CyberWire Daily - Hacking allegations and antitrust heat.
Episode Date: December 18, 2024

The U.S. considers a ban on Chinese made routers. More than 200 Cleo managed file-transfer servers remain vulnerable. The Androxgh0st botnet expands. Schneider Electric reports a critical vulnerability in some PLCs. A critical Apache Struts 2 vulnerability is being actively exploited. Malicious campaigns are targeting Chinese-branded IoT devices. A Nebraska-based healthcare insurer discloses a data breach affecting over 225,000 individuals. IntelBroker leaks 2.9GB of data from Cisco’s DevHub environment. CISA issues a Binding Operational Directive requiring federal agencies to enhance cloud security. On today’s CERTByte segment, Chris Hare and Dan Neville unpack a question targeting the Network+ certification. INTERPOL says, “Enough with the pig butchering.“

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CertByte Segment
This week, Chris is joined by Dan Neville to break down a question targeting the Network+ certification (N10-008 expires on 12/20/24 and the N10-009 update launched on June 20th of this year). Today’s question comes from N2K’s CompTIA® Network+ Practice Test, both exam versions of which are offered on our site. Have a question that you’d like to see covered? Email us at certbyte@n2k.com. If you're studying for a certification exam, check out N2K’s full exam prep library of certification practice tests, practice labs, and training courses by visiting our website at n2k.com/certify. To get the full news to knowledge experience, learn more about our N2K Pro subscription at https://thecyberwire.com/pro.
Please note: The questions and answers provided here and on our site are not actual current or prior questions and answers from these certification publishers or providers.

Selected Reading
U.S. Weighs Ban on Chinese-Made Router in Millions of American Homes (Wall Street Journal)
Attack Exposure: Unpatched Cleo Managed File-Transfer Software (BankInfo Security)
Androxgh0st Botnet Targets IoT Devices, Exploiting 27 Vulnerabilities (Hackread)
Schneider Electric reports critical flaw in Modicon Programmable Logic Controllers (Beyond Machines)
RATs can sniff out your Chinese-made web cameras: here’s how to defend yourself (Cybernews)
Regional Care Data Breach Impacts 225,000 People (SecurityWeek)
Hacker IntelBroker Leaked 2.9GB of Data Stolen From Cisco DevHub Instance (Cyber Security News)
New critical Apache Struts flaw exploited to find vulnerable servers (Bleeping Computer)
CISA Issues Binding Operational Directive for Improved Cloud Security (SecurityWeek)
Playbook for Strengthening Cybersecurity in Federal Grant Programs for Critical Infrastructure (CISA)
INTERPOL urges end to 'Pig Butchering' term, cites harm to online victims (INTERPOL)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.
Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
The U.S. considers a ban on Chinese-made routers.
More than 200 Cleo managed file transfer servers remain vulnerable.
The Androxgh0st botnet expands.
Schneider Electric reports a critical vulnerability in some PLCs.
A critical Apache Struts 2 vulnerability is being actively exploited.
Malicious campaigns are targeting Chinese-branded IoT devices.
A Nebraska-based healthcare insurer discloses a data breach affecting over 225,000.
IntelBroker leaks 2.9 gigabytes of data from Cisco's DevHub environment.
CISA issues a binding operational directive requiring federal agencies to enhance cloud security.
On today's CertByte segment, Chris Hare and Dan Neville unpack a question targeting the Network Plus certification.
And Interpol says, enough with the pig butchering.
It's Wednesday, December 18th, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Thanks for joining us. Great to have you with us, as always.
The Wall Street Journal reports that the U.S. government is considering a ban on TP-Link routers amid rising security concerns.
Investigations by the Commerce, Defense, and Justice Departments suggest TP-Link routers made by a China-based company may pose national security risks.
A Microsoft report linked TP-Link devices to a Chinese hacking network targeting Western organizations.
The devices dominate the U.S. home and small business router segment with a 65% market share.
TP-Link routers are often shipped with unresolved security flaws, and the company reportedly doesn't cooperate with security researchers.
The Justice Department is also probing whether TP-Link's low-pricing strategy violates antitrust laws.
