The CyberWire Daily Podcast 4.29.24
Ep 2056 | 4.29.24

An unprecedented surge in credential stuffing.

Transcript

Okta warns of a credential stuffing spike. A congressman looks to the EPA to protect water systems from cyber threats. CISA unveils security guidelines for critical infrastructure. Researchers discover a stealthy botnet-as-a-service coming from China. The UK prohibits easy IoT passwords. New vulnerabilities are found in Intel processors. A global bank CEO shares insights on cyber security. Users report mandatory Apple ID resets. A preview of N2K Cyberwire activity at RSA Conference. Police in Japan find a clever way to combat gift card fraud.

Today is April 29th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Okta warns of a credential stuffing spike. 

Identity and access management company Okta warns of what they are describing as an “unprecedented” surge in credential stuffing attacks, where attackers use stolen usernames and passwords from previous breaches to access online services. These attacks often involve anonymizing proxies like Tor, and residential proxies including NSOCKS, Luminati, and DataImpulse, automated through scripting tools. Okta's observations align with recent findings by Duo Security and Cisco Talos on similar tactics used in brute force attacks. A significant percentage of identity-based incidents investigated by Expel in 2023 also involved malicious logins from such infrastructure. Okta advises customers to use Okta Identity Engine and enable ThreatInsight in Log and Enforce mode to block requests from these proxies before authentication, enhancing security against these attacks. Upgrading to Okta Identity Engine is recommended as it's free and includes additional features like CAPTCHA for risky sign-ins and passwordless authentication via Okta FastPass.
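The distinction that matters for defenders here is that credential stuffing replays stolen username/password pairs, so one source tries many accounts a few times each, whereas brute forcing hammers a single account. The following is an added example, not code from the episode or from Okta: it applies that heuristic to a constructed authentication log, mirrors the "block known proxies before authentication" control with a constructed proxy feed, and lists the accounts whose stolen pairs actually worked (the log format, IP addresses and feed are all assumptions).

```python
# Added example (not from the CyberWire episode or Okta): separates credential
# stuffing from brute forcing in an auth log and lists accounts needing a reset.
# Stuffing replays stolen username/password pairs, so one source tries MANY users
# a FEW times each; brute forcing hammers ONE user. Log and IPs are constructed.
from collections import defaultdict
KNOWN_PROXY_EXITS = {"203.0.113.7", "198.51.100.22"}  # constructed proxy feed

SAMPLE_LOG = """\
2024-04-29T08:00:01Z FAIL alice 203.0.113.7
2024-04-29T08:00:02Z FAIL bob 203.0.113.7
2024-04-29T08:00:02Z FAIL carol 203.0.113.7
2024-04-29T08:00:03Z SUCCESS dave 203.0.113.7
2024-04-29T08:01:00Z FAIL grace 192.0.2.10
2024-04-29T08:01:01Z FAIL grace 192.0.2.10
2024-04-29T08:01:02Z FAIL grace 192.0.2.10
2024-04-29T08:01:03Z FAIL grace 192.0.2.10
2024-04-29T08:05:30Z SUCCESS heidi 192.0.2.55
"""

def parse(log_text):
    """Yield (outcome, user, ip); the timestamp column is kept for humans."""
    for line in log_text.splitlines():
        _ts, outcome, user, ip = line.split()
        yield outcome, user, ip

def block_pre_auth(ip, proxy_feed=KNOWN_PROXY_EXITS):
    """The pre-authentication control: drop requests from known proxy exits."""
    return ip in proxy_feed

def classify_sources(log_text, min_attempts=4, stuffing_ratio=0.8):
    """Return {ip: 'credential_stuffing' | 'brute_force' | 'benign'}."""
    attempts, users = defaultdict(int), defaultdict(set)
    for _outcome, user, ip in parse(log_text):
        attempts[ip] += 1
        users[ip].add(user)
    labels = {}
    for ip, n in attempts.items():
        if n < min_attempts:
            labels[ip] = "benign"
        elif len(users[ip]) / n >= stuffing_ratio:  # nearly one user per try
            labels[ip] = "credential_stuffing"
        else:                                        # same user(s) retried
            labels[ip] = "brute_force"
    return labels

def exposed_accounts(log_text, labels):
    """Successes from a stuffing source: the stolen pair was valid, so reset."""
    return sorted({u for outcome, u, ip in parse(log_text)
                   if outcome == "SUCCESS" and labels.get(ip) == "credential_stuffing"})
```

On the constructed log, 203.0.113.7 is labelled credential stuffing (four users, one success), 192.0.2.10 brute force (one user, four tries), and the single successful login from a stuffing source flags the account "dave" for a forced reset and session revocation.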

A congressman looks to the EPA to protect water systems from cyber threats. 

U.S. Representative Rick Crawford, a Republican from Arkansas, has introduced a bill aiming to establish a Water Risk and Resilience Organization under the EPA. This body would develop risk and resilience requirements for water systems to safeguard against cybersecurity threats. The proposed regulations would help drinking water and wastewater systems enhance their resilience to cyber disruptions, including attacks aimed at compromising service delivery. The bill, co-introduced with Rep. John Duarte, comes in response to growing concerns about the vulnerability of U.S. water systems to cyberattacks, highlighted by recent incidents linked to foreign adversaries like Iran and China. Crawford emphasized the need for robust cybersecurity practices to protect critical water infrastructure and prepare operators at all levels to handle potential threats. The bill is currently under review by two House committees.

CISA unveils security guidelines for critical infrastructure. 

The Cybersecurity and Infrastructure Security Agency (CISA) released new safety and security guidelines for critical infrastructure, following the Department of Homeland Security’s (DHS) recent focus on the same area. These guidelines are in response to the Biden administration's executive order on artificial intelligence (AI) from October and aim to harness AI's potential while mitigating its risks across 16 sectors, including farming and IT. CISA’s guidelines encourage owners and operators to use the National Institute of Standards and Technology’s AI risk management framework to govern, map, measure, and manage AI usage. They emphasize understanding AI dependencies, inventorying AI use cases, reporting security risks, and regularly testing AI systems for vulnerabilities. The move is part of broader efforts to prepare for and mitigate AI-related threats in U.S. critical infrastructure.

Researchers discover a stealthy botnet-as-a-service coming from China. 

A comprehensive botnet-as-a-service network originating from China has been identified by researchers at EPCyber. It features multiple domains and over 20 active Telegram groups, and uses domestic communication channels. This infrastructure supports a botnet capable of launching coordinated attacks, including denial-of-service (DDoS) strikes that can incapacitate systems despite advanced DDoS protections from services like CloudFlare. The botnet’s efficacy in bypassing current defenses poses significant threats. Particularly at risk are European companies, as attackers target their domain names, potentially redirecting users to harmful sites. This highlights vulnerabilities in the Domain Name System (DNS), underscoring the urgent need for robust DNS security to protect online operations and maintain customer trust.

The UK prohibits easy IoT passwords. 

The UK has become the first nation to prohibit default, easily guessable passwords on Internet of Things (IoT) devices, addressing a key vulnerability that had previously enabled large-scale cyberattacks, such as the Mirai botnet incident. This legislative move, under the Product Security and Telecommunications Infrastructure Act 2022, mandates unique default passwords and introduces minimum security standards for manufacturers. Companies must now disclose how long their products will be supported with security updates and provide contact details for reporting vulnerabilities. Non-compliance could result in fines up to £10 million or 4% of global revenue. The Office for Product Safety and Standards will oversee these regulations, ensuring manufacturers adhere to the new law aimed at safeguarding consumer data and devices from cyber threats. Similar initiatives are under consideration in other regions, including the EU, although no equivalent federal law exists in the U.S.

New vulnerabilities are found in Intel processors. 

Researchers from multiple universities, including UC San Diego and Purdue, along with industry partners such as Google, have discovered two new types of cyberattacks targeting the conditional branch predictor in Intel processors. These attacks, detailed in their upcoming presentation at the 2024 ACM ASPLOS Conference, exploit the Path History Register—a feature that tracks the order and addresses of branches, revealing more precise information than previous methods. The attacks allow for an unprecedented level of control and data extraction from affected processors, posing potential risks to billions of devices. These findings have prompted Intel and AMD to issue security advisories. The research showcases the ability to manipulate processor behaviors, potentially exposing confidential data through sophisticated techniques that outpace existing security measures.

A global bank CEO shares insights on cyber security. 

The Record from Recorded Future has published a conversation with Bill Winters, CEO of Standard Chartered, one of the largest banks in the world. Winters highlights the growing importance of cybersecurity in the bank's operations, stressing that it has become a key focus in board meetings and overall company culture. As cyber threats evolve, the bank has prioritized significant investments in cybersecurity, from employee training to enhancing its technological defenses. Winters points out the integration of AI in handling large volumes of transaction data for compliance purposes, improving the bank's ability to detect and respond to potential illicit activities.

Standard Chartered has also adapted cautiously to advancements like generative AI, focusing on maintaining strict data privacy and cybersecurity protocols. The bank is particularly attentive to sanctions compliance, especially in light of recent geopolitical conflicts, which have heightened the complexity of managing international transactions.

On the topic of cryptocurrency, Winters describes Standard Chartered's cautious but innovative approach, including investments in secure crypto custody and trading services, emphasizing the importance of maintaining high cybersecurity standards in these ventures. He also underlines the potential of digital asset tokenization to transform financial markets by reducing costs and removing intermediaries.

Overall, Winters asserts that cybersecurity discussions at board meetings reflect both the bank's and regulators' prioritization of managing cyber risks, considering them crucial for maintaining the integrity and trustworthiness of banking operations. The bank continues to invest heavily in cybersecurity, anticipating more sophisticated threats and emphasizing the importance of robust defenses and compliance systems to safeguard against potential financial and operational disruptions.

Users report mandatory Apple ID resets.

Reports came in last Friday of a widespread Apple ID outage affecting numerous users, who report being unexpectedly logged out of their Apple IDs across multiple devices and forced to reset their passwords to regain access. Despite Apple's System Status page showing no issues, social media and direct reports indicate significant disruptions. The cause of these forced logouts and password resets remains unclear, and it is unknown if this incident is connected to ongoing password reset attack issues previously tracked. Users with Stolen Device Protection face additional challenges if logged out away from a trusted location. Furthermore, resetting the Apple ID password also resets any app-specific passwords set up through iCloud.

Meanwhile, in other Apple security news, Apple's XProtect has made significant strides in combating malware, notably with its recent update targeting Adload, a pervasive adware that has troubled macOS users since 2017. Initially introduced in 2009 with Mac OS X 10.6 Snow Leopard, XProtect started as a basic alert system for malware in installation files. It has since evolved into a robust anti-malware suite following the retirement of the Malware Removal Tool in April 2022. XProtect now consists of three components: the XProtect app, XProtectRemediator (XPR), and XProtectBehaviorService (XBS), running with minimal CPU impact. It employs YARA rules for dynamic malware detection, a method that allows for customized rule creation. Despite Apple's use of obfuscated malware names that complicate identification, resources like Phil Stokes' GitHub repository provide clarity by mapping these names to more commonly recognized industry terms.

A quick program note: over the weekend we dropped a special edition podcast in your Cyberwire feed. This features David Moulton and Andy Piazza, Sr. Director of Threat Intelligence at Unit 42, diving into the critical vulnerability found in PAN-OS software of Palo Alto Networks, emphasizing the importance of immediate patching and mitigation strategies for such vulnerabilities, especially when they affect edge devices like firewalls or VPNs. Do check it out.

As many of you prepare for travels to the 2024 RSA Conference, I am joined by my N2K colleagues Rick Howard and Brandon Karpf to discuss N2K’s upcoming activities and where you can find our team.

We have some more detail about our team’s activities at RSA Conference in the show notes.

We’ll be right back

Welcome back

Police in Japan find a clever way to combat gift card fraud. 

Japanese police in Fukui [foo-koo-ee] prefecture have implemented a novel strategy to combat tech support scams targeting the elderly by placing fake payment cards in convenience stores. These cards, labeled "Virus Trojan Horse Removal Payment Card" and "Unpaid Bill Late Fee Payment Card," serve as an alert mechanism. When elderly customers, directed by fraudsters, attempt to purchase these cards, store employees intervene to inform them of the scam. This initiative, tested in 34 local stores, has proven effective, helping at least two elderly men realize they were being scammed. The police also reward employees who assist in preventing these scams, aiding further in scam identification and investigation. This approach not only prevents financial loss, which amounted to $7.5 million in the region last year due to online fraud, but also educates potential victims about such scams.

Here in the states, we need to stock the shelves with cards that read, “The errand your boss sent you on while they were in an important meeting and unavailable to chat” card. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

Programming notes: 

Palo Alto Networks released a special edition of their Threat Vector podcast over the weekend about Understanding the Midnight Eclipse Activity and CVE-2024-3400. Host David Moulton and guest Andy Piazza dive into the critical vulnerability CVE-2024-3400 found in PAN-OS software of Palo Alto Networks. They emphasize the importance of immediate patching and mitigation strategies. You can find more info in our show notes.

We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.