
CyberWire Daily

A ticking clock to exploitation.


Duration: 27m
Broadcast on: 09 Sep 2024
Audio Format: mp3

Patch Now alerts come from Progress Software and Veeam Backup & Restoration. Car rental giant Avis notifies nearly 300,000 customers of a data breach. The UK’s National Crime Agency struggles to retain top cyber talent. Two Nigerian brothers get prison time for their roles in a deadly sextortion scheme. SpyAgent malware uses OCR to steal cryptocurrency. A Seattle area school district suffers a cybercrime snow day. Our guest is Amer Deeba, CEO of Normalyze, discussing data’s version of hide and go seek -  the emergence of shadow data. A crypto leader resigns after being held at gunpoint. 

Remember to leave us a 5-star rating and review in your favorite podcast app.

Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.


CyberWire Guest

Our guest is Amer Deeba, CEO of Normalyze, discussing data’s version of hide and go seek, or the emergence of shadow data.


Selected Reading

Progress LoadMaster vulnerable to 10/10 severity RCE flaw (Bleeping Computer)

New Veeam Vulnerability Puts Thousands of Backup Servers at Risk – PATCH NOW! (HACKREAD)

Thousands of Avis car rental customers had personal data stolen in cyberattack (TechCrunch)

UK National Crime Agency, responsible for fighting cybercrime, ‘on its knees,’ warns report (The Record)

2 Brothers Sentenced to More Than 17 Years in Prison in Sextortion Scheme (The New York Times)

SpyAgent Android malware steals your crypto recovery phrases from images (Bleeping Computer)

Highline schools closing Monday because of cyberattack (Seattle Times)

Crypto Firm CEO Resigns Following Armed Robbery of Company Funds (Blockonomi)


Share your feedback.

We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. 


Want to hear your company in the show?

You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.


You're listening to the CyberWire network, powered by N2K.

Defense contractors face immense pressure to comply with CMMC 2.0 security standards, needing a secure, user-friendly file-sharing solution. Kiteworks, a FedRAMP Moderate authorized solution, supports nearly 90% of CMMC 2.0 Level 3 requirements, reducing compliance effort and cost. Kiteworks leverages a zero-trust framework for swift compliance and offers a secure platform for defense data protection needs with advanced security features and ease of use. Its intuitive UI, mobile apps, and centralized policy management simplify administration. Accelerate your CMMC 2.0 compliance and address federal zero-trust requirements with the Kiteworks universal secure file-sharing platform made for defense contractors. Visit kiteworks.com to get started.

Patch Now alerts come from Progress Software and Veeam Backup & Restoration. Car rental giant Avis notifies nearly 300,000 customers of a data breach. The UK's National Crime Agency struggles to retain top cyber talent. Two Nigerian brothers get prison time for their roles in a deadly sextortion scheme. SpyAgent malware uses OCR to steal cryptocurrency. A Seattle area school district suffers a cybercrime snow day. Our guest is Amer Deeba, CEO of Normalyze, discussing data's version of hide and go seek, the emergence of shadow data. And a crypto leader resigns after being held at gunpoint.

It's Monday, September 9, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing.

Happy Monday! Hope you had a good weekend, and great to have you back with us here today.

Progress Software has released an emergency patch for a critical vulnerability in its LoadMaster and LoadMaster Multi-Tenant Hypervisor products. The flaw, rated 10 out of 10 in severity, allows unauthenticated attackers to remotely execute arbitrary system commands via a crafted HTTP request. This vulnerability stems from improper input validation in LoadMaster's management interface, enabling remote code execution. Progress has provided an add-on package to fix the issue for vulnerable versions, including the free version of LoadMaster. No active exploits have been reported, but users are urged to apply the patch and follow recommended security measures to protect their systems.

A critical vulnerability in Veeam Backup & Replication software allows attackers to gain full control of systems without authentication. This is classified as a remote code execution flaw, and, if exploited, attackers could run arbitrary code, potentially leading to data breaches or ransomware deployment. Cybersecurity firm Censys identified over 2,800 Veeam servers exposed online, mainly in Germany and France. This vulnerability follows a similar flaw exploited by ransomware groups earlier in 2023. Veeam has released a patch addressing this and five other issues. Users are strongly urged to update their systems, review network security to prevent exposure to the Internet, and monitor for unauthorized activity.

