CyberWire Daily - The mother of all data breaches.

Episode Date: January 23, 2024

The mother of all data breaches. CISA director Easterly is the victim of a swatting incident. An AI robocall in New Hampshire seeks to sway the election. Australia sanctions an alleged Russian cybercrime operator. Atlassian Confluence servers are under active exploitation. Apple patches a WebKit zero-day. Black Basta hits a major UK water provider. Hackers who targeted an Indian ISP launch an online search portal. A Massachusetts hospital suffered a Christmas Day ransomware attack. Ann Johnson, host of the Afternoon Cyber Tea podcast, speaks with Caitlin Sarian, known to many as Cybersecurity Girl. And HP claims bricked printers are a security feature, not a bug. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest: Microsoft Security's Afternoon Cyber Tea podcast host, Ann Johnson, speaks with Caitlin Sarian, known to many as Cybersecurity Girl, a leading influencer with a cybersecurity-focused social presence. Listen to the full interview here.
Selected Reading
Mother of All Breaches: a Historic Data Leak Reveals 26 Billion Records (Cybernews)
CISA's Easterly the target of 'harrowing' swatting incident (The Record)
AI robocalls impersonate President Biden in an apparent attempt to suppress votes in New Hampshire (PBS NewsHour)
Hear fake Biden robocall urging voters not to vote in New Hampshire (YouTube)
Medibank hack: Russian sanctioned over Australia's worst data breach (BBC)
Hackers start exploiting critical Atlassian Confluence RCE flaw (BleepingComputer)
iOS 17.3 and macOS Sonoma 14.3 Patch WebKit Vulnerability That May Have Been Exploited (MacRumors)
UK water company that serves millions confirms system attack (The Record)
Indian ISP Hathway Data Breach: Hacker Leaks 4 Million Users, KYC Data (HACKREAD)
Massachusetts hospital claimed to be targeted by Money Message ransomware (SC Media)
HP's CEO spells it out: You're a 'bad investment' if you don't buy HP supplies (The Register)
HP CEO evokes James Bond-style hack via ink cartridges (Ars Technica)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. The mother of all data breaches. CISA director Easterly is the victim of a swatting incident. An AI robocall in New Hampshire seeks to sway the election. Australia sanctions an alleged Russian cybercrime operator.
Starting point is 00:02:15 Atlassian Confluence servers are under active exploitation. Apple patches a WebKit zero-day. Black Basta hits a major UK water provider. Hackers who targeted an Indian ISP launch an online search portal. A Massachusetts hospital suffered a Christmas Day ransomware attack. Ann Johnson, host of the Afternoon Cyber Tea podcast, speaks with Caitlin Sarian, known to many as Cybersecurity Girl. And HP claims bricked printers are a security feature.
Starting point is 00:02:45 Not a bug. It's Tuesday, January 23rd, 2024. I'm Dave Bittner, and this is your CyberWire Intel briefing. Thank you for joining us. It is great to have you with us here today. We begin with reporting from CyberNews on a colossal data leak known as the mother of all breaches, MOAB. It contains a staggering 26 billion records across 12 terabytes of data. This leak amalgamates information from numerous previous breaches, including major platforms like LinkedIn, Twitter, Weibo, and Tencent. Cybersecurity expert Bob Diachenko, in collaboration with the CyberNews team, discovered the massive leak, which likely constitutes the largest of its kind to date.
