The CyberWire Daily Podcast 4.12.24
Ep 2045 | 4.12.24

Privacy, power, and the path forward.


Section 702 edges closer to a vote. CISA provides guidance on Sisense and Microsoft breaches. A major conservative think tank reports a breach. Obsolete D-Link devices are under active exploitation, and Palo Alto warns of a zero-day. Raspberry Robin grows more stealthy. A LastPass employee thwarts a deepfake phishing attempt. Are AI models growing more persuasive? Our guest Kevin Magee from Microsoft Canada joins us to talk about cross domain prompt injection and AI. Floppies keep the trains running on time.

Today is Month Day, Year. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Section 702 edges closer to a vote. 

In a crucial development in the House, section 702 of the Foreign Intelligence Surveillance Act was revived through strategic compromise. Speaker Mike Johnson proposed shortening the bill's extension from five years to two, aiming to pacify hard-right Republicans influenced by former President Donald J. Trump's opposition. Trump had criticized FISA, especially Section 702, for alleged misuse against him. This maneuver, reducing the extension period, was seen as a bid to address concerns among Republicans who anticipate Trump's return to office.

The House narrowly agreed to take up the revised bill, with a vote of 213 to 208, setting the stage for a detailed debate on its provisions and a final vote. This bill aims to reauthorize warrantless surveillance powers under Section 702, allowing the collection of communications from noncitizens abroad, a capability deemed essential by national security officials. However, the proposal has sparked a broader debate over privacy and surveillance, particularly regarding the warrantless collection of Americans' communications. Critics, including some lawmakers, call for stricter safeguards, including a warrant requirement for queries involving Americans' data, arguing for the protection of civil liberties alongside national security.

The legislative effort reflects ongoing tensions between ensuring national security and upholding privacy rights, with the outcome potentially reshaping U.S. surveillance practices. As the House moves towards a final vote, the bill's implications for privacy and security remain a contentious issue.

CISA provides guidance on Sisense and Microsoft breaches. 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is investigating a breach at Sisense, a business intelligence firm. Sisense, used by companies to aggregate third-party service statuses into a single dashboard, has advised customers to reset shared credentials and secrets. The breach, revealed on April 10 by Sisense's CISO Sangram Dash, reportedly began with unauthorized access to the company's Gitlab code repository, leading to the exfiltration of several terabytes of customer data from Sisense’s Amazon S3 cloud storage. This data includes millions of access tokens, email passwords, and SSL certificates. Sisense stated the incident didn't interrupt their operations but urged customers to rotate credentials within the Sisense application, as well as resetting numerous tokens and other security credentials. 

Separately, CISA has issued an Emergency Directive mandating affected agencies to reset compromised credentials and secure authentication tools for privileged Microsoft Azure accounts. This is after the Russian cyber group Midnight Blizzard compromised Microsoft corporate email accounts, exfiltrating email exchanges between Federal Civilian Executive Branch (FCEB) agencies and Microsoft. The breach, disclosed by Microsoft, involved using authentication details from the emails to attempt further access to customer systems. Agencies are required to report on their remediation actions by specific deadlines, and CISA will support agencies lacking internal capabilities to comply with the Directive.

A major conservative think tank reports a breach. 

The Heritage Foundation, a conservative think tank, reported experiencing a cyberattack earlier this week. Remediation efforts are underway, but it remains unclear if any data was compromised. Following the incident, Heritage shut down its network to halt further malicious activity while the incident is under investigation. Politico's report suggests the attack might have originated from nation-state hackers, though no evidence was provided to support this claim. Heritage, a significant influencer in Republican politics and conservative issues, declined to comment on the attack. Think tanks like Heritage are often targeted for their government and policy connections, with Heritage itself suffering a data breach in 2015 involving stolen emails and donor information.

Obsolete D-Link devices are under active exploitation, and Palo Alto warns of a zero-day.

Earlier this week we told you about vulnerabilities in D-Link NAS devices related to hardcoded credentials and command injection. Despite D-Link's acknowledgment and advisory, no patches will be released due to the affected products being end-of-life, and users are advised to replace their devices. Now, researchers are seeing a significant uptick in exploitation attempts since the vulnerabilities were revealed. Initially observed attacks were minimal, stemming from a single IP, but the threat landscape has quickly escalated. Currently, over 150 unique IPs have been detected attempting to exploit these flaws, with some linked to Mirai-like botnets aiming to hijack IoT devices for DDoS attacks. Although initially it was reported that over 92,000 devices could be at risk, further analysis from GreyNoise and Shadowserver indicates the number of potentially impacted devices is closer to 5,500 and 2,400, respectively. 

