The CyberWire Daily Podcast 9.4.24
Ep 2143 | 9.4.24

From secure to clone-tastic.

Transcript

Researchers find Yubikeys vulnerable to cloning. Google warns of a serious zero-day Android vulnerability. Zyxel releases patches for multiple vulnerabilities. D-Link urges customers to retire unsupported vulnerable routers. Hackers linked to Russia and Belarus target Latvian websites. The Federal Trade Commission (FTC) reports a sharp rise in Bitcoin ATM-related scams. Dutch authorities fine Clearview AI over thirty million Euros over GDPR violations. Threat actors are misusing the MacroPack red team tool to deploy malware. CISA shies away from influencing content moderation. Our guest is George Barnes, Cyber Practice President at Red Cell Partners and former Deputy Director of NSA, discussing his experience at the agency and now in the VC world. Unauthorized Wi-Fi on a Navy warship leads to court-martial.

Today is Wednesday September 4th 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Researchers find Yubikeys vulnerable to cloning. 

The YubiKey 5, a widely used two-factor authentication device, contains a cryptographic vulnerability that allows it to be cloned if an attacker gains temporary physical access. The flaw, called a side-channel attack, exists in the microcontroller used in YubiKeys and other security devices like smartcards and passports. Researchers from NinjaLab found that YubiKeys running firmware versions before 5.7 are vulnerable due to issues in Infineon’s cryptographic library. This flaw allows attackers to extract secret keys by measuring electromagnetic radiation during authentication.

Cloning the device requires specialized equipment, costing about $11,000, and physical access to the key, making it a highly sophisticated attack. While Yubico has updated its firmware, affected YubiKeys can’t be patched, leaving them permanently vulnerable. The attack is unlikely to be widespread but poses a significant risk in targeted, high-stakes scenarios. Despite the flaw, FIDO-compliant authentication remains one of the most secure methods when used carefully.

Google warns of a serious zero-day Android vulnerability. 

Google has released the September 2024 Android security update, warning users of a serious zero-day vulnerability, CVE-2024-32896. This high-severity flaw affects the Android framework and could lead to local privilege escalation, allowing attackers to gain elevated access without additional execution permissions. The vulnerability was first identified in the June Pixel security update and has since been exploited in limited, targeted attacks. It’s now been added to the U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities Catalog. Google urges all Android users to update their devices immediately to mitigate the risk. In total, the September update addresses ten high-severity vulnerabilities within the Android framework and system.

Zyxel releases patches for multiple vulnerabilities. 

Zyxel has released patches for multiple vulnerabilities in its networking devices, including a critical OS command injection flaw (CVE-2024-7261) affecting 28 access points and one security router model. This flaw, with a CVSS score of 9.8, allows remote, unauthenticated attackers to exploit the devices via crafted cookies. Additionally, Zyxel fixed seven vulnerabilities in its firewall products, with some requiring authentication. A high-severity buffer overflow issue (CVE-2024-5412) impacting over 50 products was also addressed. Patches are available, but some users must contact support for updates.

D-Link urges customers to retire unsupported vulnerable routers. 

D-Link has issued a warning about four remote code execution (RCE) vulnerabilities affecting all hardware and firmware versions of its DIR-846W router. These flaws, three of which are critical and require no authentication, will not be fixed as the product has reached end-of-life (EOL) and is no longer supported. Although no proof-of-concept exploits have been published yet, D-Link advises users to retire the router immediately due to security risks. If replacement is not feasible, users should update the firmware, use strong passwords, and enable Wi-Fi encryption. These vulnerabilities could be exploited by malware botnets like Mirai, making it crucial to secure devices before further exploitation.

Hackers linked to Russia and Belarus target Latvian websites. 

Latvian government and critical infrastructure websites are facing increased cyberattacks from politically motivated hackers linked to Russia and Belarus, according to Latvian cybersecurity officials. The goal is to disrupt access, primarily through distributed denial-of-service (DDoS) attacks, rather than steal sensitive data. The attacks have surged since Latvia’s recent aid package to Ukraine, which includes drones and air defense systems. Hacktivist groups like NoName057(16) have claimed responsibility, openly supporting Russian aggression. Latvia has been targeted frequently since Russia’s invasion of Ukraine, with attacks on government, critical infrastructure, and businesses. Despite being well-prepared, Latvia’s CERT acknowledges the challenge as attackers frequently adapt. These cyberattacks are part of a broader hybrid war aimed at destabilizing society and undermining trust in state institutions.

