Archive.fm

CyberWire Daily

The age old battle between iPhone and Android.


Duration: 29m
Broadcast on: 08 Jul 2024
Audio Format: mp3

Microsoft is phasing out Android use for employees in China. Mastodon patches a security flaw exposing private posts. OpenAI kept a previous breach close to the vest. Nearly 10 billion passwords are leaked online. A Republican senator presses CISA for more information about a January hack. A breach of the Egyptian Health Department impacts 122,000 individuals. South Africa's National Health Laboratory Service (NHLS) suffers a ransomware attack. Eldorado is a new ransomware-as-a-service offering. CISA adds a Cisco command injection vulnerability to its Known Exploited Vulnerabilities catalog. N2K’s CSO Rick Howard catches up with AWS’ Vice President of Global Services Security Hart Rossman to discuss extending your security around genAI.  Ransomware scrambles your peace of mind.

Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.


CyberWire Guest

Recently N2K’s CSO Rick Howard caught up with AWS’ Vice President of Global Services Security Hart Rossman at the AWS re:Inforce event. They discussed extending your security around genAI. Watch Hart’s presentation from AWS re:Inforce 2024 - Securely accelerating generative AI innovation.


Selected Reading

Microsoft Orders China Staff to Switch From Android Phones to iPhones for Work (Bloomberg)

Mastodon: Security flaw allows unauthorized access to posts (Stack Diary)

A Hacker Stole OpenAI Secrets, Raising Fears That China Could, Too (The New York Times)

“A treasure trove for adversaries”: 10 billion stolen passwords have been shared online in the biggest data leak of all time (ITPro)

Senate leader demands answers from CISA on Ivanti-enabled hack of sensitive systems (The Record)

Egyptian Health Department Data Breach: 120,000 Users' Data Exposed (GB Hackers)

South African pathology labs down after ransomware attack (The Cape Independent)

New Eldorado ransomware targets Windows, VMware ESXi VMs (Bleeping Computer)

CISA adds Cisco NX-OS Command Injection bug to its Known Exploited Vulnerabilities catalog (Security Affairs)

New RUSI Report Exposes Psychological Toll of Ransomware, Urges Action (Infosecurity Magazine)


Share your feedback.

We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. 


Want to hear your company in the show?

You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Learn more about your ad choices. Visit megaphone.fm/adchoices

You're listening to the CyberWire Network, powered by N2K.

Some decisions are easy, like playing your favorite song. Other decisions are hard, like choosing the right credit card. But that's mostly because the financial system is complicated. There are so many offers, rates, and products, but which one's best for you? That's why we've reinvented Credit Karma to do the hard work for you. We scan for the latest offers from our trusted partners to help you find the best financial hits for your unique situation. That way you can spend less time saying "huh" and more time doing, well, anything. Download Intuit Credit Karma today and get everything you need to outsmart the system.

When it comes to ensuring your company has top-notch security practices, things can get complicated fast. Vanta automates compliance for SOC 2, ISO 27001, HIPAA, and more, saving you time and money. With Vanta, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center. Over 7,000 global companies, like Atlassian, Flo Health, and Quora, use Vanta to manage risk and prove security in real time. Our listeners can claim a special offer of $1,000 off Vanta at vanta.com/cyber. That's v-a-n-t-a.com/cyber for $1,000 off Vanta.

Microsoft is phasing out Android use for employees in China. Mastodon patches a security flaw exposing private posts. OpenAI kept a previous breach close to the vest. Nearly 10 billion passwords are leaked online. A Republican senator presses CISA for more information about a January hack. A breach of the Egyptian Health Department impacts 122,000 individuals. South Africa's National Health Laboratory Service suffers a ransomware attack. Eldorado is a new ransomware-as-a-service offering. CISA adds a Cisco command injection vulnerability to its Known Exploited Vulnerabilities catalog.
N2K's CSO Rick Howard catches up with AWS's Vice President of Global Services Security, Hart Rossman, to discuss extending your security around generative AI. And ransomware scrambles your peace of mind.

It's Monday, July 8th, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing.

