Transcript
Dave Bittner (0:02)
You're listening to the CyberWire Network, powered by N2K.

Did you know Active Directory is targeted in 9 out of 10 cyber attacks? Once attackers get in, they can take control of your entire network. That's why Semperis created Purple Knight, the free security assessment tool that scans your Active Directory for hundreds of vulnerabilities and shows you how to fix them. Join thousands of IT pros using Purple Knight to stay ahead of threats. Download it now at semperis.com/purple-knight. That's semperis.com/purple-knight.

A critical vulnerability in SUSE Manager allows attackers to run commands with root privileges. A joint CISA and US Coast Guard threat hunt at a critical infrastructure site reveals serious cybersecurity issues. Healthcare providers across the US report recent data breaches. Cybercriminals infiltrate a bank by physically planting a Raspberry Pi on a network switch. Russian state-backed hackers target Moscow diplomats to deploy ApolloShadow malware. Luxembourg investigates a major telecom outage tied to Huawei equipment. China's cyberspace regulator summons Nvidia over alleged security risks linked to its H20 AI chips. A new report examines early indicators of system compromise. Today our guest is Ryan Whelan, Managing Director and Global Head of Accenture Cyber Intelligence, with their analysis of Scattered Spider. And Pwn2Own puts a million dollar bounty on WhatsApp zero-clicks.

It's Friday, August 1, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today. Happy Friday. I don't know how the rest of you feel, but it seems impossible to me that we are already in August.

A critical vulnerability in SUSE Manager allows attackers to run commands with root privileges without authentication through an exposed WebSocket endpoint on port 443. This flaw, found during a customer security audit, affects multiple SUSE Manager versions, including recent container and cloud deployments. Attackers only need network access to exploit it. A proof of concept confirmed the risk using a simple HTML page. Immediate action is needed: block port 443 or isolate vulnerable systems from untrusted networks, then patch using the updates SUSE has released. Until fully patched, organizations should enforce strict network controls to limit exposure.

A joint CISA and US Coast Guard threat hunt at a critical infrastructure site revealed serious cybersecurity issues, though no active threat actors were found. Key risks included shared admin accounts with plaintext passwords, weak IT/OT segmentation, and insufficient logging. Misconfigured systems allowed IT users direct access to SCADA networks, raising concerns about potential real-world safety impacts. Admin credentials were stored in scripts and reused across many devices, increasing the risk of lateral movement and persistence by attackers. Inadequate network controls and missing bastion hosts further weakened defenses. CISA urges critical infrastructure operators to fix misconfigurations, enforce unique credentials, use MFA, segment IT and OT environments, and adopt bastion hosts and VPNs. The advisory stresses urgency in addressing these gaps to prevent potential cyber-physical impacts. Additionally, yesterday CISA issued two high severity ICS advisories warning of major vulnerabilities in Güralp seismic devices and Rockwell Automation systems using VMware. The Güralp flaw allows unauthenticated remote access via telnet, risking manipulation of seismic monitoring equipment. Rockwell systems face four critical VMware-related bugs enabling code execution and full system compromise. No exploitation has been reported, but CISA urges immediate isolation of affected systems, network segmentation and patching.

Several healthcare providers across the US have reported recent hacking-related data breaches. MidFlorida Primary Care disclosed a breach affecting sensitive patient data accessed between November and December 2024. Northwest Denture Center in Washington confirmed the exposure of protected health information for over 12,000 individuals in May of this year. Equilibria Mental Health Services in Massachusetts was hit by a phishing attack compromising up to 2,000 individuals. The National Databank for Rheumatic Diseases reported unauthorized access in March affecting personal and medical data. Meanwhile, INC Ransom claims to have targeted the West Virginia Primary Care Association, allegedly stealing 296 gigabytes of data. However, WVPCA has not confirmed any breach. Impacted organizations are offering credit monitoring and enhancing security protocols in response to these incidents.

Cybercriminal group UNC2891 infiltrated an Indonesian bank in early 2024 by physically planting a Raspberry Pi on a network switch linked to an ATM, Group-IB reports. Equipped with a 4G modem, the device allowed remote access to the bank's internal systems. The attackers used a backdoor called TinyShell, disguised as a Linux display manager, to evade detection and maintain persistent access via the bank's mail server. Though they successfully stole cash, the attack was mitigated days later. Forensics teams struggled due to the group's advanced obfuscation tactics, including the use of Linux bind mounts, now documented as MITRE ATT&CK technique T1564.013. While the attackers aimed to deploy the CAKETAP rootkit for further withdrawals, defenders ultimately blocked their goal. The incident highlights the need for advanced memory and network forensics beyond standard response measures.

