AT&T wireless announces a massive data breach. NATO will build a cyber defense center in Belgium. The White House outlines cybersecurity budget priorities.A popular phone spyware app suffers a major data breach.Some Linksys routers are sending user credentials in the clear. Sysdig describes Crystalray malware. A massive phishing campaign is exploiting Microsoft SharePoint servers. Germany strips Huawei and ZTE from 5G infrastructure. Our guest is Brigid Johnson, Director of AWS Identity, on the importance of identity management. The EU tells X-Twitter to clean up its act or pay the price.
Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
At the recent AWS re:Inforce 2024 conference, N2K’s Brandon Karpf spoke with Brigid Johnson, Director of AWS Identity, about the importance of identity and where we need to go. You can watch a replay of Brigid’s session at the event, IAM policy power hour, here.
Selected Reading
AT&T Details Massive Breach of Customers' Call and Text Logs (Data Breach Today)
NATO Set to Build New Cyber Defense Center (Infosecurity Magazine)
New Presidential memorandum sets cybersecurity priorities for FY 2026, tasking OMB and ONCD to evaluate submissions (Industrial Cyber)
mSpy Data Breach: Millions of Customers’ Data Exposed (GB Hackers)
Advance Auto Parts’ Snowflake Breach Hits 2.3 Million People (Infosecurity Magazine)
These Linksys routers are likely transmitting cleartext passwords (TechSpot)
Known SSH-Snake bites more victims with multiple OSS exploitation (CSO Online)
Beware of Phishing Attack that Abuses SharePoint Servers (Cyber Security News)
Germany to Strip Huawei From Its 5G Networks (The New York Times)
EU threatens Musk’s X with a fine of up to 6% of global turnover (The Record)
Share your feedback.
We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.
Want to hear your company in the show?
You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Learn more about your ad choices. Visit megaphone.fm/adchoices
You're listening to the Cyberwire Network, powered by N2K. We get it. This interruption isn't what you actually want to be listening to right now. But at Credit Karma, we've learned that a little disruption can be a good thing, especially when it comes to the slow, outdated, and totally complicated financial system. We started shaking things up by offering free access to your credit scores, then we expanded into more areas of personal finance. And now we've added new tools and personalized features to make it easier to optimize your money and grow it faster. Download into it Credit Karma today and get everything you need to outsmart the system. When it comes to ensuring your company has top-notch security practices, things can get complicated fast. Vanta automates compliance for SOC2, ISO 27001, HIPPA, and more, saving you time and money. With Vanta, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center. Over 7,000 global companies like Atlassian, Flow Health, and Quora use Vanta to manage risk and prove security in real time. Our listeners can claim a special offer of $1,000 off Vanta at vanta.com/cyber. AT&T Wireless announces a massive data breach. NATO will build a cyber defense center in Belgium, the White House outlines cybersecurity budget priorities, a popular phone spyware app suffers a major data breach. Some link-sis routers are sending user credentials in the clear. Sis Dig describes Crystal Ray Malware, a massive phishing campaign is exploiting Microsoft's SharePoint servers, Germany strips Huawei and ZTE from 5G infrastructure. Our guest is Bridget Johnson, director of AWS Identity on the importance of identity management, and the EU tells X-Twitter to clean up its act or pay the price. It's Friday, July 12th, 2024. I'm Dave Bitner, and this is your Cyberwire Intel Briefing. Happy Friday, and thank you for joining us. Attackers have stolen logs of call and text interactions from nearly every AT&T wireless customer, the company announced. The data, which covers a six-month period in 2022, was taken from AT&T's account on the data warehousing platform Snowflake. AT&T plans to notify around 110 million individuals affected by the breach. The stolen data includes call and text records, phone numbers involved, the count of interactions per day and month, and total talk time. It also includes cell-site ID numbers, which could help pinpoint users' approximate locations. However, it does not contain sensitive information like subscriber names, dates of birth, social security numbers, or call timestamps. Despite this, AT&T warns that publicly available tools could link phone numbers to specific names. The breach, believed to have occurred between April 14th and April 25th of this year, was first discovered on April 19th. AT&T immediately launched an investigation with external cybersecurity experts and notified the U.S. Securities and Exchange Commission via an 8K filing. The SEC mandates reporting material cybersecurity incidents within four days, except under certain circumstances. The U.S. Department of Justice allowed a delay in public disclosure during its investigation. AT&T has been cooperating with law enforcement and reports at least one person has been apprehended. AT&T clarified that this incident is unrelated to a separate data leak involving 70 million customers advertised by the Shiny Hunters Group in 2021. In other snowflake-related news, advanced auto parts disclosed a significant data breach affecting over 2 million job applicants and current and former employees. The breach, occurring from April 14th through May 24th of this year, compromised their snowflake environment. Exposed data includes full names, social security numbers, drivers' licenses, and government IDs, advanced auto parts is offering 12 months of