The CyberWire Daily Podcast 9.25.24
Ep 2158 | 9.25.24

Blue screen blues.

Transcript

CrowdStrike’s Adam Meyers testifies before Congress. The State Department is set to provide nearly $35 million in foreign aid to strengthen global cybersecurity. Foreign adversaries claim ongoing access to presidential campaign documents. Researchers warn of critical vulnerabilities in fuel tank monitoring systems. Hackers claim a Chrome 2FA feature bypass takes less than ten minutes. Exploiting ChatGPT’s long-term memory. Politicians and staffers find personal data exposed on the dark web. A critical vulnerability in Ivanti’s Virtual Traffic Manager is being actively exploited. On our CertByte segment, Chris Hare is joined by resident Microsoft SME George Monsalvatge to break down a question from N2K’s CompTIA Project+ Practice Test. Don’t click the PDiddy links.

Today is Wednesday, September 25th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

CrowdStrike’s Adam Meyers testifies before Congress.

Yesterday, CrowdStrike’s VP Adam Meyers testified before a U.S. congressional committee to address the July 19 incident where a faulty update to its Falcon sensor software disabled approximately 8.5 million Windows PCs, causing widespread “blue screen of death” (BSOD) errors. The problem arose from a mismatch between input parameters and the Falcon sensor’s rules engine, which led to system failures until the issue was corrected.

CrowdStrike apologized for the disruption, acknowledging that the incident impacted customers like Delta Air Lines, which claims $500 million in losses due to flight cancellations. Meyers detailed CrowdStrike’s efforts to restore affected systems, including deploying automated remediation techniques and providing physical support to reboot machines.

To prevent future incidents, CrowdStrike has implemented enhanced validation and testing processes, phased rollouts of updates, and added runtime safeguards. They have also hired third-party security vendors to review Falcon sensor code and quality control.

Congress also questioned the necessity of granting kernel access to software like Falcon. Meyers defended its importance, emphasizing that kernel-level visibility is essential for detecting threats and preventing tampering. He warned that restricting access could weaken cybersecurity solutions.

CrowdStrike is facing multiple lawsuits as a result of the outage, including from Delta and its own shareholders.

The State Department is set to provide nearly $35 million in foreign aid to strengthen global cybersecurity.

The U.S. State Department’s Bureau of Cyberspace and Digital Policy is set to provide nearly $35 million in foreign aid to strengthen global cybersecurity, particularly among U.S. allies, according to exclusive reporting from The Record. Created in 2022, the bureau aims to lead in international cyber norms, especially as nations like China exert influence. This funding boost, part of a broader strategy outlined in the Biden administration’s national cyber strategy, will support rapid cyber incident response, counter spyware misuse, and enhance undersea cable and cloud security in the Pacific.

The bureau’s flagship project, FALCON, enables rapid deployment of private sector tools to address cyber vulnerabilities for U.S. allies within 48 hours of a request. Additionally, a Pacific Islands undersea cable project, supported by Google and regional governments, will expand digital connectivity and cloud migration.

As demand for cybersecurity assistance grows, the bureau has shifted toward more strategic, flexible funding to improve global resilience against cyber threats and bolster U.S. cyber diplomacy.

Foreign adversaries claim ongoing access to presidential campaign documents.

Hackers linked to Iran’s Islamic Revolutionary Guard Corps (IRGC) reportedly continue to target the Trump campaign. On Sept. 18, the group shared stolen campaign material with journalists, including a letter dated Sept. 15, suggesting ongoing access to campaign documents. The group, tracked as APT42, has previously targeted U.S. political figures, including officials connected to both the Trump and Biden campaigns. Google’s Threat Analysis Group confirmed blocking attempts to access personal emails of high-profile individuals, but at least one political consultant’s Gmail account was compromised.

Meanwhile, the Federal Election Commission (FEC) has expanded rules allowing federal campaign funds to cover physical and cybersecurity measures for candidates, their families, and staff. Approved unanimously on Sept. 19, the new rules enable funds to be used for cybersecurity tools, alarm systems, and other security upgrades. This move responds to increasing digital and physical threats, including recent cyberattacks on Donald Trump’s and Kamala Harris’s campaigns by foreign hackers. The FEC emphasized that spending must be legitimate, avoiding potential abuse of campaign funds for personal gain.

Researchers warn of critical vulnerabilities in fuel tank monitoring systems.

