The CyberWire Daily Podcast 4.22.24
Ep 2051 | 4.22.24

Renewed surveillance sparks controversy.

Section 702 gets another two years. MITRE suffers a breach through an Ivanti VPN. CrushFTP urges customers to patch an actively exploited flaw. SafeBreach researchers disclose vulnerabilities in Windows Defender that allow remote file deletion. Ukrainian soldiers see increased attention from data-stealing apps. GitHub’s comments are being exploited to distribute malware. VW confirms legacy Chinese espionage and data breaches. CISA crowns winners of the President’s Cup Cybersecurity Competition. Cecilia Marinier, Director, Innovation and Programs at RSA Conference, and Niloo Razi Howe, Senior Operating Partner at Energy Impact Partners and contest judge, review the top Innovation Sandbox contest finalists in anticipation of RSAC 2024. Targeting kids online puts perpetrators in the malware crosshairs.

Today is April 22, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Section 702 gets another two years. 

Over the weekend, President Biden signed a bill reauthorizing Section 702 of the Foreign Intelligence Surveillance Act (FISA) for two more years, amid heated debates over the controversial surveillance program. The Senate passed the bill with bipartisan support in a 60-34 vote, right before the statute was set to expire. Supporters of Section 702 claim it’s been essential for U.S. intelligence since its 2008 inception, aiding in the disruption of terror activities, cyber threats, and foreign espionage by allowing the warrantless collection of foreign communications, albeit sometimes including those of Americans.

The reauthorization journey was tumultuous, marked by disagreements between privacy advocates and national security proponents. Despite the looming expiry and potential non-cooperation from major U.S. communication providers, the bill was passed, incorporating reforms to safeguard American privacy and civil liberties, as emphasized by Attorney General Merrick Garland. However, the push for more stringent changes, including a warrant requirement for the FBI to access Americans' communications, faced resistance. Critics argued for amendments to address civil liberty concerns, but these proposals failed to gain sufficient support. The debate highlighted a balancing act between upholding civil liberties and addressing national security needs, with officials warning that warrant requirements could impede rapid responses to security threats.

MITRE suffers a breach through an Ivanti VPN. 

MITRE Corporation suffered a breach through two zero-day vulnerabilities in Ivanti’s Connect Secure VPN devices, leading to the compromise of its VMware network infrastructure. The not-for-profit organization confirmed the breach as orchestrated by a foreign nation-state actor, detected through suspicious activity on its research network, NERVE. Despite adhering to best practices and government advice for securing Ivanti systems, MITRE failed to notice the attackers' lateral movement into their VMware environment. The attackers conducted reconnaissance, exploited VPNs via Ivanti zero-days, moved laterally, hijacked sessions, utilized compromised accounts, and exfiltrated data. Although the core enterprise network appears unaffected, the breach's full scope remains under investigation. MITRE responded by taking down the compromised environment, initiating an inquiry, and issuing advice for defenders, including traffic monitoring, user behavior analysis, network segmentation, and enhanced security measures. The exploit has been previously linked to a Chinese attack group by security firms.

CrushFTP urges customers to patch an actively exploited flaw. 

CrushFTP has issued an urgent advisory for customers to patch a vulnerability in versions before 11.1 of its software, after discovering an actively exploited flaw that permits attackers to download system files by escaping the virtual file system (VFS). CrowdStrike observed this vulnerability being exploited for intelligence gathering, suggesting political motives behind the attacks on U.S. entities. They advise CrushFTP customers to monitor updates from the vendor closely and prioritize patching. This incident underscores the broader trend of file transfer software vulnerabilities being targeted for widespread compromise, as evidenced by past attacks on MOVEit and Fortra GoAnywhere MFT software.

SafeBreach researchers disclose vulnerabilities in Windows Defender that allow remote file deletion. 

At the Black Hat Asia conference, SafeBreach cybersecurity researchers Tomer Bar and Shmuel Cohen disclosed vulnerabilities in Windows Defender that allow remote file deletion on Windows and Linux servers, risking data loss and system instability. By inducing false positives in security systems, they demonstrated the potential to bypass security controls and delete crucial files without authentication. The researchers developed a Python tool to discover unique byte signatures in Endpoint Detection and Response (EDR) systems, exploiting these for remote deletions of significant files, including Windows event logs and Microsoft's own detection logs. Despite Microsoft's attempt to fix the vulnerability, SafeBreach found the patch partially effective, leaving some attack vectors open and discovering another vulnerability as a bypass. Microsoft acknowledged the findings, implementing measures to minimize false positives and allowing configurations to quarantine remediation actions by default.

Ukrainian soldiers see increased attention from data-stealing apps. 

