Transcript
Dave Bittner (0:02)
You're listening to the CyberWire network, powered by N2K.
Carl Sigler (0:12)
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers, so I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you, with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe now at a special discount for our listeners today. Get 20% off your DeleteMe plan when you go to JoinDeleteMe.com/N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com/N2K and enter code N2K at checkout. That's JoinDeleteMe.com/N2K, code N2K.

Retired General Paul Nakasone warns the US is falling behind in cyberspace. Australia orders government entities to remove and ban Kaspersky products. FatalRAT targets industrial organizations in the APAC region. A major cryptocurrency exchange reports the theft of $1.5 billion in digital assets. Apple removes end-to-end encryption for iCloud in the UK. Researchers uncover a LockBit ransomware attack exploiting a Windows Confluence server. Researchers uncover zero-day vulnerabilities in a widely used cloud logging utility. A PayPal email scam is tricking users into calling scammers. Republican leaders in the House request public input on national data privacy standards. A Michigan man faces charges for his use of the Genesis cybercrime marketplace. Our guest is Carl Sigler, Senior Security Research Manager from Trustwave SpiderLabs, explaining the domino effect of a cyber attack on the power grid. And Meta sues an Insta-extortionist.

It's Monday, February 24th, 2025. I'm Dave Bittner and this is your CyberWire Intel Brief. Happy Monday and thanks for joining us.
It is great to have you here with us. Retired General Paul Nakasone warned that the US is falling behind in cyberspace, with adversaries expanding their capabilities. Speaking over the weekend at DistrictCon in Washington, D.C., he cited Chinese-backed breaches and ransomware attacks as evidence of weak cybersecurity. He also expressed concern about cyber operations causing physical damage, predicting future attacks could disable platforms through digital means. Nakasone, now at Vanderbilt University, highlighted AI's role in cyber offense, including autonomous targeting by AI-powered drones. He questioned the limits of AI-driven cyberweapons and their ability to bypass defenses. He endorses a more aggressive US cyber strategy, citing past Cyber Command operations against Russian and Iranian hackers. He emphasized persistent engagement to keep cyber enemies in check. Nakasone stressed the need for top cyber talent, warning of recruitment challenges due to past government actions. He acknowledged ongoing Cyber Command reforms but avoided direct criticism of political leadership changes, stating that presidents choose their own advisers.

Australia has ordered government entities to remove and ban Kaspersky products, citing security risks. The order, issued by the Department of Home Affairs, requires all federal systems to eliminate Kaspersky software by April 1, though no specifics were provided. The move aligns with concerns over Russian government influence on the company. The decision follows a similar US ban, which began in 2017 and expanded in 2024, leading Kaspersky to exit the US market. The company sold its US customer base to UltraAV, though the transition faced issues. While Australia previously monitored US actions without immediate restrictions, it has now joined other countries in barring Kaspersky from government networks. Several European nations have already blocked the company's products for years. Kaspersky has yet to comment on Australia's decision.
Meanwhile, according to researchers with Kaspersky ICS CERT, Chinese-speaking hackers are targeting industrial organizations across the Asia Pacific region with the FatalRAT remote access trojan. The cyber espionage campaign exploits legitimate Chinese cloud services, including Youdao Cloud Notes and Tencent Cloud, to evade detection. The attack focuses on manufacturing, energy, IT and logistics sectors in Taiwan, China, Japan, Thailand and Singapore. Hackers distribute phishing emails and WeChat or Telegram messages disguised as tax documents to deliver malware. The infection process involves multiple evasion techniques, including DLL sideloading and anti-virtual-machine checks. FatalRAT logs keystrokes, exfiltrates data and allows remote execution of destructive commands like MBR corruption. Kaspersky warns of risks to operational technology systems and advises network segmentation, DLL sideloading monitoring, and blocking known indicators of compromise.

Bybit, a major cryptocurrency exchange, reported a cyber attack that led to the theft of $1.5 billion in digital assets. Hackers exploited a vulnerability in the smart contract logic, gaining control of an ETH cold wallet and transferring over 400,000 ETH and stETH. The attack may have involved a flaw in the Safe global platform's user interface. Despite a surge in withdrawal requests, Bybit assured users their funds remain secure. CEO Ben Zhou stated the exchange is solvent and can cover the loss with its $20 billion in assets if needed. The attack comes amid rising crypto-related cybercrime, with Chainalysis reporting $2.2 billion stolen in 2024, a 20% increase from the previous year.

Apple has removed end-to-end encryption for iCloud in the UK, following secret data access demands from the government under the Investigatory Powers Act, sometimes referred to as the Snoopers' Charter. Security and consumer rights experts are calling for lawmakers to hold the government accountable.
Apple argues that creating an E2E backdoor for the government would compromise all users' security. Instead, it removed the Advanced Data Protection feature for UK customers, disappointing privacy advocates. Experts warn this decision could weaken the UK's data security reputation and impact data flows with the EU. Critics say the move sets a dangerous precedent, emboldening other governments to demand similar access. Some warn it could lead to compliance issues for businesses operating in Europe and even threaten the UK's data sharing agreement with the US.