Car rental giant Avis is notifying nearly 300,000 customers that their personal information was stolen in an August 2024 cyberattack. The breach exposed sensitive data, including names, mailing and email addresses, phone numbers, birth dates, credit card details, and driver's license numbers. The attack began on August 3 but was discovered two days later. Avis has not disclosed how the breach occurred, and further details remain unclear. So far, the largest number of affected individuals are from Texas, with over 34,000 residents impacted. Additional breach notifications are expected. Avis, which owns Budget and Zipcar, operates in over 180 countries and earned $12 billion in revenue in 2023. The company has not commented on who is responsible for its cybersecurity efforts.

The U.K.'s National Crime Agency, commonly viewed as an elite force capable of tackling serious organized crime, including cybercrime, is struggling to maintain its operations, according to a recent report by Spotlight on Corruption, a non-profit civil society group. The report warns that the agency is "on its knees," citing a severe brain drain caused by a broken pay system, which is driving away senior staff and cyber experts. Notably, the NCA loses nearly 20 percent of its cyber capacity each year, a significant blow as cybercrime continues to rise globally. This staffing crisis has forced the NCA to depend heavily on costly temporary labor and consultants, who now account for more than 10 percent of the agency's budget. The report calls on the U.K. government to take immediate action, emphasizing that the NCA is at a critical juncture. Without urgent reforms and proper funding, the agency will struggle to fulfill its mission to protect the country from growing threats like fraud, organized crime, and cyber attacks.

Britain's new Labour government, which campaigned on rebuilding the public sector after years of austerity and budget cuts, faces a crucial decision. The report argues, "The question for the new government is not whether it can afford to invest in pay reform at the NCA but whether it can afford not to." The report highlights that NCA officers, like other public sector workers, have faced stagnant pay for over a decade, exacerbated by high inflation since 2022. This has made NCA positions less attractive compared to private sector jobs or international counterparts like the FBI. While the NCA is often likened to the FBI, Spotlight on Corruption points out stark differences between the two agencies: the FBI boasts a much lower turnover rate of 1.7 percent. FBI agents also enjoy better pay, benefits, and professional growth opportunities, making the NCA less competitive in attracting talent. In contrast, serving British police officers would have to take a pay cut to join the NCA, which lacks similar performance-based pay increases. A government spokesperson acknowledged the vital role the NCA plays in combating organized crime and reiterated its commitment to investing in the agency and its staff to ensure it has the necessary capacity and capabilities. However, with cybercrime and fraud continuing to rise and key staff leaving at an alarming rate, it remains to be seen whether these promises will translate into the significant reforms and investments the NCA urgently needs.

Two Nigerian brothers, Samuel and Samson Ogoshi, have been sentenced to 17 and a half years in prison for their roles in a social media sextortion scheme that claimed over 100 victims, including at least 11 minors. The brothers, who posed as young women on Instagram and other platforms, extorted money from their victims by threatening to share nude photos with family and friends if they didn't pay up. One of the victims was Jordan DeMay, a 17-year-old high school student who killed himself in 2022 after being threatened by the brothers. The sentencing is seen as a significant step in cracking down on sextortion schemes, which have claimed thousands of victims in recent years. The U.S. Attorney for the Western District of Michigan said that the sentences send a "thundering message" to scammers that they will be held accountable, regardless of where they're located.

A new Android malware called SpyAgent uses optical character recognition technology to steal cryptocurrency wallet recovery phrases from screenshots stored on mobile devices. Recovery phrases, or seed phrases, are crucial for accessing cryptocurrency wallets. If stolen, attackers can use these phrases to take control of the wallet and its funds. SpyAgent is distributed through at least 280 malicious APKs outside of Google Play, often spread via SMS or social media. Once installed, it scans device images for recovery phrases and sends sensitive data to its command and control server. The malware primarily targets South Korea but is expanding to the UK, with potential plans for an iOS variant. To mitigate risks, users should avoid installing apps from outside of Google Play and monitor for suspicious permissions.

