Dave Bittner
You're listening to the Cyberwire Network.
Perry Carpenter
Powered by N2K.
Mason Amadeus
This episode is brought to you by Dutch Bros. Big smiles, rocking tunes and epic drinks. Dutch Bros is all about you. Choose from a variety of customizable handcrafted beverages like our Rebel Energy drinks, coffees, teas and more. Download the Dutch Bros app for a free medium drink, plus find your nearest shop, order ahead and start earning rewards. Offer valid for new app users only. Free medium drink reward upon registration. 14-day expiration; terms apply. See Dutchbros.com.
Dave Bittner
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.

A cyber attack in Rhode Island targets those who applied for government assistance programs. U.S. senators propose a $3 billion budget item to rip and replace Chinese telecom equipment. The Clop ransomware gang confirms exploiting vulnerabilities in Cleo's managed file transfer platforms. A major Southern California health care provider suffers a ransomware attack. A leading U.S. auto parts provider discloses a cyber attack on its Canadian business unit. SRP Federal Credit Union notifies over 240,000 individuals of a cyber attack. A sophisticated phishing campaign targets YouTube creators. Researchers identify a high severity vulnerability in Mullvad VPN. A horrific dark web forum moderator gets 30 years in prison. Our guests are Perry Carpenter and Mason Amadeus, hosts of the new Fake Files podcast. And jailbreaking your license plate.

December 16, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today. It is great to have you with us.

A cyber attack on Rhode Island's RI Bridges system has potentially exposed sensitive personal information of hundreds of thousands of people who applied for government assistance programs since 2016, including SNAP, Medicaid, and other social services.
Hackers, part of an international cybercrime group, threatened to release the data unless paid, though this was classified as extortion rather than ransomware. Highly sensitive details like Social Security and bank account numbers may have been stolen. The breach was confirmed on December 10 after hackers provided evidence to Deloitte, the system's vendor. Malicious code was found, prompting officials to shut down the system to mitigate further risk. State officials, along with Deloitte and law enforcement, are investigating. Impacted individuals will receive free credit monitoring and access to support. Benefits for December were distributed, but new applications must be filed on paper for now. Open enrollment for health insurance continues, with enrollment unaffected so far.

The $3 billion added to the 2025 National Defense Authorization Act for removing Chinese-made telecom equipment is being framed as a critical step in preventing breaches like the Salt Typhoon cyber espionage campaign. Salt Typhoon, linked to Chinese government hackers, has highlighted vulnerabilities in U.S. networks, especially those relying on Huawei and ZTE equipment. The FCC previously identified a $3 billion funding gap in its rip and replace program, which aims to remove such technology from 126 carriers' systems. Without full funding, rural carriers remain exposed, lacking resources to upgrade or replace compromised equipment. Salt Typhoon's success against major operators underscores the risks for smaller networks with fewer defenses. Senators from both parties stressed the urgency of securing networks. While some criticized expanding FCC regulations, others highlighted the need for swift action to eliminate known vulnerabilities. The Salt Typhoon attacks serve as a stark reminder: securing telecom infrastructure is a matter of national security.
The Clop ransomware gang has confirmed to BleepingComputer their involvement in exploiting vulnerabilities in Cleo's managed file transfer platforms, including Harmony, VLTrader and LexiCom. The attacks utilized a zero-day vulnerability that Cleo initially patched in October. However, cybersecurity firm Huntress discovered last week that the patch was incomplete, allowing attackers to bypass it, upload backdoors and steal data. While Cleo did not publicly disclose prior exploits, BleepingComputer reports, Clop admitted responsibility, linking the attacks to their previous methods, including similar exploits in the MOVEit breaches.

