Dave Bittner
You're listening to the Cyberwire Network. Powered by n2k.
Unknown Sponsor Voice
This episode is brought to you by Dutch Bros. Big smiles, rocking tunes and epic drinks. Dutch Bros is all about you. Choose from a variety of customizable handcrafted beverages like our Rebel Energy drinks, coffees, teas and more. Download the Dutch Bros app for a free medium drink, plus find your nearest shop, order ahead and start earning rewards. Offer valid for new app users only. Free medium drink reward upon registration. 14-day expiration; terms apply. See Dutchbros.com.
Dave Bittner
Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.
Dave Bittner
The US considers a ban on Chinese routers. More than 200 Cleo managed file transfer servers remain vulnerable. The AndroxGh0st botnet expands. Schneider Electric reports a critical vulnerability in some PLCs. A critical Apache Struts 2 vulnerability is being actively exploited. Malicious campaigns are targeting Chinese-branded IoT devices. A Nebraska-based healthcare insurer discloses a data breach affecting over 225,000. IntelBroker leaks 2.9 gigabytes of data from Cisco's DevHub environment. CISA issues a binding operational directive requiring federal agencies to enhance cloud security. On today's CertByte segment, Chris Hare and Dan Neville unpack a question targeting the Network+ certification, and Interpol says enough with the pig butchering. It's Wednesday, December 18th, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us. Great to have you with us, as always. The Wall Street Journal reports that the US government is considering a ban on TP-Link routers amid rising security concerns. Investigations by the Commerce, Defense and Justice departments suggest TP-Link routers, made by a China-based company, may pose national security risks.
A Microsoft report linked TP-Link devices to a Chinese hacking network targeting Western organizations. The devices dominate the US home and small business router segment, with a 65% market share. TP-Link routers are often shipped with unresolved security flaws, and the company reportedly doesn't cooperate with security researchers. The Justice Department is also probing whether TP-Link's low pricing strategy violates antitrust laws. The potential ban could disrupt the router market, which TP-Link has dominated due to affordability and partnerships with over 300 US Internet providers. TP-Link denies selling products below cost and insists on compliance with U.S. laws. While U.S. officials haven't disclosed evidence of deliberate collusion with Chinese state-sponsored hackers, concerns persist. TP-Link's founders remain connected to Chinese institutions conducting military cyber research despite efforts to rebrand as US-centric, including announcing a California headquarters. Critics see the company's ties to China as inseparable. If enacted, the ban would mark the largest removal of Chinese telecom equipment in the US since Huawei in 2019. Similar bans have been enacted in Taiwan and India, citing security risks. This move underscores the broader challenges of securing the telecommunications supply chain, with US officials acknowledging systemic vulnerabilities across the router market, including domestic brands. More than 200 Cleo managed file transfer servers remain vulnerable despite warnings of active mass attacks exploiting critical flaws in the software. These vulnerabilities allow attackers to execute arbitrary commands and exfiltrate data. Despite a December 11 patch, only 199 of the exposed servers are fully updated. The Clop ransomware group is suspected of exploiting these vulnerabilities, marking its fifth major file transfer software attack.
Organizations including retail and energy sectors have been targeted, with incidents involving significant data transfers to suspicious IPs. Researchers found attackers using Java-based remote access trojans for system reconnaissance, file exfiltration and command execution. Security experts urge users to patch immediately, review logs for post-exploitation indicators, and take vulnerable systems offline if necessary. Cleo has released updated fixes and logging mechanisms to address these threats, but systemic risks remain for unpatched systems. CloudSEK's XVigil platform has revealed a significant expansion of the AndroxGh0st botnet, now exploiting 27 vulnerabilities, up from 11 in November. The botnet has integrated with the IoT-focused Mozi botnet, targeting web servers, IoT devices and platforms like Cisco ASA, Atlassian Jira and PHP frameworks. Exploits include remote code execution, brute force attacks and credential stuffing, leveraging vulnerabilities in Sophos firewalls, TP-Link routers and more. The botnet's sophistication suggests coordinated control, potentially linked to Chinese CTF communities. This poses global risks of data breaches, ransomware and surveillance. A critical flaw in Schneider Electric Modicon controllers allows unauthenticated attackers to exploit port 502, compromising systems without user interaction. Rated 9.8 on the CVSS scale, this vulnerability impacts controllers used globally in critical infrastructure sectors like energy and manufacturing. With no patch yet available, users are advised to isolate devices from the public Internet, restrict access to port 502/TCP, segment networks and secure controllers physically. Schneider Electric says they are developing a remediation plan. A critical Apache Struts 2 vulnerability is being actively exploited, using public proof-of-concept exploits to identify vulnerable systems, affecting various Struts versions.
