CyberWire Daily - Hackers in handcuffs.

Episode Date: December 13, 2024

The U.S. dismantles the Rydox criminal marketplace. File-sharing provider Cleo urges customers to immediately patch a critical vulnerability. A Japanese media giant reportedly paid nearly $3 million to a Russia-linked ransomware group. The largest Bitcoin ATM operator in the U.S. confirms a data breach. Microsoft quietly patches two potentially critical vulnerabilities. Researchers at Claroty describe a malware tool used by nation-state actors to target critical IoT and OT systems. Dell releases patches for a pair of critical vulnerabilities. A federal court indicts 14 North Korean nationals for a scheme funding North Korea's weapons programs. Texas accuses a data broker of sharing sensitive driving data without consent. Tim Starks, senior reporter at CyberScoop, joins Dave to explore the FCC's groundbreaking proposal to introduce cybersecurity rules linked to wiretapping laws. How the bots stole Christmas.

CyberWire Guest: Tim Starks, senior reporter at CyberScoop, joins Dave to explore the FCC's groundbreaking proposal to introduce cybersecurity rules linked to wiretapping laws. Read more about it in Tim's article.
Selected Reading
Rydox Cybercrime Marketplace Disrupted, Administrators Arrested (SecurityWeek)
Cleo urges customers to 'immediately' apply new patch as researchers discover new malware (The Record)
Japanese game and anime publisher reportedly pays $3 million ransom to Russia-linked hackers (The Record)
Bitcoin ATM Giant Byte Federal Hit by Hackers, 58,000 Users Impacted (Hackread)
Microsoft Patches Vulnerabilities in Windows Defender, Update Catalog (SecurityWeek)
Researchers Discover Malware Used by Nation-States to Attack OT Systems (Infosecurity Magazine)
Critical Dell Security Vulnerabilities Let Attackers Compromise Affected Systems (Cyber Security News)
14 North Korean IT Workers Charged, US to Offer $5 Million Rewards for Info (Cyber Security News)
Texas adds data broker specializing in driver behavior to list of alleged privacy law violators (The Record)
UK Shoppers Frustrated as Bots Snap Up Popular Christmas Gifts (Infosecurity Magazine)

The CyberWire is a production of N2K Networks. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K.
Starting point is 00:01:22 The U.S. dismantles the Rydox criminal marketplace. File-sharing provider Cleo urges customers to immediately patch a critical vulnerability. A Japanese media giant reportedly paid nearly $3 million to a Russia-linked ransomware group. The largest Bitcoin ATM operator in the U.S. confirms a data breach.
Starting point is 00:02:22 Microsoft quietly patches two potentially critical vulnerabilities. Researchers at Claroty describe a malware tool used by nation-state actors to target critical IoT and OT systems. Dell releases patches for a pair of critical vulnerabilities. A federal court indicts 14 North Korean nationals for a scheme funding North Korea's weapons programs. Texas accuses a data broker of sharing sensitive driving data without consent. Tim Starks, senior reporter at CyberScoop, joins me to explore the FCC's groundbreaking proposal to introduce cybersecurity rules linked to wiretapping laws. And how the bots stole Christmas.
Starting point is 00:03:16 It's Friday, December 13th, 2024. I'm Dave Bittner. Thanks for joining us. It is great to have you here with us. The U.S. has dismantled Rydox, a marketplace for stolen personal data and fraud tools, and unsealed charges against its alleged administrators. Three suspects from Kosovo, Ardit Kutleshi, Jetmir Kutleshi, and Shpend Sokoli, were arrested in a coordinated operation. Ardit and Jetmir were detained in Kosovo and await U.S. extradition, while Sokoli was arrested in Albania and will be prosecuted there. Active since 2016, Rydox facilitated the sale of stolen personal data, credit card details, and credentials from thousands of U.S. victims. The site hosted over 18,000 users and sold over 321,000 cybercrime-related products, generating $230,000. U.S. authorities seized the Rydox domain, its servers in collaboration with Malaysian police,
Starting point is 00:04:35 and $225,000 in cryptocurrency. Ardit and Jetmir face charges of identity theft, device fraud, and money laundering, with potential decades-long sentences. Sokoli's arrest also led to the seizure of computers, phones, and cryptocurrency. Cleo has urged customers to immediately apply a patch for a critical vulnerability in its popular file-sharing products, Cleo Harmony, VLTrader, and LexiCom, used by enterprises across industries. Initially addressed in October, researchers at Huntress found systems remained vulnerable. Cleo released a new patch Wednesday and is generating a new CVE.
