The CyberWire Daily Podcast 9.26.24
Ep 2159 | 9.26.24

Salt Typhoon’s cyber storm.

Transcript

Salt Typhoon infiltrates US ISPs. Researchers hack the connected features in Kia vehicles. WiFi portals in UK train stations suffer Islamophobic graffiti. International partners release a joint guide for protecting Active Directory. A key House committee approves an AI vulnerability reporting bill. India’s largest health insurer sues Telegram over leaked data. HPE Aruba Networking patches three critical vulnerabilities in its Aruba Access Points. OpenAI plans to restructure into a for-profit business. CISA raises the red flag on Hurricane Helene scams. Our guest is Ashley Rose, Founder & CEO at Living Security, on the creation of Forrester’s newest cybersecurity category, Human Risk Management. The FTC says “Objection!” to the world’s first self-proclaimed robot lawyer.

Today is Thursday, September 26th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Salt Typhoon infiltrates US ISPs. 

A Chinese government-linked threat group, Salt Typhoon, has reportedly compromised U.S. internet service providers (ISPs) to collect sensitive information and potentially launch cyberattacks. According to The Wall Street Journal, Salt Typhoon has infiltrated several ISPs’ IT environments in recent months. The Washington Post previously reported similar attacks on major U.S. providers, comparing the tactics to those of another China-linked group, Volt Typhoon, known for targeting critical infrastructure.

Salt Typhoon’s goal is to maintain persistence within ISP networks, enabling long-term access for cyber espionage. This is part of a broader Chinese strategy to infiltrate critical infrastructure and gather valuable information, from user data to communication records. U.S. agencies like CISA, the FBI, and NSA recently disrupted another Chinese botnet, Flax Typhoon, used for DDoS attacks and malware deployment.

Experts warn that Salt Typhoon is just one of many such groups. Cybersecurity leaders expect more nation-state threats targeting ISPs, highlighting the need for enhanced cybersecurity defenses.

Researchers hack the connected features in Kia vehicles.

Security researchers have uncovered a vulnerability in Kia’s web portal, allowing hackers to remotely take control of the connected features in millions of modern Kia vehicles. Exploiting a simple flaw in the portal’s backend, the researchers could reassign control of vehicles from the owner’s smartphone to their own devices. By using this method, they could track the car’s location, unlock doors, honk the horn, or even start the ignition—all by accessing the vehicle identification number (VIN) through the license plate.

While this hack didn’t compromise critical driving functions like steering or brakes, it posed significant privacy, theft, and safety risks. Kia patched the vulnerability after being alerted in June 2023, though the researchers highlight that such security gaps are common across many automakers’ web systems. Similar vulnerabilities have been found in other brands like Honda, Toyota, and Hyundai, exposing a broader issue in the automotive industry’s web security practices.

WiFi portals in UK train stations suffer Islamophobic graffiti. 

Network Rail, the UK body responsible for train infrastructure, is investigating a cybersecurity incident after Islamophobic messages were displayed on Wi-Fi portals at major train stations. The compromised landing page referenced the 2017 Manchester Arena bombings. The issue has affected Wi-Fi services at 20 stations, including London’s major hubs and key stations like Manchester Piccadilly and Birmingham New Street.

Network Rail, British Transport Police (BTP), and Telent, the company managing the Wi-Fi, are investigating. Initial findings suggest the attack involved unauthorized access to a legitimate administrator account at Global Reach, which manages the landing pages. Telent confirmed that no personal data was affected. Experts emphasize the vulnerability of public Wi-Fi and the need for stronger security, especially in critical national infrastructure. The incident remains under investigation by BTP.

International partners release a joint guide for protecting Active Directory. 

The Australian Signals Directorate, CISA, and international partners have released a joint guide titled Detecting and Mitigating Active Directory Compromises, providing strategies to address common techniques used by malicious actors to exploit Active Directory (AD). As the most widely used authentication and authorization system in enterprise IT networks, AD is frequently targeted for privilege escalation and access to sensitive user data. Organizations are urged to review the guide and implement its recommended mitigations to enhance security and reduce the impact of AD compromises.

A key House committee approves an AI vulnerability reporting bill.