A ransomware attack on PIH Health, a Southern California healthcare provider serving over 3 million residents, has disrupted IT systems, impacting hospitals, urgent care centers, pharmacies and more. Cybercriminals claim to have stolen 17 million patient records and threaten to publish 2 terabytes of sensitive data unless a deal is made. PIH Health confirmed it's working with forensic specialists and law enforcement, but has not acknowledged the hackers' claims publicly. The attack has forced PIH to rely on downtime procedures, delaying test results, surgeries and prescription refills. Online services, including appointment scheduling, are unavailable. The breach could become one of the largest healthcare data breaches this year if the hackers' claims are verified. Cybersecurity experts warn that such attacks will persist without stronger federal intervention, including measures like pre-authorized traffic filtering and comprehensive national privacy laws. PIH also faced a phishing breach in 2020, leading to lawsuits.

Meanwhile, ConnectOnCall.com, a Phreesia subsidiary offering communications tools for healthcare providers, experienced a data breach affecting 914,000 individuals.
The breach, lasting from February 16 through May 12 of this year, exposed sensitive data including patient names, phone numbers, medical record numbers, health conditions and prescription details. Social Security numbers of some individuals were also compromised. The platform was taken offline, immediately investigated by third-party cybersecurity experts, and later relaunched with enhanced security. Affected individuals received notifications, with credit monitoring offered to those whose Social Security numbers were exposed.

LKQ Corporation, a leading U.S. auto parts provider, disclosed a cyberattack on its Canadian business unit, causing weeks of disruption starting November 13. LKQ, which operates in 24 countries with 45,000 employees, reported the incident in an SEC filing, stating the unit is now near full capacity and the threat has been contained. The company does not expect significant financial impact and plans to seek reimbursement through cybersecurity insurance. No threat actors have claimed responsibility.

SRP Federal Credit Union is notifying over 240,000 individuals about a cyber attack that exposed sensitive personal information including names, Social Security numbers, driver's license details and financial data. The breach occurred between September 5th and November 4th of this year and was discovered after the credit union secured its systems and reviewed compromised files. While SRP has no evidence of misuse, it is offering one year of free identity protection services to affected individuals. The ransomware group Nitrogen, active since September 2024, has claimed responsibility, alleging it stole 650 GB of data and is selling it online. SRP has not confirmed the nature of the attack, but reported the incident to law enforcement and attorneys general in Texas and Maine. Founded in 1960, SRP serves over 200,000 members across Georgia and South Carolina with a workforce of 400 employees.
CloudSEK has uncovered a sophisticated phishing campaign targeting YouTube creators, leveraging fake brand collaboration emails to steal accounts and spread scams. Scammers use specialized tools to scrape email addresses from YouTube channels and send bulk phishing emails via browser automation. These emails, posing as lucrative collaboration offers, include attachments disguised as contracts or promotional materials hosted on platforms like OneDrive. Protected by passwords to appear legitimate, the malicious attachments often contain malware hidden within files. Once downloaded, the malware can steal login credentials, financial data, intellectual property, or grant remote access to attackers. Over 200,000 creators have been targeted, with attackers using hundreds of SMTP servers to execute the campaign globally. YouTube creators are advised to verify unsolicited collaboration offers, avoid downloading suspicious attachments, and confirm the sender's legitimacy directly with the brand.

Security researchers at X41 D-Sec have identified high severity vulnerabilities in Mullvad VPN, including race conditions and temporal safety violations in its signal handler code. These flaws could lead to memory corruption and potential code execution if an attacker triggers a signal at the right moment, though exploitation is complex. Additionally, a DLL sideloading vulnerability in Mullvad's Windows installer could allow attackers to execute malicious code during installation. Mullvad users are urged to update their software to mitigate the risks.

