Charting the course: Biden's blueprint for global cybersecurity.

Secretary of State Antony Blinken is set to unveil a new international cybersecurity strategy at the RSA Conference in San Francisco. Paris prepares for Olympic-sized cybersecurity threats. Wichita, Kansas is recovering from a ransomware attack. A massive data breach hits citizens of El Salvador. Researchers steal cookies to bypass authentication. Cuckoo malware targets macOS systems. Iranian threat actors pose as journalists to infiltrate network targets. A former Microsoft insider analyzes the company’s recommitment to cybersecurity. Guest Mark Terenzoni, Director of Risk Management at AWS, joins N2K’s Rick Howard to discuss the benefits of security lakes in a post-AI world. Ukrainian officials introduce an AI generated spokesperson.

Today is May 6th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Secretary of State Antony Blinken is set to unveil a new international cybersecurity strategy at the RSA Conference in San Francisco.

The Biden administration is set to introduce a new international cybersecurity strategy, marking the first U.S. global cyber strategy in over a decade, aimed at bolstering global cooperation against cyber threats. Secretary of State Antony Blinken will unveil the strategy at the RSA Conference in San Francisco. This strategic plan targets enhancing cybersecurity through four main pillars: establishing a secure digital ecosystem, promoting rights-respecting digital technology with allies, forming coalitions against cyberattacks, and boosting cybersecurity resilience among partner nations. A key element of this strategy is the allocation of $50 million to the newly formed Cyberspace and Digital Connectivity fund, aimed at supporting cybersecurity improvements in allied countries.

Additionally, the strategy emphasizes a proactive role in cyber diplomacy at the United Nations and seeks to develop global norms for emerging technologies like artificial intelligence (AI). The U.S. aims to foster international consensus on AI usage and cyber conduct. The strategy's implementation is considered urgent, with efforts intensifying in the months leading up to the November presidential election, reflecting the need for consistent U.S. leadership in global cybersecurity irrespective of potential administration changes.

It is RSA Conference week in San Francisco, the cybersecurity industry’s largest annual gathering. The show floor officially opens for a preview event this evening, and we’ve got N2K Cyberwire team members and partners we’ll be checking in with throughout the week, so stay tuned for that. 

Paris prepares for Olympic-sized cybersecurity threats. 

The Paris 2024 Olympics are preparing for an unprecedented cybersecurity challenge, expecting heightened threats from organized crime, activists, and state actors. The organizers, working closely with France's national agency for information security (ANSSI) and partners like Cisco and Eviden, aim to minimize the impact of cyberattacks. Despite not being able to prevent all attacks, efforts include employing "ethical hackers" to test security measures and utilizing artificial intelligence to prioritize threats. With a significantly higher number of cybersecurity events anticipated compared to the Tokyo 2021 Games, the preparation for Paris 2024 is extensive. ANSSI's director, Vincent Strubel, emphasized the rigorous security tests conducted on all 500 competition sites and related venues, expressing confidence in their preparedness for potential cyber threats during the Olympic and Paralympic Games.

Wichita Kansas is recovering from a ransomware attack. 

Wichita, Kansas, is facing significant service disruptions following a ransomware attack that encrypted city systems on Sunday. Officials had to shut down some systems to prevent further spread of the malware, resulting in online service outages, although the specific affected services were not detailed. The city is implementing business continuity measures to ensure that first responders continue providing essential services. Restoration of the systems will occur in stages to minimize further disruptions. The city is collaborating with third-party specialists and federal and local law enforcement to manage the situation securely. No details were provided on the ransomware group responsible or any data potentially stolen by the hackers. This incident makes Wichita the largest U.S. city affected by such an attack this year.

A massive data breach hits citizens of El Salvador. 

Researchers at Resecurity have uncovered a substantial data breach on the Dark Web, affecting over five million citizens of El Salvador—more than 80% of the country's population. The breach was orchestrated by an entity known as 'CiberinteligenciaSV' and involved a 144 GB data dump posted on Breach Forums. This leak includes highly sensitive personal information such as identification numbers, full names, birth dates, contact details, and high-definition photos linked to each individual's document identification number. This incident marks a significant compromise of biometric data, posing a serious risk of identity theft and fraud. The breach's scale and the inclusion of biometric data enable threat actors to create convincing deepfake identities, increasing the potential for widespread fraud in digital and financial services.

Researchers steal cookies to bypass authentication. 

Passwords and knowledge-based authentication continue to be security vulnerabilities, with nearly a third of breaches involving stolen credentials. Modern alternatives like FIDO2, using hardware-based cryptographic credentials, aim to enhance security by moving away from easily compromised passwords. CyberScoop reports on a new study by Silverfort which reveals potential weaknesses in these systems, particularly in session management post-authentication. FIDO2 and similar standards significantly reduce the risk of initial breaches but can be circumvented via person-in-the-middle attacks that hijack session tokens. These tokens can be replicated and used without geographic or numerical restrictions, posing a significant threat even after successful authentication. The research underscores the need for enhanced protection of session tokens, possibly through token binding, which adds an additional security layer by binding the session token to the TLS handshake, thus limiting its use to the authenticated session. This technique is not yet widely adopted, with major browsers like Chrome and Firefox discontinuing or not supporting it.

