CyberWire Daily

Mini-breach, mega-hype.


Duration: 26m
Broadcast on: 13 Sep 2024
Audio Format: mp3

Fortinet reveals a data breach. The feds sanction a Cambodian senator for forced labor scams. UK police arrest a teen linked to the Transport for London cyberattack. New Linux malware targets Oracle WebLogic. Citrix patches critical Workspace app flaws. Microsoft unveils updates to prevent outages like the CrowdStrike incident. U.S. Space Systems invests in secure communications. Illegal gun-conversion sites get taken down. Tim Starks of CyberScoop tracks Russian hackers mimicking spyware vendors. Cybersecurity hiring gaps persist. Hackers use eye-tracking to steal passwords.

Remember to leave us a 5-star rating and review in your favorite podcast app.

Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.


CyberWire Guest

Today, we welcome back Tim Starks, senior reporter from CyberScoop, to discuss “Google: apparent Russian hackers play copycat to commercial spyware vendors.” You can read the article Tim refers to here.


Selected Reading

Fortinet Data Breach: What We Know So Far (SOCRadar)

Cambodian senator sanctioned by US over cyber-scams (The Register)

UK NCA arrested a teenager linked to the attack on Transport for London (Security Affairs)

New 'Hadooken' Linux Malware Targets WebLogic Servers (SecurityWeek)

Citrix Workspace App Vulnerabilities Allow Privilege Escalation Attacks (Cyber Security News)

Microsoft Vows to Prevent Future CrowdStrike-Like Outages (Infosecurity Magazine)

Space Systems Command Awards $188M Contract for meshONE-T Follow-on (Space Systems Command)

Domains seized for allegedly importing Chinese gun switches (The Register)

Why Breaking into Cybersecurity Isn’t as Easy as You Think (Security Boulevard)

Apple Vision Pro’s Eye Tracking Exposed What People Type (WIRED)


Share your feedback.

We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.


Want to hear your company in the show?

You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Learn more about your ad choices. Visit megaphone.fm/adchoices

You're listening to the CyberWire network, powered by N2K.

Defense contractors face immense pressure to comply with CMMC 2.0 security standards, needing a secure, user-friendly file-sharing solution. Kiteworks, a FedRAMP Moderate-authorized solution, supports nearly 90% of CMMC 2.0 Level 3 requirements, reducing compliance effort and cost. Kiteworks leverages a zero-trust framework for swift compliance and offers a secure platform for defense data protection needs with advanced security features and ease of use. Its intuitive UI, mobile apps, and centralized policy management simplify administration. Accelerate your CMMC 2.0 compliance and address federal zero-trust requirements with Kiteworks' universal secure file-sharing platform made for defense contractors. Visit kiteworks.com to get started.

Fortinet reveals a data breach. The feds sanction a Cambodian senator for alleged forced labor scams. UK police arrest a teen linked to the Transport for London cyberattack. New Linux malware targets Oracle WebLogic. Citrix patches critical Workspace app flaws. Microsoft unveils updates to prevent outages like the CrowdStrike incident. US Space Systems invests in secure communications. Illegal gun conversion sites get taken down. Tim Starks of CyberScoop tracks Russian hackers mimicking spyware vendors. Cybersecurity hiring gaps persist, and hackers use eye tracking to steal passwords.

It's Friday, September 13th, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing.

[Music]

Yesterday, Fortinet disclosed a security breach involving unauthorized access to a third-party cloud-based file drive. A small number of files affecting less than 0.3 percent of Fortinet's customers were accessed. Impacted customers, primarily in the Asia-Pacific region, were promptly notified. Fortinet confirmed that the breach did not affect its operations, products, or services. Shortly after the incident, a threat actor on a hacker forum claimed to have stolen 440 gigabytes of data from Fortinet's Azure SharePoint, offering it via an S3 bucket. However, the validity of these claims was questioned, with some users reporting issues accessing the data. While Fortinet worked with affected customers and implemented strong security measures, the connection between the breach and the threat actor's claims remains unverified, suggesting a potential case of opportunistic deception common on dark web forums.

