CyberWire Daily - Mini-breach, mega-hype.
Episode Date: September 13, 2024

Fortinet reveals a data breach. The feds sanction a Cambodian senator for forced labor scams. UK police arrest a teen linked to the Transport for London cyberattack. New Linux malware targets Oracle WebLogic. Citrix patches critical Workspace app flaws. Microsoft unveils updates to prevent outages like the CrowdStrike incident. U.S. Space Systems invests in secure communications. Illegal gun-conversion sites get taken down. Tim Starks of CyberScoop tracks Russian hackers mimicking spyware vendors. Cybersecurity hiring gaps persist. Hackers use eye-tracking to steal passwords.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today, we welcome back Tim Starks, senior reporter from CyberScoop, to discuss "Google: apparent Russian hackers play copycat to commercial spyware vendors." You can read the article Tim refers to here.

Selected Reading
Fortinet Data Breach: What We Know So Far (SOCRadar)
Cambodian senator sanctioned by US over cyber-scams (The Register)
UK NCA arrested a teenager linked to the attack on Transport for London (Security Affairs)
New 'Hadooken' Linux Malware Targets WebLogic Servers (SecurityWeek)
Citrix Workspace App Vulnerabilities Allow Privilege Escalation Attacks (Cyber Security News)
Microsoft Vows to Prevent Future CrowdStrike-Like Outages (Infosecurity Magazine)
Space Systems Command Awards $188M Contract for meshONE-T Follow-on (Space Systems Command)
Domains seized for allegedly importing Chinese gun switches (The Register)
Why Breaking into Cybersecurity Isn't as Easy as You Think (Security Boulevard)
Apple Vision Pro's Eye Tracking Exposed What People Type (WIRED)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
I was concerned about my data being sold by data brokers. So I decided to try Delete.me.
I have to say, Delete.me is a game changer. Within days of signing up, they started removing my
personal information from hundreds of data brokers. I finally have peace of mind knowing
my data privacy is protected. Delete.me's team does all the work for you with detailed reports
so you know exactly what's been done. Take control of your data and keep your private life private. Go to JoinDeleteMe.com slash N2K and use promo code N2K at checkout.
The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout.
That's JoinDeleteMe.com slash N2K, code N2K.
linked to the Transport for London cyber attack. New Linux malware targets Oracle WebLogic.
Citrix patches critical workspace app flaws.
Microsoft unveils updates to prevent outages
like the CrowdStrike incident.
U.S. Space Systems invests in secure communications.
Illegal gun conversion sites get taken down.
Tim Starks of CyberScoop tracks Russian hackers
mimicking spyware vendors,
cybersecurity hiring gaps persist, and hackers use eye-tracking to steal passwords. It's Friday, September 13th, 2024.
I'm Dave Bittner and this is your CyberWire Intel Briefing. Yesterday, Fortinet disclosed a security breach involving unauthorized access to a third-party cloud-based file drive.
A small number of files affecting less than 0.3% of Fortinet's customers were accessed.
Impacted customers, primarily in the Asia-Pacific region, were promptly notified.
Fortinet confirmed that the breach did not affect its operations, products, or services. Shortly after the incident,
a threat actor on a hacker forum claimed to have stolen 440 gigabytes of data from Fortinet's
Azure SharePoint, offering it via an S3 bucket. However, the validity of these claims was questioned,
with some users reporting issues accessing the data.
While Fortinet worked with affected customers and implemented strong security measures,
the connection between the breach and the threat actor's claims remains unverified,
suggesting a potential case of opportunistic deception common on dark web forums.
The U.S. Department of the Treasury's Office of Foreign Assets Control
sanctioned Cambodian entrepreneur and senator Ly Yong Phat
for human rights abuses tied to forced labor in online scam centers.
Ly's conglomerate, LYP Group, owns O-Smach Resort, allegedly a forced labor camp
where workers promote cryptocurrency and foreign exchange scams. Victims are lured with false job
offers, then have their phones and passports confiscated and are forced to work under duress.
Some victims reported abuse, including beatings and electric shocks,
with two jumping to their deaths.
Cambodian authorities have rescued victims of various nationalities from the resort.
