🎓️ Vulnerable U | #036

SEC Charged SolarWinds CISO, Biden's new AI Safety Executive Order, Boeing Ransomware, and more!

Read Time: 8 minutes

Howdy friends!

I wanted to share a quote by Stephen Fry about getting through the bad days.

I’ve found that it’s of some help to think of one’s moods and feelings about the world as being similar to weather.

Here are some obvious things about the weather:

It’s real.

You can’t change it by wishing it away.

If it’s dark and rainy it really is dark and rainy and you can’t alter it.

But nor is it your fault that it’s dark and rainy, and it might be dark and rainy for two weeks in a row.

BUT

It will be sunny one day.

It isn’t under one’s control as to when the sun comes out, but come out it will.

One day.

It really is the same with one’s moods, I think. The wrong approach is to believe that they are illusions. They are real. Depression, anxiety, listlessness—these are as real as the weather—AND EQUALLY NOT UNDER ONE’S CONTROL. No one’s fault. Not yours.

BUT

They will pass: they really will.

In the same way that one has to accept the weather, so one has to accept how one feels about life sometimes. “Today's a crap day,” is a perfectly realistic approach. It’s all about finding a kind of mental umbrella.

Stephen Fry

In this episode:

  • SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures

  • Bridging Public and Private Sectors for Enhanced Cybersecurity

  • Biden releases AI executive order directing agencies to develop safety guidelines

  • F5 hurriedly squashes BIG-IP remote code execution bug

  • Prolific Puma: Shadowy Link Shortening Service Enables Cybercrime

  • North Korean Hackers Targeting Crypto Experts with KANDYKORN macOS Malware

  • Now Russians accused of pwning JFK taxi system to sell top spots to cabbies

  • Boeing confirms ‘cyber incident’ after ransomware gang claims data theft

  • Alliance of 40 countries to vow not to pay ransom to cybercriminals, US says

  • Russian Hackers Breached 632,000 DOJ And Pentagon Email Addresses In Massive MOVEit Cyberattack

  • And more!

ICYMI

🖊️ Something I wrote: I talked about the Loneliness Epidemic last week

🎧️ Something I heard: This song hypnotized me while writing yesterday.

🎤 Something I said: Talked about the Okta hack and SEC going after SolarWinds CISO over on my YouTube.

🔖 Something I read: Listen first, speak last.

Vulnerable News

3 years after the SolarWinds breach was disclosed, the SEC is going after their CISO. Not for being breached. Not for not doing well enough at building a security infrastructure. For lying about it to auditors and investors. It turns out that if you’re a publicly traded company, you’re held to a different standard on disclosures.

  • Misrepresentation of Cybersecurity Practices: SolarWinds is accused of overstating its cybersecurity measures and understating known vulnerabilities, misleading investors.

  • Known Vulnerabilities Ignored: Despite internal assessments highlighting significant security weaknesses, the company allegedly failed to take adequate action.

  • Impact on Investors: Following the disclosure of the SUNBURST cyberattack, SolarWinds' stock price plummeted, showcasing the financial repercussions of cybersecurity lapses.

This SEC complaint is full of fun stuff, and under a microscope, it all looks awful. But I’m less judgmental about the lousy security things found here because if we all went under this scrutiny, I’m sure some embarrassing headlines would pop up - but the claims that are getting him in trouble are the misrepresenting of facts to inflate the stock price.

But “solarwinds123” is a pretty lousy password…

I hear folks talk about this setting a bad precedent for CISOs facing legal repercussions after a breach. We’ve not seen that happen unless they lie or cover something up. Not to say law enforcement will forever use this legal precedent in only upstanding ways - but as of now, all CISOs have to worry about is being good and honest communicators. I’ve seen some egregious flaws pass audit if a proper roadmap was illustrated clearly. (read more)

In the perfect second story follow-up, Joe Sullivan, ex-CISO of Uber who faced similar legal scrutiny after their breach, has written an opinion piece about this issue. Nobody is better, or at least more interesting, to talk about the SolarWinds story.

Sullivan advocates for cooperation between public and private sectors as a pragmatic approach to cyber defense, contrasting it with actions like the SEC's charge against SolarWinds' CISO, which may not foster a conducive environment for tackling cyber threats.

  • Cooperation Over Regulation: Joe advocates a collaborative approach rather than punitive measures.

  • Public-Private Synergy: A call for united efforts in navigating the cyber threat landscape.

I share his concern with lawyers and regulators pretending to be cybersecurity experts for a day in court. However, the charges in this case seem to be mostly about misrepresenting material facts impacting stock price, not cybersecurity controls. (read more)

In a preemptive move ahead of legislative action, President Joe Biden has signed an executive order outlining rules for generative AI. The order encompasses eight crucial objectives to foster AI safety, privacy, equity, consumer protection, innovation, national AI leadership, government technology utilization, and workforce support.

  • Comprehensive Objectives: Spanning AI safety standards to job displacement analysis.

  • Red Teaming AI Models: NIST tasked with establishing standards for pre-release evaluation.

  • Mitigating Discrimination: Guidelines to curb AI-fueled discrimination in multiple domains.

Super interesting to me is the inclusion of red teaming and anti-discrimination measures, aiming to pre-empt issues that could have far-reaching societal impacts. (read more)

F5 has urgently fixed a remote code execution bug in its BIG-IP suite discovered by Praetorian researchers. This severe flaw, rated 9.8/10 on the CVSS scale, could lead to a total system compromise if exploited. F5 rushed the fix, fearing the vulnerability's details might have leaked beyond the initial disclosure process, reflecting a reactive posture towards vulnerability management.

