The CyberWire Daily Podcast 7.10.24
Ep 2104 | 7.10.24

Old school, new threat.

Transcript

Blast-RADIUS targets a network authentication protocol. The US disrupts a Russian disinformation campaign. Anonymous messaging app NGL is slapped with fines and user restrictions. The NEA addresses AI use in classrooms. Gay Furry Hackers release data from a conservative think tank. Microsoft and Apple change course on OpenAI board seats. Australia initiates a nationwide technology security review. A Patch Tuesday rundown. Guest Jack Cable, Senior Technical Advisor at CISA, with the latest from CISA's Secure by Design Alert series. Our friend Graham Cluley ties the knot.

Today is Wednesday July 10th 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Blast-RADIUS targets a network authentication protocol. 

A newly discovered attack, dubbed "Blast-RADIUS," targets the Remote Authentication Dial-In User Service (RADIUS) protocol, used widely in network authentication. Developed in 1991, RADIUS remains crucial for VPNs, ISPs, Wi-Fi, and cellular networks. However, it relies on the outdated MD5 hash function, known for its susceptibility to collision attacks, where two different inputs produce the same hash output.

Researchers have shown that these MD5 collisions can be exploited to gain unauthorized administrative access to devices using RADIUS. The attack involves an adversary intercepting and manipulating RADIUS authentication packets to trick the server into granting access. This is made feasible by optimizing the attack process, reducing the required computational time from thousands of hours to mere minutes.

Despite the known weaknesses of MD5, RADIUS has not been updated to mitigate these vulnerabilities effectively. The recent research underscores the urgent need to transport RADIUS traffic over TLS or DTLS, ensuring encrypted and authenticated communications. In the interim, short-term mitigations include using HMAC-MD5 for packet authentication, although this might break compatibility with older implementations.
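As an added illustration (not code from the podcast or from any RADIUS implementation), the Python below builds an Access-Accept two ways: with only the RFC 2865 MD5 Response Authenticator that Blast-RADIUS collides, and with the HMAC-MD5 Message-Authenticator attribute (RFC 2869) that the interim mitigation relies on, then shows a client-side check that refuses responses lacking a valid HMAC. The shared secret, Request Authenticator and Reply-Message are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
MSG_AUTH_TYPE = 80                      # Message-Authenticator attribute (RFC 2869)
SECRET = b"constructed-shared-secret"   # constructed sample secret
REQUEST_AUTH = bytes(range(16))         # constructed Request Authenticator

def attr(atype, value):                 # one RFC 2865 TLV attribute
    return bytes([atype, len(value) + 2]) + value

def build_packet(code, ident, authenticator, attrs):   # 20-byte header + attributes
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code, ident, attrs, request_auth, secret):
    # Legacy RFC 2865 check: plain MD5 over header, Request Authenticator, attributes
    # and shared secret. This is the construction Blast-RADIUS collides.
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def hardened_response(code, ident, request_auth, attrs, secret):
    # Add an HMAC-MD5 Message-Authenticator. The HMAC covers the whole packet with
    # the MA value zeroed and the Authenticator field set to the Request Authenticator
    # (RFC 2869 section 5.14); the MD5 Response Authenticator is then computed over it.
    zeroed = build_packet(code, ident, request_auth, attrs + attr(MSG_AUTH_TYPE, bytes(16)))
    body = attrs + attr(MSG_AUTH_TYPE, hmac.new(secret, zeroed, hashlib.md5).digest())
    return build_packet(code, ident, response_authenticator(code, ident, body, request_auth, secret), body)

def verify_response(pkt, request_auth, secret, require_ma=True):
    # Client-side validation. With require_ma=True (the interim mitigation) a response
    # without a valid Message-Authenticator is rejected even if its MD5 check passes.
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    code, ident, resp_auth, attrs = pkt[0], pkt[1], pkt[4:20], pkt[20:]
    if not hmac.compare_digest(resp_auth, response_authenticator(code, ident, attrs, request_auth, secret)):
        return False
    pos, ma_off = 0, None               # walk the TLV list for Message-Authenticator
    while pos < len(attrs):
        if pos + 2 > len(attrs) or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            return False                # malformed attribute list
        if attrs[pos] == MSG_AUTH_TYPE and attrs[pos + 1] == 18:
            ma_off = pos + 2
        pos += attrs[pos + 1]
    if ma_off is None:
        return not require_ma
    zeroed = pkt[:4] + request_auth + attrs[:ma_off] + bytes(16) + attrs[ma_off + 16:]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), attrs[ma_off:ma_off + 16])
```

A legacy MD5-only response still validates when `require_ma=False`, which is exactly the acceptance path the attack depends on; enabling the requirement closes it for peers that send the attribute.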

The vulnerability has prompted security bulletins and patches from over 90 vendors, urging users to implement recommended updates and check with manufacturers for specific guidance. This discovery highlights the importance of updating legacy protocols and adopting more secure cryptographic practices to protect critical network infrastructure.

The US disrupts a Russian disinformation campaign. 

The US has disrupted Russian threat actors associated with RT (formerly Russia Today) who used AI features of the Meliorator software to create fake online personas spreading disinformation in the US, Germany, Israel, the Netherlands, Poland, Spain, and Ukraine, according to a joint advisory from government agencies. The US seized two domain names used to register these fake accounts, revealing the bot farm was managed by a Russian FSB officer and a private intelligence organization with Kremlin support.

Meliorator generates realistic social media profiles that post content, mirror disinformation, and formulate false narratives. It includes an administrator panel, Brigadir, and a seeding tool, Taras, to control the fake personas. RT has used this software since 2022 to support Russian interests. By June 2024, it created 968 accounts on X (formerly Twitter). The identified accounts have been suspended, and social media platforms are urged to help identify and reduce these fake personas.

Anonymous messaging app NGL is slapped with fines and user restrictions. 

The anonymous messaging app NGL will no longer be available to users under 18 following a settlement with the Federal Trade Commission (FTC) and Los Angeles District Attorney’s Office. This agreement, pending judge approval, marks the FTC's intensified efforts to safeguard children's privacy. The settlement, distinctive for its age ban, contrasts with past actions under the Children’s Online Privacy Protection Act (COPPA).

NGL, an app for soliciting anonymous messages, faced accusations of misleading young users into buying a premium version by sending fake messages and promising identity reveals. Instead, users received vague hints. The FTC also claimed NGL falsely advertised effective AI content moderation, while cyberbullying was rampant. Additionally, NGL allegedly failed to obtain parental consent for users under 13, violating COPPA. The company agreed to pay $5 million and implement age restrictions.

The NEA addresses AI use in classrooms. 

The nation’s largest teachers’ union, the NEA, has voted to address AI use in classrooms through policy actions. On July 4, the union’s 6,000 delegates approved a policy statement at their annual assembly. This policy focuses on ensuring AI is used safely and equitably, emphasizing the importance of human interaction in education. It highlights issues like equity, data protection, and environmental impact.

The NEA aims to guide educators on AI use, pushing for professional development and involvement in policy discussions. The policy calls for ethical AI development and equitable access, ensuring AI supplements rather than replaces human teaching. The NEA will advocate at various levels for these principles, recognizing the potential of AI to support but not replace educators in fostering meaningful student-teacher connections.

Gay Furry Hackers release data from a conservative think tank. 

A cybercrime group known as SiegedSec released approximately two gigabytes of data from the Heritage Foundation, a conservative think tank. This release was in response to Heritage's Project 2025, which aims to provide policy proposals for a potential Donald Trump presidency. The leaked data includes Heritage Foundation blogs, material from The Daily Signal, and personal information of individuals associated with Heritage, including those with U.S. government email addresses. SiegedSec, identified as “gay furry hackers,” claims this leak is part of their “OpTransRights” campaign. The Heritage Foundation has not commented on the breach, which is the second cyber attack they've faced this year. SiegedSec also claims to possess over 200 gigabytes of additional data but says they have no plans to release it.

Microsoft and Apple change course on OpenAI board seats. 

Microsoft has relinquished its observer seat on OpenAI's board, less than eight months after acquiring it. Apple, initially planning to join OpenAI’s nonprofit board, has also decided not to join. OpenAI confirmed Microsoft's decision following reports from Axios and the Financial Times. OpenAI expressed gratitude for Microsoft’s support and announced a new strategy under CFO Sarah Friar, involving regular stakeholder meetings with strategic partners like Microsoft and Apple and investors like Thrive Capital and Khosla Ventures. These changes coincide with growing antitrust concerns regarding Microsoft’s $10 billion investment in OpenAI. This investment, making Microsoft the exclusive cloud partner for OpenAI, powers all OpenAI workloads and enhances Microsoft’s AI capabilities across its products and services.

Australia initiates a nationwide technology security review. 

Australia has directed its government entities to review their entire technology estates and identify assets potentially controlled or manipulated by foreign states. This action addresses growing cyber threats, including repeated targeting by a state-sponsored Chinese hacking group. The Department of Home Affairs issued legally binding instructions for over 1,300 government entities to identify Foreign Ownership, Control, or Influence (FOCI) risks in their technology by June 2025. Additionally, they must assess internet-facing systems for security risks and collaborate with the Australian Signals Directorate (ASD) on threat intelligence sharing. This directive aims to enhance the visibility and security of Australia's government technology infrastructure. The new cybersecurity measures follow Australia's earlier ban on TikTok on government devices due to security concerns.

A Patch Tuesday rundown. 

Yesterday was Patch Tuesday. This month's update from Microsoft addresses 142 security flaws, including two actively exploited and two publicly disclosed zero-day vulnerabilities. Among these, five critical vulnerabilities stand out, all of which are remote code execution flaws.

The breakdown of the vulnerabilities reveals a diverse array of threats: 26 elevation of privilege, 24 security feature bypass, 59 remote code execution, 9 information disclosure, 17 denial of service, and 7 spoofing vulnerabilities.

Highlighting the critical fixes, the first zero-day vulnerability, CVE-2024-38080, affects Windows Hyper-V. This elevation of privilege flaw allows attackers to gain SYSTEM privileges, posing a severe risk. The second actively exploited zero-day, CVE-2024-38112, targets the Windows MSHTML platform. This spoofing vulnerability requires the victim to execute a malicious file, after which the attacker can exploit the system.

In addition, two publicly disclosed zero-day vulnerabilities have been patched. The first, CVE-2024-35264, involves a remote code execution issue in .NET and Visual Studio, caused by a race condition in HTTP/3 stream processing. The second, CVE-2024-37985, known as the "FetchBench" side-channel attack, could allow attackers to view heap memory from a privileged process, compromising sensitive information.

This Patch Tuesday also coincides with updates from other major companies. Adobe has released security updates for Premiere Pro, InDesign, and Bridge. Cisco has disclosed an exploited CLI command injection vulnerability in NX-OS Software. Citrix has fixed flaws in its Windows Virtual Delivery Agent and Citrix Workspace app. Additionally, Fortinet, Mozilla, OpenSSH, and VMware have all issued updates addressing various vulnerabilities.

Coming up, I’m joined by CISA’s Senior Technical Advisor Jack Cable. Jack joins us to share an update on CISA's Secure by Design Alert series that launched today. We’ll be right back.

Welcome back. Thanks to CISA’s Jack Cable for giving us that update. We’ve got details on CISA’s Secure by Design alerts in our show notes.

Our friend Graham Cluley ties the knot. 

And finally, our Matrimony desk reports that noted cybersecurity expert and podcast host Graham Cluley tied the knot earlier this week. As a regular guest on the Smashing Security podcast, I can only assume that my wedding invitation was somehow delayed in the international post.

What an event it must have been! I can almost imagine what it must have been like…

Ah, where to begin with this posh British wedding? Picture an event so lavish that even the royal family would feel a twinge of envy. The ceremony took place in a centuries-old cathedral, with more gold leaf and stained glass than you can shake a diamond-encrusted stick at. The bride was, of course, a vision of beauty—stunningly gorgeous and incredibly intelligent, the kind of woman who makes you question the fairness of the universe. She had a PhD in something so complex it made quantum physics look like a children’s book. And the groom? Well, he was a huge Doctor Who fan. Yes, you heard that right.

Now, imagine this: the aisle was flanked by life-sized Daleks. Yes, Daleks. Because nothing says "eternal love" like deadly extraterrestrial robots. The groom had somehow convinced his stunningly beautiful, highly intelligent bride to let his Whovian obsession infiltrate every aspect of their wedding. Kudos to her for her patience, I suppose.

The ceremony itself was officiated by a gentleman dressed as the Fourth Doctor. I kid you not, the man had the scarf, the hat, the whole shebang. When he said, “Do you take this man to be your husband?” I half expected him to add, “Allons-y!”

During the reception, the groom proudly displayed his TARDIS-shaped cake. It was an impressive confection, I'll give him that, but it looked somewhat out of place next to the elegantly draped tables and the floral arrangements that probably cost more than my car. The bride’s cake, a multi-tiered masterpiece covered in delicate sugar flowers, stood in stark contrast to the groom’s geeky creation.

And let’s not forget the wedding breakfast, which was a gastronomic journey so elaborate it would have made Heston Blumenthal weep with envy. Among the haute cuisine and deconstructed dishes, there was a small section of the menu dedicated to delicacies from Gallifrey. Fish fingers and custard, anyone?

The speeches were another highlight. The bride's best friend gave a heartfelt speech that left everyone reaching for their monogrammed handkerchiefs. The groom, however, began his with, “As the Doctor would say, ‘We’re all stories in the end. Just make it a good one.’” And I suppose he did make it a good one—if you’re into time-traveling aliens, that is.

Then came the first dance. The bride looked like she floated on air in her exquisite gown. The groom, bless him, tried to keep up without stepping on her toes. The song? An orchestral version of the Doctor Who theme. I could practically hear the collective eye roll from the more traditional guests, but hey, at least they were happy.

As the evening progressed and the champagne flowed, the dance floor became a bizarre mix of posh people attempting to do the conga line with a Dalek. Yes, it was as ridiculous as it sounds. But in the end, the bride’s radiant smile and the groom’s childlike glee made it clear that, despite the oddities, they were in it for the long haul. And isn’t that what really matters?

Our best wishes to the happy couple. You can hear Graham Cluley on the Smashing Security podcast, as well as his latest show The AI Fix. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.