CyberWire Daily - A new Mirai-based botnet.

Episode Date: January 8, 2025

Researchers ID a new Mirai-based botnet. Android devices get their first round of updates for the new year. Criminals exploit legitimate Apple and Google services in sophisticated voice phishing attacks. Japan attributes over 200 cyberattacks to the Chinese hacking group MirrorFace. A PayPal phishing scam exploits legitimate platform functionality. SonicWall addresses critical vulnerabilities in its SonicOS software. CISA warns of active exploitation of vulnerabilities in Mitel MiCollab. A new government-backed labelling program hopes to help consumers choose more secure devices. On today’s CertByte segment, Chris Hare and Steven Burnley unpack a question from N2K’s ISC2® Certified in Cyber Security (CC) Practice Test. Streaming license plate readers - no password required.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CertByte Segment

Welcome to CertByte! This bi-weekly segment is hosted by Chris Hare, a content developer and project management specialist at N2K. In each segment, Chris is joined by an N2K Content Developer to help illustrate the learning. This week, Chris is joined by Steven Burnley to break down a question targeting the CC - Certified in Cyber Security certification by ISC2®. Today’s question comes from N2K’s ISC2® Certified in Cyber Security (CC) Practice Test. The CC(SM) - Certified in Cyber Security is an entry-level, ANAB-accredited exam geared towards anyone who wants to prove their foundational skills, knowledge, and abilities. To learn more about this and other related topics under this objective, please refer to the following resource: ISC2 (n.d.). https://www.isc2.org/landing/cc-etextbook

Have a question that you’d like to see covered? Email us at certbyte@n2k.com.
If you're studying for a certification exam, check out N2K’s full exam prep library of certification practice tests, practice labs, and training courses by visiting our website at n2k.com/certify. To get the full news to knowledge experience, learn more about our N2K Pro subscription at https://thecyberwire.com/pro.

Please note: The questions and answers provided here, and on our site, are not actual current or prior questions and answers from these certification publishers or providers. Additional source: https://www.isc2.org/certifications/cc

Selected Reading
New Mirai Botnet Exploits Zero-Days in Routers and Smart Devices (Infosecurity Magazine)
First Android Update of 2025 Patches Critical Code Execution Vulnerabilities (SecurityWeek)
A Day in the Life of a Prolific Voice Phishing Crew (Krebs on Security)
Japan links Chinese hacker MirrorFace to dozens of cyberattacks targeting security and tech data (AP News)
Casio says hackers stole personal data of 8,500 people during October ransomware attack (TechCrunch)
New PayPal Phishing Scam Exploits MS365 Tools and Genuine-Looking Emails (Hackread)
Multiple Sonicwall VPN Vulnerabilities Let Attackers Bypass Authentication (Cyber Security News)
CISA Warns of Mitel MiCollab Vulnerabilities Exploited in Attacks (SecurityWeek)
New Labels Will Help People Pick Devices Less at Risk of Hacking (SecurityWeek)
Researcher Turns Insecure License Plate Cameras Into Open Source Surveillance Tool (404 Media)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence.
© N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Researchers ID a new Mirai-based botnet. Android devices get their first round of updates for the new year. Criminals exploit legitimate Apple and Google services in sophisticated voice phishing attacks. Japan attributes over 200 cyber attacks to the Chinese hacking group MirrorFace.
Starting point is 00:02:20 A PayPal phishing scam exploits legitimate platform functionality. SonicWall addresses critical vulnerabilities in its SonicOS software. CISA warns of active exploitation of vulnerabilities in Mytel MyCollab. A new government-backed labeling program hopes to help consumers choose more secure devices. On today's CertByte segment, Chris Hare and Stephen Burnley unpack a question from N2K's ISC2 Certified in Cybersecurity practice test. And streaming license plate readers. No password required. It's Wednesday, January 8th, 2025. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thank you for joining us here once again today.
Starting point is 00:03:24 Great to have you with us. Security researchers have identified a new Mirai-based botnet, offensively named GayFemBoy, which uses zero-day exploits to target industrial routers and smart home devices. Discovered by Qui-AnxinXLab in February of 2024, the botnet evolved from a standard Mirai variant to a sophisticated threat. It exploits over 20 vulnerabilities, including a zero-day flaw in four-faith routers and unassigned vulnerabilities in Niterbit routers and Vimar home devices. and Weimar home devices. With about 15,000 active IPs across China, Russia, the U.S., Iran, and Turkey, the botnet launches frequent DDoS attacks, peaking in late 2024. Its targets span multiple sectors, and even XLAB researchers were attacked after registering command and control domains for analysis.