The U.S. Department of the Treasury's Office of Foreign Assets Control sanctioned Cambodian entrepreneur and Senator Ly Yong Phat for human rights abuses tied to forced labor in online scam centers. Ly's conglomerate, L.Y.P. Group, owns O-Smach Resort, allegedly a forced labor camp where workers promote cryptocurrency and foreign exchange scams. Victims are lured with false job offers, then have their phones and passports confiscated and are forced to work under duress. Some victims reported abuse, including beatings and electric shocks, with two jumping to their deaths. Cambodian authorities have rescued victims of various nationalities from the resort. The sanctions freeze Ly's U.S. assets and prohibit U.S. persons from doing business with him. Similar forced labor scam operations have also been found in the Philippines and Myanmar.

A 17-year-old was arrested by the U.K.'s National Crime Agency in connection with the cyberattack on Transport for London on September 1. The teenager was detained on suspicion of Computer Misuse Act offenses and later released on bail. Transport for London initially reported no customer data was compromised, but later revealed that threat actors accessed customer information, including names, contact details, and bank account numbers from Oyster card refunds.

Aqua Security's Nautilus research team has identified a new Linux malware, Hadooken, targeting Oracle WebLogic servers. The malware gains initial access by exploiting weak passwords, then downloads a shell or Python script to ensure its successful deployment. Once executed, Hadooken collects SSH data to move laterally within the organization, spreading further. It drops a cryptominer and Tsunami malware, although Tsunami's use remains uncertain. The malware maintains persistence by creating multiple cron jobs. Hadooken was traced to two IP addresses, one linked to the TeamTNT and Gang 8220 groups, also distributing Mallox ransomware to Windows systems. Static analysis suggests connections to the Rhombus and NoEscape ransomware families. Aqua discovered over 230,000 internet-connected WebLogic servers, with a few hundred potentially vulnerable to exploits due to misconfigurations.

Citrix has released security updates to address two critical vulnerabilities in the Citrix Workspace app for Windows. These flaws allow local attackers to escalate privileges to SYSTEM on affected machines. Citrix urges users to update to the patched versions and follow best practices to enhance security. CISA also recommends prompt action.

Microsoft has announced new security capabilities aimed at preventing IT outages like the CrowdStrike incident in July, where a faulty Falcon sensor update disrupted critical sectors by preventing Windows systems from booting. The incident highlighted the risks of security software accessing the system kernel, which is central to a computer's operations. Microsoft plans to enhance security outside of kernel mode, focusing on anti-tampering, performance needs, and security sensor requirements. Collaboration with ecosystem partners will ensure a balance between reliability and security. These developments were discussed during a Microsoft-hosted security summit on September 10, where industry leaders and government officials agreed on the need for more Windows security options and shared best practices. Microsoft's stated goal is to improve resilience in critical infrastructure while maintaining high security standards.

In a major boost to U.S. military communications, the U.S. Space Systems Command has awarded a $188 million contract to expand the cutting-edge meshONE Terrestrial network, enhancing secure data transport and warfighting capabilities across more than 85 locations. Here's Alice Carruth from N2K's T-Minus Daily Space podcast with the details.

U.S. Space Command's Tactical C3 Acquisition Delta has awarded a $188 million follow-on production agreement to Sev1Tech for the expansion of the meshONE Terrestrial network, known as meshONE-T. meshONE-T is a scalable, resilient, and cyber-secure wide-area network designed for high-speed, IP-based data transport across various locations and conflict conditions. meshONE-T enhances warfighter capabilities by securely and efficiently connecting data producers and data consumers, providing diversified communication paths built on modern technology and industry standards. The new agreement will expand meshONE-T services to over 85 locations, enhancing its capabilities with 24/7/365 managed transport services and enterprise-wide upgrades. Be sure to check out the T-Minus Daily Space podcast wherever you get your favorite podcasts.

The U.S. Attorney's Office in Massachusetts has seized over 350 domains allegedly used by Chinese entities to sell devices converting semi-automatic pistols into fully automatic weapons, along with illegal silencers, to U.S. residents. These conversion devices, known as switches, are banned under the National Firearms Act. Authorities began targeting these operations in August of 2022 using undercover purchases via apps like WhatsApp and Telegram. The items were falsely labeled as toys or jewelry when shipped. Investigations led to the seizure of over 700 conversion devices, 87 illegal silencers, and various firearms. The seized websites now display notifications of government action. The DOJ also called for the 3D printing industry to curb the production of such devices.

