CyberWire Daily - The shadowy adversary in Cisco's crosshairs.

Episode Date: April 25, 2024

Cisco releases urgent patches for their Adaptive Security Appliances. Android powered smart TVs could expose Gmail inboxes. The FTC refunds millions to Amazon Ring customers. The DOJ charges crypto-mixers with money laundering. A critical vulnerability has been disclosed in the Flowmon network monitoring tool. A Swiss blood donation company reopens following a ransomware attack. Multiple vulnerabilities are discovered in the Brocade SANnav storage area network management application. Brokewell is a new Android banking trojan. Meta’s ad business continues to face scrutiny in the EU. Ann Johnson, host of Microsoft Security’s Afternoon Cyber Tea podcast, speaks with LinkedIn's CISO Geoff Belknap. And an AI deepfake sparks a community crisis.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
We are joined by Ann Johnson, host of Microsoft Security’s Afternoon Cyber Tea podcast, talking with Geoff Belknap and sharing "Insights from LinkedIn's CISO." You can listen to their full discussion here.
Selected Reading
'ArcaneDoor' Cyberspies Hacked Cisco Firewalls to Access Government Networks (WIRED)
Cisco Releases Security Updates Addressing ArcaneDoor Campaign, Exploited Vulnerabilities in ASA and FTD (NHS England Digital)
Android TVs Can Expose User Email Inboxes (404 Media)
FTC Sending $5.6 Million in Refunds to Ring Customers Over Security Failures (SecurityWeek)
Southern District of New York | Founders And CEO Of Cryptocurrency Mixing Service Arrested And Charged With Money Laundering And Unlicensed Money Transmitting Offenses (United States Department of Justice)
Maximum severity Flowmon bug has a public exploit, patch now (Bleeping Computer)
Plasma donation company Octapharma slowly reopening as BlackSuit gang claims attack (The Record)
New Brokewell malware takes over Android devices, steals data (Bleeping Computer)
Vulnerabilities Expose Brocade SAN Appliances, Switches to Hacking (SecurityWeek)
Meta could face further squeeze on surveillance ads model in EU (TechCrunch)
Baltimore County educator framed principal with AI-generated voice, police say (Baltimore Banner)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life JoinDeleteMe.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout. That's JoinDeleteMe.com slash N2K, code N2K.
could expose Gmail inboxes. The FTC refunds millions to Amazon Ring customers. The DOJ charges crypto mixers with money laundering.
Starting point is 00:01:49 A critical vulnerability has been discovered in the Flowmon network monitoring tool. A Swiss blood donation company reopens following a ransomware attack. Multiple vulnerabilities are discovered in the Brocade SANnav storage area network management application. Brokewell is a new Android banking trojan.
Starting point is 00:02:07 Meta's ad business continues to face scrutiny in the EU. Ann Johnson, host of Microsoft Security's Afternoon Cyber Tea podcast, speaks with LinkedIn's CISO, Geoff Belknap. And an AI deepfake sparks a community crisis. It's Thursday, April 25th, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Cisco revealed that its Adaptive Security Appliances, hybrid devices featuring firewalls and VPNs, were compromised by state-sponsored hackers in a campaign dubbed ArcaneDoor. The attack involved exploiting two zero-day vulnerabilities to infiltrate various global government networks. Cisco's Talos security team, along with Microsoft researchers,
Starting point is 00:03:19 identified the hacking group as UAT-4356 or Storm-1849, suggesting high-level espionage motives without previous known activities. The hackers deployed specialized tools targeting Cisco's devices, indicative of their sophisticated espionage-driven agenda. Although Cisco has not officially blamed any country, sources claim the campaign aligns with China's interests. The intrusions, which peaked between December 2023 and January of this year, leveraged the vulnerabilities to execute and maintain malicious code within Cisco's hardware. The more severe of these, called Line Dancer, allowed the execution of custom malicious commands directly on the devices,
Starting point is 00:04:06 while the other, called Line Runner, ensured malware persistence even after device reboots. To mitigate these threats, Cisco has released patches and additional security measures. Furthermore, a UK cybersecurity advisory noted that physically unplugging affected devices to force a hard reboot could disrupt hacker access. This incident is part of a broader trend where edge devices such as email servers and VPNs are exploited as initial footholds for network breaches. The trend is emphasized in Mandiant's recent M-Trends report, which notes that state-sponsored groups, especially from China and Russia, are increasingly targeting these sorts of devices. This shift highlights a critical vulnerability in network defenses, underscoring the strategic
