CISA issues urgent warning.
CISA issues a warning about a critical security flaw in Palo Alto Networks’ Expedition tool. A federal agency urges employees to limit phone use in response to Chinese hacking. Law enforcement is perplexed by spontaneously rebooting iPhones. A key supplier for oilfields suffers a ransomware attack. Hewlett Packard Enterprise (HPE) patches multiple vulnerabilities in its Aruba Networking access points. Cybercriminals use game-related apps to distribute Winos4.0. Germany proposes legislation protecting security researchers. The TSA proposes new cybersecurity regulations for critical transportation infrastructure. Our guest is Aaron Griffin, Chief Architect from Sevco Security, sharing the discovery of a significant Apple iOS bug involving iPhone Mirroring. AI tries to wing it in a Reddit group, but moderators put a fork in it.
Today is Friday, November 8th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
CISA issues a warning about a critical security flaw in Palo Alto Networks’ Expedition tool.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a critical security flaw (CVE-2024-5910) in Palo Alto Networks’ Expedition tool, used for firewall migration and configuration. The flaw, classified as a “Missing Authentication” vulnerability (CWE-306), enables attackers with network access to potentially hijack the Expedition admin account. This could grant cybercriminals access to sensitive configuration data, including credentials and highly privileged information.
CISA stresses that the vulnerability poses a significant risk due to the level of access it grants, although there is no confirmation yet of active exploitation. Organizations using the Expedition tool are urged to apply Palo Alto’s recommended mitigations. If these aren’t feasible, CISA advises discontinuing the tool’s use to prevent potential compromise. The deadline for federal agencies addressing this vulnerability is November 28, as CISA emphasizes immediate action to mitigate any potential threat.
A federal agency urges employees to limit phone use in response to Chinese hacking.
Following a recent hack of U.S. telecommunications infrastructure by suspected Chinese operatives, the Consumer Financial Protection Bureau (CFPB) issued a directive urging employees to avoid using mobile phones for work-related matters. According to the Wall Street Journal, an email sent Thursday from the CFPB’s chief information officer advised that sensitive internal and external meetings should be conducted only on secure platforms like Microsoft Teams or Cisco WebEx—not via phone calls or texts on either work-issued or personal devices. While there is no evidence the CFPB was specifically targeted, the guidance aims to reduce potential risk. The Cybersecurity and Infrastructure Security Agency has yet to comment on the incident.
U.S. executive branch agencies briefed several House committees on Thursday about the hack by a Chinese-linked group, known as Salt Typhoon, that targeted major telecommunications companies and allegedly accessed the phones of Donald Trump’s top campaign members and high-ranking U.S. officials. The House Energy and Commerce, Homeland Security, Intelligence, Judiciary, and Appropriations subcommittees received updates from the FBI, CISA, and other security agencies. The Senate will receive a similar briefing next week, with the Senate Intelligence Committee already being updated regularly.
The breach, reportedly impacting numerous individuals, has drawn increased congressional concern. Telecommunications companies like Lumen have responded, though AT&T and Verizon redirected questions to the FBI. Federal agencies are investigating the incident, and the Cyber Safety Review Board plans its own inquiry. Policy discussions now focus on whether Salt Typhoon exploited telecom carriers’ compliance with the Communications Assistance for Law Enforcement Act to gain unauthorized access.
Law enforcement is perplexed by spontaneously rebooting iPhones.
Law enforcement has reported an unusual issue where iPhones, securely stored for forensic examination, are rebooting unexpectedly, making them significantly harder to unlock. According to a document obtained by 404 Media, these reboots may be due to a potential new security feature in iOS 18, which could cause iPhones disconnected from cellular networks to reboot after a certain time. When these devices reboot, they shift from an After First Unlock (AFU) state, which is easier to access, to a Before First Unlock (BFU) state, which current forensic tools struggle to bypass.
Some officials speculate that iOS 18 devices communicate with each other in secure settings, triggering reboots among nearby devices. Experts, however, remain skeptical about this hypothesis. The document advises forensic labs to isolate iOS 18 devices and monitor any reboots closely to avoid losing valuable data access. This situation highlights the ongoing security tensions between law enforcement and phone manufacturers.
A key supplier for oilfields suffers a ransomware attack.
Newpark Resources, a key supplier for oilfields, reported a ransomware attack on October 29, causing disruptions and limiting access to some internal systems. Despite this, Newpark’s manufacturing and field operations continue under established downtime procedures. In a regulatory filing, the company stated that financial reporting systems were impacted but that the attack is not expected to materially affect its financial health. No group has yet claimed responsibility.
Hewlett Packard Enterprise (HPE) patches multiple vulnerabilities in its Aruba Networking access points.
Hewlett Packard Enterprise (HPE), a major tech company specializing in enterprise hardware and software, announced patches this week for multiple vulnerabilities in its Aruba Networking access points, widely used in business networks. Among the vulnerabilities are two critical command injection flaws (CVE-2024-42509, CVE-2024-47460), which could allow remote, unauthenticated attackers to execute code as privileged users by sending specially crafted packets to UDP port 8211. These flaws impact Aruba devices running Instant AOS-8 and AOS-10, including some end-of-life versions.
HPE advised that enabling cluster security on AOS-8 and blocking access to UDP/8211 for AOS-10 can mitigate risks. Additionally, three high-severity remote code execution (RCE) vulnerabilities could allow authenticated attackers to compromise system files and execute commands. The patches, included in AOS-10.7.0.0, AOS-10.4.1.5, Instant AOS-8.12.0.3, and Instant AOS-8.10.0.14, were released through Aruba’s bug bounty program, with no evidence of active exploitation.
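Two checks a defender would want to run against the Aruba advisory above: whether an access point reports one of the fixed releases named in the briefing, and whether anything outside the management network has been reaching UDP/8211. The following is an added example, not HPE or Aruba code; the fixed version numbers are the four the briefing lists, while the flow-log format, the `10.10.0.0/16` management range, and the sample records are constructed assumptions for illustration. Branches the advisory does not name (for instance AOS-10.5) are reported as unknown rather than guessed.

```python
"""Defender-side checks for the Aruba Instant AOS-8 / AOS-10 advisory.

Added example, not HPE/Aruba code. Fixed versions come from the briefing;
the flow-log format and trusted ranges are constructed assumptions.
"""
import ipaddress
import re

# Fixed releases named in the advisory, keyed by (family, major.minor branch).
FIXED_VERSIONS = {
    ("AOS", "10.7"): (10, 7, 0, 0),
    ("AOS", "10.4"): (10, 4, 1, 5),
    ("Instant AOS", "8.12"): (8, 12, 0, 3),
    ("Instant AOS", "8.10"): (8, 10, 0, 14),
}


def parse_version(text):
    """Turn 'AOS-10.4.1.4' or 'Instant AOS-8.10.0.12' into (family, int tuple)."""
    m = re.fullmatch(r"(Instant AOS|AOS)-(\d+(?:\.\d+)+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return m.group(1), tuple(int(p) for p in m.group(2).split("."))


def patch_status(text):
    """Return 'patched', 'vulnerable' or 'unknown-branch' for a version string.

    A branch the advisory does not name cannot be judged from the briefing
    alone, so it is flagged for manual review instead of being assumed safe.
    """
    family, parts = parse_version(text)
    branch = f"{parts[0]}.{parts[1]}"
    fixed = FIXED_VERSIONS.get((family, branch))
    if fixed is None:
        return "unknown-branch"
    padded = parts + (0,) * max(0, len(fixed) - len(parts))
    return "patched" if padded >= fixed else "vulnerable"


# Constructed flow records, one per line: "src dst proto dport".
SAMPLE_FLOWS = """\
10.10.5.20 10.10.7.1 udp 8211
203.0.113.44 10.10.7.1 udp 8211
10.10.5.21 10.10.7.2 tcp 443
198.51.100.9 10.10.7.2 udp 8211
"""

# Assumed trusted management range; adjust to the real environment.
MANAGEMENT_NETS = [ipaddress.ip_network("10.10.0.0/16")]


def flag_udp_8211_exposure(flow_text, allowed_nets=MANAGEMENT_NETS):
    """Return source addresses that reached UDP/8211 from outside allowed_nets.

    Any hit here means the 'block UDP/8211' mitigation is not in effect for
    that path and the access point's version should be checked first.
    """
    flagged = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, _dst, proto, dport = line.split()
        if proto.lower() != "udp" or int(dport) != 8211:
            continue
        src_ip = ipaddress.ip_address(src)
        if not any(src_ip in net for net in allowed_nets):
            flagged.append(src)
    return flagged


if __name__ == "__main__":
    for v in ("AOS-10.4.1.4", "AOS-10.4.1.5", "Instant AOS-8.10.0.14", "AOS-10.5.1.0"):
        print(f"{v}: {patch_status(v)}")
    print("UDP/8211 from outside management:", flag_udp_8211_exposure(SAMPLE_FLOWS))
```

Feed `flag_udp_8211_exposure` the flow or firewall export your environment actually produces (after adapting the four-field split), and run `patch_status` over the version strings pulled from each access point's inventory; anything returning `vulnerable` or `unknown-branch` goes on the patch list.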
Cybercriminals use game-related apps to distribute Winos4.0.
Cybercriminals are using game-related apps to distribute Winos4.0, a malware framework that grants full control over infected Windows systems. Rebuilt from the Gh0st RAT malware, Winos4.0 was detected in various gaming tools and optimization utilities, which lure users into downloading the infection. Similar to Cobalt Strike, the malware enables cyber espionage, ransomware deployment, and lateral movement.
Once executed, the malware downloads a fake BMP file from a malicious server, beginning a multi-stage infection. The first DLL file establishes persistence and injects shellcode, while the second stage connects to a command-and-control server. Subsequent stages gather system details, check for anti-virus software, and capture sensitive information, including crypto wallet data and screenshots. This final stage sets up a persistent backdoor, allowing the attacker long-term access. Fortinet warns users to download apps only from trusted sources to mitigate risk.
Germany proposes legislation protecting security researchers.
Germany’s Federal Ministry of Justice has proposed a law to legally protect security researchers who responsibly report vulnerabilities. The draft law, aimed at fostering IT security, exempts researchers from criminal liability when they act within defined parameters to identify and report security risks to responsible entities like system operators or the Federal Office for Information Security (BSI). This protection requires that researchers limit system access strictly to what’s necessary for vulnerability detection.
The proposed amendment also imposes stricter penalties, with sentences from three months to five years, for malicious data spying and interception, especially when targeting critical infrastructure or involving substantial financial damage, profit motives, or organized crime. The bill’s details are under review by German states and relevant associations until December 13, 2024, after which it will be presented to the Bundestag. This follows similar steps by the U.S. Department of Justice in 2022 to protect “good-faith” security research.
The TSA proposes new cybersecurity regulations for critical transportation infrastructure.
The Transportation Security Administration (TSA) has proposed new cybersecurity regulations for critical transportation infrastructure, finalizing and expanding emergency directives issued after the Colonial Pipeline ransomware attack in 2021. This proposal, among the last cybersecurity policies of the Biden administration, targets nearly 300 entities in freight rail, passenger rail, rail transit, and pipeline sectors, requiring them to adopt mandatory cyber risk management programs, operational plans, and regular audits. Covered entities must also report incidents to the Cybersecurity and Infrastructure Security Agency (CISA) and comply with CISA’s secure-by-design and secure-by-default standards.
The proposed rule extends requirements to large hazardous liquid and carbon dioxide pipelines, critical suppliers to the Pentagon, and over-the-road bus operators. The TSA seeks public and industry feedback by February 5, 2025, aiming to build a more permanent cybersecurity framework for transportation and align it across sectors like aviation and pipeline infrastructure.
Next up, we’ve got guest Aaron Griffin, Chief Architect from Sevco Security, sharing the discovery of a significant Apple iOS 18 and macOS Sequoia privacy bug that exposes employee personal iPhone apps and data to companies through iPhone Mirroring. We’ll be right back.
Welcome back. You can find a link to Sevco Security’s blog on the topic in our show notes.
AI tries to wing it in a Reddit group, but moderators say Fork No!
Alright, friends, buckle up—we’re about to dive into a tale that’s as interesting as fork, but let’s keep it family-friendly by saying “fork” whenever we mean that other word.
Reddit’s legendary community, Interesting as Fork, just faced an AI invasion, and boy, were they having none of it. Last Friday, a post titled “Mother’s love is universal…” showed a heartwarming scene of a parrot sheltering chicks from the rain. Aww, right? Not so fork-ing fast. Redditors with eagle eyes (or should we say “parrot eyes”) quickly spotted telltale glitches—dodgy lighting, shadow errors, and all the classic signs of AI trickery. The post raked in 12,000 upvotes before moderators yanked it, declaring, “Fork no! This doesn’t even meet our species standards!”
With 13 million members, Interesting as Fork is one of Reddit’s biggest and oldest subreddits, and the moderators take “interesting” very seriously. One mod, abrownn, noted that AI-generated content not only misleads viewers but can undermine genuine, curiosity-sparking content. The AI parrot? Not tagged as AI, not a real bird behavior, and not even the species the title claimed.
Here’s the real kicker: Reddit’s loose policy on AI content lets communities decide their own rules. Some subs embrace the bots; others boot them to the curb. Interesting as Fork keeps its standards high, while other sites like Facebook are awash in AI spam.
The stakes? As AI becomes more realistic, the line between “real” and “fake” gets blurrier. So the next time you see a parrot doing people-level parenting, maybe pause and think: Is this real—or interesting as fork?
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.