Transcript
A (0:02)
You're listening to the Cyberwire Network, powered by N2K. Are you ready for AI in cybersecurity? Demand for these skills is growing exponentially for cybersecurity professionals. It's why CompTIA, the largest vendor-neutral certification authority, is developing SecAI+. It's their first ever AI certification, focused on artificial intelligence and cybersecurity, and is designed to help mid-career cybersecurity professionals demonstrate their competencies with AI tools. And that's why N2K's SecAI practice exam is coming out this year, to help you prepare for the certification release in 2026. To find out more about this new credential and how N2K can help you prepare today, check out our blog at certify.cybervista.net.
B (1:01)
And.
A (1:01)
Thanks.
B (1:10)
At Thales, they know cybersecurity can be tough and you can't protect everything. But with Thales, you can secure what matters most. With Thales' industry-leading platforms, you can protect critical applications, data and identities anywhere and at scale, with the highest ROI. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most: applications, data and identity. That's Thales, T-H-A-L-E-S. Learn more at thalesgroup.com.

CISA warns a Windows SMB privilege escalation flaw is under active exploitation. Microsoft issues an out-of-band fix for a WinRE USB input failure. Nation-state hackers had long-term access to F5. Envoy Air confirms it was hit by the zero-day in Oracle's E-Business Suite. A nonprofit hospital system in Massachusetts suffers a cyberattack. Russia's Cold River group rapidly retools its malware arsenal. GlassWorm malware hides malicious logic with invisible Unicode characters. European authorities dismantle a large-scale Latvian SIM farm operation. Myanmar's military raids a notorious cybercrime hub. Our guest is Josh Kamdjou from Sublime Security, discussing how teams should get ahead of Scattered Spider's next move. And Eagle Scouts are soaring into cyberspace.

It's Tuesday, October 21, 2020. I'm Dave Bittner, and this is your Cyberwire Intel Briefing. Thanks for joining us here today. It's great, as always, to have you with us.

CISA warns attackers are exploiting a Windows Server Message Block flaw to gain SYSTEM privileges on unpatched Windows systems. With a CVSS score of 8.8, the vulnerability affects Windows Server, Windows 10 and Windows 11 through 24H2. Microsoft addressed it in June 2025's Patch Tuesday. An attacker could trick users into connecting to a malicious application server, such as an SMB server, then compromise the protocol. Attackers could gain system-level privileges, raising a risk of serious compromise.
CISA requires Federal Civilian Executive Branch agencies to secure affected systems by November 10th, and organizations should apply Microsoft's June 2025 security updates.

Microsoft shipped an out-of-band update that revives Windows RE on systems where USB input went silent. The company acknowledged the bug on Friday. It blocked navigation inside the Windows Recovery Environment, while mice and keyboards still worked after login. Microsoft began rolling out the update today. Obviously, recovery is rescue for responders, and Microsoft recommends users install the update immediately. If you cannot boot, use a touch keyboard, a PS/2 device or a USB recovery drive. Enterprises can deploy via PXE or use the Windows ADK and WinPE.

F5 says nation-state hackers maintained long-term access, stealing BIG-IP code and vulnerability data, prompting urgent government warnings, according to Bloomberg. Access began in late 2023 and was discovered Aug. 9, per F5's filing. People briefed say attackers exploited exposed F5 software after staff ignored company guidelines. Intruders downloaded BIG-IP files, including source code and data on undisclosed flaws. F5 reports no code modification or known active exploitation. Stolen code and vulnerability details raise the risk of silent surveillance, manipulation or disruption of BIG-IP traffic. CISA issued an emergency directive requiring federal agencies to identify and update F5 products by October 22nd. The UK National Cyber Security Centre also warned customers.

Envoy Air has confirmed it was hit in a coordinated wave of attacks exploiting a zero-day in Oracle's E-Business Suite, a system critical to global enterprise operations. The Clop ransomware group, long associated with large-scale extortion, leveraged the flaw for remote takeover without credentials. The same campaign hit Harvard earlier this month and may extend to American Airlines.
The vulnerability remained unpatched for nearly three months, underscoring the danger of lagging vendor response times in supply chain software dependencies.

