CyberWire Daily - A ticking clock to exploitation.
Episode Date: September 9, 2024

Patch Now alerts come from Progress Software and Veeam Backup & Replication. Car rental giant Avis notifies nearly 300,000 customers of a data breach. The UK's National Crime Agency struggles to retain top cyber talent. Two Nigerian brothers get prison time for their roles in a deadly sextortion scheme. SpyAgent malware uses OCR to steal cryptocurrency. A Seattle area school district suffers a cybercrime snow day. Our guest is Amer Deeba, CEO of Normalyze, discussing data's version of hide and go seek: the emergence of shadow data. A crypto leader resigns after being held at gunpoint.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Our guest is Amer Deeba, CEO of Normalyze, discussing data's version of hide and go seek, or the emergence of shadow data.

Selected Reading
Progress LoadMaster vulnerable to 10/10 severity RCE flaw (Bleeping Computer)
New Veeam Vulnerability Puts Thousands of Backup Servers at Risk – PATCH NOW! (HACKREAD)
Thousands of Avis car rental customers had personal data stolen in cyberattack (TechCrunch)
UK National Crime Agency, responsible for fighting cybercrime, 'on its knees,' warns report (The Record)
2 Brothers Sentenced to More Than 17 Years in Prison in Sextortion Scheme (The New York Times)
SpyAgent Android malware steals your crypto recovery phrases from images (Bleeping Computer)
Highline schools closing Monday because of cyberattack (Seattle Times)
Crypto Firm CEO Resigns Following Armed Robbery of Company Funds (Blockonomi)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show?
You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Patch Now alerts come from Progress Software and Veeam Backup and Restoration.
Car rental giant Avis notifies nearly 300,000 customers of a data breach.
The UK's National Crime Agency struggles to retain top cyber talent.
Two Nigerian brothers get prison time
for their roles in a deadly sextortion scheme.
SpyAgent malware uses OCR to steal cryptocurrency.
A Seattle-area school district
suffers a cybercrime snow day.
Our guest is Amer Deeba, CEO of Normalyze,
discussing data's version of hide-and-go-seek, the emergence of shadow data.
And a crypto leader resigns after being held at gunpoint.
It's Monday, September 9th, 2024.
I'm Dave Bittner, and it's great to have you back with us here today.
Progress Software has released an emergency patch for a critical vulnerability in its LoadMaster and LoadMaster Multi-Tenant Hypervisor products. The flaw, rated 10 out of 10 in severity, allows unauthenticated attackers to remotely execute arbitrary system commands via a crafted HTTP request. This vulnerability stems from improper input validation in LoadMaster's management interface, enabling remote code execution. Progress has provided an add-on package to fix the issue for vulnerable versions, including the free version of LoadMaster. No active exploits have been reported, but users are urged to apply the patch and follow recommended security measures to protect their systems.
A critical vulnerability in Veeam Backup & Replication software allows attackers to gain full control of systems without authentication. It's classified as a remote code execution flaw, and if exploited, attackers could run arbitrary code, potentially leading to data breaches or ransomware deployment. Cybersecurity firm Censys identified over 2,800 Veeam servers exposed online, mainly in Germany and France. This vulnerability follows a similar flaw exploited by ransomware groups earlier in 2023. Veeam has released a patch addressing this and five other issues. Users are strongly urged to update their systems, review network security to prevent exposure to the internet, and monitor for unauthorized activity.
Car rental giant Avis is notifying nearly 300,000
customers that their personal information was stolen in an August 2024 cyber attack.
The breach exposed sensitive data including names, mailing and email addresses, phone numbers, birth dates, credit card details, and driver's license numbers.
The attack began on August 3rd, but was discovered two days later.
Avis has not disclosed how the breach occurred, and further details remain unclear.