Russian state-backed hackers from the APT group Secret Blizzard, also known as Turla and Krypton, are targeting diplomatic personnel in Moscow using adversary-in-the-middle attacks to deploy custom malware called ApolloShadow, Microsoft reports. The group, active since 2006 and linked to Russia's FSB, uses access at the ISP level via domestic surveillance systems like SORM to intercept traffic and deliver malware. Victims are redirected through a fake captive portal where ApolloShadow installs a fake Kaspersky certificate to gain system control. The malware modifies system settings, installs root certificates via certutil, and creates a persistent admin account. Microsoft warns that diplomats using Russian ISPs are likely targets and urges use of VPNs, least privilege policies and script blocking to reduce risk. This is the first confirmed case of ISP-level adversary-in-the-middle malware deployment inside Russia.

Luxembourg is investigating a major telecom outage on July 23rd caused by a cyberattack that disrupted 4G and 5G services for over three hours. The attack, reportedly targeting Huawei equipment, also disrupted emergency calls, Internet access and banking services. Officials believe it was a deliberate, sophisticated denial of service attack exploiting a software flaw in Post Luxembourg's infrastructure. A full forensic probe is underway. The incident has prompted a review of national resilience and may lead to regulatory changes for network redundancy during outages.

China's cyberspace regulator has summoned Nvidia over alleged security risks linked to its H20 AI chips sold in China. The Cyberspace Administration of China requested explanations and supporting evidence, citing national laws on data and network security. This follows growing concerns about US-made AI chips containing tracking and remote shutdown features. US lawmakers, including Senator Tom Cotton, have proposed laws to require such features for exported chips. The Cyberspace Administration of China claims Nvidia's chips may already include this technology, prompting further scrutiny.

A new report from GreyNoise reveals that attackers often begin exploiting vulnerabilities in edge devices up to six weeks before they're publicly disclosed or assigned a CVE. In 80% of cases, pre-disclosure activity like scanning, brute forcing and zero-day exploit attempts spikes before the CVE is announced. This trend is especially common for eight major vendors: Cisco, Citrix, Fortinet, Ivanti, Juniper, MikroTik, Palo Alto Networks and SonicWall. GreyNoise identified 216 such pre-disclosure spikes, urging defenders to treat them as early warnings. Security teams should enhance monitoring during these spikes, harden systems and block malicious IPs to prevent compromise. These early indicators provide a window for proactive defense, especially against nation-state actors like the Typhoons targeting enterprise edge devices for surveillance and long-term access.

Coming up after the break, Ryan Whelan, Managing Director and Global Head of Accenture Cyber Intelligence, joins us with their analysis of Scattered Spider. And Pwn2Own puts a million dollar bounty on WhatsApp zero-clicks.

Compliance regulations, third-party risk and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you're thinking there has to be something more efficient than spreadsheets, screenshots and all those manual processes, you're right. GRC can be so much easier, and it can strengthen your security posture while actually driving revenue for your business. You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program. Their trust management platform automates those key compliance, internal and third-party risk, and even customer trust, so you're not buried under spreadsheets and endless manual tasks. Vanta really streamlines the way you gather and manage information across your entire business. And this isn't just theoretical. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. That's a pretty impressive number. So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business. Vanta GRC. Just imagine how much easier trust can be. Visit vanta.com/cyber to sign up today for a free demo. That's V-A-N-T-A dot com slash cyber.

Dave here. I've talked about DeleteMe before and I'm still using it because it still works. It's been a few months now and I'm just as impressed today as I was when I signed up. DeleteMe keeps finding and removing my personal information from data broker sites, and they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved knowing my privacy isn't something I have to worry about every day. The DeleteMe team handles everything. It's the set-it-and-forget-it peace of mind. And it's not just for individuals. DeleteMe also offers solutions for businesses, helping companies protect their employees' personal information and reduce exposure to social engineering and phishing threats. And right now our listeners get a special deal: 20% off your DeleteMe plan. Just go to JoinDeleteMe.com/N2K and use promo code N2K at checkout. That's JoinDeleteMe.com/N2K, code N2K.

Ryan Whelan is Managing Director and Global Head of Accenture Cyber Intelligence. I recently sat down with him to discuss their analysis of Scattered Spider.
