Kansas City Hacking Indictment, ProjectSend Zero-Day & The Greyt Migreytion

Forecast: Visibility is low with a 43% chance of extended response times. Heavy downpours of healthcare vulnerabilities dominate, with brief breaks of exploit intelligence. ‍ In this week's episode of GreyNoise Storm⚡️Watch, we kick things off with our regular roundtable introductions before diving into some intriguing poll results about cybersecurity metrics. The community weighed in heavily on what drives action in their organizations, with Mean Time to Respond leading the pack at 43% of votes, followed by Mean Time to Detect at 28%. Notably, system patching status came in third at 26%, while the tongue-in-cheek option about whiskey levels in the team liquor cabinet garnered a surprising 13% of responses. The crew then gathers round the Festivus pole to channel their inner George Costanza's as they each air their grievances — cyber and possibly otherwise — from the past year. So many things were busted in 2024 that we're shocked we kept the episode under four hours. The episode features a crucial discussion on practical OPSEC fundamentals, particularly focusing on executive protection challenges. We explore how predictable movement patterns and excessive public information exposure can create security vulnerabilities. The conversation covers everything from website vulnerabilities to social media risks, emphasizing the importance of consistent security protocols and information control strategies. Healthcare cybersecurity takes center stage as we discuss recent research presented at the Health-ISAC Fall Americas Summit, courtesy of our friends at Censys. We also dig into VulnCheck's comprehensive analysis of Known Exploited Vulnerabilities for 2024, along with essential insights on exploit intelligence and vulnerability prioritization. The show wraps up with a look at the results of platform improvements since GreyNoise's "Greyt Migreytion". Storm Watch Homepage >> Learn more about GreyNoise >>  

Forecast: Strong vulnerability management systems roll in, with scattered threat hunting ahead. Brace for ProjectSend exploits and turbulence near Kansas City. ‍ In this episode of Storm⚡️Watch, we explore crucial cybersecurity trends and breaking developments across the industry. Our recent community poll revealed fascinating insights into resource allocation priorities, with Vulnerability Management and Patching emerging as the clear frontrunner, chosen by half of respondents. Threat Intelligence and Hunting secured the second spot with 27.3% of votes, while Security Awareness and Incident Response capabilities tied for third place. Breaking news from Kansas City highlights a significant cybersecurity incident with a federal indictment for computer hacking, demonstrating the ongoing challenges in cybercrime enforcement. Meanwhile, the cybersecurity community continues to experience shifts in social media dynamics, particularly noting the ongoing migration of cyber professionals from X (formerly Twitter) to alternative platforms. Censys has made waves with their latest release of Censeye, an innovative automated hunting tool now available to the security community. This development arrives alongside VulnCheck's critical discovery of CVE-2024-11680, a ProjectSend vulnerability currently being exploited in the wild, emphasizing the importance of rapid threat detection and response. The GreyNoise team shares exciting news about "The Greyt Migreytion," heralding the rollout of their new global observation grid, a game-changing advancement in threat detection and response. Storm Watch Homepage >> Learn more about GreyNoise >>  

Forecast: Stormy skies with APT28's Wi-Fi exploits and rough seas in the Baltics as undersea cables are mysteriously cut. ‍ In this episode of Storm⚡️Watch, we review the fascinating poll results that reveal communication with non-technical leaders as the most undervalued skill in modern security, garnering 220 votes across three social media platforms and significantly outpacing other critical abilities like incident report writing, OSINT, and threat hunting. The crew then examines a groundbreaking cyber attack technique dubbed the "Nearest Neighbor Attack," executed by Russian APT28. This sophisticated operation allowed attackers to breach a U.S. organization's network by exploiting nearby Wi-Fi networks through a series of calculated steps, including password spraying and compromising adjacent organizations. The attack, occurring just before Russia's invasion of Ukraine, showcases a novel vector that combines the advantages of physical proximity with remote operation capabilities. Maritime security takes center stage as we explore two major undersea cable cuts in the Baltic Sea this November. The BSC East-West Interlink between Sweden and Lithuania and the C-Lion1 connecting Finland and Germany were severed, causing notable network latency increases. A Chinese vessel, Yi Peng 3, has drawn attention in the investigation, with German Defense Minister Boris Pistorius suggesting these incidents were deliberate hybrid actions rather than accidents. We round out the episode with updates from our respective organizations, including Censys's 2024 State of the Internet Report, VulnCheck's analysis of CISA's top exploited vulnerabilities, and GreyNoise's latest insights on critical infrastructure risks and technical challenges involving null bytes. Storm Watch Homepage >> Learn more about GreyNoise >>  