So far, the largest number of affected individuals are from Texas, with over 34,000
residents impacted. Additional breach notifications are expected. Avis, which owns Budget and Zipcar,
operates in over 180 countries and earned $12 billion in revenue in 2023. The company has not
commented on who is responsible for its cybersecurity efforts.
The UK's National Crime Agency, commonly viewed as an elite force capable of tackling serious organized crime, including cybercrime,
is struggling to maintain its operations, according to a recent report by Spotlight on Corruption, a non-profit civil society group. The report warns
that the agency is on its knees, citing a severe brain drain caused by a broken pay system,
which is driving away senior staff and cyber experts. Notably, the NCA loses nearly 20% of
its cyber capacity each year, a significant blow as cybercrime continues to rise
globally. This staffing crisis has forced the NCA to depend heavily on costly temporary labor
and consultants, who now account for more than 10% of the agency's budget. The report calls on
the UK government to take immediate action, emphasizing that the NCA is at a critical juncture.
Without urgent reforms and proper funding, the agency will struggle to fulfill its mission to
protect the country from growing threats like fraud, organized crime, and cyber attacks.
Britain's new Labour government, which campaigned on rebuilding the public sector after years of
austerity and budget cuts,
faces a crucial decision.
The report argues,
The question for the new government is not whether it can afford to invest in pay reform at the NCA,
but whether it can afford not to.
The report highlights that NCA officers, like other public sector workers,
have faced stagnant pay for over a decade,
exacerbated by high inflation since 2022. This has made NCA positions less attractive
compared to private sector jobs or international counterparts like the FBI. While the NCA is often
likened to the FBI, Spotlight on Corruption points out stark differences between the two agencies.
The FBI boasts a much lower turnover rate of 1.7%.
FBI agents also enjoy better pay, benefits, and professional growth opportunities,
making the NCA less competitive in attracting talent.
In contrast, serving British police officers would have to take a pay cut to
join the NCA, which lacks similar performance-based pay increases. The government spokesperson
acknowledged the vital role the NCA plays in combating organized crime and reiterated its
commitment to investing in the agency and its staff to ensure it has the necessary capacity and capabilities. However,
with cybercrime and fraud continuing to rise and key staff leaving at an alarming rate,
it remains to be seen whether these promises will translate into the significant reforms
and investments the NCA urgently needs. Two Nigerian brothers, Samuel and Samson Ogoshi, have been sentenced to 17 and a half years
in prison for their roles in a social media sextortion scheme that claimed over 100 victims,
including at least 11 minors. The brothers, who posed as young women on Instagram and other
platforms, extorted money from their victims by threatening
to share nude photos with family and friends if they didn't pay up. One of the victims was Jordan
DeMay, a 17-year-old high school student who killed himself in 2022 after being threatened
by the brothers. The sentencing is seen as a significant step in cracking down on sextortion schemes,
which have claimed thousands of victims in recent years.
The U.S. Attorney for the Western District of Michigan said that the sentences send a
thundering message to scammers that they will be held accountable,
regardless of where they're located.
A new Android malware called SpyAgent uses optical character recognition technology to steal cryptocurrency wallet recovery phrases from screenshots stored on mobile devices.
Recovery phrases, or seed phrases, are crucial for accessing cryptocurrency wallets.
If stolen, attackers can use these phrases to take control of the wallet and its funds.
SpyAgent is distributed through at least 280 malicious APKs outside of Google Play,
often spread via SMS or social media.
Once installed, it scans device images for recovery phrases
and sends sensitive data to its command and control server.
The malware primarily targets South Korea,
but is expanding to the UK with potential plans for an iOS variant.
To mitigate risks, users should avoid installing apps outside of Google Play
and monitor for suspicious permissions.
The Highline Public School District in Washington State announced the closure of all
schools on Monday due to a breach in its technology systems. The district detected
unauthorized activity and immediately isolated critical systems, working with third-party and
government partners to restore and test their network. The closure affects athletics, school activities, and the vaccine clinic, with central offices remaining open. The breach delays the first day of kindergarten,
and families will be updated by Monday afternoon regarding Tuesday's schedule.
