CyberWire Daily - Buckets of trouble.
Episode Date: December 10, 2024

Researchers uncover a large-scale hacking operation tied to the infamous ShinyHunters. A Dell Power Manager vulnerability lets attackers execute malicious code. TikTok requests a federal court injunction to delay a U.S. ban. Radiant Capital attributed a $50 million cryptocurrency heist to North Korea. Japanese firms report ransomware attacks affecting their U.S. subsidiaries. WhatsApp's "View Once" feature faces continued scrutiny. SpyLoan malware targets Android users through deceptive loan apps. A major Romanian electricity distributor is investigating an ongoing ransomware attack. A critical flaw in OpenWrt Sysupgrade has been fixed. Contenders for top cyber roles in the next Trump administration visit Mar-a-Lago. On our Industry Voices segment, Jason Lamar, Cobalt's Senior Vice President of Product, joins us to share insights on offensive security: staying ahead of cyber threats. Google's new quantum chip promises scaling without failing.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
On our Industry Voices segment, Jason Lamar, Cobalt's Senior Vice President of Product, joins us to share insights on offensive security: staying ahead of cyber threats. Check out Cobalt's GigaOm Radar Report for PTaaS 2024 to learn more.

Selected Reading
ShinyHunters, Nemesis Linked to Hacks After Leaking Their AWS S3 Bucket (Hackread)
Dell Power Manager Vulnerability Let Attackers Execute Malicious Code (Cyber Security News)
TikTok Asks Court To Suspend Ban Ahead of Supreme Court Appeal (The Information)
Radiant links $50 million crypto heist to North Korean hackers (Bleeping Computer)
US subsidiaries of Japanese water treatment company, green tea maker hit with ransomware (The Record)
WhatsApp View Once Vulnerability Let Attackers Bypass The Privacy Feature (Cyber Security News)
SpyLoan Malware: A Growing Threat to Android Users (Security Boulevard)
Romanian energy supplier Electrica hit by ransomware attack (Bleeping Computer)
OpenWrt Sysupgrade flaw let hackers push malicious firmware images (Bleeping Computer)
Homeland Security veteran to be interviewed for Trump administration cyber role (The Record)
Google claims 'breakthrough' with new quantum chip (Silicon Republic)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now, at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code N2K at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code N2K at checkout. That's joindeleteme.com/n2k, code N2K.
Researchers uncover a large-scale hacking operation tied to the infamous ShinyHunters. A Dell Power Manager vulnerability lets attackers execute malicious code. TikTok requests a federal court injunction to delay a U.S. ban. Radiant Capital attributed a $50 million cryptocurrency heist to North Korea. Japanese firms report ransomware attacks affecting their U.S. subsidiaries. WhatsApp's View Once feature faces continued scrutiny. SpyLoan malware targets Android users through deceptive loan apps. A major Romanian electricity distributor is investigating an ongoing ransomware attack. Contenders for top cyber roles in the next Trump administration visit Mar-a-Lago. In our Industry Voices segment, Jason Lamar, Cobalt's Senior Vice President of Product, joins us to share insights on offensive security. And Google's new quantum chip promises scaling without failing.

Coming to you live from the Cybersecurity Marketing Society's Cyber Marketing Con in Philadelphia, I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today. It is great, as always, to have you with us.
Cybersecurity researchers Noam Rotem and Ran Locar have uncovered a large-scale hacking operation tied to the infamous ShinyHunters and Nemesis groups. Exploiting vulnerabilities and misconfigurations, hackers accessed sensitive data, including AWS keys, source code, and cryptocurrency wallets. Using tools like ffuf, httpx, and Shodan, they automated exploits targeting millions of websites and endpoints globally. The operation, traced to French-speaking individuals, involves selling stolen data on Telegram for hundreds of euros. Notably, an open AWS S3 bucket used by the attackers revealed harvested data and even linked back to Sezyo Kaizen, a convicted member of ShinyHunters. This error exposed their tools, techniques, and some identities. Researchers collaborating with AWS mitigated the impact and notified affected parties. ShinyHunters, known for breaches at major firms like AT&T and Ticketmaster, and Nemesis, tied to a black market forum, demonstrate the sophistication of these syndicates.

A critical vulnerability in Dell Power Manager, used to manage power settings on Dell systems, allowed attackers with local access and low privileges to execute malicious code and escalate privileges. The flaw stems from improper access control, enabling unauthorized access to sensitive system functions and potential full system compromise. Rated with a CVSS score of 7.8, the vulnerability requires local access but is low in complexity and does not need user interaction. Dell has released version 3.17 to address the issue, urging users to update immediately. No workarounds exist, emphasizing the need for timely patching and robust endpoint security to mitigate risks.