free identity theft protection and credit monitoring through Experian. The incident was briefly acknowledged in a June Form 8K SEC filing. NATO members have agreed to establish the NATO Integrated Cyber Defense Center at the Supreme Headquarters Allied Powers Europe in Belgium. Announced during NATO's 75th Anniversary Summit in Washington, D.C., the NICC aims to enhance resilience and respond to digital threats. The center will house civilian and military experts from member states and utilize advanced technology to improve situational awareness and collective cyber defense. Its primary role is to inform military commanders about offensive cyber threats and vulnerabilities, including those affecting civilian critical infrastructure. NATO has been bolstering its cyber capabilities, conducting defense exercises and developing rapid response strategies, the NICC and similar initiatives respond to rising threats from countries like Russia and China, emphasizing the alliance's commitment to cybersecurity. The executive office of the president issued a memorandum outlining cybersecurity priorities for the fiscal year 2026 budget. The OMB and ONCD will review agency responses, identify gaps, and provide feedback to ensure submissions align with the national cybersecurity strategy. Key priorities include defending critical infrastructure, disrupting threat actors, shaping market forces, investing in resilience, and forging international partnerships. Agencies must also enhance cybersecurity transparency, modernize IT systems, and adopt zero trust architectures. Budget submissions should support cybersecurity supply chain risk management and foster public private sector collaboration. Agencies must update zero trust plans within 120 days and ensure resources for critical infrastructure protection and workforce development. Additionally, agencies are encouraged to support the secure use of open-source software and prepare for quantum-resistant cryptography. MSpy, a popular phone spyware app, has suffered a major data breach, exposing the sensitive information of millions of customers. Brainstack MSpy's parent company has not publicly acknowledged the breach. Disclosed by hacker Maya Arsen-Krimyu, the breach involved over 100 gigabytes of zendesk records, including millions of customer service tickets, email addresses, and email contents. The breach affects customers globally, including significant clusters in Europe, India, Japan, South America, the UK, and the US. Troy Hunt of Have I Been Pwn added 2.4 million unique email addresses from the breach to his site's catalog. The breach underscores the risks of spyware, which can be misused for unauthorized surveillance. Users of Lynxis Villap Pro 6E and 7 Mesh routers should change their passwords and Wi-Fi network names through an external web browser. These models transmit sensitive data, including SSIDs and passwords, unencrypted to an Amazon server during initial setup, potentially exposing users to men in the middle attacks, according to Belgian consumer organization Testan Koop. New patches have been released, but Lynxis has not publicly addressed whether the latest firmware fixes the issue. Crystal Ray, a threat actor known for using SSH-based malware, has expanded its operations to over 1,500 victims, utilizing multiple open-source software tools, according to a study from Sysdig. After initial access, Crystal Ray installs back doors and spreads across networks using SSH Snake to gather credentials for sale. Sysdig reports that Crystal Ray's activities now include mass scanning, exploiting vulnerabilities and deploying crypto miners for profit. They leverage OSS tools like ZMap, ASN, HTTPX, Nuclei and Platypus, modifying existing vulnerability proof of concepts for their payloads. The group targets cloud service providers to steal credentials, which are sold on black markets, to defend against such attacks, Sysdig emphasizes proper vulnerability, identity, and secrets management alongside effective detection and prevention tools. Indicators of compromise are provided for reference in the report. A massive phishing campaign is exploiting Microsoft SharePoint servers to host malicious PDFs with phishing links. The attack observed by malware hunting service AnyRun has surged with over 500 detections in the last 24 hours. This campaign uses trusted SharePoint services, making it hard to detect malicious intent. The phishing flow involves an email link directing to a SharePoint PDF, a capture prompt, and a fake Microsoft login page. Users should verify email sources, check URLs, and enable multi-factor authentication. Indicators of phishing include unexpected SharePoint notifications, mismatched file types, urgent requests, and suspicious login pages. The German government has agreed with major telecom companies to phase out critical Huawei and ZTE components from their 5G infrastructure over the next five years. Interior Minister Nancy Faser announced that Deutsche Telekom, Vodafone, and Telephonica would discontinue using Chinese-made components in core 5G network parts by the end of 2026 and from antennas, transmission lines, and towers by the end of 2029. This decision aims to protect Germany's economy and communication systems from potential cybersecurity risks. Despite no specific evidence against Huawei, the move aligns Germany with other European countries and the U.S., which have already restricted Huawei and ZTE equipment. Coming up after the break, our guest, Brigitte Johnson, director of AWS Identity, on the importance of identity management. Stay with us. And now, a word from our sponsor, no before. Where would infosec professionals be without users making security mistakes? Looking less than 60 hours per week, maybe, actually