The CyberWire Daily Podcast 6.13.24
Ep 2088 | 6.13.24

Whistleblower warns of profit over protection.

Transcript

A whistleblower claims that Microsoft prioritized profit over security. U.S. warnings of global election interference continue to rise. Cyber insurance claims hit record levels. Location tracking firm Tile suffers a data breach. A new phishing kit creates Progressive Web Apps. Questioning the government’s cyber silence. On today’s Threat Vector segment, host David Moulton, Director of Thought Leadership at Unit 42, is joined by Data Privacy Attorney Daniel Rosenzweig. Together, they unravel the complexities of aligning data privacy and cybersecurity laws with technological advancements. AI powered cheating lands one student in hot water. 

Today is Thursday, June 13th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

A whistleblower claims that Microsoft prioritized profit over security. 

An investigation by ProPublica claims that Microsoft prioritized profit over security, leaving the U.S. government vulnerable to a major cyberattack. 

In 2016, Andrew Harris, a cybersecurity expert at Microsoft, uncovered a severe flaw in the company's Active Directory Federation Services (AD FS), a product used by millions to log into cloud-based services. The flaw allowed attackers to forge Security Assertion Markup Language (SAML) tokens, enabling them to masquerade as legitimate users and access sensitive data without detection. SAML is a computer language used to authenticate users, and this flaw meant that hackers could generate a valid token, bypassing security measures.

Harris, who had extensive experience with the Defense Department, recognized the profound security implications of this vulnerability, particularly for the federal government. The flaw allowed attackers to exploit AD FS's single sign-on (SSO) feature, which permits users to access multiple applications with one login. By forging SAML tokens, attackers could gain access to sensitive data, including national security secrets and corporate intellectual property, without leaving a trace.
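The defensive counterpart to the forged-token problem described above is that a relying party should not accept a SAML assertion on the strength of a valid-looking signature alone. The following Python is an added example, not code from the podcast, ProPublica, or Microsoft. It shows three checks a service provider can run on top of full XML-signature verification (which it does not perform; a library such as xmlsec handles that): pinning the identity provider's token-signing certificate by thumbprint, enforcing the assertion's Conditions window, audience and a plausible lifetime, and correlating the assertion ID against the identity provider's own issuance log so that a token the IdP never recorded issuing is flagged even when its certificate is genuine. The certificates, entity IDs, log lines and log format are all constructed for the example.

```python
"""Relying-party checks for SAML 2.0 assertions (added example; all
certificates, entity IDs and log lines below are constructed)."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed stand-ins for DER certificate bytes. A real deployment loads
# the IdP's published token-signing certificate from its federation metadata.
IDP_CERT_DER = b"constructed: legitimate token-signing certificate"
ROGUE_CERT_DER = b"constructed: certificate the IdP never published"
IDP_THUMBPRINT = hashlib.sha256(IDP_CERT_DER).hexdigest()

# Constructed IdP issuance log, one line per token the IdP actually issued.
# The line format is invented here; map it to your own IdP's audit events.
IDP_ISSUANCE_LOG = [
    "2024-06-13T12:00:01Z event=token_issued assertion_id=_id-1001 subject=alice@example.test",
    "2024-06-13T12:05:42Z event=token_issued assertion_id=_id-1002 subject=bob@example.test",
]


def make_assertion(assertion_id, not_before, not_on_or_after, cert_der,
                   audience="https://app.example.test/", subject="alice@example.test"):
    """Build a minimal assertion; the Signature element carries only the
    certificate, since the cryptographic signature is out of scope here."""
    cert_b64 = base64.b64encode(cert_der).decode()
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
  ID="{assertion_id}" Version="2.0" IssueInstant="{not_before.strftime(TIME_FMT)}">
  <saml:Issuer>https://sts.example.test/adfs/services/trust</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{not_before.strftime(TIME_FMT)}"
                   NotOnOrAfter="{not_on_or_after.strftime(TIME_FMT)}">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def issued_assertion_ids(log_lines):
    """Collect the assertion IDs the IdP recorded issuing."""
    ids = set()
    for line in log_lines:
        m = re.search(r"assertion_id=(\S+)", line)
        if m:
            ids.add(m.group(1))
    return ids


def _parse_time(s):
    return datetime.strptime(s, TIME_FMT).replace(tzinfo=timezone.utc)


def check_assertion(xml_text, *, pinned_thumbprint, expected_audience,
                    issued_ids, now, max_lifetime=timedelta(hours=1)):
    """Return a list of findings; an empty list means every check passed.
    Run this in addition to, never instead of, XML-signature verification."""
    findings = []
    root = ET.fromstring(xml_text)
    assertion_id = root.get("ID")

    # 1. Certificate pinning: only the IdP's published signing certificate
    #    is acceptable, not any certificate that happens to verify.
    cert_el = root.find(".//ds:X509Certificate", NS)
    thumbprint = hashlib.sha256(base64.b64decode(cert_el.text.strip())).hexdigest()
    if thumbprint != pinned_thumbprint:
        findings.append(f"unexpected signing certificate {thumbprint[:16]}...")

    # 2. Conditions: presented inside its window, lifetime no longer than the
    #    IdP is configured to issue, and addressed to this service.
    cond = root.find("saml:Conditions", NS)
    not_before = _parse_time(cond.get("NotBefore"))
    not_on_or_after = _parse_time(cond.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        findings.append("assertion presented outside its validity window")
    if not_on_or_after - not_before > max_lifetime:
        findings.append(f"validity window {not_on_or_after - not_before} exceeds IdP maximum {max_lifetime}")
    audience = cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != expected_audience:
        findings.append(f"audience {audience!r} is not this service")

    # 3. Issuance correlation: a token the IdP never logged issuing is forged
    #    even when it was signed with the genuine certificate.
    if assertion_id not in issued_ids:
        findings.append(f"assertion {assertion_id} absent from IdP issuance log")
    return findings


def demo(now=datetime(2024, 6, 13, 12, 30, tzinfo=timezone.utc)):
    """Check a genuine token, a token with a rogue certificate, and a token the
    IdP never issued with a week-long lifetime; returns the three finding lists."""
    kw = dict(pinned_thumbprint=IDP_THUMBPRINT, expected_audience="https://app.example.test/",
              issued_ids=issued_assertion_ids(IDP_ISSUANCE_LOG), now=now)
    genuine = make_assertion("_id-1001", now - timedelta(minutes=30), now + timedelta(minutes=30), IDP_CERT_DER)
    rogue_cert = make_assertion("_id-1002", now - timedelta(minutes=5), now + timedelta(minutes=5), ROGUE_CERT_DER)
    never_issued = make_assertion("_id-9999", now - timedelta(minutes=30), now + timedelta(days=7), IDP_CERT_DER)
    return {"genuine": check_assertion(genuine, **kw),
            "rogue_cert": check_assertion(rogue_cert, **kw),
            "never_issued": check_assertion(never_issued, **kw)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "OK")
```

The third check is the one that matters most for the scenario in this story: when the signing key itself is in the attacker's hands, certificate pinning and signature verification both pass, and the only remaining signal is a mismatch between what the identity provider says it issued and what services actually received.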

Despite Harris' repeated warnings and proposed interim solution—disabling the SSO feature to mitigate the risk—Microsoft's management dismissed his concerns. They were wary of the potential financial impact, fearing that acknowledging the flaw could jeopardize a multibillion-dollar contract with the federal government and affect their competitive position in the cloud market.

In August 2020, Harris left Microsoft, frustrated by the company's inaction. Just months later, the SolarWinds cyberattack, one of the largest in U.S. history, occurred. Russian hackers exploited the very flaw Harris had identified, using the forged SAML tokens to breach multiple federal agencies, including the National Nuclear Security Administration and the National Institutes of Health. This breach allowed the attackers to steal sensitive data, including information related to COVID-19 research and the U.S. nuclear weapons stockpile.

Despite Harris' prior warnings, Microsoft publicly insisted that its products were not at fault. Brad Smith, Microsoft President, assured Congress that no vulnerabilities in Microsoft products were exploited in the SolarWinds attack and suggested that customers could have done more to protect themselves. However, ProPublica's investigation, supported by interviews with Harris and former colleagues, contradicts this narrative, highlighting how Microsoft's profit-driven decisions compromised security.

Following the SolarWinds breach, Microsoft implemented measures to address the SAML vulnerability, but many of these advancements were only available through paid services, drawing further criticism. This incident underscores the tension between Microsoft's business priorities and the imperative to protect customers from emerging cybersecurity threats.

Microsoft president Brad Smith will testify before a US House of Representatives panel on homeland security later today. We will have coverage of that session in tomorrow's daily briefing. 

Programming note: While Microsoft is an N2K partner and sponsor, we cover them the same way we do any other company.

U.S. warnings of global election interference continue to rise. 

The U.S. Foreign Malign Influence Center has issued a record number of warnings about election interference over the past year, coinciding with the 2024 presidential race. The center, established in 2021 and part of the Office of the Director of National Intelligence, targets foreign threats, especially from Russia, China, and Iran, leveraging new technologies like generative AI. Despite leadership changes, including Jessica Brandt's appointment as head, some lawmakers remain concerned about the center’s preparedness. The center uses an interagency consortium to assess threats and coordinates with agencies like the FBI for further action. Preparations for the upcoming election include exercises with various federal entities and enhanced collaboration with state and local levels.

Cyber insurance claims hit record levels. 

Cyber insurance claims in North America hit record levels in 2023, with insurance firm Marsh reporting over 1,800 claims, driven by sophisticated cyber-attacks, the MOVEit file transfer incident, privacy claims, and more organizations purchasing insurance. Approximately 21% of clients reported a cyber event, up slightly from 18% in 2022. The healthcare sector submitted the most claims (17%), followed by communications (16%), education (9%), retail/wholesale (8%), and financial institutions (8%). Cyber extortion incidents, including ransomware, surged, with 282 events reported and median extortion payments rising from $335,000 to $6.5 million. Despite effective negotiations reducing final payments, the percentage of demands paid increased, though fewer companies paid ransoms compared to previous years.

Location tracking firm Tile suffers a data breach. 

A hacker accessed internal tools of location tracking company Tile, stealing customer data, including names, addresses, email addresses, and phone numbers, according to 404 Media. The breach didn't include location data of Tile devices but highlighted significant vulnerabilities in internal tools intended for employee use. The hacker claimed access to everything, including tools for law enforcement data requests, and demanded payment from Tile, which was ignored. Tile confirmed the breach after 404 Media provided data samples, revealing compromised admin credentials led to unauthorized access of the customer support platform. Tile claims to have since taken steps to prevent further unauthorized access.

A new phishing kit creates Progressive Web Apps. 

A new phishing kit enables cybercriminals and red teamers to create Progressive Web Apps (PWAs) mimicking corporate login forms to steal credentials. PWAs, made using HTML, CSS, and JavaScript, appear as desktop applications but run in a browser with hidden standard controls. These apps can be deceptively convincing, featuring fake address bars showing legitimate URLs.

The phishing toolkit, created by security researcher mr.d0x, demonstrates how these PWAs can display fake login forms for various services. While persuading users to install PWAs might be challenging, attackers can create fake software distribution sites to promote these malicious apps. Once installed, the PWA can prompt users for credentials, making this a potentially effective phishing technique. The PWA phishing templates are available on GitHub for testing and modification.

Questioning the government’s cyber silence. 

Gavin Wilde is a senior fellow in the Technology and International Affairs Program at the Carnegie Endowment for International Peace. In a piece for CyberScoop, he examines the Biden administration’s silence in the face of certain controversies. 

Cybersecurity advocates praise initiatives like the "secure-by-design" partnership to improve software security and an international coalition to limit commercial spyware. However, recent events show significant challenges. Experts say Microsoft’s “Recall” feature, which tracks all device activity, poses serious privacy and security risks, directly contradicting secure-by-design principles.

Despite these concerns, the Biden administration and key cyber officials have remained silent. Critics argue that this lack of response undermines efforts to promote secure software and curb spyware proliferation. Pressure from cybersecurity experts forced Microsoft to make Recall opt-in and add security features, but Wilde believes this should have been addressed proactively by regulators.

He says the administration’s silence highlights the need for stronger regulatory policies and active oversight to ensure tech companies adhere to cybersecurity commitments. This episode shows that despite good intentions, more robust action is needed to secure the digital ecosystem.

Coming up on our biweekly Threat Vector segment, Palo Alto Unit 42’s David Moulton speaks with Data Privacy Attorney Daniel Rosenzweig about the complexities of aligning data privacy and cybersecurity laws with technological advancements. We’ll be right back.

Welcome back. You can catch the full discussion David had with Daniel on Threat Vector. There’s a link in our show notes. 

AI powered cheating lands one student in hot water. 

And finally, Turkish police nabbed a student who used an AI-powered cheat system during a university entrance exam in Isparta. The student's high-tech kit included a camera disguised as a shirt button and a cellular modem hidden in a shoe, all linked to AI software. The clever setup scanned exam questions and fed the answers to the student via an earpiece.

Authorities became suspicious of the student's behavior, leading to the arrest. 

If only the student had used their time and energy for studying, instead of cheating. I know, it’s a lot less fun. But still. Stay in school, friends. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.