  • Severe Flaw: CVSS score of 9.8, capable of total system compromise.

  • Prompt Fix: Emergency patch issued, fearing potential external knowledge of the flaw.

  • Disclosure Dynamics: Initial reluctance turned into an urgent fix, showcasing reactive vulnerability management.

The frenzied patching shows us a reactive, rather than proactive, stance in vulnerability management. It's always a dance between maintaining a scheduled disclosure timeline and reacting to the potential external exposure of critical flaws. (read more)

Prolific Puma, an underground entity, has facilitated cybercriminals by providing a link-shortening service. For years, it has aided malicious actors in evading detection while distributing phishing, scams, and malware through algorithmically generated domains.

“The actor was discovered not from malware or phishing sites, but from DNS analytics.”

Prolific Puma controls one of the largest networks Infoblox tracks. Since April 2022, they have registered between 35k and 75k unique domain names. This report is incredibly thorough with all their data on this threat actor group, detailing the technical analysis and even the economics of how they operate. (read more)

Name a more iconic duo than North Korea’s Lazarus Group and hacking crypto people.

North Korean state-sponsored hackers are targeting blockchain engineers at an undisclosed crypto exchange via Discord, deploying a novel macOS malware named KANDYKORN. This malware campaign involves luring victims using a Python application, leading to multiple complex stages of intrusion, each designed to evade defensive measures. KANDYKORN, the final payload, is an advanced memory-resident RAT capable of various malicious activities.

  • Targeted Attack: Specific focus on blockchain engineers via Discord.

  • Complex Intrusion: Multi-stage attack with evasion at each step.

  • Advanced Malware: KANDYKORN, a full-featured RAT for various malicious operations.

Don’t download random apps from Discord because someone told you to. (read more)

Sitting in the parking lot waiting for your turn is unpaid, and it turns out some taxi drivers found the incentive to skip the line so high that they were willing to try to hack the dispatch system.

  • Illegal Entrepreneurship: Utilizing hacking skills to create a black market for queue cuts.

  • Exploitation of System: The taxi dispatch system was manipulated to offer paid priority dispatching.

"bribing someone to insert a flash drive containing malware into computers connected to the dispatch system, obtaining unauthorized access to the dispatch system via a Wi-Fi connection, and stealing computer tablets connected to the dispatch system."

This scenario is a wild blend of digital anarchy meeting everyday annoyance. It demonstrates how hackers can manipulate data and real-world systems and services to create illicit revenue streams. While it adds a novel entry to the playbook of cyber misdemeanors, it also opens up a discussion on securing operational technologies that form the backbone of urban services. (read more)

We saw the LockBit website update with Boeing as a victim earlier this week. They just confirmed it.

  • Incident Confirmed: Boeing acknowledges a cyber incident after LockBit ransomware gang claims data theft.

  • Targeted Areas: Attackers aimed at the company's parts and distribution business, yet flight safety remains unaffected.

  • Ransom Speculations: LockBit threatened to release a vast amount of sensitive data unless a ransom was paid by November 2; indications of potential negotiations surfaced as the ransom demand listing vanished.

The dilemma here is one many corporations might face: to negotiate or not with ransomware operators, especially when legal constraints are at play. The vanished listing on LockBit's site might signify a behind-the-scenes negotiation. (read more)

A coalition of 40 nations, spearheaded by the U.S., vows not to succumb to ransom demands from cyber adversaries, aiming to choke off a vital funding stream for these malefactors. This International Counter Ransomware Initiative emerges amidst a global uptick in ransomware onslaughts, with the U.S. bearing the brunt of such attacks.

“The alliance will also use artificial intelligence (AI) to analyze blockchains and identify illicit funds, as well as share a blacklist of digital wallets used for ransom payments through the US Department of Treasury.”

  • United Front: 40 countries pledge against paying ransoms.

  • Targeting Funding: Aim to dismantle hackers' financial mechanisms.

  • Information Sharing: Platforms for sharing data on ransom payment accounts are in the works.

The global pledge is a bold stance against persistent successful ransom attacks. However, its efficacy hinges on the steadfastness of all participants amidst a crisis. While the initiative is a stride towards a collective defense, enforcing such a pledge amidst a high-stakes ransomware attack will be the real litmus test. (read more)

Russian hackers have breached about 632,000 email addresses from the Justice and Defense departments via a file transfer program called MOVEit. The breach occurred on May 28 and May 29, and although characterized as a “major incident,” the compromised data was “generally of low sensitivity.” (read more)

Not much to add here. It's just a bummer for those impacted. CEO states it is unrelated to the Cisco deal. (read more)

The European Data Protection Board has broadened the temporary ban on targeted advertising on Facebook and Instagram, initially imposed by Norway's Data Protection Authority. This move, resulting from Meta's usage of personal data for behavioral advertising, mandates the halt of such data processing across the European Economic Area. Meta faces a tight deadline to align its operations with these directives amidst ongoing non-compliance concerns. (read more)

Rapid7 observed suspected exploitation of a critical Apache ActiveMQ vulnerability (CVE-2023-46604) by attackers deploying HelloKitty ransomware in two distinct environments. This remote code execution flaw allows adversaries to run arbitrary shell commands, paving the way for ransomware deployment. Affected versions include Apache ActiveMQ 5.16.0 to 5.18.0. The adversaries exploited outdated ActiveMQ instances, emphasizing the criticality of timely patching. (read more)

Miscellaneous mattjay

Reply with your thoughts on this tabletop

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay