Today’s Topics:

• CISA Responds to Controversial ‘Airport Security Bypass’ Vulnerability
• U.S. Offers $10 Million for Info on Russian Cadet Blizzard Hackers Behind Major Attacks
• How can Netizen help?

CISA Responds to Controversial ‘Airport Security Bypass’ Vulnerability

In late August 2024, cybersecurity researchers Ian Carroll and Sam Curry revealed a potentially alarming security flaw within FlyCASS, a third-party web-based application utilized by smaller airlines as part of the Cockpit Access Security System (CASS) and Known Crewmember (KCM) programs. These programs play a critical role in enabling Transportation Security Administration (TSA) security officers to verify the identity and employment status of airline crewmembers, allowing pilots and flight attendants to bypass regular security screening procedures.

The disclosed vulnerability, an SQL injection flaw, could allegedly allow malicious actors to gain unauthorized access to the application’s administrative functions. With this access, attackers could manipulate the list of pilots and flight attendants associated with a participating airline. According to Carroll and Curry, they successfully added a fictitious employee to the database, highlighting the severity of the issue.

“Surprisingly, there is no further check or authentication to add a new employee to the airline. As the administrator of the airline, we were able to add anyone as an authorized user for KCM and CASS,” the researchers stated. They further warned that with basic knowledge of SQL injection, an attacker could theoretically bypass airport security screening and access the cockpits of commercial airliners.

The vulnerabilities were reported in April 2024 to several agencies, including the Federal Aviation Administration (FAA), ARINC (which operates the KCM system), and the Cybersecurity and Infrastructure Security Agency (CISA). In response, the FlyCASS service was swiftly disabled within the KCM and CASS systems, and the identified issues were patched.

However, the researchers expressed dissatisfaction with the disclosure process. While CISA acknowledged the issue initially, the researchers allege that communication from the agency abruptly ceased, leaving them without further updates. Additionally, they criticized the TSA for issuing what they described as “dangerously incorrect statements” regarding the vulnerability, denying the severity of the findings.

The TSA responded to the situation by downplaying the potential impact of the FlyCASS vulnerability. A TSA spokesperson emphasized that the flaw was not present in a TSA system and did not connect to any government infrastructure. The spokesperson assured that there was no impact on transportation security, and that the vulnerability had been promptly resolved by the third party responsible for the software.

“In April, TSA became aware of a report that a vulnerability in a third party’s database containing airline crewmember information was discovered and that through testing of the vulnerability, an unverified name was added to a list of crewmembers in the database. No government data or systems were compromised and there are no transportation security impacts related to the activities,” the spokesperson said.

Furthermore, the TSA clarified that they do not solely rely on the database in question for crewmember verification and have additional procedures in place to ensure security.

Initially silent on the matter, CISA has now issued a statement in response to inquiries. While the statement did not provide specific details about the potential impact of the vulnerabilities, CISA confirmed its awareness and involvement in addressing the issue.

“CISA is aware of vulnerabilities affecting software used in the FlyCASS system. We are working with researchers, government agencies, and vendors to understand the vulnerabilities in the system, as well as appropriate mitigation measures,” a CISA spokesperson stated. The agency also noted that it is actively monitoring for any signs of exploitation, though none have been observed to date.

The disclosure of the FlyCASS vulnerability has sparked a debate over the extent of its impact and the effectiveness of the response from the involved agencies. While the researchers who discovered the flaw warn of significant security risks, the TSA maintains that the vulnerability posed no immediate threat to transportation security. As CISA and other stakeholders continue to investigate, this incident serves as a reminder of the ongoing challenges in securing critical infrastructure against evolving cyber threats.

U.S. Offers $10 Million for Info on Russian Cadet Blizzard Hackers Behind Major Attacks

The U.S. government, along with a coalition of international partners, has officially linked a Russian hacking group known as Cadet Blizzard to the General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155).

“These cyber actors have been responsible for network operations targeting global entities for espionage, sabotage, and reputational damage since at least 2020,” the authorities said in a statement. “Since early 2022, their focus appears to be on disrupting efforts to provide aid to Ukraine.”

The attacks have primarily targeted critical infrastructure and key resource sectors, including government services, financial services, transportation, energy, and healthcare sectors across NATO member states, the European Union, Central America, and Asia.

The advisory, released last week as part of Operation Toy Soldier, is a coordinated effort involving cybersecurity and intelligence agencies from the U.S., the Netherlands, the Czech Republic, Germany, Estonia, Latvia, Ukraine, Canada, Australia, and the U.K.

Cadet Blizzard, also known as Ember Bear, FROZENVISTA, Nodaria, Ruinous Ursa, UAC-0056, and UNC2589, first gained attention in January 2022 for deploying the destructive WhisperGate (also known as PAYWIPE) malware against multiple Ukrainian organizations in the lead-up to Russia’s full-scale invasion.

In June 2024, Amin Timovich Stigal, a 22-year-old Russian national, was indicted in the U.S. for his role in carrying out destructive cyberattacks on Ukraine using wiper malware. However, WhisperGate is not exclusive to this group alone.

The U.S. Department of Justice (DoJ) has also charged five officers associated with Unit 29155 with conspiracy to commit computer intrusions and wire fraud conspiracy. These charges cover a wide range of targets, including Ukraine, the U.S., and 25 other NATO nations.

The five officers charged are:

• Yuriy Denisov (Юрий Денисов), a colonel in the Russian military and commanding officer of Cyber Operations for Unit 29155
• Vladislav Borovkov (Владислав Боровков), Denis Denisenko (Денис Денисенко), Dmitriy Goloshubov (Дима Голошубов), and Nikolay Korchagin (Николай Корчагин), all lieutenants in the Russian military assigned to Unit 29155 for cyber operations.

“The defendants acted to create panic among Ukrainian citizens regarding the security of their government systems and personal data,” according to the DoJ. “Their targets included systems and data with no military or defense roles. Later, they expanded to target countries providing aid to Ukraine.”

In conjunction with the indictment, the U.S. Department of State’s Rewards for Justice program has announced a reward of up to $10 million for information leading to the defendants’ locations or information about their cyber activities.

Unit 29155 has been implicated in numerous destabilizing activities across Europe, including attempted coups, sabotage, influence operations, and assassination plots. Since 2020, they have extended these efforts to offensive cyber operations aimed at espionage, reputational damage, and destruction of valuable systems.

According to the advisory, Unit 29155 is composed of junior GRU officers who collaborate with known cybercriminals and civilian enablers like Stigal to execute their missions. Their operations include website defacements, infrastructure scanning, data exfiltration, and leaking or selling sensitive data.

Their attack methods typically begin with scanning for known vulnerabilities in platforms like Atlassian Confluence Server and Data Center, Dahua Security, and Sophos’ firewall systems. After breaching a victim’s environment, they use tools like Impacket to facilitate post-exploitation and lateral movement, ultimately exfiltrating data to designated servers.

The advisory also mentioned that the group may have used the Raspberry Robin malware as an access broker. Another tactic involved targeting Microsoft Outlook Web Access (OWA) infrastructure with password spraying techniques to steal valid credentials.

Organizations are urged to take immediate action to reduce their vulnerability to such attacks. Recommendations include regular system updates, prompt remediation of known vulnerabilities, network segmentation to limit the spread of malicious activity, and implementing phishing-resistant multi-factor authentication (MFA) for all externally facing account services.

How Can Netizen Help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

Overview:

• Phish Tale of the Week
• Chinese APT Group Volt Typhoon Exploits Critical Versa Director Vulnerability
• NPD Breach Exposes Nearly 3 Billion: What You Need to Know
• How can Netizen help?

Phish Tale of the Week

Often times phishing campaigns, created by malicious actors, target users by utilizing social engineering. For example, in this SMS, the actors are appearing as an undisclosed company, offering remote jobs. The message tells us that a company is looking for multiple partners to join their team, and offers us the opportunity to contact them further for information on a remote job. It seems both urgent and genuine, so why shouldn’t we visit the link they sent us? Luckily, there’s plenty of reasons that point to this being a scam.

