Safeguarding American data from foreign hands.

The House Unanimously Passes a Bill to Halt Sale of American Data to Foreign Foes. The U.S. Sanctions Russian Individuals and Entities for a Global Disinformation Campaign. China warns of cyber threats from foreign hacking groups. A logistics firm isolates its Canadian division after a cyber attack. Ivanti warns of another critical vulnerability. Researchers find hundreds of vulnerable Firebase instances. Microsoft phases out weaker encryption. Formula One fans fight phishing in the fast lane. Glassdoor is accused of adding real names to profiles without user consent. Our guest is Adam Meyers, SVP of Counter Adversary Operations at CrowdStrike, discussing how adversaries are attacking cloud environments and why it’s an increasingly popular attack surface. And Pwn2Own winners take home their second Tesla.

Today is March 21st, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

House Unanimously Passes Bill to Halt Sale of American Data to Foreign Foes. 

The U.S. House of Representatives unanimously passed a bill to prevent data brokers from selling Americans' sensitive information to foreign adversaries, including China. This legislation, part of a broader focus on data privacy, was expedited through the House, demonstrating a strong bipartisan stance on protecting national security and privacy. The bill, seen as a step toward addressing concerns over foreign exploitation of personal data, moves alongside efforts to force TikTok to sever ties with its Chinese owners. Despite this progress, privacy advocates call for the advancement of the more comprehensive American Data Privacy and Protection Act (ADPPA), which remains stalled. The ADPPA aims to offer wider protections by reducing the overall amount of data available online, rather than just limiting sales to specific entities. This legislative action aligns with a White House executive order to block foreign adversaries from accessing large swathes of American personal data. The focus now shifts to the Senate, with an emphasis on the importance of comprehensive data privacy protections.

U.S. Sanctions Russian Individuals and Entities for Global Disinformation Campaign. 

The U.S. Treasury's Office of Foreign Assets Control (OFAC) sanctioned two individuals, Ilya Gambashidze and Nikolai Tupikin, and their entities, Social Design Agency and Structura LLC, for their roles in a Russian malign influence campaign aimed at impersonating media outlets to mislead and undermine trust in democratic institutions globally, including U.S. elections. These actions, directed by the Russian government, form part of broader efforts to destabilize democracy using cyber activities and influence campaigns worldwide. The sanctions block any U.S. assets of the designated and prohibit transactions with them, reflecting OFAC's ongoing efforts to disrupt Russian disinformation tactics.

China warns of cyber threats from foreign hacking groups.

China's Ministry of State Security warns of significant cyber threats from foreign hacking groups targeting businesses and government networks, emphasizing the rampant nature of such attacks. The ministry detailed tactics like phishing and exploiting software vulnerabilities, urging heightened cybersecurity vigilance and reporting of incidents. Amidst increasing cyber espionage accusations between China and the U.S., China has bolstered its cybersecurity laws and measures, focusing on safeguarding national security and data integrity. This includes expanded counter-espionage efforts and forthcoming stricter penalties under the Cybersecurity Law, highlighting a growing emphasis on combating cyber threats and espionage. As we have highlighted here previously, it’s worth noting that these sorts of warnings from China, distributed through their own local media, tend to be comparatively short of specific details when contrasted with reports from the US and its allies. 

A logistics firm isolates its Canadian division after a cyber attack. 

International firm Radiant Logistics experienced a cybersecurity incident impacting its Canadian operations on March 14, leading to the isolation of these operations to prevent further unauthorized activity. Despite service delays in Canada, the company, specializing in logistics services like warehouse and distribution, assured that the attack would not significantly affect its financial condition. U.S. and international operations remain unaffected. The incident, which has not been claimed by any ransomware group, comes amid increasing ransomware attacks on the logistics sector, targeting essential services and causing significant disruptions. Radiant Logistics, with about $1 billion in annual revenue, has engaged cybersecurity professionals for assessment and remediation. This follows a pattern of cyberattacks on critical infrastructure companies, including Americold and Sysco, highlighting the growing threat to the logistics and distribution industry.

Ivanti warns of another critical vulnerability. 

Ivanti has issued a warning to customers about a critical remote code execution vulnerability with a CVSS score of 9.6 in its Standalone Sentry product. This flaw allows unauthenticated attackers to run arbitrary commands on the appliance's operating system if they are on the same network. The vulnerability was reported by experts from the NATO Cyber Security Centre. Although there are no known exploits in the wild at the time of disclosure, Ivanti emphasizes that the vulnerability cannot be exploited via the internet without a valid TLS client certificate. This announcement follows a joint advisory from the Five Eyes alliance about threat actors targeting known vulnerabilities in Ivanti's products.

Researchers find hundreds of vulnerable Firebase instances.

An independent group of security researchers scanning the internet for vulnerable Firebase instances discovered significant security lapses, finding 916 sites with improperly set up databases, exposing vast amounts of personal data. Owned by Google, Firebase is designed to aid app development and hosting. Alarmingly, many of these instances had security rules disabled, allowing unauthorized data modifications, including on a banking site. Over five million domains were scanned, revealing exposed details of millions, including names, emails, phone numbers, passwords (with nearly 20 million in plaintext), and billing information. Despite Firebase offering secure sign-in solutions, some administrators stored passwords insecurely. After notifying the affected companies, only a small fraction responded, but a quarter corrected the misconfigurations.

