The CyberWire Daily Podcast 8.20.24
Ep 2133 | 8.20.24

Cybersecurity on the ballot.

Transcript

The Dem’s 2024 party platform touches on cybersecurity goals. The feds warn of increased Iranian influence operations. A severe security flaw has been discovered in a popular WordPress donation plugin. The Lazarus Group exploits a Windows zero-day to install a rootkit. Krebs on Security takes a closer look at the significant data breach at National Public Data. Toyota confirms a data breach after their data shows up on a hacking forum. A critical Jenkins vulnerability is added to CISA’s Known Exploited Vulnerabilities catalog. Cybercriminals steal credit card info from the Oregon Zoo. Guest CJ Moses, CISO at Amazon, discussing partnership and being a good custodian of the community in threat intel and information sharing. CISA gets new digs.

Today is Tuesday, August 20th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

The Dem’s 2024 party platform touches on cybersecurity goals. 

The Democratic Party kicked off their presidential nominating convention last night, and just ahead of that they released The Democratic Party’s 2024 platform, which includes three key cybersecurity goals. Despite a late-stage switch in the presumptive nominee from President Biden to Vice President Harris, the platform remains largely unchanged. It mentions combating cyber threats within the context of criminal justice, protecting children online, and bolstering military cyber capabilities. Although the platform is brief on cybersecurity, both Harris and her running mate, Governor Tim Walz, have significant records in this area. Harris has focused on cybersecurity in foreign policy, AI safety, and space security, while Walz has issued cybersecurity executive orders and supported data privacy measures. The Harris-Walz campaign hasn’t detailed their cybersecurity strategy yet, but they’re expected to continue the Biden administration’s initiatives. 

The feds warn of increased Iranian influence operations. 

The U.S. government has issued a warning about increased cyber efforts from Iran aimed at influencing upcoming elections. A joint statement from the ODNI, FBI, and CISA revealed that Iran is conducting cyberattacks to access sensitive election-related information, intending to undermine trust in U.S. democratic institutions. The advisory highlights Iran’s heightened interest in this election due to its potential impact on Tehran’s national security, leading to more aggressive cyber activities targeting Presidential campaigns and the public. Recent incidents include an Iranian breach of former President Trump’s campaign, and increased misinformation efforts using platforms like ChatGPT. Microsoft and Meta reports confirm elevated Iranian cyber activities, with Iran being the second most frequent source of foreign interference, following Russia. U.S. authorities urge stakeholders to report suspicious activity and assure the public that election infrastructure remains secure.

A severe security flaw has been discovered in a popular WordPress donation plugin. 

A severe security flaw has been discovered in the popular WordPress donation plugin GiveWP, which has over 100,000 active installations. The vulnerability, classified as an unauthenticated PHP Object Injection leading to Remote Code Execution (RCE), was reported through the Wordfence Bug Bounty Program on May 26th, 2024, and has been assigned CVE-2024-5932 with a maximum CVSS score of 10.0. The flaw allows attackers to inject malicious PHP objects via the ‘give_title’ parameter, potentially leading to remote code execution and file deletion. After attempts to contact the plugin’s developers, StellarWP, Wordfence escalated the issue to WordPress.org. A patched version, 3.14.2, was released on August 7th, 2024. WordPress site administrators are strongly urged to update immediately and perform security audits to mitigate the risk of exploitation.

The Lazarus Group exploits a Windows zero-day to install a rootkit. 

The North Korean Lazarus hacking group exploited a zero-day flaw in the Windows AFD.sys driver, tracked as CVE-2024-38193, to install the FUDModule rootkit on targeted systems. This vulnerability, part of a Bring Your Own Vulnerable Driver (BYOVD) attack, allowed the attackers to gain kernel-level privileges and evade detection by disabling Windows monitoring features. Microsoft patched the flaw during its August 2024 Patch Tuesday, addressing it alongside seven other zero-day vulnerabilities.

The AFD.sys flaw was discovered by Gen Digital researchers, who reported that Lazarus exploited it as a zero-day to infiltrate systems without needing to install older, detectable drivers. The vulnerability’s severity lies in its presence on all Windows devices by default. This attack is believed to be related to a broader campaign targeting Brazilian cryptocurrency professionals. Lazarus is infamous for high-profile cyberattacks, including the 2014 Sony Pictures hack and the 2017 WannaCry ransomware campaign.