The depths of human depravity are truly staggering sometimes. Robert Schuss, a 37-year-old Texan, has been sentenced to 30 years in prison for his heinous crimes against children. This monster ran a dark web forum where pedophiles could exchange and discuss child sex abuse material, including videos and images of babies and toddlers.
He personally abused one child for six years, creating hundreds of instances of CSAM with the boy, and even bribed the child's family with gifts and money. But that's not all. Schuss also secretly recorded two other minors and asked two others to send him naked pictures of themselves. The FBI found over 117,000 CSAM images and 1,100 videos on his computers and storage drives. This is a man who has no regard for human life or dignity and has spent years preying on the most vulnerable members of society. The U.S. Attorney aptly described Schuss as the embodiment of evil, and it's hard to disagree with that assessment. His crimes are a stark reminder of the importance of holding perpetrators accountable for their actions and the need for law enforcement to remain vigilant in protecting our children from these monsters. In addition to the 30 years in the slammer, Schuss will now face 10 years of supervised release, pay $153,000 in restitution to his victims, and be registered as a sex offender for life. But even this may not be enough to bring justice to those he has harmed.

Coming up after the break, my conversation with Perry Carpenter and Mason Amadeus about their new podcast right here on the N2K CyberWire network, the Fake Files podcast. And we'll talk about digital license plates, because sometimes even your car wants to go incognito. We'll be right back.

And now a word from our sponsor, KnowBe4. It's all connected, and we're not talking conspiracy theories. When it comes to infosec tools, effective integrations can make or break your security stack. The same should be true for security awareness training. KnowBe4, provider of the world's largest library of security awareness training, provides a way to integrate your existing security stack tools to help you strengthen your organization's security culture.
KnowBe4's SecurityCoach uses standard APIs to quickly and easily integrate with your existing security products from vendors like Microsoft, CrowdStrike and Cisco. 35 vendor integrations and counting. SecurityCoach analyzes your security stack alerts to identify events related to any risky security behavior from your users. Use this information to set up real-time coaching campaigns targeting risky users based on those events from your network, endpoint, identity, or web security vendors. Then coach your users at the moment the risky behavior occurs with contextual security tips delivered via Microsoft Teams, Slack or email. Learn more at knowbe4.com/securitycoach. That's knowbe4.com/securitycoach, and we thank KnowBe4 for sponsoring our show.

