Archive.fm

CyberWire Daily

Weeding out 'worms' for Windows users.

Microsoft urges users to patch a critical TCP/IP remote code execution vulnerability. Texas sues GM over the privacy of location and driving data. Google says Iran’s APT42 is responsible for recent phishing attacks targeting presidential campaigns. Doppelgänger struggles to sustain its operations. Sophos X-Ops examines the Mad Liberator extortion gang. Fortra researchers document a potential Blue Screen of Death vulnerability on Windows. China’s Green Cicada Network creates over 5,000 AI-controlled inauthentic X (Twitter) accounts. Kim Dotcom is being extradited to the United States. Our guest is Rui Ribeiro, CEO at JScrambler, to discuss how the extensive use of first- and third-party JavaScript is a blessing and a curse. Wireless shifting can really grind your gears.

Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

Today’s guest Rui Ribeiro, JScrambler's CEO, joins us to discuss how the extensive use of first- and third-party JavaScript is both a blessing and a curse.

Selected Reading

Zero-click Windows TCP/IP RCE impacts all systems with IPv6 enabled, patch now (Bleeping Computer)

Texas sues General Motors over car data tracking (POLITICO)

Google: Iranian Group APT42 Behind Trump, Biden Hack Attempts (Security Boulevard)

Doppelgänger operation rushes to secure itself amid ongoing detections, German agency says (The Record)

Palo Alto Networks Patches Unauthenticated Command Execution Flaw in Cortex XSOAR (SecurityWeek)

A new extortion crew, Mad Liberator, emerges on the scene (The Register)

Beware, Windows users. Newly-spotted CVE-2024-6768 vulnerability can cause blue screen (MSPoweruser)

CyberCX Unmasks China-linked AI Disinformation Capability on X (CyberCX)

Kim Dotcom is being Megauploaded to the US for trial (The Verge)

Want to Win a Bike Race? Hack Your Rival’s Wireless Shifters (WIRED)

Share your feedback.

We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show?

You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Duration: 28m
Broadcast on: 15 Aug 2024
Audio Format: mp3


[Music] You're listening to the CyberWire Network, powered by N2K. [Sound of seagulls]

This episode is brought to you by Shopify. Forget the frustration of picking commerce platforms when you switch your business to Shopify, the global commerce platform that supercharges your selling, wherever you sell. With Shopify, you'll harness the same intuitive features, trusted apps, and powerful analytics used by the world's leading brands. Sign up today for your $1 per month trial period at Shopify.com/tech, all lowercase. That's Shopify.com/tech. [Music]

The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now, employees, apps, and networks are everywhere. This means poor visibility, security gaps, and added risk. That's why Cloudflare created the first-ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business. [Music]

Microsoft urges users to patch a critical TCP/IP remote code execution vulnerability. Texas sues GM over the privacy of location and driving data. Google says Iran's APT42 is responsible for recent phishing attacks targeting presidential campaigns. Doppelgänger struggles to sustain its operations. Sophos X-Ops examines the Mad Liberator extortion gang. Fortra researchers document a potential blue screen of death vulnerability on Windows. China's Green Cicada Network creates over 5,000 AI-controlled inauthentic X (Twitter) accounts. Kim Dotcom is being extradited to the United States. Our guest is Rui Ribeiro, CEO at JScrambler, to discuss how the extensive use of first- and third-party JavaScript is a blessing and a curse. And wireless shifting can really grind your gears. [Music]

It's Thursday, August 15th, 2024. I'm Dave Bittner and this is your CyberWire Intel Briefing. [Music]

Thank you for joining us here today. It is great to have you with us.

Microsoft has urged users to patch a critical TCP/IP remote code execution vulnerability that affects all Windows systems with IPv6 enabled. Discovered by Kunlun Lab, this wormable flaw could allow remote unauthenticated attackers to execute arbitrary code by sending specially crafted IPv6 packets. Disabling IPv6 is a temporary mitigation, but Microsoft advises against it due to potential system issues. Given its high likelihood of exploitation, users are strongly advised to install the latest security updates immediately.

Texas Attorney General Ken Paxton has filed a lawsuit against General Motors, accusing the automaker of violating the privacy rights of millions of Texans by selling their location and driving data. The suit alleges GM misled drivers into sharing data, which was then sold to data brokers and used to influence insurance rates without drivers' consent. This action marks the first state-level enforcement against an automaker for such data practices. GM says they're currently reviewing the complaint and they've expressed a commitment to consumer privacy.