Ukraine's computer emergency response team, CERT-UA, reports a rise in attempts to implant data-stealing malware on messaging apps used by Ukrainian armed forces. This activity, mainly attributed to the hacker group UAC-0184, aims at espionage and has been observed since February. CERT-UA warns soldiers of the heightened risks of online activity, such as sharing photos in military uniform, which could aid attackers in identifying targets for cyber and physical attacks. The group uses a mix of custom and open-source malware, including HijackLoader and Remcos, a legitimate remote-access tool misused for malicious purposes, to infiltrate systems. Other malware types identified include ViottoKeylogger, XWorm, Tusc, and Sigtop, the latter specifically targeting Signal app data. Despite previous considerations for a secure military app, many Ukrainian soldiers continue using common messaging platforms like Telegram and Signal. Google's Mandiant and CERT-UA have noted similar espionage campaigns by Russian-backed hackers, including the Sandworm and Turla groups, targeting military communications.

GitHub’s comments are being exploited to distribute malware. 

Bleeping Computer highlights a vulnerability, or potentially a design oversight, in GitHub that’s being exploited by cybercriminals to distribute malware through URLs that seem to originate from legitimate Microsoft repositories, thereby enhancing the perceived trustworthiness of the malicious files. This issue leverages GitHub's feature allowing users to attach files to comments, which are then hosted on GitHub's CDN under a URL associated with the project. Notably, the malware has been camouflaged as legitimate software updates or new drivers, exploiting repositories of reputable companies. Although any GitHub repository could be abused this way, there appears to be no direct method for repository owners to manage or remove files attached to their projects, aside from disabling comments, which could hinder project development. Although GitHub removed the malware linked to Microsoft's repositories following the discovery, similar malicious content in other repositories remains accessible, indicating an ongoing threat.

VW confirms legacy Chinese espionage and data breaches. 

German media outlets, citing new access to internal company documents, are reporting that between 2010 and 2015, Volkswagen experienced a significant cyberattack by suspected Chinese state hackers, with around 19,000 confidential files stolen. The data theft extended across VW, Audi, and Bentley, focusing on proprietary information related to drive technologies, including petrol engines, gearboxes, dual clutches, electromobility, and fuel cells. The cyberattack also targeted transmission control software and technical manuals. VW confirmed the breach, noting that it occurred a decade ago and that IT security has been significantly enhanced since then. The attack began with espionage activities in 2010, leading to successful data breaches between 2011 and 2014. Cybersecurity experts link the attack to China, citing IP addresses near Chinese military intelligence and the use of espionage software like "PlugX" and "China Chopper." The Chinese embassy denied these accusations. VW detected the hackers in 2014 due to an error and countered in 2015 by shutting down its network and clearing over 90 servers.

CISA crowns winners of the President’s Cup Cybersecurity Competition. 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently concluded the fifth annual President’s Cup Cybersecurity Competition, crowning team Artificially Intelligent as this year's winners. The team, comprising members from the Department of Defense, U.S. Army, and U.S. Air Force, includes veterans from past winning teams. Individual accolades went to U.S. Army Major Nolan Miles in Track A and U.S. Marine Corps Staff Sergeant Michael Torres in Track B, with Torres also securing second place in Track A and becoming the first to repeat a win in the competition's history. The President’s Cup aims to showcase and celebrate the U.S. government and military's cybersecurity talent, featuring challenges in cyber defense, exploitation, and more, based on the NICE Cybersecurity Workforce Framework. This year's competition began in January and saw over 1,421 individual participants and 312 teams. Winners will be honored at a White House awards ceremony, highlighting the event's significance in recognizing federal cybersecurity expertise.

Coming up, we have two guests today. Cecilia Marinier of the RSA Conference and Niloo Razi Howe, of Energy Impact Partners and a contest judge, preview the 2024 Innovation Sandbox contest.

We’ll be right back.

Welcome back. You can find more details about RSA Conference’s Innovation Sandbox in our show notes. 

Targeting kids online puts perpetrators in the malware crosshairs. 

In an unexpected turn of events within the darker corners of the internet, individuals seeking child exploitation material are finding themselves the targets of a malware campaign that exploits their illicit activities for ransom. Traditionally, sextortion malware posed as government warnings to extort money from users under the guise of illegal CSAM possession. However, a recent discovery by cybersecurity researchers reveals a more targeted approach.

A malware known as 'CryptVPN' has emerged, specifically preying on those attempting to access such material through a decoy website masquerading as UsenetClub, a platform purportedly offering "uncensored" content for a fee. Intrigued by the promise of free access via a downloadable VPN software, victims find themselves in a trap. Upon installation, the malware changes the desktop wallpaper to an extortion message and drops a ransom note demanding $500 in Bitcoin within ten days, under the threat of exposing the victim's activities.

The perpetrator behind 'CryptVPN' cleverly named the malware "PedoRansom," signaling a clear intent to target individuals seeking CSAM. Despite the sophisticated setup, the Bitcoin wallet linked to this campaign has seen minimal financial success, suggesting a potential decline in the efficacy of sextortion as a lucrative method for cybercriminals.

This shift in tactics reflects a disturbing but intriguing change in the landscape of online exploitation and cybercrime, where even those engaged in unlawful behavior are not immune to becoming victims themselves. If there were an award for 'Most Unlikely to Elicit Sympathy,' the child exploiters targeted by this malware would win, hands down.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. You can email us at—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.