The flaw allows attackers to upload malicious files via path traversal, enabling remote code execution. Exploitation has been detected, with attackers deploying scripts to verify compromised systems. Apache urges users to upgrade and implement the new file upload mechanism, as patching alone is insufficient. Malicious campaigns are targeting Chinese-branded IoT devices, including Hikvision and Xiongmai web cameras and DVRs, exploiting weak passwords and unpatched vulnerabilities. The FBI warns of attacks using HiatusRAT, which scans devices with tools like Ingram to bypass authentication and inject commands. Active since July 2022, the malware has targeted IoT devices globally and US government servers. Many vulnerabilities remain unpatched. The FBI advises isolating vulnerable devices, enforcing strong passwords, enabling multi-factor authentication and promptly applying updates to mitigate risks. Nebraska-based healthcare insurer Regional Care disclosed a data breach affecting over 225,000 individuals. The breach, detected in mid-September, involved unauthorized access to an account, which was promptly shut down. An investigation revealed sensitive data including names, birth dates, Social Security numbers, medical and health insurance information had been compromised. Affected individuals are being offered free credit monitoring. Regional Care has not linked the breach to any ransomware group and provided limited additional details about the incident. IntelBroker has leaked 2.9 gigabytes of data from Cisco's DevHub environment, part of a larger 4.5-terabyte breach, raising concerns about the security of the tech giant. The breach, revealed in October 2024, exploited an exposed API token and involved sensitive data including source code, hard-coded credentials, encryption keys and customer-related resources. Allegedly, data from major corporations like Verizon and Microsoft was also compromised.
Cisco, while confirming the breach, stated its core systems remain unaffected and attributed the incident to a misconfigured developer environment. The company has disabled DevHub access, launched an investigation and engaged law enforcement. Cybersecurity experts emphasize this incident underscores the need for stronger access controls and monitoring of public-facing systems, as hackers increasingly validate breaches with partial leaks to attract buyers in underground markets. The US Cybersecurity and Infrastructure Security Agency has issued Binding Operational Directive 25-01, requiring federal agencies to enhance cloud security by adopting secure configuration baselines. The directive aims to mitigate risks from misconfigurations and weak controls by mandating compliance with CISA's Secure Cloud Business Applications, or SCuBA, standards. Agencies must identify cloud tenants and create an inventory by February 21, 2025, deploy SCuBA assessment tools by April 25, 2025, and implement mandatory SCuBA policies, including Microsoft Office 365 baselines, by June 20. Annual updates to cloud tenant inventories and continuous reporting are also required. CISA plans to maintain and update policies, assist agencies, and monitor compliance. While directed at federal agencies, CISA encourages broader adoption to bolster collective cybersecurity resilience. Meanwhile, the Office of the National Cyber Director and CISA released a playbook to guide federal grant managers and recipients on integrating cybersecurity into critical infrastructure projects. The Playbook for Strengthening Cybersecurity in Federal Grant Programs offers model language and recommendations for incorporating cybersecurity into grant-making processes and project assessments, reflecting Biden administration priorities like the Investing in America initiative. The Playbook emphasizes secure-by-design principles and critical infrastructure resilience.