TikTok has requested a federal court injunction to delay a U.S. ban set for January 19th as it appeals to the U.S. Supreme Court. The D.C. Circuit Court upheld a law requiring TikTok to sever ties with Chinese parent ByteDance. TikTok argues the ban poses no immediate national security risk and seeks a decision by December 16th. The injunction would allow the incoming administration to reassess the case, potentially avoiding harm and Supreme Court involvement.
DeFi platform Radiant Capital has attributed the $50 million cryptocurrency heist from its platform on October 16th to North Korean state-affiliated hackers known as Citrine Sleet, also known as UNC4736 or AppleJeus. The sophisticated attack bypassed advanced security measures, including hardware wallets and multi-signature verification, exploiting malware delivered via a spoofed Telegram message. Hackers used the malicious payload INLETDRIFT to compromise developer devices, enabling authorized transactions on the Arbitrum and Binance Smart Chain networks. Mandiant assisted in the investigation, linking the attack to North Korea's broader strategy of targeting cryptocurrency platforms to fund state operations. Radiant, a DeFi platform enabling cross-blockchain asset management, emphasized the attacker's ability to evade standard verification processes. It's now working with U.S. law enforcement and recovery firms to reclaim stolen funds while calling for improved device-level security to mitigate future threats.

Japanese firms Kurita Water Industries and ITO EN recently reported ransomware attacks affecting their U.S. subsidiaries. Kurita, a global leader in water treatment chemicals, revealed that its Minnesota-based Kurita America was targeted on November 29. Attackers encrypted servers and potentially leaked data belonging to customers, employees, and partners. However, core systems have been restored and operations remain unaffected. Similarly, ITO EN North America, part of Japan's largest green tea producer, faced a ransomware attack on December 2nd, impacting servers in Texas. Backup data is being used to restore operations, and investigations are ongoing. These incidents highlight the surge in ransomware targeting Japanese companies in 2024, with major firms like Fujitsu, Game Freak, and Nidec also affected.
Meta's WhatsApp faced criticism after a vulnerability in its View Once feature allowed attackers to bypass privacy protections using modified WhatsApp web clients. The feature, designed to limit media to a single view, was undermined by browser extensions that ignored its restrictions, enabling recipients to save or share content. Meta initially deployed a partial fix in September, but attackers adapted quickly. A robust server-side fix in November resolved the issue by blocking View Once media access on web clients. While effective, this fix raised concerns about metadata exposure and left vulnerabilities in modified mobile clients. Experts suggest device integrity checks or DRM for enhanced protection.

SpyLoan malware is a growing threat targeting Android users through deceptive loan apps. Masquerading as legitimate financial tools, these apps exploit social engineering to gain access permissions and steal sensitive data, including financial information, contacts, and location details. Downloaded over 8 million times, SpyLoan apps bypass Google Play Store's filters and target users globally, with cases reported in India, Southeast Asia, Africa, and Latin America. Victims face financial exploitation, blackmail, and harassment. Authorities are combating the threat, but SpyLoan's global prevalence demands stronger security measures and user vigilance.

Electrica Group, a major Romanian electricity distributor, is investigating an ongoing ransomware attack that has not impacted its critical SCADA systems. The company, serving over 3.8 million customers, emphasized that temporary disruptions are precautionary measures to protect infrastructure and data. Romania's energy ministry confirmed the attack, stating that network equipment remains unaffected. The incident follows a declassified report revealing over 85,000 cyber attacks targeting Romania's election infrastructure, highlighting the country's increasing cybersecurity challenges. Electrica is collaborating with authorities to resolve the issue.