having a weekend every so often. While user behavior can be a challenge, they can also be an infosec professional's greatest asset once properly equipped. Users want to do the right thing, but often lack the knowledge to do so. That's one of the reasons no before developed Security Coach, a real-time security coaching tool that takes alerts from your existing security stack and sends immediate coaching to users who've taken risky actions. Existing security tools will likely block a user from visiting a high-risk website, for example, but the user might not understand why. Security Coach analyzes these alerts and provides users with relevant security tips via email or Slack, coaching them on why the action they just took was risky. Help users learn from their mistakes and strengthen your organization's security culture with Security Coach. Learn more at nobefore.com/securitycoach. That's nobefore.com/securitycoach, and we thank no before for sponsoring our show. The IT world used to be simpler. You only had to secure and manage environments that you controlled. One came new technologies and new ways to work. Now, employees, apps, and networks are everywhere. This means poor visibility, security gaps, and added risk. That's why CloudFlare created the first-ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business. At the recent AWS Reinforce 2024 conference, N2K's Brandon Carp spoke with Bridget Johnson, director of AWS Identity, about the importance of identity and where things may be headed. Here's their conversation. I am here today at AWS Reinforce with Bridget Johnson. Bridget is the director of AWS Identity, and we were just chatting about the importance of identity. The language of cyberwire is a first principle of security. Can you give us Bridget your view of the state of identity today, why it's so critical, and your perspective on where we need to go with identity? Yeah, so when you think about identity, I like to think about who can access what and under which conditions. There's a lot of resources on the cloud, a lot of data on the cloud, and you want to make sure that you have the right access controls and identity controls all the way down. So that fine grain power allows for the right access controls based on your business needs and your security use cases. So I mean, taking it from even the attacker perspective, right, how does identity actually provide us better security? Well, when it comes to security, right, you want to make sure that you specify who has access to what in the most fine grain way so that individuals, whether it's humans or your workloads, only have the access that they need and nothing beyond that. And so when you think about you want to reduce any surface of access and reduce broad access so that if somebody gets access that they shouldn't to an identity, that they're only being used what they actually need. In my past, I've managed environments, I've managed workloads. One of the stressors that I always had was removing access or being more prescriptive of who gets what when or what workloads have access to what when never really wanting to take that step and clean up the environment. I was always afraid I was going to break something. Have we solved that problem for the end user yet? I think we're getting there, right? We're taking the right strides to get closer. So with Access Analyzer, we have a lot of data to help people see what is not used and what you can clean up safely. And we're going to continue to invest in that area to build your confidence, to restrict access and remove broad access. And so with Access Analyzer, we've been investing with unused access. And so you can find unused access keys. You should feel pretty confident to delete those, especially if they haven't been used for, I don't know, half a year, an entire year, unused roles. And then for your individual roles, you want to remove unused access. And so the way I like to think about it is for human access, maybe you do need that. Maybe you need it in dev. You want people to explore. You want the developers to have a little bit of freedom. But as you go up to production, both for human access and specifically for workload access, you should only be granting access to what is actually needed. And using the data of essentially what you did use and then crafting a policy that is fine-grained based on that data is a really powerful workflow. You're shared before we start recording, you have some announcements about Access Analyzer. But would you feel free to kind of share what's coming with Access Analyzer and how folks can actually deploy this and use that in their environments? Yeah. So when we talked with customers, a lot of them, you know, they're running environments across multiple accounts and across the organization. And so with Access Analyzer starting in December, we launched unused access findings. So you can turn on for your organization. You can also turn on a member account and it will identify a finding of unused access keys, unused roles, and for the roles that are being used, it actually tells you what permissions you aren't using. And so this gives you, one, it helps you identify central security teams, identify what is no longer used in my environment. Maybe it no longer brings me joy and I can get rid of it. And so what we're doing today here at Reinforce is we're extending that feature and now we're actually generating a policy for customers so that they can remediate that and remove that unused access. Part of that you were, you mentioned there's a policy aspect. There's recommendations as part of this. There's policy as code integrated into this foreign end user. How can a user take this and then turn it into actual organizational policy to affect