Security researchers at The DFIR Report have uncovered a LockBit ransomware attack that exploited a Windows Confluence server. The attackers gained initial access through a remote code execution vulnerability, quickly deploying Mimikatz, Metasploit and AnyDesk to escalate privileges and move laterally across the network via RDP. They used Rclone to exfiltrate data to Mega.io before executing the ransomware. PDQ Deploy was leveraged to automate the spread of LockBit across critical systems, ensuring widespread encryption. The entire attack, from initial compromise to ransomware deployment, was completed in just two hours. The researchers emphasized the importance of patching Confluence vulnerabilities, monitoring network activity and restricting remote access to prevent similar intrusions. This case underscores the growing sophistication and speed of ransomware operations targeting unpatched enterprise applications.

Security researchers at Tenable uncovered zero-day vulnerabilities in Fluent Bit, a widely used logging utility embedded in cloud platforms like AWS, Google Cloud and Microsoft Azure. The flaws exploit null pointer dereference weaknesses in the Prometheus Remote Write and OpenTelemetry plugins, exposing billions of production environments to cyber threats. Attackers can crash Fluent Bit servers or leak sensitive data using simple HTTP requests.
These vulnerabilities affect Kubernetes deployments, enterprise logging systems, and compliance workflows, with major users including Cisco, Splunk and VMware. Patches are available, but unpatched systems remain at high risk. Experts urge immediate updates, API access restrictions and security audits to prevent widespread service disruptions and data leaks.

A PayPal email scam is tricking users into calling scammers by sending fake purchase confirmations from PayPal's legitimate email address, service@paypal.com. The scam exploits PayPal's address settings, allowing attackers to insert fraudulent messages into the address field. Victims receive an email stating that their shipping address has changed for a MacBook purchase and are urged to call a fake PayPal support number. Once on the call, scammers convince victims to install remote access software, enabling theft of funds, data or malware deployment. The emails bypass security filters because they originate directly from PayPal's servers. Users are advised to ignore the email, verify their account directly via PayPal, and not call the provided number. Experts recommend PayPal limit character input in address fields to prevent abuse.

Republican leaders on the House Energy and Commerce Committee, Brett Guthrie from Kentucky and John Joyce from Pennsylvania, are requesting public input on how to develop national data privacy and security standards. They issued a request for information to guide legislation that would protect Americans' digital data across various services. The lawmakers acknowledged the challenges posed by rapid technological advancements and conflicting state and federal laws. Their request seeks insights on data collection, transparency, user consent and lessons from international privacy laws. They also want input on how a federal privacy law would interact with existing regulations like HIPAA, FCRA and COPPA.
Congress has long debated digital privacy legislation, but past efforts have failed due to political disagreements. The public can submit responses by April 7. Lawmakers hope to finally establish baseline privacy protections similar to those in other Western nations.

The U.S. Justice Department has charged Andrew Szenkovsky, age 29, for purchasing 2,500 stolen login credentials from the Genesis Market cybercrime marketplace in 2020. Authorities say he used stolen credentials to steal money from a bank account and attempted to sell data on RaidForums, a now-dismantled cybercrime site. Szenkovsky faces charges including wire fraud and identity theft. His arraignment hearing is this week. The Genesis Market, seized by the FBI in April 2023, had provided cybercriminals access to stolen credentials. While 120 people were arrested, the site's administrators remained at large and its dark web presence later disappeared. The Justice Department previously charged a Buffalo police detective for buying stolen credentials from the site.

Coming up after the break, my conversation with Carl Sigler from Trustwave SpiderLabs. He's explaining the domino effect of a cyber attack on the power grid. And Meta sues an Insta-extortionist. Stay with us.

We've all been there. You realize your business needs to hire someone yesterday. How can you find amazing candidates fast? Well, it's easy. Just use Indeed. When it comes to hiring, Indeed is all you need. Stop struggling to get your job post noticed. Indeed Sponsored Jobs helps you stand out and hire fast. Your post jumps to the top of search results so the right candidates see it first, and it works. Sponsored Jobs on Indeed get 45% more applications than non-sponsored ones. One of the things I love about Indeed is how fast it makes hiring. And yes, we do actually use Indeed for hiring here at N2K CyberWire. Many of my colleagues here came to us through Indeed. Plus, with Sponsored Jobs, there are no subscriptions, no long-term contracts. You only pay for results. How fast is Indeed? Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed, according to Indeed data worldwide. There's no need to wait any longer. Speed up your hiring right now with Indeed, and listeners to this show will get a $75 sponsored job credit to get your jobs more visibility at indeed.com/cyberwire. Just go to indeed.com/cyberwire right now and support our show by saying you heard about Indeed on this podcast. Indeed.com/cyberwire. Terms and conditions apply. Hiring? Indeed is all you need.

Cyber threats are more sophisticated than ever. Passwords? They're outdated and can be cracked in a minute. Cybercriminals are intercepting SMS codes and bypassing authentication apps. While businesses invest in network security, they often overlook the front door: the login. Yubico believes the future is passwordless. YubiKeys offer unparalleled protection against phishing for individuals, SMBs and enterprises. They deliver a fast, frictionless experience that users love. Yubico is offering N2K followers a limited buy one, get one offer. Visit yubico.com/N2K to unlock this deal. That's Yubico. Say no to modern cyber threats. Upgrade your security today.

Carl Sigler is Senior Security Research Manager at Trustwave SpiderLabs. I recently sat down with him to discuss the domino effect of a cyber attack on the power grid.