While advisory, it encourages agencies and grant recipients to prioritize cybersecurity in upcoming infrastructure upgrades. Coming up after the break on today's CertByte segment, Chris Hare and Dan Neville unpack a question targeting the Network+ certification, and Interpol says enough with the pig butchering. Stay with us.
Chris Hare
And now a word from our sponsor, KnowBe4. It's all connected, and we're not talking conspiracy theories. When it comes to infosec tools, effective integrations can make or break your security stack. The same should be true for security awareness training. KnowBe4, provider of the world's largest library of security awareness training, provides a way to integrate your existing security stack tools to help you strengthen your organization's security culture. KnowBe4's SecurityCoach uses standard APIs to quickly and easily integrate with your existing security products from vendors like Microsoft, CrowdStrike and Cisco. With 35 vendor integrations and counting, SecurityCoach analyzes your security stack alerts to identify events related to any risky security behavior from your users. Use this information to set up real-time coaching campaigns targeting risky users based on those events from your network, endpoint, identity, or web security vendors. Then coach your users at the moment the risky behavior occurs, with contextual security tips delivered via Microsoft Teams, Slack or email. Learn more at knowbe4.com/SecurityCoach. That's knowbe4.com/SecurityCoach, and we thank KnowBe4 for sponsoring our show.
Dave Bittner
The IT world used to be simpler.
Chris Hare
You only had to secure and manage environments that you controlled.
Dave Bittner
Then came new technologies and new ways to work.
Chris Hare
Now employees, apps and networks are everywhere.
Dave Bittner
This means poor visibility, security gaps and added risk.
Chris Hare
That's why Cloudflare created the first ever Connectivity Cloud. Visit cloudflare.com to protect your business everywhere you do business.
Dave Bittner
On today's edition of our recurring CertByte segment, Chris Hare and Dan Neville look at a question targeting the Network+ certification.
Chris Hare
Hi everyone, it's Chris. I'm a content developer and project management specialist here at N2K Networks. I'm also your host for this week's edition of CertByte, where I share a practice question from our suite of industry-leading content and a study tip to help you achieve the professional certifications you need to fast-track your career growth in IT, cybersecurity and project management. Today's question targets the CompTIA Network+ exam, which entails both Exam ID N10-008, which launched on September 15, 2021, and Exam ID N10-009, which launched on June 20th of this year. This exam is targeted at those candidates who already hold an A+ certification and have about 9 to 12 months of networking experience. I have our Captain of CompTIA, Dan, here to help us out today. How are you today, Dan?
Dan Neville
Ooh, I love being Captain of CompTIA. Thanks, Chris. I appreciate you working with me on this one.
Chris Hare
Absolutely. So Dan, do you have any advice for anyone who is deciding which version of this exam they should take?
Dan Neville
Well, a lot of it depends on where you're at in your career. If you've been doing networking for a while, 008 is going to be an easier one for you because you'll have more experience. But if you want to be up on the latest and greatest topics and issues in networking, by all means go after the 009.
Chris Hare
That is great advice. So we're going to turn the tables and have you ask me the question. But before we do that, and while I muster up the moxie to answer it, I understand you have a 10-second study bit for this test. So what do you have for us?
Dan Neville
Okay, this is kind of a practical, sneaky thing. So the first few questions on the CompTIA exams are normally performance-based questions, and they take up a lot of time. What you ought to do is immediately mark those for review and address them at the end. And the same thing is going to go for any question that you can't answer in less than 30 seconds. Just mark it for review, come back to it in the end, and chances are you'll have seen something else that will help you with that answer.
Chris Hare
That's great. And there are a few exams that don't allow you to do that. So it's important that students know they should take advantage of that.
Dan Neville
Absolutely.
Chris Hare
Great. Awesome tip. So, Captain Dan, what do you have for me today?
Dan Neville
Okay, so here's the question. You need to check for open circuits and short circuits on your network. What tool should you use? Okay. And your choices are: you got a butt set, you got a toner probe, you got a protocol analyzer, and you got a cable tester.
