The CyberWire Daily Podcast 11.20.24
Ep 2194 | 11.20.24

When location data becomes a weapon.

Transcript

A WIRED investigation uncovers the ease of tracking U.S. military personnel. Apple releases emergency security updates to address actively exploited vulnerabilities. Latino teenagers and LGBTQ individuals are receiving disturbing text messages spreading false threats. CrowdStrike says Liminal Panda is responsible for telecom intrusions. Oracle patches a high-severity zero-day vulnerability. Trend Micro has disclosed a critical vulnerability in its Deep Security 20 Agent software. A rural hospital in Oklahoma suffers a ransomware attack. A leading fintech firm is investigating a security breach in its file transfer platform. Researchers deploy Mantis against malicious LLMs. Ben Yelin from the University of Maryland Center for Health and Homeland Security discusses AI’s bias in the resume screening process. Tracking down a lost Lambo.

Today is Wednesday, November 20th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

A WIRED investigation uncovers the ease of tracking U.S. military personnel. 

A contractor commuting from a home near Wiesbaden, Germany, to US military installations has inadvertently highlighted a serious national security risk posed by unregulated mobile location data sales. Investigative reporting by WIRED, Bayerischer Rundfunk, and Netzpolitik.org revealed how data brokers legally sell granular location information that can track US service members and contractors at sensitive sites. The revelations stemmed from a dataset obtained from Florida-based Datastream Group, containing billions of location signals tied to mobile advertising IDs.

For two months in 2023, the dataset tracked devices at critical installations, including Lucius D. Clay Kaserne, the US Army’s European headquarters, and Büchel Air Base, home to US nuclear weapons. Detailed movement patterns were observed, such as daily commutes, weekend activities, and even stops at local brothels. 

The risks are profound. Foreign adversaries or terrorists could exploit such data to identify personnel with sensitive access, uncover base vulnerabilities, or plan attacks. Patterns could reveal guard schedules or entry points, while personal habits might expose individuals to blackmail or coercion.

Efforts to regulate the data broker industry in the US have faltered. The Fourth Amendment Is Not For Sale Act, which would ban federal agencies from buying such data without a warrant, remains stalled in Congress. Meanwhile, the Federal Trade Commission (FTC) plans to file lawsuits recognizing US military installations as protected sites, but broader protections remain absent.

The Department of Defense acknowledges the risks of geolocation data but has largely deferred responsibility to service members through operational security protocols. Critics argue this approach is insufficient given the pervasive integration of mobile technology into daily life. Researchers emphasize that the systemic sale of mobile location data undermines privacy and creates substantial vulnerabilities for national security, with experts like Ron Wyden, a US senator from Oregon, calling the industry’s practices “outrageous.”

The investigation underscores the urgency of regulating data brokers, tightening operational security, and safeguarding the privacy of military and intelligence personnel. Without action, adversaries could exploit this data to threaten US personnel and operations, escalating the risk to national and international security.

Meanwhile, the U.S. Government Accountability Office (GAO) has urged Congress to establish a federal office to ensure consistent safeguards for civil rights and liberties in government use of personal data. A GAO report highlights uneven data protection practices across 24 federal agencies, with many lacking policies to address civil liberties. Emerging technologies like facial recognition and AI amplify privacy risks, including bias and misidentification. The GAO warns that without unified oversight, agencies risk violating citizens’ rights and recommends Congress develop comprehensive, technology-agnostic regulations.

Apple releases emergency security updates to address actively exploited vulnerabilities. 

Apple has released emergency security updates to address two actively exploited vulnerabilities, CVE-2024-44308 and CVE-2024-44309, affecting devices like iPhones, iPads, and Macs. These updates, included in iOS 18.1.1, iPadOS 18.1.1, Safari 18.1.1, visionOS 2.1.1, and macOS Sequoia 15.1.1, fix JavaScriptCore and WebKit flaws enabling code execution and cross-site scripting. Older devices receive updates via iOS 17.7.2 and iPadOS 17.7.2. The flaws were discovered by Google’s Threat Analysis Group, and Apple advises immediate patching to prevent further malicious exploitation. Older Macs with Intel processors are specifically called out in the update.

Latino teenagers and LGBTQ individuals are receiving disturbing text messages spreading false threats.

Latino teenagers in Georgia and LGBTQ individuals nationwide are receiving disturbing, anonymous text messages spreading false threats and targeting their identities. Messages sent to Latino students claim they are “set to be deported” by Immigration and Customs Enforcement (ICE), while others tell LGBTQ individuals to report to “re-education camps.” ICE has denied involvement, stating these messages do not align with its operations.

Santiago Marquez of the Latin American Association reported multiple concerned calls from parents whose children received such texts. One screenshot detailed ICE enforcement via a “Brown Van.” LGBTQ individuals, including a lesbian business owner, received texts referencing discriminatory “re-education” under a fabricated presidential directive.

The FBI is investigating these incidents, which resemble earlier racist messages targeting Black Americans. Advocacy groups emphasize the harm caused, especially to vulnerable teens and marginalized communities.

