Transcript
Dave Bittner (0:02)
You're listening to the CyberWire Network, powered by N2K. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at AI.domo.com. That's AI.domo.com.

DeepSeek blames DDoS for outages. Hackers behind last year's AT&T data breach targeted members of the Trump family, Kamala Harris, and Marco Rubio's wife. The EU sanctions Russians for cyber attacks against Estonia, and ENGlobal confirms personal information was taken in last year's ransomware attack. CISA issues a critical warning about a SonicWall vulnerability actively exploited. A large-scale phishing campaign exploits users' trust in PDF files and the US Postal Service. Apple patches a zero-day affecting many of their products. A ransomware attack on an Ohio-based operator of skilled nursing and rehabilitation facilities affects over 70,000. President Trump has a tumultuous first week back in office. Our guest is Bogdan Botezatu, director of threat research and reporting at Bitdefender, discussing the dark market subculture and its parallels to holiday shopping. And a nonprofit aims to clean up the AI industry's mess.

It's Tuesday, January 28th, 2025. I'm Dave Bittner, and this is your CyberWire Intel Brief. Thanks for joining us here today. It is great to have you with us.

Chinese AI company DeepSeek attributed a registration outage to a cyber attack on its servers, which it believes was a DDoS attack. While existing users remain unaffected, new user registrations were temporarily halted. This comes as DeepSeek faces scrutiny over security vulnerabilities in its open-source R1 AI model, which the company touts as competitive with OpenAI's ChatGPT and Google's Gemini. Security firm KELA reported successfully jailbreaking R1 using methods like Evil Jailbreak and Leo, which have been patched in other models. The firm also demonstrated R1's capability to fabricate sensitive data, such as personal details of OpenAI employees. KELA highlighted R1's unreliability, calling its outputs inaccurate and potentially harmful. The incident has raised concerns about privacy and data security, especially given the geopolitical context of Chinese tech. Experts urge users to question data origins, ownership, and ethical training practices, echoing broader fears over foreign AI platforms. As a side note, Ben Thompson at Stratechery has written an excellent explainer of DeepSeek and why it matters. We'll have a link to that in the show notes.

Hackers behind the 2024 AT&T data breach targeted phone records tied to prominent individuals, including members of the Trump family, Kamala Harris, and Marco Rubio's wife. According to sources cited by 404 Media, the breach, which impacted nearly all AT&T customers' call and text metadata from May through October 2022, poses significant national security risks. Hackers plan to create a paid lookup tool for the stolen data, which they enriched using publicly available resources to associate phone numbers with names. The breach exploited an AT&T instance of Snowflake, a data warehousing tool. Despite the severity of the attack, concerns have been raised about FCC Chairman Brendan Carr's leniency toward telecom companies. Senator Ron Wyden criticized AT&T's lax security and called for encrypted communications services to replace traditional telecom offerings to prevent future incidents.

The European Union sanctioned three Russian GRU officers for 2020 cyberattacks against Estonia. They allegedly hacked Estonian ministries, stealing classified data, health records, and sensitive business information. The EU claims the attacks aimed to undermine Estonia's security and cyber capabilities. The men are tied to Unit 29155, which is associated with global espionage and sabotage, including the WhisperGate malware, and is accused of targeting other EU states and Ukraine. The sanctions mark a response to escalating cyber threats.

ENGlobal Corporation, a major supplier to the energy sector, confirmed that personal information was compromised in a November 2024 ransomware attack. Systems were taken offline, limiting access to essential operations for six weeks. Initially, ENGlobal reported encrypted data but did not disclose theft. A new SEC filing revealed sensitive personal information was accessed, though details on the breach's scope remain unclear. The company has since restored systems and resumed normal operations. ENGlobal stated the attack had no material financial impact but has not identified the threat actor responsible.

CISA has issued a critical warning about a vulnerability in SonicWall SMA1000 appliances that allows remote attackers to execute commands without authentication, with a CVSS score of 9.8. This flaw, exploited in the wild, impacts multiple versions of SonicWall's appliances. SonicWall has released a hotfix to address the issue and advises immediate updates. Organizations unable to patch should restrict AMC and CMC access to trusted IPs. This flaw's exploitation risks full system compromise, emphasizing urgent mitigation.