Starting point is 00:03:54 The MOAB comprises data from over 3,800 distinct data breaches, each represented by a separate folder in the leak. Notably, this collection includes not only data from past breaches, but potentially also previously unpublished information, raising security concerns about the extent of its impact. Researchers speculate that the owner of the MOAB, possibly a malicious actor, data broker, or data-intensive service, was likely aggregating this data for nefarious purposes. The leak poses significant risks as it includes sensitive information beyond mere credentials,
Starting point is 00:04:33 making it a treasure trove for identity theft, phishing schemes, and other targeted cyber attacks. Among the leaked records are hundreds of millions from various companies and government organizations worldwide. The implications for consumers are alarming, especially considering the common practice of reusing usernames and passwords, which could lead to widespread credential stuffing attacks. The horse being out of the barn, experts stress the importance of robust cyber hygiene practices, such as using strong, unique passwords, enabling multi-factor authentication, being vigilant against phishing attempts, and promptly updating security for accounts with reused passwords. In an alarming incident, Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency, fell victim to a swatting at her home in Arlington County, Virginia. This malicious act involved a false 911 call claiming a shooting at her residence. Fortunately, no injuries or
Starting point is 00:05:40 actual incidents were reported. The case is part of a growing trend of swatting attacks targeting public officials and government figures across the United States. White House Press Secretary Karine Jean-Pierre condemned these actions, and Senator Rick Scott proposed legislation for stricter penalties against these sorts of hoaxes. CISA, integral in safeguarding U.S. elections and infrastructure, has faced threats and conspiracy theories, particularly from far-right groups, due to its role in countering misinformation and protecting election integrity. This has led to legal challenges and debates over free speech and the role of government in regulating online content. The increasing use of swatting as a tool for targeting government officials and institutions raises significant concerns
Starting point is 00:06:29 about its strategic and abusive use in the digital realm. The New Hampshire Attorney General's Office is investigating a robocall incident that used AI-generated voice technology to mimic President Joe Biden, aiming to dissuade voters from participating in the state's primary election. Here's a sample of the call. It's important that you save your vote for the November election. Voting this Tuesday only enables the Republicans
Starting point is 00:06:57 in their quest to elect Donald Trump again. This false message urged voters to save your vote for the November election, misleadingly stating that voting on Tuesday supports Donald Trump's re-election. The call appeared to originate from Kathy Sullivan, a former state Democratic Party chair, but she denied any involvement, labeling it as election interference and harassment. The White House confirmed the call was fake, and Biden's campaign manager condemned the spread of disinformation, emphasizing the importance of combating attempts to undermine democracy. This incident reflects a growing concern about the use of generative AI
Starting point is 00:07:39 and deepfake technology in elections. The misuse of AI in political contexts has been observed globally, raising alarms about the potential impact on election integrity. U.S. lawmakers and federal agencies are yet to pass comprehensive legislation to regulate AI's role in politics, despite its increasing influence and the potential for misinformation. Alexander Ermakov, a Russian national, has been sanctioned by Australia for his involvement in the country's most severe data breach at Medibank,
Starting point is 00:08:13 affecting 9.7 million Australians. In this landmark cyber attack, sensitive information, including abortion records, was stolen and publicly leaked. Ermakov, believed to be part of the notorious Russian cybercrime gang REvil, faces financial penalties and a travel ban. Australian Home Affairs Minister Clare O'Neil condemned the act as a cowardly and significant violation of privacy.
Starting point is 00:08:41 This is the first application of Australia's 2021 cyber sanctions legislation targeting individuals linked to major online attacks. The breach, which exposed a wide range of personal data, including medical records, led to Medibank refusing to pay a ransom and the subsequent publication of the stolen data online. The incident has sparked multiple class actions, citing inadequate protection of sensitive information by the firms involved. Security experts are witnessing increased attempts to exploit a critical vulnerability in outdated Atlassian Confluence servers. This remote code execution flaw, disclosed by Atlassian last week, affects versions released before December 5, 2023, including some unsupported ones. The vulnerability allows unauthenticated attackers to remotely execute code on vulnerable Confluence Data Center and Server endpoints across several versions. Patches are available, and Shadowserver, a threat monitoring service, has recorded over 39,000 exploitation attempts, mainly from Russian IP addresses, targeting the flaw.
Starting point is 00:09:52 These attackers typically use the whoami command for callbacks to assess system access and privileges. Currently, just over 11,000 Atlassian Confluence instances are detectable online, although not all are vulnerable. Given the high stakes, Confluence server administrators should urgently update their systems to versions released after December 5, 2023. For those using outdated instances, it's advised to assume potential compromise, check for signs of exploitation, conduct thorough cleanups, and upgrade to secure versions. Apple has rolled out new versions of its operating systems, including iOS, iPadOS, tvOS, and macOS Sonoma. Users are strongly advised to update their devices promptly due to a critical security concern in WebKit,
Starting point is 00:10:45 the engine powering Apple's web browser. The flaw, already exploited in some instances, allows malicious content to execute arbitrary code. Beyond this, the updates bring several additional security enhancements. iOS 17.3, in particular, resolves various issues in different system components, including the neural engine, the kernel, mail, Safari, and shortcuts. While these vulnerabilities were not reportedly exploited, patching them significantly bolsters the security of Apple devices against potential threats. Also new in iOS 17.3 is stolen device protection,
Starting point is 00:11:24 which makes it harder for crooks to alter an iPhone's security settings. Major UK water provider Southern Water has confirmed a breach in its IT systems by the Black Basta ransomware group, resulting in the theft of data. The compromised information includes scans of identity documents, HR-related files, and corporate car leasing documents, potentially affecting both employees and customers. The company, serving 2.5 million water and 4.7 million wastewater customers, assures that customer relations and financial systems remain unaffected, with normal service operations. The company had previously detected suspicious activities and had initiated an investigation with independent cybersecurity experts. While a small portion of the data has been published online, Southern Water is yet to confirm the extent of customer or employee data compromise.
