Transcript
Dave Bittner (0:02)
You're listening to the CyberWire Network, powered by N2K.

Quick question. Do your end users always, and I mean always, without exception, work on company-owned devices and IT-approved apps? I didn't think so. So my next question is: how do you keep your company's data safe when it's sitting on all those unmanaged apps and devices? 1Password has an answer to this: Extended Access Management. 1Password Extended Access Management helps you secure every sign-in for every app on every device, because it solves the problems traditional IAM and MDM can't touch. And it's now available to companies with Okta and Microsoft Entra, and in beta for Google Workspace customers. Check it out at 1Password.com/cyberwire. That's 1Password.com/cyberwire.

The US dismantles the Rydox criminal marketplace. File sharing provider Cleo urges customers to immediately patch a critical vulnerability. A Japanese media giant reportedly paid nearly $3 million to a Russia-linked ransomware group. The largest Bitcoin ATM operator in the US confirms a data breach. Microsoft quietly patches two potentially critical vulnerabilities. Researchers at Claroty describe a malware tool used by nation-state actors to target critical IoT and OT systems. Dell releases patches for a pair of critical vulnerabilities. A federal court indicts 14 North Korean nationals for a scheme funding North Korea's weapons programs. Texas accuses a data broker of sharing sensitive driving data without consent. Tim Starks, senior reporter at CyberScoop, joins me to explore the FCC's groundbreaking proposal to introduce cybersecurity rules linked to wiretapping laws. And how the bots stole Christmas.

It's Friday, December 13, 2020. I'm Dave Bittner, and this is your CyberWire Intel Briefing.

Happy Friday, and thank you for joining us. It is great to have you here with us.

The US has dismantled Rydox, a marketplace for stolen personal data and fraud tools, and unsealed charges against its alleged administrators.
Three suspects from Kosovo, Ardit Kutleshi, Jetmir Kutleshi and Shpend Sokoli, were arrested in a coordinated operation. Ardit and Jetmir were detained in Kosovo and await US extradition, while Sokoli was arrested in Albania and will be prosecuted there. Active since 2016, Rydox facilitated the sale of stolen personal data, credit card details and credentials from thousands of US victims. The site hosted over 18,000 users and sold over 321,000 cybercrime-related products, generating $230,000. US authorities seized the Rydox domain, its servers (in collaboration with Malaysian police) and $225,000 in cryptocurrency. Ardit and Jetmir face charges of identity theft, device fraud and money laundering, with potential decades-long sentences. Sokoli's arrest also led to the seizure of computers, phones and cryptocurrency.

Cleo has urged customers to immediately apply a patch for a critical vulnerability in its popular file sharing products Cleo Harmony, VLTrader and LexiCom, used by enterprises across industries. The flaw was initially addressed in October, but researchers at Huntress found systems remained vulnerable. Cleo released a new patch Wednesday and is generating a new CVE. The vulnerability, exploited by sophisticated threat actors, has affected consumer products, shipping and retail supply chains, with 24 confirmed compromised organizations. Attackers have deployed malware named Malichus, using Cleo software for initial access and persistence. Notably, the Termite ransomware gang, probably linked to the Cl0p gang, exploited this flaw. Huntress observed 160 vulnerable endpoints globally, with ransomware activity yet to emerge. Cybersecurity firms including Sophos and Arctic Wolf report primarily US-based retail victims. Experts credit rapid industry response with mitigating potential large-scale impacts.
Japanese media giant Kadokawa reportedly paid nearly $3 million to Russia-linked ransomware group BlackSuit following a major cyberattack in June. The hackers accessed 1.5 terabytes of data, including contracts, internal documents and employee personal information. Kadokawa's subsidiary Niconico temporarily shut down its live streaming platform due to the breach. Evidence of the payment includes emails from BlackSuit claiming receipt of the ransom and a $2.98 million cryptocurrency transaction discovered by security firm Unknown Technologies. The hackers initially demanded $8.25 million but allegedly agreed to $3 million, stating they would delete the stolen data. However, some information was leaked despite the payment. Kadokawa expects a $15 million fiscal loss due to the attack, amid criticism of its handling of the breach. The company faces a potential acquisition by Sony, which employees view as a positive change.

