Transcript
Dave Bittner (0:02)
You're listening to the CyberWire Network, powered by N2K.
Unknown Sponsor Voice (0:09)
This episode is brought to you by Dutch Bros. Big smiles, rocking tunes and epic drinks. Dutch Bros is all about you. Choose from a variety of customizable handcrafted beverages like our Rebel Energy drinks, coffees, teas and more. Download the Dutch Bros app for a free medium drink, plus find your nearest shop, order ahead and start earning rewards. Offer valid for new app users only. Free medium drink reward upon registration. 14-day expiration; terms apply. See dutchbros.com.
Dave Bittner (0:42)
Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.

The US considers a ban on Chinese routers. More than 200 Cleo managed file transfer servers remain vulnerable. The AndroxGh0st botnet expands. Schneider Electric reports a critical vulnerability in some PLCs. A critical Apache Struts 2 vulnerability is being actively exploited. Malicious campaigns are targeting Chinese-branded IoT devices. A Nebraska-based healthcare insurer discloses a data breach affecting over 225,000. IntelBroker leaks 2.9 gigabytes of data from Cisco's DevHub environment. CISA issues a binding operational directive requiring federal agencies to enhance cloud security. On today's CertByte segment, Chris Hare and Dan Neville unpack a question targeting the Network+ certification. And Interpol says enough with the pig butchering.

It's Wednesday, December 18th, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us. Great to have you with us, as always.

The Wall Street Journal reports that the US government is considering a ban on TP-Link routers amid rising security concerns. Investigations by the Commerce, Defense and Justice departments suggest TP-Link routers, made by a China-based company, may pose national security risks. A Microsoft report linked TP-Link devices to a Chinese hacking network targeting Western organizations. The devices dominate the US home and small business router segment, with a 65% market share. TP-Link routers are often shipped with unresolved security flaws, and the company reportedly doesn't cooperate with security researchers. The Justice Department is also probing whether TP-Link's low pricing strategy violates antitrust laws. The potential ban could disrupt the router market, which TP-Link has dominated due to affordability and partnerships with over 300 US Internet providers. TP-Link denies selling products below cost and insists on compliance with US laws. While US officials haven't disclosed evidence of deliberate collusion with Chinese state-sponsored hackers, concerns persist. TP-Link's founders remain connected to Chinese institutions conducting military cyber research, despite efforts to rebrand as US-centric, including announcing a California headquarters. Critics see the company's ties to China as inseparable. If enacted, the ban would mark the largest removal of Chinese telecom equipment in the US since Huawei in 2019. Similar bans have been enacted in Taiwan and India, citing security risks. This move underscores the broader challenges of securing the telecommunications supply chain, with US officials acknowledging systemic vulnerabilities across the router market, including domestic brands.

More than 200 Cleo managed file transfer servers remain vulnerable despite warnings of active mass attacks exploiting critical flaws in the software. These vulnerabilities allow attackers to execute arbitrary commands and exfiltrate data. Despite a December 11 patch, only 199 of the exposed servers are fully updated. The Clop ransomware group is suspected of exploiting these vulnerabilities, marking its fifth major file transfer software attack. Organizations including retail and energy sectors have been targeted, with incidents involving significant data transfers to suspicious IPs. Researchers found attackers using Java-based remote access trojans for system reconnaissance, file exfiltration and command execution. Security experts urge users to patch immediately, review logs for post-exploitation indicators, and take vulnerable systems offline if necessary. Cleo has released updated fixes and logging mechanisms to address these threats, but systemic risks remain for unpatched systems.

CloudSEK's XVigil platform has revealed a significant expansion of the AndroxGh0st botnet, now exploiting 27 vulnerabilities, up from 11 in November. The botnet has integrated with the IoT-focused Mozi botnet, targeting web servers, IoT devices and platforms like Cisco ASA, Atlassian Jira and PHP frameworks. Exploits include remote code execution, brute force attacks and credential stuffing, leveraging vulnerabilities in Sophos firewalls, TP-Link routers and more. The botnet's sophistication suggests coordinated control, potentially linked to Chinese CTF communities. This poses global risks of data breaches, ransomware and surveillance.

