The CyberWire Daily Podcast 1.18.24
Ep 1985 | 1.18.24

A credential dump hits the online underground.

Transcript

A massive credential dump hits the online underground. CISA and the FBI issue joint guidance on drones. TensorFlow frameworks are prone to misconfigurations. Swiss federal agencies are targets of nuisance DDoS. Cybercriminals hit vulnerable Docker servers. Quarkslab identifies PixieFAIL in UEFI implementations. Google patches Chrome zero-day. The Bigpanzi botnet infects smart TVs. Proofpoint notes the return of TA866. In our Threat Vector segment, David Moulton dives into the evolving world of AI in cybersecurity with Kyle Wilhoit, director of threat research at Unit 42. And we are shocked- SHOCKED! - to learn that Facebook is tracking us.

Today is January 18th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Thanks for joining us today, it is good to have you here.

A massive credential dump hits the online underground. 

Troy Hunt, the operator of the breach notification service Have I Been Pwned?, reports a significant data breach involving about 71 million unique credentials. The data has been circulating on the internet for at least four months, and was posted on a well-known underground market known for the sale of compromised credentials.

Typically, Troy Hunt doesn’t pay much attention to these sorts of dumps, because they’re usually just repurposed and repackaged data from earlier breaches. However, this particular breach was different. It contained nearly 25 million passwords that had never been leaked before. The breach comprised 319 files totaling 104GB, and included nearly seventy-one million unique email addresses.

The breach seems to be the result of “stealer” malware, which captures credentials from compromised machines. The passwords in this breach appeared in plaintext. This is unusual since account credentials taken in website breaches are almost always cryptographically hashed. Most of the exposed credentials were weak, and would easily fall to a simple password dictionary attack.

Hunt confirmed the authenticity of the dataset by contacting people at some of the listed emails, who confirmed that the credentials listed were indeed accurate. 

Hunt noted that in addition to the stealer malware, a large percentage of the passwords in this breach came from credential stuffing.

CISA and the FBI issue joint guidance on drones. 

The FBI and Cybersecurity and Infrastructure Security Agency (CISA) have warned about the risks of using China-made drones in critical U.S. infrastructure sectors. In a joint guidance, they highlighted the dangers of sensitive information exposure due to China's laws that allow government access to data held by Chinese companies, including drone manufacturers. The agencies noted that prominent Chinese drone manufacturers, deemed as "Chinese military companies" by the Department of Defense, are under the purview of these laws. The widespread use of these drones in key U.S. sectors poses national security concerns, including unauthorized system and data access. The agencies recommend procuring drones adhering to secure-by-design principles, preferably U.S.-made, and provide suggestions for mitigating security risks associated with industrial drones.

TensorFlow frameworks are prone to misconfigurations. 

Researchers at Praetorian discovered critical misconfigurations in the open-source TensorFlow machine learning framework's continuous integration and continuous delivery (CI/CD) systems. These vulnerabilities could potentially allow attackers to orchestrate supply chain attacks. Attackers could compromise TensorFlow's build agents via malicious pull requests, enabling them to upload harmful releases to TensorFlow's GitHub repository, gain remote code execution, and access a GitHub Personal Access Token. TensorFlow uses GitHub Actions for its software build and deployment pipeline, where self-hosted runners execute jobs. GitHub's documentation advises using self-hosted runners only with private repositories, as public repository forks can run dangerous code on these runners. Praetorian identified TensorFlow workflows executed on non-ephemeral, self-hosted runners with extensive write permissions, posing risks of persistent access and code injection into the TensorFlow repository. After responsible disclosure in August 2023, the project maintainers addressed these issues by December 2023, requiring approval for all fork pull requests and restricting GITHUB_TOKEN permissions to read-only for self-hosted runner workflows. 
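As an added illustration, not taken from TensorFlow's own workflow files or from Praetorian's report, here is a GitHub Actions workflow in the risky shape the story describes, followed by a hardened version that applies the same two fixes the maintainers adopted (read-only GITHUB_TOKEN, no untrusted fork code on persistent self-hosted runners). The workflow names and the `./ci/build.sh` script are constructed for the example.

```yaml
# Constructed illustration, not TensorFlow's own workflow files.
# Document 1: the risky shape described in the story.
name: ci-risky
on:
  pull_request:                       # also fires for pull requests opened from forks
jobs:
  build:
    runs-on: [self-hosted, linux]     # persistent runner: files, credentials and
                                      # processes left by one job survive into the next
    # No `permissions:` block, so GITHUB_TOKEN inherits the repository default,
    # which can be read/write on contents, packages and releases.
    steps:
      - uses: actions/checkout@v4     # checks out the fork's commit...
      - run: ./ci/build.sh            # ...and runs whatever the fork put in this script
---
# Document 2: the hardened shape, mirroring the fixes the maintainers applied.
name: ci-hardened
on:
  pull_request:
  push:
    branches: [main]
permissions:
  contents: read                      # GITHUB_TOKEN is read-only for every job below
jobs:
  build:
    runs-on: ubuntu-latest            # GitHub-hosted, ephemeral VM for untrusted fork code
    steps:
      - uses: actions/checkout@v4
      - run: ./ci/build.sh
  publish:
    # Release steps run only on trusted pushes to main, never on a fork's pull request.
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    needs: build
    permissions:
      contents: write                 # write scope granted to this one job only
    runs-on: ubuntu-latest
    steps:
      - run: echo "release steps go here"
# Two controls live outside the workflow file:
#   Repository Settings > Actions > General > "Require approval for all outside
#   collaborators", so fork PR workflows wait for a maintainer before they run.
#   If a self-hosted runner is unavoidable, register it as single-use so no state
#   survives a job:  ./config.sh --url <repo-url> --token <registration-token> --ephemeral
```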

Swiss federal agencies are targets of nuisance DDoS.

Multiple federal agencies in Switzerland experienced distributed denial-of-service (DDoS) attacks, causing temporary unavailability of their public-facing websites. The nuisance attacks, claimed by the Russian hacktivist group NoName057(16), were intended as a form of psychological warfare rather than data theft, flooding websites with overwhelming requests. Swiss authorities had previously warned about potential attacks coinciding with Ukrainian President Volodymyr Zelenskyy's visit to the World Economic Forum in Davos. The Swiss National Cyber Security Centre quickly detected and mitigated the attacks.

Cybercriminals hit vulnerable Docker servers.

Cybercriminals have launched a new campaign targeting vulnerable Docker servers, deploying two containers: an XMRig miner and the 9Hits viewer application, as identified by Cado Security researchers. This marks the first known instance of malware using the 9Hits Traffic Exchange viewer as a payload. 9Hits allows members to earn credits by visiting websites, which the attackers exploit for gain. 

The 9Hits app, a headless Chrome application, is employed to visit various websites, including adult content, without a visible user interface. Interestingly, the attackers have disabled the app's ability to visit crypto-related sites. This campaign is a reminder of the importance of Docker host security, as it can significantly drain CPU resources and disrupt legitimate workloads on compromised hosts.

Quarkslab identifies PixieFAIL in UEFI implementations. 

Researchers at Quarkslab identified nine vulnerabilities, collectively named PixieFAIL, in the IPv6 network protocol stack of EDK II, a part of TianoCore's UEFI open-source reference implementation. UEFI (Unified Extensible Firmware Interface) is crucial for booting computer hardware and interfacing with the operating system.

PixieFAIL vulnerabilities could lead to remote code execution, sensitive information leakage, denial-of-service (DoS) attacks, and network session hijacking. 

Google patches Chrome zero-day.

Google has released an update for Chrome which includes four security fixes, including one for a zero-day vulnerability that has reportedly already been exploited. Please update appropriately. 

Meanwhile, Google’s Threat Analysis Group (TAG) has discovered that the Russian threat group COLDRIVER, known for targeting high-profile individuals in NGOs and NATO countries, has expanded its tactics to include malware. COLDRIVER previously focused on credential phishing, but now deploys the SPICA backdoor malware via seemingly benign but encrypted PDF documents. When targets report an inability to read these documents, they are offered a "decryption" utility which is actually a malware installation. SPICA, written in Rust, allows various malicious activities, including command execution and data theft. 

The Bigpanzi botnet infects smart TVs.

The cybercrime group Bigpanzi, active since 2015, has reportedly infected at least 172,000 smart TVs and set-top boxes, mainly targeting Spanish and Portuguese-speaking users in Latin America. Chinese security firm QiAnXin identified that Bigpanzi built its botnet using social engineering, distributing apps for pirated content viewing and enhanced TV experiences, along with backdoored firmware updates. These methods integrate devices into the Bigpanzi botnet, enabling DDoS attacks. QiAnXin linked Bigpanzi to the previously discovered Pandora botnet.

While 172,000 infections were tracked weekly after commandeering two command-and-control domains, the estimated total number of infected devices is believed to be in the millions. Most infected devices are Android-based smart TVs or eCos-operated set-top boxes, predominantly located in Brazil. Bigpanzi, also known as Pandora, is one of the few modern botnets targeting smart TVs and set-top boxes for DDoS attacks, distinguishing it from other groups like Ares, the Lemon Group, and BADBOX, which focus on ad fraud.

Proofpoint notes the return of TA866.

Researchers at Proofpoint observed the return of threat actor TA866 in a large-volume email campaign targeting North America, following a nine-month hiatus. The campaign, which began about a week ago, involved invoice-themed emails with PDF attachments containing OneDrive URLs. These URLs initiated a complex infection chain leading to WasabiSeed and Screenshotter malware. The attack chain included a PDF, OneDrive URL, JavaScript file, and MSI files executing WasabiSeed VBS scripts and Screenshotter components, which captured and sent desktop screenshots to a command-and-control server.

TA866, known for both crimeware and cyberespionage, appears to be financially motivated in this campaign. Proofpoint assesses that TA866 is a sophisticated and organized actor capable of large-scale attacks using custom tools. The campaign's timing coincides with other threat actors' return after end-of-year breaks, indicating an overall increase in threat landscape activity.

Next up on our Threat Vector segment, David Moulton from Palo Alto Networks’ Unit 42 speaks with Kyle Wilhoit about the current state and future trends of AI in cyberthreats.

 

We are shocked- SHOCKED! - to learn that Facebook is tracking us.

And finally, you know that feeling where you’re pretty confident that something is bad, but having the data laid bare in front of you just drives it home? This is one of those stories.

A study from Consumer Reports, utilizing data shared by 709 volunteers, revealed extensive online surveillance by Facebook. Sure, tell us something we didn’t already know. The volunteers' data, gathered from their Facebook archives, showed that 186,892 companies sent information about them to Facebook. On average, each participant's data was shared by 2,230 companies, with some reaching over 7,000. The study highlights server-to-server tracking, where personal data is transferred directly from a company's servers to Meta's servers, a method often hidden from users.

Meta defends its practices, offering transparency tools to users. However, Consumer Reports found issues with these tools, such as unclear data provider identities and companies ignoring opt-out requests. 

The data tracks user interactions outside Meta's platforms, including website visits, physical store visits, and purchases. Meta's tracking pixel and server-to-server tracking capture these interactions, but again, users cannot monitor server-to-server traffic.

Consumer Reports suggests policy changes, including data minimization, expanding authorized agents' powers, increasing ad transparency, and improving data readability in Meta's tools. The burden, however, remains on users to protect their privacy, underscoring the need for a national digital privacy law. For now, consumers have limited options. Meta spokesperson Emil Vazquez reiterated the company's commitment to investing in data minimization technologies.

I don’t know. How many times have we heard, “Your privacy is important to us!”

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

 

We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.

 

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.