Byte Federal, the largest Bitcoin ATM operator in the US, confirmed a data breach affecting 58,000 customers. The breach, caused by a vulnerability in third-party software GitLab, occurred in September of this year but was discovered on November 18. Compromised data includes names, addresses, Social Security numbers, transaction histories and more. Byte Federal secured the server, implemented additional protections and notified affected customers. While no misuse of data or funds has been reported, experts warn of potential phishing risks.

Microsoft announced the patching of two potentially critical vulnerabilities in Update Catalog and Windows Defender. These flaws have been fully mitigated and require no user action. The Windows Defender flaw, rated medium severity based on CVSS scores, could have allowed unauthorized disclosure of sensitive file content over a network due to improper index authorization. The Update Catalog vulnerability, involving deserialization of untrusted data, was a privilege escalation issue on the web server.
Microsoft emphasized that neither flaw was disclosed publicly nor exploited before patching. The company is now assigning CVE identifiers to cloud service vulnerabilities for transparency, following industry trends. Similar measures have been adopted by Google Cloud, reflecting growing emphasis on proactive security and communication about server-side vulnerabilities.

Researchers at Claroty's Team82 have identified IOCONTROL, a malware tool used by nation-state actors to target critical IoT and OT systems, including SCADA devices, linked to Iran's IRGC-CEC CyberAv3ngers group. IOCONTROL has compromised devices such as fuel management systems, IP cameras and PLCs from vendors like D-Link, Hikvision and Orpak. One campaign impacted U.S. and Israeli fuel systems. The U.S. Treasury has sanctioned IRGC-CEC officials and offers a $10 million bounty for information on those involved.

Dell disclosed two critical vulnerabilities affecting PowerFlex appliances and racks, InsightIQ and Data Lakehouse products. The first, with a CVSS score of 10.0, allows unauthenticated remote code execution through improper link resolution. The second, scoring 8.2, involves insecure storage of sensitive information, enabling high-privileged local attackers to access cluster pods. Dell has released patches for impacted systems and urges users to update immediately.

A federal court in St. Louis has indicted 14 North Korean nationals for a scheme generating $88 million to fund North Korea's weapons programs over six years. IT workers from North Korea-linked companies Yanbian Silverstar and Volasys Silver Star used false identities to secure remote jobs with US companies. They not only collected salaries but also stole sensitive data, threatening extortion. The Justice Department seized $1.5 million and 17 domains as part of the case. The scheme highlights cybersecurity risks and the misuse of remote work. US companies are urged to rigorously vet IT workers.
Rewards of up to $5 million are offered for leads on suspects. Authorities say they continue their efforts to thwart North Korea's attempts to bypass sanctions.

Texas Attorney General Ken Paxton has accused data broker Arity, owned by Allstate, of sharing sensitive consumer driving data without clear notice or consent. Arity gathers driving behavior data via SDKs embedded in partner apps such as MyRadar, GasBuddy and Life360, then sells it to insurers to inform pricing decisions. Texas alleges Arity violated its privacy law by failing to obtain affirmative consent and not providing opt-out options. Sensitive data collected includes geolocation and driving patterns, the state's investigation revealed. Arity's partnerships with apps often lack transparency, with some apps failing to disclose these relationships in their privacy policies. While MyRadar claims its data sharing is anonymized and opt-in, Texas accuses other apps of improperly sharing data. The broader investigation reflects growing scrutiny of data brokers exploiting consumer information, particularly in the automotive and insurance sectors.

Up next, Tim Starks from CyberScoop joins me to explore the FCC's proposal to introduce cybersecurity rules linked to wiretapping laws, and malicious bots are turning holiday shopping into a Hunger Games-style scramble for overpriced gifts. We'll be right back.
