Dave Bittner
You're listening to the CyberWire Network, powered by N2K. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at AI.domo.com. That's AI.domo.com. DeepSeek blames DDoS for outages. Hackers behind last year's AT&T data breach targeted members of the Trump family, Kamala Harris and Marco Rubio's wife. The EU sanctions Russians for cyber attacks against Estonia, and ENGlobal confirms personal information was taken in last year's ransomware attack. CISA issues a critical warning about a SonicWall vulnerability actively exploited. A large scale phishing campaign exploits users' trust in PDF files and the US Postal Service. Apple patches a zero day affecting many of their products. A ransomware attack on an Ohio based operator of skilled nursing and rehabilitation facilities affects over 70,000. President Trump has a tumultuous first week back in office. Our guest is Bogdan Botezatu, director of Threat Research and Reporting at Bitdefender, discussing the dark market subculture and its parallels to holiday shopping. And a nonprofit aims to clean up the AI industry's mess. It's Tuesday, January 28th, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today. It is great to have you with us. Chinese AI company DeepSeek attributed a registration outage to a cyber attack on its servers, which it believes was a DDoS attack. While existing users remain unaffected, new user registrations were temporarily halted.
This comes as DeepSeek faces scrutiny over security vulnerabilities in its open source R1 AI model, which the company touts as competitive with OpenAI's ChatGPT and Google's Gemini. Security firm KELA reported successfully jailbreaking R1 using methods like Evil Jailbreak and Leo, which have been patched in other models. The firm also demonstrated R1's capability to fabricate sensitive data, such as personal details of OpenAI employees. KELA highlighted R1's unreliability, calling its outputs inaccurate and potentially harmful. The incident has raised concerns about privacy and data security, especially given the geopolitical context of Chinese tech. Experts urge users to question data origins, ownership and ethical training practices, echoing broader fears over foreign AI platforms. As a side note, Ben Thompson at Stratechery has written an excellent explainer of DeepSeek and why it matters. We'll have a link to that in the show notes. Hackers behind the 2024 AT&T data breach targeted phone records tied to prominent individuals, including members of the Trump family, Kamala Harris and Marco Rubio's wife. According to sources cited by 404 Media, the breach, which impacted nearly all AT&T customers' call and text metadata from May through October 2022, poses significant national security risks. Hackers plan to create a paid lookup tool for the stolen data, which they enriched using publicly available resources to associate phone numbers with names. The breach exploited an AT&T instance of Snowflake, a data warehousing tool. Despite the severity of the attack, concerns have been raised about FCC Chairman Brendan Carr's leniency toward telecom companies. Senator Ron Wyden criticized AT&T's lax security and called for encrypted communications services to replace traditional telecom offerings to prevent future incidents. The European Union sanctioned three Russian GRU officers for 2020 cyberattacks against Estonia.
They allegedly hacked Estonian ministries, stealing classified data, health records and sensitive business information. The EU claims the attacks aimed to undermine Estonia's security and cyber capabilities. The men are tied to Unit 29155, which is associated with global espionage and sabotage, including the WhisperGate malware, and is accused of targeting other EU states and Ukraine. The sanctions mark a response to escalating cyber threats. ENGlobal Corporation, a major supplier to the energy sector, confirmed that personal information was compromised in a November 2024 ransomware attack. Systems were taken offline, limiting access to essential operations for six weeks. Initially, ENGlobal reported encrypted data but did not disclose theft. A new SEC filing revealed sensitive personal information was accessed, though details on the breach's scope remain unclear. The company has since restored systems and resumed normal operations. ENGlobal stated the attack had no material financial impact but has not identified the threat actor responsible. CISA has issued a critical warning about a vulnerability in SonicWall SMA1000 appliances that allows remote attackers to execute commands without authentication, with a CVSS score of 9.8. This flaw, exploited in the wild, impacts multiple versions of SonicWall's appliances. SonicWall has released a hotfix to address the issue and advises immediate updates. Organizations unable to patch should restrict AMC and CMC access to trusted IPs. This flaw's exploitation risks full system compromise, emphasizing urgent mitigation. A large scale phishing campaign exploits users' trust in PDF files and the US Postal Service to steal credentials and sensitive data. According to Zimperium researchers, attackers send SMS messages with malicious PDFs mimicking USPS communications, embedding hidden phishing links to bypass security tools.
Victims are directed to fake USPS sites, where they provide personal and payment information under the guise of resolving delivery issues. Zimperium found over 20 malicious PDFs and 630 phishing pages targeting users across 50. This tactic leverages the assumption that PDFs are safe, exploiting their widespread use in business. Attackers also impersonate other delivery services like UPS and FedEx. Experts warn that inadequate mobile security and limited visibility into file contents make such campaigns effective. Apple has patched a zero day vulnerability exploited in the wild, affecting iPhones, iPads, Macs and other devices. The flaw, a use after free issue in the Core Media component, could allow rogue apps to elevate privileges and gain system control. While details of the exploitation remain sparse, Apple confirmed it targeted older iOS versions before iOS 17.2. The fix is available in multiple updates for multiple platforms. Affected devices include iPhone XS and later, various iPad models, Apple Vision Pro and Apple Watch Series 6 or newer. Additional vulnerabilities patched include issues allowing unauthorized code execution via AirPlay, privilege escalation and Safari address bar spoofing. Users are strongly advised to update to protect against potential exploits targeting unpatched devices. HCF Management, an Ohio based operator of skilled nursing and rehabilitation facilities, is notifying 70,000 individuals affected by a ransomware attack in fall of last year. The Russian speaking RansomHub gang claims to have stolen and published 250 gigabytes of data. The breach affected multiple facilities, with Heritage Healthcare reporting the largest impact and Hempfield Manor most affected among single sites. HCF discovered unauthorized access on October 3, 2024 and later determined attackers infiltrated its systems on September 17, stealing residents' personal and medical data, including Social Security numbers and health insurance details.
The company engaged forensic experts and secured its network, but now faces at least two federal class action lawsuits alleging negligence. It remains unclear if the attackers encrypted HCF's systems during the breach. In his first week back in office, President Trump shook up the nation's cybersecurity and governance landscape with a series of controversial executive orders, according to a report from Krebs on Security. Among the most dramatic moves, he fired all members of the Cyber Safety Review Board, a bipartisan body created to investigate major cyber incidents. The CSRB had produced key reports on crises like Log4Shell and the 2023 Microsoft Exchange breach and was in the midst of investigating Chinese cyber intrusions targeting US telecoms when Trump dismissed its advisors. Critics likened the move to halting airline crash investigations mid flight. Meanwhile, Trump dismantled a Biden era order on artificial intelligence safety, replacing it with a new AI action plan led by venture capitalist David Sacks. The plan focuses on maintaining US AI dominance but raises concerns due to Trump's personal ties to cryptocurrency, including his family's recent ventures into meme coins. Trump also pardoned January 6 rioters and revoked Biden's disinformation governance policies. An organized crime task force. These sweeping changes left many security experts questioning the future of federal cyber defense and governance under Trump's administration. Coming up after the break, my conversation with Bogdan Botezatu, director of threat research and reporting at Bitdefender. We're talking about the dark market subculture. And a nonprofit aims to clean up the AI industry's mess. Stay with us. Still getting around to that fix on your car? You've got this. On eBay, you'll find millions of parts guaranteed to fit.
Doesn't matter if it's a major engine repair or your first time swapping your windshield wiper, eBay has that part you need, ready to click perfectly into place. For changes big and small, loud or quiet, find all the parts you need at prices you'll love. Guaranteed to fit every time. But you already know that. eBay. Things people love. Eligible items only. Exclusions apply. And now a message from our sponsor Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise, with an 18% year over year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust + AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI powered automation, and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com/security. Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers, so I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe, now at a special discount for our listeners. Today, get 20% off your DeleteMe plan when you go to JoinDeleteMe.com/N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com/N2K and enter code N2K at checkout. That's JoinDeleteMe.com/N2K, code N2K. Bogdan Botezatu is director of Threat Research and Reporting at Bitdefender. I recently sat down with him to discuss dark market subcultures and parallels to holiday shopping.
Bogdan Botezatu
Well, a dark market is a closed marketplace that's usually anonymized on what we call the dark web. These markets are not your regular run of the mill stores because they sell usually prohibited goods and services like maybe drugs, weapons, assassination as a service and so on. So these markets are like online stores but for crime.
Dave Bittner
And how does one find themselves invited or a part of this or accepted in this particular community?
Bogdan Botezatu
Well, there are a couple of ways you could become part of this community. I'm not endorsing these, so this is strictly educational. Right. I warned you. So the thing is that these dark markets sell prohibited goods and services, as I said. But these goods and services have slowly become mass market products like drugs, right? Pills, you name it. And there's an increasingly high demand for these products. So whoever has access to the goods has taken one step further and moved their business online. There is no drug selling at the corner now. Everything can be done pretty much more comfortably through a dark market. So with that being said, I would say that there are two different types of dark markets. There are the restricted ones, the highly restrictive ones that grant access to people based on vetting or formal introduction from a previous customer.
Dave Bittner
Right.
Bogdan Botezatu
And these markets sell the best of the best. If you manage to get into such a market, you could buy pretty much anything from bulk drugs to advanced weaponry to, I don't know, hit tanks with. There's another type of dark market that's a little bit less restrictive. It usually involves sales of recreational drugs in small quantities, stolen accounts, maybe credit cards and so on. So these markets are a little bit more permissive. You only need to know the URL you are looking for and then you can set up an account and you'll be ready to buy in no time. Of course, the more transactions you make on that market, the more your reputation increases. But given the fact that these services are anonymized and the payment mechanisms are also anonymized, there's little friction when it comes to meeting with a potential customer. So these markets are less restrictive. They allow people to get into business easier than very secretive and very restrictive dark markets that require vetting or introduction.
Dave Bittner
And to what degree does law enforcement take interest in these markets?
Bogdan Botezatu
These dark markets pose a real threat to people because they normally sell things that should be kept away from people. Drugs are an issue, child pornography is an issue, stolen accounts are an issue, credit cards are an issue, and so on. So the police will normally lurk on these dark markets, but they don't have the necessary amount of skill and free time to go after each and every one. So they will choose markets that are high stakes, that deal with most cybercrime, or low hanging fruit, markets that are easy to de anonymize and close. So probably the dark markets you have accounts on are monitored by the police and it's a matter of time until these will gain a little bit more attention from law enforcement.
Dave Bittner
And I suppose it's fair to say that these markets are hosted in places that are willing to turn a blind eye to what's going on.
Bogdan Botezatu
Normally they're hosted on the Tor network. These dark markets have this huge benefit of getting anonymity from a technology that has been designed for anonymity and privacy. Even if the dark web, the Tor network, is a technology that's been online for quite a while now, it's still difficult to de anonymize. And cybercriminals are taking advantage of technology to keep their business online but away from prying eyes at the same time. Yes, there's a different type of market that we call markets that sit on the deep web. These are specialized forums on the Internet. They have a URL that resolves in a normal browser. You don't need to have the Tor browser installed or any special software. These markets have a login page and they allow people to see what's going on inside only after they have set up an account. Some new accounts are not able to make transactions for a specific time until they get a little bit of a reputation. Some others are allowed to see just several categories. And these are normally markets that deal with e crime, stolen accounts, malware, maybe ransomware creation kits and so on, but nothing too fancy.
Dave Bittner
Yeah, it always strikes me as interesting, you know, that one of the, I guess, high risk areas of all this is that if you're buying illicit goods online, at some point physical items have to be delivered. And so, you know, for example, here in the US we'd be dealing with the US Postal Service and there are postal inspectors and they take these things very seriously.
Bogdan Botezatu
Yes, they do. And it's amazing how this business works given the fact that eventually goods have to exchange hands. I'm a little bit more worried about giving my home address to a guy that sells guns and anti tank missiles. But hey, it's just me. No, joking aside, I saw this amazing presentation two years ago at DEFCON with a dark web operator who was disclosing how he did business in the United States through the postal services. And yeah, operational security is an issue, but with the proper protection, it's possible that these goods will exchange hands in safety. Right, but once again, I'm not advocating for these services. And please be aware that when everybody is placing an order, you don't have the chance to talk to customer service. You get the chance to talk to a highly expert criminal who has been doing this for quite a while.
Dave Bittner
For the folks who have the responsibility of protecting an organization, the CISOs of the world, where does this play into their defensive posture? Is this sort of thing just something to keep an eye on, to monitor that this isn't something that your users are frequenting. What are your recommendations there?
Bogdan Botezatu
Normally CISOs, for instance, monitor any kind of activity that involves the Tor browser and the Darknet, because whenever connections to the Darknet are being initialized, there's one of two possibilities. Either your data is being exfiltrated by some malware that connects to a Darknet command and control center, or your users are involved in physical crime that might reflect badly on the company. If you have employees who are browsing drug markets, or, I don't know, different other markets that deal with very, very specialized imagery. Right. You don't want to have your business or your IP address associated with this kind of activity.
Dave Bittner
Yeah. So hitting the Tor network is a big old red flag.
Bogdan Botezatu
Yes. And normally it should be blocked as much as possible at the gateway level because there's nothing good coming out of Tor, unless you're a journalist or a media organization or some law enforcement, right? But if you're just a regular company, there's no need to have access to the Tor network enabled from a normal network.
Dave Bittner
That's Bogdan Botezatu from Bitdefender. We have a link to their research in our show notes. Do you know the status of your compliance controls right now? Like, right now? We know that real time visibility is critical for security, but when it comes to our GRC programs, we rely on point in time checks. But get this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist: Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off. And finally, AI coding assistants are revolutionizing programming, but their mystery box training data raises ethical questions. Enter Software Heritage, a nonprofit on a mission to clean up the AI industry's mess. Think of them as the Marie Kondo of code. They've collected over 22 billion source files from platforms like GitHub to create the world's largest repository of ethically sourced code. Their new initiative, Code Commons, aims to make AI training datasets transparent, reproducible and accountable. But it's not all smooth sailing. Cleaning up AI's data pipeline is like untangling a million pairs of headphones. Software Heritage must unify messy metadata, build opt out tools for developers, and ensure that training data aligns with open source licenses. The team has big dreams, including creating a tool to flag when AI outputs resemble existing code. While it's an uphill battle, they are determined to steer AI development in a responsible direction. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive editor is Jennifer Eiben. Our executive producer is Brandon Karp. Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Dave Bittner
Cyber threats are evolving every second, and staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit threatlocker.com today to see how a default deny approach can keep your company safe and compliant.
CyberWire Daily Podcast Summary: "It was DDoS, not us." Release Date: January 28, 2025 | Host: Dave Bittner | Produced by N2K Networks
In the January 28, 2025 episode of CyberWire Daily titled "It was DDoS, not us," host Dave Bittner delves into a series of significant cybersecurity events shaping the industry. The episode features an in-depth interview with Bogdan Botezatu, Director of Threat Research and Reporting at Bitdefender, who explores the intricate world of dark markets and their implications for global cybersecurity.
The episode kicks off with a rapid-fire news segment covering critical incidents and developments:
DeepSeek DDoS Attack: Chinese AI firm DeepSeek attributes a recent registration outage to a Distributed Denial of Service (DDoS) attack. This disruption temporarily halted new user registrations, although existing users remained unaffected. The incident coincides with rising scrutiny over DeepSeek's security vulnerabilities in its open-source R1 AI model, which rivals offerings from OpenAI and Google.
AT&T Data Breach: Hackers responsible for last year's AT&T data breach have targeted sensitive phone records linked to high-profile individuals, including members of the Trump family, Kamala Harris, and Marco Rubio’s wife. The breach, occurring between May and October 2022, exposed call and text metadata for nearly all AT&T customers. Experts warn of significant national security risks stemming from this extensive data compromise.
EU Sanctions on Russian Cyber Actors: In response to the 2020 cyberattacks against Estonia, the European Union has sanctioned three Russian GRU officers linked to Unit 29155. These officers are accused of orchestrating sophisticated attacks aimed at undermining Estonia's security and espionage efforts across multiple EU states and Ukraine.
ENGlobal Ransomware Attack: ENGlobal Corporation, a key player in the energy sector, disclosed that personal information was compromised during a November 2024 ransomware attack. Over 70,000 individuals have been affected, with sensitive medical and personal data, including Social Security numbers, being exposed.
SonicWall Vulnerability: The Cybersecurity and Infrastructure Security Agency (CISA) issued a critical warning concerning a severe vulnerability in SonicWall SMA1000 appliances (CVSS score: 9.8). This flaw permits remote command execution without authentication, urging organizations to apply immediate patches or restrict access to trusted IPs.
Large-Scale Phishing Campaign: A sophisticated phishing operation exploits users' trust in PDF files and the US Postal Service by sending deceptive SMS messages containing malicious PDFs. These files redirect victims to counterfeit USPS websites designed to steal personal and payment information.
Apple Zero-Day Patch: Apple addressed a zero-day vulnerability affecting multiple devices, including iPhones, iPads, and Macs. This "use after free" flaw allows unauthorized privilege escalation, and the company has released updates to mitigate the risk.
Ohio-Based Ransomware Impact: A ransomware attack on HCF Management, an operator of skilled nursing and rehabilitation facilities, resulted in unauthorized access to personal and medical data of over 70,000 individuals. The Russian-affiliated RansomHub gang claimed responsibility, threatening to release 250 gigabytes of stolen data.
Guest: Bogdan Botezatu, Director of Threat Research and Reporting at Bitdefender
Topic: Exploring the dark market subculture and its cybersecurity implications
Bogdan Botezatu provides a comprehensive overview of dark markets, highlighting their role as clandestine platforms for illicit trade:
[15:38] Bogdan Botezatu: "A dark market is a closed marketplace that's usually anonymized on what we call the dark web... these markets are like online stores but for crime."
Bogdan differentiates between highly restrictive and more permissive dark markets:
[16:17] Bogdan Botezatu: "There are two different types of dark markets. Restricted ones require vetting or formal introductions and sell high-end illicit goods, while less restrictive markets allow easier access, catering to mass-market illicit items like recreational drugs and stolen data."
The discussion shifts to the interaction between dark markets and law enforcement:
[19:02] Bogdan Botezatu: "These dark markets pose a real threat... police will normally lurk on these dark markets, but they don't have the necessary amount of skill and free time to go after each and every one."
Bogdan offers strategic advice for Chief Information Security Officers (CISOs) on monitoring and mitigating risks associated with dark markets:
[23:56] Bogdan Botezatu: "CISOs should monitor any activity involving the Tor browser and the Darknet... Blocking access at the gateway level is essential unless it's necessary for specific organizational roles like journalism or law enforcement."
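The monitoring advice above can be turned into a concrete gateway check. The following Python script is an added illustration written for this summary; it is not code from the episode, from Bitdefender, or from any tool mentioned on the page. It assumes the defender already maintains a list of known Tor relay addresses (the sample list here is constructed from RFC 5737 documentation ranges) and that the firewall emits log lines in a hypothetical `src=... dst=... dport=... action=...` format. It flags outbound connections from internal hosts that either hit a listed relay or use Tor's default ORPort/DirPort (9001/9030), and rolls the findings up per source host so an analyst knows which machines to look at first.

```python
"""Flag outbound connections to the Tor network in firewall logs.

Added example (not from the podcast or Bitdefender). Assumptions are
labelled inline: the relay list, the log format and the sample lines
are all constructed for this illustration.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed relay list (RFC 5737 documentation addresses). A real deployment
# would refresh this from a published Tor relay feed; none is named on the page.
KNOWN_TOR_RELAYS = {"203.0.113.10", "198.51.100.77", "192.0.2.200"}

# Tor's default ORPort and DirPort. Many relays also listen on 443, so the port
# heuristic is lower confidence than a relay-list match and is labelled as such.
TOR_DEFAULT_PORTS = {9001, 9030}

INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Hypothetical firewall log format used only for this example.
LOG_RE = re.compile(
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)\s+action=(?P<action>\w+)"
)


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    dport: int
    action: str
    reason: str  # "known-tor-relay" (high confidence) or "tor-default-port" (lower)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(line: str):
    """Return a Finding for an outbound Tor-looking connection, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None  # unparseable line: ignore rather than crash the sweep
    src, dst, dport, action = m["src"], m["dst"], int(m["dport"]), m["action"]
    # Only outbound traffic from internal hosts matters for this check.
    if not is_internal(src) or is_internal(dst):
        return None
    if dst in KNOWN_TOR_RELAYS:
        reason = "known-tor-relay"
    elif dport in TOR_DEFAULT_PORTS:
        reason = "tor-default-port"
    else:
        return None
    return Finding(src, dst, dport, action, reason)


def scan(lines):
    """Run classify() over every log line and keep the hits, in input order."""
    return [f for f in (classify(line) for line in lines) if f is not None]


def hosts_to_investigate(findings, min_hits=1):
    """Count findings per internal source host; a denied hit still counts,
    because a blocked Tor attempt is itself the signal worth triaging."""
    counts = Counter(f.src for f in findings)
    return {host: n for host, n in counts.items() if n >= min_hits}


# Constructed sample log lines for the illustration.
SAMPLE_LOGS = [
    "2025-01-28T10:01:02Z fw src=10.1.4.23 dst=203.0.113.10 dport=443 action=allow",
    "2025-01-28T10:01:05Z fw src=10.1.4.23 dst=198.51.100.5 dport=443 action=allow",
    "2025-01-28T10:02:11Z fw src=10.1.7.9 dst=192.0.2.77 dport=9001 action=allow",
    "2025-01-28T10:03:40Z fw src=10.1.4.23 dst=198.51.100.77 dport=9030 action=deny",
    "2025-01-28T10:04:00Z fw src=198.51.100.5 dst=10.1.4.23 dport=22 action=deny",
    "malformed line with no fields",
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOGS)
    for hit in hits:
        print(f"{hit.src} -> {hit.dst}:{hit.dport} [{hit.action}] {hit.reason}")
    print("hosts to investigate:", hosts_to_investigate(hits))
```

The relay-list match fires even when the connection uses port 443, which is the case a port-only rule would miss; the port-only match is kept as a lower-confidence signal for relays not yet in the list. A denied connection is still reported, since the gateway block that the interview recommends only removes the traffic, not the question of why an internal host tried to reach Tor in the first place.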
Beyond the interview, the episode touches on the efforts of Software Heritage, a nonprofit dedicated to cleaning up the AI industry's data practices:
Mission and Initiatives: Software Heritage has amassed over 22 billion source files from platforms like GitHub to create the world's largest repository of ethically sourced code. Their initiative, Code Commons, seeks to ensure AI training datasets are transparent, reproducible, and accountable.
Challenges: The organization faces significant hurdles, including unifying messy metadata, developing opt-out tools for developers, and aligning training data with open-source licenses. Their ambitious goal includes creating tools to detect when AI-generated outputs resemble existing code, promoting responsible AI development.
[25:23] Dave Bittner: "AI coding assistants are revolutionizing programming, but their mystery box training data raises ethical questions. Enter Software Heritage, a nonprofit on a mission to clean up the AI industry's mess."
Evolving Threat Landscape: The cybersecurity landscape continues to evolve with sophisticated attacks targeting both corporate and individual data across various sectors.
Dark Markets as Persistent Threats: Dark markets represent a significant and ongoing threat, facilitating the trade of illicit goods and services while posing challenges for law enforcement and organizational security.
Importance of Proactive Defense: CISOs and security professionals must adopt proactive measures, including monitoring for dark web activities and patching vulnerabilities promptly, to safeguard their organizations.
Ethical AI Development: Initiatives like those undertaken by Software Heritage are crucial in ensuring that AI development progresses responsibly, with transparent and ethically sourced data.
DeepSeek Analysis by Ben Thompson: An insightful explainer on DeepSeek and its significance, available through the podcast's show notes.
Links to All Stories: Access comprehensive coverage of today's stories and additional insights by visiting the daily briefing at thecyberwire.com.
Listeners are encouraged to share their thoughts and feedback to help the CyberWire team deliver pertinent and timely cybersecurity insights. Rating and reviewing the podcast on your preferred platform, filling out the survey in the show notes, or emailing cyberwire@n2k.com are excellent ways to contribute.
Produced by: Liz Stokes
Mixer: Tré Hester
Music and Sound Design: Elliott Peltzman
Executive Editor: Jennifer Eiben
Executive Producer: Brandon Karp
President: Simone Petrella
Publisher: Peter Kilpe
Host: Dave Bittner
Stay informed and secure with CyberWire Daily, your source for the latest in cybersecurity news and analysis.