CyberWire Daily - It was DDoS, not us.
Episode Date: January 28, 2025

DeepSeek blames DDoS for recent outages. Hackers behind last year’s AT&T data breach targeted members of the Trump family, Kamala Harris, and Marco Rubio’s wife. The EU sanctions Russians for cyberattacks against Estonia. ENGlobal confirms personal information was taken in last year’s ransomware attack. CISA issues a critical warning about a SonicWall vulnerability actively exploited. A large-scale phishing campaign exploits users’ trust in PDF files and the USPS. Apple patches a zero-day affecting many of their products. A ransomware attack on an Ohio-based operator of skilled nursing and rehabilitation facilities affects over 70,000. President Trump has a tumultuous first week back in office. Our guest is Bogdan Botezatu, Director, Threat Research and Reporting at Bitdefender, to discuss the dark market subculture and its parallels to holiday shopping. A nonprofit aims to clean up the AI industry’s mess.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
We are joined by Bogdan Botezatu, Director, Threat Research and Reporting at Bitdefender, to discuss the dark market subculture and its parallels to holiday shopping. Check out Bitdefender’s research on the topic here.

Selected Reading
DeepSeek Blames Disruption on Cyberattack as Vulnerabilities Emerge (SecurityWeek)
DeepSeek FAQ (Stratechery)
We tried out DeepSeek. It worked well, until we asked it about Tiananmen Square and Taiwan (The Guardian)
Hackers Mined AT&T Breach for Data on Trump's Family, Kamala Harris (404 Media)
European Union Sanctions Russian Nationals for Hacking Estonia (SecurityWeek)
ENGlobal Says Personal Information Accessed in Ransomware Attack (SecurityWeek)
CISA Warns of SonicWall 0-day RCE Vulnerability Exploited in Wild (Cyber Security News)
Hackers Use Malicious PDFs, pose as USPS in Mobile Phishing Scam (Security Boulevard)
Amazon Prime Security Warning As Hackers Strike—What You Need To Know (Forbes)
Apple plugs exploited security hole in iOS, updates macOS (The Register)
Nursing Home, Rehab Chain Says Hack Affects Nearly 70,000 (GovInfo Security)
A Tumultuous Week for Federal Cybersecurity Efforts (Krebs on Security)
Initiative Aims to Enable Ethical Coding LLMs (IEEE Spectrum)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network powered by N2K.
Hey everybody, Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try
DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started
removing my personal information from hundreds of data brokers. I finally have peace of mind,
knowing my data privacy is protected. DeleteMe's team does all the work for you, with detailed
reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to JoinDeleteMe.com/n2k and use promo code n2k at checkout.
The only way to get 20 percent off is to go to JoinDeleteMe.com/n2k and enter code n2k at checkout.
That's JoinDeleteMe.com/n2k, code n2k.
DeepSeek blames DDoS for outages, hackers behind last year's AT&T data breach targeted
members of the Trump family, Kamala Harris and Marco Rubio's wife. The EU sanctions Russians for cyber attacks against Estonia.
ENGlobal confirms personal information was taken in last year's ransomware attack.
CISA issues a critical warning about a SonicWall vulnerability actively exploited.
A large-scale phishing campaign exploits users' trust in PDF files and the U.S. Postal Service.
Apple patches a zero-day, affecting many of their products.
A ransomware attack on an Ohio-based operator of skilled nursing and rehabilitation facilities
affects over 70,000.
President Trump has a tumultuous first week back in office.
Our guest is Bogdan Botezatu, Director of Threat Research and Reporting at Bitdefender,
discussing the dark market subculture and its parallels to holiday shopping. It's Tuesday, January 28, 2025.
I'm Dave Bittner and this is your CyberWire Intel Briefing.
Thanks for joining us here today.
It is great to have you with us.
Chinese AI company DeepSeek attributed a registration outage to a cyberattack on its servers, which
it believes was a DDoS attack.
While existing users remain unaffected, new user registrations were temporarily halted. This comes as DeepSeek faces scrutiny over security vulnerabilities in its open-source
R1 AI model, which the company touts as competitive with OpenAI's ChatGPT and Google's Gemini.
Security firm KELA reported successfully jailbreaking R1 using methods like EvilJailbreak and Leo, which have been
patched in other models.
The firm also demonstrated R1's capability to fabricate sensitive data, such as personal
details of OpenAI employees.
KELA highlighted R1's unreliability, calling its outputs inaccurate and potentially harmful.
The incident has raised concerns about privacy and data security,
especially given the geopolitical context of Chinese tech.