Starting point is 00:05:22 The vulnerability, exploited by sophisticated threat actors, has affected consumer products, shipping, and retail supply chains, with 24 confirmed compromised organizations. Attackers have deployed malware named Malichus, using Cleo software for initial access and persistence. Notably, the Termite ransomware gang exploited this flaw, probably linked to the CLOP gang. Huntress observed 160 vulnerable endpoints globally, with ransomware activity yet to emerge. Cybersecurity firms, including Sophos and Arctic Wolf, report primarily U.S.-based
Starting point is 00:06:00 retail victims. Experts credit rapid industry response with mitigating potential large-scale impacts. Japanese media giant Kadokawa reportedly paid nearly $3 million to Russia-linked ransomware group BlackSuit following a major cyber attack in June. The hackers accessed 1.5 terabytes of data, including contracts, internal documents, and employee personal information. Kadokawa's subsidiary, Niconico, temporarily shut down its live streaming platform due to the breach. Evidence of the payment includes emails from BlackSuit claiming receipt of the ransom and a $2.98 million cryptocurrency transaction discovered by security firm Unknown Technologies.
Starting point is 00:06:49 The hackers initially demanded $8.25 million, but allegedly agreed to $3 million, stating they would delete the stolen data. However, some information was leaked despite the payment. Kadokawa expects a $15 million fiscal loss due to the attack. Amid criticism of its handling of the breach, the company faces a potential acquisition by Sony, which employees view as a positive change. Byte Federal, the largest Bitcoin ATM operator in the U.S.,
Starting point is 00:07:23 confirmed a data breach affecting 58,000 customers. The breach, caused by a vulnerability in third-party software GitLab, occurred in September of this year, but was discovered on November 18. Compromised data includes names, addresses, social security numbers, transaction histories, and more. Byte Federal secured the server, implemented additional protections, and notified affected customers. While no misuse of data or funds has been reported,
Starting point is 00:07:55 experts warn of potential phishing risks. Microsoft announced the patching of two potentially critical vulnerabilities in Update Catalog and Windows Defender. These flaws have been fully mitigated and require no user action. The Windows Defender flaw, rated medium severity based on CVSS scores, could have allowed unauthorized disclosure of sensitive file content over a network due to improper index authorization. The Update Catalog vulnerability, involving deserialization of untrusted data, was a privilege escalation issue on the web server. Microsoft emphasized that neither flaw was disclosed publicly nor exploited before patching.
Starting point is 00:08:39 The company is now assigning CVE identifiers to cloud service vulnerabilities for transparency, following industry trends. Similar measures have been adopted by Google Cloud, reflecting growing emphasis on proactive security and communication about server-side vulnerabilities. Claroty's Team82 has identified IOCONTROL, a malware tool used by nation-state actors to target critical IoT and OT systems, including SCADA devices. Linked to Iran's IRGC-CEC CyberAv3ngers group, IOCONTROL has compromised devices such as fuel management systems, IP cameras, and PLCs from vendors like D-Link, Hikvision, and Orpak. One campaign impacted U.S. and Israeli fuel systems. The U.S. Treasury has sanctioned IRGC-CEC officials and offers a $10 million bounty for information on those involved. Dell disclosed two critical vulnerabilities
Starting point is 00:09:45 affecting PowerFlex appliances and racks, InsightIQ, and Data Lakehouse products. The first, with a CVSS score of 10.0, allows unauthenticated remote code execution through improper link resolution. The second, scoring 8.2, involves insecure storage of sensitive information, enabling high-privileged local attackers to access cluster pods. Dell has released patches for impacted systems and urges users to update immediately.
Starting point is 00:10:18 A federal court in St. Louis has indicted 14 North Korean nationals for a scheme generating $88 million to fund North Korea's weapons programs. Over six years, IT workers from North Korea-linked companies Yanbian Silverstar and Volasys Silver Star used false identities to secure remote jobs with U.S. companies. They not only collected salaries but also stole sensitive data, threatening extortion. The Justice Department seized $1.5 million and 17 domains as part of the case. The scheme highlights cybersecurity risks and the misuse of remote work. U.S. companies are urged to rigorously vet IT workers. Rewards up to $5 million are offered for leads on suspects. Authorities say they continue their efforts to thwart North Korea's attempts to bypass sanctions.