Krebs on Security takes a closer look at the significant data breach at National Public Data. 

Krebs on Security takes a closer look at the significant data breach at National Public Data (NPD), a consumer data broker, which exposed the Social Security numbers, addresses, and phone numbers of hundreds of millions of Americans. The breach, dating back to December 2023, was first exploited by a cybercriminal named USDoD, who began selling the stolen data in April 2024. By July, over 272 million records were leaked online. Further investigation revealed that a sister site, RecordsCheck.net, accidentally published usernames and passwords to its back-end database, exposing sensitive information. The breach involved the mishandling of credentials and outdated site versions, further compromising security. The incident underscores the importance of freezing credit files to protect against identity theft, as stolen data is now widely available to cybercriminals.

Toyota confirms a data breach after their data shows up on a hacking forum. 

Toyota confirmed a data breach after a threat actor, ZeroSevenGroup, leaked 240GB of data on a hacking forum. The stolen data includes information on Toyota employees, customers, contracts, financial details, and network infrastructure, which the attackers reportedly accessed using the ADRecon tool. Toyota acknowledged the breach but stated it was limited in scope and not a system-wide issue. They are working with affected individuals but have not disclosed when the breach occurred or how it happened. The files were likely stolen on December 25, 2022. This breach follows several other incidents involving Toyota, including a Medusa ransomware attack in 2022 and multiple data leaks due to cloud misconfigurations, prompting the company to implement automated monitoring systems.

A critical Jenkins vulnerability is added to CISA’s Known Exploited Vulnerabilities catalog. 

A critical vulnerability in the Jenkins CI/CD automation server, tracked as CVE-2024-23897, has been added to CISA’s Known Exploited Vulnerabilities catalog due to its potential for remote code execution (RCE) and theft of sensitive information. The flaw, with a CVSS score of 9.8, was exploited by the RansomEXX ransomware group in a supply chain attack against Brontoo Technology Solutions, impacting C-Edge Technologies’ customers, primarily rural banks in India. Discovered in January 2024 and affecting Jenkins versions 2.441 and earlier, the vulnerability allows attackers to read files on the Jenkins controller system and potentially escalate privileges to execute arbitrary code. Despite the patch released in January, over 28,000 Jenkins servers remain vulnerable as of August 2024. The flaw can also lead to decrypting secrets, deleting items, and accessing sensitive information through various RCE conditions.

Cybercriminals steal credit card info from the Oregon Zoo. 

Cybercriminals stole credit card information from over 100,000 individuals by compromising the Oregon Zoo’s website. The attack, which redirected online transactions to unauthorized actors, occurred between December 20, 2023, and June 26, 2024. The breach was discovered in late June, leading the zoo to decommission its site and investigate. The compromised data includes names, payment card numbers, CVV codes, and expiration dates. In total, nearly 118,000 people were affected (but no animals), and the zoo has notified federal law enforcement and offered credit monitoring services to victims. This incident is part of a broader trend in payment-skimming attacks, where hackers embed malware on e-commerce sites to steal credit card information. The Oregon Zoo is one of several zoological organizations targeted recently, highlighting the ongoing threat posed by e-skimming to online payment systems.


Coming up, we’ve got a conversation that N2K’s Brandon Karpf had with Amazon CISO CJ Moses at re:Inforce 2024. They speak about partnership and being a good custodian of the community in threat intel and information sharing. We’ll be right back.

Welcome back.

CISA gets new digs. 

And finally, the US General Services Administration (GSA) and the Department of Homeland Security (DHS) just handed out a healthy $524 million to build a shiny new headquarters for the Cybersecurity and Infrastructure Security Agency (CISA). Nestled in Washington, DC’s St. Elizabeths West Campus, this new CISA HQ is set to be the crown jewel of cybersecurity, with all the bells and whistles, including a $115 million boost from the Inflation Reduction Act to ensure it’s eco-friendly.

Clark Construction is on the job, with $80 million earmarked for low-carbon materials like eco-friendly asphalt and steel, and another $35 million to hit those high-performance green building standards. The result? A 630,000-square-foot energy-efficient cyber fortress that’ll make other federal buildings green with envy. With features like chilled beams, advanced lighting controls, and a building envelope that’s basically a high tech blanket, CISA’s new digs are setting the bar high—because even cybersecurity needs a swanky, sustainable home.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.