The AI Incident Reporting and Security Enhancement Act aims to push the National Institute of Standards and Technology (NIST) to establish a formal process for reporting security vulnerabilities in AI systems. Introduced by Reps. Deborah Ross, Jay Obernolte, and Don Beyer, the bill passed the House Science, Space, and Technology Committee. It directs NIST to include AI systems in the National Vulnerability Database and consult with other agencies to standardize AI security incident reporting. However, implementation depends on available funding, and NIST faces challenges with resource constraints and an increasing number of vulnerabilities. Despite passing by voice vote, concerns were raised about clearly defining AI-related terms and excluding foreign standards organizations from adversarial nations. Proponents plan to push for a full House vote later this year.

India’s largest health insurer sues Telegram over leaked data. 

Indian insurer Star Health has filed a lawsuit against Telegram and a hacker called XenZen after personal data and medical records of policyholders were leaked through chatbots on the messaging platform. The lawsuit also targets U.S.-based Cloudflare, alleging its services were used to host the leaked data. A court in Tamil Nadu granted Star Health a temporary injunction to block chatbots distributing the data in India. This case follows increasing scrutiny of Telegram’s content moderation, with further hearings set for October 25.

HPE Aruba Networking patches three critical vulnerabilities in its Aruba Access Points.

HPE Aruba Networking has patched three critical vulnerabilities (CVE-2024-42505, CVE-2024-42506, CVE-2024-42507) in the Command Line Interface (CLI) of its Aruba Access Points. These flaws could allow unauthenticated attackers to gain remote code execution by sending specially crafted packets to the PAPI management protocol (UDP port 8211). The vulnerabilities affect Aruba Access Points running Instant AOS-8 and AOS-10. Administrators are urged to apply the latest security updates, with temporary workarounds available. No active exploitation or public exploit code has been reported. Other Aruba products remain unaffected.

OpenAI plans to restructure into a for-profit business. 

OpenAI plans to restructure its core business into a for-profit benefit corporation, removing control from its non-profit board to attract investors, sources told Reuters. The non-profit will retain a minority stake, and CEO Sam Altman will receive equity for the first time. The restructuring could raise OpenAI’s valuation to $150 billion and remove the cap on investor returns. While the change may appeal to investors, it raises concerns about the company’s commitment to AI safety and governance in its pursuit of artificial general intelligence (AGI).

Three top leaders at OpenAI resigned on Wednesday amid the company’s ongoing restructuring and funding negotiations. Chief Technology Officer Mira Murati, VP Research Barret Zoph, and Chief Research Officer Bob McGrew announced their departures on X-Twitter. It’s unclear if these executive exits will impact the funding process.

CISA raises the red flag on Hurricane Helene scams. 

As Hurricane Helene bears down on the Gulf Coast of Florida, CISA is raising the red flag about potential cyber threats. After major natural disasters, scammers love to take advantage, sending out fraudulent emails or social media messages loaded with malicious links or attachments. If you see hurricane-related subject lines, emails, or links—think twice before clicking! Also, keep an eye out for sketchy social media posts, texts, or even door-to-door solicitations about storm relief. Stay cautious and keep your cybersecurity guard up!


Up next, my conversation with guest Living Security’s Founder & CEO Ashley Rose about the creation of Forrester’s newest cybersecurity category, Human Risk Management. We’ll be right back.

Welcome back. You can find a link to the Forrester report in our show notes. 

The FTC disbars the world’s first self-proclaimed robot lawyer. 

And finally, an online service named DoNotPay, the self-proclaimed creator of the “world’s first robot lawyer,” has agreed to a $193,000 settlement with the FTC after, well, over-promising on its AI’s legal prowess. Part of the FTC’s new “Operation AI Comply,” the case revealed DoNotPay’s claims—like replacing human lawyers and handling serious legal cases—were more hype than fact. The FTC said DoNotPay hadn’t tested its AI on actual laws or trained it to provide accurate legal advice. Even worse, the company claimed consumers could use its AI to sue for assault or check small business websites for legal violations, but these features didn’t hold up.

In addition to the settlement, DoNotPay must now warn customers about its limitations and can’t claim to replace professional services without evidence. It’s a reminder from the FTC: there’s no “AI loophole” when it comes to deceptive practices, as they also crack down on fake reviews and other AI-powered scams.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.