The CyberWire Daily Podcast 8.21.24
Ep 2134 | 8.21.24

Cyberattack cripples major American chipmaker.

Transcript

A major American chipmaker discloses a cyberattack. Cybercriminals exploit Progressive Web Applications (PWAs) to bypass iOS and Android defenses. Mandiant uncovers a privilege escalation vulnerability in Microsoft Azure Kubernetes Services. ALBeast hits ALB. Microsoft’s latest security update has caused significant issues for dual-boot systems. The DOE’s new SolarSnitch program aims to shore up solar panel security. Researchers uncover LLM poisoning techniques. An Iranian-linked group uses a fake podcast to lure a target. Our guest is Parya Lotfi, CEO of DuckDuckGoose, discussing the increasing problem of deepfakes in the cybersecurity landscape. Return to sender - AirTag edition.

Today is Wednesday August 21st 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

A major American chipmaker discloses a cyberattack. 

Microchip Technology Incorporated, a major American chipmaker, has disclosed a cyberattack that disrupted operations across multiple manufacturing facilities. The company, headquartered in Chandler, Arizona, serves approximately 123,000 customers in various sectors, including industrial, automotive, and aerospace. The attack, detected on August 17, 2024, forced Microchip to shut down and isolate affected systems, resulting in reduced manufacturing capacity and impacting its ability to fulfill orders.

In a recent SEC filing, Microchip revealed that an unauthorized party had disrupted its use of certain servers and business operations. The company is currently assessing the damage with the help of external cybersecurity experts while working to restore normal operations. The full extent and impact of the attack are still unknown, and while the filing hints at a possible ransomware incident, no group has yet claimed responsibility. Microchip is also evaluating whether the breach will materially affect its financial condition.

Cybercriminals exploit Progressive Web Applications (PWAs) to bypass iOS and Android defenses. 

Cybercriminals are exploiting Progressive Web Applications (PWAs) to bypass iOS and Android defenses, launching a malicious campaign targeting users in Eastern Europe. These PWAs, which look like legitimate banking apps, are actually just malicious websites packaged as apps. Users are tricked into installing them through phishing links delivered via SMS, social media ads, and automated calls urging them to “update” their banking apps. Once installed, these fake apps mimic real ones but lead to phishing sites where login credentials are stolen. ESET researchers discovered that at least two threat actors are behind this campaign, using different command and control infrastructures. The campaign has primarily affected users in the Czech Republic, Poland, Hungary, and Georgia. ESET warns that this method could lead to more spyware PWAs, as browser APIs allow these fake apps to request access to sensitive device functions.

Mandiant uncovers a privilege escalation vulnerability in Microsoft Azure Kubernetes Services. 

A privilege escalation vulnerability in Microsoft Azure Kubernetes Services (AKS) could have allowed attackers to access sensitive information, such as service credentials used by the cluster, Mandiant reports. The issue affected AKS clusters using Azure CNI for network configuration and Azure for network policy. Attackers with command execution in a pod within the cluster could exploit this vulnerability to download cluster node configurations, extract TLS bootstrap tokens, and access all secrets in the cluster. The flaw could be exploited even without root privileges or hostNetwork enabled. Microsoft resolved the issue after being notified. Mandiant highlights the risk of Kubernetes clusters lacking proper configurations, as attackers could use this vulnerability to compromise the cluster, access resources, and even expose internal cloud services. The flaw also allowed attackers to use the TLS bootstrap token to gain broader access to cluster secrets.

ALBeast hits ALB. 

ALBeast is a critical vulnerability discovered by Miggo Research that allows attackers to bypass authentication and authorization in applications using AWS Application Load Balancer (ALB). This misconfiguration in ALB’s user authentication can lead to unauthorized access, data breaches, and data exfiltration. ALBeast affects applications relying on AWS ALB, especially those not following updated AWS documentation. Attackers can exploit this vulnerability by creating a malicious ALB, forging a token, and manipulating ALB configurations to bypass defenses. Miggo Research identified over 15,000 potentially vulnerable ALBs. AWS addressed the issue by updating authentication documentation and providing guidance to affected organizations. To mitigate the risk, organizations should verify token signers, restrict traffic to trusted ALB instances, and ensure security configurations are aligned with AWS recommendations.
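As an added defender-side example (not code from Miggo Research or AWS), here is how an application behind an ALB can enforce the "verify token signers" mitigation on the x-amzn-oidc-data header: it pins the algorithm, rejects any token whose signer is not the application's own ALB ARN, and derives the public-key URL from the region and kid. The ALB ARN, region and tokens are constructed values, and signature verification is injected so the block runs offline; a real deployment must verify ES256 against the key fetched from that URL and also restrict inbound traffic to the trusted ALB.

```python
import base64
import json
import time
from typing import Callable, Optional

# Constructed values for this example: use the ARN and region of your own ALB.
EXPECTED_SIGNER = ("arn:aws:elasticloadbalancing:us-east-1:111122223333:"
                   "loadbalancer/app/my-alb/0123456789abcdef")
EXPECTED_REGION = "us-east-1"
# AWS-documented endpoint serving the ES256 public key for a given kid.
PUBLIC_KEY_URL = "https://public-keys.auth.elb.{region}.amazonaws.com/{kid}"

def _b64_decode(part: str) -> bytes:
    # ALB may emit padded base64, which strict JWT libraries reject; accept both.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def verify_alb_oidc_data(token: str, expected_signer: str, region: str,
                         verify_signature: Callable[[str, bytes, bytes], bool],
                         now: Optional[float] = None) -> dict:
    """Return the claims of an x-amzn-oidc-data JWT, or raise ValueError."""
    # verify_signature(key_url, signing_input, sig) must check ES256 with the key at key_url (injected to run offline).
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64_decode(header_b64))
    if header.get("alg") != "ES256":  # pin the algorithm; never trust "none"
        raise ValueError("unexpected alg")
    # The ALBeast check: the signer must be OUR load balancer, not just any ALB.
    if header.get("signer") != expected_signer:
        raise ValueError("token not signed by the expected ALB")
    kid = header.get("kid")
    if not isinstance(kid, str) or not kid:
        raise ValueError("missing kid")
    key_url = PUBLIC_KEY_URL.format(region=region, kid=kid)
    signing_input = f"{header_b64}.{payload_b64}".encode()
    if not verify_signature(key_url, signing_input, _b64_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64_decode(payload_b64))
    now = time.time() if now is None else now
    exps = [e for e in (header.get("exp"), claims.get("exp")) if e is not None]
    if any(float(e) < now for e in exps):
        raise ValueError("token expired")
    return claims

def make_token(header: dict, payload: dict) -> str:
    """Constructed test input only: a token carrying a dummy signature."""
    enc = lambda b: base64.urlsafe_b64encode(b).decode()
    return ".".join([enc(json.dumps(header).encode()),
                     enc(json.dumps(payload).encode()), enc(b"dummy-sig")])
```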

Microsoft’s latest security update has caused significant issues for dual-boot systems. 

Microsoft’s latest security update has caused significant issues for dual-boot systems running both Windows and Linux. Intended to fix a two-year-old vulnerability in the GRUB boot loader, the update inadvertently affected dual-boot devices, preventing Linux installations from booting properly. Users have reported “security policy violation” and “something has gone seriously wrong” errors across various Linux distributions, including Ubuntu, Debian, and Linux Mint. The patch was meant to enhance Secure Boot by blocking vulnerable Linux boot loaders, but Microsoft claimed it wouldn’t affect dual-boot systems. Despite this, many users are facing problems, and Microsoft has yet to comment. 

The DOE’s new SolarSnitch program aims to shore up solar panel security. 

The Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) has introduced SolarSnitch, a cybersecurity technology developed by Sandia National Laboratories. SolarSnitch is designed to protect communications within photovoltaic (PV) systems at the grid’s edge by analyzing cyber and physical data in PV smart inverters and using machine learning (ML) to detect potential cyber threats. Funded with $490,000 from DOE’s CESER and the Solar Energy Technologies Office (SETO), the project aims to mature SolarSnitch for commercialization over the next 24 months through real-world testing. The technology is part of a broader effort to secure Distributed Energy Resources (DER) like rooftop solar systems, which are increasingly critical to grid reliability. SolarSnitch is among 50 clean energy projects selected in the Fiscal Year 2024 Technology Commercialization Fund.

Researchers uncover LLM poisoning techniques. 

Developers are increasingly using AI programming assistants to write code, but new research highlights the risks of blindly accepting AI-generated code. A team of researchers from University of Tennessee, Knoxville, Singapore Management University and University of Connecticut uncovered a technique called “CodeBreaker,” which can poison AI models like large language models (LLMs) to suggest vulnerable code that appears benign. This method bypasses static analysis tools and hides malicious code in ways that make it difficult to detect, potentially leading to serious security risks.

The research underscores the importance of developers carefully reviewing AI-generated code, not just for functionality but for security. Developers are urged to maintain a critical approach and to learn prompt engineering techniques to generate secure code. The study builds on previous work showing that AI models can be poisoned by inserting malicious examples into their training data. As AI becomes more integrated into development processes, ensuring the security of these tools and the code they produce is crucial.

An Iranian-linked group uses a fake podcast to lure a target. 

In July 2024, the Iranian-linked threat group TA453 impersonated the Research Director of the Institute for the Study of War (ISW) to target a prominent Jewish figure with a phishing campaign. The attackers used a fake podcast invitation to lure the target, eventually sending a malicious link through DocSend and Google Drive. The final payload, delivered via a ZIP file, included the BlackSmith toolset and the AnvilEcho PowerShell Trojan, designed for intelligence collection. TA453, which overlaps with groups like Microsoft’s Mint Sandstorm and Mandiant’s APT42, uses sophisticated social engineering tactics to build trust with targets before delivering malware. Their advanced toolset, AnvilEcho, consolidates previous malware capabilities into a single script, highlighting the group’s ongoing efforts to refine their cyber espionage techniques in support of Iranian government interests.

A fake podcast…is nothing sacred?

Coming up, we’ve got DuckDuckGoose’s CEO Parya Lotfi talking about the increasing relevance of deepfakes in the cybersecurity landscape. We’ll be right back.

Welcome back.

Return to sender - AirTag edition. 

And finally, our Philately (/fɪˈlætəli/; fih-LAT-ə-lee) desk tells us the sad tale of a pair of postal mail thieves in Santa Maria Valley, California, who thought they were scoring more checks and credit cards, but instead nabbed a package containing an Apple AirTag. A clever and fed-up resident, tired of her mail being stolen, decided to track down the culprits herself by mailing the AirTag to her own address. When the device inevitably disappeared, she promptly alerted the Santa Barbara County Sheriff’s Office, who followed the AirTag’s trail right to the unsuspecting crooks.

The thieves were found with a treasure trove of stolen goods, leading to charges of identity theft and fraud. The Sheriff’s Office praised the victim’s ingenuity, while the thieves likely learned crime really doesn’t pay—especially when your loot comes with a GPS tracker.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.