Podcasts
CyberWire Daily
Ep 2176
The CyberWire Daily Podcast 10.24.24
Ep 2176 | 10.24.24

A giant FortiJump for cybercriminals.

Show Notes
Transcript

Fortinet confirms a recently rumored zero-day. Officials investigate how restricted chips ended up in products from Huawei. The White House unveils a coordinated AI strategy for national security. Researchers jailbreak LLMs with Deceptive Delight. A new ransomware group exploits vulnerable device drivers. Sensitive documents from a UN trust fund are leaked online. Penn State pays over a millions dollars to settle allegations of inadequate security in government contracts. CISA adds a SharePoint vulnerability to its Known Exploited Vulnerabilities Catalog. A Microsoft report warns of growing election disinformation. On our industry voices segment, Eric Herzog, CMO of Infinidat, discusses merging cybersecurity and cyber storage resilience. China is shocked - shocked! - that its space program has drawn the attention of foreign spies. 

 

Today is Thursday October 24th 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Fortinet confirms a recently rumored zero-day. 

For over a week, rumors of a zero-day vulnerability in Fortinet’s FortiManager have been circulating online. Today, the flaw, dubbed “FortiJump” (CVE-2024-47575), was officially disclosed by Fortinet, confirming it has been actively exploited since June 2024. The vulnerability, a missing authentication issue in the FortiGate to FortiManager Protocol (FGFM) API, allows attackers to execute commands on FortiManager servers and steal data from managed FortiGate devices.

Cybersecurity firm Mandiant revealed that a threat actor, tracked as UNC5820, has been exploiting the flaw in attacks affecting more than 50 servers. Attackers used their own FortiManager and FortiGate devices with valid certificates to register on vulnerable FortiManager servers. Once connected, even in an unauthorized state, these devices could access sensitive data, including configuration details and hashed passwords of managed devices.

Fortinet has released patches and advised customers to restrict IP connections and block unauthorized FortiGate devices. The company’s advisory includes mitigation measures, indicators of compromise, and logs to help detect affected systems. Organizations are urged to apply these patches and update credentials to prevent further breaches. So far, no additional malicious activity has been reported since the initial attacks.

Officials investigate how restricted chips ended up in products from Huawei. 

Taiwan Semiconductor Manufacturing Co. (TSMC) discovered this month that chips it made for a specific client ended up in Huawei Technologies products, potentially violating U.S. sanctions aimed at restricting technology to the Chinese company. TSMC halted shipments to the client in mid-October and notified both U.S. and Taiwanese authorities. It’s unclear if the client was working on behalf of Huawei or where they are based, but the incident raises questions about how Huawei accessed advanced chips despite sanctions.

Huawei, blacklisted since 2020, has relied on Semiconductor Manufacturing International Corp. (SMIC) for chip production. However, recent reports suggest Huawei’s latest AI servers contain processors made by TSMC. TSMC had previously stated it stopped all shipments to Huawei in 2020. U.S. officials are now investigating whether third-party distributors played a role in bypassing export restrictions. This development adds pressure on TSMC and the U.S. Bureau of Industry and Security to address potential loopholes in export controls.

The White House unveils a coordinated AI strategy for national security. 

The Biden-Harris administration has announced a coordinated strategy to harness the potential of artificial intelligence (AI) to strengthen U.S. national security. This initiative involves a multi-agency approach to managing AI’s risks and benefits, focusing on its application in defense, intelligence, and broader security contexts.

Key elements include a new National Security Memorandum that will guide the Department of Defense and intelligence agencies on AI use, emphasizing safety, governance, and risk management. The plan aims to ensure the U.S. remains a global leader in AI while safeguarding against adversarial threats. Additionally, the administration is encouraging public consultation to assess dual-use AI models, which could be repurposed for both civilian and military use.

These efforts align with broader strategies to ensure that AI development is responsible, transparent, and secure, positioning the U.S. to face emerging global AI challenges.

Researchers jailbreak LLMs with Deceptive Delight. 

Researchers from Palo Alto Networks’ Unit 42 have uncovered a new jailbreak method for large language models (LLMs) called “Deceptive Delight,” with a success rate of 65% after just three interactions. The method was tested on 8,000 cases across eight anonymized models. It works by asking the LLM to logically connect two benign topics with an unsafe one, like linking a family reunion and childbirth to creating a Molotov cocktail. A second step elaborates on these topics, often leading the model to generate harmful content. A third interaction further increases success rates and content harmfulness by over 20%.

While LLMs remain resilient even with content filters disabled, Unit 42 found that successful jailbreak attempts can increase the quality and relevance of harmful outputs. To counter such attacks, researchers recommend using robust content filters and clear system prompts to reinforce model boundaries and prevent unsafe outputs.

A new ransomware group exploits vulnerable device drivers. 

A new ransomware group known as Embargo is developing advanced tools to bypass security defenses, including a method that exploits driver vulnerabilities to disable endpoint detection and response (EDR) systems. Discovered by ESET researchers, Embargo first emerged in April 2024 and uses a ransomware-as-a-service (RaaS) model, allowing affiliates to keep up to 80% of extortion payments.