[Music]

Thank you for joining us here today. It is great, as always, to have you with us.

Starting in September, Microsoft employees in China will be required to use iPhones for work, cutting off Android devices. An internal memo revealed that this move is part of Microsoft's Secure Future Initiative, aiming to ensure all staff use the Microsoft Authenticator and Identity Pass apps. The decision stems from the fragmented Android app market in China, where Google Play is unavailable and local platforms by Huawei and Xiaomi prevail. Consequently, Microsoft has decided to block these devices from accessing its corporate resources. Affected employees will receive an iPhone 15 as a one-time replacement. The change is driven by security concerns following multiple state-sponsored cyberattacks, including a significant breach linked to Russia earlier this year. Microsoft's Executive Vice President Charlie Bell emphasized the company's commitment to prioritizing security, pledging a major overhaul to address cloud vulnerabilities and enhance credential protection.

Mastodon, the decentralized social network, has issued an urgent call for instance operators to update their server software due to a high-risk security flaw. The vulnerability allows attackers to access private posts by expanding the audience to unintended users. Rated with a CVSS score of 8.2, it affects all versions from 2.6.0 onwards. The Mastodon team has released updates to fix this issue and other security problems. An additional fixed bug involved inadequate permission checks for API endpoints. Mastodon emphasized the importance of updating servers promptly, given past security issues.
The team will release a detailed description of the vulnerability on July 15, giving administrators time to update. The decentralized nature of Mastodon makes timely updates by individual instance operators crucial.

Early last year, a hacker accessed OpenAI's internal messaging system, stealing details about their AI technologies. The breach occurred via an online forum where employees discussed the latest advancements. Although the hacker didn't access core systems, OpenAI revealed the incident internally in April of 2023 but didn't inform the public or law enforcement, since no customer or partner data was compromised. Some employees feared that foreign adversaries like China could exploit such vulnerabilities, raising concerns about OpenAI's security measures. Leopold Aschenbrenner, an ex-employee, highlighted these issues, alleging inadequate protection against foreign threats. Despite his claims, OpenAI asserted they had addressed the incident. The company claims to have since bolstered its security products and continues to improve its defenses against potential threats.

Last week, almost 10 billion passwords were leaked on an underground hacking forum, described as the largest password leak ever. On July 4, a user named ObamaCare hosted a file, RockYou2024.txt, containing 9.9 billion unique passwords. Cybernews researchers confirmed these passwords stemmed from various data breaches over the past two decades. The file updates the previous record holder, RockYou2021, which had 8.4 billion passwords. Despite the age of some passwords, security experts warn they can still be exploited due to password reuse. Simon Lawrence from i-confidential emphasized the danger of credential stuffing attacks, where stolen logins are tested across different networks. Organizations are urged to reassess password policies, educate employees on password reuse risks, and implement multi-factor authentication to enhance security.
Republican Senator Charles Grassley has demanded answers from CISA Director Jen Easterly about a January hack involving the agency's Chemical Security Assessment Tool, CSAT, and one other sensitive system, due to vulnerabilities in Ivanti products. This breach potentially compromised critical infrastructure information. While CISA confirmed the breach in March, it didn't disclose the involvement of CSAT until June 24. Grassley criticized CISA for not adequately protecting its systems, raising national security concerns. The incident led to unauthorized access to site security plans, vulnerability assessments, and user accounts. Grassley, emphasizing government transparency, requested detailed documentation by July 17 on all breached systems, impacted entities, CISA's prior knowledge of Ivanti vulnerabilities, and steps taken to secure their systems. Brian Harrell, former CISA Assistant Director, expressed concerns over the breach, noting its negative impact on renewing the Chemical Facility Anti-Terrorism Standards, or CFATS, regulation. The CFATS program, crucial for regulating high-risk facilities' security, has stalled in Congress since July of 2023. CISA has yet to comment publicly on Grassley's letter.

