CyberWire Daily

Breaking Bad (records).

Zscaler uncovers the largest ransomware payment to date. IBM says the average cost of a breach is closing in on five million dollars. Hackers exploited Proofpoint's email protection platform to send millions of phishing emails. NIST launches Dioptra to test ML models. AcidPour targets Linux data storage devices for wiping. WhatsApp for Windows allows Python to run wild. The White House releases the National Standards Strategy for Critical and Emerging Technology (USG NSSCET) Implementation Roadmap. A bipartisan Senate bill aims to fund cybersecurity apprenticeships. CISA adds three exploits to its vulnerability catalog. Ben Yelin joins us today to discuss a U.S. District Court judge's recent dismissal of charges against SolarWinds. Loose lips sink ships, but leaky HDMI cables flood the airwaves with digital data.

Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

Ben Yelin, co-host of our Caveat podcast and Program Director, Public Policy & External Affairs at University of Maryland Center for Health and Homeland Security, joins us today to discuss the U.S. District Court judge dismissing most charges against SolarWinds. For more detail on the SolarWinds decision, check out this article.

Selected Reading

Zscaler just uncovered what could be the largest ransomware payment of all time (ITPro)

Hackers exploit Proofpoint to send millions of phishing emails (Tech Monitor)

Average data breach cost jumps to $4.88 million, collateral damage increased (Help Net Security)

NIST releases open-source platform for AI safety testing (SC Media)

AcidPour Malware Attacking Linux Data Storage Devices To Wipe Out Data (GB Hackers)

WhatsApp for Windows lets Python, PHP scripts execute with no warning (Bleeping Computer)

US government debuts Implementation Roadmap for national standards strategy on critical and emerging technologies (Industrial Cyber)

Bipartisan Senate bill would promote cybersecurity apprenticeship programs (CyberScoop)

CISA warns of three new critical exploited vulnerabilities (The Stack)

AI can reveal what's on your screen via signals leaking from cables (New Scientist)

Share your feedback.

We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show?

You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Duration:
28m
Broadcast on:
30 Jul 2024
Audio Format:
mp3


You're listening to the CyberWire Network, powered by N2K.

When it comes to music, everyone has a totally unique taste. So when a song comes on that perfectly fits your mood, it kind of feels like magic. And at Credit Karma, we do the same thing, but for your finances. We got tired of the financial system giving broad, impersonal, and irrelevant advice to everybody. So we created a way for you to cut through the noise and find offers and recommendations that make sense for your specific money goals, so you know the guidance you're getting is truly custom to you. Download Intuit Credit Karma today and get everything you need to outsmart the system.

When it comes to ensuring your company has top-notch security practices, things can get complicated fast. Vanta automates compliance for SOC 2, ISO 27001, HIPAA, and more, saving you time and money. With Vanta, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center. Over 7,000 global companies like Atlassian, Flo Health, and Quora use Vanta to manage risk and prove security in real time. Our listeners can claim a special offer of $1,000 off Vanta at vanta.com/cyber. That's V-A-N-T-A.com/cyber for $1,000 off Vanta.

Zscaler uncovers the largest ransomware payment to date. IBM says the average cost of a breach is closing in on $5 million. Hackers exploited Proofpoint's email protection platform to send millions of phishing emails. NIST launches Dioptra to test ML models. AcidPour targets Linux data storage devices for wiping. WhatsApp for Windows allows Python to run wild. The White House releases the National Standards Strategy for Critical and Emerging Technology Implementation Roadmap. A bipartisan Senate bill aims to fund cybersecurity apprenticeships. CISA adds three exploits to its vulnerability catalog. Ben Yelin joins us to discuss a U.S. District Court judge's recent dismissal of charges against SolarWinds.
And loose lips sink ships, but leaky HDMI cables flood the airwaves with digital data.

It's Tuesday, July 30, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thank you for joining us here. It is great to have you with us.

The most recent report from Zscaler's ThreatLabz has identified the largest ransomware payment ever recorded, amounting to $75 million. This payment, made to the Dark Angels group, is almost double the previous record. The surge in ransomware attacks continues, with an 18% increase in the volume of attacks from April 2023 to 2024. Additionally, the number of victim organizations listed on data leak sites has risen by nearly 58%. ThreatLabz's research also identified 19 new ransomware families, bringing the total to 391. This particular record-breaking payment signals the thriving state of digital extortion and may encourage other cybercriminal groups to adopt similar strategies.