Forecast: High pressure systems of infrastructure attacks continues to build over U.S. utilities with scattered exploitation attempts, while the vulnerability forecast shows increasing cloudiness around CPE data availability. ‍ In today's episode, we're diving into network fingerprinting and vulnerability management with some fascinating developments in the cybersecurity landscape. Our featured guest is John Althouse, the creator of JA4+, who has developed an innovative suite of network fingerprinting methods that's making waves in threat detection. JA4+ builds on previous fingerprinting techniques but takes things further with human-readable formats and enhanced detection capabilities. John's work comes at a critical time, as we've seen an uptick in zero-day exploits targeting enterprise networks throughout 2023. The latest CISA report highlights how threat actors are becoming more sophisticated in their approaches, particularly in exploiting vulnerabilities before patches can be deployed. Speaking of vulnerabilities, we've got some concerning news about critical infrastructure security. Recent findings have exposed potential vulnerabilities in around 300 U.S. drinking water systems, highlighting the ongoing challenges in protecting our essential services. This ties directly into the importance of tools like JA4+ for detecting and preventing unauthorized access to critical systems. We're also discussing an interesting development in vulnerability management - VulnCheck's NVD++ initiative. They're outpacing NIST's National Vulnerability Database by providing CPE data for nearly 77% of CVEs published in 2024, compared to NIST's 41%. This is particularly relevant given the recent disruption in CPE data availability from the NVD. Throughout our conversation, we'll explore how these developments intersect and what they mean for the future of cybersecurity, especially in protecting critical infrastructure and managing vulnerabilities effectively. John's insights on JA4+ and its applications in real-world threat detection scenarios are particularly valuable as organizations face increasingly sophisticated cyber threats. Storm Watch Homepage >> Learn more about GreyNoise >>  

Forecast: CYBER WEATHER ALERT | Volt Typhoon bringing sustained APT activity across the Pacific Rim. Expect persistent perimeter probing with a 100% chance of state-sponsored shenanigans. Pack your EDR umbrella! ‍ This week's episode tackles a disturbing story from Disney World where a terminated employee allegedly hacked into their menu system to alter critical peanut allergy information. We dig into the attack details then don our tin-foil hats to explore the potential real-world consequences of malicious insider threats. We're excited to share Sophos' latest research on Pacific Rim, an extensive investigation into nation-state adversaries targeting edge devices. We hone in on this event through the filter of GreyNoise's analysis of this multi-year APT campaigns, and show you live threat data through the GreyNoise Visualizer to demonstrate the ongoing nature of these attacks. VulnCheck brings us two fascinating pieces - a deep examination of ABB vulnerabilities affecting industrial control systems, and an innovative new command-and-control feature called ShellTunnel in the go-exploit framework. GreyNoise has been especially busy, uncovering zero-day vulnerabilities in live streaming cameras using AI assistance. We'll discuss their technical breakdown of CVE-2024-8956 and CVE-2024-8957, which CISA just added to their Known Exploited Vulnerabilities catalog. The October NoiseLetter is out with the latest threat intelligence insights, and don't miss upcoming events including the Quarterly Roadmap Showcase and a special webinar on discovering zero-days with AI. Storm Watch Homepage >> Learn more about GreyNoise >>  