Google's Threat Analysis Group, TAG, has identified APT42, an Iranian-backed group linked to the Islamic Revolutionary Guard, as responsible for recent phishing attacks targeting the Biden-Harris and Trump campaigns. These attacks aim to compromise the personal email accounts of individuals connected to the campaigns, including former U.S. officials. TAG blocked many of these attempts and reported the activity to law enforcement. APT42 is known for using sophisticated social engineering tactics, such as posing as journalists and event organizers to lure victims. This group's activities reflect Iran's efforts to influence political outcomes and support its military objectives. Recent months have seen increased targeting of U.S. and Israeli entities, with APT42 adapting its methods to exploit various platforms like Google Meet, OneDrive and WhatsApp. Other security firms, including Microsoft, have also reported heightened activity from Iranian threat groups as the 2024 U.S. elections approach.

The Russian disinformation network Doppelgänger is struggling to sustain its operations following a crackdown on its infrastructure, triggered by reports that European hosting companies were unknowingly supporting the Kremlin-linked campaign. The Bavarian State Office for the Protection of the Constitution revealed that Doppelgänger operators hastily backed up systems and secured data after the exposure. Active since May 2022, the network created fake social media profiles, websites and news portals to spread propaganda across Germany, France, the U.S., Ukraine and Israel. German authorities confirmed the network's Russian ties, noting operations aligned with Moscow's time zones and holidays.

Palo Alto Networks has issued patches for several vulnerabilities, including a high severity issue which affects the Cortex XSOAR product. This flaw allows unauthenticated attackers to execute commands within certain configurations. Patches are available starting with version 1.12.33. Additionally, updates were released for Prisma Access Browser, addressing over 30 vulnerabilities in the Chromium-based browser. Two medium severity flaws were also patched, impacting PAN-OS and the GlobalProtect app. Palo Alto Networks is not aware of any active exploitation of these vulnerabilities.

A report from Sophos X-Ops examines the "Mad Liberator" extortion gang emerging in mid-2023. The group uses social engineering and the AnyDesk remote access tool to steal data from organizations and demand ransom. Unlike traditional ransomware, it primarily focuses on data exfiltration but may also encrypt files as part of a double extortion strategy. The group operates a leak site to pressure victims into paying by threatening to release stolen data. Victims are tricked into granting AnyDesk access, often believing the request is from legitimate IT staff. The attacks last several hours, with files stolen and ransom notes deployed before the session ends.

Researchers from security firm Fortra document a newly discovered vulnerability that can cause a blue screen of death on Windows 10, 11 and Server 2022, even with all updates installed. This flaw, due to improper input validation, allows attackers with physical access to repeatedly crash the system by manipulating a BLF file. Fortra reported the issue to Microsoft in December of 2023, but it was initially dismissed. Fortra published the vulnerability in August 2024 after successfully reproducing the problem. The issue poses a risk of denial of service and data loss.

CyberCX Intelligence has been tracking the Green Cicada Network, a group of at least 5,000 AI-controlled inauthentic X (Twitter) accounts, likely part of an emerging information operation linked to China. This network primarily amplifies divisive US political issues with potential intentions to interfere in the upcoming presidential election. The system, associated with Chinese AI research, has shown increasing activity since July 2024 and has been refining its operations to avoid detection. CyberCX warns of the growing use of generative AI in malicious activities and urges organizations to update their threat models accordingly.

Kim Dotcom, the German-born internet entrepreneur, is being extradited to the United States to face criminal charges linked to his defunct file sharing platform, Megaupload. The US Department of Justice accuses Dotcom of enabling widespread piracy costing entertainment companies over $500 million. After moving to New Zealand in 2010, Dotcom's Auckland mansion was raided in 2012 following an FBI request. Since then, he has fought extradition while promoting conspiracy theories online. New Zealand's Justice Minister recently signed the order for his extradition. Two former Megaupload officers have already been sentenced after avoiding extradition through plea deals.

