Wednesday March 20, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

The White House Mobilizes National Effort to Shield Water Systems from Cyber Threats and Announces Major Investment in U.S. Chip Manufacturing.

The White House is rallying state environmental, health, and homeland security agencies for a critical meeting aimed at bolstering the cybersecurity defenses of the nation's water and wastewater systems. Scheduled for March 21, this one-hour virtual gathering will spotlight the U.S. government's initiatives to enhance cybersecurity in the water sector, identify existing gaps, and encourage swift action from states and water systems. The initiative comes in response to increasing cyberattacks, notably from Iranian and Chinese state-sponsored actors, targeting vital water infrastructure, which pose a significant threat to the provision of clean and safe drinking water. In response, the Biden-Harris administration is urging collaboration to fortify the cybersecurity of water critical infrastructure, with a particular emphasis on the Environmental Protection Agency's leadership role. Furthermore, the establishment of a Water Sector Cybersecurity Task Force is on the agenda, aimed at devising strategies to mitigate these risks.

The Biden administration has also announced a substantial investment in Intel, to boost U.S. semiconductor production across Arizona, Ohio, New Mexico, and Oregon, committing up to $8.5 billion in direct funding and $11 billion in loans. This financial support aims to fuel a leap from manufacturing zero to 20% of the world's most advanced chips by 2030. The deal, negotiated by Commerce Secretary Gina Raimondo, is seen as crucial for national security and economic stability, addressing the U.S.'s current incapacity to manufacture advanced chips domestically. Intel's initiative, fueled by the bipartisan 2022 CHIPS and Science Act, represents the largest investment under the law to date, expected to generate 30,000 jobs and entail $100 billion in capital investments over five years, covering construction and equipment for new and modernized facilities across the four states.

The U.S. and Allies Issue Fresh Warnings on China's Volt Typhoon Cyber Threats to Critical Infrastructure

Meanwhile, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with the National Security Agency (NSA), FBI, and international partners, issued a warning about potential cyber attacks from China's Volt Typhoon group targeting critical infrastructure. This follows a February alert about the group compromising U.S. networks, highlighting the threat of disruptive or destructive attacks. The latest advisory aims to guide senior non-technical leaders, emphasizing the use of intelligence-informed tools for cyber defense, like the Cybersecurity Performance Goals (CPGs). It stresses the importance of implementing cybersecurity best practices, developing incident response plans, conducting exercises, and securing the supply chain by enforcing strict security standards and managing risks, including foreign influences. This guidance seeks to bolster defenses against sophisticated tactics, including "living off the land" techniques used by attackers to evade detection.

A bit of quick follow-up on Monday’s story where we highlighted a breach affecting Fujitsu, the global brand with headquarters in Japan. A listener sent in a kind note to remind us that the Fujitsu UK Horizon scandal, the one we mentioned about the UK Post Office, is out of Fujitsu UK, and not associated with other Fujitsu locations around the world like Ireland, Poland or Spain. Thanks to our listener for the clarification.

Microsoft Streamlines 365 Services with Unified Cloud Domain.

Microsoft is consolidating its Microsoft 365 services under the unified domain "cloud.microsoft" to enhance user experience and streamline administration. This move will simplify domain management for authenticated apps and services, bolster security, and facilitate tighter ecosystem integration. Specifically, Teams, Outlook, and Microsoft 365 web applications will transition to this new domain. Developers must update Teams apps to the latest TeamsJS client library (version 2.19 or higher) before June 2024 to ensure functionality on the new "teams.cloud.microsoft" domain, which will feature a dynamic list of trusted domains. Those unable to update in time will remain on the existing domain until updates can be made. The shift to a dynamic trust list is aimed at reducing maintenance and supporting seamless app functionality across Microsoft 365 services. Of course, any time there’s a major transition like this the baddies step in to take advantage of the potential confusion, so heads up for that. 

Ukrainian authorities take down a credential theft operation. 

Ukrainian authorities have dismantled a significant cybercrime operation, arresting three individuals linked to the theft and sale of 100 million email and Instagram accounts on the dark web. Utilizing brute-force attacks to obtain login credentials, the suspects offered these accounts to other cybercriminals, facilitating scams and fraudulent activities. The enforcement operation involved extensive searches across multiple cities, resulting in the seizure of computer equipment, phones, and cash. The ongoing investigation also explores potential collaborations with foreign entities, particularly those benefiting Russian interests. 

LockBit claims another pharmaceutical company. 

Crinetics Pharmaceuticals is probing a cybersecurity breach after the LockBit ransomware gang claimed it had stolen data from the Nasdaq-listed firm. The company noticed suspicious activity in an employee's account, which was promptly disabled, triggering a comprehensive incident response, including engaging cybersecurity experts and notifying law enforcement. Despite the incident, Crinetics asserts that its operations and key databases remain unaffected. The company is determined to conduct a thorough investigation and fulfill any legal obligations. This incident coincides with LockBit's attempt to recover from a significant law enforcement crackdown that disrupted its operations. LockBit has been notorious for targeting pharmaceutical firms among other global entities, with demands for a $4 million ransom from Crinetics, adding to the pharmaceutical industry's ongoing challenges with cybersecurity threats.

A popular WordPress plugin puts tens of thousands of websites at risk.

The popular WordPress plugin Automatic, developed by ValvePress, has been found to have critical security flaws affecting over 40,000 websites. The two identified vulnerabilities expose sites to unauthenticated SQL queries and to file download or SSRF attacks, respectively. ValvePress responded by removing the compromised component and adding security checks, including a nonce requirement for privileged user actions.

A breach at Mintlify compromises GitHub tokens. 

A security breach at software documentation platform Mintlify compromised 91 GitHub tokens, potentially exposing private repositories. The breach, attributed to a system vulnerability identified by a bug bounty hunter, led to unauthorized access. Mintlify, which links to customers' GitHub repositories for creating software documentation, acted swiftly by revoking the affected tokens, enhancing security protocols, and patching the vulnerability. Initial investigations suggest limited unauthorized repository access, with ongoing efforts to ascertain the full impact. In response, Mintlify has notified users, tightened security measures, and initiated collaborations with GitHub and cybersecurity vendors to prevent future incidents. Users are urged to update their passwords, activate 2FA, and review API key permissions.

An Idaho man pleads guilty to online extortion. 

Robert Purbeck from Idaho has pleaded guilty in U.S. Federal Court to computer fraud and abuse charges. Purbeck was accused of hacking medical clinics and a police department, impacting over 130,000 individuals. Using stolen dark web credentials, he infiltrated networks in Georgia and targeted additional victims nationwide. Purbeck, who went by the hacker names "Lifelock" and "Studmaster," threatened extortion using sensitive personal data, including information about an orthodontist's child. Scheduled for June sentencing, Purbeck agreed to a $1 million restitution for his crimes.

The SEC fines firms for AI washing. 

The SEC has fined two companies, Delphia (USA) Inc. and Global Predictions Inc., a combined $400,000 for making false claims about their artificial intelligence (AI) capabilities in investment strategies. This practice, referred to as “AI washing,” involves companies overstating their use of AI to attract clients with the promise of data-driven decisions. The crackdown reflects the SEC's stance on transparency and honesty, as these sorts of misleading claims can harm investors. Both firms, without admitting or denying the allegations, agreed to penalties and cease-and-desist orders. Additionally, the SEC issued an investor alert on AI and investment fraud, stressing the importance of integrity in the burgeoning AI finance sector and the regulatory role in protecting investors from deceptive practices.

We are shocked... shocked!... that anyone out there would overstate the capabilities of artificial intelligence.

Password stuffing Pokémon.

And finally, the Pokémon Company detected hacking attempts targeting some user accounts, leading to a proactive reset of passwords for those potentially affected. An official alert on their support website initially highlighted the issue but was later removed, with a spokesperson clarifying that there was no system breach, merely attempts to access certain accounts. To safeguard customers, password resets were enforced for a small fraction (0.1%) of users actually compromised by these attempts, likely credential stuffing attacks where stolen usernames and passwords are tried on various platforms. Unlike some companies that have adopted mandatory two-factor authentication in response to similar incidents, the Pokémon Company currently does not offer this security option to its users.
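The story above describes the defender's side of a credential-stuffing incident: spot the pattern, then force resets only for the small fraction of accounts actually compromised. As an added illustration that is not part of the podcast and not the Pokémon Company's own tooling, the following Python script shows the core signal an authentication-log detector looks for. Stuffing differs from brute force: instead of many passwords against one account, it is one leaked password against each of many accounts, so the tell-tale per-source metric is a high count of distinct usernames with a low success rate. The log format, thresholds and sample lines are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample log (assumed format: "<timestamp> <ip> <user> <result>").
# 203.0.113.5 cycles through many different usernames (the stuffing pattern),
# 198.51.100.7 is one user mistyping their own password, 192.0.2.9 is a normal login.
SAMPLE_LOG = """\
2024-03-20T10:00:01 203.0.113.5 ash_k fail
2024-03-20T10:00:02 203.0.113.5 misty_w fail
2024-03-20T10:00:02 203.0.113.5 brock_s fail
2024-03-20T10:00:03 203.0.113.5 gary_o success
2024-03-20T10:00:03 203.0.113.5 jessie_r fail
2024-03-20T10:00:04 203.0.113.5 james_r fail
2024-03-20T10:05:10 198.51.100.7 brock_s fail
2024-03-20T10:05:25 198.51.100.7 brock_s fail
2024-03-20T10:05:40 198.51.100.7 brock_s success
2024-03-20T10:07:00 192.0.2.9 jessie_r success
"""


def parse_log(text):
    """Yield (ip, user, succeeded) tuples; blank or malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, ip, user, result = parts
        yield ip, user, result == "success"


def detect_stuffing(text, min_distinct_users=5, max_success_rate=0.2):
    """Flag source IPs that try many distinct accounts with a low success rate.

    A single user retrying their own password hits one account from one IP and
    is never flagged, however many failures they rack up; a stuffing run touches
    many accounts roughly once each, which is what the distinct-user count catches.
    Thresholds are illustrative assumptions, not tuned production values.
    """
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "successes": 0})
    for ip, user, ok in parse_log(text):
        s = stats[ip]
        s["users"].add(user)
        s["attempts"] += 1
        s["successes"] += int(ok)

    flagged = {}
    for ip, s in stats.items():
        rate = s["successes"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and rate <= max_success_rate:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "attempts": s["attempts"],
                "successes": s["successes"],
                "success_rate": round(rate, 3),
            }
    return flagged


def accounts_to_reset(text, **kwargs):
    """Accounts that logged in successfully from a flagged source.

    These are the likely-compromised minority that warrants a forced password
    reset, mirroring a reset aimed at the affected fraction rather than everyone.
    """
    flagged = detect_stuffing(text, **kwargs)
    return {user for ip, user, ok in parse_log(text) if ok and ip in flagged}


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(ip, info)
    print("reset:", sorted(accounts_to_reset(SAMPLE_LOG)))
```

On the sample, only 203.0.113.5 is flagged (six distinct accounts, one success), and the single account that succeeded from it, gary_o, is the one queued for a reset; brock_s's three attempts from his own address are left alone. A real deployment would window the counts by time and add per-account signals, but the distinct-user-per-source ratio is the piece that separates stuffing from ordinary failed logins.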

Our gaming desk suggests the hackers thought they could Pikachu-se some accounts. Nice try, but no Pika for you!

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.