The CyberWire Daily Podcast 7.31.24
Ep 2119 | 7.31.24

When DDoS and defense collide.

Transcript

A global Microsoft outage takes down Outlook and Minecraft. The US Senate passes The Kids Online Safety and Privacy Act. Lame Duck domain names are targets for takeovers. A GeoServer vulnerability exposes thousands to remote code execution. China proposes a national internet ID. Email attacks surge dramatically in 2024. Columbus, Ohio, thwarts a ransomware attack. When it comes to invading your privacy, the Paris 2024 Olympics app goes for the gold. Our guest is Rakesh Nair, Senior Vice President of Engineering and Product at Devo, discussing the issues that security teams face when dealing with data control and data orchestration. Was it really Windows 3.1 that saved Southwest Airlines?

Today is Wednesday, July 31st, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

A global Microsoft outage takes down Outlook and Minecraft.

Microsoft experienced a global outage impacting services like Outlook and Minecraft, lasting nearly 10 hours. The company attributed the issue to a cyber-attack compounded by a defense implementation error. This incident follows a similar outage two weeks prior, caused by a flawed update from CrowdStrike, affecting 8.5 million systems.

The Distributed Denial-of-Service (DDoS) attack overwhelmed Microsoft's defenses, amplifying the outage's impact. Services like Azure, Microsoft 365, Intune, and Entra were affected, along with external services relying on Microsoft's platforms.

Microsoft issued an apology, implemented a fix, and continues monitoring to ensure recovery. The outage occurred just before Microsoft's financial update, revealing slower growth in its Azure cloud services, leading to a 2.7% drop in after-hours trading. Despite this, the company reported a 21% rise in intelligent cloud revenue and a 15% overall revenue increase, totaling $64.7 billion.

Additionally, Microsoft has warned of ransomware gangs exploiting a VMware ESXi authentication bypass vulnerability (CVE-2024-37085). Discovered by Microsoft researchers and fixed in a June 25 update, the flaw allows attackers to create an 'ESX Admins' group with full administrative privileges on the ESXi hypervisor. Exploitation requires high privileges and user interaction but leads to full admin access, data theft, lateral network movement, and encryption of the hypervisor's file system.

Ransomware groups like Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest have exploited this flaw, deploying Akira and Black Basta ransomware. These attacks have targeted ESXi hypervisors, causing significant outages and disrupting business operations. Microsoft noted a doubling of such incidents in the past three years.
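The detection a practitioner would want from the ESXi story above is a watch on Active Directory for the group name itself. What follows is an added example, not code from the episode, from Microsoft or from VMware: it scans constructed Windows Security events (JSON lines with field names chosen for this example, not a vendor schema) for the creation of a group named "ESX Admins" or for members being added to it. The event IDs are the standard ones for security-enabled group creation (4727, 4731, 4754) and member addition (4728, 4732, 4756); the sample records and account names are constructed.

```python
import json

# Windows Security event IDs for group lifecycle: security-enabled
# global/local/universal group created, and a member added to such a group.
GROUP_CREATED = {4727, 4731, 4754}
MEMBER_ADDED = {4728, 4732, 4756}

# Group name from the advisory; compared case-insensitively so a
# differently cased variant is not missed.
TARGET_GROUP = "esx admins"

# Constructed sample events (not real log data): one benign group creation,
# the creation of 'ESX Admins' by a service account, a member added to it,
# and a benign membership change elsewhere.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"EventID": 4727, "SubjectUserName": "jdoe",
                "TargetUserName": "Finance-Readers"}),
    json.dumps({"EventID": 4727, "SubjectUserName": "svc-backup",
                "TargetUserName": "ESX Admins"}),
    json.dumps({"EventID": 4728, "SubjectUserName": "svc-backup",
                "TargetUserName": "ESX Admins",
                "MemberName": "CN=tmp-admin,CN=Users,DC=corp,DC=local"}),
    json.dumps({"EventID": 4728, "SubjectUserName": "jdoe",
                "TargetUserName": "Finance-Readers",
                "MemberName": "CN=alice,CN=Users,DC=corp,DC=local"}),
])


def find_esx_admins_events(log_text: str) -> list[dict]:
    """Return events that create, or add members to, a group named 'ESX Admins'."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        name = str(ev.get("TargetUserName", "")).strip().lower()
        if name != TARGET_GROUP:
            continue
        eid = ev.get("EventID")
        if eid in GROUP_CREATED:
            kind = "group_created"
        elif eid in MEMBER_ADDED:
            kind = "member_added"
        else:
            continue
        hits.append({
            "kind": kind,
            "event_id": eid,
            "actor": ev.get("SubjectUserName"),
            "member": ev.get("MemberName"),
        })
    return hits


if __name__ == "__main__":
    for hit in find_esx_admins_events(SAMPLE_EVENTS):
        print(hit)
```

Both matches in the sample come from the same service account, which is the kind of context a triage rule should carry forward: who created the group and who was added to it matter more than the bare event ID.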

The US Senate passes The Kids Online Safety and Privacy Act.

With a 91-3 vote the U.S. Senate passed a bill aimed at protecting children from harmful online content. The Kids Online Safety and Privacy Act (KOSPA), prompted by parents of children harmed by online bullying, mandates that tech companies take steps to safeguard minors. This includes requiring platforms to default to the safest settings and exercise a “duty of care.”

The House has not yet acted on the bill, but strong Senate support may prompt action. President Biden has urged the House to pass the legislation quickly.

The bill would be the first major tech regulation in years, potentially paving the way for future privacy and AI laws. It requires companies to prevent harm from bullying, violence, and other dangers, and to offer minors protections like disabling addictive features and opting out of personalized recommendations.

While some tech companies support the bill, others, like Meta Platforms, prefer different approaches. Critics, including the ACLU, warn of potential censorship and privacy risks.

Lame Duck domain names are targets for takeovers.

Research from Infoblox has revealed that over a million domain names, including those registered by major companies, are vulnerable to takeover due to authentication weaknesses in several web hosting providers and domain registrars. According to Krebs on Security, this issue involves so-called "lame" DNS records, where authoritative name servers lack sufficient domain information, making these domains easy targets for cybercriminals.

Attackers can exploit these weaknesses to hijack domains, potentially using them for phishing, spreading malware, or impersonating brands. Infoblox and Eclypsium researchers found that some compromised domains, originally registered by brand protection firms, were hijacked due to misconfigured DNS settings.

This problem persists despite previous exposure, with domain takeover facilitated by weak or non-existent verification processes. Some providers, like Digital Ocean and Hostinger, are working on solutions, but broader cooperation and improved practices are necessary to mitigate these vulnerabilities and protect domain registrants and internet users.
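The check behind the story above is simple to state: ask each name server the parent delegates a domain to whether it actually serves the zone. The following is an added example, not code from Infoblox, Eclypsium or the episode. The probe is injectable so the block runs offline against constructed answers; the domain names, name servers and responses are all constructed for the example and describe the failure mode in the story (delegation still points at a hosting provider that no longer holds the zone).

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class SoaAnswer:
    """Minimal view of a response to 'SOA <zone>' sent to one name server."""
    rcode: str            # "NOERROR", "REFUSED", "SERVFAIL", "NXDOMAIN" ...
    authoritative: bool   # the AA flag in the response header


Probe = Callable[[str, str], Optional[SoaAnswer]]


def lame_nameservers(zone: str, delegated_ns: list[str], probe: Probe) -> list[str]:
    """Return the delegated name servers that do not answer authoritatively for zone.

    A server is lame if it cannot be reached (probe returns None), returns an
    error code, or answers without the AA flag (it is not serving the zone).
    """
    lame = []
    for ns in delegated_ns:
        answer = probe(zone, ns)
        if answer is None or answer.rcode != "NOERROR" or not answer.authoritative:
            lame.append(ns)
    return lame


# Constructed answers (no real domains or providers): the domain is still
# delegated to a hosting provider's servers, but no zone for it exists there
# any more, so the provider refuses the query. Whoever can create that zone
# at the provider can then serve the domain.
CONSTRUCTED_ANSWERS = {
    ("brand-example.test", "ns1.hosting-provider.example"): SoaAnswer("REFUSED", False),
    ("brand-example.test", "ns2.hosting-provider.example"): SoaAnswer("REFUSED", False),
    ("brand-example.test", "ns1.corp-dns.example"): SoaAnswer("NOERROR", True),
    ("brand-example.test", "ns2.corp-dns.example"): SoaAnswer("NOERROR", True),
}


def offline_probe(zone: str, ns: str) -> Optional[SoaAnswer]:
    """Stand-in for a real SOA query; unknown pairs behave like a timeout."""
    return CONSTRUCTED_ANSWERS.get((zone, ns))


def delegation_status(zone: str, delegated_ns: list[str], probe: Probe = offline_probe) -> str:
    """Summarise a delegation as 'ok' or list the lame servers."""
    lame = lame_nameservers(zone, delegated_ns, probe)
    if not lame:
        return "ok"
    return "lame: " + ", ".join(lame)


if __name__ == "__main__":
    print(delegation_status("brand-example.test",
                            ["ns1.hosting-provider.example", "ns2.hosting-provider.example"]))
    print(delegation_status("brand-example.test",
                            ["ns1.corp-dns.example", "ns2.corp-dns.example"]))
```

For a live check, replace offline_probe with a function that sends an SOA query to each listed server (for instance with dnspython, building the query with dns.message.make_query and sending it with dns.query.udp, then reading the response's rcode() and its AA flag). Even one lame server in an otherwise healthy NS set is worth fixing, since resolvers will hand a share of queries to it.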

A GeoServer vulnerability exposes thousands to remote code execution.

A critical vulnerability in GeoServer, an open-source Java-based software server, exposes thousands of servers to remote code execution (CVE-2024-36401). Hackers can exploit this by sending malicious POST requests, gaining full control over affected servers. Approximately 6,635 GeoServer instances are at risk, impacting sectors like urban planning and emergency response. GeoServer has released patches, and recommends users update immediately.

China proposes a national internet ID.

In China, anonymity online is already challenging due to mandatory phone number verification tied to personal IDs. Now, the government proposes a national internet ID to simplify verification and enhance privacy, aiming to prevent fraud and limit personal data collection by companies. This proposal by the Ministry of Public Security and Cyberspace Administration would be voluntary for websites and apps and open for public comment until August's end.

While some support reduced data collection by multiple apps, critics fear increased government control and surveillance. Legal scholars warn of excessive monitoring, likening the system to the COVID-19 health code app. Concerns include potential harm and fear of using the internet. This proposal has sparked significant online debate, highlighting the tension between privacy protection and social control.

Email attacks surge dramatically in 2024.

Email attacks and ransomware incidents have surged dramatically in 2024, with a 293% rise in email attacks and a 47% increase targeting organizations, according to research published by Acronis. Ransomware remains a critical threat, particularly to SMBs in government and healthcare, with a 32% rise in detections from Q4 2023 to Q1 2024. LockBit, Black Basta, and PLAY are major culprits. Experts advise adopting a zero-trust model, network segmentation, and AI-driven threat detection. Cybercriminals are increasingly using AI for social engineering and automation attacks, making traditional defenses less effective. Acronis recommends enhanced security measures and continuous monitoring to counter these evolving threats.

Columbus, Ohio, thwarts a ransomware attack.

City officials in Columbus, Ohio, say they thwarted an overseas ransomware attack, shutting down much of the city’s technology for 10 days to prevent data encryption. Mayor Andrew Ginther revealed that the attack involved a "sophisticated threat actor" and resulted in potential data theft. The city's Department of Technology, with the FBI and Homeland Security, recommended severing affected systems from the internet, mitigating the risk. The cyber outage affected email, website updates, and emergency dispatch systems. Columbus is restoring services and has strengthened its tech defenses to prevent future attacks.

When it comes to invading your privacy, the Paris 2024 Olympics app goes for the gold.

The Paris 2024 Olympics app is raising significant privacy concerns due to its invasive data collection practices. While marketed as a personal companion for the games, providing schedules, breaking news, medal results, and event insights, the app's capabilities extend far beyond these functions. It tracks users extensively, collecting web browsing history and sharing it with advertisers and big tech companies.

Downloaded over 10 million times, the app requires multiple dangerous permissions, granting it access to deeply personal data on Android devices. The International Olympic Committee (IOC) openly acknowledges collecting personal data, building user profiles, and sharing information with advertisers, including major companies like Facebook, Google, and Apple. This extensive data collection is justified by the IOC as necessary for providing “the best possible experience” for users.

Permissions requested by the Paris 2024 Olympics app include access to precise location, camera, audio, media files, and high sampling rate sensors. These permissions can track detailed user activity and movements, painting a comprehensive picture of the user. The app’s privacy policy outlines extensive use cases for collected data, including fan analysis, marketing activities, user profiling, and targeted advertising.

Security researchers and privacy advocates emphasize the need for users to remain vigilant about the permissions they grant and to revoke unnecessary ones. The widespread use of these invasive apps, combined with state-sponsored threat actors targeting the Olympics, increases the risk of unauthorized access, identity theft, data breaches, and other cyber threats. Users are urged to prioritize their privacy and be cautious about the data they share with apps, especially during high-profile events like the Olympics.

Next on the show, I’m joined by Devo’s Senior Vice President of Engineering and Product Rakesh Nair. We discuss the issues that security teams face when dealing with data control and data orchestration. We’ll be right back.

Welcome back. You can learn more about Devo’s work in this area in the show notes, and if you are out at Black Hat, look them up!

Was it really Windows 3.1 that saved Southwest Airlines?

And finally, our fact-checking desk insisted we check out the story of one man’s journey to debunk a popular rumor that had come to be accepted as fact. 

Thom Holwerda, managing editor at OSNews, was scrolling through the latest tech news when a particular story caught his eye. The headline boldly claimed that Southwest Airlines had escaped the recent CrowdStrike event because they were still using Windows 3.1. The story fit perfectly with the current tech narrative—suggesting that sometimes, older technology is more reliable. Yet, something about it seemed off to Thom.

He delved into the details. The story was widely reported by reputable news outlets and shared extensively on social media. However, Thom’s instincts told him to question its veracity. He began by tracing the claim to its origins—a tweet from Artem Russakovskii stating, “the reason Southwest is not affected is because they still run on Windows 3.1.” The tweet, though widely referenced, provided no sources or additional information.

Digging deeper, Thom found a follow-up tweet from Russakovskii admitting it was a troll: “To be clear, I was trolling last night, but it turned out to be true. Some Southwest systems apparently do run Windows 3.1. lol.” However, this claim was also unsupported by evidence. Thom continued his investigation, tracing the origins further.

His search led him to an article by The Dallas Morning News discussing Southwest’s scheduling system issues around Christmas. The article mentioned that Southwest uses internally built systems like SkySolver and Crew Web Access, which “look historic like they were designed on Windows 95.” These paragraphs had been misinterpreted to suggest that Southwest was still using outdated operating systems.

Thom realized the misunderstanding had snowballed. The article didn’t say Southwest’s systems ran on Windows 3.1 or 95, merely that they appeared outdated. Additionally, these systems were available as mobile apps, indicating they were not based on decades-old technology.

Determined to set the record straight, Thom documented his findings. He highlighted how a single, unsourced tweet had sparked widespread misinformation, compounded by hasty and inaccurate reporting. His fact-checking revealed that, contrary to the viral story, Southwest Airlines’ systems were not running on ancient operating systems.

Thom’s investigation underscored a critical issue in online journalism—reputable sites had failed to perform even basic fact-checking. His thorough, yet straightforward fact-checking process had debunked a widely believed myth in minutes. As he published his findings, Thom hoped his efforts would encourage others to question sensational stories and prioritize accuracy over clicks.

In the end, Thom Holwerda's dedication to truth illuminated the pitfalls of modern media and the importance of diligent journalism, reminding readers that sometimes, the truth is just a few clicks away.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.