The Egyptian Health Department, the EHD, has reported a data breach affecting 122,000 individuals, which occurred on December 21 of 2023. Discovered the same day, the breach involved an external system hack compromising sensitive personal information, including names and identifiers. Joseph Fus, representing the EHD, confirmed that affected individuals were notified on July 2 of this year, and authorities were informed. The breached data poses a risk of identity theft, prompting the EHD to offer 12 months of credit monitoring services through TransUnion. The EHD has set up a helpline to assist affected individuals and provide guidance on safeguarding personal information.
South Africa's National Health Laboratory Service is recovering from a ransomware attack on June 22, which disrupted diagnostic systems and deleted backups, causing significant delays in lab testing across public health facilities. Although all labs are now operational, physicians cannot access test results online. The NHLS assured that no patient data was compromised and data restoration is expected within weeks. The delays have severely impacted emergency patients and intensive care units, with over 6.3 million unprocessed blood tests postponing major operations. Urgent test results are being communicated via telephone, raising concerns about operational continuity. The NHLS serves 80% of South Africa's population and operates over 265 labs. The incident underscores the nation's vulnerability to cyberattacks, following similar incidents targeting other government agencies and healthcare providers in Kenya. Representatives say the NHLS faces a prolonged recovery with an unclear timeline for full restoration.

A new ransomware-as-a-service called Eldorado emerged in March, featuring locker variants for VMware ESXi and Windows. The group has claimed 16 victims, primarily in the US, targeting the real estate, education, healthcare, and manufacturing sectors. Cybersecurity firm Group-IB tracked Eldorado's activities, noting its promotion on the RAMP forum and recruitment of skilled affiliates. Eldorado's data leak site was down at the time of reporting. The ransomware, written in Go, can encrypt both Windows and Linux platforms using the ChaCha20 algorithm and RSA encryption. It appends a numerical extension to encrypted files and drops ransom notes named HOW_RETURN_YOUR_DATA.TXT. Eldorado encrypts network shares via SMB and deletes shadow volume copies to hinder recovery. Affiliates can customize attacks, especially on Windows systems.
Eldorado is a unique development, not based on previous ransomware groups, and has quickly proven its capability to cause significant damage.

The US Cybersecurity and Infrastructure Security Agency added a Cisco NX-OS command injection vulnerability to its Known Exploited Vulnerabilities catalog. This zero-day vulnerability, exploited by the China-linked group Velvet Ant, allows authenticated local attackers with administrator credentials to execute arbitrary commands as root on affected devices. Cisco addressed the flaw, which affects several Nexus series switches, and recommended using the Cisco Software Checker to identify vulnerable devices. Federal agencies must fix this vulnerability by July 23rd of this year.

Coming up after the break, Rick Howard catches up with AWS's Vice President of Global Services Security, Hart Rossman. Stay with us.

[Music]

And now, a word from our sponsor, KnowBe4. Where would infosec professionals be without users making security mistakes? Working less than 60 hours per week, maybe, actually having a weekend every so often. While user behavior can be a challenge, they can also be an infosec professional's greatest asset once properly equipped. Users want to do the right thing, but often lack the knowledge to do so. That's one of the reasons KnowBe4 developed SecurityCoach, a real-time security coaching tool that takes alerts from your existing security stack and sends immediate coaching to users who've taken risky actions. The existing security tools will likely block a user from visiting a high-risk website, for example, but the user might not understand why. SecurityCoach analyzes these alerts and provides users with relevant security tips via email or Slack, coaching them on why the action they just took was risky. Help users learn from their mistakes and strengthen your organization's security culture with SecurityCoach. Learn more at knowbe4.com/securitycoach. That's knowbe4.com/securitycoach.
And we thank KnowBe4 for sponsoring our show.

[Music]

The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now employees, apps, and networks are everywhere. This means poor visibility, security gaps, and added risk. That's why Cloudflare created the first-ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business.

[Music]

My N2K colleague Rick Howard recently caught up with AWS's Vice President of Global Services Security, Hart Rossman, at the AWS re:Inforce event. They discussed extending your security around generative AI. AWS is a media partner here at N2K CyberWire.