The sanctions freeze Ly's U.S. assets and prohibit U.S. persons from doing business with him.
Similar forced labor scam operations have also been found
in the Philippines and Myanmar. A 17-year-old was arrested by the U.K.'s National Crime Agency
in connection with the cyber attack on Transport for London on September 1st. The teenager was
detained on suspicion of Computer Misuse Act offenses and later released on bail.
Transport for London initially reported no customer data was compromised,
but later revealed that threat actors accessed customer information,
including names, contact details, and bank account numbers from Oyster card refunds.
Aqua Security's Nautilus research team has identified a new Linux malware, Hadooken,
targeting Oracle WebLogic servers.
The malware gains initial access by exploiting weak passwords, then downloads a shell or
Python script to ensure its successful deployment.
Once executed, Hadooken collects SSH data
to move laterally within the organization, spreading further.
It drops a crypto miner and Tsunami malware,
although Tsunami's use remains uncertain.
The malware maintains persistence by creating multiple cron jobs.
Hadooken was traced to two IP addresses,
one linked to the TeamTNT and
8220 Gang groups, which also distribute Mallox ransomware to Windows systems.
Static analysis suggests connections to the RHOMBUS and NoEscape ransomware families.
Aqua discovered over 230,000 internet-connected WebLogic servers
with a few hundred potentially vulnerable to exploits due to misconfigurations.
Citrix has released security updates to address two critical vulnerabilities
in the Citrix Workspace app for Windows.
These flaws allow local attackers to escalate privileges to SYSTEM on affected machines.
Citrix urges users to update to patched versions and follow best practices to enhance security.
CISA also recommends prompt action.
Microsoft has announced new security capabilities aimed at preventing IT outages like the CrowdStrike incident in July, where a faulty
Falcon sensor update disrupted critical sectors by preventing Windows systems from booting.
The incident highlighted the risks of security software accessing the system kernel,
which is central to a computer's operations. Microsoft plans to enhance security outside of kernel mode, focusing on anti-tampering,
performance needs, and security sensor requirements. Collaboration with ecosystem
partners will ensure a balance between reliability and security. These developments were discussed
during a Microsoft-hosted security summit on September 10, where industry leaders and government officials agreed on the need
for more Windows security options and shared best practices.
Microsoft's stated goal is to improve resilience in critical infrastructure
while maintaining high security standards.
In a major boost to U.S. military communications, the U.S. Space Systems Command has awarded a $188 million contract to expand the cutting-edge meshONE terrestrial network, enhancing secure data transport and warfighting capabilities across more than 85 locations.
Here's Alice Carruth from N2K's T-minus Daily Space podcast with the details.
U.S. Space Systems Command's Tactical C3 Acquisition Delta
has awarded a $188 million follow-on production agreement
to Sev1Tech for the expansion of the meshONE terrestrial network, known as meshONE-T.
meshONE-T is a scalable, resilient and cyber-secure wide-area network designed for high-speed,
IP-based data transport across various locations and conflict conditions.
meshONE-T enhances warfighter capabilities by securely and efficiently connecting data producers
and data consumers, providing diversified communication paths built on modern technology and industry standards.
The new agreement will expand meshONE-T services to over 85 locations,
enhancing its capabilities with 24-7, 365 managed transport services and enterprise-wide upgrades.
used by Chinese entities to sell devices converting semi-automatic pistols into fully automatic weapons, along with illegal silencers to U.S. residents. These conversion devices,
known as switches, are banned under the National Firearms Act. Authorities began targeting these
operations in August of 2022 using undercover purchases via apps like WhatsApp and Telegram.
The items were falsely labeled as toys or jewelry when shipped. Investigations led to the seizure
of over 700 conversion devices, 87 illegal silencers, and various firearms. The seized
websites now display notifications of government action.
The DOJ also called for the 3D printing industry
to curb the production of such devices.
In an article for Security Boulevard,
Chris Lindsay highlights the challenges new entrants face
in the application security field
despite the high demand for cybersecurity talent.
One major hurdle is the persistent requirement for a college degree, even as skills-based hiring is
promoted. Lindsay points out that job postings often list unrealistic qualifications like CISSP
certification for entry-level roles, which requires five years of experience.