Starting point is 00:04:32 Lacking DDoS mitigation, XLab eventually ceased their investigation to avoid further disruptions. Google has released its first Android security updates for 2025, addressing 36 vulnerabilities, including five critical remote code execution bugs in the system component. The update, split into two parts, begins with fixing 24 issues in Android's framework, media framework, and system components. The critical RCE flaws affect Android versions 12 through 15. The second patch resolves an additional 12 vulnerabilities in imagination technologies, media tech, and Qualcomm components, covering all 36 flaws. Google also patched a critical RCE bug in Pixel Devices' baseband subcomponent. While there's no evidence of exploitation in the wild, Google urges users to update promptly.
Starting point is 00:05:30 Android Automotive OS and Wear OS devices will also receive patches. Cybercriminals are exploiting legitimate Apple and Google services in sophisticated voice phishing attacks, as revealed by Krebs on security. These scammers trick users into believing they're interacting with Apple or Google by sending notifications, emails, and account recovery prompts using spoofed identities. One case involved a cryptocurrency investor who lost $4.7 million after scammers used Google Assistant and fake recovery emails to deceive him. The scammers leveraged Apple's support line to generate legitimate account confirmation prompts, reinforcing their authenticity. A leaked phishing panel video demonstrates how scammers tricked a musician into revealing his Apple credentials. A phishing group dubbed Crypto Chameleon also targeted cryptocurrency exchanges and high-profile individuals,
Starting point is 00:06:28 including billionaire Mark Cuban, who lost $43,000 in crypto. These groups rely on leaked data, phishing kits, and tools like autodoxers to refine targets. Despite their innovation, internal betrayal and law enforcement remain persistent threats to these criminal operations. Japan has attributed over 200 cyberattacks since 2019 to the Chinese hacking group Mirror Face, targeting national security and advanced technology data. The attacks focused on the foreign and defense ministries, the space agency, and private sector entities using tactics like phishing emails referencing geopolitical topics and exploiting VPN vulnerabilities. Notable incidents include breaches at JAXA and disruptions
Starting point is 00:07:19 at Nagoya's port and Japan Airlines. Experts urge Japan to strengthen cybersecurity as it enhances defense cooperation with the U.S. and allies. Elsewhere in Japan, Casio confirmed a ransomware attack in October compromised the personal data of nearly 8,500 individuals, including 6,500 employees, 1,900 business partners, and 91 customers. Data exposed included names, email addresses, and sensitive information like taxpayer IDs and birthdates. The Russia-linked underground ransomware gang claimed responsibility, stealing over 200 gigabytes of data. Casio attributed the breach to phishing and declined to negotiate with the attackers. While most systems are restored, some services remain offline.
Starting point is 00:08:13 No credit card data was compromised. Fortinet's FortiGuard Labs has uncovered a sophisticated PayPal phishing scam exploiting legitimate platform functionality. Scammers use genuine-looking emails with valid sender addresses to direct users to PayPal's login page under the guise of investigating a payment request. The attack leverages a Microsoft 365 test domain and distribution lists to send legitimate PayPal money requests, bypassing traditional phishing checks through Microsoft 365's sender rewriting scheme. Victims unknowingly link their PayPal accounts to the scammers, granting attackers potential control over finances.