Chris Hare
So which one? Got a lot of weird ones. Okay, so I think we need to first clarify that this question targets both versions of the Network+ exam, 008 and 009, and it's under the network troubleshooting objective. And it also applies to sub-objective 2 in the content outline, which has to do with troubleshooting cabling and other physical interface issues. Is that correct?
Dan Neville
You bet.
Chris Hare
All right. All that said, I don't know exactly what these options are, but let me address these in order, as I usually do. So for A, I think I recall from my telecom days that a butt set may have to do with telephones. And toner probe? No idea. Protocol analyzer: that sounds more process-based than testing for particular circuits. And finally, D, cable tester. That seems straightforward, as circuits are conducted through cable. So I'm going to guess D, cable tester.
Dan Neville
Wah. That's excellent. The correct answer is indeed D, cable tester.
Chris Hare
Right.
Dan Neville
That'll check for open circuits and short circuits on your network. So a cable tester includes an electrical current source, a voltmeter, and an interface for connecting with the cable. As you correctly pointed out, a butt set is used for telephone lines. So you got really close there.
Chris Hare
Okay.
Dan Neville
A toner probe identifies only a single cable on the network in a big bundle. And a protocol analyzer is software that allows you to view information about network communication protocols.
Chris Hare
Awesome. Thank you again for your question and great explanation. I thought this was interesting, but I read that CompTIA states that the Network+ exam is the only one on the market today that includes the core skills required to support networks in any environment. So what type of roles would you see the certification useful for?
Dan Neville
Probably systems administrator, network administrator, network support, even tech support roles.
Chris Hare
And are there any upcoming CompTIA practice tests or courses you'd like to promote here?
Dan Neville
Ooh, of course. Let's see. We got Cloud+ coming up very, very shortly in their new edition. IT Fundamentals has been rebranded to Tech+, so that'll be out shortly. PenTest+ later in the fall, and brand new SecurityX, which has the update to CASP+, that'll be out late in the fall or early next year. So we got a lot going on.
Chris Hare
Great. Thank you so much, Dan.
Dan Neville
Thank you. I appreciate it.
Chris Hare
And thank you for joining me for this week's CertByte. If you're actively studying for this certification and have any questions about certification study tips or even future certification questions you'd like to see, please feel free to email me at certbyte@n2k.com. That's C-E-R-T-B-Y-T-E at N-2-K dot com. If you'd like to learn more about N2K's practice tests, visit our website at n2k.com/certify for more resources, including our new N2K Pro offerings. Check out thecyberwire.com/pro. For sources and citations for this question, please check out our show notes. Happy certifying!
Dave Bittner
Be sure to visit our show notes for links to the practice test and other helpful resources that Chris and Dan talked about. And finally, Interpol wants to ditch the grim term "pig butchering" in favor of the less stigmatizing "romance baiting" to describe scams involving fake romances and fraudulent investments. The old term, coined by fraudsters themselves, likens victims to pigs fattened up for financial slaughter, a description that shames victims and deters them from seeking help. Instead, romance baiting highlights the emotional manipulation scammers use to gain trust and exploit victims. Interpol says words matter, drawing parallels to shifts in language around domestic abuse and sexual violence. By adopting victim-focused terminology, Interpol hopes to encourage reporting and put the spotlight on the criminals, not the victims. This push is part of their Think Twice campaign, which also tackles online threats like ransomware and phishing. Let's swap out victim-blaming language for empathy and hold scammers accountable for their despicable cons. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. This episode was produced by Liz Stokes. Our mixer is Trey Hester, with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf.
Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
CyberWire Daily: "Hacking Allegations and Antitrust Heat" Summary
Release Date: December 18, 2024
Host: Dave Bittner, CyberWire Network
Produced by: N2K Networks
The episode opens with a critical discussion on the U.S. government's potential ban on TP-Link routers due to escalating security fears and antitrust investigations. Authorities from the Commerce, Defense, and Justice departments are scrutinizing TP-Link, a China-based company, for possible national security risks. A recent Microsoft report has linked TP-Link devices to a Chinese hacking network targeting Western organizations.