Starting point is 00:04:55 significance of edge devices in modern cyber conflicts. An alarming security loophole in Android-powered TVs could potentially expose users' Gmail inboxes if attackers gain physical access to the device. The vulnerability was highlighted by Senator Ron Wyden's office during a review of streaming TV privacy practices. A YouTuber demonstrated that by sideloading a web browser on an Android TV, one could access the Gmail inbox of the account used to set up the TV without needing a password, exploiting the persistent login from the Android OS. Initially, Google described this as expected behavior,
Starting point is 00:05:38 but has since recognized it as a security flaw and is working on a fix. This vulnerability underscores the risks of using Google accounts on devices like TVs, not typically associated with personal data browsing, especially in settings like businesses or when resold. Google is now updating software on Google TV devices to prevent such unauthorized access and advising users to keep their devices updated. The Federal Trade Commission is distributing over $5.6 million in refunds to customers of Amazon's Ring following a 2023 settlement over privacy breaches. The FTC's complaint highlighted that Ring failed to secure its devices against hackers and employee misuse,
Starting point is 00:06:25 leading to unauthorized access to customer videos and accounts, including surveillance of private areas. At least 55,000 U.S. customers were affected. Ring also used customer videos to train AI algorithms without consent. Over 117,000 affected Ring device owners are receiving PayPal payments, which must be redeemed within 30 days. This follows a separate $25 million FTC settlement with Amazon over retaining children's recordings on Alexa devices. The U.S. Department of Justice has charged Keonne Rodriguez and William Lonergan Hill, founders of Samourai Wallet, with operating an unlicensed money-transmitting business and money-laundering conspiracy. Their platform, Samourai, facilitated over $2 billion in unlawful
Starting point is 00:07:20 transactions and laundered more than $100 million, allegedly targeting criminal elements by anonymizing cryptocurrency transactions. Arrests were made in the U.S. and Portugal, with extradition pending for Hill. The charges highlight Samourai's role in enabling large-scale money laundering and sanctions evasion. International collaboration led to the seizure of Samourai's domain and app. Rodriguez and Hill face maximum penalties of up to 25 years in prison if convicted. A critical vulnerability has been disclosed in Progress Flowmon, a network monitoring tool
Starting point is 00:08:01 used by over 1,500 companies globally, including Sega and Volkswagen. Rated 10 out of 10 in severity, the flaw allows unauthenticated attackers to remotely access the Flowmon web interface and execute arbitrary commands via a specially crafted API request. Researchers at Rhino Security Labs demonstrated this by injecting commands to plant a web shell and escalate privileges. Progress Software has urged customers to update their systems to the patched versions. Although exploit code is available and some servers are exposed online, there are no reports of active exploitation yet. Octapharma, a major plasma donation company, is reopening some of its 180 global centers after a ransomware attack by the BlackSuit gang forced a shutdown for nearly
Starting point is 00:08:55 a week. The Switzerland-based firm, one of the largest independent plasma companies, detected unauthorized network activity on April 17th, leading to an ongoing investigation with external experts. BlackSuit, which is a rebrand of the Royal Ransomware Group known for attacking the city of Dallas, claimed to have stolen business, laboratory data, and donor information. They reportedly breached Octapharma's systems through VMware, a platform recently identified by Mandiant as increasingly targeted by ransomware actors. Octapharma has advised donors to confirm the operational status of their local centers. identified 18 vulnerabilities in the Brocade SANnav Storage Area Network Management application, including critical issues that allow remote attackers root access.