Cuckoo malware targets macOS systems. 

Cybersecurity researchers at Kandji have identified a new malware called Cuckoo targeting Apple macOS systems. It's designed as a universal Mach-O binary, compatible with both Intel and ARM-based Macs, and found on websites offering music ripping and MP3 conversion tools. Cuckoo establishes persistence via a LaunchAgent and employs a locale check to avoid execution in Russia or Ukraine. It tricks users into providing system passwords through fake password prompts for escalated privileges and performs extensive data harvesting. This includes capturing hardware information, running processes, installed apps, screenshots, and sensitive data from iCloud Keychain, Apple Notes, web browsers, crypto wallets, and various applications like Discord and Steam. The associated malicious application bundles are signed with a valid developer ID.

Iranian threat actors pose as journalists to infiltrate network targets. 

The Iranian state-backed threat actor known as APT42 is using social engineering, including posing as journalists, to infiltrate the networks of targets in the West and Middle East, Bleeping Computer reports.  Active since 2015, APT42, linked to Iran's Islamic Revolutionary Guard Corps Intelligence Organization, has targeted NGOs, media, academia, activists, and legal sectors across 14 countries. Their tactics involve spear-phishing emails from typosquatted domains resembling legitimate organizations. These emails, purporting to be from entities like the Washington Post or The Economist, eventually direct victims to phishing sites that capture credentials and multi-factor authentication tokens. Using custom backdoors "Nicecurl" and "Tamecat," APT42 executes commands and exfiltrates data, focusing on maintaining access through normal cloud tool features and using VPNs and ephemeral servers to avoid detection.

A former Microsoft insider analyzes the company’s recommitment to cybersecurity. 

Microsoft has announced a commitment to heightened cybersecurity measures in response to critiques highlighted in a recent Cyber Safety Review Board report backed by the US Department of Homeland Security. These improvements are detailed in a blog post by Kevin Beaumont, a security researcher and former Microsoft employee, who shared his perspectives and historical criticisms of the company's security practices.

According to Beaumont, Microsoft is re-prioritizing cybersecurity as its top concern, focusing on six strategic pillars designed to bolster protection across various facets of the organization. These pillars target the protection of identities, isolation of production systems, network security, engineering systems security, enhanced threat monitoring, and accelerated response to security incidents. Beaumont highlights the importance of these measures in a blog from Charlie Bell, Microsoft's Executive Vice President of Security, and an all-company email from CEO Satya Nadella emphasizing security as everyone's top priority.

Beaumont's detailed account sheds light on past security challenges within Microsoft and suggests that while the company has always employed some of the smartest security personnel, certain practices have normalized risky behaviors. He notes Microsoft's unique position in impacting both individual users and global infrastructure, making their security measures critically important.

Furthermore, Beaumont discusses new governance strategies being implemented at Microsoft to unify security practices across different business units. This includes linking leadership compensation to security outcomes and enhancing the role of threat intelligence within the company's security operations.

While acknowledging the steps Microsoft is taking, Beaumont remains cautiously optimistic about their implementation and effectiveness, noting that true security enhancement will require continuous commitment and may take time to fully realize. His insights reflect a mix of technical understanding and personal experience within the company, offering a comprehensive look at Microsoft's efforts to improve its cybersecurity stance.

Coming up next, we’ve got N2K’s Rick Howard talking with AWS’s Director of Risk Management Mark Terenzoni about the benefits of security lakes and other security considerations for a post-AI world.

We’ll be right back

Welcome back

Ukrainian officials introduce an AI generated spokesperson. 

Ukrainian officials have unveiled what they claim is a groundbreaking initiative in its communication strategy by introducing an AI-generated spokesperson named Victoria Shi.. This digital spokesperson, a first-of-its-kind in diplomatic circles, will deliver official statements on behalf of the Ukrainian foreign ministry. Although the AI will handle the presentation, the content of the statements will still be crafted and verified by human diplomats.

Foreign Minister Dmytro Kuleba emphasized that this initiative represents a significant technological advancement, noting, with a straight face, that it's a move no other diplomatic service around the world has yet made. He highlighted the practical benefits of this innovation, explaining that the main motivation behind adopting an AI spokesperson was to conserve time and resources for the ministry's diplomats.

Visually and vocally, the digital spokesperson is modeled after Rosalie Nombre, a singer and former contestant on the Ukrainian version of the reality show "The Bachelor." She participated in this project without charge, and the ministry has clarified that Nombre and Shi are distinct entities, with only the AI figure designated to give official statements.

To mitigate the risk of misinformation, the foreign ministry will accompany Shi’s statements with a QR code. This code will link directly to text versions of the statements on the ministry's official website, ensuring authenticity and transparency. 

What could possibly go wrong with an AI spokesperson? Famous last words…

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

 

 

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

 

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.