Forecast = Expect severe disruptions in transit security, with a chance of clearer skies as the White House pushes for smoother collaboration with cybersecurity researchers. Transport for London’s Cybersecurity Crisis\ Transport for London (TfL) has found itself in a cybersecurity “trainwreck,” facing a range of vulnerabilities and management issues that have exposed its infrastructure to significant risk. An investigation reveals a series of failures, from outdated systems to neglected security protocols, painting a chaotic picture of public infrastructure’s readiness against cyber threats. With passengers’ data and critical operations potentially at stake, this story highlights the growing urgency for improved cybersecurity measures in public sector systems. White House Endorsement of Cybersecurity Researcher Collaboration In a significant policy shift, the White House has endorsed a more collaborative approach with cybersecurity researchers, aiming to bolster national defenses against growing cyber threats. This endorsement includes support for responsible disclosure practices and partnerships that could help expedite vulnerability identification and mitigation across industries. By actively promoting collaboration, the administration signals a move toward a more unified and proactive stance on national cybersecurity, recognizing the essential role of researchers in safeguarding critical infrastructure and public safety. CVE’s 25th Anniversary Report Celebrating 25 years, the Common Vulnerabilities and Exposures (CVE) program reflects on its progress in tracking and cataloging cybersecurity threats, becoming a cornerstone in the fight against vulnerabilities. The anniversary report not only emphasizes milestones in vulnerability identification and mitigation but also considers how the program must evolve to meet emerging challenges as cyber threats grow more sophisticated. With an eye on improving its database and keeping pace with the expanding threat landscape, CVE aims to continue being an essential resource for the cybersecurity community. CVE-2024-47575 Vulnerability as Flagged by Censys Censys has flagged CVE-2024-47575 as a serious vulnerability affecting systems reliant on outdated cryptographic protocols, specifically impacting certain SSL/TLS implementations. This vulnerability poses a risk to data integrity and confidentiality, enabling potential attackers to intercept or alter sensitive information in transit. The case of CVE-2024-47575 underscores the need for organizations to update and secure their cryptographic practices to avoid exposure to similar vulnerabilities.   Storm Watch Homepage >> Learn more about GreyNoise >>  

Forecast = Turbulent conditions persist as major platforms face relentless attacks, with data breaches and DDoS storms threatening critical infrastructure and digital archives ‍ In this episode of Storm⚡️Watch, we wade into several significant cybersecurity incidents and updates. First, The American Water attack has raised concerns about the vulnerability of critical infrastructure, with potential implications for military services and water supply systems across the United States. We'll explore the details of this cyberattack and its broader impact on national security. The Internet Archive, a vital resource for digital preservation, has been facing a series of relentless attacks. We'll discuss the ongoing distributed denial-of-service (DDoS) attacks that have disrupted services, as well as a major data breach affecting 31 million users. Our conversation will cover the challenges of protecting such a vast repository of information and the potential motivations behind these persistent assaults on the "Wayback Machine" and other Archive services. On the tools and intelligence front, we'll highlight Censys' new CVE search feature, which promises to enhance vulnerability management for security professionals. We'll also discuss GreyNoise's latest analysis of Russian cyber threats, revealing that 9 out of 12 vulnerabilities tracked by GreyNoise from a recent U.S. and UK advisory are currently being actively probed. Additionally, we'll touch on GreyNoise's upcoming Quarterly Roadmap Showcase, offering listeners a glimpse into future developments. Lastly, we'll examine the recently disclosed ScienceLogic vulnerability, which has been added to CISA's Known Exploited Vulnerabilities catalog. This zero-day flaw has been linked to a breach at Rackspace, underscoring the critical nature of prompt patching and the ongoing challenges in securing third-party utilities. Join us as we break down these crucial cybersecurity stories and their implications for the digital world. Storm Watch Homepage >> Learn more about GreyNoise >>  