Coming up after the break, our guest, Rui Ribeiro, CEO at JScrambler, discusses how the extensive use of first- and third-party JavaScript is a blessing and a curse. Stay with us. [Music]

When it comes to ensuring your company has top-notch security practices, things can get complicated fast. Vanta automates compliance for SOC 2, ISO 27001, HIPAA, and more, saving you time and money. With Vanta, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center. Over 7,000 global companies like Atlassian, Flo Health, and Quora use Vanta to manage risk and prove security in real time. Our listeners can claim a special offer of $1,000 off Vanta at vanta.com/cyber. That's V-A-N-T-A.com/cyber for $1,000 off Vanta. [Music]

Most of our listeners who deal with legacy privileged access management products know they tend to be expensive, difficult to deploy, and hard to use. Keeper Security is the answer. Keeper's Zero Trust solution delivers password, secrets, and connection management in one easy-to-use platform. It's fast to deploy, agentless, clientless, and has no implementation fees. Plus, Keeper is FedRAMP authorized. That's why we trust Keeper to prevent breaches and gain full control over privileged users. Visit keeper.io/cyberwire to schedule a quick demo. That's keeper.io/cyberwire. And thanks to Keeper Security for supporting our podcast. [Music]

Rui Ribeiro is CEO at JScrambler, and I recently sat down with him to discuss how the extensive use of first- and third-party JavaScript is a blessing and a curse.

So let's focus on the specific use of JavaScript, which was exactly what it was created for. It's the language that basically is used by every browser to drive every possible interaction with the -- to make rich interfaces and proper interfaces for the end users. So we're talking about the client side. It's executed mainly on the client side for the purposes that we are talking here. And it's also a way for companies to add functionality to their websites. So as you understand, when you're building an e-commerce web store, you are focused on delivering the best experience to your users. And you might not even be a very technically savvy company, but you want to make sure that they have the possibility to interact with a support desk. We have a chat, we can show videos about your product, you can even show through the experiences, you have proper payments, you have proper shipping calculation. Like, all of those things are brought through partners. Most of the time these integrations are done by JavaScript on the client side. So this is code that's running on your browser, and it's doing all those functionalities.

And so what are some of the challenges here? What are the potential security implications of this?

All of these third parties. So the company that's providing the chat, the company that's providing the payment, the company that's providing the monitoring capabilities, the analytics, Facebook, Google, like all of these companies. And on average, you have about 70 companies there. So 70 vendors are there. All of them can access all the data that's either being displayed or typed on a page. So this means that when you're typing a credit card, many of them could be eavesdropping. That doesn't mean that they are, but they could be, because there's nothing limiting. So if you look at it, all of the information that ever exists on a database today from a company has either been typed in, most likely through a browser or a mobile application, or, because it's there and it's useful for you as a user, it can be displayed. So it's a very big problem if exploited, and it has been exploited many, many times. The most known one, of course, is credit card skimming, so stealing credit cards from checkout pages. And that's what drove the PCI council to create a new directive that, among other things, the PCI DSS before requires companies that provide checkout pages to know the third parties that are there, to be able to, and also to make sure that they are not stealing your credit cards. So this is a problem that has existed for a long time, but it is a problem that became much more relevant by the fact that today we have accepted, and we built websites by bringing in lots of third parties into the experience.

So help me understand here. I mean, suppose I'm relying on a third party to be able to have credit card functionality on my website. But then I've got another third party who's taking care of my chat functionality. Is it possible that the folks who are taking care of the chat functionality would have a view into what's going on in the credit card functionality?

Not only a possibility, it has happened several times exactly on the chat example. I think that new web was the case as it forms also have with a similar case. So it has happened many times already. And in some situations it was due to some form of attack. In some other situations it's just like misconfiguration. I'm going to give you another example on that. So you know that when you are engaging with a website, someone is trying to see if everyone is having a very good experience. So they have tools that track the users and see where they are clicking, where they are stopping engaging with the website, that kind of thing. Most of them are designed to capture all the information that's being displayed, because that's how they can then make business decisions. If they are incorrectly configured and they are on the checkout page, which they are, because a company has invested a lot of money to get you to buy a product, so they want to know when you are on the checkout page if you are having any issues in buying that product. If it's not correctly configured, it will capture all the credit card information. Because it was a tool designed to do so.

Right, right. So it strikes me that what we are talking about here is kind of vulnerability from two directions. I mean, there's the consumer themselves who want to protect themselves against a website that they are interacting with that potentially has these sorts of vulnerabilities taking place. But then on the other side you've got the folks who are building the websites who want to make sure that they are not inadvertently falling victim to something like this on their end.