Additionally, companies struggle to define clear application security roles, delaying the hiring
process. Overqualified candidates sometimes take entry-level jobs, limiting opportunities for
newcomers. Tight budgets also mean little time or resources for training, leading to burnout among existing staff.
Automated hiring systems and even fake job postings add further frustration for applicants.
Lindsay suggests a shift towards skills-based hiring and offering training to passionate senior developers,
alongside encouraging candidates to focus on their soft skills and communicate their strengths confidently.
Coming up after the break, Tim Starks from CyberScoop tracks Russian hackers mimicking spyware vendors.
Stay with us. We could try hot yoga. Too sweaty. We could go skating. Too icy.
We could book a vacation.
Like somewhere hot.
Yeah, with pools.
And a spa.
And endless snacks.
Yes!
Yes!
Yes!
With savings of up to 40% on Transat self-packages, it's easy to say, so long to winter.
Visit Transat.com or contact your Marlin travel professional for details.
Conditions apply. Air Transat.
Travel moves us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies
like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001. They also centralize key workflows
like policies, access reviews, and reporting
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber
for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your
company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
It is always my pleasure to welcome back to the show Tim Starks.
He is a senior reporter at CyberScoop.
Tim, welcome back.
Hey, Dave.
So I want to talk about the article that you recently published here.
It's titled, Google, Apparent Russian Hackers Play Copycat to Commercial Spyware Vendors.
There's a good bit to unpack here.
Can you take us through this story?
Yeah, there is a good deal to unpack. One of the things that's interesting about this story is that
when we, by we, I mean cyber reporters, when we write about threat research, we often are talking
about who got hacked and why and that kind of thing. We gave that short shrift in the story
because what's interesting is the how here and what it means. This is the first time that Google,
which did this research, has seen in the
wild, as they say, out there in the world
that an APT group, a nation
state-backed hackers, seem to have taken
exploits and vulnerabilities
that spyware vendors have been using
and used it for their own purposes.
And one of the things
that's really interesting about this
is that we talk about
who has the most advanced capabilities
in cyber.
And you think of Russia,
and this is likely Russian hackers,
they say with moderate confidence, these are Russian hackers.
Russia's way up there.
Covering spyware like I have,
that people have said,
these spyware vendors give capabilities to nations
that wouldn't normally have them.
They give them this very sophisticated technology
that they wouldn't be able to produce on their own.
That's not usually the case for Russia.
They don't need to hire spyware vendors.
This is the first time that the spyware vendors have done something that a major sophisticated
cyber nation has stolen, basically, and said, oh, that's good.
We're going to use that.
So that's what's really interesting about this story to me, is that we just haven't
seen this before. There's been people who have warned that this could happen. That's the danger
of these spyware vendors. But this is the first time it seems to have happened. Well, help me
understand exactly what's going on here. I mean, my understanding is we have a zero day that the
spyware vendors would take advantage of, and then they would spin up their own, I'm going to just call it technology,
right, to take advantage of that zero day. So to what degree do we think that this Russian APT
group is making use of what the spyware vendors had used? Are they only using the zero day and
spinning up their own technology? Are they lifting the actual technology from the spyware
groups? Do we know? It seems more the latter. What's interesting is that Google has said,
we don't know exactly what happened here. We don't know for sure how they did this.
What they've said is that they don't think that Russia just simultaneously found this vulnerability and spun up an exploit that just happened to be strikingly similar, almost identical to what the spyware vendors were doing.
They don't exactly know.
And I was talking to some researchers yesterday, even after the story was published, about how do they do this?
And there are theories about how it might have happened.
Maybe they got a device that had this vulnerability on it.
Maybe they did it some other way.
It looks like they essentially stole what the spyware vendors were doing,
the NSO Groups and the Intellexas, and said, oh, this is good.
We'll use this.
It doesn't seem like they came up with it on their own.
It seems like they said, okay, this zero-day is out there.
Now there's this terminology, n-day, n-day,
where the vulnerabilities are publicly known, but they're not yet
patched. And they kind of
swooped into that zone right there
and started using that here
is what seems to have happened.