Forecast = Healthcare and telecom under stormy skies—watch for cyber squalls and gusts of disinformation In this episode of Storm⚡️Watch, we dive into the world of cybersecurity with a focus on healthcare and telecommunications. We kick things off with a look at the current state of Internet of Healthcare Things (IoHT) exposures on public-facing networks. A recent study by Censys revealed some alarming findings about the security of DICOM servers, which are used for storing and transmitting medical images. With over 3,800 publicly exposed servers and data from 59 million patients at risk, it's clear that the healthcare industry needs to step up its cybersecurity game. We then shift gears to discuss a major cybersecurity incident involving Chinese hackers who managed to compromise wiretap systems of major U.S. telecom and internet providers. This breach is directly linked to the Communications Assistance for Law Enforcement Act (CALEA), a 30-year-old federal law that has long been criticized by security experts. The incident raises important questions about the balance between government surveillance needs and cybersecurity concerns. For those interested in staying up-to-date with the latest vulnerability intelligence, we highlight recent blog posts from VulnCheck, including their KEV Report and Initial Access Intelligence for September 2024. We also touch on GreyNoise's latest blog post about protecting democracy from the growing threat of deepfakes and disinformation. As always, we wrap up the episode with our "We Need to Talk About KEV" segment, where we discuss the latest additions to CISA's Known Exploited Vulnerabilities catalog. This roundup helps listeners stay informed about the most critical vulnerabilities that require immediate attention. Storm Watch Homepage >> Learn more about GreyNoise >>  

Forecast = 50% chance of unexpected software installations followed by scattered UDP packet sprays. ‍ In this episode of Storm⚡️Watch, we follow up on the intriguing 'Noise Storms' that had the cybersecurity community buzzing. Security researcher David Schuetz has made some fascinating discoveries about these mysterious ping packets flooding the internet. His investigation, detailed at darthnull.org/noisestorms/, takes us on a journey through packet analysis, timestamp decoding, and network protocol deep-dives, offering new perspectives on the potential origins of those enigmatic 'LOVE' packets. Our Cyberside Chat segment dives into the recent CUPS daemon vulnerability, exploring the implications of this daft uncoordinated disclosure. We'll break down the details provided by Censys in their analysis of the Common Unix Printing Service vulnerabilities. In our Cyber Focus segment, we discuss the surprising news about Kaspersky antivirus software deleting itself and installing UltraAV and other bits of code without warnings. We'll also highlight some recent blog posts from Censys, VulnCheck, and GreyNoise. These articles cover topics ranging from Fox Kitten infrastructure analysis to securing internet-exposed industrial control systems, and even delve into phishing tactics targeting election security. Our "We Need to Talk About KEV" segment rounds up the latest additions to CISA's Known Exploited Vulnerabilities catalog, keeping you informed about the most critical security issues to address. Storm Watch Homepage >> Learn more about GreyNoise >>  

Forecast = Expect heavy BTLE storms with a high chance of UUID leaks. Pack your Faraday umbrellas and watch out for rogue packets raining from the cloud. ‍ On this episode of Storm⚡️Watch, we're diving into some major cybersecurity developments that have been making waves. We'll start by unpacking the ongoing saga of the Columbus, Ohio cyberattack, which has turned into a complex web of legal battles, data leaks, and questions about municipal cybersecurity preparedness. We'll explore how this incident is affecting the city's tech aspirations and what it means for residents' data security. Next, we're excited to bring you our Cyberside Chat, where we'll be discussing a fascinating topic: BLUUID. We'll explore how Bluetooth vulnerabilities are impacting everything from insulin pumps to firewalls. We'll break down the technical details of extracting BTLE UUIDs from Android APK files and how this process can be used to identify devices. We'll also delve into some serious vulnerabilities discovered in Firewalla firewall products, including potential remote code execution risks. As always, we'll be sharing some of our recent work in the cybersecurity field. We've got some intriguing analyses from Censys, including a deep dive into Fox Kitten infrastructure and a challenging look at securing internet-exposed industrial control systems. VulnCheck has been busy too, with a new blog post about the Flax Typhoon botnet. And don't miss our GreyNoise blog, where we're questioning assumptions about ICS security. We'll wrap up with our regular "We Need to Talk About KEV" segment, where we'll round up the latest additions to CISA's Known Exploited Vulnerabilities catalog. It's a packed episode that you won't want to miss, so tune in to stay on top of the latest in the world of cybersecurity. Storm Watch Homepage >> Learn more about GreyNoise >>