The CyberWire Daily Podcast 10.15.24
Ep 2169 | 10.15.24

A “must patch” list in the making.

Transcript

CISA adds a Fortinet flaw to its “must patch” list. Splunk releases fixes for 11 vulnerabilities in Splunk Enterprise. ErrorFather is a new malicious Android banking trojan. New evidence backs secure-by-design practices. CISA warns that threat actors are exploiting unencrypted persistent cookies. The FIDO Alliance standardizes passkey portability. Cybercriminals linger on Telegram. On our Industry Voices segment today, our guest is Matt Radolec, Vice President, Incident Response and Cloud Operations at Varonis, discussing how AI amplifies the need for data privacy regulation and opens doors for abuse. We mark the passing of the co-creator of the BBS.

Today is Tuesday October 15th 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

CISA adds a Fortinet flaw to its “must patch” list. 

Around 87,000 IP addresses are potentially vulnerable to a critical Fortinet flaw, which the Cybersecurity and Infrastructure Security Agency (CISA) added to its “must patch” list due to active exploitation, according to the Shadowserver Foundation. 

CISA requires federal agencies to patch this remote code execution vulnerability by October 30, after rating it a 9.8 on the vulnerability scale. Fortinet discovered the flaw internally and issued a fix in February, warning it reduces, but doesn’t fully prevent, exploitation.

Most affected IPs are in Asia (37,778), followed by North America (21,262) and Europe (16,381). It’s unclear if the vulnerability has been used in ransomware attacks, though Fortinet vulnerabilities have been exploited before, including in a Chinese cyber espionage campaign reported by Dutch intelligence in June.

Speaking of Fortinet, their FortiGuard Labs has released a new Threat Intelligence Report that uncovers significant cyber threats targeting the 2024 U.S. Presidential election. The report reveals that phishing scams aimed at voters and donors are on the rise, with threat actors selling phishing kits on the darknet designed to impersonate presidential candidates. These scams seek to steal personal information like names, addresses, and credit card details.

Since the start of 2024, over 1,000 malicious domains related to the election have been registered, many mimicking legitimate fundraising sites. Meanwhile, darknet forums are flooded with U.S. personal data, including Social Security numbers and login credentials, posing a serious risk of fraud and phishing attacks.

Ransomware attacks against U.S. government agencies have spiked by 28%, threatening the integrity of the election process. Fortinet emphasizes the need for strong cybersecurity measures, including multi-factor authentication and regular software updates, to protect against these growing threats.

Splunk releases fixes for 11 vulnerabilities in Splunk Enterprise. 

Splunk has released fixes for 11 vulnerabilities in Splunk Enterprise, including two high-severity flaws leading to remote code execution on Windows systems. The most critical, CVE-2024-45733 (CVSS 8.8), affects Windows instances and allows remote code execution for users without ‘admin’ or ‘power’ roles. Another flaw, CVE-2024-45731 (CVSS 8.0), allows arbitrary file writing, potentially enabling malicious code execution. Recent Splunk Enterprise versions resolve these issues, along with other medium-severity flaws affecting JavaScript code execution, password exposure, and system crashes.

ErrorFather is a new malicious Android banking trojan. 

A new malicious campaign, dubbed “ErrorFather,” is deploying a Cerberus-based Android banking trojan, according to Cyble. From mid-September to late October 2024, Cyble’s research identified 15 malicious apps posing as Chrome and Play Store applications. The trojan uses a multi-stage infection chain to target financial and social media apps, leveraging keylogging, overlay attacks, and virtual network computing (VNC). Cerberus, first seen in 2019, is known for stealing banking credentials and personal information. Despite its age, ErrorFather has modified Cerberus’ code to evade detection. The campaign employs a Telegram bot for communication and uses a domain generation algorithm (DGA) for resilient command and control (C2) operations. Cyble recommends using official app stores, antivirus software, strong passwords, multi-factor authentication, and biometric security to mitigate the risk. The campaign remains active with its C2 server still operational.

In related news, Zimperium has identified 40 new variants of the TrickMo Android banking trojan, tied to 16 droppers and 22 command and control infrastructures. These variants feature Android PIN theft, OTP interception, screen recording, and data exfiltration. TrickMo, active since 2019, abuses the Accessibility Service to steal banking credentials through phishing overlays. A fake lock screen mimics the Android unlock prompt to capture PINs. At least 13,000 victims have been exposed, mostly in Canada, the UAE, Turkey, and Germany. TrickMo spreads via phishing, and Google Play Protect offers some defense.

New evidence backs secure-by-design practices. 

A new report from Secure Code Warrior reveals that training developers in secure-by-design practices can reduce software vulnerabilities by over 50%. Analyzing data from 600 enterprises over nine years, the report found organizations with more than 7,000 developers saw a 47% to 53% decrease in vulnerabilities. This supports the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) push for secure-by-design development, part of a broader national cybersecurity strategy. The report also highlights that secure-by-design practices are more effective when mandated by executives or regulations. While the financial services sector leads in adopting these practices, other critical infrastructure sectors like healthcare and defense are progressing. However, the energy and communications sector wasn’t included due to fewer active developers. The National Institute of Standards and Technology notes that fixing software defects during testing can be up to 100 times more costly than secure-by-design approaches.

CISA warns that threat actors are exploiting unencrypted persistent cookies. 

CISA warns that threat actors are exploiting unencrypted persistent cookies in F5 BIG-IP’s Local Traffic Manager (LTM) to map out internal network devices. These cookies, used for session persistence in load balancing, contain encoded IP addresses and other sensitive details about internal servers. When unencrypted, attackers can identify vulnerable devices, potentially leading to network breaches. F5 BIG-IP administrators are urged to encrypt these cookies, a feature available since version 11.5.0. Encryption prevents attackers from leveraging the cookie data for network discovery. CISA also recommends using F5’s diagnostic tool, BIG-IP iHealth, to identify misconfigurations. Administrators can enforce AES-192 encryption to secure all persistent cookies, reducing the risk of exploitation during cyberattacks.
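As an added example (not from the briefing, CISA or F5), here is a small Python audit that scans Set-Cookie headers from your own BIG-IP-fronted application's responses and flags any persistence cookie that is still in a cleartext encoding; the regexes approximate F5's documented plaintext layouts and are this example's own assumption, and the sample headers are constructed.

```python
import re
from typing import Dict, List

# Cleartext BIG-IP persistence cookie layouts. These regexes approximate F5's
# documented plaintext encodings and are an assumption of this example; they
# only recognise the shape of the value and never decode the address inside.
PLAINTEXT_PATTERNS = {
    "ipv4":    re.compile(r"^\d{1,10}\.\d{1,5}\.0000$"),
    "ipv4_rd": re.compile(r"^rd\d+o0{20}ffff[0-9a-f]{8}o\d{1,5}$", re.I),
    "ipv6":    re.compile(r"^vi[0-9a-f]{32}\.\d{1,5}$", re.I),
    "ipv6_rd": re.compile(r"^rd\d+o[0-9a-f]{32}o\d{1,5}$", re.I),
}
COOKIE_RE = re.compile(r"^(BIGipServer[^=;\s]*)=([^;\s]*)", re.I)

def classify_cookie(value: str) -> str:
    """Name the cleartext layout a cookie value matches, or 'opaque' when it
    matches none of them (an encrypted cookie falls into 'opaque')."""
    for name, pat in PLAINTEXT_PATTERNS.items():
        if pat.match(value):
            return name
    return "opaque"

def audit_set_cookie_headers(headers: List[str]) -> List[Dict[str, object]]:
    """Report every BIG-IP persistence cookie found in Set-Cookie header values
    and whether it is still unencrypted (i.e. in a recognised cleartext layout)."""
    findings: List[Dict[str, object]] = []
    for raw in headers:
        m = COOKIE_RE.match(raw.strip())
        if not m:
            continue  # not a BIG-IP persistence cookie
        name, value = m.group(1), m.group(2)
        kind = classify_cookie(value)
        findings.append({"cookie": name, "encoding": kind,
                         "unencrypted": kind != "opaque"})
    return findings

if __name__ == "__main__":
    # Constructed sample headers; not captured from any real system.
    SAMPLE = [
        "BIGipServerpool_web=1677787402.36895.0000; path=/",
        "BIGipServerpool_app=rd5o00000000000000000000ffffc0000201o80; path=/",
        "BIGipServerpool_v6=vi20010112000000000000000000000030.20480; path=/",
        "BIGipServerpool_enc=!dGhpcyBpcyBhIGNvbnN0cnVjdGVkIGV4YW1wbGU=; path=/",
        "sessionid=abc123; HttpOnly",
    ]
    for f in audit_set_cookie_headers(SAMPLE):
        print("UNENCRYPTED" if f["unencrypted"] else "ok", f["cookie"], f["encoding"])
```

An "opaque" result only means the value is not in a known cleartext layout; confirm the persistence profile's cookie encryption setting on the BIG-IP itself rather than trusting the cookie's appearance.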

The FIDO Alliance standardizes passkey portability. 

The FIDO Alliance, in collaboration with companies like 1Password, Bitwarden, Dashlane, Google, Microsoft, Apple, and Samsung, is standardizing how password managers can make passkeys portable across providers. This effort aims to accelerate passkey adoption, improving security and user experience. With over 12 billion online accounts now accessible via passkeys, the benefits are significant: passkeys reduce phishing, prevent credential reuse, and improve sign-in success rates by 20%, while being 75% faster than traditional passwords or SMS-based two-factor authentication.

Cybercriminals linger on Telegram. 

Despite Telegram founder Pavel Durov’s arrest and his commitment to combat illegal activities on the app, many cybercriminals are expected to remain on the platform, according to Intel 471 researchers. While some hacker groups are exploring alternatives like Jabber, Tox, and Signal, Telegram’s convenience and extensive reach make it hard to leave. Its robust features, such as large group chats, bots, and customizable tools, are unmatched by other platforms. Though Durov pledged increased cooperation with law enforcement and stricter moderation, a mass exodus of criminals hasn’t occurred. Some groups, like Bl00dy ransomware, have left, but most are still using Telegram due to its popularity. Researchers will continue tracking cybercriminal activity across various platforms, while Telegram prepares to handle an influx of law enforcement requests targeting the worst offenders.


On our Industry Voices segment today, our guest is Matt Radolec, Vice President, Incident Response and Cloud Operations at Varonis. Matt shares how AI amplifies the need for data privacy regulation and opens doors for abuse.

We’ll be right back.

Welcome back. 

We mark the passing of the co-creator of the BBS.

Ward Christensen’s passing feels like the closing of a chapter for those of us who remember the early days of online communication. Ward, alongside his friend Randy Suess, invented the first computer bulletin board system (BBS) in 1978, and with that, they gave many of us our first taste of the online world. Before the internet became what it is today, BBSes were the gateway to connect with others, share files, and explore early online communities. Ward’s creation was a lifeline for hobbyists, gamers, and tech enthusiasts, opening up a world where you could dial in, leave a message, and feel a part of something larger.

Born out of a snowstorm, the idea for the first BBS came when travel to their Chicago computer club was impossible. Ward’s technical brilliance combined with Randy’s hardware expertise, and in a matter of weeks, they built the system that would change the way people communicated. Ward wrote the software, which allowed users to dial into a dedicated machine, leave messages, share files, and even play games—a virtual push-pin board for the digital age. And they didn’t keep it to themselves; they openly shared the concept, sparking a wave of innovation that led to the development of countless other BBSes.

For those of us who were there, these BBS systems weren’t just technical achievements—they were community. They introduced us to the power of connecting with others across distances, and for many, they were the first brush with what would later become the internet. Ward’s influence can still be felt today in everything from multiplayer gaming to online forums.

Ward never sought fame or recognition, even as his creation laid the groundwork for so much of our digital world. While he enjoyed a long career at IBM, Ward never flaunted his role in shaping online communication. He was quiet, unassuming, and content to let others shine, despite his monumental contributions. Jason Scott, who interviewed Ward for BBS: The Documentary, said it best: “Ward was the quietest, pleasantest, gentlest dude.”

Though he’s gone, Ward’s spirit of openness and sharing will live on. His decision to make his work freely available to others is a legacy we should all honor. He didn’t just create technology; he created a culture of generosity that still influences how we think about the digital world. As we say goodbye to Ward, we remember him not just as an innovator, but as a pioneer who made the online world a little more connected, a little more generous, and a lot more fun. Rest in peace, Ward—you’ve earned it.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.