The potential ban could disrupt the router market, which TP-Link has dominated due to affordability and partnerships with over 300 U.S. Internet providers.
TP-Link denies selling products below cost and insists on compliance with U.S. laws.
While U.S. officials haven't disclosed evidence of deliberate collusion with Chinese state-sponsored hackers, concerns persist.
TP-Link's founders remain connected to Chinese institutions conducting military cyber research.
Despite efforts to rebrand as U.S.-centric, including announcing a California headquarters, critics see the company's ties to China as inseparable.
If enacted, the ban would mark the largest removal of Chinese telecom equipment in the U.S. since Huawei in 2019.
Similar bans have been enacted in Taiwan and India, citing security risks.
This move underscores the broader challenges of securing the telecommunications supply chain, with U.S. officials acknowledging systemic vulnerabilities across the router market, including domestic brands.
More than 200 Cleo managed file transfer servers remain vulnerable
despite warnings of active mass attacks exploiting critical flaws in the software.
These vulnerabilities allow attackers to execute arbitrary commands and exfiltrate data.
Despite a December 11th patch, only 199 of the exposed servers are fully updated.
The CLOP ransomware group is suspected of exploiting these vulnerabilities, marking its fifth major file transfer software attack.
Organizations including retail and energy sectors have been targeted, with incidents involving significant data transfers to suspicious IPs.
Researchers found attackers using Java-based remote-access Trojans for system reconnaissance,
file exfiltration, and command execution.
Security experts urge users to patch immediately, review logs for post-exploitation indicators,
and take vulnerable systems offline if necessary.
Cleo has released updated fixes and logging mechanisms to address these threats,
but systemic risks remain for unpatched systems.
CloudSEK's XVigil platform has revealed a significant expansion of the Androxgh0st botnet, now exploiting 27 vulnerabilities, up from 11 in November.
The botnet has integrated with the IoT-focused Mozi botnet, targeting web servers, IoT devices, and platforms like Cisco ASA, Atlassian JIRA, and PHP frameworks.
Exploits include remote code execution, brute force attacks, and credential stuffing, leveraging vulnerabilities in Sophos firewalls, TP-Link routers, and more.
The botnet's sophistication suggests coordinated control, potentially linked to Chinese CTF communities.
This poses global risks of data breaches, ransomware, and surveillance.
A critical flaw in Schneider Electric Modicon controllers allows unauthenticated attackers to exploit port 502, compromising systems without user interaction.
Rated 9.8 on the CVSS scale, this vulnerability impacts controllers used globally in critical infrastructure sectors like energy and manufacturing.
With no patch yet available, users are advised to isolate devices from the public Internet, restrict access to port 502 TCP, segment networks, and secure controllers physically.
Schneider Electric says they are developing a remediation plan.
A critical Apache Struts 2 vulnerability is being actively exploited
using public proof-of-concept exploits to identify vulnerable systems.
Affecting various Struts versions, the flaw allows attackers to upload malicious files via path traversal, enabling remote code execution.
Exploitation has been detected, with attackers deploying scripts to verify compromised systems.
Apache urges users to upgrade and implement the new file upload mechanism, as patching alone is insufficient.
Malicious campaigns are targeting Chinese-branded IoT devices, including Hikvision and Xiongmai web cameras and DVRs, exploiting weak passwords and unpatched vulnerabilities.
The FBI warns of attacks using HiatusRAT, which scans devices with tools like Ingram to bypass authentication and inject commands.
Active since July 2022, the malware has targeted IoT devices globally and U.S. government servers.
Many vulnerabilities remain unpatched.
The FBI advises isolating vulnerable devices, enforcing strong passwords, enabling multi-factor authentication, and promptly applying updates to mitigate risks.
Nebraska-based health care insurer Regional Care disclosed a data breach affecting over 225,000 individuals.
The breach, detected in mid-September, involved unauthorized access to an account, which was promptly shut down.
An investigation revealed sensitive data, including names, birthdates, social security numbers,
medical and health insurance information, had been compromised.
Affected individuals are being offered free credit monitoring.
Regional Care has not linked the breach to any ransomware group and provided limited additional details about the incident.