IBM's 2024 Cost of a Data Breach report reveals the global average breach cost hit $4.88 million, a 10% increase from last year. Breaches caused significant disruption for 70% of affected organizations, driven by lost business and post-breach costs. Recovery took over 100 days for most fully recovered entities. Staffing shortages, which increased by 26%, raised breach costs by $1.76 million. AI-powered prevention helped reduce costs by $2.2 million, with 67% of organizations using security AI and automation. Breaches involving multi-environment data storage averaged over $5 million in costs. Internal detection of breaches improved, reducing the breach lifecycle to 258 days, the lowest in seven years. Intellectual property theft rose by 27%, with costs per stolen record up nearly 11%. Critical infrastructure sectors like health care and financial services saw the highest breach costs, with health care averaging $9.77 million.
Hackers exploited Proofpoint's email protection platform to send millions of phishing emails daily from January to June of this year in a campaign dubbed EchoSpoofing. By manipulating vulnerabilities, they impersonated major companies like IBM, Coca-Cola, and Disney. Proofpoint confirmed that these vulnerabilities have been patched and no customer data was exposed. The unidentified attackers used compromised Proofpoint servers to make phishing emails appear legitimate. Proofpoint and Guardio Labs quickly collaborated to mitigate the threat, implementing measures to ensure only authorized emails are relayed.

The National Institute of Standards and Technology, NIST, has launched Dioptra, an open-source tool to test the resilience of machine learning models against various attacks. Released alongside new AI guidance, Dioptra fulfills requirements from President Biden's executive order on AI safety. Available on GitHub, Dioptra features a web-based interface, user authentication, and experiment provenance tracking to ensure reproducibility. Dioptra addresses three main attack types: evasion, poisoning, and oracle. Initially designed for image classification models, it can be adapted for other ML applications. The tool helps users measure attack impacts and test defenses like data sanitization. It supports Unix-based systems and requires significant computational resources. NIST says they plan to continue improving Dioptra based on user feedback. Additionally, NIST released new AI safety guidance focusing on risks associated with generative AI and dual-use models, accepting public comments until September 9th.

In March of this year, a new variant of the AcidRain wiper malware named AcidPour emerged, targeting Linux data storage devices and rendering them inoperative by permanently erasing data. According to researchers at Splunk, AcidPour targets crucial sectors like SCSI, SATA, MTD, MMC storage, dmsetup, and UBI devices, making data recovery nearly impossible.
Unlike AcidRain, which attacked MIPS-based modems and routers, AcidPour has a defense evasion technique, overwriting itself with random bytes and a command-line message. It employs a time-based evasion technique using the select function. AcidPour systematically wipes important directories, including the boot directory, and replaces files with 32 KB of random data. It overwrites designated device paths with 256 KB buffers, making systems unbootable after a reboot. AcidPour's destructive methods are similar to AcidRain and VPNFilter, but focus on data destruction rather than data exfiltration or code injection.

A security flaw in the latest version of WhatsApp for Windows allows execution of Python and PHP attachments without warning when opened, Bleeping Computer reports. This primarily affects users with Python already installed, like developers and researchers. The issue is similar to a previous Telegram vulnerability. Despite blocking several risky file types, WhatsApp does not block Python scripts, which can be executed directly from the app. Security researcher Saumyajeet Das discovered this vulnerability and reported it to Meta, but the issue was dismissed as non-applicable. Das criticized this decision, suggesting that simply adding the relevant file extensions to WhatsApp's block list could prevent exploitation. WhatsApp advises users not to open files from unknown sources and has no plans to fix the issue, leaving users vulnerable to potential attacks.

The US government has released the National Standards Strategy for Critical and Emerging Technology Implementation Roadmap, detailing actions to support private sector-led standards development. The roadmap emphasizes immediate and long-term efforts for standards coordination, partnering with stakeholders to address challenges in critical and emerging technology standards.
Key areas of focus include enhancing federal-private sector coordination, improving standards policy collaboration with foreign governments, and incentivizing federal engagement in standardization. The roadmap also highlights the importance of supporting research and development and education in standards. Immediate actions involve increasing government pre-standardization R&D, tracking CET standards education programs, and evaluating technology cooperation agreements. Long-term goals aim to sustain funding, engage academia, and enhance communication about standards.

The Cyber Ready Workforce Act, a bipartisan Senate bill by Senators Jacky Rosen, a Democrat from Nevada, and Marsha Blackburn, a Republican from Tennessee, aims to address cybersecurity workforce shortages through competitive grants awarded by the Department of Labor. These grants will support the creation and expansion of registered apprenticeship programs in cybersecurity, providing technical instruction, workplace training, and industry-recognized certifications. The apprenticeships will prepare participants for various cybersecurity careers, such as computer support specialists and security specialists, offering training in CompTIA, Microsoft programs, Certified Network Defender, and Certified Ethical Hacker. The Department of Labor will oversee registration and assist employers with training costs and connections to education providers. At least 85 percent of grant funds must be used for program management, with 15 percent for marketing and outreach. This legislation is part of broader congressional efforts to fill the estimated half-million cybersecurity job gap, including initiatives targeting community colleges, disadvantaged communities, and veterans.