The Federal Trade Commission (FTC) reports a sharp rise in Bitcoin ATM-related scams. 

The Federal Trade Commission (FTC) reports a sharp rise in Bitcoin ATM-related scams, with consumer losses jumping nearly tenfold since 2020, reaching over $110 million in 2023. In the first half of 2024 alone, scam losses exceeded $65 million, with older adults being particularly targeted. Scammers impersonate government or business officials and pressure victims to deposit cash into Bitcoin ATMs, which then transfer the money directly to the scammers. The median loss in these scams is $10,000. The FTC urges caution and provides tips to avoid falling victim.

Dutch authorities fine Clearview AI over thirty million Euros over GDPR violations. 

The Dutch Data Protection Authority (DPA) has fined Clearview AI €30.5 million for violating the General Data Protection Regulation (GDPR) by building an illegal facial recognition database with billions of photos, including those of Dutch citizens. Clearview automatically scraped these photos from the internet without individuals’ consent and converted them into unique biometric codes. The DPA also issued penalties for non-compliance, potentially adding €5.1 million. The DPA warns Dutch organizations against using Clearview’s services, stating it’s illegal under GDPR. Despite previous fines from other authorities, Clearview has not changed its practices. The Dutch DPA is investigating holding Clearview’s management personally responsible for the violations. 

Threat actors are misusing the MacroPack red team tool to deploy malware. 

Cisco Talos researchers have found that threat actors are misusing a red team tool, MacroPack, to deploy malware via malicious Microsoft documents. These documents, uploaded to VirusTotal between May and July 2024, originated from various countries including China, Pakistan, and Russia. MacroPack, originally intended for red team exercises, generates payloads that can evade anti-malware tools by obfuscating code and renaming variables. The malicious files delivered payloads like the Havoc and Brute Ratel frameworks and a variant of the PhantomCore remote access trojan (RAT). While MacroPack is designed for legitimate security testing, its free version is being exploited for malicious purposes. The documents used different lures, including military themes, leading researchers to conclude that multiple threat actors are leveraging MacroPack to deploy their malware.

CISA shies away from influencing content moderation. 

In a briefing with reporters Tuesday, CISA leaders expressed confidence in the security of U.S. election infrastructure for the 2024 elections, citing significant improvements since 2016. However, the agency will no longer petition social media platforms to remove false or misleading posts about elections. CISA Director Jen Easterly clarified that their role is to address threats to election infrastructure, not content removal. Instead, CISA will focus on collaborating with tech companies and election officials on security measures, while directing voters to accurate information sources. This marks a shift from previous efforts, as the agency faced criticism and legal challenges regarding content moderation. CISA now emphasizes proactive communication by election officials to combat misinformation, citing recent successful coordination in New Hampshire as a model for responding to disinformation campaigns.


Today’s guest is George Barnes. He is Cyber Practice President and Partner at Red Cell Partners, former Deputy Director of NSA, and judge of the 2024 DataTribe Challenge. We discuss his experience on both sides, having been at NSA and now in the VC world. 

We’ll be right back.

Welcome back. You can learn more about the DataTribe Challenge through the link in our show notes. Submit your startup to potentially be selected to be part of a startup competition like no other by September 27, 2024.


Unauthorized Wi-Fi on a Navy warship leads to court-martial. 

And finally, imagine being stuck on a Navy ship in the middle of the ocean with no Wi-Fi. For most sailors, that’s a harsh reality during deployment, but for the chiefs aboard the combat ship Manchester, that wasn’t a problem—they had their own secret Wi-Fi network, lovingly named “STINKY.”

In a plot that sounds straight out of a bad sitcom, senior enlisted leaders, led by then-Command Senior Chief Grisel Marrero, secretly installed a Starlink satellite dish for their private use. While everyone else onboard endured internet deprivation, the chiefs enjoyed streaming, texting, and checking sports scores.

The covert operation involved sneaking the dish onto the ship, setting up payment plans, and even renaming the Wi-Fi to look like a harmless printer network when suspicions arose. But eventually, the jig was up, thanks to a nosy civilian tech installing authorized Navy equipment.

When the truth surfaced, Marrero tried to cover her tracks, even doctoring data charts to hide her internet use. However, she finally confessed and was court-martialed, stripped of rank, and sentenced for her “egregious misconduct.” In the end, the unauthorized Wi-Fi may have helped the chiefs catch up on Netflix, but it posed serious risks to the ship’s security. 

They say “loose lips sink ships,” but in this case, it was loose internet connections that torpedoed the chiefs.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.