the long term identity security of an organization and their workloads? Yeah. What most customers are going to want to do is they're going to want to get these policies in the hands of developers, right? And so we are working with Access Analyzer to bring policy analysis, policy generation closer to development because what we are seeing in customers is they apply those guard rails and then they allow developers to deploy their own policies and that's great, right? This allows developers to move faster and I actually love this evolution of permissions in the cloud. And so one, we have policy generation so developers can run their workload and then they can start pretty broad and then they can essentially generate a policy so that existed prior to today. But then they're probably going to get a knock on their door eventually from central security teams saying like, "Hey, you have this workload running for a while and you need to scope down permissions. It's too broad." And that's where the policy recommendation will come into play. And so the central security team can share that policy recommendation with the developer. The developer should look at it and verify it's right and we'll talk about the verifying stuff in a second and then put it in their pipeline to get to the right permission. You preempted my next question which was of all the developers, I know every single one of them wants the keys to the kingdom. They want to be totally in control so this idea of pushing identity and control to the developers and policy controls and allowing them to experiment and be fast and move fast. But I also know developers love taking more than they probably should. They always want more, they're always going to ask for more. So can you maybe just explain a little bit more how that central security team might maintain that level of control, mitigate the risk of an overly zealous dev, which having been a dev in my own past, I was that overly zealous dev. Yeah. And I think that's fine for development, right? And so what we've seen customers implement and I love this story is, okay, your central security team, your job is to apply those guardrails, right? Let those devs have a little bit broader access in dev and let them bump up against those guardrails. And that could be making sure that they can't write data outside the organization. That can mean that they're not deleting critical resources like central security roles within their dev account. Okay. So this is in dev. They need to explore. They need to kind of figure out what their workloads need. They need to try things out. That's encourage. But then as you go up the stack, as you go into production, you want to verify that you're not granting broad access. You want to verify that there's not public access. You want to verify that you're trimming down permissions. And so this is where we're working. And we have a few checks, we're calling custom policy checks, that we're allowing devs and what we're seeing is customers are putting these in the CI/CD pipelines. And so you can say, for example, maybe you start a little bit broad, hey, Dev, this is what you need for your workload, typical workload. And you can check that as the dev updates the policy, it doesn't grant new access, right? So then it's like always either equal to or smaller than what might be your default workload permissions. Okay. And so making sure that they're not fundamentally changing the core policy, even though they might be experimenting and pushing that boundary. Right. And then there's other checks that were added. So you can say, check access, not granted. So let's say in production, you have some really critical resources. I don't know, a DynamoDB table with all of your data in it. And you just want to say like, hey, make sure that the roles do not grant access to delete that table. That would be really not great if we had that access floating around, even though you might have a guardrail around it, you just don't want it out there. And so that's another check you can do. And then we also have checking for public access. And so you have a resource based policy and essentially make sure it's not public, granting public access. You mentioned the importance though of verifying these things. And I can see that as a core challenge. How do you actually provably and with confidence verify that you've deployed these things correctly that they're functioning as they should? So how do you do that? Yeah. So all of those checks that I just mentioned are based on automated reasoning, really excited about automated reasoning. We try to work it into a lot of the access analyzer products when it makes sense. So automated reasoning is essentially we turn AWS into math. And then we can ask it questions. And that question is answered by proof. And so when you say, hey, is this policy doesn't grant any new access, we actually know provably that the policy that you're submitting does not grant new access. Okay. That's probably a little beyond my knowledge of math, but I mean, math is fundamentally provable. Yeah. So that's deployed right now in this environment. Yep. Yep. So you can use that. And we're seeing more and more customers put their custom checks into CI/CD pipelines. And yeah, it's backed by automated reasoning and it's very, very powerful. With the new launch with access analyzer that you're announcing today and backed, verified through automated reasoning as a user, how will I be interacting? How will I see that verification? What will be my experience as a user? When you're using the custom checks, you pass in a policy and you pass in what you care about. We will give you an answer. And so you get a very easy answer, pass or fail. And this is what makes it easy to put