In an article for Security Boulevard, Chris Lindsey highlights the challenges new entrants face in the application security field despite the high demand for cybersecurity talent. One major hurdle is the persistent requirement for a college degree, even as skills-based hiring is promoted. Lindsey points out that job postings often list unrealistic qualifications like CISSP certification for entry-level roles, which requires five years of experience. Additionally, companies struggle to define clear application security roles, delaying the hiring process. Overqualified candidates sometimes take entry-level jobs, limiting opportunities for newcomers. Tight budgets also mean little time or resources for training, leading to burnout among existing staff. Automated hiring systems and even fake job postings add further frustration for applicants. Lindsey suggests a shift towards skills-based hiring and offering training to passionate senior developers, alongside encouraging candidates to focus on their soft skills and communicate their strengths confidently.

Coming up after the break, Tim Starks from CyberScoop tracks Russian hackers mimicking spyware vendors. Stay with us.

Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you, with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com/n2k and use promo code N2K at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code N2K at checkout. That's joindeleteme.com/n2k, code N2K.

When it comes to ensuring your company has top-notch security practices, things can get complicated fast. Vanta automates compliance for SOC 2, ISO 27001, HIPAA, and more, saving you time and money. With Vanta, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center. Over 7,000 global companies like Atlassian, Flo Health, and Quora use Vanta to manage risk and prove security in real time. Our listeners can claim a special offer of $1,000 off Vanta at vanta.com/cyber. That's v-a-n-t-a.com/cyber for $1,000 off Vanta.

It is always my pleasure to welcome back to the show Tim Starks. He is a senior reporter at CyberScoop. Tim, welcome back.

Hey, hey, Dave.

So, I want to talk about the article that you recently published here. It's titled "Google: apparent Russian hackers play copycat to commercial spyware vendors." There's a good bit to unpack here. Can you take us through this story?

Yeah, there is a good deal to unpack. One thing that's interesting about this story is that when we, by we I mean cyber reporters, when we write about threat research, we often are talking about who got hacked and why and that kind of thing. We gave that short shrift in the story, because what's interesting is the how here and what it means. This is the first time that Google, which did this threat research, has seen in the wild, as they say, out there in the world, that an APT group, nation-state-backed hackers, seem to have taken exploits and vulnerabilities that spyware vendors have been using and used them for their own purposes. And one of the things that's really interesting about this is that we talk about who has the most advanced capabilities in cyber. And you think of Russia, and this is likely Russian hackers, they say with moderate confidence these are Russian hackers. Russia's way up there. Covering spyware like I have, people have said these spyware vendors give capabilities to nations that wouldn't normally have them. They give them this very sophisticated technology that they wouldn't be able to produce on their own. That's not usually the case for Russia. They don't need to produce, they don't need to hire spyware vendors. This is the first time that the spyware vendors have done something that a major sophisticated cyber nation has stolen, basically, and said, "Oh, that's good, we're going to use that." So that's what's really interesting about this story to me, is that we just haven't seen this before. There have been people who have warned that this could happen. That's a danger of the spyware vendors, but this is the first time it seems to have happened.

Well, help me understand exactly what's going on here. My understanding is we have a zero-day that the spyware vendors would take advantage of, and then they would spin up their own, I'm going to just call it technology, to take advantage of that zero-day. To what degree do we think that this Russian APT group is making use of what the spyware vendors had used? Are they only using the zero-day and spinning up their own technology? Are they lifting the actual technology from the spyware groups? Do we know?

It seems more the latter. What's interesting is that Google has said we don't know exactly what happened here. We don't know for sure how they did this. What they've said is that they don't think that Russia just simultaneously found this vulnerability and spun up an exploit that just happened to be strikingly similar, almost identical, to what the spyware vendors were doing. They don't exactly know, and I was talking to some researchers yesterday, even after the story was published, about how did they do this? There are theories about how it might have happened. Maybe they got a device that had this vulnerability on it. Maybe they did it some other way. It looks like they essentially stole what the spyware vendors were doing, the NSO Groups and the Intellexas, and said, "Oh, this is good. We'll use this." It doesn't seem like they came up with it on their own. It seems like they said, "Okay, this zero-day is out there." Now there's, in this terminology, the use of n-day. N-day: the vulnerabilities are publicly known, but they're not yet patched. They swooped into that zone right there and started using that, is what seems to have happened. There is some mystery about what exactly the Russians did to copy this. That's still unresolved and I'm probing it still, but there's no answer right now.