A critical flaw in Schneider Electric Modicon controllers allows unauthenticated attackers to exploit port 502, compromising systems without user interaction. Rated 9.8 on the CVSS scale, this vulnerability impacts controllers used globally in critical infrastructure sectors like energy and manufacturing. With no patch yet available, users are advised to isolate devices from the public Internet, restrict access to port 502/TCP, segment networks and secure controllers physically. Schneider Electric says it is developing a remediation plan.

A critical Apache Struts 2 vulnerability is being actively exploited, using public proof-of-concept exploits to identify vulnerable systems, affecting various Struts versions. The flaw allows attackers to upload malicious files via path traversal, enabling remote code execution. Exploitation has been detected, with attackers deploying scripts to verify compromised systems. Apache urges users to upgrade and implement the new file upload mechanism, as patching alone is insufficient.

Malicious campaigns are targeting Chinese-branded IoT devices, including Hikvision and Xiongmai web cameras and DVRs, exploiting weak passwords and unpatched vulnerabilities. The FBI warns of attacks using HiatusRAT, which scans devices with tools like Ingram to bypass authentication and inject commands. Active since July 2022, the malware has targeted IoT devices globally and US government servers. Many vulnerabilities remain unpatched. The FBI advises isolating vulnerable devices, enforcing strong passwords, enabling multi-factor authentication and promptly applying updates to mitigate risks.

Nebraska-based healthcare insurer RegionalCare disclosed a data breach affecting over 225,000 individuals. The breach, detected in mid-September, involved unauthorized access to an account, which was promptly shut down. An investigation revealed sensitive data, including names, birth dates, Social Security numbers, and medical and health insurance information, had been compromised. Affected individuals are being offered free credit monitoring. RegionalCare has not linked the breach to any ransomware group and provided limited additional details about the incident.

IntelBroker has leaked 2.9 gigabytes of data from Cisco's DevHub environment, part of a larger 4.5-terabyte breach, raising concerns about the security of the tech giant. The breach, revealed in October 2024, exploited an exposed API token and involved sensitive data including source code, hard-coded credentials, encryption keys and customer-related resources. Allegedly, data from major corporations like Verizon and Microsoft was also compromised. Cisco, while confirming the breach, stated its core systems remain unaffected and attributed the incident to a misconfigured developer environment. The company has disabled DevHub access, launched an investigation and engaged law enforcement. Cybersecurity experts emphasize this incident underscores the need for stronger access controls and monitoring of public-facing systems, as hackers increasingly validate breaches with partial leaks to attract buyers in underground markets.

The US Cybersecurity and Infrastructure Security Agency has issued Binding Operational Directive 25-01, requiring federal agencies to enhance cloud security by adopting secure configuration baselines. The directive aims to mitigate risks from misconfigurations and weak controls by mandating compliance with CISA's Secure Cloud Business Applications, or SCuBA, standards. Agencies must identify cloud tenants and create an inventory by February 21, 2025, deploy SCuBA assessment tools by April 25, 2025, and implement mandatory SCuBA policies, including Microsoft Office 365 baselines, by June 20. Annual updates to cloud tenant inventories and continuous reporting are also required. CISA plans to maintain and update policies, assist agencies, and monitor compliance. While directed at federal agencies, CISA encourages broader adoption to bolster collective cybersecurity resilience.

Meanwhile, the Office of the National Cyber Director and CISA released a playbook to guide federal grant managers and recipients on integrating cybersecurity into critical infrastructure projects. The Playbook for Strengthening Cybersecurity in Federal Grant Programs offers model language and recommendations for incorporating cybersecurity into grant-making processes and project assessments, reflecting Biden administration priorities like the Investing in America initiative. The playbook emphasizes secure-by-design principles and critical infrastructure resilience. While advisory, it encourages agencies and grant recipients to prioritize cybersecurity in upcoming infrastructure upgrades.

Coming up after the break on today's CertByte segment, Chris Hare and Dan Neville unpack a question targeting the Network+ certification, and Interpol says enough with the pig butchering. Stay with us.
