
Securing democracy.
Chinese hacking into US telecoms draws federal scrutiny. ESET examines Evasive Panda’s CloudScout toolset. A new ChatGPT jailbreak bypassed security safeguards. Nintendo warns users of a phishing scam. The Five Eyes launch the Secure Innovation initiative for startups. CISA releases “Product Security Bad Practices” guidelines. Apple’s new bug bounty program offers a million bucks for critical vulnerabilities. The City of Columbus drops its suit against a cybersecurity researcher. On our Solution Spotlight today, N2K’s Simone Petrella speaks with Chris Porter, CISO at Fannie Mae, on cultivating cybersecurity culture and talent. Spooky spam is back.
Today is Tuesday October 29th 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Chinese hacking into US telecoms draws federal scrutiny.
The U.S. Cyber Safety Review Board (CSRB) will investigate Chinese hacking into U.S. telecom networks, which may have targeted presidential campaign communications ahead of the 2024 elections. This scrutiny follows reports of a Chinese state-sponsored operation, “Salt Typhoon,” focused on surveillance of U.S. political figures, including Republican presidential nominee Donald Trump and his running mate, JD Vance. The Washington Post recently reported that hackers collected unencrypted call and text data but may not have breached encrypted channels like Signal.
This inquiry will be the CSRB’s fourth major investigation, building on its April 2023 report that criticized Microsoft’s cybersecurity lapses. Federal agencies, including the FBI and CISA, swiftly notified affected telecom companies to mitigate further risks. Despite the probe, officials have not confirmed if these intrusions were intended to influence election outcomes.
Security concerns are intensifying as the election approaches, with threats also reportedly emerging from Iran and Russia. Congress has demanded accountability from telecom giants, urging them to address systemic vulnerabilities. Homeland Security has warned that risks to election security may persist through 2025, with the potential for adversaries to exploit any perceived election irregularities.
ESET examines Evasive Panda’s CloudScout toolset.
Research from ESET examines the CloudScout toolset, which the Chinese state-aligned group Evasive Panda used against Taiwanese entities in 2022–2023, including a government body and a religious organization. CloudScout, integrated with the group’s MgBot malware, hijacks authenticated sessions by replaying stolen browser cookies to access data from cloud services such as Google Drive, Gmail, and Outlook. Analysis revealed three CloudScout modules designed for these services, while several additional modules likely target other platforms.
Evasive Panda’s long history of cyberespionage, especially in regions opposing Chinese interests, reflects their advanced capabilities. The group frequently uses sophisticated tactics like watering-hole attacks and supply-chain compromises to gain access to sensitive data. CloudScout modules leverage hardcoded details and are tailored to the Taiwanese context, making their activity highly specific and potentially difficult to counter. Security advances in Chrome, like App-Bound Encryption, could eventually limit CloudScout’s effectiveness by preventing cookie theft.
A new ChatGPT jailbreak bypassed security safeguards.
Mozilla’s 0Din bug bounty program recently revealed a new jailbreak that bypasses ChatGPT’s safeguards by encoding malicious instructions in hexadecimal. Disclosed by Marco Figueroa, 0Din’s manager, the jailbreak could allow ChatGPT to produce unauthorized content, such as a Python exploit for a published CVE, despite standard restrictions. Mozilla’s 0Din, launched in June 2024, rewards researchers for identifying vulnerabilities in AI models, such as prompt injection and data poisoning, with bounties up to $15,000 for critical findings.
This jailbreak involved not only hexadecimal encoding but also alternative techniques like emoji encoding to produce restricted outputs, highlighting that the model’s safety filters judge the surface text of a prompt and do not reliably recognize the same instruction once it is encoded. OpenAI appears to have patched these vulnerabilities, as attempts to reproduce the jailbreak failed.
Apple’s new bug bounty program offers a million bucks for critical vulnerabilities.
Apple has launched an ambitious bug bounty program, offering up to $1 million for identifying vulnerabilities in its Private Cloud Compute (PCC) servers, which power intensive AI tasks for Apple Intelligence. This initiative focuses on strengthening the security of Apple’s PCC architecture, which Apple describes as the most advanced cloud AI security infrastructure deployed at scale. In addition to the bug bounty, Apple introduced a Virtual Research Environment (VRE) that gives researchers access to PCC software, enabling in-depth security analysis. Apple’s detailed security guide and rewards structure support the program, with payouts ranging from $50,000 for minor data disclosure issues to $250,000 for access to sensitive data and $1 million for the most severe vulnerabilities. Apple’s aim is to engage the security community actively in safeguarding its AI cloud services.