Starting point is 00:12:23 The incident has been reported to the UK government, regulators, and the Information Commissioner's Office. Hackers responsible for the breach of major Indian ISP and cable TV operator Hathway have created a dark web search engine enabling potential victims to check if their personal information was compromised. The leaked database was initially offered for sale before being publicly released on Breach Forums.
Starting point is 00:12:51 The breach, reportedly executed through a vulnerability in Hathway's Laravel framework CMS, resulted in two files being leaked. The first, a 12-gigabyte file, supposedly contains personal details of over 41 million customers, though analysis suggests the actual number of unique affected accounts is closer to 4 million after removing duplicates and dummy accounts. The second file, now deleted, also contained extensive personal and financial details of Hathway's employees and customers. The hackers in this case go by the name Dawn of Devil. The Anna Jaques Hospital in Massachusetts was the target of a ransomware attack by the Money Message gang on Christmas Day. The cyber attack led to the compromise of 600 gigabytes of data and disruptions to the hospital's electronic
Starting point is 00:13:45 health record system, causing ambulances to be diverted. AJH has acknowledged the attack and confirmed its immediate response to secure the environment. Despite these challenges, the hospital has maintained full operational capacity, continuing to provide safe and effective patient care. Coming up after the break, Ann Johnson, host of the Afternoon Cyber Tea podcast, speaks with Caitlin Sarian, known to many as Cybersecurity Girl. Stay with us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this: more than 8,000 companies like Atlassian and Quora have continuous
Starting point is 00:14:57 visibility into their controls with Vanta. Here's the gist: Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Starting point is 00:15:55 Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. Ann Johnson is host of the Microsoft Afternoon Cyber Tea podcast right here on the N2K network. In this excerpt from their recent episode, she speaks with Caitlin Sarian,
Starting point is 00:16:46 known to many online as Cybersecurity Girl. Here's their conversation. Caitlin is a leading influencer with a cybersecurity-focused social presence, primarily on TikTok and Instagram, where she provides insights on data protection, privacy, and cybersecurity. Previously, Caitlin was at the helm of TikTok's global cybersecurity advocacy and culture team, overseeing both internal and external cybersecurity awareness and educational initiatives. Before her time at TikTok, Caitlin spent nearly a decade in cybersecurity consulting. Welcome to Afternoon Cyber Tea, Caitlin. Thanks so much, Ann, for having me. I cannot wait to be on this. So I want to talk about some of those basics that you talk about. In your opinion,
Starting point is 00:17:24 what does it mean to actually be cyber and privacy aware? Yeah, so the way I'm taking this question is just for the general public. And for me, it just means for people to understand that anytime they're online, anytime they download an app or a software, anytime they are inputting information into a product or service. Data is being collected on them. It's being used. It's being sold. They're being tracked. And I just don't think people are aware
Starting point is 00:17:53 because there was such a boom in technology in the last 10, 15 years that we're just trying to keep up and we want to take advantage of all these cool new things. And what we don't realize is that when we're taking advantage of all these things, they're also taking advantage of us in some way, shape, or form. So I think for me, it's just educating the public to let them know that it's all fine and dandy if they want to use these apps.
Starting point is 00:18:18 It's all fine and dandy if they want to use IoT or whatever it is. But know that they're giving up some of their freedom, not really freedoms, I guess their data, and that it's being used in other ways that they might not realize. And so it's just that awareness for them and then also teaching them what to do with it after that. What are the top five critical tips or recommendations that you give folks who are just starting on the cyber awareness journey? Oh, man. Okay. So, it's a loaded question.
