The CyberWire Daily Podcast 5.2.24
Ep 2059 | 5.2.24

Dropbox sign breach exposes secrets.

Transcript

Dropbox’s secure signature service suffers a breach. CISA is set to announce a voluntary pledge toward enhanced security. Five Eyes partners issue security recommendations for critical infrastructure. Microsoft acknowledges VPN issues after recent security updates. LockBit releases data from a hospital in France. One of REvil’s leaders gets 14 years in prison. A Phishing-as-a-Service provider gets taken down by international law enforcement. China limits Teslas over security concerns. In our Threat Vector segment, David Moulton from Unit 42 explores Adversarial AI and Deepfakes with two expert guests, Billy Hewlett and Tony Huynh. NightDragon founder and CEO Dave Dewalt joins us with a preview of next week’s NightDragon Innovation Summit 2024 at RSAC. And celebrating the 60th anniversary of the BASIC programming language.

Today is May 2nd, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Dropbox’s secure signature service suffers a breach. 

Dropbox has reported a significant security breach impacting its Dropbox Sign service, previously known as HelloSign. The breach, identified on April 24, led to unauthorized access to users' emails, usernames, phone numbers, hashed passwords, API keys, and OAuth tokens. Notably, attackers could bypass security measures due to the theft of authentication data. The breach did not affect the contents of user accounts or payment information and was confined to the Dropbox Sign platform. The intrusion originated from a compromised service account within Dropbox Sign's backend. In response, Dropbox has reset passwords, logged out users from connected devices, and rotated relevant security credentials. The company is contacting affected users with further instructions and emphasizes ongoing efforts to enhance cybersecurity resilience. No financial impact on the company has been reported, and the investigation continues.

CISA is set to announce a voluntary pledge toward enhanced security. 

WIRED reports that the Biden administration, via the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), is urging major technology companies to voluntarily commit to enhancing the security of their software and cloud services. This initiative, part of the Secure by Design campaign, is set to be officially announced at the RSA cybersecurity conference. Companies that sign the pledge will agree to implement seven cybersecurity improvements, including expanding multi-factor authentication and improving vulnerability disclosure programs. The response from the tech industry has been cautious, with only a few companies like Okta confirming their participation. The initiative aims to shift cybersecurity responsibilities from users to vendors, following numerous security incidents that have affected essential services. CISA’s approach emphasizes collaboration with the industry to refine these commitments, moving towards measurable cybersecurity enhancements in software products.

Meanwhile, CISA has added a critical vulnerability from GitLab Community and Enterprise Editions to its Known Exploited Vulnerabilities catalog. This flaw involves an account takeover through a password reset mechanism that could send reset emails to unverified addresses. This vulnerability affects multiple versions of GitLab, with patches now available. CISA mandates federal agencies to remediate this issue by May 22, 2024, and recommends that private organizations also check their systems. ShadowServer reports that thousands of instances, particularly in the US, Germany, and Russia, are still exposed online and vulnerable to this exploit.

Five Eyes partners issue security recommendations for critical infrastructure. 

U.S., Canadian, and UK cybersecurity agencies have issued recommendations for critical infrastructure organizations in response to attacks by pro-Russia hacktivists on industrial control systems (ICS) and operational technology (OT) systems. These attacks have targeted sectors such as water, energy, and agriculture, often exploiting human-machine interfaces (HMIs) with weak security, like default passwords and outdated software. Recent incidents involve manipulation of HMIs leading to minor operational disruptions, such as tank overflows, although most systems were quickly restored to manual control. While these attacks have generally caused only nuisance effects, there is potential for significant physical threats due to the capabilities of these hackers. The alert suggests some hacktivists could be linked to sophisticated Russian government hacking units like Sandworm. Recommendations for enhancing security have been provided for network defenders and OT device manufacturers.

Microsoft acknowledges VPN issues after recent security updates. 

Microsoft has acknowledged that the April 2024 security updates have caused VPN connection failures on various Windows versions including Windows 11, Windows 10, and Windows Server platforms dating back to 2008. The issue affects both client and server versions with specific updates identified for each. Microsoft is currently investigating the problem and has not yet offered a solution but suggests uninstalling the problematic updates as a temporary fix. This action will remove all security fixes included in those updates, potentially exposing systems to vulnerabilities. Microsoft has advised those affected to seek assistance through the Windows Get Help app or the "Support for Business" portal, depending on their user category.

LockBit releases data from a hospital in France. 

