Transcript
Dave Bittner (0:02)
You're listening to the CyberWire Network, powered by N2K. Quick question. Do your end users always, and I mean always, without exception, work on company-owned devices and IT-approved apps? I didn't think so. So my next question is: how do you keep your company's data safe when it's sitting on all those unmanaged apps and devices? 1Password has an answer to this: Extended Access Management. 1Password Extended Access Management helps you secure every sign-in for every app on every device, because it solves the problems traditional IAM and MDM can't touch. And it's now available to companies with Okta and Microsoft Entra, and in beta for Google Workspace customers. Check it out at 1Password.com/cyberwire. That's 1Password.com/cyberwire.

Researchers uncover a large-scale hacking operation tied to the infamous ShinyHunters. A Dell Power Manager vulnerability lets attackers execute malicious code. TikTok requests a federal court injunction to delay a US ban. Radiant Capital attributed a $50 million cryptocurrency heist to North Korea. Japanese firms report ransomware attacks affecting their US subsidiaries. WhatsApp's View Once feature faces continued scrutiny. SpyLoan malware targets Android users through deceptive loan apps. A major Romanian electricity distributor is investigating an ongoing ransomware attack. Contenders for top cyber roles in the next Trump administration visit Mar-a-Lago. In our Industry Voices segment, Jason Lamar, Cobalt's Senior Vice President of Product, joins us to share insights on offensive security. And Google's new quantum chip promises scaling without failing.

Coming to you live from the Cybersecurity Marketing Society's CyberMarketingCon in Philadelphia, I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today. It is great, as always, to have you with us. Cybersecurity researchers Noam Rotem and Ran Locar have uncovered a large-scale hacking operation tied to the infamous ShinyHunters and Nemesis groups.
Exploiting vulnerabilities and misconfigurations, hackers accessed sensitive data including AWS keys, source code and cryptocurrency wallets. Using tools like ffuf, httpx and Shodan, they automated exploits targeting millions of websites and endpoints globally. The operation, traced to French-speaking individuals, involved selling stolen data on Telegram for hundreds of euros. Notably, an open AWS S3 bucket used by the attackers revealed harvested data and even linked back to Sezyu Kaizen, a convicted member of ShinyHunters. This error exposed their tools, techniques and some identities. Researchers collaborating with AWS mitigated the impact and notified affected parties. ShinyHunters, known for breaches at major firms like AT&T and Ticketmaster, and Nemesis, tied to a black market forum, demonstrate the sophistication of these syndicates.

A critical vulnerability in Dell Power Manager, used to manage power settings on Dell systems, allowed attackers with local access and low privileges to execute malicious code and escalate privileges. The flaw stems from improper access control, enabling unauthorized access to sensitive system functions and potential full system compromise. Rated with a CVSS score of 7.8, the vulnerability requires local access but is low in complexity and does not need user interaction. Dell has released version 3.17 to address the issue, urging users to update immediately. No workarounds exist, emphasizing the need for timely patching and robust endpoint security to mitigate risks.

TikTok has requested a federal court injunction to delay a U.S. ban set for January 19th as it appeals to the U.S. Supreme Court. The D.C. Circuit Court upheld a law requiring TikTok to sever ties with Chinese parent ByteDance. TikTok argues the ban poses no immediate national security risk and seeks a decision by December 16th. The injunction would allow the incoming administration to reassess the case, potentially avoiding harm and Supreme Court involvement.
DeFi platform Radiant Capital has attributed the $50 million cryptocurrency heist from its platform on October 16 to North Korean state-affiliated hackers known as Citrine Sleet, also known as UNC4736 or AppleJeus. The sophisticated attack bypassed advanced security measures, including hardware wallets and multi-signature verification, exploiting malware delivered via a spoofed Telegram message. Hackers used the malicious payload INLETDRIFT to compromise developer devices, enabling unauthorized transactions on the Arbitrum and Binance Smart Chain networks. Mandiant assisted in the investigation, linking the attack to North Korea's broader strategy of targeting cryptocurrency platforms to fund state operations. Radiant, a DeFi platform enabling cross-blockchain asset management, emphasized the attackers' ability to evade standard verification processes. It's now working with US law enforcement and recovery firms to reclaim stolen funds while calling for improved device-level security to mitigate future threats.

Japanese firms Kurita Water Industries and Ito En recently reported ransomware attacks affecting their U.S. subsidiaries. Kurita, a global leader in water treatment chemicals, revealed that its Minnesota-based Kurita America was targeted on November 29th. Attackers encrypted servers and potentially leaked data belonging to customers, employees and partners. However, core systems have been restored and operations remain unaffected. Similarly, Ito En North America, part of Japan's largest green tea producer, faced a ransomware attack on December 2, impacting servers in Texas. Backup data is being used to restore operations, and investigations are ongoing. These incidents highlight the surge in ransomware targeting Japanese companies in 2024, with major firms like Fujitsu, Game Freak and Nidec also affected.
Meta's WhatsApp faced criticism after a vulnerability in its View Once feature allowed attackers to bypass privacy protections using modified WhatsApp Web clients. The feature, designed to limit media to a single view, was undermined by browser extensions that ignored its restrictions, enabling recipients to save or share content. Meta initially deployed a partial fix in September, but attackers adapted quickly. A robust server-side fix in November resolved the issue by blocking View Once media access on web clients. While effective, this fix raised concerns about metadata exposure and left vulnerabilities in modified mobile clients. Experts suggest device integrity checks or DRM for enhanced protection.