Experts urge users to question data origins, ownership, and ethical training practices,
echoing broader fears over foreign AI platforms.
As a side note, Ben Thompson at Stratechery has written an excellent explainer of DeepSeek
and why it matters.
We'll have a link to that in the show notes.
Hackers behind the 2024 AT&T data breach targeted phone records tied to prominent individuals,
including members of the Trump family, Kamala Harris and Marco Rubio's wife, according to sources cited by 404 Media. The breach, which impacted nearly all AT&T
customers' call and text metadata from May through October 2022, poses significant national security
risks. Hackers plan to create a paid lookup tool for the stolen data, which they enriched using publicly
available resources to associate phone numbers with names.
The breach exploited an AT&T instance of Snowflake, a data warehousing tool.
Despite the severity of the attack, concerns have been raised about FCC Chairman Brendan
Carr's leniency toward telecom companies. Senator Ron Wyden criticized AT&T's lax security
and called for encrypted communication services
to replace traditional telecom offerings
to prevent future incidents.
The European Union sanctioned three Russian GRU officers
for 2020 cyberattacks against Estonia.
They allegedly hacked Estonian ministries,
stealing classified data, health records, and sensitive business information. The EU
claims the attacks aim to undermine Estonia's security and cyber capabilities.
The men are tied to Unit 29155, which is associated with global espionage and sabotage, including the WhisperGate
malware, and is accused of targeting other EU states and Ukraine.
The sanctions mark a response to escalating cyber threats.
ENGlobal Corporation, a major supplier to the energy sector, confirmed that personal
information was compromised in a
November 2024 ransomware attack. Systems were taken offline, limiting access to essential
operations for six weeks. Initially, ENGlobal reported encrypted data but did not disclose
theft. A new SEC filing revealed sensitive personal information was accessed, though
details on
the breach's scope remain unclear.
The company has since restored systems and resumed normal operations.
ENGlobal stated the attack had no material financial impact, but has not identified the
threat actor responsible.
CISA has issued a critical warning about a vulnerability in SonicWall SMA-1000 appliances
that allows remote attackers to execute commands without authentication.
With a CVSS score of 9.8, this flaw, exploited in the wild, impacts multiple versions of
SonicWall's appliances.
SonicWall has released a hotfix to address the issue and advises immediate updates.
Organizations unable to patch should restrict AMC and CMC access to trusted IPs.
This flaw's exploitation risks full system compromise, emphasizing urgent mitigation.
A large-scale phishing campaign exploits users' trust in PDF files and the U.S. Postal Service
to steal credentials and sensitive data, according to Zimperium researchers.
Attackers send SMS messages with malicious PDFs mimicking USPS communications, embedding
hidden phishing links to bypass security tools.
Victims are directed to fake USPS sites where they provide personal and payment information
under the guise of resolving delivery issues.
Zimperium found over 20 malicious PDFs and 630 phishing pages targeting users across
50 countries.
This tactic leverages the assumption that PDFs are safe, exploiting
their widespread use in business. Attackers also impersonate other delivery
services like UPS and FedEx. Experts warn that inadequate mobile security and
limited visibility into file contents make such campaigns effective. Apple has
patched a zero-day vulnerability exploited in the wild, affecting iPhones,
iPads, Macs, and other devices.
The flaw, a use-after-free issue in the CoreMedia component, could allow rogue apps to
elevate privileges and gain system control.
While details of the exploitation remain sparse, Apple confirmed it targeted older iOS versions
before iOS 17.2.
The fix is available in multiple updates for multiple platforms.
Affected devices include iPhone XS and later, various iPad models, Apple Vision Pro, and
Apple Watch Series 6 or newer.
Additional vulnerabilities patched include issues allowing unauthorized code execution
via AirPlay, privilege escalation, and Safari address bar spoofing.
Users are strongly advised to update to protect against potential exploits targeting unpatched
devices.
HCF Management, an Ohio-based operator of skilled nursing and rehabilitation facilities,
is notifying 70,000 individuals affected by a ransomware attack in fall of last year.
The Russian-speaking RansomHub gang claims to have stolen and published 250 gigabytes
of data.
The breach affected multiple facilities, with Heritage Healthcare
reporting the largest impact and Hempfield Manor most affected among single sites.
HCF discovered unauthorized access on October 3, 2024, and later determined attackers
infiltrated its systems on September 17, stealing residents' personal and medical data, including social
security numbers and health insurance details.
The company engaged forensic experts and secured its network, but now faces at least two federal
class action lawsuits alleging negligence.