The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now employees, apps and networks are everywhere. This means poor visibility, security gaps, and added risk. That's why Cloudflare created the first ever Connectivity Cloud. Visit cloudflare.com to protect your business everywhere you do business.
Dave Bittner
Perry Carpenter and Mason Amadeus are co-hosts of the new Fake Files podcast right here on the N2K CyberWire network. I recently caught up with them for a preview of the show. All right, well, gentlemen, we are here to talk about your new endeavor. This is the Fake Files podcast. Why don't we start off with some high-level stuff here. Perry, I'm going to give you the honors. Can you tell us what prompted you to take on this new podcast?
Perry Carpenter
Oh, nice. I don't know if that was an intentional pun, but you used the word prompt, which has to do with large language models, which has to do with AI, which has to do with the podcast.
Dave Bittner
I only wish I were that clever.
Perry Carpenter
Well, you should still claim credit so we can cut that part out.
Dave Bittner
Sure.
Perry Carpenter
I mean, the thing that prompted it was I was in this mindset of trying to figure out how to use my time, like we do when we hit this age. And I had just released a book called FAIK, which is all about deepfakes, disinformation and AI-generated deceptions, and was trying to figure out how do I continue my focus going down the AI road, which naturally converges with my focus around deception and social engineering and cybersecurity. And I was also trying to figure out, like, what do I do with this other podcast that I have, 8th Layer Insights, which is all about the intersection of humanity and security or technology or whatever spin you want to put on that. But it's the human condition as it tries to deal with the fact that technology is rapidly advancing, and that creates a lot of interesting strain. And as I was trying to figure that out, everything really started to come together because Mason, who is the co-host on another podcast that we have called Digital Folklore, and who was actually the creator of the name FAIK for the book, he came up with that idea because we were talking about deepfakes and cheap fakes, but with this, there's AI in the middle. And so as I was trying to think about, like, how do I combine all these interests and make a sustainable thing that is going to be fun for me, interesting for other people to listen to, everything came together in the idea of the Fake Files podcast, which is actually an offshoot not only of the book, but an audio miniseries, a 10-part audio miniseries that Mason and I did to follow along with the chapter structure of the book and to dramatize some of the stories. And it just seemed like by the time we got to the end of that, it's like, oh, this is a chemistry that we have and a way of doing things that could become very self-sustaining, even at a pace much faster than I was able to produce 8th Layer Insights episodes.
Dave Bittner
Well, Mason, for our listeners, can you give us a little taste of what we can expect here from the show?
Mason Amadeus
Yeah, absolutely. We're kind of exploring anywhere that AI intersects with humanity. So it's a very broad thing. I think the best way to describe it would be the vibe of it is kind of like a morning radio show with Perry and me as your hosts, breaking down either the latest news topics or doing some demonstrations of different AI tools, with a focus on making it accessible for a wider audience. Because me, my background in sort of creative media, a lot of digital artists right now are pretty contentious. Like, a lot of the opinions around AI are very contentious in the art community as generative AI came on the scene. But a lot of people are just really scared to engage with the technology. And like, a lot of my friends and colleagues just haven't even, like, used ChatGPT. And so I think just bridging the gap between what feels like something that's inaccessible. Which I know is a little bit ironic, because, like, working in natural language with computers for the first time is the most intuitive and easy thing. But people are still sort of hesitant to engage with AI, and so making that a space for everyone to be a part of and learn. And also I'm wrestling with my own complicated feelings about AI as someone in the creative space. Being able to type a couple words and have a really good-looking picture, or at this point even music and sound effects, be generated is a big deal.
Dave Bittner
It kind of reminds me of, you know, that old saying, I think it's attributed to Arthur C. Clarke about how a high enough level of technology is indistinguishable from magic.
Perry Carpenter
Yeah, yeah, it feels like that, you know, and actually when we were talking to people in the, that specializes in folklore and urban legends, they were saying that there's something in the, you know, the idea of prompting that is almost like a summoning ritual. And you do see like the way that technology is butting up against humanity. And really interesting, interesting ways when people are making those kind of comparisons, it's, oh, now I can invoke something from the machine. And even out of that spin tons of interesting conspiracy theories that, you know, when you think about conspiracy theories, of course those are adjacent to social engineering and disinformation and everything else. So all this becomes this interesting little hodgepodge of very adjacent ideas to. I don't know, I don't even know how to describe. It is like this boiling mess of us as a species trying to figure out like, what is it even to be human anymore? Because we used to think that one of the defining traits of humanity was this innate creativity. And it turns out that AI models are pretty good at creativity and large language models especially are really bad at math and reasoning. And so what does that mean? I'm pretty good at creativity and I'm really bad at math. So I don't know, it's a whole.
