Dave Buettner
You're listening to the CyberWire Network, powered by N2K. Quick question: do your end users always, and I mean always, without exception, work on company-owned devices and IT-approved apps? I didn't think so. So my next question is, how do you keep your company's data safe when it's sitting on all those unmanaged apps and devices? 1Password has an answer to this: Extended Access Management. 1Password Extended Access Management helps you secure every sign-in for every app on every device, because it solves the problems traditional IAM and MDM can't touch. And it's now available to companies with Okta and Microsoft Entra, and in beta for Google Workspace customers. Check it out at 1Password.com/cyberwire. That's 1Password.com/cyberwire.

The US dismantles the Rydox criminal marketplace. File sharing provider Cleo urges customers to immediately patch a critical vulnerability. A Japanese media giant reportedly paid nearly $3 million to a Russia-linked ransomware group. The largest Bitcoin ATM operator in the US confirms a data breach. Microsoft quietly patches two potentially critical vulnerabilities. Researchers at Claroty describe a malware tool used by nation-state actors to target critical IoT and OT systems. Dell releases patches for a pair of critical vulnerabilities. A federal court indicts 14 North Korean nationals for a scheme funding North Korea's weapons programs. Texas accuses a data broker of sharing sensitive driving data without consent. Tim Starks, senior reporter at CyberScoop, joins me to explore the FCC's groundbreaking proposal to introduce cybersecurity rules linked to wiretapping laws. And how the bots stole Christmas.

It's Friday, December 13, 2024. I'm Dave Buettner, and this is your CyberWire Intel Briefing.

Happy Friday, and thank you for joining us. It is great to have you here with us.

The US has dismantled Rydox, a marketplace for stolen personal data and fraud tools, and unsealed charges against its alleged administrators. Three suspects from Kosovo, Ardit Kutleshi, Jetmir Kutleshi and Shpend Sokoli, were arrested in a coordinated operation. Ardit and Jetmir were detained in Kosovo and await US extradition, while Sokoli was arrested in Albania and will be prosecuted there. Active since 2016, Rydox facilitated the sale of stolen personal data, credit card details and credentials from thousands of US victims. The site hosted over 18,000 users and sold over 321,000 cybercrime-related products, generating $230,000. US authorities seized the Rydox domain, its servers, in collaboration with Malaysian police, and $225,000 in cryptocurrency. Ardit and Jetmir face charges of identity theft, device fraud and money laundering, with potential decades-long sentences. Sokoli's arrest also led to the seizure of computers, phones and cryptocurrency.

Cleo has urged customers to immediately apply a patch for a critical vulnerability in its popular file sharing products Cleo Harmony, VLTrader and LexiCom, used by enterprises across industries. The issue was initially addressed in October, but researchers at Huntress found systems remained vulnerable. Cleo released a new patch Wednesday and is generating a new CVE. The vulnerability, exploited by sophisticated threat actors, has affected consumer products, shipping and retail supply chains, with 24 confirmed compromised organizations. Attackers have deployed malware named Malichus, using Cleo software for initial access and persistence. Notably, the Termite ransomware gang exploited this flaw, probably linked to the Cl0p gang. Huntress observed 160 vulnerable endpoints globally, with ransomware activity yet to emerge. Cybersecurity firms including Sophos and Arctic Wolf report primarily US-based retail victims. Experts credit rapid industry response with mitigating potential large-scale impacts.

Japanese media giant Kadokawa reportedly paid nearly $3 million to Russia-linked ransomware group BlackSuit following a major cyberattack in June. The hackers accessed 1.5 terabytes of data, including contracts, internal documents and employee personal information. Kadokawa's subsidiary Niconico temporarily shut down its live streaming platform due to the breach. Evidence of the payment includes emails from BlackSuit claiming receipt of the ransom and a $2.98 million cryptocurrency transaction discovered by security firm Unknown Technologies. The hackers initially demanded $8.25 million but allegedly agreed to $3 million, stating they would delete the stolen data. However, some information was leaked despite the payment. Kadokawa expects a $15 million fiscal loss due to the attack, amid criticism of its handling of the breach. The company faces a potential acquisition by Sony, which employees view as a positive change.

Byte Federal, the largest Bitcoin ATM operator in the US, confirmed a data breach affecting 58,000 customers. The breach, caused by a vulnerability in the third-party software GitLab, occurred in September of this year but was discovered on November 18. Compromised data includes names, addresses, Social Security numbers, transaction histories and more. Byte Federal secured the server, implemented additional protections and notified affected customers. While no misuse of data or funds has been reported, experts warn of potential phishing risks.

Microsoft announced the patching of two potentially critical vulnerabilities in Update Catalog and Windows Defender. These flaws have been fully mitigated and require no user action. The Windows Defender flaw, rated medium severity based on CVSS scores, could have allowed unauthorized disclosure of sensitive file content over a network due to improper index authorization. The Update Catalog vulnerability, involving deserialization of untrusted data, was a privilege escalation issue on the web server. Microsoft emphasized that neither flaw was disclosed publicly nor exploited before patching. The company is now assigning CVE identifiers to cloud service vulnerabilities for transparency, following industry trends; similar measures have been adopted by Google Cloud, reflecting growing emphasis on proactive security and communication about server-side vulnerabilities.

Researchers at Claroty's Team82 have identified IOCONTROL, a malware tool used by nation-state actors to target critical IoT and OT systems, including SCADA devices, linked to Iran's IRGC-CEC CyberAv3ngers group. IOCONTROL has compromised devices such as fuel management systems, IP cameras and PLCs from vendors like D-Link, Hikvision and Orpak. One campaign impacted US and Israeli fuel systems. The US Treasury has sanctioned IRGC-CEC officials and offers a $10 million bounty for information on those involved.

Dell disclosed two critical vulnerabilities affecting PowerFlex appliances and racks, InsightIQ and Data Lakehouse products. The first, with a CVSS score of 10.0, allows unauthenticated remote code execution through improper link resolution. The second, scoring 8.2, involves insecure storage of sensitive information, enabling high-privileged local attackers to access cluster pods. Dell has released patches for impacted systems and urges users to update immediately.

A federal court in St. Louis has indicted 14 North Korean nationals for a scheme generating $88 million to fund North Korea's weapons programs over six years. IT workers from the North Korea-linked companies Yanbian Silverstar and Volasys Silver Star used false identities to secure remote jobs with US companies. They not only collected salaries but also stole sensitive data, threatening extortion. The Justice Department seized $1.5 million and 17 domains as part of the case. The scheme highlights cybersecurity risks and the misuse of remote work. US companies are urged to rigorously vet IT workers. Rewards of up to $5 million are offered for leads on suspects. Authorities say they continue their efforts to thwart North Korea's attempts to bypass sanctions.

Texas Attorney General Ken Paxton has accused data broker Arity, owned by Allstate, of sharing sensitive consumer driving data without clear notice or consent. Arity gathers driving behavior data via SDKs embedded in partner apps such as MyRadar, GasBuddy and Life360, then sells it to insurers to inform pricing decisions. Texas alleges Arity violated its privacy law by failing to obtain affirmative consent and not providing opt-out options. Sensitive data collected includes geolocation and driving patterns, the state's investigation revealed. Arity's partnerships with apps often lack transparency, with some apps failing to disclose these relationships in their privacy policies. While MyRadar claims its data sharing is anonymized and opt-in, Texas accuses other apps of improperly sharing data. The broader investigation reflects growing scrutiny of data brokers exploiting consumer information, particularly in the automotive and insurance sectors.

Up next, Tim Starks from CyberScoop joins me to explore the FCC's proposal to introduce cybersecurity rules linked to wiretapping laws. And malicious bots are turning holiday shopping into a Hunger Games-style scramble for overpriced gifts. We'll be right back.
KnowBe4
And now a word from our sponsor, KnowBe4. It's all connected, and we're not talking conspiracy theories. When it comes to infosec tools, effective integrations can make or break your security stack. The same should be true for security awareness training. KnowBe4, provider of the world's largest library of security awareness training, provides a way to integrate your existing security stack tools to help you strengthen your organization's security culture. KnowBe4's SecurityCoach uses standard APIs to quickly and easily integrate with your existing security products from vendors like Microsoft, CrowdStrike and Cisco: 35 vendor integrations and counting. SecurityCoach analyzes your security stack alerts to identify events related to any risky security behavior from your users. Use this information to set up real-time coaching campaigns targeting risky users based on those events from your network, endpoint, identity or web security vendors. Then coach your users at the moment the risky behavior occurs, with contextual security tips delivered via Microsoft Teams, Slack or email. Learn more at knowbe4.com/securitycoach. That's knowbe4.com/securitycoach, and we thank KnowBe4 for sponsoring our show.
Dave Buettner
Identity architects and engineers: modernize your identity systems with Strata. Integrate legacy apps with any IdP, ensure seamless identity failover and apply MFA without touching app code. Strata offers robust, efficient identity management, reducing tech debt and enhancing security. Gain peace of mind and operational efficiency with Strata's comprehensive solutions. Visit strata.io/cyberwire. Share your biggest identity challenge and enjoy free AirPods Pro. Optimize your identity solutions today. Visit strata.io/cyberwire, and our thanks to Strata for being a longtime friend and supporter of this podcast.

It is always my pleasure to welcome back to the show Tim Starks. He is a senior reporter at CyberScoop. Tim, welcome back.
Tim Starks
It is always my pleasure to be back.
Dave Buettner
Well, interesting story that you've written here for CyberScoop. This is about the FCC, for the first time, proposing cybersecurity rules in response to this wiretapping situation. Unpack this for us, Tim. What's going on?
Tim Starks
Yeah, so there have been some calls from Capitol Hill in response to this very monumental, big-deal hack of the telecom providers in the United States, and also, it turns out, elsewhere, by the Chinese hacking group known as Salt Typhoon. And they had been asking the FCC to put in place some security requirements connected to the wiretapping law, known colloquially as CALEA. Communications Assistance for Law Enforcement Act, I believe, is what it stands for. And the reason they asked for this is because the hackers seem to have exploited that backdoor system for wiretapping requests inside of telecommunications companies, and they may have gotten access to some pretty secret info as a result. You know, there have been some calls from the Hill. And now, you know, the FCC had originally, between Jessica Rosenworcel and Brendan Carr, the person who's the current chair and the person who's about to be the chair, been a little noncommittal about this, but now the chairwoman is going forward with this and saying we need to do this immediately. Essentially, this rule would go into effect right away, as soon as they voted on it.
Dave Buettner
And what sort of things are they calling for here?
Tim Starks
Essentially they're saying you need to hit a baseline of security under and connected to CALEA or you're going to face fines, potentially criminal punishment. But I'm thinking fines would probably be the way they'd go.
Dave Buettner
It's interesting to me, I suppose, and a lot of folks are probably scratching their heads, to think that these sorts of things weren't already in place for something as critical as a backdoor into our communication systems.
Tim Starks
Yeah, I mean, it's, you know, it's a good kind of common sense thing on its surface. Right. It certainly, with the benefit of hindsight, makes you scratch your head and say, why weren't we doing this already? But, you know, one of the interesting things about cybersecurity over the many, many years I've covered it is how much things I think look obvious after they're hacked. I think that if you go to, let's say, 2016, I always think of this example. There had been a couple instances of hackers going after political campaigns, presidential campaigns, but they hadn't been that big of a news until 2016. And then everybody kind of goes, well, we should have known, we should have done better. And I'm not second-guessing anybody, by the way, who thinks we should have done something by now. That's just me saying that. I think it's a combination of hindsight and, yeah, probably should have been doing this.
Dave Buettner
Anything noteworthy about the fact that this is flowing through the FCC?
Tim Starks
I mean, it's noteworthy that they're acting after just such a short time of it being discussed. And then just a couple weeks ago they were saying, we're not sure we want to do this yet. To go from that to 0 to 60, essentially, is pretty fast. To go from that kind of level of non-committalness to not only are we putting forward this proposal, we're putting it forward and we're hoping to vote on it immediately, essentially. So that's pretty noteworthy to me. I think it'll be interesting to see what happens. Brendan Carr, the incoming nominee for FCC chair, has been a China hawk. He has talked about the need to do something about these Salt Typhoon breaches. But we don't know for sure yet what he wants to do. And we haven't seen the commissioners' vote on this. Of course, it's a very fresh proposal. It just started circulating yesterday, according to the FCC. So we're moving pretty fast. But it's still not exactly clear what the path is going forward. But that'll take a little time to find out. But it doesn't seem like it's going...
Dave Buettner
...to take very long. And probably, based on what you just said, something that will survive the transition to the next presidential administration?
Tim Starks
Yeah. And for what it's worth, if you talk about what's noteworthy about this, this is the first time that there's been this kind of thing happening. I mean, it's the first time that they've ever put in place anything cybersecurity-related under this wiretapping law. There is a tiny provision of CALEA that they're exploiting to say that they have the authority to do this. So, in their mind, they've had the authority to do this, and now they're just actually doing it.
Dave Buettner
Has there been any talk of any sort of liability for the telecoms themselves for having not protected this already?
Tim Starks
You know, there's always the risk of that. I've not heard much talk of that myself. You know, I think one of the issues we're having is we just still don't know really how deep and how bad this got. So, you know, we know some of the targets; we know it was a broad cyber espionage campaign. To hear an FBI official who spoke to reporters on background this week, including me, tell it, there was no definitive "this is the only way they were going after this" under CALEA; it was part of a very broad espionage campaign. But we know that they hit, or tried to hit, the actual president-elect and the then nominees for president when this was first unfolding. So I think we'd have to see first who really suffers. And with any breach, there's always a lawsuit that comes out. Always somebody files something; they don't always go very well, to be honest. There have been very few cases of major import where liability has been established and a court has said, yep, you're liable, you owe them this much money. It's not as frequent as you might think, or at least as what I might think. It seems like a lot of those cases don't go anywhere. Not all of them, but a lot of them.
Dave Buettner
Yeah. And of course, a lot of folks have been kind of wagging their fingers and saying, when it comes to back doors, I told you so. Do you think we'll see any movement of the needle in that category?
Tim Starks
Yeah, there's always been this, and here's another sort of interesting thing that's come out this past week about this. When CISA and FBI and the NSA and a bunch of other agencies around the world put together some guidance about what needs to happen in response to this, they said you need to encrypt your systems, you need to use encrypted apps. We always have this tug of war, with the people on the pro-security side saying encryption is the way to go. There's always been this dichotomy in the government, and we're seeing it now, where with one hand they're saying everybody should encrypt what they're doing, and on the other hand, they're saying we need a way in to catch criminals and do all the other stuff we need to do to keep our nation safe. So there's always this tug of war between encryption good, encryption bad. And we're seeing it yet again as of this week.
Dave Buettner
Yeah. All right, well, Tim Starks is senior reporter at CyberScoop. Tim, thanks so much for sharing your insights.
Tim Starks
Yeah, thank you.
Dave Buettner
And finally, this Christmas the Grinch isn't stealing presents. He's programming bots. According to Imperva, 71% of shoppers in the UK blame malicious bots for ruining their holiday cheer by scalping the season's hottest gifts. These sneaky bots snatch up stock faster than Santa can load a sleigh, leaving parents with two options: overpaying on resale sites or settling for the dreaded alternative gift. A staggering 19% of shoppers reported paying more for replacements, while 10% succumbed to inflated prices on secondary marketplaces. Imperva's Tim Ayling warns that AI-powered bots are turbocharging the chaos, scalping gifts at record speed. The result? Disappointed kids, frustrated parents, and a retailer reputation nosedive. But retailers don't have to play the victim. Imperva suggests bot-fighting strategies like rate limiting, blocking outdated browsers, and sniffing out headless browsers. With these tips, retailers might just save Christmas and keep the bots on the naughty list.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Andrew Morris, founder and CTO of GreyNoise. We're discussing their research, "GreyNoise Intelligence discovers zero-day vulnerabilities in live streaming cameras with the help of AI." That's Research Saturday. Check it out.

We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment: your people. We make you smarter about your teams while making your team smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Dave Buettner. Thanks for listening. We'll see you back here next week.
CyberWire Daily: "Hackers in Handcuffs" – December 13, 2024
Host: N2K Networks
In the December 13, 2024 episode of CyberWire Daily titled "Hackers in Handcuffs," host Dave Buettner delivers a comprehensive roundup of the latest cybersecurity developments. The episode covers significant law enforcement actions against cybercriminals, critical vulnerabilities affecting major vendors, data breaches, and emerging threats from nation-state actors. A standout feature of this episode is an interview with Tim Starks, Senior Reporter at CyberScoop, who discusses the Federal Communications Commission's (FCC) proposal linking cybersecurity regulations to wiretapping laws. Additionally, the episode highlights the growing menace of malicious bots disrupting holiday shopping. Below are the key quotes from each story.
Notable Quote:
"Active since 2016, Rydox facilitated the sale of stolen personal data, credit card details and credentials from thousands of US victims."
— Dave Buettner [00:02]
Notable Quote:
"Attackers have deployed malware named Malichus, using Cleo software for initial access and persistence."
— Dave Buettner [00:02]
Notable Quote:
"Kadokawa expects a $15 million fiscal loss due to the attack, amid criticism of its handling of the breach."
— Dave Buettner [00:02]
Notable Quote:
"Byte Federal secured the server, implemented additional protections and notified affected customers."
— Dave Buettner [00:02]
Notable Quote:
"Microsoft is assigning CVE identifiers to Cloud service vulnerabilities for transparency following industry trends."
— Dave Buettner [00:02]
Notable Quote:
"IOCONTROL has compromised devices such as fuel management systems, IP cameras and PLCs from vendors like D-Link, Hikvision and Orpak."
— Dave Buettner [00:02]
Notable Quote:
"Dell has released patches for impacted systems and urges users to update immediately."
— Dave Buettner [00:02]
Notable Quote:
"The scheme highlights cybersecurity risks and the misuse of remote work."
— Dave Buettner [00:02]
Notable Quote:
"Arity gathers driving behavior data via SDKs embedded in partner apps... then sells it to insurers to inform pricing decisions."
— Dave Buettner [00:02]
In-Depth Interview with Tim Starks, Senior Reporter at CyberScoop
Notable Quotes:
"There's always this tug of war between the people on the pro security side saying encryption is the way to go... and on the other hand, they're saying we need a way in to catch criminals."
— Tim Starks [21:26]
"This is the first time that there's been this kind of thing happening... it's the first time that they've ever put in place anything cybersecurity related under this wiretapping law."
— Tim Starks [19:40]
Notable Quote:
"AI powered bots are turbocharging the chaos, scalping gifts at record speed."
— Dave Buettner [00:02]
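The three bot countermeasures Imperva names in this story (rate limiting, blocking outdated browsers, and spotting headless browsers) as a worked example over access-log lines. This is an added illustration for this page, not Imperva's product code or anything from the episode; the log line format, the request threshold and window, the browser version floors and the headless-browser markers are all assumptions, and the sample traffic is constructed.

```python
"""Bot triage over web-server access logs (added example, not from the episode).

It applies the three countermeasures named in the story, per-client rate
limiting, blocking outdated browsers and spotting headless browsers, to a few
constructed log lines. Log format, thresholds, version floors and headless
markers are assumptions chosen for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed log shape: <client ip> [<ISO 8601 time>] "<method> <path>" "<user agent>"
LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] "([^"]*)" "([^"]*)"$')
# Markers common headless automation stacks leave in the User-Agent (assumed list).
HEADLESS_RE = re.compile(r"HeadlessChrome|PhantomJS|Puppeteer|Playwright|Selenium", re.I)
# Browser family and major version; \b keeps "HeadlessChrome/" from matching as "Chrome/".
BROWSER_RE = re.compile(r"\b(Chrome|Firefox)/(\d+)")
# Assumed version floors: older builds are treated as outdated and blocked.
MIN_MAJOR = {"Chrome": 110, "Firefox": 110}


def parse_line(line):
    """Return a dict for one log line, or None if it does not fit the assumed shape."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ip, ts, request, ua = m.groups()
    return {"ip": ip, "time": datetime.fromisoformat(ts), "request": request, "ua": ua}


def is_headless(ua):
    """True when the User-Agent carries a known headless-automation marker."""
    return HEADLESS_RE.search(ua) is not None


def is_outdated(ua):
    """True when a recognised browser family reports a major version below its floor."""
    m = BROWSER_RE.search(ua)
    if m is None:
        return False  # unrecognised family: nothing to judge
    family, major = m.group(1), int(m.group(2))
    return major < MIN_MAJOR[family]


def triage(log_text, max_requests=5, window_seconds=10):
    """Map each client IP to the sorted list of reasons it would be blocked.

    Lines must be in time order per IP; the rate check is a sliding window that
    flags a client once it exceeds max_requests within window_seconds.
    """
    flags = defaultdict(set)
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ip, now = rec["ip"], rec["time"]
        if is_headless(rec["ua"]):
            flags[ip].add("headless")
        if is_outdated(rec["ua"]):
            flags[ip].add("outdated")
        window = recent[ip]
        window.append(now)
        while (now - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > max_requests:
            flags[ip].add("rate_limit")
    return {ip: sorted(reasons) for ip, reasons in flags.items()}


# Constructed sample traffic (not real data); IPs are from documentation ranges.
NORMAL_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36")
HEADLESS_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) HeadlessChrome/131.0.0.0 Safari/537.36")
OLD_UA = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36")


def _line(ip, ts, request, ua):
    return f'{ip} [{ts}] "{request}" "{ua}"'


SAMPLE_LOG = "\n".join(
    [
        _line("203.0.113.7", "2024-12-13T09:00:00", "GET /product/toy-1", NORMAL_UA),
        _line("203.0.113.7", "2024-12-13T09:00:04", "POST /cart/add", NORMAL_UA),
        _line("198.51.100.9", "2024-12-13T09:00:00", "POST /cart/add", HEADLESS_UA),
        _line("192.0.2.44", "2024-12-13T09:00:01", "GET /product/toy-1", OLD_UA),
    ]
    # one client hammering add-to-cart six times in six seconds
    + [_line("192.0.2.88", f"2024-12-13T09:00:0{i}", "POST /cart/add", NORMAL_UA) for i in range(6)]
)

if __name__ == "__main__":
    for ip, reasons in triage(SAMPLE_LOG).items():
        print(ip, ", ".join(reasons))
```

On the sample traffic the ordinary shopper at 203.0.113.7 is left alone, the headless client, the Chrome 49 client and the add-to-cart hammerer are each flagged for one reason. Two caveats a practitioner would add: the User-Agent is entirely client-controlled, so the headless and version checks only catch bots that do not bother to set a normal string, and a per-IP window alone misses scalpers spread across residential proxy pools. Production bot management keys rate limits on session and device signals as well, and adds behavioural and challenge-based checks on top of these.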
The "Hackers in Handcuffs" episode of CyberWire Daily provides a thorough examination of current cybersecurity challenges, law enforcement actions against cybercriminals, and emerging threats impacting both corporations and consumers. The insightful discussions, particularly regarding the FCC's regulatory proposals, offer valuable perspectives for industry leaders and cybersecurity professionals. As the landscape evolves, staying informed through such detailed briefings remains crucial for maintaining robust security postures.
Stay Informed:
For more detailed insights and updates on these stories, visit CyberWire. Don't forget to check out the upcoming Research Saturday featuring Andrew Morris, Founder and CTO of GreyNoise, discussing their latest research on zero-day vulnerabilities in live-streaming cameras.
Credits:
Produced by Liz Stokes
Mixed by Tré Hester
Original Music and Sound Design by Elliott Peltzman
Executive Producer: Jennifer Eiben
Executive Editor: Brandon Karpf
President: Simone Petrella
Publisher: Peter Kilpe
Host: Dave Buettner