CyberWire Daily - Multi-factor frustration.
Episode Date: January 13, 2025
An MFA outage affects Microsoft 365 Office apps. The Biden administration introduces new export controls to block adversaries from accessing advanced AI chips. A Dutch university cancels lectures after a cyberattack. Three Russian nationals have been indicted for operating cryptocurrency mixers. Juniper Networks releases security updates for Junos OS. Spain’s largest telecommunications company confirms a data breach. The “Banshee” infostealer leverages a stolen Apple encryption algorithm. Researchers uncover a novel ransomware campaign targeting Amazon S3 buckets. A major data broker suffers a major data breach. Our guest Philippe Humeau, CEO and Founder of CrowdSec, shares the biggest issues currently facing cybersecurity and how open-source cybersecurity platforms combat them. The weirdness of AI.
Selected Reading
Microsoft MFA outage blocking access to Microsoft 365 apps (Bleeping Computer)
White House Moves to Restrict AI Chip Exports (GovInfo Security)
New Ransomware Group Uses AI to Develop Nefarious Tools (Infosecurity Magazine)
Cyberattack forces Dutch university to cancel lectures (The Record)
3 Russians Indicted for Operating Blender.io and Sinbad.io Crypto Mixers (Hackread)
Juniper Networks Fixes High-Severity Vulnerabilities in Junos OS (SecurityWeek)
Aviatrix Controller RCE Vulnerability Exploited In The Wild (Cyber Security News)
Hackers Exploiting YouTube to Spread Malware That Steals Browser Data (GB Hackers)
Banshee 2.0 Malware Steals Apple's Encryption to Hide on Macs (Dark Reading)
A breach of a data broker's trove of location data threatens the privacy of millions (TechCrunch)
Abusing AWS Native Services: Ransomware Encrypting S3 Buckets with SSE-C (Halcyon)
AI Mistakes Are Very Different Than Human Mistakes (IEEE Spectrum)
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me.
I have to say, Delete.me is a game changer. Within days of signing up, they started removing my
personal information from hundreds of data brokers. I finally have peace of mind knowing
my data privacy is protected. Delete.me's team does all the work for you with detailed reports
so you know exactly what's been done. Take control of your data and keep your private life Thank you. JoinDeleteMe.com slash N2K and use promo code N2K at checkout.
The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout.
That's JoinDeleteMe.com slash N2K, code N2K.
An MFA outage affects Microsoft 365 Office apps.
The Biden administration introduces new export controls to block adversaries from accessing advanced AI chips.
A Dutch university cancels lectures after a cyberattack.
Three Russian nationals have been indicted for operating a cryptocurrency mixer.
Juniper Networks releases security updates for Junos OS. Spain's largest telecommunications
company confirms a data breach. The Banshee InfoStealer leverages a stolen Apple encryption
algorithm. Researchers uncover a novel ransomware campaign targeting Amazon S3 buckets. And the weirdness of AI.
It's Monday, January 13th, 2025.
I'm Dave Bittner, and this is for joining us here today. It is always great to have you
with us.
Microsoft resolved a multi-factor authentication outage affecting Microsoft 365 Office apps.
The issue prevented users relying on MFA from accessing the apps,
and some experienced problems with MFA registration and resets.
Microsoft rerouted traffic to alternative infrastructure during its investigation,
which revealed the outage was limited to users in Western Europe
served by a specific section of unresponsive infrastructure.
Additionally, some Windows Server 2016 devices experienced crashes in Microsoft 365 apps,
prompting further investigation. The company continues monitoring service telemetry to
address these issues. This outage follows several recent disruptions.
In December, users faced product deactivated errors,
while earlier incidents impacted office web apps and the admin center.
In November, a global outage affected multiple services,
including Teams, Exchange, SharePoint, and Outlook.
Microsoft has since confirmed that services are stable.
The Biden administration is introducing new export controls
to block adversaries like Russia and China
from accessing U.S. advanced AI chips and machine learning blueprints.
The rules, taking effect in 12 months,
implement a three-tiered system with the harshest
restrictions on adversaries while exempting key allies such as Australia, Japan, and the EU.
Commerce Secretary Gina Raimondo emphasized protecting U.S. leadership in AI while allowing
secure technology diffusion. Exceptions permit up to 1,700 advanced GPUs per order without a license
and up to 320,000 over two years for buyers meeting security standards.
Restrictions also apply to advanced AI models trained on massive computational operations.
Critics, including NVIDIA and the Semiconductor Industry Association,
argue the rushed rollout risks stifling innovation. The rules extend the 2022 and 2023 chip controls
and include measures to secure AI models and data centers while enabling allies to maintain
frontier AI infrastructure.
A new ransomware group that surfaced in late 2024 called FunkSec claimed 85 victims in December alone, according to Check Point Research.
The group, presenting itself as a ransomware-as-a-service operation,
uses AI-assisted tools, enabling low-skilled actors to develop advanced malware.
FunkSec employs double extortion tactics, combining data theft with encryption,
and targets organizations globally, particularly in countries aligned with Israel.
Check Point notes many of the group's victim claims may be recycled from previous hacktivist campaigns,
questioning their authenticity.
Eindhoven University of Technology cancelled lectures and activities after a cyber attack detected Saturday night.
The Dutch university shut down its network as a precaution, but noted IT staff retain access to systems and are investigating.
No data theft has been confirmed.
Network-dependent services like email, Wi-Fi, and canteen registers are offline,
although the campus remains open.
Three Russian nationals have been indicted for operating cryptocurrency mixers
Blender.io and Sinbad.io, which laundered money from cybercrimes, including funds stolen by
the North Korean Lazarus Group. Roman Ostapenko and Alexander Oleynik were arrested in December
2024, while Anton Tarasov remains at large.
Blender.io, active from 2018 through 2022, promised anonymity through a no-logs policy.
After its shutdown, Sinbad.io emerged, offering similar services.
Both mixers were previously sanctioned by the U.S. Treasury for laundering millions in cryptocurrency,
including funds stolen from the Axie Infinity hack in 2022. The suspects face charges of money laundering conspiracy and operating an unlicensed money transmitting
business with potential sentences of up to 20 years. Authorities emphasized international
cooperation in combating cybercrime and disrupting illicit financial networks.
Juniper Networks kicked off 2025 by releasing security updates for Junos OS, addressing dozens of vulnerabilities, including several high-severity flaws.
These include an out-of-bounds read bug in the routing protocol daemon that can cause
denial of service via malformed BGP packets, and a kernel
memory exhaustion flaw triggered by malformed IPv6 packets. Fixes were also issued for high-severity
OpenSSH vulnerabilities and critical flaws in third-party components like Expat.
No exploits have been reported, but users are urged to apply patches promptly.
Telefonica, Spain's largest telecommunications company, confirmed a data breach involving its
internal ticketing system after 2.3 gigabytes of data appeared on breach forums. Hackers using
compromised employee credentials accessed the system, scraping documents and tickets, some linked to Telefonica.com emails.
Attackers linked to the Hellcat ransomware group did not attempt extortion before leaking the data.
Telefonica has blocked access and reset impacted accounts.
While the full extent of the breach remains unclear, the company says they are
investigating and enhancing security measures.
A critical remote code execution vulnerability
affects Aviatrix Controller, a popular cloud networking platform. Actively exploited with a
CVSS score of 10, it enables unauthenticated attackers to execute arbitrary code via unsanitized API inputs.
Exploitation has led to cryptojacking malware and backdoors in unpatched systems, with attackers targeting publicly exposed controllers.
Multiple versions are affected. Organizations are urged to patch immediately, restrict access, and monitor for
lateral movement within cloud environments.
The macOS info-stealer Banshee has been leveraging
a stolen Apple encryption algorithm to evade antivirus detection since September 2024.
Initially sold on Russian cybercrime marketplaces as a $1,500 stealer-as-a-service,
Banshee targets macOS systems to steal browser credentials,
cryptocurrency wallet data, system information, and to unlock passwords.
Earlier versions were easily detected due to plain-text packaging,
but a potent variant emerged using the same encryption algorithm as Apple's
XProtect antivirus, bypassing nearly all antivirus solutions for months.
Banshee spread via GitHub repositories, offering cracked software and phishing sites mimicking
legitimate programs like Google Chrome and Telegram.
Despite its source code leaking in November and YARA rule updates addressing it,
encrypted versions of Banshee largely remain undetected.
Researchers warn that this incident underscores the need for vigilance,
as macOS users are increasingly targeted by sophisticated malware campaigns.
Researchers with the Halcyon RISE team have uncovered a novel ransomware
campaign targeting Amazon S3 buckets using AWS's server-side encryption with customer-provided
keys. The attack, orchestrated by a group dubbed Codefinger, leverages compromised AWS keys to encrypt S3 data, rendering it unrecoverable without the attacker's AES-256 key.
Victims face permanent data loss, and files are set for deletion within seven days to pressure ransom payments.
Organizations should restrict SSE-C usage, audit AWS keys, and enable advanced logging to mitigate this threat.
Gravy Analytics, a major location data broker, has suffered a major data breach, exposing
millions of people's sensitive location data collected from popular smartphone apps.
Hackers accessed Gravy's Amazon cloud storage using a misappropriated key, stealing terabytes
of data, including over 30 million location data points. The leaked dataset tracks individuals' movements to sensitive sites
such as the White House, military bases, and personal residences, raising concerns about
privacy and national security. Vulnerable groups like LGBTQ+ individuals in restrictive countries
face heightened risks from de-anonymization. Gravy sources much of its data via ad auctions,
where apps unknowingly share users' information. The breach follows an FTC ban on Gravy for
unlawful tracking practices. Experts recommend using ad blockers, disabling app
tracking, and restricting location sharing to protect against such risks. Gravy has confirmed
the breach and is investigating while its website remains offline.
Coming up after the break, my conversation with Philippe Humeau, CEO and founder of CrowdSec. We discuss how open source cybersecurity platforms can help combat some of the biggest issues facing cybersecurity.
And the weirdness of AI.
Stay with us.
Transat presents a couple trying to beat the winter blues.
We could try hot yoga.
Too sweaty.
We could go skating.
Too icy.
We could book a vacation.
Like somewhere hot.
Yeah, with pools. And a spa. And endless snacks. Yes! Yes! Yes! Transat. Travel moves us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and helps you get security
questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta
when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover they've already been breached. Protect your executives and their families 24-7,
365, with Black Cloak. Learn more at blackcloak.io.
Philippe Humeau is CEO and founder of CrowdSec. I recently caught up with him to discuss some of the biggest issues facing cybersecurity
and how open source cybersecurity platforms can help combat them.
Right now, our biggest concern, I would say, is the fact that we expect AI to be weaponized,
not on the classical social layer,
you know, when you try to hook people
with crafted messages and spear phishing
and crafted audio and video bits and so on,
but rather on a purely technical standpoint.
And we call this MOAI,
Massively Multimodal Offensive AI, sorry.
And we think it's the next big thing.
For folks who aren't familiar with that,
can you describe to us what that entails?
Yeah, sure.
So mostly, if you think about LLMs,
it's somewhat similar.
So tech, you're probably familiar with CTF,
which is capture the flag.
So in our world, when cyber professionals are training,
they often do what's called a CTF.
So they try to compromise machines,
and they do this as fast as they can to get the most points.
But all those attempts are logged, right?
So they end up in a text file,
which can be easily parsed by an AI to learn how the best are doing and what they are doing.
And then add to this the CVE databases that are pretty much freely available all around the globe.
Some exploit databases, some meta-exploits, some academic paper research and stuff like that.
Add all that together and you get a comprehensive guide on how to hack into any system.
And this is what the MOAIs are learning from.
They learn from actually humans doing research
and they become extremely good at that after quite some training.
But once it's ready, it can totally become a service,
like a ransomware as a service.
We rent an offensive AI as a service as well.
Well, you are, of course, the founder of CrowdSec,
and you describe yourselves as an open-source,
multiplayer firewall provider.
Can we go through those one at a time with the advantages?
I think most people are familiar with open source, but let's start there. Why open source when talking about
provisioning your firewall? Yeah, so first I have to say that I'm not an open source zealot, right?
I'm not an open source monk, someone that by default would go open source. I'm a businessman
and I decided with my colleagues and co-founders that open
source would be the best way, the best route
for us, which is fairly different.
So we did open source this
program, which is basically an IDS,
IPS, and WAF.
So something that detects attacks,
that remediates attacks, and that also
detects attacks on the web layer.
So those are all the three acronyms I just gave you.
So we decided to give it for free
because we wanted the largest number to use it.
And why that?
Because it's a bit like Waze.
Every time your server using CrowdSec
is defending itself against an attack,
it's sharing the IP address
that has been aggressive towards itself.
And we get signals from all around the world,
constantly day in, day out,
something like 10 million signals per day.
And it gives us a map of IP addresses used by cybercriminals.
And obviously, we broadcast back this map to our clients.
And so that's the multiplayer element.
Actually, it came from a joke.
So people were always like, hey, how do you describe CrowdSec?
And I had a hard time
at some point to describe because it's pretty
disruptive. It's not something that's been seen
so many times in the industry yet.
So I was sometimes
at the very beginning first, I had a hard
time to define it really properly.
And one of my friends at Google
said, hey, you know what? You're a multiplayer firewall.
I'm like, hey, I like the sound of that.
It's quite true.
We also describe it, funnily enough, as a Waze of firewalls.
So basically, why is it like this?
Because since we share with each other the dangers of the digital highways,
and we tell where are the dangers and who you should not be pairing with,
there's something awfully similar with Waze as well.
Yeah, it's a great analogy. It reminds me, I was on a road trip with my father recently, who's quite a bit older than me, and he was looking at
the Waze display up on my dashboard, and he said, what are all those
little dots on the road? And I said, those are other people using the same
system that we're using. So that's how it knows how fast the road's
moving ahead of us and if
there's an accident or something like that. So I think that's really an effective metaphor for you.
Yeah. And in the sense, we have like, I don't know, probably 300,000 servers nowadays in the
system that are sharing the attacks they're receiving every time. And you know, Waze,
they are using your position, your heading,
and your speed, basically,
and your unique phone identifier,
obviously,
to assess whether there is a problem
or not ahead of you.
And we do pretty much the same.
We just use the IP address,
the type of behavior
it tried to play against your servers,
and the timestamp.
And this is all we need
to actually compute
this real-time map of
IP addresses used by cybercriminals.
I think it's
fair to say that these IP
attacks are heading in one direction,
that we continue to see more
and more of them, that it's growing in size.
What are your recommendations
for folks to best protect
themselves these days?
Yeah, so regarding servers,
because obviously it's totally different
when you speak about workstations.
Workstation is all about having a proper EDR,
XDR, or whatever, glorified antivirus,
ARC-ZR, or whatever, glorified antivirus,
proper MFA everywhere.
We all know that.
The thing is, regarding servers,
you don't have human interaction happening on the servers,
or very few, actually.
Sometimes admins come and they check the logs or they check if something is broken and they fix it.
But basically, the servers are exposed to a ton of traffic, a lot of attention.
Something like probably along the lines of 2,000 times per day they are polled, if they are not even known.
And a known server is polled up to 4,000, 5,000 times a day.
And if you're a bank or something like that,
you're north of 200,000 times a day.
So you want to automate that as best as possible.
And you want to get rid of the noise in the first place
and say, okay, I don't care about it.
Those are very light IP addresses.
Those are the Gatling guns of the internet.
They're just like the humming of the Cosmic Microwave Background.
They are the background humming of the internet.
It's just noise.
It's not interesting.
I don't need to do a lot of things to defend against this.
It's really low-hanging fruit attack.
Now, on the other end of the spectrum,
there are people that are here to skin you alive,
and they know how to do it.
So let's pretend for a second that we're a healthcare institution.
Some IPs will be just noise. Some IPs will try to reuse credentials that they stole somewhere else.
Some IPs will try to break into your website or your VPN or things like this. And some IPs,
we know for a fact they are specifically attacking the healthcare industry. Why? Because they know the protocols. They know the use, the habits of people who are using the software,
which software and so on.
So those ones,
even though there are maybe like
a thousand or two thousand of them only,
are far more dangerous
than a million ones
just scanning stupidly your website.
So I think to avoid a lot of fatigue,
what you need to do is automate
and leave this background noise
in the garbage can.
It's really useless to deal with this, not even to store it.
But pay extra attention to what is extremely qualified,
like the ones that are trying to go after you specifically
because you're a bank or a media or whatever,
or the ones that have attack patterns that you know can strike you in the back,
like, I don't know, credential reuse or exploitation,
zero-days, CVEs,
and things like this.
All right. Well, I think I have everything I need for our story here.
Is there anything I missed? Anything I haven't asked you that you think it's important to share?
Yeah, I think sharing is the key here. I mean, we can try to defuse payloads endlessly, right?
The one that are like the rockets.
When you think about a missile,
you think about the rocket itself and you think about the payload.
And the payload is obviously dangerous,
but if you neutralize all the rockets,
the payload is never going to reach you.
And this is what we should all do.
We should partake all together to defuse all the rockets.
And that way we receive far fewer payloads.
That's why, I mean, join the army. It's free, it's open source, it's available to everyone.
It's called CrowdSec, so please join the club.
That's Philippe Humeau, CEO and founder of CrowdSec. Thank you.
thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping
unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly
and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your
company safe and compliant. And finally, humans are experts at messing up.
From losing our keys to occasionally misplacing a decimal,
mistakes are just part of the human experience. To keep these slip-ups in check, we've invented
all sorts of clever safeguards, checklists, double-entry bookkeeping, and even writing
“not this leg” on patients before surgery. But now we're integrating a whole new kind of mistake maker, AI.
Unlike us, AI doesn't get tired or distracted,
but its errors, they're a breed apart.
While a human might flub a math problem,
AI might suggest that cabbages eat goats
or forget what money is mid-task.
A piece by Bruce Schneier and Nathan Sanders for IEEE Spectrum
suggests the weirdness of AI errors lies in their unpredictability.
They don't follow human patterns, making them both fascinating and unnerving.
However, AI isn't entirely alien.
It shares some human quirks like repeating familiar terms or falling for social engineering tricks.
It's also distractible.
Get it to process long documents, and it might zone out halfway through.
Dealing with AI mistakes requires creativity.
Asking the same question multiple ways or cross-checking its output can help, since machines are endlessly patient with our nitpicking.
And while we can train AI to make more human-like errors, it's clear we need systems tailored to its peculiarities.
The key is balance.
Use AI where it excels, like processing vast amounts of data, but don't expect it to replace human judgment.
After all, whether it's a person or an algorithm, everyone benefits from a second opinion, especially if goats and cabbages are involved.
And that's The CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast,
where I contribute to a regular segment on Jason and Brian's show every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester with original music and sound design by Elliot Peltzman.
Our executive producer is Jennifer Iben.
Our executive editor is Brandon Karp.
Simone Petrella is our president.
Peter Kilby is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you.
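Added example, not part of the episode, the show notes, or the Halcyon report, illustrating the two mitigations the S3 SSE-C ransomware story above names (restrict SSE-C usage, enable logging). It produces a bucket policy that denies any object write carrying a customer-provided encryption key, and a detector that scans CloudTrail S3 data-event records for writes where the applied encryption is SSE-C and groups them by the access key that made them. Assumptions: the CloudTrail field name additionalEventData.SSEApplied and its value "SSE_C", the write event names in SSE_C_WRITE_EVENTS, the bucket name and the sample records (constructed, not real CloudTrail output), and treating a lifecycle-rule change as a companion signal for the seven-day deletion deadline, which is this example's inference, not something the episode states.

```python
"""Guardrail and detection for SSE-C ransomware on S3 (added example).

Two pieces:
  1. deny_sse_c_policy(): a bucket policy that refuses object writes that name a
     customer-provided encryption algorithm (the only kind of SSE whose key AWS
     never sees, so a victim cannot recover without the attacker's key).
  2. find_sse_c_writes() / alerts(): scan CloudTrail S3 data-event records for
     SSE-C writes and roll them up per access key. S3 data events are not logged
     by default; they must be enabled on the trail or the detector sees nothing.
"""
import json
from collections import defaultdict

# Assumption: S3 data-event names that can carry an SSE-C request. CopyObject is
# how an existing object gets re-encrypted in place with a new key.
SSE_C_WRITE_EVENTS = {"PutObject", "CopyObject", "CreateMultipartUpload", "UploadPart"}

# Assumption (not stated in the episode): a deletion deadline on S3 objects would
# most naturally be set with a lifecycle rule, so a lifecycle change by the same
# key that did SSE-C writes is treated as a companion signal.
LIFECYCLE_EVENTS = {"PutBucketLifecycle", "PutBucketLifecycleConfiguration"}


def deny_sse_c_policy(bucket: str) -> dict:
    """Bucket policy that denies object writes carrying an SSE-C header.

    "Null": "false" means "this condition key is present in the request", so
    any PutObject (including copy and multipart uploads, which need PutObject)
    that names a customer-provided algorithm is denied for every principal.
    An attacker who can call PutBucketPolicy can remove it, so pair it with an
    SCP at the organization level rather than relying on it alone.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyCustomerProvidedKeys",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": {
                    "Null": {"s3:x-amz-server-side-encryption-customer-algorithm": "false"}
                },
            }
        ],
    }


def find_sse_c_writes(records: list) -> dict:
    """Group SSE-C object writes by the access key that made them.

    Assumes the CloudTrail S3 data-event layout in which
    additionalEventData.SSEApplied reports the encryption actually applied
    ("SSE_C" for customer-provided keys). Returns {accessKeyId: [(bucket, key)]}.
    """
    hits = defaultdict(list)
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        if rec.get("eventName") not in SSE_C_WRITE_EVENTS:
            continue
        extra = rec.get("additionalEventData") or {}
        if extra.get("SSEApplied") != "SSE_C":
            continue
        params = rec.get("requestParameters") or {}
        access_key = (rec.get("userIdentity") or {}).get("accessKeyId", "unknown")
        hits[access_key].append((params.get("bucketName"), params.get("key")))
    return dict(hits)


def alerts(records: list, min_objects: int = 2) -> list:
    """One alert per access key that SSE-C-wrote at least min_objects objects,
    annotated with whether the same key also changed lifecycle rules."""
    writes = find_sse_c_writes(records)
    lifecycle_keys = {
        (rec.get("userIdentity") or {}).get("accessKeyId")
        for rec in records
        if rec.get("eventName") in LIFECYCLE_EVENTS
    }
    out = []
    for access_key, objs in writes.items():
        if len(objs) < min_objects:
            continue
        out.append({
            "accessKeyId": access_key,
            "objects": len(objs),
            "buckets": sorted({b for b, _ in objs if b}),
            "lifecycle_changed": access_key in lifecycle_keys,
        })
    return out


def _event(name, access_key, bucket=None, key=None, sse=None):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    rec = {
        "eventSource": "s3.amazonaws.com",
        "eventName": name,
        "userIdentity": {"accessKeyId": access_key},
        "requestParameters": {"bucketName": bucket, "key": key},
    }
    if sse:
        rec["additionalEventData"] = {"SSEApplied": sse}
    return rec


# Constructed sample: one key re-encrypts two objects with SSE-C and touches the
# lifecycle rules; another key does an ordinary SSE-KMS upload.
SAMPLE_RECORDS = [
    _event("PutObject", "AKIAEXAMPLEKEY1", "payroll-backups", "q3.csv", "SSE_C"),
    _event("CopyObject", "AKIAEXAMPLEKEY1", "payroll-backups", "q4.csv", "SSE_C"),
    _event("PutObject", "AKIAEXAMPLEKEY2", "web-assets", "logo.png", "SSE_KMS"),
    _event("PutBucketLifecycle", "AKIAEXAMPLEKEY1", "payroll-backups"),
    _event("GetObject", "AKIAEXAMPLEKEY1", "payroll-backups", "q3.csv"),
]

if __name__ == "__main__":
    print(json.dumps(deny_sse_c_policy("payroll-backups"), indent=2))
    for alert in alerts(SAMPLE_RECORDS):
        print(alert)
```

Run it to print the policy and a single alert for AKIAEXAMPLEKEY1. The policy is a guardrail, not a cure: once an SSE-C write has succeeded, the only copy of the key is the attacker's, so the detector is only useful if it feeds a response that disables the access key within minutes, and it only fires if S3 data events are actually being delivered to CloudTrail.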