Mason Amadeus
New way of interacting with machines that didn't exist before. And it touches on so many different aspects of life because, I mean, especially at this point in time, people are trying to use large language models for literally everything. And there's a lot that they can do and the implications of this are huge. Just not like vertically in every sector and across everything else horizontally.
Dave Bittner
Mason, I'm curious, I mean, do you understand people's hesitation here that for folks who don't even want to lay hands on the technology.
Mason Amadeus
Yeah, I mean, I think a large part of it's a social force, right, that like on Reddit, people are just writing polemics against each other, either pro or AI, for reasons of like, oh, it's the death of creativity and job loss. And I can't help but think back to. I'm not sure if this is true, but a common example of when motion pictures first came out and people ran from the theater screaming because it seemed so real. It's weird to live through a moment that feels relatable to that and to have those feelings myself. I was hesitant to engage with AI tools at first, and I think it just comes from a fear because it's really. Most of the problems with it come down to capitalism and corporate greed and things like that. Like the job loss that might come from creative professionals working in spaces that are. They're no longer needed to do, I don't know, marketing or just simple graphic design or commissioned portraits and stuff. So there's like the fear of job loss. There's also just this questioning of is every hour, every day, every year of my life that I've spent honing a skill just invalidated now because a computer can do it? And I personally, I've been doing nothing but sort of cook on this for a while. And what I've come back to and why I'm trying to embrace AI is that it's here. It's not going to go away. There's nothing you can do to stop that. And also human creativity is innate and limitless. And the joy of creating something is not going to be taken away by the fact that you can generate something that just becomes. It makes it more accessible for anybody to make a thing. But people will always value something that you spent time hand making. I don't think it actually takes away from creativity, but I am afraid of. I'm a little hesitant with this show to receive some backlash from my peers in the creative space because it's just so contentious. A lot of people, there are like Mastodon instances. The Mastodon art instance disallows AI completely.
You'll just get banned. A lot of artist communities, people just suspect everything of AI and point fingers and say, you're not a real artist, you're just filling the Internet with slop, or you're burning down rainforests or whatever if you use AI and it's all just that. A lot of it's that sensationalist stuff. But there's also real reasons to distrust giant companies wielding this kind of power. And then there's also the ethical dilemmas with training data and consent and all of that. So it's.
Perry Carpenter
I.
Mason Amadeus
It's. I'm incredibly empathetic to it. But where I'm coming from now is that as an individual, the amount of control I have over that is minimal. So all I can do is try and engage and learn and. And stick around with it. And I've come around to really enjoying it. All of the imaging and sound design, all the transitions in the Fake Files are either 100% AI generated or hand fully recorded by me. I thought that'd be, like, a little fun project to do, to play with generative AI as a source of sound effects.
Perry Carpenter
Yeah. And that's one of the defining things in the show, is that we're leaning into the AI ness because we feel like in these areas where things are blended is where people, I think, get really. They feel like you're pulling the wool over their eyes if you use AI art or music or something like that. But in a show about AI, one of the things that we have to do is really understand the technology, keep up with the technology and engage with it. I think in a dualistic fashion. One is to say, if I'm a good person that wants to be creative with it, how do I do that and how do I have fun? And so we give ourselves permission to have fun with it and to play with it and to make it part of the show and integral to the show. And then the other thing that we have to do is think about this from a security perspective and put on that hat and say, now, if I was a bad person and I wanted to be really creative with it, what could I do? And I think asking and playing in both of those areas is a really interesting place to be, because not a lot of people are giving themselves permission to go really far down both of those roads at the same time.
Dave Bittner
No, that's an interesting take. And I think the creative part can be kind of the. The spoonful of sugar that makes the security medicine go down.
Mason Amadeus
Right, Exactly. Yeah. I forget who it was. Someone when we launched Digital Folklore accused us of trying to hide vitamins inside of candy. I think they were like, I came in, Peter. Oh, that was Peter.
Perry Carpenter
Yeah. He was like, yeah, I thought that I was gonna get this nice candy bar, and then all of a sudden, he slipped vitamins in it.
Mason Amadeus
So we're doing that again.
Perry Carpenter
Yeah.
Dave Bittner
All right. So your audience is warned. If you're not careful, you may learn something.
Perry Carpenter
You may get a green bean in there somewhere, too. You never know.
Dave Bittner
That's Perry Carpenter and Mason Amadeus. The new show is called the Fake Files podcast. You can find it wherever you get your favorite podcasts and right here on the N2K CyberWire network.