In June of 2024, Brandon Karpf, our VP of Programming, Jennifer Eiben, our Executive Producer, and I traveled to the great city of Philadelphia to attend the 2024 AWS re:Inforce security conference. And I got to sit down with Hart Rossman, the AWS Vice President of Security for Sales, Marketing, and Global Services. He gave a presentation on the future of generative AI in security, so I asked him how it went.

You know, it was super fun. I had Emily Webber with me, who is a principal security leader on the Annapurna organization. That's the part of the business that helps fabricate some of the chips that we use internally, Inferentia, Trainium, and those sorts of things. And we also had two customer speakers as well, from RC and from Bloomberg. And the focus of our talk was really to help the security community learn about best practices for implementing security around GenAI workloads.

Well, it's also new. I was looking at the Gartner hype chart for AI in security just last week, right? And everything's still on this side of the peak of inflated expectations, right? It hasn't even gotten to the top and started to drop yet, so we're all still very excited about it.
And we're all pretty confused about what security people should be doing, let alone what businesses should be doing with generative AI. So what are some of the pitfalls that they can try to avoid if they listen to your talk?

Yeah, you know, I think it's honestly less about pitfalls and more about understanding how you can take the security program you've already invested in and extend it to this new technology, this new experience in GenAI. You know, things that have always been important are still important, right? Identity and access control, having that principle of least privilege across your GenAI workload, right? You want to look at things like ensuring that you've got encryption end to end.

So that's the learning point, right? Because you're saying the strategies that you've chosen to protect your enterprise, they don't change just because we have this new manual technology.

Oh, a lot of it's the fundamentals, right? But then there are new opportunities to do security well. And by the way, for me, the most exciting part is actually using this new technology to improve security outcomes.

In my mind, there are, like, two big areas of kind of greenfield for generative AI. One was what you just described. We can run those algorithms against our own configurations to make sure that we haven't screwed anything up, that we're not missing anything, and maybe even proactively finding things. You know, this bad thing might happen in the future, so that's one thing. That's what you were talking about with those kinds of services.

Yeah, it's like an assistive technology, right? You've got these really expert people in your organization who are security architects, engineers, and incident responders. And, you know, they can benefit from this technology in an assistive fashion to get things done better, faster, less expensive, right? Or to correlate knowledge across the enterprise? And I think for the responder in particular, right?
Having access to an LLM that's been deeply encoded with security-relevant knowledge is a game changer, right? It really adds a ton of value.

So that's a really interesting question. Who owns that in the enterprise? You know, because I'm not sure that it, I mean, maybe Amazon, it's so big and has so many resources that you might have a special team that does that. But I'm on the other side of that at N2K, we're just a startup. So who is in charge of figuring that out and incorporating that? I mean, what's the best practice there?

Yeah, you know, I think obviously there are different approaches for different folks. What I often advocate is, you know, the service team or the enterprise application owner is probably the best suited to adopt anything new. And GenAI is no different. So in this case, if you've got a team responsible for security escalations and investigations, right? This is an opportunity for them to embrace the new hotness, right? Bring that technology in-house, train it, develop it in a way that works best for their needs, right? And then get after it. Having said that, some organizations work better in a CCoE model, right, a center of excellence model. And if that's your jam, you know, get after it, that's super cool.

So then the other way you might use generative AI, because what we were just talking about is improving your already deployed systems, how do you configure them, how do you monitor them, those kinds of things. But the other way is to just take all the data that's generated by the exhaust of all those tools in your environment, run these algorithms on it, and maybe find new bad guys that you didn't know were there, okay? So is that sometime in the future? Is that still years away from us?

Yeah, I think that's true if you expand kind of that shorthand of GenAI to talk about machine learning in general, right? And so when we talk about generative AI as a great way to interface and create that knowledge base through the health lab.
And then we add to it kind of some broader machine learning techniques. That's absolutely the right way to go, right? And our GuardDuty is a great example of that, right? We were doing machine-learning-driven threat detection and response in GuardDuty years before generative AI became a thing, right?

Yeah, and machine learning has been around, even with detecting malware. It's been around forever.