It remains unclear if the attackers encrypted HCF's systems during the breach. On his first week back in office, President Trump shook up the nation's cybersecurity
and governance landscape with a series of controversial executive orders, according
to a report from Krebs on Security.
Among the most dramatic moves, he fired all members of the Cyber Safety Review Board,
a bipartisan body created to investigate
major cyber incidents.
The CSRB had produced key reports on crises like Log4Shell and the 2023 Microsoft Exchange
breach and was in the midst of investigating Chinese cyber intrusions targeting U.S. telecoms
when Trump dismissed its advisors. Critics liken the move to halting airline crash investigations mid-flight.
Meanwhile, Trump dismantled a Biden-era order on artificial intelligence safety,
replacing it with a new AI action plan led by venture capitalist David Sacks.
The plan focuses on maintaining U.S. AI dominance, but raises concerns due to
Trump's personal ties to cryptocurrency, including his family's recent ventures into meme coins.
Trump also pardoned January 6 rioters and revoked Biden's disinformation governance
policies and organized crime task force. These sweeping changes left many security
experts questioning the future of federal cyber defense and governance
under Trump's administration.
Coming up after the break, my conversation with Bogdan Botezatu,
Director of Threat Research and Reporting at Bitdefender,
we're talking about the dark market subculture,
and a non-profit aims to clean up the AI industry's mess.
Stay with us. Cyber threats are evolving every second and staying ahead is more than just a challenge,
it's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted
by businesses worldwide.
ThreatLocker is a full suite
of solutions designed to give you total control, stopping unauthorized
applications, securing sensitive data, and ensuring your organization runs
smoothly and securely. Visit ThreatLocker.com today to see how a
default deny approach can keep your company safe and compliant.
Do you know the status of your compliance controls right now? Like, right now. We know
that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and helps you
get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
Bogdan Botezatu is Director of Threat Research and Reporting at Bitdefender.
I recently sat down with him to discuss dark market subcultures and parallels to holiday
shopping.
Well, a dark market is a closed marketplace that's usually anonymized on what we call
the dark web.
These markets are not your regular run-of-the-mill stores because they sell usually prohibited goods and services
like maybe drugs, weapons,
assassination as a service and so on.
So these markets are like online stores, but for crime.
And how does one find themselves invited
or a part of this or accepted in this particular community?
Well, there are a couple of ways
you could become part of this community.
I'm not endorsing these,
so this is strictly educational, right?
I warned you. So the thing is that these
dark markets sell prohibited goods and services, as I said, but these goods and services have
slowly become mass market products, like drugs, right? Pills, you name it. And there's an increasingly high demand for these products.
So whoever has access to the goods has taken one step further and moved their business
online.
There's no drug selling at the corner.
Now everything can be done pretty much more comfortably through a dark market. So with these being said,
I would say that there are two different types
of dark markets.
There are the restricted ones,
the highly restrictive ones that grant access to people
based on vetting or formal introduction
from a previous customer, right?
And these markets sell the best of the best.
If you manage to get into such a market, you could buy pretty much anything from bulk drugs
to advanced weaponry to, I don't know, hit tanks with. There's another type of dark market that's a little bit less restrictive.
It usually involves sales of recreational drugs in small quantities, stolen accounts,
maybe credit cards and so on.
These markets are a little bit more permissive. You only need to know the URL you are looking
for, and then you can set up an account and you'll be ready to
buy in no time. Of course, the more transactions you make on
that market, the more your reputation increases. But given the fact that
these services are anonymized and the payment mechanisms are also anonymized, there's a little
friction when it comes to meeting with a potential customer. So these markets are less restrictive. They allow people to get into business easier than very secretive and very restrictive dark
markets that require that ingot introduction.
And to what degree does law enforcement take interest in these markets?
These dark markets pose a real threat to people because they normally sell things that should
be kept away from people.
Drugs are an issue, child pornography is an issue, stolen accounts are an issue, credit
cards are an issue and so on. So the police will normally lurk on these dark markets, but they don't have the necessary
amount of skill and free time to go after each and every one.
So they will choose markets that are high stakes, that deal with most cybercrime, or low-hanging-fruit markets that are easy to de-anonymize and close.
So probably the dark markets you have accounts on are monitored by the police, and it's a matter of time until these will gain a little bit more attention from law enforcement.
I suppose it's fair to say that these markets are hosted in
places that are willing to turn a blind eye to what's going on?
Normally, they're hosted on the Tor network.