Starting point is 00:11:14 Texas Attorney General Ken Paxton has accused data broker Arity, owned by Allstate, of sharing sensitive consumer driving data without clear notice or consent. Arity gathers driving behavior data via SDKs embedded in partner apps such as MyRadar, GasBuddy, and Life360, then sells it to insurers to inform pricing decisions. Texas alleges Arity violated its privacy law by failing to obtain affirmative consent and not providing opt-out options. Sensitive data collected includes geolocation and driving patterns. The state's investigation revealed Arity's partnerships with apps often lack transparency, with some apps failing to disclose these relationships in their privacy policies.
Starting point is 00:12:03 While MyRadar claims its data sharing is anonymized and opt-in, Texas accuses other apps of improperly sharing data. The broader investigation reflects growing scrutiny of data brokers exploiting consumer information, particularly in the automotive and insurance sectors. Up next, Tim Starks from CyberScoop joins me to explore the FCC's proposal to introduce cybersecurity rules linked to wiretapping laws. And malicious bots are turning holiday shopping
Starting point is 00:12:42 into a Hunger Games-style scramble for overpriced gifts. We'll be right back.
Starting point is 00:14:59 It is always my pleasure to welcome back to the show Tim Starks. He is a senior reporter at CyberScoop. Tim, welcome back. It is always my pleasure to be back. Well, interesting story that you've written here for CyberScoop. This is about the FCC for the first time proposing cybersecurity rules in response to this wiretapping situation here. Unpack this for us, Tim. What's going on? Yeah, so there have been some calls from Capitol Hill in response to this very monumental, big deal hack of the telecom providers in the United States, and also it turns out elsewhere, by the Chinese hacking group known as Salt Typhoon. And they had been asking the FCC to put in place some security requirements connected to the wiretapping law known
Starting point is 00:15:47 colloquially as CALEA, Communications Assistance for Law Enforcement Act, I believe is what it stands for. Right. And the reason they asked for this is because the hackers seem to have exploited that backdoor system for wiretapping requests inside of telecommunications companies. And they may have gotten access to some pretty secret info as a result.
Starting point is 00:16:14 There have been some calls from the Hill. And now the FCC had originally, between Jessica Rosenworcel and Brendan Carr, the person who's the current chair and the person who's about to be the chair, had been a little noncommittal about this. But now the chairwoman is going forward with this and saying, we need to do this immediately. Essentially, this rule would go into effect right away as soon as they voted on it. And what sort of things are they calling for here? Essentially, they're saying you need to hit a baseline of security under and connected to CALEA, or you're going to face fines, potentially criminal punishment, but I'm thinking fines would probably be the way they'd go. are probably scratching their heads to think that these sorts of things weren't already in place with something as critical as a backdoor
Starting point is 00:17:09 into our communication systems? Yeah. I mean, it's a good kind of common sense thing on its surface, right? It certainly, from the benefit of hindsight, makes you scratch your head and say, why weren't we doing this already? But one of the interesting things about cybersecurity over the many, many years I've covered it is how much things I think look obvious after they're hacked. You know, I think that if you go to, let's say, 2016, I always think of this example. There had been a couple instances of hackers going after political campaigns, presidential campaigns. But they hadn't been that big of a news until 2016.
Starting point is 00:17:52 And then everybody kind of goes, well, we should have known. We should have done better. And I'm not second-guessing anybody, by the way, who thinks we should have done something by now. That's just me saying that I think it's a combination of hindsight and, yeah, probably should have been doing this. Anything noteworthy about the fact that this is flowing through the FCC? I mean, it's noteworthy that they're acting after just such a short time of it being discussed. And then just a couple of weeks ago, they were saying, we're not sure we want to do this yet. To go from that to zero to 60, essentially, is pretty fast to go from that kind of level of noncommittalness to not only are we putting forward this proposal, we're putting it forward and we're hoping to vote on it immediately, essentially.
Starting point is 00:18:37 So that's pretty noteworthy to me. I think it'll be interesting to see what happens. Brendan Carr, the incoming nominee for FCC chair, has been a China hawk. He has talked about the need to do something about these Salt Typhoon breaches, but we don't know for sure yet what he wants to do. And we haven't seen the commissioners vote on this. Of course, it's a very fresh proposal. It just started circulating yesterday, according to the FCC. So we're moving pretty fast, but it's still not exactly clear what the path is going forward. But that'll take a little time to find out, but it doesn't seem like it's going to take very long.
