Tuesday, January 2, 2024

🐛 The bug haunting security pros

Plus: AI ransomware arrests | Tuesday, January 02, 2024
 
 
 
Axios Codebook
By Sam Sabin · Jan 02, 2024

Happy New Year! Welcome back to Codebook.

  • 🎊 It's 2024 — wild! Have a New Year's resolution or goal? I'd love to hear about it.
  • 📬 Have thoughts, feedback or scoops to share? codebook@axios.com.

Today's newsletter is 1,335 words, a 5-minute read.

 
 
1 big thing: Untangling the monthslong tail of the latest critical security flaw
Illustration of a computer mouse with an extremely long cord

Illustration: Sarah Grillo/Axios

 

Companies are starting 2024 grappling with the fallout from a security vulnerability they've known about for months.

Driving the news: Xfinity said last month that hackers had exploited a critical vulnerability in Citrix's NetScaler networking appliances, resulting in the theft of sensitive information on roughly 36 million customers.

  • The discovery came roughly two months after Xfinity had patched the flaw in its systems.

Why it matters: Researchers believe hackers have been exploiting the vulnerability, known as Citrix Bleed, since at least August, and Citrix didn't disclose the flaw and ship a patch until Oct. 10.

  • Now, companies like Xfinity are investigating what sensitive information hackers made off with during those months.

Catch up quick: Ransomware gangs have reportedly used Citrix Bleed to target some of the biggest corporations in recent months, including Boeing, the Industrial and Commercial Bank of China, and more than 60 credit unions.

  • The Citrix Bleed vulnerability, tracked as CVE-2023-4966, affects Citrix's NetScaler ADC (application delivery controller) and NetScaler Gateway appliances — popular enterprise tools that let employees remotely access a variety of workplace applications.
  • The flaw is a memory over-read: an unauthenticated attacker can pull chunks of the appliance's memory, which can include valid session tokens and whatever else happens to sit there. Replaying a stolen token hijacks an employee's already-authenticated session, so the attacker never has to supply a password or pass a multifactor authentication prompt.
  • U.S. cyber officials have warned that both nation-state and criminal groups are now targeting Citrix Bleed.

Yes, but: The number of vulnerable systems has significantly decreased in the last two months, suggesting companies are actually taking the steps needed to resolve the flaw.

  • As of Dec. 31, roughly 1,300 vulnerable instances of the Citrix product were still online — compared to around 4,600 on Oct. 31, per data from the Shadowserver Foundation.

What they're saying: "We're going to continue to see data exfiltration news where data was stolen," Chris Henderson, senior director of threat operations at security platform Huntress, told Axios.

  • "For people who are now patched, the risk of ransomware hasn't passed, but we would've heard of most of them already," he added.

The big picture: It often takes months for companies to figure out the true scope of a cyber intrusion.

  • Expect to see more organizations issuing notices in the coming months detailing just how much access Citrix Bleed had given intruders to their networks.

Between the lines: Patching Citrix Bleed is also a bit tricky, Henderson said: the patch alone does not revoke session tokens that were stolen before it was applied, so companies also have to implement a separate set of mitigations — terminating the appliance's active and persistent sessions — to kick out any lingering intruders.

  • Some organizations were also slow to patch the vulnerability after Citrix announced it, he added, leaving them open to attacks from hacking groups that quickly figured out how to exploit it.
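As an added example, not code from the original page or from Citrix or Huntress, here is a small detection pass over constructed proxy-style log lines for the two stages those bullets describe: the memory-leak request, which public write-ups of Citrix Bleed identify as a request to the NetScaler OpenID discovery endpoint carrying an oversized Host header (roughly 24 KB in the published proof of concept), and the replay, where a session cookie first seen from one client address reappears from another with no fresh login. The key=value log layout, field names, addresses and cookie values are all constructed for the example; NetScaler's real logs look different, and the Host-length ceiling is an assumption.

```python
"""Constructed detection pass for two stages of a Citrix Bleed style intrusion.

Stage 1 (the leak): a request to the NetScaler OpenID discovery endpoint with a
Host header far longer than any real hostname.
Stage 2 (the replay): a session cookie that was first presented by one client
address later turning up from a different address.

Everything below is constructed for this example. The key=value log layout is
an assumption and is not NetScaler's own log format.
"""
from collections import OrderedDict

LEAK_PATH = "/oauth/idp/.well-known/openid-configuration"
HOST_LEN_LIMIT = 1024  # assumption: a generous ceiling; real Host values are tens of bytes

# Constructed sample log. Fields: timestamp, src (client IP), method, path,
# host_len (byte length of the Host header), cookie (session cookie value or -), status.
SAMPLE_LOG = """\
2023-10-12T03:14:01Z src=198.51.100.23 method=POST path=/cgi/login host_len=24 cookie=- status=302
2023-10-12T03:14:02Z src=198.51.100.23 method=GET path=/vpn/index.html host_len=24 cookie=4f3a9c2b7d1e8f06a5b4c3d2e1f00918 status=200
2023-10-12T03:15:07Z src=203.0.113.7 method=GET path=/oauth/idp/.well-known/openid-configuration host_len=24812 cookie=- status=200
2023-10-12T03:15:09Z src=203.0.113.7 method=GET path=/oauth/idp/.well-known/openid-configuration host_len=24 cookie=- status=200
2023-10-12T03:16:30Z src=203.0.113.7 method=GET path=/vpn/index.html host_len=24 cookie=4f3a9c2b7d1e8f06a5b4c3d2e1f00918 status=200
2023-10-12T03:16:31Z src=203.0.113.7 method=GET path=/logon/LogonPoint/tmindex.html host_len=24 cookie=4f3a9c2b7d1e8f06a5b4c3d2e1f00918 status=200
2023-10-12T03:20:00Z src=192.0.2.50 method=GET path=/vpn/index.html host_len=24 cookie=9b8c7d6e5f40312211aa33bb44cc55dd status=200
"""


def parse_log(text):
    """Parse the constructed key=value lines into dicts; host_len becomes an int."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = {"ts": ts}
        for field in fields:
            key, _, value = field.partition("=")
            rec[key] = value
        rec["host_len"] = int(rec["host_len"])
        records.append(rec)
    return records


def find_leak_probes(records, limit=HOST_LEN_LIMIT):
    """Stage 1: discovery-endpoint requests whose Host header exceeds the limit."""
    return [r for r in records if r["path"] == LEAK_PATH and r["host_len"] > limit]


def find_session_reuse(records):
    """Stage 2: cookies presented from more than one client address.

    Returns {cookie: [addresses in order of first appearance]} for cookies
    seen from two or more addresses. A second address that never logged in
    itself is the replay signature: it needed no password and no MFA prompt.
    """
    seen = OrderedDict()
    for r in records:
        cookie = r["cookie"]
        if cookie == "-":
            continue
        addresses = seen.setdefault(cookie, [])
        if r["src"] not in addresses:
            addresses.append(r["src"])
    return {c: a for c, a in seen.items() if len(a) > 1}


def triage(text):
    """Run both checks and correlate them: a cookie replayed from an address
    that also sent a leak probe is the strongest hijack indicator."""
    records = parse_log(text)
    probes = find_leak_probes(records)
    reuse = find_session_reuse(records)
    probe_sources = {r["src"] for r in probes}
    hijacked = {c: a for c, a in reuse.items() if probe_sources & set(a[1:])}
    return {"probes": probes, "reuse": reuse, "hijacked": hijacked}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for r in result["probes"]:
        print(f"leak probe  {r['ts']} from {r['src']} host_len={r['host_len']}")
    for cookie, addrs in result["reuse"].items():
        tag = "HIJACK" if cookie in result["hijacked"] else "reuse"
        print(f"{tag:<11} cookie {cookie[:8]}... seen from {', '.join(addrs)}")
```

The second check is the one that still matters after patching: an upgraded appliance keeps honouring tokens leaked before the upgrade, which is why Citrix's bulletin has operators terminate every active and persistent session once the fixed build is running (kill icaconnection -all, kill rdp connection -all, kill pcoipConnection -all, kill aaa session -all, clear lb persistentSessions), and why anyone who patched without doing so should still review logs from the exposure window for this kind of cookie reuse.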

Zoom out: Citrix Bleed is just the latest in a long string of critical vulnerabilities that have plagued companies in the last year — following similar flaws in a popular file-transfer tool, a network monitoring tool and more.

  • Researchers and companies uncovered 96 zero-day vulnerabilities in 2023, according to data from Trend Micro's Zero Day Initiative.

Be smart: Citrix Bleed is a reminder that company security teams need to put the privacy cost of a data breach ahead of worries about compliance paperwork and disruptions to business operations.

  • When a critical security flaw is discovered, some companies might be tempted to wait a few days to patch it so they don't disrupt any critical business operations, Henderson said.
  • "It's probably cheaper for them to go pay for that identity protection on everybody than to take outages," Henderson said. "Really considering the knock-on effects of the individuals impacted beyond just the hit to revenue and profitability — it needs to start being a tighter consideration for these [events]."
 
 
2. Pro-Palestine hackers dump corporate secrets
Illustration of a laptop with a safe door as the screen opening to reveal binary code.

Illustration: Aïda Amer/Axios

 

A pro-Palestinian hacking group has released data allegedly stolen from nearly 60 organizations, including SpaceX, Toyota and Ikea.

Driving the news: The Cyber Toufan hacking group said in its Telegram channel last week that it had "fulfilled our promises" of stealing and leaking data from companies supporting Israel over the last 30 days.

  • The group also dropped a 5.5 gigabyte file purportedly from a backend server connected to Israel's state payment gateway infrastructure.
  • The Record, a cybersecurity-focused publication, first reported on the group's claims. Several security researchers told The Record it appears the data the group leaked seemed legitimate.

Why it matters: Cyber Toufan hasn't stopped at stealing data — it's also wiping servers and causing damage inside organizations, researchers say.

  • The dump appears to include a slew of sensitive data, including complete server disk images, digital certificates and other information hackers can use to further extort these companies, according to security researcher Kevin Beaumont.

Details: Affected companies appear to include SpaceX, Toyota's Israel site, Ikea Israel, and a handful of government agencies, schools and even cybersecurity vendors, per Beaumont.

  • Cyber Toufan emerged in November, and the group, which researchers suspect is Iranian-linked, has been active on its Telegram channel ever since.
  • Some of Cyber Toufan's victims remain offline weeks after they were hit.

The big picture: As the war between Israel and Hamas continues, hackers have continued to target not only companies based in the region, but also companies in allied nations.

What's next: Cyber Toufan pledged in its Telegram post to keep targeting companies "so long as our brothers keep striking the occupying forces on the ground."

 
 
3. A precedent-setting ransomware arrest in China
Illustration of jail bars with a binary code lock

Illustration: Sarah Grillo/Axios

 

Four hackers were arrested in China in late November for using ChatGPT to develop ransomware, according to a report in the South China Morning Post on Friday.

Why it matters: The arrests are the first of their kind in China, and they could foreshadow a wave of similar cybercrime cases in 2024.

Details: The hackers admitted to using ChatGPT to help them write ransomware for an attack on an unidentified company in the city of Hangzhou, according to the SCMP and the state-run Xinhua News Agency.

  • The hackers demanded 20,000 Tether, a cryptocurrency stablecoin pegged to the U.S. dollar.

The big picture: Experts have warned that hackers are using ChatGPT to aid in their schemes, including ransomware and phishing.

  • So far, researchers have largely had to infer how criminals could be using the technology from their own experiments.
  • That's because it's difficult to prove when hackers are using AI chatbots to help them — unless the attackers admit to it themselves.

The intrigue: It's unclear if the China-based hackers are also facing charges for using ChatGPT, according to the SCMP.

  • Using OpenAI's chatbot falls in a legal gray area in China currently as the government restricts access to foreign generative AI products.

What we're watching: This is likely the first of many AI-related ransomware cases in 2024.

  • Expect this to be the year law enforcement and security researchers start to better understand how cybercriminals are utilizing commercially available AI tools.
 
 

A message from Axios

Your trusted source for policy news
 
 

Axios Pro: Policy takes you into the halls of Congress, with an insider's look at the Hill and everything happening.

Subscribe today.

 
 
4. Catch up quick

@ D.C.

👨🏻‍💻 Jeff Moss, founder of cyber conferences Black Hat and DEF CON, has become a go-to adviser for the Biden administration. (The Messenger)

🗳️ Arizona's secretary of state says the state is already preparing for a swarm of AI-created deepfake hoaxes to flood this year's election cycle. (Politico)

📈 Government officials say that 2023 may have been the worst year on record for ransomware attacks. (The Economist)

@ Industry

👔 The Wall Street Journal offers a guide to the cyber trends that executives should anticipate in 2024, including intensifying nation-state attacks and a tighter labor market. (Wall Street Journal)

@ Hackers and hacks

👾 Security researchers have developed and released a free tool that helps Black Basta ransomware victims recover their files, but Black Basta has since fixed the encryption flaw it relied on, so the tool won't work on files from newer attacks. (BleepingComputer)

👀 A resident of Oakland, California, details the identity fraud he's experienced since hackers stole his personal information during a ransomware attack last March. (ABC7)

💥 A look at some of the worst breaches, leaks, ransomware attacks, digital extortion incidents and state-sponsored campaigns of 2023. (Wired)

 
 
5. 1 fun thing
Screenshot of a tweet describing John Mayer at a cat cafe in Tokyo while Anderson Cooper laughs nonstop.

Screenshot: @RealBrittain/X

 

I'm never getting over this New Year's Eve interview with John Mayer while he's in a cat cafe in Tokyo.

  • I, too, would be cackling like Anderson Cooper.
 
 


 

☀️ See y'all Friday!

Thanks to Scott Rosenberg and Megan Morrone for editing and Khalid Adad for copy editing this newsletter.

If you like Axios Codebook, spread the word.

HQ
Are you a fan of this email format?
Your essential communications — to staff, clients and other stakeholders — can have the same style. Axios HQ, a powerful platform, will help you do it.
 

Axios thanks our partners for supporting our newsletters.
Sponsorship has no influence on editorial content.

Axios, 3100 Clarendon B‌lvd, Arlington VA 22201
 