CyberWire Daily - One small step for scammers.
Episode Date: September 17, 2024

The US charges a Chinese national for spear-phishing government employees. The feds impose new sanctions on the makers of Predator spyware. Dealing with fake data breaches. Researchers discover a critical vulnerability in Google Cloud Platform. D-Link has patched critical vulnerabilities in three popular wireless router models. Snowflake ups their authentication game. A US mining company confirms a cyberattack. Researchers identify critical threats targeting construction industry accounting software. Tim Starks from CyberScoop joins us with his reporting on the US Postal Service's ability to meet the challenges of the upcoming election. Cisco's second round of layoffs hit hard.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Our guest today is Tim Starks, Senior Reporter from CyberScoop, joining us to discuss his piece on "Election officials say U.S. Postal Service woes place election mail at risk."

Selected Reading
DoJ: Chinese Man Used Spear-Phishing to Obtain Software From NASA, Military (SecurityWeek)
US Ramps Up Sanctions on Spyware-Maker Intellexa (Infosecurity Magazine)
All Smoke, no Fire: The Bizarre Trend of Fake Data Breaches and How to Protect Against Them (Security Boulevard)
Google Cloud Platform RCE Flaw Let Attackers Execute Code on Millions of Google Servers (Cyber Security News)
D-Link fixes critical RCE, hardcoded password flaws in WiFi 6 routers (Bleeping Computer)
Breach-Weary Snowflake Moves to MFA, 14-Character Passwords (GovInfo Security)
Owner of only US platinum mine confirms data breach after ransomware claims (The Record)
Cracks in the Foundation: Intrusions of FOUNDATION Accounting Software (Huntress)
Cisco's second layoff of 2024 affects thousands of employees (TechCrunch)

Share your feedback.
We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me.
I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private. Go to JoinDeleteMe.com slash N2K and use promo code N2K at checkout.
The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout.
That's JoinDeleteMe.com slash N2K, code N2K.
The U.S. charges a Chinese national for spear-phishing government employees.
The feds impose new sanctions on the makers of Predator spyware.
Dealing with fake data breaches.
Researchers discover a critical vulnerability in Google Cloud Platform.
D-Link has patched critical vulnerabilities in three popular wireless router models.
Snowflake ups their authentication game.
A U.S. mining company confirms a cyber attack.
Researchers identify critical threats targeting construction industry accounting software.
Tim Starks from CyberScoop joins us with his reporting
on the U.S. Postal Service's ability to meet the challenges of the upcoming election.
And Cisco's second round of layoffs hit hard.
It's Tuesday, September 17th, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Thanks for joining us here again today.
It is great to have you with us.
The U.S. announced charges against Chinese national Song Wu
for spear-phishing government employees to obtain restricted aerospace software.
Wu, still at large, allegedly posed as U.S. researchers and engineers
to target NASA, Air Force, Navy, and private aerospace companies.
He sought access to specialized software, including source code from NASA, for aerospace engineering.
Wu, an employee of China's state-owned Aviation Industry Corporation,
conducted the phishing campaign between 2017 and 2021 and faces wire fraud
and identity theft charges. Additionally, the Department of Justice unsealed a 2021 indictment
against Hai Wei, a Chinese national working for the People's Liberation Army, for hacking a U.S.
communications company. Charges were also announced against Russian national Denis Postovoy
for exporting drone components to Russia and other individuals for smuggling UAV parts to Iran.
The U.S. government has imposed new sanctions on spyware manufacturer Intellexa Consortium
and five individuals for their role in developing and distributing the
Predator malware. The sanctions, announced by the Treasury's Office of Foreign Assets Control,
target the group's executives and the British Virgin Islands-based Aliada Group. Predator
spyware, similar to NSO Group's Pegasus, is used by repressive regimes to eavesdrop on journalists, dissidents,
and politicians through zero-click exploits. The U.S. views these activities as a threat
to national security and has frozen any U.S.-based assets of the sanctioned individuals and entities.
This move follows previous sanctions in March against other members of the consortium.
The government aims to curb the spread of disruptive technologies
while promoting responsible development aligned with international standards.
Fake data breaches are becoming a growing threat,
causing significant panic and damage even when no actual breach occurs.
A story from Security Boulevard explores
how cybercriminals exploit fear by claiming to have stolen sensitive information, demanding
ransoms from companies, and creating chaos. Recent examples include false breach claims against Sony,
Epic Games, and Europcar, all of which triggered public outrage and damaged their reputations,
despite being debunked. To mitigate the impact of these fake breaches,
organizations need to verify breach claims before taking public action.
Advanced security measures such as real-time email monitoring and predictive AI can help
detect actual threats and distinguish them from hoaxes.
Employee training on recognizing phishing attempts and a clear communication strategy
for suspected breaches are also essential. As cybercriminals evolve, particularly with the
use of AI-generated fake data, organizations must stay vigilant and continually update
their security protocols to protect against both real and fake breaches.
Security researchers from Tenable discovered a critical vulnerability in Google Cloud Platform
that could have allowed attackers to execute malicious code on millions of servers.
Dubbed CloudImposer, the flaw was found in GCP's Cloud Composer service
and stemmed from a risky package installation process vulnerable to dependency confusion
attacks. Exploiting the flaw, attackers could upload malicious packages, potentially compromising
GCP services like App Engine and Cloud Functions. Google has since patched the vulnerability, implemented safeguards, and updated best practices for secure package management.
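The dependency confusion pattern behind this flaw is general: if a resolver can see a public index and a private one, and a requirement is neither pinned nor hash-locked, the highest version found anywhere wins, including an attacker's upload to the public index under an internal package name. The following is an added example, not Tenable's or Google's code, that audits a pip requirements file for the three conditions that make that possible. The sample requirements text, the index URLs and the package names in it are constructed for illustration.

```python
import re

# A requirement line: package name, optional [extras], then whatever follows
# (version specifier, --hash options, environment markers).
_REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(.*)$")

# Constructed sample requirements file (not from the page). It mixes a public and a
# private index, which is exactly the setup dependency confusion relies on.
SAMPLE_REQUIREMENTS = """\
--index-url https://pypi.org/simple
--extra-index-url https://pypi.internal.example/simple
requests==2.32.3 \\
    --hash=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
internal-billing-lib>=1.0
apache-airflow==2.9.3   # pinned, but no hash
"""


def _logical_lines(text):
    """Join backslash-continued lines and strip comments and blanks."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        line = line.split(" #", 1)[0].rstrip()  # pip treats ' #' as a trailing comment
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            lines.append(buf.strip())
        buf = ""
    if buf.strip():
        lines.append(buf.strip())
    return lines


def audit_requirements(text):
    """Return (kind, subject, reason) tuples for every risky entry, in file order.

    kind is one of:
      index    - an --extra-index-url, so pip merges a second namespace with the first
      unpinned - no == pin, so the highest version found on any index wins
      unhashed - pinned, but without --hash, so a same-version package from another
                 index is still accepted
    """
    findings = []
    for line in _logical_lines(text):
        if line.startswith("--extra-index-url"):
            parts = line.split(None, 1)
            url = parts[1] if len(parts) > 1 else ""
            findings.append(("index", url,
                             "second index merges namespaces; point --index-url at one private index"))
            continue
        if line.startswith("-") or "://" in line or line.startswith("."):
            continue  # other pip options, URL or local-path requirements
        m = _REQ.match(line)
        if not m:
            continue
        name, _extras, rest = m.groups()
        if "==" not in rest:
            findings.append(("unpinned", name, "no == pin; resolver takes the highest version"))
        elif "--hash=" not in rest:
            findings.append(("unhashed", name, "no --hash; run pip with --require-hashes"))
    return findings


if __name__ == "__main__":
    for kind, subject, reason in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{kind:8} {subject}: {reason}")
```

Run against the constructed sample it reports the extra index, the unpinned internal package and the pinned-but-unhashed one. The fix the findings point at is the usual one: a single private index that proxies the public one, every requirement pinned with `==` and a `--hash`, and `pip install --require-hashes` so a substituted package fails the install rather than running.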
D-Link has patched critical vulnerabilities in three popular wireless router models
that could allow remote attackers to execute arbitrary code or access devices via hard-coded credentials.
The vulnerabilities, three of which are rated critical, include stack-based buffer overflows
and improper input validation in the Telnet service. D-Link advises users to update their
firmware. The vulnerabilities were reported by Taiwan's CERT, but the standard 90-day disclosure period wasn't followed, prompting public disclosure before patches were ready.
Though no active exploits have been reported, D-Link routers are frequently targeted by botnets, making these updates essential for security.
Snowflake, a cloud-based data warehousing platform, has introduced default multi-factor authentication and a 14-character password minimum to enhance security following
a series of June cyberattacks. High-profile customers like Santander Bank and Neiman Marcus
were targeted, with attackers stealing data from Snowflake customer tenants and demanding ransoms.
The breaches involved credential stuffing attacks attributed to the UNC5537 threat group.
Snowflake's new security measures, effective from October 2024, aim to eliminate password-only
sign-ins and align with CISA's Secure by Design pledge.
Stillwater Mining Company, the only U.S. platinum and palladium producer, confirmed a cyberattack
this summer that exposed sensitive information of 7,258 employees.
Hackers accessed names, contact details, social security numbers, financial information, and medical records.
The breach, discovered on July 8, wasn't confirmed until August 19.
The RansomHub hacking group took credit for the attack and leaked the data.
RansomHub, responsible for over 210 attacks since February, has targeted organizations like Rite Aid and Planned Parenthood.
Stillwater Mining is cooperating with law enforcement and cybersecurity experts.
Meanwhile, the company recently laid off 700 workers, blaming Russian palladium dumping for
driving down prices. U.S. Senator Jon Tester criticized the layoffs, calling it unacceptable that Russia is flooding U.S. markets with cheaper palladium,
which remains unbanned despite other sanctions on Russian imports.
On September 14, researchers at Huntress identified a critical threat targeting Foundation accounting software,
widely used in the construction industry.
Attackers were exploiting default credentials to brute force access to the software's Microsoft SQL Server instance, often exposed via port 4243 for mobile app use.
Once inside, attackers used high-privilege accounts to enable and leverage the xp_cmdshell feature,
allowing them to execute OS-level commands.
Huntress observed over 35,000 brute-force login attempts across several affected companies,
leading to successful breaches.
To mitigate this, Huntress recommends rotating credentials,
disabling xp_cmdshell, and avoiding public exposure of the Foundation application.
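The three recommendations above map directly onto checks a SQL Server administrator can run. The following T-SQL is an added example, not Huntress's tooling or anything shipped with the Foundation product; it assumes a sysadmin login on a SQL Server instance (2012 or later) and uses only standard system views and procedures. The port number 4243 comes from the report above; whether that port is reachable from the internet is something to confirm from the network side, not from SQL.

```sql
-- 1. Is xp_cmdshell enabled right now? value_in_use = 1 means an attacker with a
--    sysadmin login can already run OS commands through it.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options');

-- 2. Disable it. 'show advanced options' must be on to change it; turn it back off
--    afterwards so the advanced switches are not left exposed in sp_configure.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. Who holds sysadmin? Each of these logins can re-enable xp_cmdshell, so the
--    "rotate credentials" advice applies to every one of them, not only the
--    account the application installs by default.
SELECT sp.name, sp.type_desc, sp.is_disabled
FROM sys.server_principals AS sp
JOIN sys.server_role_members AS rm ON rm.member_principal_id = sp.principal_id
JOIN sys.server_principals AS r  ON r.principal_id = rm.role_principal_id
WHERE r.name = 'sysadmin';

-- 4. SQL logins that are exempt from the Windows password policy are the ones
--    most likely to still carry a vendor default.
SELECT name, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE is_policy_checked = 0 OR is_expiration_checked = 0;

-- 5. Which TCP port is this session on? 4243 on a host reachable from outside
--    matches the exposure described in the report.
SELECT local_tcp_port
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;

-- 6. Failed logins are written to the SQL Server error log (log 0 = current,
--    type 1 = SQL Server log). A burst of these against one account is the
--    brute-force pattern Huntress observed.
EXEC xp_readerrorlog 0, 1, N'Login failed';
```

Disabling xp_cmdshell removes the convenient path but not the underlying problem: anyone who can authenticate as sysadmin can turn it back on with the same two sp_configure calls, which is why the credential rotation and the removal of the instance from the public internet are the parts that actually close the door.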
Coming up after the break, Tim Starks from CyberScoop joins us with his reporting on the
U.S. Postal Service's ability to meet the challenges of the upcoming election.
Stay with us.
Transat presents a couple trying to beat the winter blues.
We could try hot yoga.
Too sweaty.
We could go skating.
Too icy.
We could book a vacation.
Like somewhere hot.
Yeah, with pools.
And a spa.
And endless snacks.
Yes!
Yes!
Yes!
With savings of up to 40% on Transat South packages, it's easy to say, so long to winter.
Visit Transat.com or contact your Marlin travel professional for details.
Conditions apply.
Air Transat.
Travel moves us.
Do you know the status of your compliance controls right now?
Like, right now?
We know that real-time visibility is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks.
But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your
company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been
breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more
at blackcloak.io.
It is always my pleasure to welcome back to the show Tim Starks.
He is a senior reporter at CyberScoop.
Tim, it's great to have you back.
Always great to be back.
So your recent reporting over on CyberScoop was about some concerns that some election officials have with the U.S. Postal Service as the election approaches.
What's going on here, Tim?
Yeah, they're worried about everything across all fronts, really.
But we're talking about the U.S. Postal Service,
not the band co-headed by Ben Gibbard, I believe.
Fair enough.
There are some problems that they say that they're seeing
with lost or delayed election mail, things like mail-in ballots, some concerns
about training, concerns about the processing facility operations, basically across all
the fronts that election mail matters and people wanting to be able to get their ballots
in and get registered and get everything checked and cleared and ready to go.
With the rise of mail-in ballots following the 2020 election.
We've seen this become a bigger part of the way people vote as a sort of permanent thing.
There were obviously very specific reasons it was an issue in 2020, but people have been
using it more and more.
And so the idea of having some issues at the USPS to deliver that stuff, you know, the risk here is that people will vote and their vote won't count because it didn't get in at a certain time or there was some problem with the postmarking.
And that's what these officials are worried about.
Representatives of all 50 states and the District of Columbia, led by the National Association of
Secretaries of State and the National Association of State Election Directors, saying to the Postal
Service, are saying, you've got to take action now because this is really dangerous. Is this a point of
frustration where they have previously reached out and they're not getting the type of response
they would like to see from the Postal Service? That is what they say. They specifically said, we've tried to contact the election and political mail headquarters,
the state regional managers of customer relations, and have not seen any improvement.
But I asked the Postal Service for a comment, and they said they have been very receptive
to those organizations and address
their concerns and are going to continue to do so. So it's a little bit of a he said,
she said situation at this point, but it's clear that the frustration that they have is real.
The interpretation of how well they're doing is probably somewhere in between
what the Postal Service is saying and what the election officials are saying.
Do these states' attorneys general have any ability to force the issue? Is this something they'd have to take to members of Congress to see any real action?
Well, if you're talking about states' attorneys general, that's a different thing, right? I don't
think they have any real recourse. One thing that's been interesting that we've learned about the Postal Service since 2020 specifically is that it's an
entity that is a little harder to control for everybody. The Biden administration made pretty
clear that they weren't happy with Postmaster Louis DeJoy, but for various administrative
reasons, they've not been able to remove him. So I don't think the states have any real recourse other than to keep raising their voice
and hoping that this changes.
I'm not enough of an expert on the law surrounding what kind of suits the states might be able to bring on this
if it came to that, but it does seem like it would be difficult based on the overall independence of the Postal Service and its ability to not be controlled by even the president.
You know, it's one thing to track the success of ballots being delivered, to have those statistics.
But another concern that you point out in your reporting here is the actual safety of the mail, that the Postal Inspection Service are delivery of 99.89% of its ballots from voters to election officials within one week.
That was during the 2020 election, and they improved on that.
Well, it looks like they came down a little bit to 99.3%. However, if you look at this on a level of how close elections can be, one of the complaints prior to this letter was from the state of Kansas. The secretary of state there said that during the primary, late delivery or lack of proper postmarks, that led to nearly 1,000 ballots being ruled ineligible.
Those percentages sound pretty good, but if you're talking about thousands of voters, that's still something that could make a real difference in an election.
As far as the concerns they have, yes.
The Postal Service isn't just wrestling with this.
There's been a massive, massive increase
in the kinds of threats that election workers
have been facing since the 2020 election.
This is something that not just USPS has talked about,
but cybersecurity officials who are very focused on
things like Jen Easterly, the head of the Cybersecurity and Infrastructure Security
Agency, has said this is one of the top three concerns that they deal with. Now, that's probably
more the infrastructure security side of things, but it gives you a sense of what people are
wrestling with who are working on cybersecurity, who are also working on election security.
And in the case of the Postal Service,
one of the top officials with the Postal Inspection Service
had said violence was the number one concern for him for 2024,
that the FBI and USPIS were working to give guidance
to election officials on suspicious packages.
So there's a lot that USPS would be dealing with in even less trying times.
But with the threats to election workers, they're dealing with a double-edged thing here
where they have to worry about delivering the mail,
and they have to worry about delivering the mail that doesn't hurt anybody.
Yeah, it's really interesting because, as you mentioned,
it seems as though mail-in voting is really popular. People really like it, the convenience of being able to do it and get it out of the way and not have to wait in line in hot weather or cold weather or all those kinds of things. But along with that comes this extra added burden on the Postal Service to ensure the integrity of those ballots.
Yeah. And, you know, during the Trump administration, you know, there were a lot
of fears about the budget being cut and whether they'd be able to handle the influx. You know,
again, to hear the USPS tell it, they've handled it, or they've handled it pretty well. And they
said they're going to keep doing better.
As long as this is a part of our lives,
mail-in voting has proven to be popular, like you say,
and despite the disinformation about it,
pretty reliable in terms of being able to accurately identify voters' intentions.
So this is a problem that's not going to go away, and as long as there's any concern about USPS being able to deliver mail
properly during that crucial, crucial time, we're not going to stop caring about this.
Yeah. All right. Well, Tim Starks is senior reporter at CyberScoop. We will have a link
to his story in our show notes. Tim, thank you so much for joining us.
Thank you.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And finally, as the news broke about Cisco's second round of layoffs in 2024,
thousands of employees found themselves grappling with uncertainty and disappointment.
For many, Cisco wasn't just a job, it was a community.
The networking giant had become a place where people invested their energy, ideas, and passion.
It's hard to imagine how it feels when that chapter closes unexpectedly,
especially without clear communication from leadership. The impact of these layoffs
stretches far beyond the numbers. Behind every statistic is a person with responsibilities,
dreams, and ambitions. It's not just the loss of a paycheck. It's the loss of daily routines,
camaraderie with co-workers, and a sense of purpose. In times like these, it's easy to feel forgotten, especially when
headlines focus on profits and executive compensation rather than the real lives affected.
Still, throughout this painful transition, it's important to remember your worth is not tied to your job. Every skill you've honed,
every challenge you've overcome, every connection you've made is part of who you are. Even if today
feels like a setback, it's just one chapter in a much bigger story, one that still has room for
growth, success, and new beginnings. While the road ahead may seem uncertain,
remember, you are not alone.
There's a community of support out there,
and your experience, talent, and resilience are valuable.
Don't let this moment define you.
Instead, let it remind you of your strength,
your adaptability,
and the incredible things you're capable of.
To everyone impacted by the layoffs, stay hopeful.
This is not the end of your journey, but the start of something new.
You have so much to offer, and brighter days are ahead.
Trust in yourself.
You'll find the path that's right for you.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to
cyberwire at n2k.com. We're privileged that N2K Cyber Wire is part of the daily routine of the
most influential leaders and operators in the public and private sector, from the Fortune 500
to many of the world's preeminent intelligence
and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment,
your people. We make you smarter about your teams while making your team smarter.
Learn how at n2k.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester with
original music and sound design by Elliot Peltzman.
Our executive producer is Jennifer Iben.
Our executive editor is Brandon Karp.
Simone Petrella is our president.
Peter Kilpie is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.