Are we confident that perhaps the Russians didn't go through a third party to gain access to this, hire someone who's sympathetic to them in a country who has a better relationship to the country where the spyware vendors are?

Yeah, that's one possibility. There's no confidence in that. If you were able to literally get a device that's been compromised in this way, you might be able to copy the exploit. That is one of the options that's out there. Another thing that's interesting is that Russia, I wrote about this last year, where Meduza, the Russian news outlet, which is not stationed in Russia anymore but focuses on Russia, was the subject of some spyware attacks. At the time, people said, "Well, Russia appears to not be an NSO client." From all the reporting I was able to do in terms of talking to everybody involved, this is new. This is fascinating that they could have... Another possibility, a theory that's out there, is that NSO Group and Intellexa might create their own exploits, but they also might hire people. They might buy them, essentially. It's possible that, like you said, the people who produced this exploit might have sold it to NSO Group or Intellexa, and then after getting a little bang for their buck on that, they stumbled down and decided, "Well, I'll sell it to these other guys, too," after it goes from zero-day to n-day. That's another possibility.

Interesting. You point out in your research here that they seem to be targeting government websites in Mongolia. Is there anything to read into that?

Yeah, I have to say, I neglected to go into this in my story, and I feel bad about it, but I subsequently have looked into it a little bit and discovered that Russia and Mongolia do have historically good relations for the most part, but there is some feuding going on right now over the spending on a gas pipeline and where it will go through, and Russia is pretty pissed at Mongolia about this, that they have not gone forward with it in the way that Russia wanted them to. They've held up on some of the funding and planning. I'm not sure why that is. I'm not sophisticated enough on Mongolian politics, I'm afraid, but that is the situation. And so it does seem that foreign hackers that are nation-state-based might spy on allies, but more often they're spying on people that they're adversaries with. While Russia and Mongolia might be historical allies, they're not 100% right now. They're not best friends at this moment. They're not totally on the same page, so there's a chance that that's something that they were looking at. By affecting these Mongolian websites, Mongolian government websites, it seems that they were trying to target Mongolian politicians, perhaps, or other people in Mongolia, so the target was Mongolia. These were watering hole attacks, where they said, "We're going to infect this website and hope that people come here, and we'll be able to get them." Essentially, we'll be able to get info about them, the people who are coming, by using these watering holes.

Yeah, it's interesting. All right, well, Tim Starks is a senior reporter at CyberScoop. We will have a link to his reporting in our show notes. Tim, thank you so much for joining us.

Thank you. Thank you for the link.

This episode is brought to you by Microsoft Azure. Turn your ideas into reality with an Azure free account. Get everything you need to develop apps across cloud and hybrid environments, scale workloads, create cloud-connected mobile experiences, and so much more. Discover what you can create with popular services free for 12 months. Learn more at azure.com. That's azure.com, and sign up for a free account to start building in the cloud today.

And finally, it turns out your eyes aren't just windows to your soul. They could be windows to your passwords too. A group of computer scientists discovered a new attack, dubbed GAZEploit, that targets Apple's Vision Pro headset. By tracking eye movements while people type on the device's virtual keyboard, the researchers could guess passwords, PINs, and messages with impressive accuracy: 92% for messages, 77% for passwords. The attack works by analyzing the eye-tracking data of a user's virtual avatar, often used in video calls. Apple fixed the vulnerability in a July update after being notified in April. This research highlights the risks of biometric data leaks, especially as wearable tech becomes more common. So, the next time you're typing, just remember someone might be watching and eyeing your secrets.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Alex Delamotte, threat researcher from SentinelLabs. We're discussing their research titled "Xeon Sender: SMS Spam Shipping Multi-Tool Targeting SaaS Credentials." That's Research Saturday. Check it out.

We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your team smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.

This September 18th and 19th in Denver, a tight community of leading experts is gathering to tackle the toughest cybersecurity challenges we face. It's happening at mWISE, the unique conference built by practitioners for practitioners. Brought to you by Mandiant, now part of Google Cloud, mWISE features one-to-one access with industry experts and fresh insights into the topics that matter most right now to frontline practitioners. Register early and save at mwise.io/cyberwire. That's mwise.io/cyberwire.