And finally, digital license plates, the high-tech replacements for boring metal ones, offer features like theft alerts and custom messages. But security researcher Josep Rodriguez has revealed a darker side: they can be hacked. With a few tools and a little ingenuity, Rodriguez demonstrated how to jailbreak the plates, allowing users to change plate numbers at will. Perfect for dodging tickets or pinning them on someone else. Think James Bond or KITT from Knight Rider, but more petty criminal than secret agent or supercar. By tweaking the plate's firmware, Rodriguez could swap out its display with just a smartphone app. Worse, a hacker could track a driver or wreak havoc by selling pre-jailbroken plates online. The company providing the digital plates insists it's a highly unlikely scenario, but Rodriguez disagrees, calling it relatively simple. So while digital plates might sound futuristic, they also come with risks, like suddenly being blamed for someone else's speeding tickets. Drive safe, and maybe stick to old school metal for now.

And that's the CyberWire. For links to all of today's stories, please check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment: your people. We make you smarter about your teams while making your team smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
CyberWire Daily: Rhode Island Cyberattack Exposes Sensitive Data - December 16, 2024
Hosted by N2K Networks, this episode of CyberWire Daily delves into a significant cyberattack in Rhode Island, explores legislative moves against Chinese telecom equipment, examines various ransomware incidents, and features an insightful conversation with Perry Carpenter and Mason Amadeus about their new podcast. Below is a comprehensive summary of the episode's key points, discussions, and conclusions.
At the forefront of today's cybersecurity news is a massive cyberattack on Rhode Island's RI Bridges system, which has potentially compromised sensitive personal information of hundreds of thousands of residents who applied for government assistance programs since 2016.
Nature of the Attack: Hackers, identified as part of an international cybercrime group, threatened to release the stolen data unless a ransom was paid. Notably, this incident has been classified as extortion rather than traditional ransomware, as no data was encrypted for a ransom demand.
Exposed Data: The breach may have included highly sensitive details such as Social Security numbers and bank account information.
Discovery and Response: The breach was confirmed on December 10 after the hackers provided evidence to Deloitte, the system's vendor. Upon discovering malicious code within the system, officials promptly shut it down to mitigate further risks.
Ongoing Investigation: State officials, Deloitte, and law enforcement are actively investigating the incident. Impacted individuals will receive free credit monitoring and access to support services, ensuring they are safeguarded against potential misuse of their information. While December benefits have already been distributed, new applications must now be filed on paper until the system is restored. Open enrollment for health insurance remains unaffected by this breach.
Speaker Quote:
"A cyber attack on Rhode Island's RI Bridges system has potentially exposed sensitive personal information of hundreds of thousands of people..." [00:42]
The episode discusses a $3 billion budget proposal added to the 2025 National Defense Authorization Act, aimed at eliminating Chinese-made telecom equipment from U.S. networks. This initiative is a strategic move to prevent breaches similar to the SALT Typhoon cyber espionage campaign, which exploited vulnerabilities in Huawei and ZTE equipment.
Funding Gap: The FCC has identified a $3 billion funding gap in its rip and replace program, which plans to remove compromised technology from 126 carrier systems. This gap particularly affects rural carriers, who lack the necessary resources to upgrade or replace their compromised equipment.
Political Stance: Senators from both parties emphasize the urgency of securing networks. While some criticize the expansion of FCC regulations, others advocate for swift action to eliminate known vulnerabilities.
Speaker Quote:
"SALT Typhoon's success against major operators underscores the risks for smaller networks with fewer defenses." [00:42]
The Clop ransomware gang has confessed to exploiting vulnerabilities in Cleo's managed file transfer platforms, including Harmony, VLTrader, and LexiCom.
Exploitation Details: The attack utilized a zero-day vulnerability initially patched by Cleo in October. However, cybersecurity firm Huntress discovered that the patch was incomplete, allowing attackers to bypass it, upload backdoors, and steal data.
Impact: While Cleo has not publicly acknowledged prior exploits, Clop's admission ties these attacks to their previous methods, including similar exploits in the MOVEit breaches.