CrowdStrike says Liminal Panda is responsible for telecom intrusions.

CrowdStrike has identified a new Chinese cyber espionage group, Liminal Panda, responsible for telecom intrusions previously attributed to LightBasin. Active since 2020, Liminal Panda targets telecom providers in countries linked to China’s Belt and Road Initiative, gathering network telemetry and subscriber data for intelligence, not financial gain. Using advanced tools and exploiting telecom interconnectivity, the group breached networks in Asia and Africa. While linked to Chinese state-sponsored tactics, definitive attribution remains inconclusive. CrowdStrike recommends enhanced network access controls, password policies, and monitoring to mitigate risks.

Oracle patches a high-severity zero-day vulnerability. 

Oracle has released patches for CVE-2024-21287, a high-severity zero-day vulnerability in Agile Product Lifecycle Management (PLM) version 9.3.6, which has been exploited in the wild. The flaw, with a CVSS score of 7.5, allows unauthenticated attackers to remotely access files under the application’s privileges via HTTP. Oracle credited CrowdStrike researchers Joel Snape and Lutz Wolf for identifying the issue. Oracle urges customers to apply updates immediately to mitigate the risk of critical data exposure or full system access.

Trend Micro has disclosed a critical vulnerability in its Deep Security 20 Agent software. 

Trend Micro has disclosed a critical vulnerability, CVE-2024-51503, in its Deep Security 20 Agent software. The flaw, rated 8.0 (CVSS 3.0), allows attackers with low-privileged access to inject remote commands and execute arbitrary code. Trend Micro has released patches to address the issue and urges immediate updates. Organizations should also review access policies to prevent exploitation.

A rural hospital in Oklahoma suffers a ransomware attack. 

Great Plains Regional Medical Center in Oklahoma suffered a ransomware attack in September, compromising the personal data of 133,149 individuals. The attack, which impacted the hospital’s systems between September 5 and 8, led to partial restoration but left some patient data unrecoverable. Exposed data included names, health details, and Social Security numbers. Rural hospitals like Great Plains face heightened risks due to limited cybersecurity resources, making them targets for attackers. Experts urge increased federal support and public-private partnerships to bolster defenses against such threats.

A leading fintech firm is investigating a security breach in its file transfer platform. 

Finastra, a leading fintech firm serving top global banks, is investigating a security breach in its file transfer platform, potentially exposing sensitive client data, KrebsOnSecurity reports. Hackers operating under the alias “abyss0” claimed to have stolen over 400GB of data and listed it for sale on cybercrime forums, targeting Finastra’s banking clients. Detected on November 7, the breach involved credential compromise but no malware deployment. Finastra assured customers its operations remain unaffected, launching an alternative secure file-sharing platform. Investigations continue to determine the scope of the theft, and impacted customers will be notified directly. The cybercriminal, who initially listed the data for $20,000, abruptly vanished, with their online accounts deactivated. Finastra had previously been hit with ransomware back in 2020.

Researchers deploy Mantis against malicious LLMs. 

Researchers at George Mason University have developed a novel defensive system, “Mantis,” to counter cyberattacks conducted by large language models (LLMs). Mantis uses deceptive techniques to lure malicious LLMs into engaging with decoy services, such as fake FTP servers. The system embeds prompt-injection attacks in responses to manipulate and disrupt the attacker’s strategy. By exploiting the iterative process used by attacking LLMs, Mantis can redirect their actions, waste resources, and even create reverse shells to compromise the attacking system.

Mantis employs both passive and active defenses, achieving a success rate above 95%. Passive strategies raise the cost of attacks, while active defenses target the attacking AI directly. The vulnerability exploited—prompt injection—is a fundamental weakness in LLMs, difficult to patch without diminishing their utility. This innovation highlights the potential for using AI’s own methods against it, marking a significant step in AI-driven cybersecurity defenses.

My Caveat co-host Ben Yelin stops by the CyberWire Daily today to discuss AI’s racial and gender bias in the resume screening process. And, stay tuned after the interview to hear how an MLB star’s new Lambo took a digital detour. We’ll be right back.

Welcome back. There’s a link to the article Ben discussed in our show notes. 

Tracking down a lost Lambo. 

And finally, our exotic motoring desk tells us that Kris Bryant, the Colorado Rockies’ third baseman, had a rough offseason when his flashy 2023 Lamborghini Huracan went AWOL en route to his Las Vegas home. The saga began on October 2, when the supercar mysteriously vanished, sparking a multi-agency investigation. Turns out, the transport company fell victim to a “business email compromise,” a high-tech scam that rerouted Bryant’s Lambo to an unauthorized Las Vegas destination.

Thanks to license plate recognition cameras, police tracked the car’s journey, recovering it on October 7 and nabbing multiple suspects. The bust revealed a jackpot of criminal goodies: fake VINs, key fobs, fraudulent docs, and other stolen vehicles. One bonus car even turned up in California.

Though police didn’t name-drop Bryant, the Denver Post did, with Detective Justin Smith quipping, “We’d treat it the same if it were a Ford F-150… but hey, a Lamborghini does make for a cool case!”

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.