Nintendo warns users of a phishing scam.
Nintendo has warned users about a phishing scam involving emails that mimic official communications from the company. These fraudulent emails, sent from third-party addresses, contain links to malicious sites aimed at stealing user information. Nintendo advises users to delete suspicious emails immediately and avoid clicking any embedded links. If users suspect their accounts are compromised, they should change their passwords and enable two-factor authentication.
The Five Eyes launch the Secure Innovation initiative for startups.
The Five Eyes alliance—comprising the UK, US, Canada, New Zealand, and Australia—has launched the Secure Innovation initiative to help tech startups bolster their cybersecurity in response to increasing state-backed cyber threats. Originally a UK project by the National Cyber Security Centre (NCSC) and MI5, Secure Innovation now extends to all Five Eyes members. This program offers startups personalized action plans for protecting technology and reputation, along with guidance for founders and investors.
Prompted by escalating cyber-espionage risks from countries like China, the program aims to counteract intellectual property theft targeting innovative tech ventures. MI5’s director, Ken McCallum, emphasizes that this collaboration with international allies strengthens global cybersecurity for startups. The UK reports that over 500 startups have already used Secure Innovation to create tailored security plans.
CISA releases “Product Security Bad Practices” guidelines.
At the ACT-IAC’s Imagine Nation ELC 2024 conference in Hershey, PA, CISA’s Rina Rakipi highlighted the agency’s progress on the secure-by-design initiative, emphasizing its success in signing over 230 vendors who committed to bolstering cybersecurity in software development. Rakipi shared the agency’s enthusiasm for the year-and-a-half-old program, noting its focus on eliminating common software weaknesses, like default passwords and a lack of multi-factor authentication (MFA) support.
Rakipi’s session introduced CISA and the FBI’s new “Product Security Bad Practices” guidelines, which catalog risky practices in three areas: product properties, security features, and organizational processes and policies. She explained that this guide is open for public comment and is intended to help developers avoid security pitfalls in software creation. Keelan Sweeney, CISA’s IT sector chief, expanded on this by advocating for memory-safe languages, citing the frequently quoted finding that memory-safety bugs account for roughly 70% of vulnerabilities in large C and C++ code bases.
Both Rakipi and Sweeney underscored the agency’s proactive stance, with Rakipi likening secure software to essential car safety features like airbags, which should be built-in and not added as an afterthought.
The City of Columbus drops its suit against a cybersecurity researcher.
After being sued by the City of Columbus over revealing a data leak, cybersecurity researcher Connor Goodwolf reached an agreement that led to the case’s dismissal. The city had initially sought over $25,000 in damages, accusing Goodwolf of violating confidentiality after he showed that sensitive city data leaked on the dark web was unencrypted and usable, contrary to Mayor Andrew Ginther’s assurances. The lawsuit will now be dismissed with prejudice, preventing future claims on the same grounds. However, Goodwolf must adhere to a permanent injunction that limits the data he may share to public records approved by the city. Following the dismissal, Goodwolf expressed hope for better communication methods in Columbus for handling security disclosures, noting that the city’s response had strained its relationship with the cybersecurity community.
On our Solution Spotlight today, N2K’s Simone Petrella speaks with Chris Porter, CISO at Fannie Mae, on cultivating cybersecurity culture and talent. We’ll be right back.
Welcome back. You can hear Simone and Chris’ full conversation in our special edition podcast. There’s a link in our show notes.
Spooky spam is back.
And finally, Halloween-themed spam is back, and it’s out for more than candy. Bitdefender reports that 40% of these spooky emails contain tricks instead of treats, with phishing links ready to swipe personal info faster than you can say “Boo!” In early October, spam surged 18% as cyber scammers dressed up as costume stores and giveaway hosts. Emails boasting “mystery box giveaways” or “frightening discounts” entice eager shoppers to click, only to find themselves caught in a web of malicious links.
Bitdefender’s Alina Bizga warns that, while shoppers hunt for last-minute costume deals, cyber spooks are lurking, ready to grab credit card details. The U.S. is the haunted house of Halloween spam, sending 83% of this junk mail, with 71% landing in American inboxes.
Meanwhile, Sean McNee of DomainTools jokes that scammers “trick” customers with fake discounts from familiar stores like Spirit Halloween, only to swap their costumes for malware. So, remember: if it seems too good to be true, it might be a ghostly scam in disguise!
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.