Starting point is 00:09:54 These flaws, with nine assigned CVE identifiers, expose Fibre Channel switches to attacks that could intercept credentials and manipulate data. Key vulnerabilities include unsecured APIs, the use of HTTP instead of HTTPS, and clear-text syslog traffic. The SANnav appliance also has default root access, publicly known root passwords, unauthenticated Postgres database access,
Starting point is 00:10:20 and insecure Docker configurations. These vulnerabilities could allow a full appliance takeover and data theft. Despite initial rejection, Brocade acknowledged and patched these issues in SANnav version 2.3.1, with advisories recently published by Broadcom and patches from HPE. Security researchers at fraud risk company ThreatFabric have identified a new Android banking trojan called Brokewell, which captures every user action on a device, from screen touches to text inputs. Delivered via a deceptive Google Chrome update notification,
Starting point is 00:11:00 Brokewell is actively developed to provide comprehensive device control and data theft. It features capabilities like overlay attacks to steal login credentials, interception of cookies, and capture of device interactions. The Trojan can also remotely execute gestures, click on screen elements, and adjust device settings. Developed by a threat actor known as Baron Samedit, Brokewell leverages a custom loader to bypass security restrictions introduced in Android 13. This malware poses significant risks due to its ability to evade detection and is expected to evolve into a malware-as-a-service operation. Meta's targeted advertising business is facing potential legal challenges in the EU
Starting point is 00:11:47 following an opinion from the Court of Justice of the EU's Advocate General, who stated that the use of personal data for ads should be time-limited under GDPR's privacy laws. This could affect Meta's profit from tracking and profiling users. The non-binding opinion precedes a court ruling expected in three to six months, which historically often aligns with the Advocate General's views. The opinion also touches on issues of data retention and proportionality concerning personalized advertising. Moreover, the case involves a privacy complaint against Meta's use of data without sufficient legal basis,
Starting point is 00:12:26 including for sensitive personal data like sexual orientation, raising significant implications for Meta's operations in the EU. Coming up after the break, Ann Johnson, host of Microsoft Security's Afternoon Cyber Tea podcast, speaks with LinkedIn's CISO, Geoff Belknap. Stay with us. Transat presents a couple trying to beat the winter blues.
Starting point is 00:13:08 We could try hot yoga. Too sweaty. We could go skating. Too icy. We could book a vacation. Like somewhere hot. Yeah, with pools. And a spa.
Starting point is 00:13:17 And endless snacks. Yes! Yes! Yes! With savings of up to 40% on Transat South packages, it's easy to say, so long to winter. Visit Transat.com or contact your Marlin travel professional for details. Conditions apply.
Starting point is 00:13:31 Air Transat. Travel moves us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30
Starting point is 00:14:06 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. Learn more at blackcloak.io.
Starting point is 00:15:35 Ann Johnson is host of Microsoft Security's Afternoon Cyber Tea podcast. And in her most recent episode, she spoke with the CISO at LinkedIn, Geoff Belknap. Today, I'm joined by Geoff Belknap, who is the Chief Information Security Officer and Vice President of Engineering at LinkedIn. Geoff brings more than 20 years of experience in security and network architecture with experience in financial services and the telecommunications sector. Geoff joined LinkedIn in 2019 as the Chief Information Security Officer, and in this role, he is responsible for safeguarding LinkedIn's member and customer data, as well as helping the business navigate risk. Geoff has held several security leadership roles
Starting point is 00:16:11 at various technology companies and previously served on the board of directors of the Bay Area CISO Council. Before joining LinkedIn, Geoff was responsible for physical and information security at Slack. Welcome to Afternoon Cyber Tea, Geoff. Thanks for having me. It's going to be fun. I think that anybody who is in security long-term knows that it's very mission-driven work and the people who stay in the industry
Starting point is 00:16:33 have a service focus. So it's good to hear you reinforce that. One of the things I admire about you is you really do have this effortless way of transitioning between business and technology sides of the house, so to speak. Do you think of yourself as a business guy who knows technology or a technologist that has strong business acumen? And what do you think is more important for the modern CISO?