These markets have this huge benefit of getting anonymity from a technology that has been designed for
anonymity and privacy. Even if the dark web, the Tor network is a technology that's been
online for quite a while now, it's still difficult to de-anonymize and cyber criminals are taking advantage of technology to keep
their business online but away from prying eyes.
At the same time, yes, there's a different type of market that we call markets that sit
on the deep web.
These are specialized forums on the internet.
They have a URL that resolves in a normal browser.
You don't need to have the Tor browser installed or any special software.
These markets have a login page and they allow people to see what's going on inside only
after they have set up an account. Some new accounts are not able to make transactions
for a specific time until they get a little bit of a reputation. Some others are allowed
to see just several categories. And these are normally markets that deal with e-crime, stolen accounts, malware,
maybe an ASMR creation kits and so on,
but nothing too fancy.
Yeah, it always strikes me as interesting,
you know, that one of the, I guess,
high risk areas of all this is that
if you're buying illicit goods online,
at some point, physical items have to be delivered.
And so, you know, for example, here in the US, we'd be dealing with the US Postal Service.
And there are postal inspectors and they take these things very seriously.
Yes, they do.
And it's amazing how this business works, given the fact that eventually goods have
to exchange hands.
I'm a little bit more worried about giving my home address to a guy that
sells guns and anti-tank missiles, but hey, it's just me. No, joking aside, I saw this amazing
presentation two years ago at DEFCON with a dark web operator who was disclosing how he did business in the United
States through the postal services.
And yeah, operational security is an issue, but with the proper protection, it's possible
that these goods will exchange hands in safety.
But once again, I'm not advocating for these services
and please be aware that when you're placing an order,
you don't have the chance to talk to customer service.
You get the chance to talk to a highly expert criminal who has been
doing this for quite a while.
For the folks who have the responsibility of protecting an organization, you know, the
CISOs of the world, where does this play into their defensive posture?
Is this sort of thing just something to keep an eye on,
to monitor that this isn't something
that your users are frequenting?
What are your recommendations there?
Normally, CISOs, for instance, monitor any kind of activity
that involves the Tor browser and the darknet,
because whenever connections to the darknet are being initialized,
there's one of two possibilities.
Either your data is being exfiltrated by some malware that
connects to a darknet command and control center or
your users are involved in
physical crime that might reflect badly on the company.
If you have employees who are browsing drug markets or,
I don't know,
different other markets that deal with very, very specialized imagery,
you don't want to have your business or your IP address associated with this kind
of activity.
Yeah, so hitting the Tor network is a big gold red flag.
Yes, and normally it should be blocked as much as possible at the gateway level because there's nothing good coming out of Tor unless you're a journalist or a media organization or some law enforcement,
right? But if you're just a regular company, there's no need to have access to the Tor network
enabled from a normal network. That's Bogdan Botezatu from Bitdefender. We have a link to their research in our show notes.
And now a message from our sponsor Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue
to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record
payout in 2024.
These traditional security tools expand your attack surface with public-facing IPs
that are exploited by bad actors more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps
and IPs invisible, eliminating lateral movement, connecting users only to specific
apps not the entire network, continuously verifying every request based on identity
and context, simplifying security management with AI-powered automation, and detecting
threats using AI to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.
Hit pause on whatever you're listening to
and hit play on your next adventure.
Stay two nights and get a $50 Best Western gift card.
Life's the trip.
Make the most of it at Best Western.
Visit bestwestern.com for complete terms and conditions.
And finally, AI coding assistants are revolutionizing programming, but their mystery box training
data raises ethical questions.
Enter Software Heritage, a nonprofit on a mission to clean up the AI industry's mess.
Think of them as the Marie Kondo of code.
They've collected over 22 billion source files from platforms like GitHub to create
the world's largest repository of ethically sourced code.
Their new initiative, CodeCommons, aims to make AI training datasets transparent, reproducible,
and accountable.
But it's not all smooth sailing.
Cleaning up AI's data pipeline is like untangling a million pairs of headphones. Software Heritage must
unify messy metadata, build opt-out tools for developers, and ensure that training data
aligns with open-source licenses. The team has big dreams, including creating a tool
to flag when AI outputs resemble existing code. While it's an uphill battle, they are determined to steer AI development
in a responsible direction.
And that's the CyberWire.
For links to all of today's stories,
check out our daily briefing at the CyberWire website.
And I'll see you next time.
Bye.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly
changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at
n2k.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester with original
music and sound design by Elliot Peltzman. Our executive editor is Jennifer Iben. Our
executive producer is Brandon Carr. Simone Petrella is our president.
Peter Kilpey is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.