Heywood Healthcare, a nonprofit system in north central Massachusetts, has taken its IT network offline after a cyberattack disrupted operations at its two hospitals. The outage has forced ambulance diversions, halted CT imaging and affected radiology, lab, phone and email systems, while inpatient and outpatient care continues. Digital systems are severely limited. Experts warn the attack reflects the healthcare sector's growing vulnerability to ransomware and extortion schemes, where operational disruption, not just data theft, is the goal. Analysts from Lumifi, Rapid7 and Clearwater note that weak vendor security, delayed patching and poor segmentation remain systemic risks. They urge hospitals to prioritize zero trust architectures, faster patch management, segmentation of medical devices and continuous risk analysis to build resilience against the accelerating wave of financially motivated, AI-assisted attacks targeting patient care infrastructure.

Russian-linked Cold River has rapidly retooled its malware arsenal, replacing the publicly exposed LOSTKEYS with a chained suite GTIG calls NOROBOT, YESROBOT and MAYBEROBOT, and has used it more aggressively than in prior campaigns. The attack begins with a ClickFix CAPTCHA lure that tricks victims into running a malicious DLL via rundll32, which then fetches staged components, initially a Python-based backdoor and later a lighter, more flexible PowerShell backdoor, Google's Threat Intelligence Group notes. Cold River alternated noisy and stealthy delivery chains, rotated infrastructure and tweaked components to frustrate analysis, signaling a higher development and operations tempo aimed at credential theft and espionage against NGOs, former intel officers and NATO-aligned targets.
Defenders should prioritize phishing-resistant controls, robust detonation, DLL executable monitoring and rapid capture of multi-component chains.

A developer-focused supply chain campaign named GlassWorm has infected roughly 35,000 marketplace installs across OpenVSX and Microsoft Visual Studio by hiding malicious logic with invisible Unicode characters. Once deployed, it steals GitHub, npm and OpenVSX credentials and crypto wallet data, self-propagates using compromised accounts to backdoor more extensions, and installs a SOCKS proxy plus HVNC for covert remote access. Its final payload, ZOMBI, which is massively obfuscated JavaScript that turns workstations into criminal nodes, is fetched via links embedded in Solana blockchain transactions, with Google Calendar and a fallback IP as backups, making takedown and attribution difficult. Key defensive actions include treating extensions as supply chain risks, enforcing MFA and least privilege for developer accounts, scanning repos for invisible or unusual characters, monitoring outbound traffic for proxies or HVNC, and validating third-party code before inclusion.

European authorities dismantled a large-scale SIM farm operation in Latvia known as SIMCARTEL, which provided millions of fake mobile numbers used in phishing, smishing and fraud across 80 countries. Coordinated by Europol and Eurojust, the raid resulted in seven arrests, the seizure of 1,200 SIM boxes operating 40,000 SIMs and cryptocurrency worth $835,000, and the takedown of several domains. The group's infrastructure enabled the creation of 49 million fraudulent online accounts supporting scams that impersonated police, ran fake marketplaces and stole financial credentials. Victim losses exceeded $5.2 million.
Investigators say the service's bulk SIM access masked identities, fueled transnational cybercrime and exposed the blurred boundary between telecom misuse and organized fraud, highlighting the need for stricter SIM registration and cross-border digital forensics collaboration.

Myanmar's military has raided KK Park, a notorious cybercrime hub near the Thai border, detaining over 2,000 people and seizing 30 Starlink terminals used to power global online scam operations. The crackdown, launched in September, targeted networks behind romance and investment fraud schemes that trafficked foreign workers and forced them into criminal labor. KK Park, near Myawaddy in Kayin State, lies in a contested region partly controlled by ethnic militias. The junta accuses the Karen National Union of complicity, which that group denies. The raid follows international sanctions against similar scam syndicates in Cambodia and reflects mounting regional pressure, especially from China and Thailand, to dismantle Southeast Asia's human trafficking-linked cybercrime compounds exploiting unlicensed Starlink connectivity to evade surveillance and fuel transnational fraud.

Coming up after the break, Josh Kamdjou from Sublime Security discusses how teams can get ahead of Scattered Spider's next move, and Eagle Scouts are soaring into cyberspace. Stick around.

What's your 2am security worry? Is it, do I have the right controls in place?