Despite nearly a decade of warnings, critical vulnerabilities in automatic tank gauge (ATG) systems, used in gas stations and critical infrastructure like military bases and airports, remain unaddressed. These systems monitor fuel tank parameters such as volume and temperature, but cybersecurity firm Bitsight recently identified 10 vulnerabilities in six ATG systems from various vendors. Seven of the flaws are rated as critical, including authentication bypass and OS command execution issues, allowing full system access. Bitsight warned that attackers could cause physical damage, such as fuel leaks or relay damage, and monitor or manipulate fuel levels. Thousands of vulnerable ATG devices remain exposed, particularly in the U.S. and Europe. Although some vendors have responded with patches, others have not, leaving these systems at risk. CISA has released advisories, but progress on addressing these vulnerabilities remains limited.

Hackers claim a Chrome 2FA feature bypass takes less than ten minutes.

Google introduced application-bound encryption in Chrome 127 for Windows to prevent cookie-stealing hackers from bypassing two-factor authentication (2FA) using infostealer malware. This security feature ties encrypted data to app identity, making it harder for hackers to access sensitive information. However, multiple infostealer malware developers, including those behind Lumma, Vidar, and Rhadamanthys, claim to have quickly bypassed this new protection. Reports from BleepingComputer confirm that these malware updates can break Chrome’s cookie encryption, effectively rendering 2FA protections useless. Once attackers steal session cookies, they can bypass authentication and gain full access to users’ accounts and sensitive data.

Exploiting ChatGPT’s long-term memory.

Security researcher Johann Rehberger recently uncovered a vulnerability in ChatGPT’s long-term memory feature that could let attackers store false information or malicious instructions. Initially, OpenAI dismissed it as a safety issue rather than a security concern, but Rehberger pressed on, developing a proof-of-concept exploit that grabbed the attention of OpenAI engineers.

ChatGPT’s long-term memory is a feature that remembers user details to provide more personalized responses. Rehberger discovered that attackers could exploit this memory by planting false details—like claiming a user was 102 years old or lived in the Matrix—and ChatGPT would incorporate this into future conversations.

The exploit used indirect prompt injection, allowing malicious content, such as a simple web link, to trigger the attack. OpenAI has since issued a partial fix to prevent data exfiltration, but prompt injections can still manipulate memory. Users should regularly review their ChatGPT memories and be alert for any suspicious changes during sessions to avoid unwanted memory tampering.

Politicians and staffers find personal data exposed on the dark web.

An investigation by Constella Intelligence and Proton revealed that the email addresses and sensitive information of over 4,100 British MPs, EU Parliament members, French politicians, and U.S. political staffers were exposed on the dark web. The data included names, email addresses, home addresses, social media accounts, and 2,545 passwords—some in plaintext. British MPs had the highest exposure, with 68% of their email addresses compromised. The leaks stemmed from breaches of third-party websites like LinkedIn and Dropbox, where politicians used their official emails.

A critical vulnerability in Ivanti’s Virtual Traffic Manager is being actively exploited.

A critical vulnerability in Ivanti’s Virtual Traffic Manager (vTM), CVE-2024-7593, is being actively exploited, marking the third flaw Ivanti customers have been warned about in two weeks. The vulnerability allows remote, unauthenticated attackers to create administrator accounts. Ivanti released patches on August 12 and later acknowledged the existence of a proof-of-concept exploit. Although there have been no public reports of attacks, CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog. Ivanti has provided fixes, recommendations, and indicators of compromise for customers.


We’ve got our CertByte segment up next. N2K’s Chris Hare and George Monsalvatge break down a question from N2K’s CompTIA Project+ (PK0-005) Practice Test.

We’ll be right back.

Welcome back. You can find links in our show notes.

Don’t click the PDiddy links.

And finally, cybercriminals are capitalizing on the latest Sean “Diddy” Combs scandal by spreading a malware strain dubbed PDiddySploit, targeting curious social media users, particularly on X.com (formerly Twitter). Lured by the promise of “deleted” Diddy posts, users are tricked into downloading files that infect their devices with this Trojan. PDiddySploit, a variant of the PySilon RAT malware, allows attackers to steal sensitive data, record screen activity, and remotely control systems.

As usual, cybercriminals know people can’t resist celebrity drama. So, instead of satisfying their curiosity, these users end up with a digital mess on their hands. The scheme is reminiscent of past attacks, where hackers used everything from Oscar movie downloads to nude celebrity leaks as bait. The moral of the story? Think twice before clicking on files promising “exclusive” scandal content—you might get more than you bargained for.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at thecyberwire.com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.