CISA has updated its vulnerability catalog to include three new exploits in ServiceNow and Acronis Cyber Infrastructure.
The ServiceNow vulnerabilities both involve input validation issues, allowing unauthenticated remote code execution, with CVSS ratings of 9.3 and 9.2. These have been patched, but were actively exploited, affecting over 105 databases and exposing 42,000 instances. The third vulnerability affects Acronis Cyber Infrastructure due to insecure default passwords, with a CVSS score of 9.8. Acronis has also issued patches for this exploit.

Coming up after the break, Ben Yelin joins us to discuss the recent U.S. District Court judge's dismissal of charges against SolarWinds.

And now, a word from our sponsor, KnowBe4. Where would infosec professionals be without users making security mistakes? Doing less than 60 hours per week, maybe, actually having a weekend every so often. While user behavior can be a challenge, they can also be an infosec professional's greatest asset once properly equipped. Users want to do the right thing, but often lack the knowledge to do so. That's one of the reasons KnowBe4 developed Security Coach, a real-time security coaching tool that takes alerts from your existing security stack and sends immediate coaching to users who've taken risky actions. Existing security tools will likely block a user from visiting a high-risk website, for example, but the user might not understand why. Security Coach analyzes these alerts and provides users with relevant security tips via email or Slack, coaching them on why the action they just took was risky. Help users learn from their mistakes and strengthen your organization's security culture with Security Coach. Learn more at knowbe4.com/securitycoach. That's knowbe4.com/securitycoach, and we thank KnowBe4 for sponsoring our show.

The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now, employees, apps, and networks are everywhere. This means poor visibility, security gaps, and added risk.
That's why Cloudflare created the first-ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business.

>> Joining me once again is Ben Yelin. He is from the University of Maryland Center for Health and Homeland Security, and also my co-host over on the Caveat podcast. Ben, welcome back.

>> Good to be with you, Dave.

>> I want to touch base with you and get your take on this recent dismissal we saw from a judge about the SEC charges against SolarWinds. Unpack what's going on here, Ben.

>> The Securities and Exchange Commission had filed a lawsuit against SolarWinds for the infamous cyber incident that took place in late 2020. It was seen as a groundbreaking legal challenge to hold a large company accountable for such a cybersecurity breach, and not just the company itself, but high-ranking executives. This went to a district court in the Southern District of New York, and the district court has dismissed the vast majority of the case. The judge in this case, Paul Engelmayer, claims that the Securities and Exchange Commission does not plausibly plead actionable deficiencies in the company's reporting of the cybersecurity hack. They impermissibly rely on hindsight and speculation.

>> Okay. So in English, Ben, in English.

>> Basically, there are not enough facts in evidence in the initial pleadings in this case to show that the company violated the law and the regulations as it related to reporting requirements of the hack. To the extent that there are reporting requirements, there's not enough evidence that SolarWinds violated those requirements. Basically, the pleading on behalf of the SEC relies on what the judge calls hindsight and speculation, basically Monday morning quarterbacking, if we're going to put it colloquially. The one claim that the judge does sustain is related to one of SolarWinds' pre-SUNBURST statements about Orion's security, but it dismissed a bunch of other claims about separate cybersecurity assertions.
>> So SolarWinds isn't completely out of the woods here, but much of what they were concerned about, this judge has said the SEC can't pursue.

>> Yeah. The vast majority of the suit and the potential repercussions on behalf of SolarWinds have been thrown out. There is this remaining claim. A spokesperson for SolarWinds said that they are pleased that the judge has largely granted their motion to dismiss, and that they will have the opportunity to present their own evidence and demonstrate why this remaining claim is factually inaccurate. I think the broader lesson here is that our court system is hesitant to go along with the administration, through the SEC's effort, to hold companies and senior executives accountable for these hacks, these cyber incidents. I think this was part of a broader effort to inspire the industry to take proactive measures with the threat of potential legal action hanging over them. And what the judge here is saying is we can't sustain one of those claims unless there is clear and convincing evidence of some type of legally actionable decision making on the part of these high-ranking executives, and that just doesn't exist in this case. And I think, from what analysts have said, if they can't prove it in this case, at least in the pleading stage, it's going to be much harder for lower-profile cases where we don't have a body of evidence the way we do in SolarWinds. So I think the industry is very pleased. They were concerned that the threat of these lawsuits would prevent companies from probing their vulnerabilities, because by revealing those vulnerabilities, if there is an attack, then there can be a claim that's proved in court that they had prior knowledge of it and they failed to act, and that was negligence in some legally actionable way. And now that we have this decision here, I think that abates the concern of these companies that they're going to be punished for doing their due diligence.
>> So is part of the idea here that perhaps the SEC was trying to make an example out of SolarWinds?