Starting point is 00:16:57 This is a tough one. I think I certainly find myself complaining about CISOs and security leaders being bucketed in kind of that specialized IT bucket. And I think the reality is, especially for CISOs and even more so for just generically security leaders, you have to really think about your job and the sort of maturity of the career path as being the early days of CFOs or GCs in that, you know, you can be a great leader and a competent executive, but if you've never opened Excel before, you really probably don't belong leading finance. If you've never done anything customer facing, you probably shouldn't be leading a sales function. And similarly, if you've never practiced law, probably a bad idea
Starting point is 00:17:40 to lead the legal function. So I think you have to sort of look at it as this, it's not an either or, you're not a technologist or a business leader or an operator. You are an executive in an organization and you are helping that organization be as successful and grow the way it needs to grow and thrive the way it needs to thrive from the perspective of the part of the organization that you are responsible and accountable for. So I think the other thing to keep in mind in terms of thinking about what's important here is wherever your organization goes in the future,
Starting point is 00:18:12 it is going to be in a way seeking harmony with technology and seeking to leverage technology to achieve the goals of that organization. And I think the CISO role, wherever it goes, is less about picking that side and focusing on one aspect of your skill set or another and thinking about how you can really use all your knowledge and all your skills to focus on leveling up that organization and helping it succeed. I think the CISO at LinkedIn, which is a talent site at its essence, it's going to have a point of view. We've all heard the number. There's a few
Starting point is 00:18:46 million or more open cyber roles worldwide and industry-wide. And every cyber leader I talk to knows there's an issue, but they get tripped up on the how. How are they going to solve it? How do you think about cyber talent needs at LinkedIn? And how does that translate into your strategies to source and also to retain folks on your team? So I think certainly the number varies depending on who you talk to, but I think one thing is for sure, the demand for high quality talent in the security industry has not gone away and is not going away. Certainly markets may rise and fall and those numbers may go up and down, but the thing that has never changed, even as we've gone through macroeconomic shifts
Starting point is 00:19:26 in the hiring industry, is it is really hard for us to both find the people we're looking for, but also to describe to people that are in the industry or wanting to get into the industry, what we're looking for. What do we want from those people? And I think the most important thing is over time, we're getting better at understanding what we want from those people.
Starting point is 00:19:50 And understanding something that I believe very deeply in, which is like, we have to build some of those people. We can't just expect them to come to us with five or ten years of experience in all of the different various domains that happen in cybersecurity. Especially because cybersecurity is an inherently multidisciplinary domain. Be sure to check out the Microsoft Security Afternoon Cyber Tea podcast wherever you get your podcasts.
solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
Starting point is 00:21:21 And finally, in a quiet suburb of Baltimore, whispers of scandal turned into a storm of controversy as accusations against Pikesville High School's principal Eric Eiswert spread like wildfire. Allegedly captured on audio and shared via email, a recording of Eiswert's voice spewed racist and anti-Semitic remarks, causing an uproar among the community and leading to his temporary removal. The impact was immediate and devastating. Hate-filled messages flooded social media, and the school community reeled under the weight of the allegations against the respected principal. But the story took an unexpected turn
Starting point is 00:21:56 when a police investigation revealed that the voice everyone thought was Eiswert was actually an AI deepfake, and it was allegedly masterminded by the school's former athletic director, Dazhon Darien. As the police dug deeper, they uncovered more than just technological deception. Darien was also implicated in financial misdeeds, including unauthorized payments, and he now faces several charges including disrupting school activities, theft, retaliating against a witness, and stalking. This saga of deception
Starting point is 00:22:32 highlights not only the vulnerabilities exposed by advanced technology, but also the deep wounds inflicted in a community when trust is shattered by those entrusted with its youth. It's a stark reminder of the crucial importance of not rushing to judgment, especially in an era where sophisticated AI tools can craft startlingly convincing falsehoods. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast.
Starting point is 00:23:21 You can email us at cyberwire at n2k.com. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at N2K.com. This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
Starting point is 00:24:38 helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