IntelBroker has leaked 2.9 gigabytes of data from Cisco's DevHub environment, part of a larger 4.5 terabyte breach, raising concerns about the security of the tech giant.
The breach, revealed in October 2024, exploited an exposed API token and involved sensitive data, including source code, hard-coded credentials, encryption keys, and customer-related resources.
Allegedly, data from major corporations like Verizon and Microsoft was also compromised.
Cisco, while confirming the breach, stated its core systems remain unaffected and attributed the incident to a misconfigured developer environment.
The company has disabled DevHub access, launched an investigation, and engaged law enforcement.
Cybersecurity experts emphasize this incident underscores the need for stronger access controls and monitoring of public-facing systems, as hackers increasingly validate breaches with partial leaks to attract buyers in underground markets.
The U.S. Cybersecurity and Infrastructure Security Agency has issued Binding Operational Directive 25-01, requiring federal agencies to enhance cloud security by adopting secure
The directive aims to mitigate risks from misconfigurations and weak controls by mandating compliance with CISA's Secure Cloud Business Applications, or SCuBA, standards.
Agencies must identify cloud tenants and create an inventory by February 21, 2025, deploy SCuBA assessment tools by April 25, 2025, and implement mandatory SCuBA policies, including Microsoft Office 365 baselines, by June 20.
Annual updates to cloud tenant inventories and continuous reporting are also required.
CISA plans to maintain and update policies, assist agencies, and monitor compliance.
While directed at federal agencies, CISA encourages broader adoption to bolster collective cybersecurity resilience.
Meanwhile, the Office of the National Cyber Director and CISA released a playbook to guide federal grant managers and recipients on integrating cybersecurity into critical infrastructure projects.
The Playbook for Strengthening Cybersecurity in Federal Grant Programs offers model language and recommendations for incorporating cybersecurity into grant-making processes and project assessments.
Reflecting Biden administration priorities like the Investing in America initiative, the playbook emphasizes secure-by-design principles and critical infrastructure resilience.
While advisory, it encourages agencies and grant recipients to prioritize cybersecurity in upcoming infrastructure upgrades.
Coming up after the break on today's CertByte segment,
Chris Hare and Dan Neville unpack a question targeting the Network Plus certification.
And Interpol says enough with the pig butchering. Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices,
home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk.
In fact, over one-third of new members discover
they've already been breached.
Protect your executives and their families
24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
On today's edition of our recurring CertByte segment,
Chris Hare and Dan Neville look at a question targeting the Network Plus
certification.
Hi, everyone. It's Chris. I'm a content developer and project management specialist here at N2K Networks.
I'm also your host for this week's edition of CertByte, where I share a practice question from our suite of industry-leading content and a study tip to help you achieve the professional certifications you need to fast-track your career growth in IT, cybersecurity, and project management.
Today's question targets the CompTIA Network Plus exam, which entails both exam ID N10-008, which launched on September 15, 2021, and exam ID N10-009, which launched on June 20th of this year.
This exam is targeted for those candidates who already hold an A-plus certification and have about nine to 12 months of networking experience.
I have our captain of CompTIA, Dan, here to help us out today. How are you today, Dan?
Woo-hoo. I love being captain of CompTIA. Thanks, Chris. I appreciate you working with me on this one.
Absolutely. So, Dan, do you have any advice for anyone who is deciding which version of this exam they should take?
Well, a lot of it depends on where you're at in your career. If you've been doing networking for a while, 008 is going to be an easier one for you
because you'll have more experience.
But if you want to be up on the latest and greatest topics
and issues in networking,
by all means, go after the 009.
That is great advice.
So we're going to turn the tables and have you ask me the question.
But before we do that, and while I muster up the moxie to answer it, I understand you have a 10-second study bit for this test. So what do you have for us?
on the CompTIA exams are normally performance-based questions, and they take up a lot of time.
What you ought to do is immediately mark those for review and address them at the end.
And the same thing is going to go for any question that you can't answer in less than 30 seconds.
Just mark it for review, come back to it in the end, and chances are you'll have seen something else that will help you with that answer.
