The CyberWire Daily Podcast 11.18.24
Ep 2192 | 11.18.24

A new era for CISA under Trump?

Transcript

CISA’s Director Easterly plans to step down in the coming year. DHS issues recommendations for AI in critical infrastructure. Palo Alto Networks confirms active exploitation of a critical zero-day vulnerability in its firewalls. Threat actors exploit Microsoft’s 365 Admin Portal to send sextortion emails. A China-based APT targets a zero-day in Fortinet’s Windows VPN. The EPA reports on vulnerabilities in drinking water systems. A critical authentication bypass vulnerability affects a popular WordPress plugin. Researchers track a rise in the ClickFix social engineering technique. An 18-year-old faces up to twenty years behind bars for swatting. Our guest is Rob Boyce, Global Lead, Cyber Resilience at Accenture, discussing SIM swapping services targeting telcos. Nuisance calls are in decline.

Today is Monday November 18th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

CISA’s Director Easterly plans to step down in the coming year. 

Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency (CISA), will step down on January 20, coinciding with the inauguration of President-elect Donald Trump. Deputy Director Nitin Natarajan is also set to depart. This is a routine transition during a change in administration, a CISA spokesperson confirmed.

Easterly, a West Point graduate and Rhodes Scholar, served two decades in the U.S. Army, helping establish U.S. Cyber Command in response to a major DOD malware incident in 2008. Her career also included senior roles at the NSA, the National Security Council, and Morgan Stanley. She became CISA director after an eight-month vacancy following Chris Krebs’ firing in 2020.

During her tenure, Easterly advanced CISA’s Secure by Design initiatives, pushing manufacturers to embed security into their products. She led the agency through major cyberattacks, including Chinese hacks targeting U.S. officials, and provided steady leadership during election cycles, reaffirming the integrity of election infrastructure. She also issued guidance on emerging technologies like AI and quantum cryptography.

Easterly’s departure leaves questions about CISA’s direction under Trump’s administration. GOP allegations of censorship against CISA and proposed budget cuts raise concerns over future cybersecurity priorities. Sen. Rand Paul, a CISA critic, is positioned to lead the Senate Homeland Security panel. Meanwhile, Ohio Secretary of State Frank LaRose is reportedly a candidate to succeed Easterly. The agency faces an uncertain future as these transitions unfold.

DHS issues recommendations for AI in critical infrastructure.

The US Department of Homeland Security (DHS) has issued voluntary recommendations for securely developing and deploying AI in critical infrastructure. The Roles and Responsibilities Framework for Artificial Intelligence in Critical Infrastructure outlines guidance for cloud providers, AI developers, critical infrastructure operators, civil society, and public-sector organizations.

The framework focuses on five key areas: securing environments, responsible system design, data governance, safe deployment, and performance monitoring. Cloud providers are urged to vet supply chains, protect data centers, and report anomalies. AI developers should adopt secure-by-design practices, address biases, and ensure privacy. Critical infrastructure operators must safeguard AI systems and provide transparency on their AI use.

DHS Secretary Alejandro Mayorkas emphasized the framework’s role in protecting essential services like water and power, calling it a “living document” that evolves with AI advancements.

Palo Alto Networks confirms active exploitation of a critical zero-day vulnerability in its firewalls. 

Palo Alto Networks has confirmed active exploitation of a critical zero-day vulnerability in its firewalls, affecting management interfaces exposed to the internet. The flaw, rated 9.3/10 in severity, allows unauthenticated remote command execution. While a patch is not yet available, Palo Alto Networks urges users to restrict access to management interfaces to internal, trusted IP addresses. This mitigation reduces the severity to 7.5 but still requires careful monitoring.

The company tracks vulnerable devices via its support portal, flagged under PAN-SA-2024-0015, and has observed malicious activity from specific IPs, including potential misuse of third-party VPN services. Malicious code was found on affected devices.

Separately, Palo Alto disclosed other vulnerabilities in its Expedition migration tool, including OS command and SQL injection flaws, which could expose sensitive firewall configurations.

Threat actors exploit Microsoft’s 365 Admin Portal to send sextortion emails. 

Threat actors are exploiting the Microsoft 365 Admin Portal to send sextortion emails, making them appear trustworthy and bypassing spam filters. Sextortion scams claim hackers accessed compromising images or videos of victims and demand $500–$5,000 in cryptocurrency to prevent their release. Though common since 2018, these scams can still alarm recipients.

Scammers abuse the Microsoft Message Center’s “Share” feature, which allows notifications to be forwarded with a “Personal Message.” While this field is limited to 1,000 characters, attackers bypass the restriction by manipulating browser developer tools to input longer messages. Microsoft lacks server-side checks to enforce the limit, enabling full extortion messages to be sent.

Microsoft is investigating but has not yet implemented fixes. 

A China-based APT targets a zero-day in Fortinet’s Windows VPN. 

The DeepData malware framework, linked to China-based APT41, is exploiting a zero-day vulnerability in Fortinet’s Windows VPN client to steal credentials, according to cybersecurity firm Volexity. DeepData uses plugins to extract sensitive data from browsers, communication apps, and password managers, and can record audio via the system’s microphone.

APT41, also associated with the LightSpy malware, has targeted journalists, politicians, and activists in Southeast Asia. The zero-day vulnerability, reported to Fortinet in July, remains unpatched and lacks a CVE identifier. Volexity attributes the malware’s development to BrazenBamboo, a state-sponsored group.

DeepData and LightSpy share technical similarities, including plugin designs and infrastructure. A new Windows variant of LightSpy has also been identified, showcasing BrazenBamboo’s broad, multi-platform surveillance capabilities.

The EPA reports on vulnerabilities in drinking water systems. 

A report by the EPA’s Office of Inspector General (OIG) reveals cybersecurity vulnerabilities in over 300 U.S. drinking water systems serving 110 million people. The assessment highlighted risks such as service disruptions, denial-of-service (DoS) attacks, and compromised customer data. Critical or high-severity issues were identified in 97 systems serving 27 million individuals, while medium and low-severity weaknesses, like open portals, affected 211 systems covering 83 million people.

The vulnerabilities span email security, IT hygiene, and threat detection. OIG warns that exploiting these flaws could lead to significant damage to water infrastructure. Additionally, the EPA lacks a cybersecurity incident reporting system and relies on CISA for coordination, raising concerns about emergency response and mitigation strategies. 

A critical authentication bypass vulnerability affects a popular WordPress plugin. 

A critical authentication bypass vulnerability, CVE-2024-10924, has been identified in the WordPress plugin Really Simple Security (formerly Really Simple SSL), affecting versions 9.0.0 through 9.1.1.1. This plugin, used on over four million websites, provides SSL configuration, two-factor authentication (2FA), and security monitoring.

Discovered by Wordfence on November 6, 2024, the flaw stems from improper handling of the login_nonce parameter in the plugin’s two-factor REST API. If login_nonce verification fails, the code incorrectly authenticates users based on their user_id alone, allowing attackers to gain administrative access to vulnerable sites. The flaw is particularly severe because it can be exploited at scale with automated scripts.

Fixes were released in version 9.1.2 on November 12 (Pro) and November 14 (free). Hosting providers and administrators are urged to update immediately, as millions of sites remain at risk.
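To make the fail-open pattern described above concrete, here is an added illustration (not the plugin’s own code) of a two-factor login handler that proceeds to authenticate on user_id alone when the login_nonce check fails, beside a fail-closed version. The nonce verifier is a constructed stand-in for the role WordPress’s wp_verify_nonce() plays; the request arrays are constructed sample input.

```php
<?php
// Added illustration, not Really Simple Security's actual code.

// Constructed stand-in for a nonce check: a valid nonce is an HMAC over the
// user_id it authorizes. (In WordPress this role is played by wp_verify_nonce().)
const NONCE_SECRET = 'server-secret-placeholder';  // placeholder, not a real key

function verify_login_nonce(string $nonce, int $user_id): bool {
    $expected = hash_hmac('sha256', "login_nonce:$user_id", NONCE_SECRET);
    return hash_equals($expected, $nonce);
}

// Pattern the advisory describes: verification fails, but the handler keeps
// going and returns the requested user_id, which the caller treats as logged in.
function vulnerable_two_factor_login(array $request): ?int {
    $user_id = (int) ($request['user_id'] ?? 0);
    $nonce   = (string) ($request['login_nonce'] ?? '');
    if (!verify_login_nonce($nonce, $user_id)) {
        // Fails open: nothing here stops execution.
    }
    return $user_id > 0 ? $user_id : null;
}

// Hardened form: fail closed, and bind the nonce to the user_id it authorizes.
function fixed_two_factor_login(array $request): ?int {
    $user_id = (int) ($request['user_id'] ?? 0);
    $nonce   = (string) ($request['login_nonce'] ?? '');
    if ($user_id <= 0 || !verify_login_nonce($nonce, $user_id)) {
        return null;  // reject: no session for an unverified request
    }
    return $user_id;
}

// Constructed requests: one with a bogus nonce for user 1, one with a valid nonce.
$bogus = ['user_id' => 1, 'login_nonce' => 'not-a-valid-nonce'];
$valid = ['user_id' => 1, 'login_nonce' => hash_hmac('sha256', 'login_nonce:1', NONCE_SECRET)];

// Only the fixed handler should refuse the bogus request while still
// accepting the valid one.
printf("vulnerable, bogus nonce: %s\n", var_export(vulnerable_two_factor_login($bogus), true));
printf("fixed, bogus nonce:      %s\n", var_export(fixed_two_factor_login($bogus), true));
printf("fixed, valid nonce:      %s\n", var_export(fixed_two_factor_login($valid), true));
```

The defensive takeaway is that a failed authentication check must terminate the request path, not merely log or skip a branch.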

Researchers track a rise in the ClickFix social engineering technique. 

Researchers at Proofpoint have observed a rise in the ClickFix social engineering technique, which manipulates users into executing malicious PowerShell scripts by disguising them as solutions to fabricated problems. Initially linked to campaigns by TA571 and ClearFake, this method has now been adopted by various financially motivated and espionage-focused threat actors.

ClickFix exploits trust by presenting fake error messages or software update prompts, directing users to copy and run PowerShell commands that ultimately deliver malware. Recent campaigns leveraged fake CAPTCHA verifications, GitHub notifications, and spoofed emails from platforms like Microsoft Word and ChatGPT. Malicious payloads observed include AsyncRAT, NetSupport, Lumma Stealer, and XWorm.

The technique bypasses traditional security controls by relying on human error, preying on users’ desire to independently resolve issues. To mitigate these threats, organizations must train users to recognize such tactics and avoid manually executing unverified commands. The technique’s popularity underscores the evolution of social engineering strategies.

An 18-year-old faces up to twenty years behind bars for swatting.

An 18-year-old, Alan Filion, has pleaded guilty to making over 375 fake emergency threats, a practice known as “swatting.” Filion targeted religious and educational institutions, government officials, and individuals across the U.S. between 2022 and 2024, beginning at age 16. Swatting involves falsely reporting emergencies to prompt police SWAT team responses, often causing chaos and endangering lives.

Filion admitted to using social media to offer swatting services for a fee. On one occasion, he boasted about causing police to detain victims and search their homes for fabricated crimes.

Facing up to five years in prison for each of four felony counts, Filion’s sentencing is set for February. 


Our longtime friend of the podcast, Accenture’s Global Lead for Cyber Resilience Rob Boyce joins us to discuss SIM swapping services targeting telcos. We’ll be right back.

Welcome back.

Nuisance calls are in decline. 

And finally, our caller-ID desk brings some good news: the FTC is winning the fight against scam and nuisance calls. According to the agency’s latest report, complaints about these pesky interruptions have dropped by more than half since 2021. It’s a huge win for the 254 million Americans who’ve signed up for the National Do Not Call Registry—and who probably wish telemarketers would stop ignoring it.

In 2024, the FTC logged two million complaints, with most gripes focused on medical/prescription scams. Imposter calls came in a close second, proving scammers are still bad actors—literally. Robocalls dominated the complaint charts at 53%, while 37% were old-school humans trying to sell you something you didn’t want.

The FTC isn’t just sitting back and letting the registry do the work. New rules and initiatives, like the Impersonation Rule and Operation Stop Scam Calls, are cracking down on both scammers and the companies profiting from them. And for the cherry on top, the agency is tackling deepfake phone scams with a Voice Cloning Challenge, because AI scammers are a thing now.

Sam Levine, head of the FTC’s Bureau of Consumer Protection, sums it up: “Illegal calls remain a scourge, but we’re making progress.” With scams still costing consumers over $1 billion last year, there’s plenty more work ahead. For now, though, it’s still best to let that unknown number go straight to voicemail.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.