The LockBit ransomware gang has released data it claims to have stolen from the Simone Veil hospital in Cannes, France, following a ransomware attack on April 16. This incident is part of a broader pattern of cyber attacks targeting the French healthcare sector. Recently, a cyberattack compromised data on nearly half of France's population. The hospital has rejected the ransom demand and has involved the police and France’s cybersecurity agency ANSSI. The impact on hospital operations has not been disclosed. The hospital plans to inform patients and stakeholders about the specifics of the stolen data after a thorough review. This attack comes amid efforts to revive LockBit's operations following significant law enforcement actions that disrupted its infrastructure and led to arrests and account closures. Despite these setbacks, LockBit's administrators are trying to minimize the damage and continue their operations.

One of REvil’s leaders gets 14 years in prison. 

Yaroslav Vasinskyi, a 24-year-old Ukrainian hacker, has been sentenced to nearly 14 years in prison for his involvement with the REvil ransomware attacks, which infected thousands of computers worldwide and demanded over $700 million in ransoms. Vasinskyi was also ordered to pay over $16 million in restitution. His notable crimes include the 2021 attack on Kaseya, a software provider, which significantly impacted many companies globally. Arrested while crossing from Ukraine into Poland, Vasinskyi was extradited to the U.S. and pleaded guilty to multiple charges, including fraud and money laundering. This sentencing, part of a broader U.S. Justice Department effort, underscores a committed international approach to combatting cybercrime.

An international Phishing-as-a-Service provider gets taken down by law enforcement. 

Global law enforcement agencies have successfully cracked down on LabHost, a significant Phishing-as-a-Service (PhaaS) provider, in coordinated operations named PhishOFF and Nebulae. This crackdown led to the arrest of 37 individuals across multiple countries, including Australia and the U.K., where key operators were detained. LabHost was notorious for offering sophisticated phishing tools used to steal sensitive data like banking credentials and credit card details. The service had over 170 fake websites and supported cybercriminals in executing extensive phishing operations, bypassing security measures such as two-factor authentication. The operation showcased remarkable international collaboration, with involvement from 19 countries.

China limits Teslas over security concerns. 

Tesla vehicles are increasingly being banned from government-affiliated buildings in China due to security concerns, expanding beyond previous restrictions limited to military bases. According to Nikkei Asia, the bans now include meeting halls, exhibition centers, highway operators, local authority agencies, and cultural centers. Specific incidents include the Grand Halls conference center in Shanghai banning Tesla vehicles entirely, even for passage. This escalation follows prior incidents, such as an airport in Yueyang prohibiting Tesla parking over fears the car's sentry mode could capture sensitive information. In response, Tesla has established a local data center in China to ensure all vehicle-generated data is stored locally and emphasized that data from the sentry mode is stored internally and cannot be accessed remotely.

First up, we’ve got David Moulton on our Threat Vector segment talking about Adversarial AI and Deepfakes with two expert guests, Palo Alto Networks’ Billy Hewlett and Tony Huynh who specialize in AI and deepfakes. 

We are also joined by NightDragon Founder and CEO Dave Dewalt with a preview of next week’s NightDragon Innovation Summit 2024 at RSAC including a look into his “State of the Cyber Union” keynote.

We’ll be right back.

Welcome back.

And celebrating the 60th anniversary of the BASIC programming language. 

And finally, our eight-bit computing desk reminds us that

Sixty years ago, John G. Kemeny and Thomas E. Kurtz introduced the BASIC programming language at Dartmouth College, initiating a revolution in computing accessibility. BASIC, designed for ease of use with its simple syntax and line-by-line execution, democratized programming by making it accessible to non-engineers. It rapidly became popular across educational institutions and significantly shaped early personal computing. Programs in BASIC could be simple, from creating loops to handling user inputs, which facilitated learning and experimentation for new programmers. The language evolved over the decades, influencing the development of many modern programming tools and environments. Despite its reduced use in professional applications today, BASIC's legacy persists in educational tools and hobbyist communities, continuing to make programming accessible to novices.

I vividly remember the first time I laid hands on a personal computer, a TRS-80 Model I in my middle school library. Typing in -
10 PRINT "Dave is Cool."
20 GOTO 10

set me on the path to where I am today. It’s fashionable these days for developers to turn up their noses at the simplicity and lack of sophistication of the BASIC programming language, but for a lot of us of a certain age, it was a gateway into a whole new world. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.