Yes, but I would say, like, the consumers, they shouldn't be concerned, by the fact that if we build the experience properly, if we build websites properly, the consumer doesn't need to, or we cannot put that burden on the consumer, but that burden on the company that's providing the service. And it's clear today that this is exactly what is going to be done by all the governments. At least the EU, European Union, and the US have clearly stated, like, you are providing the website, you are providing all these third parties, it's your responsibility for any of them misstepping. This is pretty clear, and we have recently seen an example which is totally different than the ones that I've shared moments ago, which is the example of the hospital that added the Facebook pixel to every web page. And when you were booking an oncology appointment, basically, Facebook would know that you had some oncology problem. And then it would start feeding you ads about medical cures. So, well, if you look at it, that type of information was, again, it was not a vulnerability. It was a misconfiguration, like the Facebook pixel shouldn't be on that page, or, knowing that Facebook does this, the hospital must make sure that Facebook is never on any page where it could infer something about your status. It was the hospital that had to do the settlement, not Facebook, because it was the hospital that brought Facebook into that page. So if you look at it, things are starting to make sense in the way that I'm providing the service, I bring all these partners, I am responsible for all of them. But that means that these companies must have ways to control these partners. And that's where we come in, as JScrambler, because we provide you with a way for you to continue to innovate, to add the Facebook, to add the video, to add a chatbot, to add all of these features that you need to provide a very good experience, but still sandbox them and make sure that none of them is accessing information from your users. Because it's not just about the privacy of your users, it's also about the privacy of your own business, because all of these third parties, they have access to, well, could have access to all your user data. And if they could have access to all your user data, they can sell it, they can abuse it in some way, so they could really hurt your business model. So what we are saying is, yes, innovate, but at least put the controls in place, because today it's incredibly dangerous for a company; they are exposing a lot of data to third parties.

Well, help me understand, you know, what are the types of options that are available? I mean, I know you mentioned you and your colleagues at JScrambler, you're doing some kind of sandboxing there. Describe to me how that sort of thing works.

So the idea is that every piece of JavaScript that's there, or every vendor that's there, we are sandboxing them. So we know that this, for example, chat application, it's designed to just communicate and never access credit card information. So we can set policies and say, we are bringing in this vendor, you can only communicate with this server, you can only do these types of actions, and you are not able to access credit card, social security, whatever information. If the script misbehaves because it's badly configured, or because it is under attack, or it's a vulnerability that has been implemented, or its supply chain has been compromised in any way and it starts behaving differently, we are able to detect it and block it. So looking at the example of Magecart, like stealing credit card information, imagine that in that experience you have that chat application, and that chat application starts misbehaving and starts accessing credit card information. If we are there, a solution like JScrambler, which is sandboxing and monitoring that third party, what we can do is we can either block it from day one, or we will notice the behavior change. And after verifying that it has in fact been compromised in some way, we can start blocking it or remove that vendor altogether. So this means that for a company, you have reduced the impact for that attack or for that vulnerability to a few credit cards instead of hundreds of thousands of credit cards that would be left there to be stolen for months and months. So this is like the idea that the problem will happen. The question is how big it's going to be for you. And with tooling such as ours, we can really make sure that it is zero to an extra leap back for that.

That's Rui Ribeiro, CEO at JScrambler. [Music]

Elevate your enterprise identity solutions with Strata. Seamlessly connect legacy apps to any identity provider, apply MFA effortlessly, and maintain identity continuity without disruptions. Strata reduces tech debt, enhances security, and provides a robust, efficient identity management system. Feel secure and efficient managing your identity infrastructure. Strata helps you streamline operations and ensure continuous identity availability. Visit strata.io/cyberwire, share your identity challenge, and receive a free set of AirPods Pro. Take control of your identity management today. Visit strata.io/cyberwire, and our thanks to Strata for being a longtime friend and supporter of this podcast. [Music]

And finally, in the world of professional cycling, where cheating has taken many forms, a new high tech threat has emerged: gear shifting sabotage. Researchers recently revealed that hackers could exploit Shimano's wireless shifting systems to disrupt races by forcing bikes to shift gears at critical moments. The attack is surprisingly simple, requiring only off-the-shelf hardware, and could wreak havoc during events like the Tour de France. While Shimano is rushing to patch the vulnerability, the incident highlights the unintended risks of adding wireless features to everyday tech, including bikes.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes, or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's pre-eminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people, to make you smarter about your teams while making your teams smarter. Learn how at N2K.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here, tomorrow. [Music]

[Music] This September 18th and 19th in Denver, a tight community of leading experts is gathering to tackle the toughest cybersecurity challenges we face. It's happening at mWISE, the unique conference built by practitioners for practitioners. Brought to you by Mandiant, now part of Google Cloud, mWISE features one-to-one access with industry experts, and fresh insights into the topics that matter most, right now, to frontline practitioners. Register early and save at mwise.io/cyberwire. That's mwise.io/cyberwire. [Music]