CyberWire Daily - Hacked, attacked, and sued.

Episode Date: October 10, 2024

The Internet Archive gets breached and DDoSed. Dutch police arrest the alleged proprietors of an illicit online market. Fidelity Investments confirms a data breach. Marriott settles for $52 million over a multi-year data breach. Critical updates from Mozilla, Fortinet, Palo Alto Networks, VMware, and Apple. Mongolian Skimmer targets Magento installations. On our Industry Voices segment, we speak with Ben April, Chief Technology Officer at Maltego Technologies GmbH, about "Overcoming information overload: Challenges in social media investigations." Bankruptcy pulls back the curtain on a data brokerage firm.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
On our Industry Voices segment, we speak with Ben April, Chief Technology Officer at Maltego Technologies GmbH, about "Overcoming information overload: Challenges in social media investigations."

Selected Reading
Internet Archive Breach Exposes 31 Million Users (WIRED)
Dutch cops reveal takedown of 'largest dark web market'
Fidelity says data breach exposed personal data of 77,000 customers (TechCrunch)
Marriott Agrees $52m Settlement for Massive Data Breach (Infosecurity Magazine)
Mozilla releases patches for actively exploited Firefox bug (The Register)
CISA says critical Fortinet RCE flaw now exploited in attacks (Bleeping Computer)
Palo Alto Warns of Critical Flaw That Let Attackers Takeover Firewalls (Cyber Security News)
VMware NSX Vulnerabilities Allow Hackers To Execute Arbitrary Commands (Cyber Security News)
iTunes Local Privilege Escalation (CVE-2024-44193) Vulnerability Analysis and Exploitation (CYFIRMA)
The Mongolian Skimmer (Jscrambler)
National Public Data files for bankruptcy after info leak (The Register)

Share your feedback.
We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. The Internet Archive gets breached and DDoSed. Dutch police arrest the alleged proprietors of an illicit online market. Fidelity Investments confirms a data breach. Marriott settles for $52 million over a multi-year data breach.
Starting point is 00:02:16 Critical updates from Mozilla, Fortinet, Palo Alto Networks, VMware, and Apple. Mongolian Skimmer targets Magento installations. On our Industry Voices segment, we speak with Ben April, Chief Technology Officer at Maltego Technologies,
Starting point is 00:02:31 about overcoming information overload, challenges in social media investigations. And bankruptcy pulls back the curtain on a data brokerage firm. It's Thursday, October 10th, 2024.
Starting point is 00:02:58 I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today. In a rather chaotic turn of events, the Internet Archive confirmed a major data breach on Wednesday, hours after a suspicious JavaScript pop-up claimed the same. Security researcher Troy Hunt, who runs Have I Been Pwned, verified that the breach exposed 31 million email addresses, usernames, and bcrypt password hashes, dating back to September. The breach comes on top of a wave of distributed denial-of-service attacks that have intermittently taken the site offline. Despite multiple requests, the Internet Archive remained silent until founder Brewster Kahle acknowledged the breach and DDoS attacks on X, formerly Twitter,
Starting point is 00:04:00 stating they had disabled the compromised JavaScript library and were upgrading security. Troy Hunt, who received the stolen data on September 30th and warned the archive on October 6th, was sympathetic, given the archive's current predicament. The organization is not only battling ongoing cyberattacks, but also facing multiple legal challenges, including a looming $621 million copyright lawsuit. Though Hunt wished for earlier disclosure, he urged understanding, reminding everyone that the Internet Archive, a non-profit, is doing great work despite the relentless challenges. The alleged administrators of the Bohemia and Canabia dark web marketplaces have been arrested following an investigation by Dutch police.
Starting point is 00:04:50 These marketplaces, which dealt in illicit goods like cannabis and DDoS tools, reportedly conducted around 67,000 transactions monthly, with a record turnover of 12 million euros in September of 2023. The operators allegedly made 5 million euros before shutting down the sites and attempting an exit scam to flee with the funds. Despite their efforts, law enforcement agencies from the Netherlands, Ireland, the UK, and the US continued the investigation, leading to two arrests, one in the Netherlands and another in Ireland. Dutch authorities emphasize that this operation demonstrates that the dark web is far less anonymous than many users believe, thanks to international cooperation. Fidelity Investments, one of the world's largest asset managers, confirmed that personal information of 77,000 customers was compromised in an August data breach. The breach occurred between August 17th and 19th when a third party accessed data using two recently established customer accounts.