A critical flaw in OpenWrt's Attended Sysupgrade feature could have enabled attackers to distribute malicious firmware via custom builds. OpenWrt is a popular Linux-based OS for routers and IoT devices, and it's had vulnerabilities involving command injection and hash truncation. Researcher RyotaK demonstrated how these flaws allowed modification of firmware artifacts. OpenWrt developers promptly addressed the issue, fixing it within hours. Although no exploitation has been detected, users are urged to update their firmware to eliminate potential risks.
Brian Harrell, a seasoned veteran of the Department of Homeland Security under the Trump administration, is reportedly a leading contender for high-ranking cybersecurity roles in the next administration, The Record reports. Sources familiar with the situation reveal that Harrell has been invited to Mar-a-Lago in the coming weeks to interview for roles such as Director of the Cybersecurity and Infrastructure Security Agency and DHS Undersecretary for Strategy, Policy, and Plans. Harrell, who previously served as DHS Assistant Secretary for Infrastructure Protection, is well regarded for his expertise in safeguarding critical infrastructure. Recorded Future News first reported his candidacy for these prominent positions. He's not the only one under consideration. Matt Hayden, former DHS Assistant Secretary for Cyber, Infrastructure, Risk, and Resilience, and Sean Plankey, a former National Security Council cyber team member and Acting Assistant Secretary at the Department of Energy's Cybersecurity Office, are also being considered for potential leadership at CISA. Two sources confirmed Plankey's name in the mix for the top CISA role. The forthcoming Mar-a-Lago interviews are part of broader plans to fill key positions within DHS, not only in cybersecurity, but also in areas such as immigration enforcement and leadership roles at the Transportation Security Administration. This diverse hiring strategy reflects the transition team's focus on securing leadership across various critical sectors.
Coming up after the break, Jason Lamar, Cobalt's Senior Vice President of Product,
joins us to share insights on offensive security.
And Google's new quantum chip promises scaling without failing.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. have continuous visibility into their controls with Vanta. Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices,
home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families
24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
In our Industry Voices segment, Jason Lamar, Cobalt's Senior Vice President of Product,
joins us to share insights on offensive security, staying ahead of cyber threats.
And it really matters. This whole area of offensive security matters. Why? Because being proactive is really critical to keeping your business safe from new and evolving cyber attacks. We have penetration testing, and that is changing more and more frequently as part of the software development lifecycle. And customers increasingly are adopting a pentesting as a service model because that's an area where this whole model shines. There's also a lot of automation where you have different capabilities being used. Offensive security is all about being proactive. It's about, you know, getting in the mindset of an external attacker, looking for the weaknesses that you have on your external attack surface.

Well, I want to dig into pen testing as a service, but before we do, what other things fall under the umbrella of offensive security measures? What sort of things would you categorize there?

I would say there's things like red teaming, where you're trying to understand your particular scenarios that are high risk for your particular kind of organization or threat stack, and how your defenses work in that is also really important. So having an adversarial mindset, looking at not just probing for vulnerabilities like a scanner or even just, you know, just basically trying to become more testing-like here, the adversary.
Let's dig into some of the details about penetration testing as a service. Can we start off again sort of at a high level here? I mean, where do you think we stand when it comes to the types of offerings that are out there for this?

We see a lot of snake oil, to be honest. Script kiddies that are running the same couple of tools, calling it a pen test or even claiming that's offensive. There's automated DAST scans that people are doing, and then they have some kind of human review, calling that offensive. So there's a lot of snake oil. What we recommend is people look for the provider's methodology and how have they exercised that over years. Have they got experience with it? And offensive security is about going beyond pen testing and delivering a breadth of engagements based on maturity of an organization. Some organizations are just starting out. They need to do scans to pick up the easy to find things. But as they mature, they want to do pen testing to bring a variety of testing and outside-in perspective. And then as they get even more mature, they'll do things like red teaming, secure code reviews, and those kind of engagements. So it depends on the maturity of the customer, but everyone's on a journey, I would say, to up their game.
Do you have any suggestions or words of wisdom for the types of questions people should be asking out there if they want to align that provider with where they are on their own journey?

Well, I mean, I think every industry has kind of a standard analysts or different folks that monitor the industry and give recommendations. For the offensive security arena, and especially the pen testing as a service arena, GigaOm is a great resource. We have a thing called the GigaOm Radar. And the GigaOm Radar really takes you through specific selection criteria, areas where you might evaluate different providers or different companies that you would get this from. And they'll talk about how the company's doing with actionable reporting or how good their integrations are and how scalable they are, how quickly they can do testing for you, because not everyone can plan ahead. But this GigaOm Radar, I think, is super helpful in characterizing and understanding different players and their strengths and also who are the front runners, or the folks that, I think the terms they use are outperformers. But I mean, it just helps you understand what the field is of providers and, you know, based upon your requirements, you can interpret what's most important there.

What about setting a cadence for this sort of thing? How often do you engage? How often do you have penetration testing happen? How do folks go about dialing that in?
Well, I think it's always important to talk with the organization that you want to partner with and have them consult with you as part of the ongoing discussion you have about procuring tests or engaging them. Usually there's an assessment or some kind of, it's not even a costly thing, do some kind of understanding of where you're at in your maturity of your testing program. And that can help you understand what you need most if you're not sure what you need to do. If you have very specific requirements and you know what you want, then it just depends on the kind of activity that you're looking at. You might say, well, I just need a very quick compliance test for a new product that I'm deploying. There's folks out there that can start a test within 24 hours and have you up and running. I know of one that can do that. And then there's whole programs where you've got a very mature application or group of applications, and they change less frequently, so you do your annual test there, but maybe you spend your testing time on things that are changing a lot within applications, particularly around this area of LLM AI. Existing applications that have been stable and kind of not changing a lot are getting new experiences added to them. So we've had folks come and say, hey, I want to test this AI stuff. They may want to do a smaller test where they're just doing prompt injection kind of test, or they may want to have a new experience altogether and they want to do a comprehensive test. So it depends on what your application or asset is, the rates of change on it, and the risk that you want to try to mitigate by testing and at least having that visibility, and then understanding how your controls will do and what compliance needs that you have to fulfill your organization's objectives.
And what are the advantages of engaging with someone from outside of your own organization to do this rather than handling it in-house?