The Highline Public School District in Washington State announced the closure of all schools on Monday due to a breach in its technology systems. The district detected unauthorized activity and immediately isolated critical systems, working with third-party and government partners to restore and test their network. The closure affects athletics, school activities, and the vaccine clinic, with central offices remaining open. The breach delays the first day of kindergarten, and families will be updated by Monday afternoon regarding Tuesday's schedule. The district, which serves over 17,000 students across 35 schools south of Seattle, has not detected any personal data theft. The breach impacts essential operations such as school transportation and attendance tracking, making it difficult to operate classes safely at the start of the school year.

Coming up after the break, Amer Deeba, CEO of Normalyze, discusses the emergence of shadow data. Stay with us.

Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind, knowing my data privacy is protected. DeleteMe's team does all the work for you, with detailed reports, so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout. That's joindeleteme.com/n2k, code n2k.

When it comes to ensuring your company has top-notch security practices, things can get complicated fast. Vanta automates compliance for SOC 2, ISO 27001, HIPAA, and more, saving you time and money. With Vanta, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center. Over 7,000 global companies like Atlassian, Flo Health, and Quora use Vanta to manage risk and prove security in real time. Our listeners can claim a special offer of $1,000 off Vanta at vanta.com/cyber. That's v-a-n-t-a.com/cyber for $1,000 off Vanta.

Amer Deeba is Chief Executive Officer of Normalyze, and I recently sat down with him to discuss data's version of hide-and-go-seek, the emergence of shadow data.

I think everyone was familiar with the name of shadow IT from five, six, ten years ago, and shadow data is the equivalent of it, but on the data side. As customers are digitally transforming their businesses and building applications, specifically in cloud environments, to automate and digitize with AI, the concept of shadow data became very popular, because you have developers copying data stores and moving data from one environment to another and leaving some of it behind without going back to do the cleanup when they're done. That's creating the concept of shadow data, or a data store that was used for a period of time, contains a lot of data, and some of it can be very sensitive, but then it was left behind, and people forgot about it, and yet it's still available in the environment. It's accessible by different users, could be accessible internally or externally, and can lead to data compromises. In fact, some of the data breaches that happened were related to the concept of shadow data that was used at some point within the environment, contained sensitive information, was left within the environment, and then hackers were able to find it, compromise it, and of course have a data breach happen from it.

Is this typically the result of folks going about their normal day-to-day business? I'll stick something over here because I might need it for a little while, and then time passes, and I've moved on to the next thing.

You're developing an application, for example. You started in Dev, in a Dev environment, you tested, you created all these data sources as part of your test environment that contained actual real data, and you're using this data to feed a new AI model that you're building, and you're trying to refine it, and then you're putting certain data models in it, or data from, you're amalgamating it from multiple sources, and all of that is being used as you're building the application and testing it. And then you produce everything, you move it from Dev to QA, to pre-prod, to production, and along the way you move some of these data stores along with you. In some cases you clean it, in some cases you left it behind, and that's what ends up being called the shadow data.

In this era where more and more organizations find themselves training AI models, how does shadow data apply to that process?

Again, if the model was using some data stores that, when it was being built at the beginning, contained basically information to help the model formalize and get better, that's basically the same thing as part of building an application that was using the shadow data, this data, and then it was overlooked, or copies of it were moved around the environment outside of the purview of the IT organization that's monitoring on an ongoing basis. Because typically, you know, security, cybersecurity and IT are monitoring what's in production, sometimes, and what's in pre-production, but when it comes to what's being monitored in development environments or in environments that are still being constructed, that's out of their actual ongoing monitoring. So in that case, that shadow data, or that data that was overlooked, that was used as part of an AI model, will also be there. Some of it might be in the AI model, some of it might be outside of the AI model, but at the end of the day, it contains sensitive information and it needs to be protected like any other type of data, because if it contains PII or PHI or keys or records that are sensitive to your environment, you really need to secure it like you secure everything else.

And how have organizations typically come at this problem, even historically?

