The CyberWire Daily Podcast 7.30.24
Ep 2118 | 7.30.24

Breaking Bad (records).

Transcript

Zscaler uncovers the largest ransomware payment to date. IBM says the average cost of a breach is closing in on five million dollars. Hackers exploited Proofpoint's email protection platform to send millions of phishing emails. NIST launches Dioptra to test ML models. AcidPour targets Linux data storage devices for wiping. WhatsApp for Windows allows Python to run wild. The White House releases the National Standards Strategy for Critical and Emerging Technology (USG NSSCET) Implementation Roadmap. A bipartisan Senate bill aims to fund cybersecurity apprenticeships. CISA adds three exploits to its vulnerability catalog. Ben Yelin joins us today to discuss a U.S. District Court judge’s recent dismissal of charges against SolarWinds. Loose lips sink ships, but leaky HDMI cables flood the airwaves with digital data.

Today is Tuesday, July 30th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Zscaler uncovers the largest ransomware payment to date.

The most recent report from Zscaler’s ThreatLabz has identified the largest ransomware payment ever recorded, amounting to $75 million. This payment, made to the Dark Angels group, is almost double the previous record. The surge in ransomware attacks continues, with an 18% increase in the volume of attacks from April 2023 to 2024. Additionally, the number of victim organizations listed on data leak sites has risen by nearly 58%. ThreatLabz’s research also identified 19 new ransomware families, bringing the total to 391. This record-breaking payment signals the thriving state of digital extortion and may encourage other cybercriminal groups to adopt similar strategies.

IBM says the average cost of a breach is closing in on five million dollars. 

IBM's 2024 Cost of a Data Breach Report reveals the global average breach cost hit $4.88 million, a 10% increase from last year. Breaches caused significant disruption for 70% of affected organizations, driven by lost business and post-breach costs. Recovery took over 100 days for most fully recovered entities. Staffing shortages, which increased by 26%, raised breach costs by $1.76 million.

AI-powered prevention helped reduce costs by $2.2 million, with 67% of organizations using security AI and automation. Breaches involving multi-environment data storage averaged over $5 million in costs. Internal detection of breaches improved, reducing the breach lifecycle to 258 days, the lowest in seven years. Intellectual property theft rose by 27%, with costs per stolen record up nearly 11%. Critical infrastructure sectors like healthcare and financial services saw the highest breach costs, with healthcare averaging $9.77 million.

Hackers exploited Proofpoint's email protection platform to send millions of phishing emails. 

Hackers exploited Proofpoint's email protection platform to send millions of phishing emails daily from January to June 2024 in a campaign dubbed 'EchoSpoofing.' By manipulating vulnerabilities, they impersonated major companies like IBM, Coca-Cola, and Disney. Proofpoint confirmed that these vulnerabilities have been patched and no customer data was exposed. The unidentified attackers used compromised Proofpoint servers to make phishing emails appear legitimate. Proofpoint and Guardio Labs quickly collaborated to mitigate the threat, implementing measures to ensure only authorized emails are relayed.

NIST launches Dioptra to test ML models. 

The National Institute of Standards and Technology (NIST) has launched Dioptra, an open-source tool to test the resilience of machine learning (ML) models against various attacks. Released alongside new AI guidance, Dioptra fulfills requirements from President Biden’s Executive Order on AI safety. Available on GitHub, Dioptra features a web-based interface, user authentication, and experiment provenance tracking to ensure reproducibility.

Dioptra addresses three main attack types: evasion, poisoning, and oracle. Initially designed for image classification models, it can be adapted for other ML applications. The tool helps users measure attack impacts and test defenses like data sanitization. It supports Unix-based systems and requires significant computational resources. NIST says they plan to continue improving Dioptra based on user feedback. Additionally, NIST released new AI safety guidance, focusing on risks associated with generative AI and dual-use models, accepting public comments until September 9.

AcidPour targets Linux data storage devices for wiping. 

In March 2024, a new variant of the AcidRain wiper malware, named “AcidPour,” emerged, targeting Linux data storage devices and rendering them inoperative by permanently erasing data. According to researchers at Splunk, AcidPour targets crucial sectors like SCSI, SATA, MTD, MMC storage, DMSETUP, and UBI devices, making data recovery nearly impossible. Unlike AcidRain, which attacked MIPS-based modems and routers, AcidPour has a defense evasion technique, overwriting itself with random bytes and a command line message. It employs a time-based evasion technique using the select() function. AcidPour systematically wipes important directories, including “/boot,” and replaces files with 32KB of random data. It overwrites designated device paths with 256KB buffers, making systems unbootable after a reboot. AcidPour's destructive methods are similar to AcidRain and VPNFilter but focus on data destruction rather than data exfiltration or code injection.

WhatsApp for Windows allows Python to run wild. 

A security flaw in the latest version of WhatsApp for Windows allows execution of Python and PHP attachments without warning when opened, Bleeping Computer reports. This primarily affects users with Python already installed, like developers and researchers. The issue is similar to a previous Telegram vulnerability. Despite blocking several risky file types, WhatsApp does not block Python scripts, which can be executed directly from the app. Security researcher Saumyajeet Das discovered this vulnerability and reported it to Meta, but the issue was dismissed as non-applicable. Das criticized this decision, suggesting that simply adding the relevant file extensions to WhatsApp's blocklist could prevent exploitation. WhatsApp advises users not to open files from unknown sources and has no current plans to fix the issue, leaving users vulnerable to potential attacks.
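The blocklist fix Das describes, as an added example that is not part of the original transcript and not WhatsApp's or Meta's code: a filename gate that blocks the script types the story names, normalized the way Windows stores names so that casing, trailing dots or spaces, and double extensions do not slip past it. The blocked set is a constructed, representative list, not WhatsApp's actual one.

```python
"""Attachment-extension gate of the kind the story says WhatsApp lacks for scripts."""

# Constructed list: common executable/script types a messenger typically blocks,
# plus the Python and PHP extensions the story says WhatsApp does not block.
BLOCKED_EXTENSIONS = frozenset({
    ".exe", ".bat", ".cmd", ".com", ".scr", ".vbs", ".js", ".jse", ".msi", ".hta",
    ".py", ".pyw", ".pyc", ".pyz",   # run by an installed Python interpreter
    ".php",                          # run by an installed PHP interpreter
})


def normalize_filename(name: str) -> str:
    """Mimic how Windows stores a name: trailing dots and spaces are dropped,
    and lookups are case-insensitive, so 'Update.PY. ' becomes 'update.py'."""
    return name.rstrip(". ").lower()


def final_extension(name: str) -> str:
    """Return the last extension (e.g. '.py' for 'invoice.pdf.py'), or '' if none.
    Only the final extension matters: that is what the shell uses to pick a handler."""
    base = normalize_filename(name)
    dot = base.rfind(".")
    if dot <= 0:            # no dot, or a dotfile like '.bashrc'
        return ""
    return base[dot:]


def attachment_decision(name: str) -> str:
    """'block' if the attachment would be handed to a script/executable handler,
    otherwise 'allow'. A real client would warn rather than silently open."""
    return "block" if final_extension(name) in BLOCKED_EXTENSIONS else "allow"


if __name__ == "__main__":
    # Constructed sample filenames covering the edge cases above.
    for sample in ["report.pdf", "update.py", "update.PY", "update.py. ",
                   "invoice.pdf.py", "README", ".bashrc", "index.php"]:
        print(f"{sample!r:20} -> {attachment_decision(sample)}")
```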

The White House releases the National Standards Strategy for Critical and Emerging Technology (USG NSSCET) Implementation Roadmap. 

The U.S. Government has released the National Standards Strategy for Critical and Emerging Technology (USG NSSCET) Implementation Roadmap, detailing actions to support private sector-led standards development. The roadmap emphasizes immediate and long-term efforts for standards coordination, partnering with stakeholders to address challenges in critical and emerging technology (CET) standards.

Key areas of focus include enhancing federal-private sector coordination, improving standards policy collaboration with foreign governments, and incentivizing federal engagement in standardization. The roadmap also highlights the importance of supporting research and development (R&D) and education in standards.

Immediate actions involve increasing government pre-standardization R&D, tracking CET standards education programs, and evaluating technology cooperation agreements. Long-term goals aim to sustain funding, engage academia, and enhance communication about standards.

A bipartisan Senate bill aims to fund cybersecurity apprenticeships. 

The Cyber Ready Workforce Act, a bipartisan Senate bill by Sens. Jacky Rosen (D-Nev.) and Marsha Blackburn (R-Tenn.), aims to address cybersecurity workforce shortages through competitive grants awarded by the Department of Labor. These grants will support the creation and expansion of registered apprenticeship programs in cybersecurity, providing technical instruction, workplace training, and industry-recognized certifications.

The apprenticeships will prepare participants for various cybersecurity careers, such as computer support specialists and security specialists, offering training in CompTIA, Microsoft programs, Certified Network Defender, and Certified Ethical Hacker. The Department of Labor will oversee registration and assist employers with training costs and connections to education providers.

At least 85% of grant funds must be used for program management, with 15% for marketing and outreach. This legislation is part of broader congressional efforts to fill the estimated half-million cybersecurity job gap, including initiatives targeting community colleges, disadvantaged communities, and veterans.

CISA adds three exploits to its vulnerability catalog. 

CISA has updated its vulnerability catalog to include three new exploits in ServiceNow and Acronis Cyber Infrastructure. The ServiceNow vulnerabilities, CVE-2024-4879 and CVE-2024-5217, both involve input validation issues allowing unauthenticated remote code execution, with CVSS ratings of 9.3 and 9.2. These have been patched, but were actively exploited, affecting over 105 databases and exposing 42,000 instances. The third vulnerability, CVE-2023-45249, affects Acronis Cyber Infrastructure due to insecure default passwords, with a CVSS score of 9.8. Acronis has also issued patches for this exploit.

Next up, I’m joined by my Caveat podcast co-host Ben Yelin to discuss the U.S. District Court judge dismissing most charges against SolarWinds.

We’ll be right back.

Welcome back. You can find more detail on the SolarWinds decision in our show notes.

Loose lips sink ships, but leaky HDMI cables flood the airwaves with digital data. 

And finally, our signals intelligence desk tells us that hackers may have a sneaky new trick up their sleeves: intercepting electromagnetic radiation from your HDMI cable and decoding what’s on your screen with, wait for it, AI. Imagine a digital spy lurking outside your window, antenna in hand, ready to steal your Netflix binge secrets or online banking info. But don't panic—this is more like a spy movie plot for most of us.

In the past, analogue connections were easier targets for such snooping. Today’s digital HDMI cables leak less readable data, but still enough for Federico Larroca and his team at the University of the Republic in Uruguay to develop an AI model that can reconstruct what’s on your screen from a few meters away. Their AI, trained on pairs of original and intercepted signals, managed to accurately recover about 70% of the text. While this might sound scary, it’s mainly a concern for high-security environments where even the walls have shields.

So, unless you’re guarding national secrets, rest easy knowing the hackers are probably more interested in juicier targets than your cat videos. Still, if you’re the paranoid type, maybe keep that tinfoil hat handy.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.