Well, if you're blessed with a team that is able to do this kind of testing, that's really great. A lot of organizations don't have the ability to hire for this in-house. And even those that do often need what I would call surge resources. There's overflow work. And so that's where you want to look outside. If you don't know where to start, obviously engage with someone, especially as part of the meet us kind of part of the relationship. You'd want to have a discussion about your maturity and what your needs are. If you have specific projects that you know you need to do, you know, they're on a timeline and scope is really clear and that kind of thing, then, you know, it's a good opportunity to use resources that can go fast. So you engage someone who's got a large network of testers available. That's going to be an easier process than going through a statement of work with different vendors for each test. There's some economies that you can have by working with an organization that does pen testing as a service or red teaming as a service. And other benefits would be you have the ability to have a relationship with a company, do some testing with them. They know you, they know your assets and your organization. You kind of understand what your unique situation is and what you want to get out of things. And as more projects come up, then you can just add those into the work that you're already doing ongoing. Some customers, they have annual testing, you know, and that's kind of their thing. Other customers have like, they want to do agile testing where, especially increasingly with software development, there's an area of an app that's been undergoing a significant amount of change. Hey, we want to pen test that area outside of our annual cadence. Very common for that to happen as well. So you want a relationship with organizations that have those flexible capabilities to meet you in the kind of testing that you need.
I can imagine that particularly for companies who are just starting down this path, there could be a certain amount of intimidation here. That you're asking someone to come and poke at all the soft exposed parts of your company here. I mean, is that part of that onboarding conversation to put people at ease and let them know exactly what to expect?

Absolutely. And to get yourself comfortable, first of all, do you like the folks you're talking with? That's always important. But, you know, folks that do this a lot, like we do over 4,000 tests a year, right? So there's a familiarity and understanding of folks that are entering the process and their care about some concerns that, you know, we are particularly tuned with, and others like us. So don't be intimidated, but do engage and help the folks that you're talking with understand what your actual needs are. And if you don't know what your needs are, be willing to go through a conversation to uncover those, because a lot of times that can be very enriching, whether you buy anything or not.
That's Jason Lamar, Senior Vice President of Product at Cobalt. We'll have a link to their research in our show notes. Thank you. ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And finally, Google's latest breakthrough in quantum computing, a chip named Willow, tackles the notorious challenge of error correction in scaling up quantum computers. Traditionally, adding more qubits, the building blocks of quantum systems, results in more errors, derailing the dream of functional quantum computing. But Willow flips the script, reducing errors as more qubits are added. Hartmut Neven, head of Google Quantum AI, proudly announced they achieved below-threshold error rates, a historic feat since Peter Shor introduced quantum error correction in 1995. Neven likened the milestone to building the first convincing prototype for a scalable, logical qubit, a step closer to truly large, useful quantum computers. But quantum enthusiasts, hold your champagne, the tech is still in the experimental phase. Remember when Google claimed quantum supremacy in 2019? IBM quickly played referee, disputing Google's assertion that its quantum processor outpaced supercomputers. Meanwhile, IBM continues its quantum crusade, launching a $100 million initiative with U.S. and Japanese universities to create quantum-centric supercomputers. Quantum industry veteran Bob Sutor reminds us that while companies like Google and IBM are pouring resources into solving quantum's puzzles, progress requires more than just deep pockets. Collaboration across regions, countries, and alliances is key. So, while Willow's achievement is a major leap, the road to practical quantum computing is still filled with hurdles, debates, and undoubtedly a few more bold claims from competitors. Until then, quantum's promise remains a tantalizing mix of science, strategy, and a dash of corporate rivalry.

And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. Thank you. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector,
from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people.
We make you smarter about your teams while making your teams smarter.
Learn how at N2K.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester
with original music and sound design
by Elliot Peltzman.
Our executive producer is Jennifer Iben.
Our executive editor is Brandon Karp.
Simone Petrella is our president.
Peter Kilpie is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.