Yeah, I mean, I think we started seeing it recently more and more, specifically in cloud environments where it's so easy to create the shadow data. Like, you can create an S3 bucket or an Azure blob and start putting information in it, and then you can connect it to an application or to an LLM. So in the cloud, the creation of shadow data can be pretty instantaneous, in a way. If you needed to build an application, you can get access to it, copy it from multiple sources, put it in an S3 bucket or a blob, or this type of temporary storage mechanism that can be easily created in cloud environments. So that's how we started seeing it happen and become more and more of a common issue. The term shadow data is really a couple of years old, I think two to three years old, and it started happening as data security posture solutions started forming to address specifically this issue of shadow data. We started to hear more and more about it as some of the breaches that happened recently also happened because of shadow data. That's where we started seeing it more and more and hearing about it, and it became kind of its own risk factor in cybersecurity.

So what are your recommendations then? How can folks best come at this and do a better job dealing with this issue?

You have to take it seriously, and knowing and getting the visibility of your data, whatever it is in your environment, is the number one, I think, preventative measure that you can have in place. Because once you have that visibility, you know where your shadow data is, you know where your real data is, what contains sensitive information and what's not. And you can really understand or put the controls around it in order to protect it and to prevent the breaches from happening around it. So if you approach it that way and you build the framework to discover the data first, to classify it, to understand what's in it, what's the value of it for your organization, and to understand whether there are risks or attack paths around it that would really make it compromisable, and take those proactive measures to fix it, then you are in good shape. So that's kind of our recommendation, in terms of also our business and what we do with customers: take that very seriously, make sure you have the controls in place to discover the data. Whether it's cloud, on-premise, or SaaS environments, all of those could contain one or different types or forms of shadow data, although we see it more and more in cloud environments, again, because of the ease of creation of shadow data there. And make sure you understand where it is, what's in it, and remove it, eliminate it from your environment altogether, remove unnecessary access to it. If, for example, developers within the organization still have access to it but they don't need it, eliminate their access, or if you don't need the data altogether, make sure just to eliminate it from your environment.

It really seems like it's easy to have almost a pack rat mentality when it comes to this, particularly when you're talking about cloud storage. I know for me as a user, because so much of my information is stored in the cloud and not locally on my laptop's hard drive, I don't find myself bumping up against any kinds of storage limits. So why ever delete anything?

It's human nature. We're all hoarders. We like to collect stuff, we like to collect data. Look at our inboxes. We rarely go back and clean up emails from five, six years ago that we don't need anymore, that contain customer records, order numbers, customer information, all types of data that could actually, if compromised, make you accountable for it. That's why knowing what you have, understanding what's in it, how valuable it is, and then deciding if you need to keep it, or restrict access to it, or at least make sure it's protected: there are no vulnerabilities around it, there are no misconfigurations, there is no over-privileged access. All of that just increases the level of control over shadow data.

That's Amer Deeba, CEO of Normalyze.

The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now, employees, apps, and networks are everywhere. This means poor visibility, security gaps, and added risk. That's why Cloudflare created the first-ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business.

And finally, Nick Drakon, CEO of Revelo Intel, a crypto research and education platform, has stepped down after a traumatic robbery where he was held at gunpoint and forced to transfer cryptocurrency. The attackers, described as a sophisticated group, stole personal funds, company capital, and investor assets, threatening Drakon, his wife, and their eight-month-old son. The criminals had detailed knowledge of Revelo's crypto deposit addresses, raising suspicions of insider involvement. Drakon has since forfeited his ownership stake in Revelo, which pledged 30% of future profits to affected members. Vu Benson, former chief operating officer, has taken over as CEO. Drakon apologized for errors that may have made him a target and is cooperating with authorities to recover the stolen funds. This incident serves as a sobering reminder of the personal risks that come with managing digital assets and the importance of prioritizing safety, not just for ourselves, but for our loved ones.

And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment on Jason and Brian's show every week. You can find Grumpy Old Geeks where all the fine podcasts are listed.

We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

This September 18th and 19th in Denver, a tight community of leading experts is gathering to tackle the toughest cybersecurity challenges we face. It's happening at mWISE, the unique conference built by practitioners for practitioners. Brought to you by Mandiant, now part of Google Cloud, mWISE features one-to-one access with industry experts and fresh insights into the topics that matter most right now to frontline practitioners. Register early and save at mwise.io/cyberwire. That's mwise.io/cyberwire.