Starting point is 00:18:50 We'll walk through it. I think the first is understand, like, what accounts and who has their data. And the way I do this is kind of taking an inventory. So, the first thing I do is look through my emails. I look through my emails to see what companies are emailing me, what I've done with those companies. And if it's companies that I've never used or used one time, I go to their website and I request to delete the data, ask them to delete my account, delete my data.
Starting point is 00:19:17 A lot of people just press unsubscribe, but they don't realize that pressing unsubscribe doesn't really do anything. It just opts you out of email lists, but this company still has you. So take an inventory, go through your Google or like your Gmail or anything like that, any of your emails and see who has your data actively. And then what I would do is Google yourself because a lot of people, I know it sounds self-indulging,
Starting point is 00:19:39 but it's actually not. There's so much, that's a great way to see what information is out that the internet has on you. And for me, you can see tons of data brokers, at least in the US, that have a ridiculous amount of personal information on you and start requesting to delete it. I think those are the two main things is just understanding who has your data. And then also you can do this by looking at your home screen, seeing what apps you have. If you downloaded an app a while ago and created an account, don't just delete that app, go request to have them delete your data. A lot of people just think like unsubscribing or deleting
Starting point is 00:20:15 an app automatically deletes you from that system. It doesn't. You have to actively request to delete your data off of those apps and platforms and softwares. And then moving forward, just signing up for as little as possible. Like if you could continue as a guest, I would highly suggest continue as a guest if it's something that you don't use that often. And then when you do continue as guest, I would make an email that is really only for kind of one-off random stuff. So they don't have all your personal data. For example, if someone were to get into one of your emails, hopefully it's only your kind of junk email stuff. I always use, there's also a lot of services that actually offer the ability to generate emails and passwords and
Starting point is 00:20:56 phone numbers and designate them to specific websites. So you don't actually have to give your real email. So I would just, again, sign up for as little as possible. You want to try to minimize your digital footprint as much as possible. And then also, again, start deleting your data off of the data broker's websites. That's really big in the US. I mean, the issue is anytime you do anything, basically, every few months, it ends up being back on data brokers to actually partner with a company called Delete Me because I don't have the time to go through hundreds of thousands of data brokers to delete my data every couple months when it pops up. And then when it comes to permission, give as little
Starting point is 00:21:36 permission as possible. So like, say, for example, if you're going on a website and it asks you for cookies, it's don't press allow all. Usually there's a button that says manage cookies and I only allow like functional cookies. Or if an app asks for permission to get your photos or push notifications or anything like that, I literally minimize the permissions as much as possible. I am trying to give the least amount of privilege while still being able to use them.
Starting point is 00:22:02 And so those are kind of my top five. One, understand the accounts you have, take an inventory of your emails. Two is kind of Google yourself, see what's out there. And then moving forward is try to sign up for as little as possible. Delete your data from the data brokers. And then again, the fifth is give as little information as possible and don't allow permission for everything. Once again, you can catch the Afternoon Cyber Tea podcast
Starting point is 00:22:28 right here on the Cyber Wire podcast network. Cyber threats are evolving every second Thank you. of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And finally, last Thursday, HP CEO Enrique Lores addressed concerns over HP printers being rendered inoperable with third-party ink cartridges. He cited security risks, suggesting that viruses could be embedded in non-HP cartridges, potentially infecting printers and networks. This comes amidst a lawsuit against HP's dynamic security system, which prevents HP printers from working with cartridges lacking HP chips or circuitry. Cybersecurity experts, however, express skepticism about the feasibility of such an attack. HP's own research through its bug bounty program suggested a theoretical risk, but there's no evidence of this kind of thing being executed in practice.
Starting point is 00:24:19 The lawsuit against HP alleges that customers weren't informed about firmware updates bricking printers with third-party ink. It questions whether HP's actions are more about protecting intellectual property and driving subscription models than genuine security concerns. HP has been pushing its Instant Ink subscription service, and CEO Lores acknowledged the company's focus on making printing a subscription-based model. I'm going to say that one more time. HP's CEO acknowledged the company's focus on making printing a subscription-based model.
Starting point is 00:25:07 And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com. We're privileged that N2K and podcasts like The Cyber Wire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector,
Starting point is 00:25:29 as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you
Starting point is 00:25:45 smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester, with original music by Elliot Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Starting point is 00:27:06 Learn more at ai.domo.com. That's ai.domo.com.