Microsoft phases out weaker encryption. 

Microsoft is phasing out support for Windows RSA encryption keys under 2048 bits to enhance cybersecurity, aligning with internet standards that discourage the use of weaker encryption. This move, aimed at preventing advanced cryptographic attacks, necessitates organizations to update their machine identity management, especially for server authentication via Transport Layer Security (TLS). The change underlines the importance of longer key lengths and shorter validity periods for reducing brute force attack risks. However, this transition may challenge enterprises without a sophisticated approach to managing machine identities, potentially leading to operational disruptions if depreciated identities aren't replaced promptly. Microsoft has yet to announce the start date for this deprecation but anticipates a grace period similar to previous updates.

Formula One fans fight phishing in the fast lane. 

On March 17, 2024, hackers compromised the official email of Belgium's Circuit de Spa-Francorchamps, sending phishing emails to Formula 1 fans with fake €50 vouchers for the Grand Prix. The counterfeit site, designed to mirror the official Spa Grand Prix website, solicited personal and banking information. Identifying legitimate emails became challenging as the scammers utilized the event's official email. Spa GP quickly alerted its customers to the scam and engaged its IT security subcontractor to prevent future incidents. Prioritizing data confidentiality and integrity, Spa GP filed a complaint with cybercrime authorities on March 18, initiating a criminal investigation to uncover the breach's causes and prevent recurrence.

Glassdoor is accused of adding real names to profiles without user consent. 

Glassdoor, the popular online platform for anonymous employee reviews, has initiated a controversial practice of adding real names to user profiles without their consent. This development came to light when a Glassdoor user named Monica, a Midwest-based software professional, discovered her real name added to her profile following an interaction with Glassdoor's support team. Monica had reached out for assistance in removing information from her account, only to find her privacy compromised instead.

Monica's discovery sparked immediate concern, leading her to caution the Glassdoor community through a blog post, urging users to reconsider their membership on the platform. 

The root of this issue lies in Glassdoor's acquisition of Fishbowl, a professional networking app requiring users to verify their identities. This acquisition, which led to an automatic signup of Glassdoor users to Fishbowl, marked a significant shift in Glassdoor's operational policies, including changes to its terms of service that now require user verification. While Glassdoor insists that anonymity can still be maintained, the integration with Fishbowl has introduced potential risks to user privacy.

The EFF, known for defending Glassdoor users against employer retaliation, expressed concerns that Glassdoor's new policy of storing real names increases the likelihood of users being linked to their reviews if the platform's data is ever subpoenaed or leaked. This development is particularly troubling for users who rely on Glassdoor to speak candidly about their workplace experiences without fear of backlash.

In response to the outcry, Glassdoor offered a statement emphasizing its commitment to user anonymity and the option to remain anonymous while using its services, including Fishbowl. However, Monica's experience and the ensuing public debate raise questions about the practical implications of Glassdoor's policy changes and their alignment with the company's longstanding principles.

Glassdoor's recent actions serve as a cautionary tale about the delicate balance between expanding services and safeguarding the foundational values that attract and retain users. For many, the incident underscores the importance of vigilance and advocacy in protecting digital privacy in an interconnected online ecosystem.

 

Coming up, we’ve got Adam Meyers of CrowdStrike discussing how adversaries are attacking cloud environments and why it’s an increasingly popular attack surface – especially as more companies implement AI.

 

Pwn2Own winners take home their second Tesla. 

At Pwn2Own Vancouver 2024, French security researchers from Synacktiv won a Tesla Model 3 and $200,000 by exploiting a zero-day vulnerability in the car's electronic control unit (ECU) via an integer overflow flaw. This achievement placed them at the top of the leaderboard on the first day of the competition organized by Trend Micro’s Zero Day Initiative (ZDI). The competition's first day saw $732,500 awarded for 19 zero-day vulnerabilities across various products, aiming to enhance vendor security. Other notable achievements included Manfred Paul's remote code execution on Apple Safari and South Korean Team Theori's exploit on VMware Workstation, demonstrating the high level of skill and innovation among participants. The event, which offers $1.3 million in cash and prizes, underscores the critical role of ethical hacking in identifying and patching vulnerabilities.

This is the second time Synactktiv’s team has won a Tesla at Pwn2Own, which leaves us wondering if they’ll use some of their prize money to build a bigger garage. Our automotive desk tells us there’s no truth to the rumor that Tesla is considering offering a special Model 3 Synacktive Edition.

Congrats to all the winners!

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

 

Hey CyberWire listeners, as we near the end of the year, it’s the perfect time to reflect on your company’s achievements and set new goals to boost your brand across the industry next year. We’d love to help you achieve those goals. We’ve got some unique end-of-year opportunities, complete with special incentives to launch 2024. So tell your marketing team to reach out! Send us a message to sales@thecyberwire.com or visit our website so we can connect about building a program to meet your goals.

We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.

 

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.