A snapshot of security woes.

Microsoft's recall raises red flags. Ukraine's CERT sounds alarm. Russian hacktivists cause trouble in EU elections. DEVCORE uncovers critical code execution flaw. LastPass leaves users locked out. Apple commits to five years of iPhone security. An AI mail fail. Inside the FCC's plan to strengthen BGP protocol. Dave sits down with our guest Camille Stewart Gloster, Former Deputy National Cyber Director at the White House, as she shares a retrospective of her public service career. And let’s all Cheers to cybersecurity.

Today is June 7th, 2024. I’m Maria Varmazis, host of N2K’s T-Minus Space Daily sitting in for Dave Bittner. And this is your CyberWire Intel Briefing. 

Microsoft's recall raises red flags. 

Microsoft's new Recall feature, which captures desktop screenshots every five seconds for AI analysis, is being criticized by cybersecurity experts as highly insecure and a privacy risk. Initially, accessing Recall's data required administrator privileges, providing a level of protection. However, James Forshaw, a researcher from Google's Project Zero, identified methods to bypass this safeguard, allowing data access without admin privileges. Forshaw exploited Windows access control lists and identified simpler techniques to grant user-level access to Recall data.

Cybersecurity strategist Alex Hagenah confirmed these vulnerabilities, integrating Forshaw's methods into a tool demonstrating how easily hackers can access a user’s entire desktop history. This revelation highlights Recall as a significant security risk, potentially acting as pre-installed spyware. Critics argue that Recall was rushed to market without proper security review, undermining Microsoft’s commitment to prioritizing security. The feature's default integration into upcoming Copilot+ PCs exacerbates these concerns, presenting a severe threat to enterprise security.

And, we note that Microsoft is an N2K CyberWire sponsor.

 

Ukraine's CERT sounds alarm.

The Computer Emergency Response Team of Ukraine (CERT-UA) has outlined a cyberespionage campaign by the UAC-0020 threat actor that's using SPECTR malware to target the Defense Forces of Ukraine. The malware is distributed via spearphishing emails with malicious RAR archive attachments. CERT-UA says the malware is used to "download stolen documents, files, passwords and other information from the computer." 

 

Russian hacktivists stir trouble in EU elections.

Russian hacktivist groups are targeting the European Union elections. They’re attempting to disrupt the electoral process by launching cyberattacks aimed at EU election infrastructure and disseminating disinformation. These actions are part of a broader strategy to undermine democratic institutions and sow discord within the EU. The attacks involve sophisticated methods, including DDoS attacks and attempts to manipulate public opinion through social media and other online platforms.

 

CoinMiner botnet falls victim to ransomware.

Sometimes cyberattacks target not only companies but also threat actors. Recently, CoinMiner group’s proxy server was exposed, allowing a ransomware actor’s RDP scan attack to infiltrate and infect the botnet with ransomware.  

 

DEVCORE uncovers critical code execution flaw.

Researchers at DEVCORE have discovered a critical remote code execution vulnerability affecting PHP. The researchers explain, "While implementing PHP, the team did not notice the Best-Fit feature of encoding conversion within the Windows operating system. This oversight allows unauthenticated attackers to bypass the previous protection of CVE-2012-1823 by specific character sequences. Arbitrary code can be executed on remote PHP servers through the argument injection attack." PHP's development team released a patch for the flaw yesterday.

 

LastPass leaves users locked out.

A LastPass outage yesterday left users (including at least 2 members of the N2K production team) unable to access their password vaults, causing widespread frustration. The issue, which lasted several hours, affected both individual and enterprise customers. The company has since resolved the problem but faced criticism over the lack of communication and transparency during the incident.

 

Apple commits to five years of iPhone security.

Apple has announced that iPhones will receive security updates for at least five years to comply with new UK regulations. This commitment applies to iPhones released after September 2023, running iOS 17 or later. The move follows the UK's new security requirements for consumer connectable products. Despite this, Apple's update period is shorter than Google's and Samsung's seven-year commitments for their Android devices.

 

An AI mail fail.

EmailGPT, a tool designed to assist users writing emails within Gmail using AI, has been found vulnerable to prompt injection attacks. The flaw allows attackers to manipulate the AI's responses by embedding malicious prompts in emails, potentially compromising sensitive data. 

 

FCC's plan to strengthen BGP protocol.

The FCC has proposed requiring broadband providers to enhance Border Gateway Protocol (BGP) security and submit quarterly progress reports. This initiative aims to mitigate BGP-related risks, including data theft and espionage, by implementing Resource Public Key Infrastructure (RPKI) measures. The proposal highlights the need for robust security in internet routing to protect national security and public safety.

 

Coming up after the break, we share an excerpt of Dave’s conversation from our Caveat podcast with Former Deputy National Cyber Director at the White House Camille Stewart Gloster (Gloss-ter). Dave and Camille spoke about her public service career. We’ll be right back

Welcome back. You can hear Dave’s full conversation with Camille on yesterday’s Caveat episode. We’ll have the link in our show notes. 

Cheers to cybersecurity. 

And finally, picture this, a classy wine-tasting invite from the Ambassador of India lands in your inbox. Intrigued, you click on it, only to find yourself trapped in a sinister spearphishing campaign orchestrated by the infamous APT29, aka NOBELIUM or COZY BEAR. ARC Labs dives deep into the details of this cunning scheme, unraveling the secrets of Wineloader, a crafty backdoor making waves in the cybersecurity world. This sneaky tool, first spotted by ZScaler and later dissected by Mandiant, is a master of deception. The infection chain kicks off with a seemingly innocuous email invitation to a wine-tasting event hosted by the Ambassador of India. The email redirects victims to a malicious site that downloads a ZIP file containing an obfuscated HTA file. When executed, this file downloads another ZIP with the Wineloader payload. In short, APT29’s Wineloader is like a crafty sommelier serving up a vintage blend of cyber mischief. But with a little caution, you're equipped to sniff out and thwart their next attack. I think we can cheers to that!

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

Be sure to tune into Research Saturday tomorrow, where Dave is joined by Jérôme Segura, Senior Director of Threat Intelligence at Malwarebytes, and he is discussing their work on "Threat actors ride the hype for newly released Arc browser." That’s Research Saturday, check it out.

We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Maria Varmazis. Thanks for listening.