Starting point is 00:09:00 Unlike traditional phishing, this scam uses authentic emails and URLs, making detection harder. Fortinet's CISO Carl Windsor emphasized the need for vigilance, urging users to verify URLs, avoid unsolicited links, and enable two-factor authentication. The scam highlights the critical role of cybersecurity awareness in protecting against increasingly sophisticated attacks. SonicWall has issued a security advisory addressing four critical vulnerabilities in its SonicOS software, affecting various firewall models and cloud platforms. These include a weak pseudo-random number generator, improper authentication in SSL VPN, a server-side request forgery flaw, and privilege escalation in Gen7 cloud platforms. With CVSS scores ranging from 6.5 to 8.2, these vulnerabilities could allow attackers to bypass authentication,
Starting point is 00:10:03 escalate privileges, or establish unauthorized connections. SonicWall urges immediate updates and limiting SSL VPN and SSH management access to trusted sources. No exploitation in the wild has been reported. CISA has warned of active exploitation of two vulnerabilities in Mitel MyCollab. The first, a critical path traversal flaw with a CVSS of 9.8. The second, a low severity issue with a score of 2.7. The critical bug allows unauthorized administrative actions, while the low severity flaw requires admin credentials and cannot modify files or
Starting point is 00:10:46 escalate privileges. Mitel addressed the critical flaw and mitigated the other in MyCollab version 9.8 SP2. CISA urges organizations to patch by January 28th per federal mandates to mitigate potential risks. The U.S. government is launching the Cyber Trustmark Initiative, a voluntary labeling program to help consumers identify smart devices with robust cybersecurity protections. Devices like baby monitors, security cameras, fitness trackers, and smart appliances can carry the label if they meet federal cybersecurity standards. The label includes a shield logo and QR code for detailed security information, such as whether manufacturers provide software updates. Major brands like Amazon, Google,
Starting point is 00:11:38 and Samsung are participating with labeled products expected later this year. The initiative, with labeled products expected later this year. The initiative, led by the FCC and inspired by the Energy Star program, aims to inform consumers while encouraging manufacturers to improve device security. With the average home containing 21 connected devices, this program seeks to reduce vulnerabilities that cybercriminals could exploit. Coming up after the break on today's CertByte segment, Chris Hare and Stephen Burnley unpack a question from N2K's ISC2 Certified in Cybersecurity Practice Test. And streaming license plate readers. No password required.
Starting point is 00:12:27 Stay with us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist.
Starting point is 00:13:08 Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. It's time for our recurring CertByte segment, and in today's edition, N2K's Chris Hare teams up with Steven Burnley to unpack a question from N2K's ISC2 Certified in Cybersecurity practice test.
Starting point is 00:14:53 Hi, everyone. It's Chris. I'm a content developer and project management specialist here at N2K Networks. I'm also your host for this week's edition of CertByte, where I share a practice test question from our suite of industry-leading content and a study tip to help you achieve the professional certifications you need to fast-track your career growth in IT, cybersecurity, and project management. Today's question targets the ISE2 Certified in Cybersecurity or CC exam, which launched on August 31st, 2022. This exam is targeted for those candidates who are college students or grads, IT professionals, or career changers wanting to pivot to the cybersecurity industry. ISC2 also reports that their members earn 35% higher salaries than non-members. I have a new guest host here to help us out today, Steven, who is our resident ISE2 expert. Welcome, Steven. How are you today?
Starting point is 00:15:52 I'm doing great, Chris. Thanks for inviting me. I feel like I spent my entire life either taking practice exams for certification exams or now writing certification exam questions, so I'm really happy to be here. We are happy to have you. So if you've been listening to our episodes, you know that we are going to be turning the tables. And Stephen, you're going to be asking me today's question. But first, while I corral some courage, I understand you have a 10-second study bit for this test.
Starting point is 00:16:20 So what do you have for us today, Stephen? Well, I want to remind everyone that when you're practicing to take a certification exam, that the practice tests are not the actual questions. So one of the things that we do at N2K in our practice exams is make sure all of the incorrect answers are also plausible answers on the real exam for other types of questions. So make sure you study the wrong answers and read those descriptive links in the bottom of the practice exam tips. That is a really great tip.
Starting point is 00:16:50 So Stephen, what do you have for me today? All right, this is networking, Chris. So prepare yourself. So here we go. You use a computer on a TCP IP network and you transfer data through well-known TCP port 80. Which protocol is most likely being used to transfer data? Now, this is a multiple-choice question.
Starting point is 00:17:11 You don't have to have these memorized. So let me tell you what your four choices are. Your choices are FTP, POP3, SMTP, or HTTP. All right, Stephen. So this falls under the network security objective and understand computer networking sub-objective. Is that correct? That's correct. And it's a good idea for you to place this exam in the appropriate objective so you know you've studied all parts of the exam.