Here’s how we can tell not to click on this link:

1. The first warning sign for this SMS is the context in which it was sent. When I recieved this SMS, I immediately knew not to click on the link due to the fact that I did not recently inquire anywhere about any remote work; Real companies looking to recruit qualified employees would not reach out to numbers in this way. On top of that, it’s very apparent that this message was blasted out to random numbers: the message doesn’t even include my name or attempt to provide any level of familiarity that would convince me to click on their fake WhatsApp link.
2. The second warning signs in this email is the messaging. This message tries to create a sense of opportunity and urgency in order to get you to take action by using language such as “All you need is a computer to start working” and “If you are interested: please contact.” Phishing and smishing scams commonly attempt to create a sense of urgency/confusion in their messages in order to get you to click their link without thinking about it first. Always be sure to thoroughly inspect the style and tone of all texts before following a link or other attachment sent through SMS.
3. The final warning sign for this email is the wording. The grammar is strange and unprofessional, a real job offer or recruiter would not begin their email with “I’m Lauren and we’re currently looking for multiple partners to join our team,” without specifying where they work, or what the job entails. Additionally, the formatting of the word “WhatsApp” is incorrect, with dashes strewn throughout the messaging app’s name. All of these factors point to the above being a smishing text, and a very unsophisticated one at that.

General Recommendations:

A phishing attack will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via your text messages. 

1. Scrutinize your messages before clicking anything. Have you ordered anything recently? Does this order number match the one I already have? Did the message come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
2. Verify that the sender is actually from the company sending the message.
3. Did you receive a message from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc. A legitimate company will never ask for PII via instant message or email.
4. Do not give out personal or company information over the internet.
5. Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.

Many phishing messages pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.

Cybersecurity Brief

In this month’s Cybersecurity Brief:

Chinese APT Group Volt Typhoon Exploits Critical Versa Director Vulnerability

A serious vulnerability in Versa Director, identified as CVE-2024-39717, has been exploited by the Chinese advanced persistent threat (APT) group Volt Typhoon. This zero-day flaw, uncovered recently, has far-reaching consequences for organizations using Versa Director to manage their SD-WAN environments.

Versa Director is a key tool for managing network configurations in SD-WAN setups. The vulnerability affects its user interface customization feature, particularly the option to change the favicon. This feature, which lets users with high-level roles like Provider-Data-Center-Admin or Provider-Data-Center-System-Admin adjust the platform’s appearance, also permits the upload of files with a .png extension. Unfortunately, this extension can be easily exploited to hide malicious payloads as seemingly benign image files.

The core issue is that the platform does not rigorously validate these file uploads. As a result, authenticated users with administrative privileges can upload files that contain malware or backdoors. Once inside, attackers can leverage this access to infiltrate downstream networks, steal credentials, and carry out further malicious operations.

Given its potential impact, this vulnerability has been rated highly severe. CVE-2024-39717 carries a CVSS v2 base score of 8.3 and a CVSS v3 base score of 7.2, reflecting the substantial risk of data breaches and unauthorized access it poses.

Volt Typhoon, a state-sponsored hacking group from China, has taken advantage of this flaw to breach and compromise networks. Their campaign, which began in early June 2024, has primarily targeted Internet Service Providers (ISPs) and Managed Service Providers (MSPs). The group has used this exploit to deploy custom web shells and extract sensitive credentials, affecting several organizations within the ISP, MSP, and IT sectors.

Organizations using Versa Director should act quickly to address this vulnerability by updating to version 22.1.4 or later. It’s also crucial to review and strengthen security configurations and remain vigilant for any signs of compromise. By applying these updates and practices, organizations can reduce the risk of exploitation and safeguard their networks against ongoing threats.

To read more about this article, click here.

NPD Breach Exposes Nearly 3 Billion: What You Need to Know

In what’s shaping up to be one of the most staggering data breaches in history, nearly three billion people have had their personal information exposed. The breach targeted National Public Data (NPD), a background checking service run under the name Jerico Pictures. The breach became widely known after a class-action lawsuit surfaced in early August, raising serious concerns about the sheer scale of the incident.

The lawsuit claims that this massive breach happened during a cyberattack back in April, compromising the personal data of nearly three billion people. NPD and Jerico Pictures initially kept quiet, not confirming any details of the attack. However, by the end of August, NPD finally broke their silence, admitting on their website that a third party had gained unauthorized access to their data systems as early as December 2023. The data then leaked out between April and over the summer.

Before this breach, Yahoo’s 2013 incident held the record as the largest, affecting all 3 billion of its user accounts. That attack exposed things like names, email addresses, phone numbers, and birthdates, though luckily it didn’t include financial information. The NPD breach, however, is a different story. This time, far more sensitive information was leaked—Social Security numbers, mailing addresses, and other personal details.