Speaker Quote:
"The Clop ransomware gang confirms exploiting vulnerabilities in Cleo's managed file transfer platforms." [00:42]
PIH Health, a major Southern California healthcare provider serving over 3 million residents, has been hit by a ransomware attack, severely disrupting IT systems across hospitals, urgent care centers, and pharmacies.
Threats and Claims: Cybercriminals claim to have stolen 17 million patient records and threaten to publish 2 terabytes of sensitive data unless their demands are met.
Response and Impact: PIH Health is collaborating with forensic specialists and law enforcement to address the attack but has not publicly acknowledged the hackers' claims. The attack has forced the healthcare provider to rely on downtime procedures, resulting in delays in test results, surgeries, and prescription refills, and making online services unavailable.
Broader Implications: Experts warn that without stronger federal intervention, such attacks are likely to persist and escalate, highlighting the necessity for measures like pre-authorized traffic filtering and comprehensive national privacy laws.
Speaker Quote:
"A ransomware attack on PIH Health... has disrupted IT systems, impacting hospitals, urgent care centers, pharmacies and more." [00:42]
LKQ Corporation, a leading U.S. auto parts provider operating in 24 countries with 45,000 employees, disclosed a cyberattack on its Canadian business unit.
Timeline and Impact: The incident, which began on November 13, caused weeks of disruption. LKQ has reported the incident in an SEC filing, stating that the unit is now near full capacity and the threat has been contained.
Financial and Operational Outlook: The company does not anticipate significant financial impact and plans to seek reimbursement through cybersecurity insurance. No threat actors have claimed responsibility for this breach.
Speaker Quote:
"A leading US Auto parts provider discloses a cyber attack on its Canadian Business Unit." [00:42]
SRP Federal Credit Union is alerting over 240,000 individuals about a cyberattack that exposed sensitive personal information, including names, Social Security numbers, driver's license details, and financial data.
Details of the Breach: The breach occurred between September 5th and November 4th and was discovered after SRP secured its systems and reviewed the compromised files.
Response and Mitigation: While SRP reports no evidence of misuse, it is offering one year of free identity protection services to affected individuals. The ransomware group Nitrogen, active since September 2024, has claimed responsibility, alleging the theft of 650 GB of data and its subsequent sale online. SRP has reported the incident to law enforcement and attorneys general in Texas and Maine.
Speaker Quote:
"SRP Federal Credit Union notifies over 240,000 individuals of a cyber attack..." [00:42]
A sophisticated phishing campaign is currently targeting YouTube creators, utilizing fake brand collaboration emails to steal accounts and propagate scams.
Mechanism of Attack: Scammers use specialized tools to scrape email addresses from YouTube channels and send bulk phishing emails via browser automation. These emails mimic lucrative collaboration offers and include attachments disguised as contracts or promotional materials hosted on platforms like OneDrive.
Malware and Exploitation: The malicious attachments are protected by passwords to appear legitimate but contain hidden malware. Once downloaded, the malware can steal login credentials, financial data, intellectual property, or grant remote access to attackers.
Scope and Advice: With over 200,000 creators targeted globally, security experts advise creators to verify unsolicited collaboration offers, avoid downloading suspicious attachments, and confirm the sender's legitimacy directly with the brand.
Speaker Quote:
"A sophisticated phishing campaign targeting YouTube creators leverages fake brand collaboration emails to steal accounts and spread scams." [00:42]
Security researchers at X41 D-Sec have identified high-severity vulnerabilities in Mullvad VPN, including race conditions and temporal safety violations in its signal handler code.
Potential Exploits: These flaws could lead to memory corruption and potential code execution if an attacker triggers a signal at the right moment. Additionally, a DLL sideloading vulnerability in Mullvad's Windows installer could allow attackers to execute malicious code during installation.
Complexity of Exploitation: While exploiting these vulnerabilities is complex, Mullvad users are strongly urged to update their software to mitigate the associated risks.
Speaker Quote:
"Researchers identify a high severity vulnerability in Mullvad VPN..." [00:42]
In a stark reminder of the deep-seated issues within the dark web, Robert Schuss, a 37-year-old Texan, has been sentenced to 30 years in prison for his egregious crimes against children.