Meanwhile, Palo Alto Networks are alerting users of a critical zero-day in some of their projects. A vulnerability in Palo Alto Networks' PAN-OS software, specifically within the GlobalProtect feature, could allow unauthenticated attackers to execute arbitrary code with root privileges on the firewall. Palo Alto says fixes are underway, with release anticipated by April 14, 2024.

Raspberry Robin grows more stealthy. 

Security researchers have identified a new threat where attackers use a modified Raspberry Robin worm to distribute malware via Windows Script Files (WSF). This technique is so far undetectable by antivirus scanners on VirusTotal. HP Wolf Security's Patrick Schläpfer has highlighted the campaign's prevalence, emphasizing Raspberry Robin's sophisticated obfuscation and anti-analysis capabilities. Initially spread through USB drives, threat actors have now diversified their methods, employing archive files on Discord and malvertising campaigns to deploy the worm. The malware prepares the system for the infection by manipulating Windows Management Instrumentation (WMI) and disabling Microsoft Defender's scanning on the main drive. The infection culminates in the download and execution of Raspberry Robin, potentially paving the way for ransomware attacks. 

A LastPass employee thwarts a deepfake phishing attempt.

A LastPass employee was targeted in a phishing attack using deepfake technology to impersonate the company’s CEO, but the attempt failed due to the employee's skepticism towards the urgency and social engineering signs of the communication. The incident, involving calls, texts, and voicemails via WhatsApp outside normal business hours, was reported to the security team, leading to no impact on LastPass. The company highlighted the incident to raise awareness of the growing use of deepfakes in executive impersonation fraud, beyond sophisticated nation-state actors. This case underscores the importance of employee training and verifying suspicious contacts through established communication channels to prevent deepfake-based attacks.

Are AI models growing more persuasive? 

Anthropic, an AI startup, has claimed that its language models have significantly improved in "persuasiveness" to the point where their arguments are indistinguishable from those made by humans. This advancement has potentially ominous implications for disinformation and influencing actions against personal interests. Despite the models' effectiveness, the study concentrated on less controversial topics, leaving the impact on polarized issues unclear. Anthropic views this research as the beginning of exploring their models' emerging abilities, acknowledging the challenges of translating lab findings to real-world applications. 

Coming up after the break, we’ve got podcast partner Kevin Magee of Microsoft Canada joining me to talk about cross domain prompt injection and AI. 


Floppies keep the trains running on time. 

And finally, our “if it ain’t broke don’t fix it” desk brought our attention to a story from Ars Technica about a situation decades in the making. 

The San Francisco Municipal Transportation Agency (SFMTA) is tackling significant technical debt as it plans to upgrade its train control system, currently reliant on outdated 5¼-inch floppy disks. This system, essential for operating the Muni Metro light rail, began its overhaul planning in 2018, with completion targeted between 2029 and 2030, delayed by COVID-19. The existing Automatic Train Control System (ATCS) was installed in 1998, and faces challenges due to its obsolete technology, posing risks of data degradation and potential system failure. The SFMTA's initiative, a comprehensive overhaul beyond floppy disk migration, aims to modernize the entire train control infrastructure. This includes updating onboard computers, servers, and communications technology.

I mean, I guess it could have been worse. Could have been 8-inch floppies. Or punch cards.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

N2K is excited to share the launch of Cyber Talent Insights, a new three-part special series podcast, which explores cybersecurity workforce development from three different perspectives: the enterprise employer, the cyber practitioner, and cyber talent pipelines. Join Dr. Heather Monthie, Dr. Sasha Vanterpool, and Jeff Welgan each Friday for a dynamic discussion that guides listeners through effective strategies to develop cybersecurity teams in the constantly changing landscape of the industry. Be sure to check out the Research Saturday podcast this weekend and my conversation with Tomer Peled, a Security & Vulnerability Researcher at Akamai, where we discuss their work on "What a Cluster: Local Volumes Vulnerability in Kubernetes."

We’d love to know what you think of this podcast. You can email us at—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.