The CyberWire Daily Podcast 6.21.24
Ep 2093 | 6.21.24

U.S. tightens the cybersecurity belt.

Transcript

Biden bans Kaspersky over security concerns. Accenture says reports of them being breached are greatly exaggerated. SneakyChef targets diplomats in Africa, the Middle East, Europe and Asia. A serious firmware flaw affects Intel CPUs. More headaches for car dealerships relying on CDK Global. CISA alerts over 100,000 individuals of a potential data breach in the Chemical Security Assessment Tool hack. SquidLoader targets Chinese organizations through phishing. A new nonprofit aims to establish certification standards in maritime cybersecurity. A sneak peek of our latest podcast, Only Malware in the Building. Using the court system for customer support.

Today is Friday, June 21st, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Biden bans Kaspersky over security concerns. 

The Biden administration announced plans to ban the sale of Kaspersky Lab’s antivirus software in the U.S. due to security concerns over Russia's influence on the company, Reuters reports. Commerce Secretary Gina Raimondo emphasized that Russia could exploit Kaspersky to steal sensitive data or install malware, especially given the software’s deep access to computer systems. Kaspersky's clientele includes critical infrastructure providers and local governments, raising further alarm.

Kaspersky claims the decision is politically motivated and intends to explore legal options. The Russian Embassy did not comment, and Kaspersky maintains it is privately managed without government ties.

The new rule will take effect on September 29, blocking new sales, downloads, and updates of Kaspersky software in the U.S. Additionally, three Kaspersky units will be added to a trade restriction list, complicating its international operations. This move aims to eliminate risks of Russian cyberattacks and continues the pressure on Moscow amid the ongoing conflict in Ukraine.

Senator Mark Warner supports the ban, arguing it’s unsafe to allow Russian software access to American systems. The new restrictions also prohibit the sale of white-labeled products containing Kaspersky software. Sellers and resellers violating these rules will face penalties. However, software users will not be penalized but will be encouraged to switch to alternatives.

Accenture says reports of them being breached are greatly exaggerated. 

In a follow-up to our previous report, Accenture has addressed the claims made by BreachForums user "888," who alleged possession of data on just under thirty-three thousand current and former employees. According to Accenture, its analysis of the published data set revealed only three employee names and email addresses, with no additional information linked to the company. Accenture reported no indications of system compromise but stated that investigations are ongoing. This response comes amid concerns raised by "888," a known leaker responsible for multiple high-profile cyber attacks.

SneakyChef targets diplomats in Africa, the Middle East, Europe and Asia. 

A Chinese-speaking cyberespionage group, "SneakyChef," has targeted the ministries of foreign affairs and embassies in at least nine countries across Africa, the Middle East, Europe, and Asia, according to Cisco Talos researchers. Using non-public government documents as lures, the group aimed at Angola, Turkmenistan, Kazakhstan, India, Saudi Arabia, South Korea, Uzbekistan, the U.S., and Latvia. SneakyChef employs the SugarGh0st remote access tool and a new trojan, SpiceRAT, to conduct their operations. These findings indicate a rapidly evolving and aggressive hacking campaign targeting key geopolitical hotspots. There is currently no conclusive evidence linking the group to a specific government agency, though some activity aligns with Chinese state-sponsored groups.

A serious firmware flaw affects Intel CPUs. 

A firmware vulnerability (CVE-2024-0762) in Phoenix SecureCore UEFI, affecting various Intel processors, allows local privilege escalation and arbitrary code execution within the firmware. This flaw, linked to an unsafe GetVariable UEFI service call, could lead to a stack buffer overflow. Discovered on Lenovo ThinkPad laptops, it affects multiple Intel processor families. Phoenix and Lenovo have issued updates. While no exploitation in the wild is reported, users should check for firmware updates.

More headaches for car dealerships relying on CDK Global. 

Following up on this week’s reports of car dealerships in the US being unable to serve their customers due to cyberattacks targeting SaaS platform provider CDK Global, the company has issued a new warning to customers about scammers posing as CDK agents to gain unauthorized system access. This caution comes after two cyberattacks on June 18th and 19th forced the company to shut down its customer support channels and take most of its systems offline.

In response, CDK set up toll-free lines for status updates, but warns customers to avoid communications with anyone claiming to be a CDK representative seeking system access. Customers should not perform DMS tasks and should stay alert for phishing attempts. CDK has no estimated resolution timeframe yet but assures that digital retail application data is secure.