A large-scale phishing campaign exploits users' trust in PDF files and the US Postal Service to steal credentials and sensitive data, according to Zimperium researchers. Attackers send SMS messages with malicious PDFs mimicking USPS communications, embedding hidden phishing links to bypass security tools. Victims are directed to fake USPS sites, where they provide personal and payment information under the guise of resolving delivery issues. Zimperium found over 20 malicious PDFs and 630 phishing pages targeting users across 50. This tactic leverages the assumption that PDFs are safe, exploiting their widespread use in business. Attackers also impersonate other delivery services like UPS and FedEx. Experts warn that inadequate mobile security and limited visibility into file contents make such campaigns effective.

Apple has patched a zero-day vulnerability exploited in the wild, affecting iPhones, iPads, Macs, and other devices. The flaw, a use-after-free issue in the Core Media component, could allow rogue apps to elevate privileges and gain system control. While details of the exploitation remain sparse, Apple confirmed it targeted older iOS versions before iOS 17.2. The fix is available in multiple updates for multiple platforms. Affected devices include iPhone XS and later, various iPad models, Apple Vision Pro, and Apple Watch Series 6 or newer. Additional vulnerabilities patched include issues allowing unauthorized code execution via AirPlay, privilege escalation, and Safari address bar spoofing. Users are strongly advised to update to protect against potential exploits targeting unpatched devices.

HCF Management, an Ohio-based operator of skilled nursing and rehabilitation facilities, is notifying 70,000 individuals affected by a ransomware attack in fall of last year. The Russian-speaking RansomHub gang claims to have stolen and published 250 gigabytes of data. The breach affected multiple facilities, with Heritage Healthcare reporting the largest impact and Hempfield Manor most affected among single sites. HCF discovered unauthorized access on October 3, 2024, and later determined attackers infiltrated its systems on September 17, stealing residents' personal and medical data, including Social Security numbers and health insurance details. The company engaged forensic experts and secured its network, but now faces at least two federal class action lawsuits alleging negligence. It remains unclear if the attackers encrypted HCF's systems during the breach.

In his first week back in office, President Trump shook up the nation's cybersecurity and governance landscape with a series of controversial executive orders, according to a report from Krebs on Security. Among the most dramatic moves, he fired all members of the Cyber Safety Review Board, a bipartisan body created to investigate major cyber incidents. The CSRB had produced key reports on crises like Log4Shell and the 2023 Microsoft Exchange breach, and was in the midst of investigating Chinese cyber intrusions targeting US telecoms when Trump dismissed its advisors. Critics likened the move to halting airline crash investigations mid-flight. Meanwhile, Trump dismantled a Biden-era order on artificial intelligence safety, replacing it with a new AI action plan led by venture capitalist David Sacks. The plan focuses on maintaining US AI dominance but raises concerns due to Trump's personal ties to cryptocurrency, including his family's recent ventures into meme coins. Trump also pardoned January 6 rioters and revoked Biden's disinformation governance policies. An organized crime task force. These sweeping changes left many security experts questioning the future of federal cyber defense and governance under Trump's administration.

Coming up after the break, my conversation with Bogdan Botezatu, director of threat research and reporting at Bitdefender. We're talking about the dark market subculture. And a nonprofit aims to clean up the AI industry's mess. Stay with us.

Still getting around to that fix on your car? You got this. On eBay, you'll find millions of parts guaranteed to fit. Doesn't matter if it's a major engine repair or your first time swapping your windshield wiper, eBay has that part you need, ready to click perfectly into place. For changes big and small, loud or quiet, find all the parts you need at prices you'll love. Guaranteed to fit every time. But you already know that. eBay. Things people love. Eligible items only. Exclusions apply.

And now a message from our sponsor Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise, by an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust and AI stops attackers by hiding your attack surface, making apps and IPs invisible; eliminating lateral movement, connecting users only to specific apps, not the entire network; continuously verifying every request based on identity and context; simplifying security management with AI-powered automation; and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com/security.

Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers, so I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports, so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe now at a special discount for our listeners. Today, get 20% off your DeleteMe plan when you go to JoinDeleteMe.com/N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com/N2K and enter code N2K at checkout. That's JoinDeleteMe.com/N2K, code N2K.

Bogdan Botezatu is director of threat research and reporting at Bitdefender. I recently sat down with him to discuss dark market subcultures and parallels to holiday shopping.