And so when you put them together, though, you get this really powerful experience for the developer, for the builder, for the responder. And that, for me, really drives this idea that we have to remember, as leaders in the security community, we've got to be early adopters. We've got to take advantage of first mover, right? And so if the rest of the business is super excited about something like GenAI and you're still hesitant, or you're still reluctant or resistant, right? By the time you get hip to it, it's going to be the same old trope in security where, you know, you're chasing the business to help protect them. Whereas if today, you know, you're building security workloads on Bedrock, if you're using solutions and technologies like Perplexity, right, to do your own searches as a security leader, right? You'll have an authentic point of view on what works for you, what doesn't work for you, and where you want the business to go. Instead of playing catch-up and trying to sort of artificially create rules of engagement.

What's the downside there? I mean, I know all of us look at the Gartner hype chart every day and think it's going to be great for us in the future. What can go wrong here? What should we be looking for?

You know, I don't see specifically a downside, to be perfectly honest. I think it goes back to what we were discussing earlier, which is, you know, really taking the lessons learned that we know in enterprise security programs, right? And extend that to GenAI.
So, you know, model input and output validation, writing, encryption, identity, all these things are still important, right? The question is, as a security professional, do you understand the nuance of the use cases of the new technology to ensure that those best practices are implemented?

That was Hart Rossman, the AWS Vice President of Security for Sales, Marketing, and Global Services.

That's N2K CyberWire's Chief Security Officer Rick Howard, speaking with AWS's Vice President of Global Services Security, Hart Rossman.

[Music]

And now a message from BlackCloak. What's the easiest way for threat actors to bypass your company's cyber defenses? Targeting your executives at home. That's because 87% of executives use personal devices to conduct business, often with zero security measures in place. Once execs leave your organization's secure network, they become easy targets for hijacking, credential theft, and reputational harm. Close the at-home security gap with BlackCloak Concierge Cybersecurity and Privacy, award-winning 24/7/365 protection for executives and their families. Learn more at blackcloak.io.

[Music]

And finally, a new report out of the UK reveals the often-overlooked mental toll ransomware attacks take on victims. Beyond data theft and financial loss, these cyberattacks significantly impact the psychological and physiological well-being of individuals, as highlighted by the Royal United Services Institute, RUSI. Dr. Jason Nurse, a cybersecurity expert at the University of Kent, emphasized that ransomware not only disrupts services but also deeply affects staff who suddenly cannot return to their families. The report, "Your Data Is Stolen and Encrypted: The Ransomware Victim Experience," published on July 2nd, provides unique insights into victims' psychological experiences during ransomware incidents. It outlines how certain factors can worsen or alleviate their distress and suggests policy measures to reduce harm.
Daniel Card, an incident response specialist, stressed the importance of basic self-care during a response, noting that well-being is crucial for effective incident handling. The report recommends that line managers be sensitive to the psychological and physical harm caused by ransomware attacks. Public policy must prioritize mitigating the psychological impact of such attacks. The report calls for more funding for mental health services tailored to ransomware victims and suggests that cyber insurance policies cover mental health counseling. Despite awareness efforts, many organizations still prioritize cybersecurity inadequately. Daniel Card noted the scale of this challenge, emphasizing the need for organizations to strengthen their security measures continuously. This report is part of a 12-month research project by RUSI and the University of Kent, funded by the UK's NCSC and the Research Institute for Sociotechnical Cybersecurity.

In the heat of the moment, it's easy to lose sight of the human element of a ransomware attack. Let's remember to extend kindness and understanding to those affected, fostering a culture of compassion and resilience.

And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment on Jason and Brian's show every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

This September 18th and 19th in Denver, a tight community of leading experts is gathering to tackle the toughest cybersecurity challenges we face. It's happening at mWISE, the unique conference built by practitioners, for practitioners. Brought to you by Mandiant, now part of Google Cloud, mWISE features one-to-one access with industry experts and fresh insights into the topics that matter most, right now, to frontline practitioners. Register early and save at mwise.io/cyberwire. That's mwise.io/cyberwire.

[Music]