Your Daily Decrypt

8/15/2023 - Today’s news and insights for cybersecurity pros and leaders

📰 Top Stories 

Summary

Who's Behind the Attacks: The Storm-0558 threat group, linked to Chinese state-sponsored hackers.

What They Did: Acquired and used a private encryption key to access cloud-based email accounts of more than 25 organizations, including U.S. State and Commerce departments.

How They Did It: Used the acquired private key to forge authentication tokens, defeating the cryptographic protections on Microsoft's cloud sign-in.

Why It Matters: Highlights significant vulnerabilities in cloud security and encryption, affecting government, industry, and cloud service providers.

Why it’s important to you

Stay Alert: The incident emphasizes the need to safeguard cloud-based identity management and authentication.

Be Prepared: Cybersecurity practices must adapt to emerging threats like these, particularly in encryption and cloud security.

Think Globally: The review and findings by the CSRB can guide global cybersecurity practices and foster collective trust in critical systems.

Summary

Who's Behind the Attacks: The threat actor "Royal."

What They Did: Launched a ransomware attack on Dallas, taking most services offline and disrupting operations for weeks.

How They Did It: Intruded into the city's network and exfiltrated data between April 7 and May 4, compromising the personal data of over 26,000 individuals.

Why It Matters: The attack caused significant disruption, privacy concerns, and a financial cost of nearly $8.6 million for emergency response and recovery.

Why it’s important to you

Stay Alert: The incident highlights the need to have robust cybersecurity measures in place to protect against ransomware attacks.

Be Prepared: Ensuring timely detection and response is key to minimizing damage; Dallas didn't confirm the compromise until over a month after the intrusion.

Think Globally: The attack on a major city like Dallas underscores the potential scale and impact of cyber threats, and the importance of coordinated efforts in prevention and recovery.

Summary

Who's Behind the Attacks: The Clop ransomware gang, linked to Russia, claims responsibility for the mass attacks, though this hasn't been confirmed.

What They Did: Exploited a zero-day vulnerability in MOVEit software, affecting systems operated by IBM and leading to the exposure of sensitive medical and health information of millions of Americans.

How They Did It: Exploited IBM's MOVEit systems to access data files that IBM handled in the normal course of business for Colorado's Department of Health Care Policy and Financing (HCPF) and Missouri's Department of Social Services (DSS).

Why It Matters: The breach exposed the data of over four million patients in Colorado alone, including personal details, Social Security numbers, medical data, and insurance information. Other entities, including PH Tech and Colorado State University, were also affected.

Why it’s important to you

Stay Alert: The exploitation of a zero-day vulnerability in widely-used software underscores the need for constant vigilance and timely patching.

Be Prepared: With healthcare providers being targeted, understanding the specific risks and implementing robust security measures for sensitive health data is crucial.

Think Globally: The scale of the breach, affecting multiple states and millions of individuals, emphasizes the importance of collaboration and shared responsibility between vendors, state agencies, and private companies.

🚨 Threat Alerts

Summary

What's Affected: Security flaws discovered in AudioCodes desk phones and Zoom's Zero Touch Provisioning (ZTP).

What They Did: Exposed vulnerabilities that could potentially allow an attacker to gain full remote control of the devices.

How They Did It:

  • Zoom's ZTP: Lack of client-side authentication during configuration file retrieval, leading to potential downloading of malicious firmware.

  • AudioCodes VoIP Desk Phones: Improper authentication in cryptographic routines, allowing decryption of sensitive information.

Why It Matters: These vulnerabilities could lead to eavesdropping, attacks on corporate networks, and the creation of a botnet of infected devices. The combined weaknesses pose a significant security risk.
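The Zoom ZTP weakness above comes down to one missing step: the device fetches a provisioning file and acts on it without first authenticating it. The following Go program is an added example written for this newsletter, not code from Zoom, AudioCodes or any vendor; it models a phone client that verifies a provisioning file before reading the firmware location out of it. The pre-shared per-device key, the key=value config layout and the hostnames are all constructed for the example (a real deployment would more likely use a signature scheme with a device-held trust anchor, but the defensive point is the same: no authentication, no apply).

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// ErrUnauthenticated is returned when a retrieved config cannot be tied to
// the provisioning server; the device must not act on such a file.
var ErrUnauthenticated = errors.New("provisioning config failed authentication; not applied")

// deviceKey is a constructed per-device secret shared with the provisioning
// server. This is an assumption for the example, not any vendor's design.
var deviceKey = []byte("constructed-device-secret-0001")

// signConfig computes the tag the provisioning server attaches to a config.
func signConfig(key, config []byte) string {
	m := hmac.New(sha256.New, key)
	m.Write(config)
	return hex.EncodeToString(m.Sum(nil))
}

// firmwareURL extracts the firmware_url field from the constructed
// key=value config format; it returns "" if the field is absent.
func firmwareURL(config []byte) string {
	for _, line := range strings.Split(string(config), "\n") {
		if strings.HasPrefix(line, "firmware_url=") {
			return strings.TrimSpace(strings.TrimPrefix(line, "firmware_url="))
		}
	}
	return ""
}

// verifyAndApply is the client-side step that was missing in the ZTP flow:
// authenticate the config first, and only then trust the firmware location
// inside it. It returns the URL the device is allowed to fetch firmware from.
func verifyAndApply(key, config []byte, tag string) (string, error) {
	want, err := hex.DecodeString(tag)
	if err != nil {
		return "", ErrUnauthenticated
	}
	m := hmac.New(sha256.New, key)
	m.Write(config)
	// hmac.Equal compares in constant time, so the check leaks no timing.
	if !hmac.Equal(m.Sum(nil), want) {
		return "", ErrUnauthenticated
	}
	u := firmwareURL(config)
	if u == "" {
		return "", errors.New("authenticated config has no firmware_url")
	}
	return u, nil
}

func main() {
	// Constructed config as the legitimate provisioning server would publish it.
	good := []byte("device=desk-phone\nfirmware_url=https://provisioning.example/fw/1.2.3.bin\n")
	tag := signConfig(deviceKey, good)
	url, err := verifyAndApply(deviceKey, good, tag)
	fmt.Println("genuine config:", url, err)

	// The same file with the firmware location altered in transit: the tag
	// no longer matches, so the phone refuses to apply it.
	tampered := []byte("device=desk-phone\nfirmware_url=https://untrusted.example/fw.bin\n")
	url, err = verifyAndApply(deviceKey, tampered, tag)
	fmt.Println("tampered config:", url, err)
}
```

The order of operations is the point: the URL is parsed only after the tag verifies, so a file an attacker substituted on the path from the provisioning server never reaches the firmware download step.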

Why it’s important to you

Stay Informed: Awareness of these vulnerabilities is essential if you use AudioCodes desk phones or Zoom's ZTP.

Take Action: Monitor updates and security enhancements from Zoom and other relevant providers to ensure your devices are protected.

Understand the Risks: The disclosed vulnerabilities underline the complex nature of security in connected devices and the importance of proper authentication mechanisms.

Summary

What's Happening: AdLoad, a malware targeting macOS, has been discovered delivering a new payload that enlists infected systems into a residential proxy botnet.

How It Works:

  • AdLoad's Functionality: AdLoad operates as adware, redirecting users' web traffic to hijack search engine results and insert specific ads. It also serves as a downloader for additional payloads.

  • Proxy Creation: The malware gathers system information, connects to an AdLoad server, downloads a proxy app, and configures the host to function as a proxy server.

  • Evasiveness: Known for being highly evasive, AdLoad hides from built-in macOS security tools and persists through system restarts.

Why It Matters:

  • Potential Scale of Infection: Over 10,000 IPs have been identified reaching out to proxy servers each week, indicative of a potential global infection.

  • Increasing Target on Macs: With the rise in Mac usage in enterprises, specialized malware targeting macOS is increasing, including infostealer strains, exploits, and ransomware variants.

Why it’s important to you

Stay Vigilant: If you are using macOS systems, it's essential to be aware of the new threat posed by AdLoad and its ability to turn systems into proxies.

Implement Security Measures: Follow the latest security protocols, monitor for any suspicious activities, and consider implementing the recommendations provided by researchers to remove AdLoad samples if needed.

Understand the Evolving Threat Landscape: The intensification of macOS-targeting activities highlights the need for continuous adaptation to new and emerging cyber threats, particularly for businesses relying on Mac devices.

⚖️ Regulatory Updates

Summary

What's Happening: The Department of Defense (DOD) has released an implementation plan for its Cyber Workforce Strategy, aiming to create a capable cyber workforce.

Key Components:

  • Workforce Size: About 225,000 civilians, military, and contractors.

  • Four Goals: Capability assessment, talent management, cultural shift in personnel management, and collaboration enhancement.

Why It Matters:

  • National Security: Protects against cyber threats.

  • Innovation: Focuses on reforming recruitment, development, and retention.

Why it’s important to you

Stay informed about national cyber defense and embrace the shift towards a more agile cyber workforce. The ongoing threat of cyberattacks requires constant awareness.

👀 Curated Finds

Summary

Who's Behind the Discussion: Craig Martell of the U.S. Defense Department, addressing the DEF CON security conference.

What They Discussed: Martell emphasized that Large Language Models (LLMs) are not sentient and cannot reason. He stressed the need for rigor in development to limit risks of hallucinations and false information and called for increased research into LLM vulnerabilities.

How They Explained It: Martell treated the session like a lecture, explaining that LLMs are just statistical models relying on past context. He expressed concerns about the lack of reasoning in LLMs and the difficulty of identifying hallucinations.

Why It Matters: The talk highlights the DoD's interest in understanding and enhancing the potential of generative AI and LLMs. Martell called for "five nines" (99.999%) of accuracy and outlined the need for clear acceptability conditions for deploying LLMs in various contexts.

Why it’s important to you

Stay Alert: Understanding the limitations and vulnerabilities of LLMs, such as hallucination and lack of reasoning, is critical for cybersecurity professionals.

Be Prepared: The call for more rigorous testing and development reflects the growing importance of AI and LLMs in various sectors, including defense, requiring careful consideration of accuracy and reliability.

Think Globally: Martell's appeal to the global hacker community for help in understanding how LLMs break emphasizes the collaborative nature of security research and the shared responsibility in building robust AI systems.

Summary

11 Requirements for Mobile Network Security:

  1. Visibility: Identifying devices, tracking data, and detecting unusual activities.

  2. Access Control: Implementing strong controls to ensure only legitimate devices connect.

  3. Signaling Attack Detection & Prevention: Analytics to detect and block signal disruptions.

  4. Supply Chain Attack Detection & Prevention: Ensuring software sources are secure.

  5. Zero Trust Architecture: No device is deemed secure by default.

  6. Data Encryption: Enhancing encryption, especially with 5G.

  7. Network Isolation & Slicing Security: Continuous monitoring and intelligent design of network slices.

  8. Firewalls, IDS/IPS, and Anti-DDoS: Classic solutions adapted for mobile networks.

  9. Monitoring & Automation: Automatic detection and remediation of threats.

  10. Vulnerability Management: Scanning for known weaknesses and isolating at-risk devices.

  11. Secure Upgrades & Patching Policies: Constantly updating and patching software.

Why it’s important to you

Stay Alert: With the growing complexity of mobile networks, the understanding of potential vulnerabilities and threats is essential for cybersecurity professionals.

Be Prepared: Implementing robust security measures in line with evolving technology and regulatory requirements is critical.

Think Globally: Mobile networks are foundational for global innovations and smart infrastructure; hence, security is a shared responsibility across stakeholders.

Summary

Why Passwordless Matters: Passwords have been a traditional means of authentication but are prone to attacks. Passwordless authentication, which eliminates the need for passwords, is gaining traction as a more secure and user-friendly option.

Survey Insights: A survey by Axiad found that 92% of respondents are concerned about credential compromise, 82% consider moving to passwordless among top priorities, and 85% expect to adopt it within one to two years.

FIDO Alliance's Role: The FIDO (Fast Identity Online) Alliance provides standards for passwordless authentication, such as FIDO2 and passkeys, ensuring strong, cryptographically secured authentication.

Passkeys: Gaining rapid adoption by companies like Apple and Google, passkeys offer multiple authentication workflows, though some limitations still exist.
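What makes FIDO2 passkeys "cryptographically secured" in practice is that the authenticator signs a challenge bound to the origin the browser is actually on, so a credential can't be replayed at a look-alike site. The Go program below is an added example written for this newsletter, not FIDO Alliance code or any vendor's implementation; it is a deliberately simplified model of a WebAuthn assertion (the real protocol signs authenticatorData together with a hash of clientDataJSON, and this example keeps only the challenge, type and origin fields needed to show the binding). The origins and challenge values are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData mirrors the WebAuthn clientDataJSON fields used in this model.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// authenticator holds one passkey; the private key never leaves the device.
type authenticator struct{ priv ed25519.PrivateKey }

// newAuthenticator generates a passkey and returns the public key that the
// relying party stores at registration.
func newAuthenticator() (*authenticator, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &authenticator{priv: priv}, pub
}

// sign produces an assertion over the challenge and the origin the browser
// reports. The authenticator cannot be talked into signing for an origin
// other than the one the user is really visiting.
func (a *authenticator) sign(challenge, origin string) (cd, sig []byte) {
	cd, _ = json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	h := sha256.Sum256(cd)
	return cd, ed25519.Sign(a.priv, h[:])
}

// verifyAssertion is the relying party's check: the signed client data must
// name the RP's own origin and the challenge it issued, and the signature
// must verify under the registered public key.
func verifyAssertion(pub ed25519.PublicKey, expectedOrigin, expectedChallenge string, cd, sig []byte) bool {
	var got clientData
	if err := json.Unmarshal(cd, &got); err != nil {
		return false
	}
	if got.Type != "webauthn.get" || got.Origin != expectedOrigin || got.Challenge != expectedChallenge {
		return false
	}
	h := sha256.Sum256(cd)
	return ed25519.Verify(pub, h[:], sig)
}

func main() {
	const rpOrigin = "https://login.example" // constructed relying-party origin
	auth, pub := newAuthenticator()

	// Genuine sign-in: challenge issued by the RP, browser on the RP's origin.
	cd, sig := auth.sign("challenge-0001", rpOrigin)
	fmt.Println("genuine origin accepted:", verifyAssertion(pub, rpOrigin, "challenge-0001", cd, sig))

	// Look-alike origin: a valid signature exists, but it names the wrong
	// origin, so the real RP rejects it. This is the phishing resistance.
	cd2, sig2 := auth.sign("challenge-0001", "https://login-example.test")
	fmt.Println("look-alike origin accepted:", verifyAssertion(pub, rpOrigin, "challenge-0001", cd2, sig2))

	// Replay of an old assertion against a fresh challenge also fails.
	fmt.Println("replayed assertion accepted:", verifyAssertion(pub, rpOrigin, "challenge-0002", cd, sig))
}
```

Compare this with a password: the same secret typed into a look-alike site is immediately usable at the real one, whereas here the signature carries the origin it was produced for and is worthless anywhere else.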

10 Passwordless Services for Enterprises:

  1. AuthID Verified Workforce: Focuses on biometric certainty and AI-backed matching.

  2. Axiad Cloud: Offers a holistic approach through passwordless orchestration.

  3. Beyond Identity: Couples passwordless with continuous risk-based authentication.

  4. CyberArk Workforce Identity: Supports all passwordless use cases, including endpoint authentication.

  5. Duo: Offers tools for desktop, web apps, VPN, and remote desktop.

  6. HYPR: Embraces the passkey standard and supports integration into existing IAM tools.

  7. Okta: Provides full-featured IAM capabilities and MFA.

  8. Ping Identity: Offers risk-based authentication policies and progressive securing of authentication.

  9. Secret Double Octopus: Focuses on MFA and passwordless across various use cases.

  10. Yubico: Known for YubiKey hardware tokens and supports various connectivity standards.

Why it’s important to you

Stay Alert: Understanding the shift toward passwordless authentication is crucial as it's becoming a prominent trend in enhancing security.

Be Prepared: Knowing the key players and available services helps in making informed decisions for implementing passwordless authentication in your organization.

Think Ahead: The progressive adoption of passwordless technology signifies a new direction in cybersecurity. Embracing this trend aligns with modern security demands.

Please let me know if you have any comments or feedback by replying to this email or messaging me on Twitter!

Thank you 🙏
Ali Abidi