There is some mystery about what exactly
the Russians did to copy
this. That's still
unresolved, and I'm probing it still,
but there's no answer right now.
Are we confident that perhaps the Russians didn't go through a third party to gain access to this?
You know, hire someone who's sympathetic to them in a country who has a better relationship to
the country where the spyware vendors are. Yeah, I mean, that's one possibility. We're not,
you know, there's no confidence in that. If you were able to literally get a device that's been compromised in this way,
you might be able to copy the exploit.
That is one of the options that's out there.
And another thing that's interesting is that Russia,
I wrote about this last year where Meduza, the Russian news outlet,
or it's not stationed in Russia anymore,
but it focuses on Russia,
was the subject of some spyware attacks.
And at the time, people said,
well, Russia doesn't need to...
Russia appears to not be an NSO client
from all the reporting I was able to do
in terms of talking to everybody involved.
This is new.
This is fascinating that they might, they could have, you know, another possibility that I'll throw out there is that, you know,
NSO Group and Intellexa might create their own exploits, but they also might hire people. They might buy them, essentially.
So it's possible that, like you said, the people who produced this exploit might have sold it to NSO Group or Intellexa.
And then, after getting a little bang for their buck on that,
they doubled down and decided,
yeah, we'll sell it to the other guys too.
After it goes from zero-day to n-day.
So that's another possibility.
Interesting.
You point out in your research here
that they seem to be targeting government websites in Mongolia.
Is there anything to read into that?
Yeah, I have to say I neglected to go into this in my story
and I feel bad about it.
But I subsequently have looked into it a little bit
and discovered that there is some, you know,
Russia and Mongolia do have historically good relations
for the most part,
but there is some feuding going on right now
over the spending on a gas pipeline
and where it will go through.
And Russia's pretty pissed at Mongolia about this, that they have not gone forward with it in the way that Russia wanted them to.
They've held up on some of the funding and planning.
I'm not sure why that is.
I'm not sophisticated enough on Mongolian politics, I'm afraid.
But that is the situation.
And so it does seem that while foreign hackers that are nation-state based might spy on allies,
but more often they're spying on people that they're adversaries with.
And while Russia and Mongolia might be historical allies, they're not 100% right now.
They're not best friends at this moment.
They're not totally on the same page.
So there's a chance that that's something that they were looking at.
They were looking, by infecting these Mongolian websites, Mongolian government websites,
it seems that they were trying to target Mongolian politicians, perhaps, or other people in Mongolia. So the target was Mongolia.
These were watering hole attacks where they said, we're going to infect this website and hope that
people come here. We'll be able to get them, essentially, we'll be able to get info about
them, the people who are coming, by using these watering hole attacks. Yeah, that's interesting.
All right, well, Tim Starks is a senior reporter at CyberScoop.
We will have a link to his reporting in our show notes.
Tim, thank you so much for joining us.
Thank you.
worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep
your company safe and compliant.
And finally, it turns out your eyes aren't just windows to your soul.
They could be windows to your passwords, too.
A group of computer scientists discovered a new attack dubbed GAZEploit that targets Apple's Vision Pro headset. By tracking eye movements while people type on the device's
virtual keyboard, the researchers could guess passwords, pins, and messages with impressive
accuracy. 92% for messages, 77% for passwords.
The attack works by analyzing the eye-tracking data of a user's virtual avatar, often used in video calls.
Apple fixed the vulnerability in a July update after being notified in April.
This research highlights the risks of biometric data leaks, especially as wearable tech becomes more common.
So, the next time you're typing,
just remember, someone might be watching
and eyeing your secrets.
And that's the CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday and my conversation with Alex Delamotte, threat researcher from SentinelOne Labs.
We're discussing their research titled Xeon Sender, SMS Spam Shipping Multitool Targeting SaaS Credentials.
That's Research Saturday. Check it out.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead
in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes
or send an email to cyberwire at n2k.com.
We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector,
from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people.
We make you smarter about your teams while making your team smarter.
Learn how at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester with original music and sound design by Elliot Peltzman.
Our executive producer is Jennifer Eiben.
Our executive editor is Brandon Karpf.
Simone Petrella is our president.
Peter Kilby is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here next week.
Our business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps
tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.