SpyLoan malware is a growing threat targeting Android users through deceptive loan apps masquerading as legitimate financial tools. These apps exploit social engineering to gain access permissions and steal sensitive data, including financial information, contacts and location details. Downloaded over 8 million times, SpyLoan apps bypass Google Play Store's filters and target users globally, with cases reported in India, Southeast Asia, Africa and Latin America. Victims face financial exploitation, blackmail and harassment. Authorities are combating the threat, but SpyLoan's global prevalence demands stronger security measures and user vigilance.

Electrica Group, a major Romanian electricity distributor, is investigating an ongoing ransomware attack that has not impacted its critical SCADA systems. The company, serving over 3.8 million customers, emphasized that temporary disruptions are precautionary measures to protect infrastructure and data. Romania's Energy Ministry confirmed the attack, stating that network equipment remains unaffected. The incident follows a declassified report revealing over 85,000 cyberattacks targeting Romania's election infrastructure, highlighting the country's increasing cybersecurity challenges.
Electrica is collaborating with authorities to resolve the issue.

A critical flaw in OpenWrt's Attended SysUpgrade feature could have enabled attackers to distribute malicious firmware via custom builds. OpenWrt is a popular Linux-based OS for routers and IoT devices, and it's had vulnerabilities involving command injection and hash truncation. Researcher RyotaK demonstrated how these flaws allowed modification of firmware artifacts. OpenWrt developers promptly addressed the issue, fixing it within hours. Although no exploitation has been detected, users are urged to update their firmware to eliminate potential risks.

Brian Harrell, a seasoned veteran of the Department of Homeland Security under the Trump administration, is reportedly a leading contender for high-ranking cybersecurity roles in the next administration, The Record reports. Sources familiar with the situation reveal that Harrell has been invited to Mar-a-Lago in the coming weeks to interview for roles such as Director of the Cybersecurity and Infrastructure Security Agency and DHS Undersecretary for Strategy, Policy and Plans. Harrell, who previously served as DHS Assistant Secretary for Infrastructure Protection, is well regarded for his expertise in safeguarding critical infrastructure. Recorded Future News first reported his candidacy for these prominent positions. He's not the only one under consideration. Matt Hayden, former DHS Assistant Secretary for Cyber, Infrastructure, Risk and Resilience, and Sean Plankey, a former National Security Council cyber team member and acting assistant secretary at the Department of Energy's cybersecurity office, are also being considered for potential leadership at CISA. Two sources confirmed Plankey's name in the mix for the top CISA role. The forthcoming Mar-a-Lago interviews are part of broader plans to fill key positions within DHS, not only in cybersecurity but also in areas such as immigration enforcement and leadership roles at the Transportation Security Administration. This diverse hiring strategy reflects the transition team's focus on securing leadership across various critical sectors.

Coming up after the break, Jason Lamar, Cobalt's Senior Vice President of Product, joins us to share insights on offensive security. And Google's new quantum chip promises scaling without failing.

And now a word from our sponsor, KnowBe4. It's all connected, and we're not talking conspiracy theories. When it comes to infosec tools, effective integrations can make or break your security stack. The same should be true for security awareness training. KnowBe4, provider of the world's largest library of security awareness training, provides a way to integrate your existing security stack tools to help you strengthen your organization's security culture. KnowBe4's SecurityCoach uses standard APIs to quickly and easily integrate with your existing security products from vendors like Microsoft, CrowdStrike and Cisco. 35 vendor integrations and counting. SecurityCoach analyzes your security stack alerts to identify events related to any risky security behavior from your users. Use this information to set up real-time coaching campaigns targeting risky users based on those events from your network, endpoint, identity or web security vendors. Then coach your users at the moment the risky behavior occurs with contextual security tips delivered via Microsoft Teams, Slack or email. Learn more at knowbe4.com/securitycoach. That's knowbe4.com/securitycoach. And we thank KnowBe4 for sponsoring our show.

Identity architects and engineers: modernize your identity systems with Strata. Integrate legacy apps with any IdP, ensure seamless identity failover, and apply MFA without touching app code.
Strata offers robust, efficient identity management, reducing tech debt and enhancing security. Gain peace of mind and operational efficiency with Strata's comprehensive solutions. Visit strata.io/cyberwire, share your biggest identity challenge, and enjoy free AirPods Pro. Optimize your identity solutions today. Visit strata.io/cyberwire. And our thanks to Strata for being a longtime friend and supporter of this podcast.

In our Industry Voices segment, Jason Lamar, Cobalt's Senior Vice President of Product, joins us to share insights on offensive security, staying ahead of cyber threats, and IT.