CISA alerts over 100,000 individuals of a potential data breach in the Chemical Security Assessment Tool hack.

The US Cybersecurity and Infrastructure Security Agency (CISA) has notified participants of the Chemical Facility Anti-Terrorism Standards (CFATS) program about a data breach involving the Chemical Security Assessment Tool (CSAT), hacked in January 2024. Attackers exploited an Ivanti Connect Secure appliance zero-day vulnerability. The breach potentially affects over 100,000 individuals, with compromised data possibly including personal information, security assessments, and site security plans. Although no data exfiltration was confirmed, CISA advises impacted individuals to reset passwords. Facilities are requested to notify affected people or provide contact information to CISA. The breach, considered a major incident under FISMA, exposed sensitive information related to chemical security.

SquidLoader targets Chinese organizations through phishing. 

Researchers have discovered a new malware loader, SquidLoader, targeting Chinese organizations through phishing emails. Disguised as a Word document, it employs advanced evasion techniques to avoid detection, such as obfuscation and using expired or self-signed certificates. SquidLoader downloads a malicious payload, often Cobalt Strike, via HTTPS, which achieves persistence on the victim's machine. The loader's sophisticated methods include encrypted code sections, dynamic API resolution, and complex control flow obfuscation, making it challenging for security analysts to detect and analyze.

A new nonprofit aims to establish certification standards in maritime cybersecurity. 

The newly announced International Maritime Cybersecurity Standards Organization (IMCSO), a nonprofit supported by industry, aims to solve several key issues in maritime cybersecurity. Currently, ship captains lack the time to assist cyber auditors, and the variety of assessment methodologies creates unnecessary complexity, overheads, and delays in providing risk and technical audit results to port authorities and insurers. This inconsistency leads to confusion and inefficiency in evaluating and managing cyber risks.

IMCSO seeks to address these problems by standardizing cybersecurity assessments and certifications, ensuring that evaluations are conducted uniformly, safely, and effectively. This will streamline the risk assessment process, making it easier for stakeholders to understand a vessel’s cyber risk, and provide a reliable registry of certified cybersecurity suppliers and professionals. Ultimately, IMCSO aims to improve the overall resilience and compliance of the maritime sector to cyber threats.

Speaking of the maritime sector, the U.S. Department of Homeland Security (DHS) is enhancing maritime cybersecurity in the Indo-Pacific by partnering with Indonesia under initiatives from the U.S. Department of State and the Department of Defense. This agreement, part of the Comprehensive Strategic Partnership, aims to protect maritime critical infrastructure and improve the resilience of the international maritime transportation system. DHS and Indonesian authorities conducted a cybersecurity tabletop exercise and workshop to strengthen incident response capabilities. This collaboration emphasizes information sharing, operational coordination, and joint efforts to counter cyber threats, ensuring the safety and security of global maritime activities.

Using the court system for customer support. 

And finally, last month, Ray Palena took drastic measures, flying from New Jersey to California to confront Meta in San Mateo's small claims court. After eight months and $700 in travel expenses, he managed to reclaim his hacked Facebook account—something Meta's customer support utterly failed to assist with.

Palena's story is part of a growing trend of frustrated Meta users turning to small claims court. Engadget found that out of five people who sued Meta in small claims, three successfully regained their accounts. Some even received financial compensation.

Why the courtroom drama? Meta's customer support is virtually non-existent. Their help pages send users on a wild goose chase through automated tools and dead-end links. It’s enough to drive anyone mad.

Valerie Garza, a massage business owner, faced similar exasperation. After her business's Instagram was hacked, Meta’s absence led her to court, where she won $7,268.65 in damages. Meta didn't even show up to the hearing. Their legal team tried to overturn the verdict, but Garza stood her ground and prevailed.

For those without a financial stake, like Palena, the frustration is still real. His hacked account was being used for scam listings, damaging his reputation. Small claims court became his last resort to get Meta’s attention and secure his profile.

Despite the hurdles, small claims court offers a beacon of hope for those exhausted by Meta's nonexistent support. Filing fees are low, and the process doesn’t require legal expertise, making it accessible for many. Users like Palena and Garza show that sometimes, you have to take matters into your own hands to get results from the tech giant.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.