NPD, which is based in Coral Springs, Florida, and owned by Jerico Pictures, specializes in gathering background information by scraping data from non-public sources. What makes this breach especially troubling is that many of those affected likely didn’t even realize NPD had their personal data in the first place.

The information that was leaked included names, email addresses, phone numbers, Social Security numbers, and physical addresses—basically everything a criminal would need to cause serious damage.

The breach came to the public’s attention after a lawsuit was filed accusing NPD of negligence and violating their duty to protect the data. The lead plaintiff, Christopher Hofmann, says he first found out about the breach on July 24, 2024, when his identity theft protection service alerted him that his personal information had popped up on the Dark Web as part of the “nationalpublicdata.com” breach.

According to the lawsuit, back on April 8, 2024, a criminal organization called “USDoD” posted a database titled “National Public Data” on a hacker forum named “Breached.” This database supposedly contained the personal details of nearly 2.9 billion people and was being sold for a jaw-dropping $3.5 million.

NPD’s breach notification has urged those affected to keep a close eye on their financial accounts. They’ve recommended obtaining free credit reports from Equifax, Experian, and TransUnion. Additionally, cybersecurity company Pentester has set up a tool at npd.pentester.com that allows individuals to check if their data was part of the breach. By entering your name and birth year, you can see a list of breached accounts and even the last four digits of the exposed Social Security numbers.

While it’s impossible to undo the breach, there are steps you can take to reduce your vulnerability to identity theft. Many people are turning to identity theft protection services, which offer account monitoring and restoration support. Though these services can’t prevent breaches from happening, they can be invaluable in helping you respond quickly if your information is misused.

Netizen recommends these key steps to safeguard your information:

• Sign up for credit monitoring that works around the clock.
• Turn on two-factor authentication for your online accounts.
• Be wary of unsolicited requests for personal information.
• Regularly check your bank statements for suspicious activity.
• Use a PIN when verifying debit card purchases.
• Consider placing a fraud alert on your credit file, which alerts creditors to confirm your identity before approving new accounts.

For further details on this breach, Netizen’s Monday Security Brief from August 12th covers it more extensively.

Another option is to freeze your credit. This step can prevent third parties from accessing your credit report, adding another layer of protection. It does require you to use a PIN for any changes to your credit status, but it can be a valuable tool, especially after a breach of this size.

While we can’t always control how third-party companies manage our personal data, we can take proactive steps to protect ourselves from the consequences of their mishandling.

To read more about this article, click here.

How Can Netizen Help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

Today’s Topics:

• FBI Lapses in Securing Sensitive Storage Media Exposed by OIG Audit
• Pavel Durov Arrested: French Police Target Telegram’s Content Oversight Issues
• How can Netizen help?

FBI Lapses in Securing Sensitive Storage Media Exposed by OIG Audit

The FBI’s handling of sensitive and classified electronic storage media has recently come under scrutiny, according to an audit by the Department of Justice’s Office of the Inspector General (OIG). The report reveals several critical weaknesses in the FBI’s procedures for managing decommissioned storage devices, such as hard drives and thumb drives, which contain both sensitive but unclassified information and classified national security information (NSI).

The audit found that once these devices were removed from computers marked for destruction, they were often left unaccounted for and improperly stored. In some instances, internal hard drives from Top Secret systems were kept on pallets in shared spaces for extended periods, without proper oversight or protection.

The OIG’s investigation highlighted a significant issue: the FBI personnel failed to properly label and track these storage devices after their removal. While computers were labeled with appropriate classification markings, the extracted storage media were often left as standalone items without any indication of their classification level. This lack of labeling and accountability created substantial risks, making it challenging to verify whether these devices had been destroyed or accessed by unauthorized individuals.

At the facility where these storage devices were meant to be destroyed, there were major gaps in physical security. Media that was marked as non-accountable—those removed from sensitive systems—was stored on a pallet with torn wrapping in a shared workspace accessible to nearly 400 personnel. This facility also housed other FBI operations, including logistics and IT equipment fulfillment, which further complicated security measures. Contractors from at least 17 companies and FBI task force officers had access to the facility, adding to the security concerns.

The OIG report revealed that the FBI could not account for whether any devices had been removed from the unsecured pallets. Both FBI supervisors and contractors admitted that no process was in place to track or monitor the media after extraction.