Crimes Committed: Schuss operated a dark web forum where pedophiles could exchange and discuss child sex abuse material (CSAM), including videos and images of babies and toddlers. He personally abused one child for six years, created hundreds of instances of CSAM, and even bribed the child's family with gifts and money. Additionally, he secretly recorded two other minors and coerced two others into sending naked pictures of themselves.
Evidence and Detection: The FBI discovered over 117,000 CSAM images and 1,100 videos on Schuss's computers and storage drives.
Legal Consequences: Beyond the 30-year sentence, Schuss will face 10 years of supervised release, $153,000 in restitution to his victims, and will be registered as a sex offender for life.
Speaker Quote:
"This monster ran a dark web forum where pedophiles could exchange and discuss child sex abuse material..." [00:42]
Towards the end of the episode, Dave Bittner engages in an insightful conversation with Perry Carpenter and Mason Amadeus, co-hosts of the new Fake Files Podcast. They discuss the genesis of their podcast and its focus on the intersection of AI and humanity.
Inception of Fake Files: Perry Carpenter explains that the podcast is an offshoot of his book "FAIK", which delves into deepfakes, disinformation, and AI-generated deceptions. The idea evolved from a 10-part audio miniseries that dramatized stories from his book, showcasing a natural chemistry between Carpenter and Amadeus.
Perry's Insight:
"It just seemed like by the time we got to the end of that, it's like, oh, this is a chemistry that we have and a way of doing things that could become very self-sustaining..." [17:21]
Podcast Focus: Mason Amadeus elaborates that Fake Files aims to bridge the gap between AI technology and the general public, making AI tools and concepts accessible and understandable. The podcast adopts a morning radio show vibe, featuring breakdowns of the latest AI news and demonstrations of AI tools.
Mason's Perspective:
"We're trying to bridge the gap between what feels like something that's inaccessible... making that a space for everyone to be a part of and learn." [20:01]
Balancing Creativity and Security: The hosts discuss how they integrate AI creatively into their show while also contemplating its security implications. They aim to understand and leverage AI's potential for good while being aware of its misuse.
Perry's Approach:
"If I'm a good person that wants to be creative with it, how do I do that and how do I have fun?... and then the other thing... put on that hat and say, now, if I was a bad person..." [26:03]
Speaker Quote:
"All of today's stories, please check out our daily briefing at thecyberwire.com..." [16:37]
The episode concludes with a revelation about digital license plates, which, despite their futuristic appeal offering features like theft alerts and custom messages, pose significant security risks.
Security Flaws Exposed: Security researcher Josep Rodriguez demonstrated how these plates can be hacked using simple tools and ingenuity. By jailbreaking the plates, users can change plate numbers at will, facilitating activities like dodging tickets or pinning plates on others—a scenario reminiscent of James Bond tactics but more aligned with petty crime.
Potential Risks: Hackers could track drivers or sell pre-jailbroken plates online, leading to various malicious activities. Despite the company’s stance that such scenarios are highly unlikely, Rodriguez contends they are relatively simple to execute.
Recommendation: Until these vulnerabilities are addressed, users are advised to exercise caution, potentially reverting to traditional metal plates to avoid becoming victims of such schemes.
Speaker Quote:
"Digital plates might sound futuristic, but they also come with risks. Like suddenly being blamed for someone else's speeding tickets." [28:09]
This episode of CyberWire Daily underscores the evolving landscape of cybersecurity threats, highlighting how state infrastructure, corporate entities, and individuals are increasingly vulnerable to sophisticated cyberattacks. The discussions also emphasize the critical need for robust legislative measures, comprehensive security strategies, and public awareness to mitigate these risks.
Furthermore, the conversation with Perry Carpenter and Mason Amadeus sheds light on the human element in cybersecurity, particularly the role of AI in both enhancing and compromising security paradigms. Their new Fake Files Podcast aims to educate and engage audiences on these pressing issues, blending creativity with critical security insights.
Final Quote:
"We're privileged that N2K Cyberwire is part of the daily routine of the most influential leaders and operators in the public and private sector..." [End of Transcript]
For more detailed information on today’s stories, visit thecyberwire.com. Share your thoughts and feedback to help us continue delivering the insights you rely on in the ever-changing world of cybersecurity.