into your CI/CD pipelines or in your tooling. Some customers have built custom policy tooling as well. And so that's all you don't deal with automated reasoning, but you know that it's not just bridged on the other end reading your policy and giving an answer. Got it. So I don't have to worry about understanding the math or I just, it's the fact that it is turning AWS into math based on a proof and verifying that what I've requested it to do, it's actually doing that. Yes. Yes. These are great developments in identity, but obviously identity isn't solved. We're not at that panacea yet. So what is next? What are the next things that we need to address with identity? Yes. I think when you look at how we've worked with customers and to, we've invested in two areas. One is going to be that central security team. Their job is to, yes, apply the guardrails. So we'll make that easier and easier. Their job is also to verify that access is adhering to their security standards. So we're going to give more tools to help them verify that information. And then with that, in last year, we actually launched a dashboard. And so that can help the central security team kind of identify maybe some problem areas where they need to spend their time and attention. Maybe you'll see a bunch of unused access or some external access in dev and you're like, that might be okay. But if it's in your prod environment for one of your critical resources, you want to narrow in on that. So that dashboard can help. So we're going to continue to invest in the central security team to help them identify where they need to spend their time and attention and will also help them identify and verify their access controls are adhering to their security standards. Then you want to essentially get access controls adhering to the security standards and getting to the right permissions and the functional permissions closer to development, right? And so we're seeing this more and more. So we'll provide more tools to get to the right policy for these developers, more tools to verify their adhering to security standards. 'Cause really our goal is to enable developers to have a lot of agility when it comes to building on AWS and setting the right access control. That is what we care about. Bridget Johnson, thank you so much for coming on the show. We look forward to having you back. Yeah, thanks. That was great. That's N2K's Brandon Carp with the story. Our thanks to Bridget Johnson from AWS for joining us. [Music] And now a message from Black Cloak. What's the easiest way for threat actors to bypass your company's cyber defenses? Targeting your executives at home. That's because 87% of executives use personal devices to conduct business, often with zero security measures in place. Once execs leave your organization's secure network, they become easy targets for hijacking credential theft and reputational harm. Close the at-home security gap with Black Cloak concierge cybersecurity and privacy, award-winning 24/7 365 protection for executives and their families. Learn more at blackcloak.io [Music] And finally, the European Commission has formally told Elon Musk's social media platform, X, formerly Twitter, that it believes the company is breaching the EU's tech regulations. This revelation follows a December investigation and could lead to fines of up to 6% of X Twitter's global annual turnover. The Commission's preliminary findings accuse X Twitter of breaking Digital Services Act rules on dark patterns, advertising transparency, and data access for researchers. X Twitter's sale of the blue check mark for verification has been deemed deceptive with malicious actors using it to fool users. The platform's non-compliance with EU transparency laws for ads also ruffled feathers, as its ad repository apparently rivals a labyrinth in complexity. Moreover, X Twitter's data access policies for researchers were likened to a Herculean challenge with exorbitant fees and restricted API access, making it nearly impossible for researchers to do their job. Harry Breton, the commissioner for the internal market, hinted at significant fines and mandatory changes if these findings hold. While TikTok and meta are also under the EU's magnifying glass, X Twitter has the option to appeal and suggest remedies. Interestingly, since going private, X Twitter no longer discloses its revenues, although Musk admitted to declining earnings last year. When it comes to compliance, Mr. Musk's X Twitter seems to be lost in cyberspace. And that's the Cyberwire. For links to all of today's stories, check out our daily briefing at TheCyberwire.com. Be sure to check out this weekend's research Saturday, and my conversation with Ashir Malhotra and Vitor Ventura from Cisco Talos. We're discussing Operation Celestial Force, employs mobile and desktop malware to target Indian entities. That's research Saturday, check it out. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K Cyberwire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at N2K.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester, with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Carr. Simone Petrella is our president. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here, next week. This September 18th and 19th in Denver, a tight community of leading experts is gathering to tackle the toughest cybersecurity challenges we face. It's happening at M-wise, the unique conference built by practitioners for practitioners. Brought to you by Mandiant, now part of Google Cloud, M-wise features one-to-one access with industry experts and fresh insights into the topics that matter most right now to frontline practitioners. Register early and save at M-wise.io/cyberwire. That's M-wise.io/cyberwire.