Furthermore, the audit pointed out deficiencies in the FBI’s procedures for securing electronic media before destruction. According to the Open-Storage Secure Areas, Closed-Storage Secure Areas, and Controlled Unclassified Areas Policy Guide (1264PG), FBI personnel are required to follow a clean desk policy and store classified materials in locked containers at the end of each day. However, the audit found that these standards were not consistently followed.

In response to the OIG’s concerns, the FBI stated that they would start storing unsanitized hard drives and solid-state drives (SSDs) in a secure cage within the facility until they could be processed properly. Despite this commitment, the OIG noted during follow-up visits in early 2024 that additional security measures, such as a new camera system, had been delayed. As of June 2024, the FBI was still working on obtaining a waiver to install video surveillance at the facility.

To address these vulnerabilities, the OIG has provided the FBI with several recommendations to improve its control over the storage and disposal of electronic media. These include:

• Revising procedures to ensure that all storage media containing sensitive or classified information are properly accounted for, tracked, and sanitized before destruction.
• Implementing measures to clearly mark electronic storage media with the appropriate classification level, in line with FBI and DOJ policies.
• Enhancing physical security controls at facilities where media is stored and processed, to prevent loss or theft.

The audit underscores the need for the FBI to strengthen its procedures for managing sensitive storage media, particularly at facilities where media is destined for destruction. With nearly 400 individuals having access to the facility and media being left unsecured for long periods, the risk of unauthorized access or loss is significant.

The OIG continues its broader audit of FBI contracts and procedures and is urging the FBI to take immediate action to safeguard its electronic storage media. The FBI has been asked to provide an update on its response to the recommendations within 90 days.

For more information or questions about the audit, the OIG encourages contacting Michael E. Horowitz, Inspector General, or Jason R. Malmstrom, Assistant Inspector General for Audit, at the DOJ.

Pavel Durov Arrested: French Police Target Telegram’s Content Oversight Issues

In a notable turn of events for digital privacy and cybersecurity, Pavel Durov, the founder and CEO of Telegram, has been arrested in France. The arrest, reported by French television network TF1, stems from a warrant related to an ongoing investigation into Telegram’s content moderation practices.

The focus of the investigation is Telegram’s alleged failure to properly moderate content on its platform, which has reportedly facilitated a range of criminal activities. These include drug trafficking, child exploitation, money laundering, and fraud. Critics argue that Telegram’s lax approach to content moderation has enabled it to become a significant hub for criminal enterprises.

Guardio Labs, a cybersecurity firm, has raised alarms about Telegram’s role in the criminal ecosystem. A recent report from the firm describes Telegram as a thriving platform where cybercriminals trade tools and data. “This messaging app has become a major conduit for seasoned and emerging cybercriminals, enabling them to exchange illicit tools and victims’ data,” the report states.

Telegram, which is headquartered in Dubai, has over 950 million monthly active users as of July 2024. The app has recently expanded its features, including an in-app browser and a Mini App Store, positioning itself as a multifunctional super app similar to Tencent’s WeChat.

Durov was apprehended at Paris’ Bourget Airport upon arriving from Azerbaijan. French law enforcement, including the Gendarmerie des Transports Aériens (GTA) and the Office National Antifraude (ONAF), detained him. The arrest warrant was issued by the Office des Mineurs (OFMIN), a branch of the French National Police’s judicial direction, due to allegations that Telegram’s lack of effective moderation made Durov complicit in the crimes facilitated through the app.

Authorities suspect that Durov’s alleged failure to cooperate with law enforcement, along with his provision of tools such as disposable phone numbers and cryptocurrencies, contributed to serious crimes like drug trafficking, child exploitation, and fraud. “Durov made a critical error by entering France knowing he was a person of interest,” a source close to the investigation commented.

The arrest marks a significant moment in the global effort to hold tech platforms accountable for criminal activities conducted through their services. The case not only aims to disrupt the criminal networks utilizing Telegram but also seeks to spur European countries towards greater cooperation in combatting cybercrime.

Telegram, known for its robust encryption and capacity for large, private groups, has faced criticism for its role in criminal activities. “Telegram has emerged as a platform of choice for organized crime,” an investigator noted, underscoring concerns about its use in the distribution of banned content and coordination of criminal activities.

As the investigation progresses, the impact of this high-profile case on future regulatory measures for digital platforms and their responsibility in content moderation remains to be seen.

How Can Netizen Help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.