The CyberWire Daily Podcast 3.29.24
Ep 2035 | 3.29.24

Pentagon’s cybersecurity roadmap.

Transcript

The Pentagon unveils its cybersecurity roadmap. A major Massachusetts health insurer reveals a massive data breach. Hot Topic reports credential stuffing. Cisco warns of password spraying targeting VPNs. The FS-ISAC highlights the risk of generative AI to financial institutions. The FEC considers efforts to combat deceptive artificial intelligence. A look at Thread Hijacking attacks. Guests Linda Gray Martin and Britta Glade from RSA Conference join us to discuss what's new and what to look forward to at this year’s big show. Plus my conversation with Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA, with insights on their recent Notice of Proposed Rulemaking. And Baltimore’s tragic bridge collapse lays bare the degeneration of X-Twitter. 

Today is March 29th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

 

The Pentagon unveils its cyber security roadmap. 

The Pentagon has unveiled its inaugural cybersecurity strategy to shield its vast defense industrial base (DIB) from cyber threats. This roadmap, spanning fiscal years 2024-2027, aims to bolster cybersecurity and the resilience of the supply chain, which includes hundreds of thousands of entities working with the Pentagon. It sets out four main goals, such as adopting best practices, and includes objectives like recovery from cyberattacks. The strategy incorporates the Cybersecurity Maturity Model Certification (CMMC) program to enhance standards and ensure compliance among contractors. This move comes in response to growing concerns over digital vulnerabilities within the critical infrastructure of the supply chain, underscored by past breaches, notably the 2009 hack into an F-35 Joint Strike Fighter contractor by suspected Chinese hackers. With ongoing cyber intrusions, the Pentagon emphasizes the constant threat from hackers and plans to develop detailed implementation guidelines for DIB entities.

 

A major Massachusetts health insurer reveals a massive data breach. 

Point32Health, Massachusetts' second-largest health insurer, has revealed that in April 2023 it experienced a ransomware attack compromising the personal data of over 2.8 million people. Detected on April 17, the breach targeted systems of the Harvard Pilgrim Health Care brand, affecting members, accounts, brokers, and providers from March 28 to April 17, 2023. The leaked data includes sensitive information like Social Security numbers, medical histories, and financial details. Despite the breach, there's no reported misuse of the stolen information. Initially reporting over 2.55 million affected, Point32Health has updated this number to over 2.86 million and is offering free credit monitoring and identity protection services. Formed in 2021 by merging with Tufts Health Plan, Point32Health also operates in Connecticut, Maine, and New Hampshire.

 

Hot Topic reports credential stuffing. 

Hot Topic, Inc., a U.S. fast-fashion retailer focused on counterculture clothing and licensed music, reported credential stuffing attacks on its website and mobile app on November 18-19 and November 25, 2023. The attacks used valid credentials from an unknown third party to access Hot Topic Rewards accounts, aiming for account takeover and data theft. The company, unable to confirm if the logins were unauthorized or legitimate, noticed use of customer account credentials during the attack period. Potentially accessed data includes names, email addresses, phone numbers, birthdates, mailing addresses, order history, and the last four digits of payment card numbers for those with saved cards. Following the incident, Hot Topic strengthened its cybersecurity measures and advised customers to change their passwords.

 

Cisco warns of password spraying targeting VPNs. 

Cisco has issued a warning about ongoing password spraying attacks targeting VPN services, including Cisco's own products and third-party VPNs. Password spraying is a tactic used by attackers to gain unauthorized access to multiple accounts by attempting a small set of common passwords across many user accounts, which keeps each account below lockout thresholds. This method is particularly effective against VPN services, which provide remote access to internal networks, making them prime targets for unauthorized entry. Successful attacks can lead to access to sensitive information and further compromise within an organization's network. Cisco notes that the attacks may cause DoS-like conditions and appear to be part of reconnaissance efforts. Cisco recommends several protective measures, such as enabling logging, securing VPN profiles, leveraging TCP shun, and using certificate-based authentication for remote access VPNs. 
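As an added illustration of why Cisco's "enable logging" advice matters (this is example code, not from the transcript or from Cisco), the detector below reads constructed VPN authentication log lines and flags a source that fails against many distinct accounts inside a short window, the signature that separates spraying from single-account brute force. The log format, IP addresses and usernames are invented for the example.

```python
"""Password-spraying detector over constructed VPN auth logs (added example;
not from the transcript or Cisco). Spraying tries a few common passwords
against MANY accounts, so one source accumulates failures across many users
while each account sees only one or two. The log format below is invented."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <src_ip> <user> <result>"
SAMPLE_LOG = """\
2024-03-28T10:00:01 203.0.113.7 alice FAIL
2024-03-28T10:00:02 203.0.113.7 bob FAIL
2024-03-28T10:00:03 203.0.113.7 carol FAIL
2024-03-28T10:00:04 203.0.113.7 dave FAIL
2024-03-28T10:00:05 203.0.113.7 erin FAIL
2024-03-28T10:00:06 203.0.113.7 frank FAIL
2024-03-28T10:01:00 198.51.100.9 alice FAIL
2024-03-28T10:01:05 198.51.100.9 alice FAIL
2024-03-28T10:01:09 198.51.100.9 alice OK
2024-03-28T11:30:00 192.0.2.44 bob FAIL
"""

def parse(line):
    """Split one log line into (timestamp, source ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result

def detect_spraying(log_text, window=timedelta(minutes=10), min_users=5):
    """Return {src_ip: sorted distinct users} for every source whose failed
    logins span at least `min_users` distinct accounts within one `window`."""
    events = defaultdict(list)  # src_ip -> [(ts, user)] for failures only
    for line in log_text.strip().splitlines():
        ts, ip, user, result = parse(line)
        if result == "FAIL":
            events[ip].append((ts, user))
    flagged = {}
    for ip, fails in events.items():
        fails.sort()
        start, best = 0, set()
        for end in range(len(fails)):  # sliding time window over failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            flagged[ip] = sorted(best)
    return flagged
```

The repeated failures from 198.51.100.9 against a single account are a brute-force or typo pattern, not spraying, so only the many-account source is reported.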

 

The FS-ISAC highlights the risk of generative AI to financial institutions. 

The cybersecurity community recognizes that adversarial use of generative AI (GenAI) poses significant risks, particularly in crafting sophisticated phishing attacks. However, more advanced threats include the potential for malware creation and the manipulation of large language models (LLMs) used in GenAI training, leading to data exfiltration or injection of false data. Experts from the FS-ISAC warn that such compromised outputs could seriously impact financial institutions, risking legal, reputational, or operational fallout. Additionally, the data sources for LLM training may inadvertently include sensitive or biased information, threatening the trust financial firms hold with regulators and clients. As cyber threats evolve, notably with the rise in DDoS attacks targeting the financial sector, the industry must adapt quickly. This includes addressing vulnerabilities from zero-day exploits in the supply chain and preparing for the impact of quantum computing on cryptography. The FS-ISAC stresses the importance of global information sharing, proactive cyber hygiene, and robust incident response strategies to maintain sector integrity and trust amidst these emerging challenges.

 

The FEC considers efforts to combat deceptive artificial intelligence. 

The Federal Elections Commission (FEC) is considering leading efforts to combat deceptive artificial intelligence, including deepfakes, in political advertisements. This follows a public petition and extensive feedback, signaling potential amendments to its regulations to address deliberately misleading AI campaign ads. The FEC's current remit, focused on campaign finance, was highlighted by Commissioner Dara Lindenbaum, who noted the agency's narrow jurisdiction might limit its regulatory power unless expanded by Congress. The push for regulation comes amidst concerns over AI's unregulated status in the U.S. and the potential for its misuse in elections, underscored by incidents like fake robocalls in New Hampshire's presidential primary. With bipartisan discussions underway, there's momentum for changes that could significantly impact how AI is used in federal campaigns, indicating a growing consensus on the need for oversight in this area.

 

A look at Thread Hijacking attacks. 

Krebs on Security takes a look at thread hijacking attacks, where attackers compromise an email account and insert malicious links or attachments into ongoing conversations, so the lure arrives inside a thread the recipient already trusts. In a notable case, LancasterOnline.com's Brett Sholtis was targeted with phishing emails posing as messages from Adam Kidan, a subject of his reporting with a contentious history. The emails, simulating legitimate correspondence with attachments, led to a fake Microsoft Office 365 login page designed to capture credentials. Sholtis, recognizing the threat, alerted his IT team, avoiding compromise. This incident, part of a broader pattern of such cyberattacks, underscores the sophistication of phishing tactics that bypass traditional warning signs by embedding malicious links or files in seemingly innocuous email threads. Cybersecurity experts stress the importance of vigilance, advising against clicking unsolicited links or attachments and verifying authenticity through direct access to websites or services.

 

Coming up, we’ve got our annual update from the team that makes the RSA Conference happen, Linda Gray Martin and Britta Glade. We talk about what to expect at this year’s event. We’ll be right back.

Welcome back. You can find more information about the RSA Conference in our show notes. 

Next up, we’ve got some information from CISA. Their Executive Assistant Director for Cybersecurity Eric Goldstein joins me to share the latest on the CIRCIA Notice of Proposed Rulemaking.

You can check out the details on CIRCIA NPRM in our show notes. 

Since it’s Friday, I wanted to share a quick programming note on tomorrow’s Research Saturday episode. Don’t miss my conversation with Elad, a Senior Security Researcher from Cycode, as we discuss their research on "Cycode Discovers a Supply Chain Vulnerability in Bazel."

 

Baltimore’s tragic bridge collapse lays bare the degeneration of X-Twitter. 

The conversation around this week’s Baltimore bridge collapse on X-Twitter quickly degenerated into a quagmire of conspiracy theories and misinformation, highlighting the platform's declining reliability as a source of accurate news. In the aftermath of the tragedy, the same figures who have historically spread conspiracy theories about mass shootings and the Covid-19 pandemic used the incident to propagate baseless claims, including attributing the collapse to "DEI" policies and launching racist attacks against Baltimore's leadership. This scenario echoed past remarks by former President Trump, underscoring how swiftly unverified and provocative content can drown out factual information online.

The incident underscored the shifting landscape of social media, where X-Twitter, once a hub for real-time news, has increasingly become a source of misinformation. With changes under its new ownership and the advent of generative AI tools, the platform has facilitated the spread of misleading narratives more efficiently than ever. For Baltimore's residents and journalists, this shift hit close to home, turning a local disaster into the latest target for online disinformation campaigns.

As the city grappled with the real-world consequences of the bridge collapse, the discourse on X-Twitter served as a painful reminder of the platform's role in amplifying harmful misinformation. For those of us on the ground in Baltimore, the focus remained on addressing the community's needs and looking forward to a time when the current wave of online disinformation would pass.

I have to say I am left scratching my head at the number of highly respected and influential people in infosec who are still using X-Twitter as their primary social media platform. I get it, you’ve built a following and that’s hard to walk away from. But at what cost? Why support a platform that has so clearly lost its utility and lost its way? 

Anyway, if you need me I’ll be right over here checking my Mastodon feed.

 

And that’s the CyberWire.

 

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

 

We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.

 

 

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.