Starting point is 00:06:00 Fidelity detected the activity on August 19th and terminated the unauthorized access. While no Fidelity accounts or funds were accessed, it remains unclear how the breach affected thousands of customers. Fidelity has not disclosed the types of data compromised. Marriott has agreed to a $52 million settlement with 50 U.S. states over a multi-year data breach that affected over 131 million American customers. The breach, which occurred between 2014 and 2018, exposed 339 million global guest records, including personal details, unencrypted passport numbers, and payment information. Marriott acquired Starwood in 2016 during the period of the breach, and attackers accessed the Starwood guest database undetected
Starting point is 00:06:53 for four years. The settlement resolves allegations that Marriott violated consumer protection and data security laws. Marriott has agreed to enhance its cybersecurity practices, including implementing a comprehensive information security program. The UK also fined Marriott $24 million in 2020. Marriott emphasized it admitted no liability but is committed to improving its data security practices worldwide. We've got a number of critical updates to report on today. Mozilla has issued a critical security patch for Firefox addressing a code execution vulnerability in the browser's animation timelines. This use-after-free flaw is actively being exploited, prompting advisories from national cybersecurity centers in
Starting point is 00:07:46 Canada, Italy, and the Netherlands. The vulnerability discovered by ESET's Damien Schaefer has been rated 9.8 by the National Vulnerability Database, with high impacts on confidentiality, integrity, and availability. CISA has revealed active exploitation of a critical remote code execution vulnerability in FortaOS. This flaw allows unauthenticated attackers to execute commands or arbitrary code on unpatched devices via the FGFMD daemon, which manages authentication requests and keep-alive messages on FortiGate and FortiManager. Fortinet patched the flaw in February, advising administrators to restrict FGFMD access and implement local-in policies to reduce the attack surface.
Starting point is 00:08:39 Palo Alto Networks has issued an urgent warning about critical vulnerabilities in its Expedition solution, which could allow attackers to hijack PAN-OS firewalls. The most recent flaw has a CVSS score of 9.9 and allows unauthenticated attackers to run OS commands, potentially exposing usernames, passwords, and API keys. Other vulnerabilities include command injection, SQL injection, and cross-site scripting issues. Although no evidence of exploitation exists, public exploit code is available.
Starting point is 00:09:15 Palo Alto urges users to update to the latest Expedition version and rotate credentials immediately. VMware issued a critical advisory addressing multiple vulnerabilities in its NSX and Cloud Foundation products. These include a command injection vulnerability allowing attackers to execute arbitrary commands as root, a local privilege escalation vulnerability that lets authenticated users gain higher permissions,
Starting point is 00:09:43 and a content spoofing vulnerability, enabling attackers to redirect victims to malicious domains. Rated as moderate risks, VMware urges users to update to the latest fixed versions, as no workarounds are available. And a critical vulnerability affecting iTunes for Windows has been discovered, allowing unauthorized users to gain elevated access and potentially compromise system security. The issue stems from improper
Starting point is 00:10:12 permission setting in a key directory, enabling attackers to exploit this flaw for administrative access. Apple released a fix on September 12th, and users are urged to update immediately. Organizations with unmanaged Windows systems are particularly vulnerable and should act quickly to patch their systems. Researchers at Jscrambler recently uncovered a skimming campaign using obfuscated JavaScript. Initially, the use of unusual accented Unicode characters in the code led some to speculate that this was a new obfuscation technique. However, the researchers quickly identified it as a common tactic to disguise skimming malware. The team reverse engineered the code, revealing a typical skimmer that monitors form inputs like payment fields,
Starting point is 00:11:06 exfiltrates data, and uses anti-debugging techniques. The skimmer, dubbed Mongolian Skimmer due to a unique Unicode character, was found targeting vulnerable Magento installations. In one case, researchers even discovered two skimming groups communicating via code comments, agreeing to share profits. Despite its obfuscation, the skimmer's tactics were relatively standard and easy to reverse. Coming up after the break, my conversation with Ben April, Chief Technology Officer at Maltego Technologies. We're talking about overcoming information overload. Stay with us. Do you know the status of your compliance controls right now? Like, right now.