>> Totally. I think that they were making an example out of SolarWinds. It's not a coincidence that this is the most high-profile case. It's probably the most high-profile hack in the last five years, would you say?

>> Yeah.

>> I mean, if we go back further than that, we can talk about OPM and Equifax and that sort of thing. But at least in the early 2020s, this is the hack of all hacks. And the SEC made it a policy, a central organizing principle, to pursue executive or aggressive policies to hold companies accountable for lack of cybersecurity practices. This is the first time they had ever pursued court action against the target of a nation-state attack for claims made to investors about cybersecurity practices. And for the most part, this challenge fell on its face. From the perspective of the SEC, they're going to have to go back to the drawing board and figure out a way to hold these companies accountable by getting past the district court gatekeepers here, who are going to be looking for clear and convincing evidence that companies did not comply with cybersecurity standards.

>> Now, at the risk of crossing the streams here or perhaps mixing metaphors, does the recent Supreme Court case with Chevron deference, does that have any impact here, on what the SEC could do in the future?

>> I think it does. It doesn't have a direct impact on this case. I think this case was drafted without Chevron in mind, and probably before the decision came out several weeks ago overturning Chevron. I do think Chevron is implicated in future cases, because as we talked about on the Caveat podcast a couple of weeks ago, the SEC doesn't have statutory authority to take action on cybersecurity-related matters. It is the Securities and Exchange Commission. It is about the actions of private companies that potentially mislead their investors.
And in a world with Chevron deference, courts would defer to the SEC as to what they would consider defrauding investors. If the SEC decided that defrauding investors by way of some type of cybersecurity incident was within their jurisdiction, they would defer to the SEC's interpretation. But without Chevron in place, it will now be up to courts to determine whether abating cybersecurity risks is within the statutory authority of the SEC. To me, it's very clear, if you look at the letter of the law, it's not in there. So it would have to be a strained judicial interpretation, looking at legislative history, looking at other things, to make a finding that the SEC has the authority to regulate on cybersecurity matters. So it's definitely something that's going to come up in future cases. I think it'll come up in future cases where a company has been fined, or there's been a lawsuit against the company, and they might anticipate that they would lose on the merits. So they'll bring up a Chevron argument and say, "Hey, you can't even regulate us in the first place." And we're in a new post-Loper Bright era where you've lost the authority to regulate us. So I think that's definitely something we can see in the future.

>> All right. Well, Ben Yelin, thanks so much for joining us.

>> Thank you.

Lots of our listeners who deal with legacy privileged access management products know they tend to be expensive, difficult to deploy, and hard to use. Keeper Security is the answer. Keeper's Zero Trust solution delivers password, secrets, and connection management in one easy-to-use platform. It's fast to deploy, agentless, clientless, and has no implementation fees. Plus, Keeper is FedRAMP authorized. That's why we trust Keeper to prevent breaches and gain full control over privileged users. Visit keeper.io/cyberwire to schedule a quick demo. That's keeper.io/cyberwire, and thanks to Keeper Security for supporting our podcast.

This episode is brought to you by Shopify.
Forget the frustration of picking commerce platforms when you switch your business to Shopify, the global commerce platform that supercharges your selling, wherever you sell. With Shopify, you'll harness the same intuitive features, trusted apps, and powerful analytics used by the world's leading brands. Sign up today for your $1 per month trial period at shopify.com/tech, all lowercase. That's shopify.com/tech.

And finally, our Signals Intelligence desk tells us that hackers may have a sneaky new trick up their sleeves: intercepting electromagnetic radiation from your HDMI cable and decoding what's on your screen with, wait for it, AI. Imagine a digital spy lurking outside your window, antenna in hand, ready to steal your Netflix binge secrets or online banking information. But don't panic, this is more like a spy movie plot for most of us. In the past, analog connections were easier targets for such snooping. Today's digital HDMI cables leak less readable data, but still enough for Federico Larroca and his team at the University of the Republic in Uruguay to develop an AI model that can reconstruct what's on your screen from a few meters away. Their AI, trained on pairs of original and intercepted signals, managed to accurately recover about 70 percent of the text. While this might sound scary, it's mainly a concern for high-security environments where even the walls have shields. So unless you're guarding national secrets, rest easy knowing the hackers are probably more interested in juicier targets than your cat videos. Still, if you're the paranoid type, maybe keep that tin foil hat handy.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's pre-eminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tre Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

On September 18th and 19th in Denver, a tight community of leading experts is gathering to tackle the toughest cybersecurity challenges we face. It's happening at mWISE, the unique conference built by practitioners for practitioners. Brought to you by Mandiant, now part of Google Cloud, mWISE features one-to-one access with industry experts and fresh insights into the topics that matter most, right now, to frontline practitioners. Register early and save at mwise.io/cyberwire. That's mwise.io/cyberwire.