That's great. And there are a few exams that don't allow you to do that.
So it's important that students know they should take advantage of that.
Absolutely.
Great.
Awesome tips.
So Captain Dan, what do you have for me today?
Okay.
So here's the question.
You need to check for open circuits and short circuits on your network.
What tools should you use?
Okay.
And your choices are, you got a butt set, you got a toner probe, you got a protocol analyzer, and you got a cable tester.
So which one?
Got a lot of weird ones.
Okay.
So I think we need to first clarify that this question targets both versions of the Network Plus exam, 008 and 009.
And it's under the Network Troubleshooting Objective.
And it also applies to Subobjective 2 in the content outline, which has to do with troubleshooting, cabling, and other physical interface issues.
Is that correct?
You bet.
All right.
All that said, I don't know exactly what these options are, but let me address these in order as I usually do.
So for A, I think I recall from my telecom days that a butt set may have to do with telephones.
And toner probe, no idea.
Protocol analyzer, that sounds more process-based than testing for particular circuits.
And finally, D, cable tester.
That seems straightforward as circuits are conducted through cables.
So I'm going to guess D, cable tester.
Wow, that's excellent.
The correct answer is indeed D, cable tester.
Great.
That will check for open circuits and short circuits on your network.
So a cable tester includes an electrical current source, a voltmeter, and an interface for connecting with the cable.
As you correctly pointed out, a butt set is used for telephone lines, so you got really close there.
Okay.
And a toner probe identifies only a single cable on the network in a big bundle.
And a protocol analyzer is software that allows you to view information about network communication protocols.
Awesome.
Thank you again for your question and great explanation.
I thought this was interesting, but I read that CompTIA states that the Network Plus exam is the only one on the market today that includes the core skills required to support networks on any environment.
So what type of roles would you see the certification useful for?
Let's see, probably systems administrator, network administrator,
network support, even tech support roles.
And are there any upcoming CompTIA practice tests or courses you'd like to promote here?
Ooh, of course. Let's see. We got Cloud Plus coming up very, very shortly in their new edition.
IT Fundamentals has been rebranded to Tech Plus, and that'll be out shortly.
Pentest Plus, later in the fall.
And brand new Security X,
which has the update to CAS Plus.
That'll be out late in the fall or early next year.
So we got a lot going on.
Great. Thank you so much, Dan.
Thank you. I appreciate it.
And thank you for joining me for this week's CertByte.
If you're actively studying for this certification and have any questions about study tips or even future certification questions you'd like to see, please feel free to email me at certbyte at n2k.com.
That's C-E-R-T-B-Y-T-E at n number 2k.com.
If you'd like to learn more about N2K's practice tests, visit our website at n2k.com forward slash certify.
For more resources, including our new N2K Pro offerings, check out thecyberwire.com forward slash pro.
For resources and citations for this question, please check out our show notes.
Happy certifying. Certified.
Be sure to visit our show notes for links to the practice test and other helpful resources that Chris and Dan talked about. Thank you.
We are thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And finally, Interpol wants to ditch the grim term pig butchering in favor of the less stigmatizing romance baiting to describe scams involving fake romances and fraudulent investments.
The old term, coined by fraudsters themselves, likens victims to pigs fattened up for financial slaughter, a description that shames victims and deters them from seeking help.
Instead, romance baiting highlights the emotional manipulations scammers use to gain trust and exploit victims.
Interpol says words matter, drawing parallels to shifts in language around domestic abuse and sexual violence.
By adopting victim-focused terminology, Interpol hopes to encourage reporting and put the spotlight on the criminals, not the victims.
This push is part of their Think Twice campaign, which also tackles online threats like ransomware and phishing.
The message? Let's swap out victim-blaming language for empathy and hold scammers accountable for their despicable cons.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights
that keep you a step ahead
in the rapidly changing world of cybersecurity.
If you like our show,
please share a rating and review
in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
We're privileged that N2K Cyber Wire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester, with original music and sound design by Elliot Pelsman.
Our executive producer is Jennifer Iben.
Our executive editor is Brandon Karp.
Simone Petrella is our president.
Peter Kilby is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow. Bye.