Starting point is 00:12:09 We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
Starting point is 00:12:43 and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact,
Starting point is 00:13:36 over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. Ben April is Chief Technology Officer at Maltigo Technologies. In today's sponsored Industry Voices segment, I speak with him about overcoming information overload, challenges in social media investigations. You know, social media
Starting point is 00:14:13 is kind of a huge piece of what we do these days. I mean, if you think about how much time people spend in their day-to-day lives posting things on social media, you know, it becomes a massive source of information in just about any
Starting point is 00:14:30 community of interest. One of the key features we've got to keep in mind is that even if your subject, whoever you're investigating, isn't posting themselves, chances are friends, family, relatives, you know, still include them in posts and pictures and things like that. So it's pervasive and it's pretty powerful. So how has this evolved over time? I mean, as these platforms have matured, as they've gotten larger, are the opportunities evolving as well? or are the opportunities evolving as well? I think they have to be. I mean, so I started at a time before social media was a thing.
Starting point is 00:15:10 I mean, I remember Facebook, actually, I remember MySpace coming out and then Facebook, you know, we had mailing lists before that and Usenet and all those things. So it's like there's been this slow, steady progression, at least at the beginning, from various forms of text message, you message, web forums and all that jazz.
Starting point is 00:15:29 And then we started getting to the point where bandwidth would allow us to add pictures, and it continued to grow. And now we've got people posting 360-degree real-time live video of them doing a jigsaw puzzle or whatever. But, I mean, it's so pervasive, and there's so much content and data, it's hard to not imagine it being part of an investigator's world. Yeah. Well, as the platforms have grown, as they've become more a part of everyone's day-to-day, how has that affected the collection of social media intelligence? I think it's gotten, you know, to some degree easier,
Starting point is 00:16:15 but also at the same time harder. So if we're thinking about how it's easier, there's just so much more opportunities. You know, so many services, so many systems. But if you're going the other way and you're looking at the difficulty, you've got multiple types of collections. So are you trying to do real-time, meaning I want to know what my actor is doing every step of the day? Are you trying to do kind of a historical, longitudinal study on what they're doing,
Starting point is 00:16:50 what they're accessing, what they're interested in, who they're interacting in? Every service has slightly different approaches for how they do this. Every service has different use policies and how are you allowed to collect the data? Do they offer pay-for services where you can download it directly? Do you have to create sock puppets and scrape it?
Starting point is 00:17:14 It's just a whole universe that you've got to kind of get wrapped up in. Yeah. It's my perception, certainly, that these platforms have gotten a lot noisier, the proliferation of bots. And now, of course, AI-driven bots. So, I mean, I suspect, as we talk about kind of looking for a needle in a haystack, it seems to me like that haystack has gotten a lot bigger. Yeah, I mean, there was a time we measured that haystack in, you know, terabytes. And, oh, I'm sure we'd be talking about yottabytes or something like that at this point, just the massive scale. And really, you know, we get to some interesting computer science challenges when
Starting point is 00:18:01 you start to talk about, you know, how is it indexed and how can I seek through and find the thing I'm actually looking for? And, you know, you're absolutely right. You've got bots. You've got bots everywhere. You know, just let's think back a year or so to the recent Twitter purchase and how bots were a big piece of that. But what content is real? What content was created by a bot, but actually with the intent of the actor in question versus what content came from things like ChatGPT? As people are considering using social media for their own threat intelligence, for gathering up this information that's relevant to them, it strikes me that they have a choice between engaging with
Starting point is 00:18:53 a third-party vendor or spinning up their own effort to do it internally. And I suppose some organizations dial in a mix of those two things. Can you give us some insights on those different approaches and what some of the pros and cons are with each of them? Sure. I'll start with the hard way, which would generally be rolling it yourself from scratch. There's a lot to consider in terms of what services you want to collect. Do you want to use prefabricated tools or do you want to build your own? How do those various services feel about it? Moving on into the full commercial, you've got to look for whether you're getting access to real-time only or real-time plus historical or maybe even historical only? And actually, what does your investigation need?