Starting point is 00:19:15 And probably, based on what you just said, something that will survive the transition to the next presidential administration. Yeah. And for what it's worth, if you talk about what's noteworthy about this, this is the first time that there's been this kind of thing happening. I mean, it's the first time they've ever put in place anything cybersecurity-related under this wiretapping law.
Starting point is 00:19:36 There is a tiny provision of CALEA that they're exploiting to say that they have the authority to do this. In their mind, they've had the authority to do this. So it's in their mind, they've had the authority to do this and now they're just actually doing it. Has there been any talk of any sort of liability or for the telecoms themselves for having not protected this already? You know, there's always, there's always the risk of that. I've not heard much talk of that myself.
Starting point is 00:20:04 You know, I think one of the issues we're having is we just still don't know really how deep and how bad this got. So, you know, we know some of the targets. We know it was a broad cyber espionage campaign. An FBI official spoke to reporters on background this week, including me. To hear him tell it, there was no definitive, this is the only way they were going after this under CALEA. It was part of a very broad espionage campaign. But we know that they hit or tried to hit the actual president-elect and the then nominees for president when this was first unfolding. So I think we'd have to see first who really suffers.
Starting point is 00:20:50 And with any breach, there's always a lawsuit that comes out. Always. Somebody files something. They don't always go very well, to be honest. There's been very few cases of major import where liability has been established. And the court has said, yep, you're liable. You owe them this much money. It's not as frequent as you might think, or at least as what I might think.
Starting point is 00:21:15 It seems like a lot of those cases don't go anywhere. Not all of them, but a lot of them. Yeah. And, of course, a lot of folks have been kind of wagging their fingers and saying, when it comes to back doors, I told you so. Do you think we'll see any movement of the needle in that category? Yeah, there's always been this. And here's another sort of interesting thing that's come out this past week about this. When CISA, FBI, and the NSA, and a bunch of other agencies around the world put together some guidance about what needs to happen in response to this, they said,
Starting point is 00:21:51 you need to encrypt your systems. You need to use encrypted apps. We always have this tug of war between the people on the pro-security side saying encryption is the way to go. There's always been this dichotomy in the government, and we're seeing it now, where with one hand, they're saying everybody should encrypt what they're doing. And on the other hand, they're saying, we need a way in to catch criminals and do all the other stuff we need to do
Starting point is 00:22:14 to keep our nation safe. So there's always this tug of war between encryption good, encryption bad. And we're seeing it yet again as of this week. Yeah. All right. Well, Tim Starks is senior reporter at CyberScoop. Tim, thanks so much for sharing your insights.
Starting point is 00:22:28 Yeah, thank you.
Starting point is 00:23:40 And finally, this Christmas, the Grinch isn't stealing presents. He's programming bots. According to Imperva, 71% of shoppers in the UK blame malicious bots for ruining their holiday cheer by scalping the season's hottest gifts.
Starting point is 00:24:16 These sneaky bots snatch up stock faster than Santa can load a sleigh, leaving parents with two options, overpaying on resale sites or settling for the dreaded alternative gift. A staggering 19% of shoppers reported paying more for replacements, while 10% succumbed to inflated prices on secondary marketplaces. Imperva's Tim Ayling warns that AI-powered bots are turbocharging the chaos, scalping gifts at record speed. The results? Disappointed kids, frustrated parents, and a retailer reputation nosedive. But retailers don't have to play the victim. Imperva suggests bot-fighting strategies like
Starting point is 00:25:00 rate-limiting, blocking outdated browsers, and sniffing out headless browsers. With these tips, retailers might just save Christmas and keep the bots on the naughty list. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Andrew Morris, founder and CTO of GreyNoise. We're discussing their research, "GreyNoise Intelligence discovers zero-day vulnerabilities in live streaming cameras with the help of AI." That's Research Saturday. Check it out.
Starting point is 00:25:53 We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies.
Starting point is 00:26:26 N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at N2K.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Iben. Our executive editor is Brandon Karp. Simone Petrella is our president.
Starting point is 00:26:50 Peter Kilby is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week. Bye.