Starting point is 00:17:42 That's right. So not my strong suit, but I admit I have studied for, taken, and passed this CC test, and it was no easy feat, even though it's targeted for beginners. So it was a tough test. And for our listeners out there, it's 100 multiple choice questions, and you get two hours. It sounds like I'm stalling, which I am, so I should know this. And I do recall this answer as I did a memorization technique for this, which I am, so I should know this. And I do recall this answer as I did a memorization technique for this, which I will discuss in a bit. So my answer is D, HTTP. All right, we're off to a good start. That is correct. The Hypertext Transfer Protocol,
Starting point is 00:18:17 HTTP, is assigned to port 80, and that is a well-known port number that you do need to know for the CC exam. HTTP is used to transfer data between browsers and servers on the web. HTTP is a stateless protocol, which means the server and the client do not collect any information about each other. Now, in terms of studying the incorrect answers, those may be plausible correct answers on other questions, so let's make sure we know those as well. answers. Those may be plausible correct answers on other questions, so let's make sure we know those as well. The FTP stands for the File Transfer Protocol, and that uses the well-known TCP ports 20 and 21. FTP is used to transfer files or data between FTP clients and servers on a TCP IP network. Now, the next one is related to email. It is the POP3 or Post Office Protocol that uses well-known TCP port 25.
Starting point is 00:19:26 SMP is used to transfer email messages between email servers and then sometimes transfer messages from clients to servers in older environments. So I'm curious now, you used a memorization technique to remember these ports. What is your trick? So there are a lot of mnemonics out there that you can use, as you very well know, Stephen. And for port 80, I've seen everything from mapping port 80 to the part acronym, part phrase, hold the phone, I see a ghost, since the number 80 looks like a sideways ghost face, I guess, which is foreboding since it's a non-encrypted port. But I just associated 80 with the HTTP protocol
Starting point is 00:20:09 coming out in 1989. So that's what I used. And there are so many techniques. Can you share some of what you've heard that have been helpful? Well, when you take a certification exam related to technology concepts like this, it can be acronym soup.
Starting point is 00:20:24 So one of my tips is, I don't try to remember all of the words in the acronym. For example, HTTP, I would just think of that one as hyper. The SMTP, I would think of as simple. And then that way, I'm only trying to remember one word that's easily pronounced rather than an acronym or the whole thing pronounced all the way out. That is very helpful. So I'd love to hear from our listeners what techniques they've used as well, so leave us a comment. Also, Stephen, this is one of those tests where you are not allowed to mark items for review, which makes the exam even more challenging. Is that due to the fact that it's adaptive, which means it supplies subsequent questions based on your previous answers? Actually, no. On this particular exam, the exam questions will be balanced according to the percentage of the questions that are stated in the exam summary.
Starting point is 00:21:17 So it's a really good idea as a student to make sure that you study all the parts of the exam, and those percentage weighting will give you an idea about how many questions you'll get on each topic. Excellent. Great question. Appreciate your being here today, Stephen. Are there any upcoming ISE2 or other practice tests you'd like to promote here? We do, actually. We have an update coming for the CISSP exam in early 2025 and just recently updated the framework for the Cisco Certified Network Associate or CCNA exam this past September. We also have a ton more Microsoft CompTIA and Amazon exam updates coming, so keep a lookout for those on our website. Excellent. Thank you so much, Stephen.
Starting point is 00:22:00 Thank you for having me, Chris. Absolutely. And thank you for joining me for this week's CertByte. If you're actively studying for this certification and have any questions about study tips or even future certification questions you'd like to see, please feel free to email me at certbyte at n2k.com. That's C-E-R-T-B-Y-T-E at N number 2K dot com. If you'd like to learn more about N2K's practice tests, visit our website at n2k.com forward slash certify. For more resources, including our N2K Pro offerings,
Starting point is 00:22:32 check out thecyberwire.com forward slash pro. For sources and citations for this question, please check out our show notes. Thank you. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And finally, Motorola's automated license plate readers are unintentionally moonlighting as live-streaming surveillance tools, thanks to misconfigurations exposing them to the unsecured Internet. Security researcher Matt Brown found that some of these cameras, intended for private networks, Some of these cameras, intended for private networks, are accidentally broadcasting video and license plate data online for anyone with the right tools to access.
Starting point is 00:24:51 Using the IoT search engine Census, Brown located streams showing color and infrared footage along with real-time plate data, no login required. Privacy advocate Will Freeman turned this oversight into a proof-of-concept nightmare, crafting a tool that decodes and timestamps car movements into spreadsheets. Want to track a stranger's daily commute? There's an app for that, theoretically. Freeman warns this exposure underscores how risky automatic license plate readers are to privacy, despite claims they're harmless unless you're a criminal.
Starting point is 00:25:33 Motorola promises a firmware update to address these issues. Until then, some cameras remain accidental live streamers, mapping our every move. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show,
Starting point is 00:26:13 please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Iben. Our executive editor is Brandon Karp. Simone Petrella is our president. Peter Kilpie is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow Bye.