Starting point is 00:19:51 If you're trying to find an actor at the moment, you probably only need real-time. If you are specifically looking to find and create cases for potential prosecution, at that point, you need to consider evidentiary data collection and whether that's relevant to your case. How are you archiving the data you're collecting? Is the vendor doing it? Are you doing it? Those all come into play. It gets complicated. Yeah. There's a lot of important questions to ask. Do you find that there are some common mistakes that people make when they're spinning
Starting point is 00:20:25 up these sort of efforts? Any words of wisdom you can share there? Yeah, I'll give you two there. So the first one is really, I'll call it the assumption of intent. We've talked about this haystack of data out there, but as you find what appear to be needles, it's very easy to get into a mindset where the data you find that matches the assumption you went in with reinforces confirmation bias, so to speak. So you don't know what the poster in a case of social media intended and you've got to kind of remind yourself that yes i found that eureka moment they said exactly what i was hoping they were going to say is that applicable does it actually does it actually hold true now if you've been following somebody for multiple months and watching large swaths of interactions, yeah, you can start to kind of
Starting point is 00:21:25 build a, I have a sense when they're joking around, I have a sense when they're legit. The other scenario I'll give you in terms of mistakes is really understanding the semantic meaning of what you're getting. When you're pulling data in from a feed, it's kind of decoupled from the service as you might imagine it as a user. In terms of blending this data with your own internal data, I mean, you gather the things up from social media, but now you have to integrate that with the things that you're getting from other sources. Do you have any insights on what the best ways are to do that? How to be most effective there? It comes down to tooling and data models. Really having the ability to find
Starting point is 00:22:12 those interactions between information collected from disparate sources and the data you have in house, in my opinion, is kind of one of the core superpowers of internet investigators, right? The idea that maybe I found a post about an actor talking about a type of fraud in social media, and if I can link that actor to an account on my organization's infrastructure, I can now watch and evaluate their interactions more closely. Maybe it's a higher risk score. Maybe it's a different level of monitoring. But the idea that these indicators, usernames, in some cases passwords, email addresses,
Starting point is 00:23:04 all these things tend to follow people around. They tend to use them. And when you think about social media, it's all about likes and views. So you tend to try to build a following and a profile. So you really want to kind of hang on to that indicator. kind of hang on to that indicator, the ability to pivot that indicator into your infrastructure, into your data sets, and find that activity is priceless. For folks who are at the early stages of this journey, they're about to go out and start shopping around for these services. What sort of questions should they be asking? What are the important
Starting point is 00:23:46 things for them to be looking for? I would start by trying to understand what data is collected, where it's collected from, what services are covered. Align that with kind of your list of services that are most interesting from an investigative perspective and then understand how they collect the data. Is it a scrape where some services only provide some percentage of the available posts? So you're getting a sample of a sample maybe? Or is it direct API access where you have confidence
Starting point is 00:24:25 that you're seeing everything that happened in the back end? That's Ben April, Chief Technology Officer at Maltigo Technologies. Thank you. trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
Starting point is 00:25:39 And finally, National Public Data, NPD, a Florida-based data brokerage, has filed for bankruptcy after a massive data leak exposed personal information of potentially millions. The fun started in June when the hacking group USDOD posted 277 gigabytes of data from NPD, offering it for $3.5 million. Initially, NPD downplayed the breach, claiming only 1.3 million people were affected. But in bankruptcy filings, NPD conceded the true number could be hundreds of millions. The breach exposed sensitive details like social security numbers, prompting lawsuits and regulatory investigations.
Starting point is 00:26:26 To make matters worse, NPD's financial situation looks as shabby as their data security, listing assets like two HP Pavilion desktops worth $200 each, a ThinkPad laptop at $100, and five Dell servers. With more than a dozen class-action lawsuits looming and regulators closing in, the business admits it can't cover liabilities. Adding a final twist, the company also owns some eyebrow-raising domains like asseeninporn.com. Unsurprisingly, privacy experts warn that this fiasco highlights the urgent need for stronger data protection laws, as the data brokerage industry remains the Wild West of personal information. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback
Starting point is 00:27:25 ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. We're privileged that N2K Cyber Wire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500
Starting point is 00:27:51 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your team smarter. Learn how at n2k.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester with
Starting point is 00:28:12 original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Iben. Our executive editor is Brandon Karp. Simone Petrella is our president. Peter Kilpie is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
