
Security Now 1076: 21-Year-Old Malware Discovery, Bitwarden Supply Chain Attack, and Iranian Nuclear Facility Cyber Incident
This episode of Security Now covers several critical cybersecurity topics, beginning with the discovery of a sophisticated piece of malware called "Fast 16.sys." The malware, which had gone undetected for 21 years, predates Stuxnet by about five years and was found embedded in a Windows system driver. Security researchers stumbled on it by chance, revealing a highly advanced and stealthy operation. The driver, disguised as a legitimate system file, was designed to operate covertly within Windows 2000 and XP systems, and its ability to evade detection for over two decades shows an unprecedented level of sophistication. The discussion highlights how this malware likely originated from a nation-state actor, possibly the NSA, given its complexity and the resources required to develop and deploy it. The implications are significant: advanced persistent threats have been operating at a high level of sophistication for much longer than previously thought, which raises questions about the effectiveness of current defenses and the likelihood that similar undetected threats are still lurking in systems today.

The episode also delves into a supply chain attack targeting Bitwarden's command-line interface (CLI). The attack involved a compromised GitHub action in Bitwarden's continuous integration and continuous deployment (CI/CD) pipeline, which allowed malicious code to be inserted into the Bitwarden CLI package distributed via npm, a popular package manager for JavaScript. The malicious version of the package was designed to steal sensitive information such as GitHub tokens, SSH keys, environment variables, and cloud secrets, then exfiltrate this data to a domain impersonating Checkmarx, a cybersecurity company. Fortunately, the malicious package was only available for about 90 minutes before being removed, and no end users of Bitwarden were affected.
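One concrete control against the kind of compromised-action attack described above is to require that every third-party action a workflow pulls in is pinned to an immutable commit SHA rather than a mutable tag or branch. The following is an added example, not code from the episode or from Bitwarden; it audits a workflow file for unpinned `uses:` references, and the sample workflow, the trusted-owner list, and the placeholder SHA are all constructed for illustration.

```python
import re

# Assumed policy (constructed for this example): these owners are treated as
# first-party; every other owner is a third-party action.
TRUSTED_OWNERS = {"actions", "github"}
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"\s#]+)""")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def classify_ref(ref):
    """Classify a 'uses:' reference as local, sha (immutable), or mutable."""
    if ref.startswith("./"):
        return "local"
    if "@" not in ref:
        return "mutable"          # no version at all: floats to the default branch
    version = ref.rsplit("@", 1)[1]
    return "sha" if SHA_RE.match(version) else "mutable"

def audit_workflow(text):
    """Return (line_no, ref, reason) for every step not pinned to a commit SHA."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, kind = m.group(1), classify_ref(m.group(1))
        if kind in ("local", "sha"):
            continue
        party = "first-party" if ref.split("/", 1)[0] in TRUSTED_OWNERS else "third-party"
        findings.append((n, ref, f"{party} action on a mutable tag/branch; pin to a commit SHA"))
    return findings

# Constructed sample workflow; the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: release
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - uses: some-vendor/publish-npm@main
      - run: npm publish
"""

if __name__ == "__main__":
    for n, ref, reason in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {n}: {ref}: {reason}")
```

Pinning to a SHA only removes the mutable-reference path; the pinned commit still has to be reviewed, and a pipeline that publishes to npm should also scope its tokens so a compromised step cannot read unrelated secrets.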
This incident underscores the growing threat of supply chain attacks, where attackers target the development and distribution processes of software rather than the end users directly. The discussion emphasizes the need for better security practices in CI/CD pipelines, including stricter controls on third-party actions and more rigorous vetting of dependencies, and highlights the importance of monitoring and securing the software supply chain to prevent similar attacks in the future.

Another topic explored in the episode is the mysterious malfunction of networking equipment at an Iranian nuclear facility just before a US and Israeli missile strike. The equipment, which included routers from major vendors such as Cisco, Fortinet, Juniper, and MikroTik, failed simultaneously, raising suspicions of a coordinated cyberattack. The timing of the failures, combined with the fact that Iran was disconnected from the global internet at the time, suggests that the routers may have been pre-programmed to malfunction under specific conditions, possibly as part of a broader cyber warfare strategy. The incident illustrates the growing intersection of cyber and physical warfare, where cyberattacks can have direct real-world consequences such as disrupting critical infrastructure. The discussion also touches on the difficulty of attributing such attacks and on the broader implications for global cybersecurity, particularly in the context of state-sponsored operations.

The episode also covers Meta's decision to install monitoring software on its employees' systems to capture mouse movements, clicks, and keystrokes. The data collected is intended to train Meta's AI models, particularly in areas where AI struggles, such as replicating human interactions with user interfaces. While Meta claims the data will not be used for employee performance reviews, the move has raised concerns about privacy and the potential for misuse of such monitoring tools. The discussion explores the ethical and legal implications of workplace surveillance, particularly in an era where AI is increasingly being used to automate tasks traditionally performed by humans, and highlights the broader trend of companies leveraging employee data to improve AI systems, which could have significant implications for job security and workplace privacy.

Finally, the episode includes an update from Steve Gibson on his recent work to overhaul GRC's e-commerce system and the release of a new version of the DNS Benchmark tool. The e-commerce system has been redesigned to better accommodate different licensing models, including personal use and consultant licenses, with a new "gold badge" feature for users who purchase multiple licenses. The DNS Benchmark tool has been updated with a more user-friendly interface, including a prominent "Run Benchmark" button and a full Windows application menu to improve usability. The discussion highlights the importance of user feedback in refining software tools and the ongoing challenges of maintaining and updating legacy systems. It also serves as a reminder of the value of continuous improvement in software development, particularly in tools that are widely used by the cybersecurity community.