The district, which serves over 17,000 students across 35 schools south of Seattle,
has not detected any personal data theft.
The breach impacts essential operations such as school transportation and attendance tracking,
making it difficult to operate classes safely at the start of the school year.
Coming up after the break, Amer Deeba, CEO of Normalyze, discusses the emergence of shadow data.
Stay with us.
Amer Deeba is Chief Executive Officer of Normalyze,
and I recently sat down with him to discuss Data's version of hide-and-go-seek,
the emergence of shadow data.
I think everyone who's familiar with the name of shadow IT from five, six, ten years ago,
and shadow data is sort of the equivalent of it,
but on the data side.
So as customers are digitally transforming their businesses
and building applications,
specifically in cloud environments,
to automate, digitize, use AI,
the concept of shadow data became very popular
because you have developers copying data stores
and moving data from one environment to another
and leaving some of it behind
without really going back to do the cleanup when they're done.
And that ended up creating the concept of shadow data
or a data store that was used for a period of time,
contains a lot of data,
and some of it can be very sensitive,
but then it was left behind and people forgot about it.
And yet it's still available in the environment.
It's accessible by different users,
could be accessible internally or externally,
and can lead to data compromises.
In fact, some of the data breaches that happened were related to the concept of shadow data
that was used at some point within the environment, contained sensitive information, was left
within the environment.
And then hackers were able to find it, compromise it, and of course, have a data breach happen from it.
And is this typically the result of folks
going about their normal day-to-day business of,
you know, I'll stick something over here
because I might need it for a little while
and then time passes and I've moved on to the next thing?
Yeah, you're developing an application, for example.
You started in the dev environment.
You tested, you created all these data stores
part of your test environment
that contained actually real data.
And or you're using this data
to feed a new AI model that you're building
and you're trying to refine it.
And then you're putting certain data models in it
or data that you're amalgamating from multiple sources.
And all of that is being used
as you're building the application and testing it.
And then you produce everything.
You moved it from dev to QA to pre-prod to production.
And along the way, you move some of these data stores along with you.
In some cases, you cleaned it.
In some cases, you left it behind.
And that's what ends up being called the shadow data.
In this era where more and more organizations
find themselves training AI models,
how does shadow data apply to that process?
Again, if the model was using some data stores
when it was being built at the beginning,
that it contains basically information
to help the model formalize and get better,
that basically, same thing as part of building an application
that was using the shadow data, this data,
and then it was overlooked or copies of it
was moved around the environment
outside of the purview of the IT organization
that monitoring on an ongoing basis.
Because typically, you know, security, cybersecurity and IT are monitoring what's in production
sometimes and what's in pre-production.
But when it comes to what's being monitored in development environments or in environments
that are still being constructed, that's out of their actual ongoing monitoring.
So in that case, that shadow data or that data that was overlooked
that was used as part of an AI model will also be there.
Some of it might be in the AI model, some of it still might be outside of the AI model,
but at the end of the day, it contains sensitive information,
and it needs to be protected like any other type of data,
because if it contains PII or PHI or keys or records that are sensitive to your environment,
you really need to secure it like you secure everything else.
And how have organizations typically come at this problem,
I mean, historically?
Yeah, I mean, I think we started seeing it recently
more and more,
specifically like in cloud environments
where it's so easy to create this shadow data.
Like you can create an S3 bucket or an Azure blob and start putting information
in it, and then you can connect it to an application or to an LLM.
So in the cloud, the creation
of shadow data can be pretty instantaneous
in a way. If you need it to build an application,
you can get access to it, copy it from multiple sources,
put it, as I said, as a bucket, as a blob,
or this type of kind of temporary storage mechanism
that can be easily created in cloud environments.
So that's how we start seeing it happen
and become more and more of a common issue.