Notable Quote:
"TP-Link routers are often shipped with unresolved security flaws, and the company reportedly doesn't cooperate with security researchers." – Dave Bittner [02:15]
Despite warnings about active mass attacks exploiting critical flaws, over 200 Cleo managed file transfer servers are still exposed. The vulnerabilities permit attackers to execute arbitrary commands and exfiltrate data.
Notable Quote:
"Researchers found attackers using Java-based remote access trojans for system reconnaissance, file exfiltration, and command execution." – Dave Bittner [05:50]
The AndroxGh0st botnet has significantly expanded, now exploiting 27 vulnerabilities, up from 11 in November. The botnet has merged with the IoT-focused Mozi botnet, targeting web servers, IoT devices, and platforms like Cisco ASA, Atlassian Jira, and PHP frameworks.
Notable Quote:
"The botnet's sophistication suggests coordinated control potentially linked to Chinese CTF communities." – Dave Bittner [09:20]
A severe flaw in Schneider Electric’s Modicon controllers allows unauthenticated attackers to exploit port 502, compromising systems without user interaction. Rated 9.8 on the CVSS scale, this vulnerability affects controllers used in critical infrastructure sectors like energy and manufacturing worldwide.
Notable Quote:
"With no patch yet available, users are advised to isolate devices from the public Internet, restrict access to port 502/TCP, segment networks and secure controllers physically." – Dave Bittner [11:00]
An active exploitation of a critical Apache Struts 2 vulnerability allows attackers to upload malicious files via path traversal, enabling remote code execution across various Struts versions.
Notable Quote:
"Exploitation has been detected with attackers deploying scripts to verify compromised systems." – Dave Bittner [12:30]
Malicious campaigns are increasingly targeting IoT devices like Hikvision and Xiongmai web cameras and DVRs by exploiting weak passwords and unpatched vulnerabilities. The FBI has identified malware such as HiatusRAT being used to bypass authentication and inject commands into these devices.
Regional Care, a Nebraska-based healthcare insurer, disclosed a data breach compromising over 225,000 individuals. The breach, detected in mid-September, involved unauthorized access to an account, resulting in the exposure of sensitive data, including Social Security numbers and medical information.
Notable Quote:
"Affected individuals are being offered free credit monitoring." – Dave Bittner [13:30]
A significant data leak by IntelBroker has exposed 2.9 gigabytes of data from Cisco's DevHub environment, part of a broader 4.5-terabyte breach. The incident highlights weaknesses in the tech giant's security controls.
Notable Quote:
"Cisco, while confirming the breach, stated its core systems remain unaffected and attributed the incident to a misconfigured developer environment." – Dave Bittner [14:45]
The Cybersecurity and Infrastructure Security Agency (CISA) has issued Binding Operational Directive 25-01, mandating federal agencies to enhance cloud security by adopting secure configuration baselines. This directive aims to mitigate risks from misconfigurations and weak controls.
Notable Quote:
"While directed at federal agencies, CISA encourages broader adoption to bolster collective cybersecurity resilience." – Dave Bittner [16:00]
In a significant linguistic shift, Interpol is moving away from the term "pig butchering" to "romance baiting" to describe scams involving fake relationships and fraudulent investments. This change aims to eliminate victim-shaming language and encourage more victims to seek help.
Notable Quote:
"Interpol says words matter, drawing parallels to shifts in language around domestic abuse and sexual violence." – Dave Bittner [22:10]
Conclusion:
The episode "Hacking Allegations and Antitrust Heat" delves deep into pressing cybersecurity issues, from potential government bans on widely-used networking hardware to intricate malware operations targeting critical infrastructure. The discussions highlight the evolving landscape of cyber threats and the proactive measures being taken by organizations and authorities to mitigate these risks. Notably, the shift in terminology advocated by Interpol underscores the importance of language in shaping public perception and support for cybersecurity initiatives.
For comprehensive insights and detailed analyses on these topics, listeners are encouraged to access the full episode through CyberWire Daily.