The group employs two primary tools: MDeployer, a custom loader, and MS4Killer, which targets security systems by exploiting vulnerable drivers. Both tools are written in Rust, a language known for its efficiency and cross-platform capabilities, allowing the malware to target Windows and Linux systems. Embargo’s attacks involve rebooting compromised systems into Safe Mode, disabling most security protections. The group is actively refining its toolkit, with researchers noting multiple versions of these tools in various attacks. Embargo claims victims across several sectors, including healthcare and finance.

Sensitive documents from a UN trust fund are leaked online. 

Cybersecurity researcher Jeremiah Fowler discovered a major data leak exposing over 115,000 sensitive documents from the UN Trust Fund to End Violence against Women. The unprotected database, lacking password security, contained 228 GB of data, including personal information, financial records, and victim testimonies. This breach poses severe privacy risks, making individuals vulnerable to identity theft, phishing, and blackmail. The UN Women agency secured the database after being notified, but the incident underscores the importance of robust cybersecurity for humanitarian organizations.

Penn State pays over a millions dollars to settle allegations of inadequate security in government contracts. 

Pennsylvania State University (Penn State) has agreed to pay $1.25 million to settle allegations of failing to comply with cybersecurity requirements in over a dozen contracts with the Department of Defense (DoD) and NASA. The settlement stems from a qui tam lawsuit filed by Matthew Decker, a former CIO at Penn State’s Applied Research Laboratory, under the False Claims Act. The lawsuit claimed Penn State did not meet the Defense Federal Acquisition Regulation Supplement (DFARS) standards, including implementing required security controls under NIST SP 800-171. The university also allegedly misrepresented its compliance timelines and failed to use a NASA-compliant cloud service provider. As part of the settlement, $250,000 will go to Decker, and $150,000 will cover his legal fees. This case follows similar cybersecurity noncompliance allegations against Georgia Tech.

CISA adds a SharePoint vulnerability to its Known Exploited Vulnerabilities Catalog. 

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-38094, a Microsoft SharePoint deserialization vulnerability, to its Known Exploited Vulnerabilities Catalog. This flaw, disclosed in July 2024, has a CVSS score of 7.2 and is rated “Important” by Microsoft. It allows unauthorized remote code execution by exploiting deserialized untrusted data. CISA’s inclusion of this vulnerability highlights its potential risk, urging federal agencies to address it under Binding Operational Directive 22-01. 

A Microsoft report warns of growing election disinformation. 

Microsoft has warned that Russia, China, and Iran are actively targeting the 2024 U.S. elections with evolving disinformation campaigns. These efforts aim to undermine public trust in election integrity and destabilize U.S. politics. Russian operatives focus on character attacks, including AI-generated content like deepfakes, while China targets congressional races and critics of its policies. Iran is leveraging anti-Israel sentiment. Microsoft’s report emphasizes the risks in the final days before and after the election, urging vigilance against these sophisticated foreign influence operations .

For further insights into Disinformation and Misinformation in the U.S. election, check out our 3-part mini-series, DisMis. Rick Howard sits down with election experts to navigate the 2024 Presidential election's information storm, offering a toolkit to help you distinguish between deceptive narratives and legitimate content in today’s rapidly shifting election security landscape. It is worth your time. 
Today, we’ve got Infinidat’s Eric Herzog on our Industry Voices segment. Eric and I discussed merging cybersecurity and cyber storage resilience. 

We’ll be right back

Welcome back

China is shocked - shocked! - that its space program has drawn the attention of foreign spies. 

And finally, our T-Minus Space Daily desk informs us that China is now claiming that its space program is under relentless attack by foreign spies—an audacious and laughable assertion, given China’s own well-documented efforts to siphon off technology from other nations for years. This latest warning, coming from China’s Ministry of State Security, accuses foreign agents of trying to steal space-related information, supposedly jeopardizing its “peaceful” ambitions in space. The irony is thick: China, with its history of espionage targeting aerospace programs worldwide, is now playing the victim. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

 

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

 

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.

CyberWire Daily
Podcast Info
HOST(S):
Dave Bittner
Dave Bittner is a security podcast host and one of the founders at CyberWire. He's a creator, producer, videographer, actor, experimenter, and entrepreneur. He's had a long career in the worlds of television, journalism and media production, and is one of the pioneers of non-linear editing and digital storytelling.
Schedule: Monday-Friday
Creator: CyberWire, Inc.
ADVERTISEMENT
Sponsored by Infinidat
Sponsored by Infinidat

Infinidat is a leading provider of cyber resilient storage solutions. Infinidat provides comprehensive cyber storage resilience and recovery capabilities that improve the ability of an enterprise to combat and protect against ever-increasing cyberattacks and data breaches by combining automated cyber protection, immutable snapshots, logical air gapping, a fenced forensic environment, cyber detection, and virtually instantaneous data recovery. Learn more.