And the term shadow data really is a couple of years old, I think two to three years old. And it started happening as data security posture solutions are starting to form to
address specifically the issue of shadow data.
We started to hear more and more about it as some of the breaches that happened recently.
Also, where it happened because of shadow data,
that's where we started seeing it more and more
and hearing about it and became its own risk factor in cybersecurity.
So what are your recommendations then?
How can folks best come at this and do a better job dealing with this issue?
You have to take it seriously, knowing and getting visibility of your data, whatever it is and wherever it is, what contains sensitive information and what doesn't, so you can really
understand or put the controls around it in order to protect it and to prevent
breaches from happening around it. So if you approach it that way and you build the framework
to discover the data first to classify, to understand what's in it,
what's the value of it for your organization,
and to understand if there are any risk or attack paths
around it that could really make it compromisable
and take those proactive measures to fix it,
then you're in good shape.
And that's kind of our recommendation
in terms of also our business
and what we do with customers
is take that very seriously.
Make sure you have the controls in place
to discover the data,
whether it's cloud, on-premise,
SaaS environments,
all of those could contain
one or more different types of forms of shadow data,
although we see it more and more in cloud environments,
again, because of the ease of creation of shadow data there.
And make sure you understand where it is, what's in it,
and remove it, eliminate it from your environment altogether,
remove access, unnecessary access to it.
If, for example, developers within the organization still have access to it
but they don't need it, eliminate their access. Or if you don't need the data altogether,
make sure just to eliminate it from your environment.
It really seems like it's easy to have almost a pack rat mentality when it comes to this,
particularly when you're talking about cloud storage. I know for me as a user,
because so much of my information is stored in the cloud
and not locally on my laptop's hard drive,
I don't find myself bumping up against any kinds of storage limits.
So why ever delete anything, right?
It's human nature. We're all hoarders. We collect stuff. We like to collect data.
All you have to look at are inboxes. We rarely go back and clean up emails from five, six years ago
that we don't need anymore but that contain customer records, order numbers, customer information,
all types of data that, if compromised, you have to be accountable for.
That's why knowing what you have, understanding what's in it, how valuable it is,
and then deciding if you need to keep it or restrict access to it, or at least make sure it's protected.
There are no vulnerabilities around it. There are no misconfigurations. There is no over-privileged access.
All of that just increases the level of risk around the data.
That's Amer Deeba, CEO of Normalyze.
And finally, Nick Drakon, CEO of Revelo Intel, a crypto research and education platform,
has stepped down after a traumatic robbery where he was held at gunpoint and forced to transfer cryptocurrency.
The attackers, described as a sophisticated group, stole personal funds, company capital, and investor assets, threatening Drakon,
his wife, and their eight-month-old son. The criminals had detailed knowledge of Revelo's
crypto deposit addresses, raising suspicions of insider involvement. Drakon has since forfeited
his ownership stake in Revelo, which pledged 30% of future profits to affected members.
Vu Benson, former chief operating officer, has taken over as CEO.
Drakon apologized for errors that may have made him a target
and is cooperating with authorities to recover the stolen funds.
This incident serves as a sobering reminder
of the personal risks that
come with managing digital assets and the importance of prioritizing safety,
not just for ourselves, but for our loved ones.
And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast,
where I contribute to a regular segment on Jason and Brian's show every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver
the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your podcast app. Please also fill out
the survey in the show notes or send an email to cyberwire at n2k.com. We're privileged that
N2K Cyber Wire is part of the daily routine of the most influential leaders and operators in the public and private sector,
from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people.
We make you smarter about your teams while making your team smarter.
Learn how at N2K.com. This episode
was produced by Liz Stokes. Our mixer is Trey Hester with original music and sound design by
Elliot Peltzman. Our executive producer is Jennifer Iben. Our executive editor is Brandon Karp.
Simone Petrella is our president. Peter Kilpie is our publisher. And I'm Dave Bittner. Thanks
for listening. We'll see you back here tomorrow.