A digital leaker gets 40 years behind bars.
Former CIA leaker sentenced to 40 years. Interpol arrests suspected cybercriminals and takes down servers. Cloudflare discloses a Thanksgiving Day data breach. The FBI removes malware from outdated routers. President Biden plans to veto a Republican-led bill overturning cyber disclosure rules. Attackers target poorly managed Linux systems. Infected USB devices take advantage of popular websites for malware distribution. Blackbaud faces a data deletion mandate from the FTC. Our guest is Adam Marré, CISO of Arctic Wolf, to kick off our continuing discussion of 2024 election security. A cybersecurity incident in Georgia leads to a murder suspect on the run.
Today is February 2nd, 2024. Groundhog Day here in the United States. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Former CIA leaker sentenced to 40 years.
Joshua Schulte, a former CIA programmer, was sentenced to 40 years in prison for a series of crimes, including espionage. In 2022, he was found guilty of leaking the CIA's most critical hacking tools to WikiLeaks, an act the agency described as a "digital Pearl Harbor." This breach was the largest in CIA history.
US Attorney Damian Williams condemned Schulte's actions as a severe betrayal to the United States, motivated by revenge against the CIA for its response to his security breaches while employed. The espionage, computer hacking, contempt of court, making false statements to the FBI, and child pornography charges led to his 40-year sentence by US District Judge Jesse Furman.
Schulte worked in the CIA's hacking unit from 2012 to 2016, during which he stole cyber tools designed for breaking into technology systems. He leaked these tools to WikiLeaks in 2017, which then published the classified data. This leak reportedly resulted in significant damage to the CIA's intelligence collection capabilities, endangering personnel and costing the agency hundreds of millions of dollars.
The data exposed included malware, viruses, trojans, and "zero day" exploits, which became accessible to foreign intelligence, hackers, and cyber extortionists globally. Initially charged with possessing child pornography in 2017, Schulte faced added espionage charges later. After a hung jury in 2020 on major charges, a 2022 jury convicted him under the Espionage Act and for obstruction.
Interpol arrests suspected cybercriminals and takes down servers.
A global operation from Interpol, called 'Synergia' resulted in the arrest of 31 suspected cybercriminals and the identification of 1,300 malicious servers used for phishing attacks and malware distribution. This coordinated effort, running from September to November of last year, involved nearly 60 law enforcement agencies and several private companies. They successfully dismantled 70% of the command-and-control servers they’d identified, primarily located in Europe, Hong Kong, and Singapore, with ongoing investigations for others. Additionally, 70 more suspects were identified for their roles in phishing, banking malware, and ransomware distribution. Although specific cybercrime groups uncovered during the operation were not disclosed, Interpol highlighted the collaborative nature of the effort.
Cloudflare discloses a Thanksgiving Day data breach.
Cloud services provider Cloudflare has disclosed that on Thanksgiving Day last year they experienced a security breach in their internal Atlassian server. Despite unauthorized access, no customer data or systems were compromised, and the intrusion was contained within 24 hours. An investigation, named Project Code Red and conducted with CrowdStrike, concluded that attackers used credentials stolen during an Okta breach in October 2023. The attackers sought information about Cloudflare's network architecture and security, accessing internal tools like Confluence and Jira.
Cloudflare's investigation revealed that the attackers, potentially a nation-state actor, accessed their Confluence wiki, Jira bug database, and Bitbucket source code management system on 14 November 2023. They also attempted to infiltrate a São Paulo data center, which was thwarted. Cloudflare responded by rotating 5,000 unique production credentials, segregating test and staging systems, conducting forensic analysis, and re-imaging network systems. Remediation efforts were completed by 5 January 2024, with ongoing focus on software security and credential management.
The FBI removes malware from outdated routers.
The FBI removed malware from hundreds of outdated NetGear and Cisco routers in the US, after receiving a court order to do so. These routers, no longer updated and vulnerable, were part of a botnet controlled by "Volt Typhoon," a group with ties to the Chinese government. This action aimed to block Volt Typhoon's access to sensitive infrastructure. The FBI says they will inform affected router owners or their providers. Router owners can undo the FBI's changes by restarting their routers, but this may leave them susceptible to future attacks. The FBI recommends replacing these end-of-life routers.
President Biden plans to veto a Republican-led bill overturning cyber disclosure rules.
The White House announced President Biden’s intention to veto a Republican-led effort to overturn the SEC's new cyber incident disclosure rules. These rules mandate public companies to report material breaches within four business days of recognizing their significant impact. The aim is to provide investors with timely, relevant information on cybersecurity incidents. Critics, including some Republican lawmakers, argue that early disclosure of incomplete information could harm investors and aid attackers. They also believe these rules conflict with existing reporting requirements.
Despite these concerns, the Biden administration supports the rules, citing the need for transparency to encourage corporate investment in cybersecurity and risk management. The White House argues that reversing the SEC's decision would disadvantage investors and lead to underinvestment in cybersecurity, affecting economic and national security. The SEC clarified that the required disclosures are limited and won't include detailed technical information, mitigating risks to security. Additionally, disclosures can be delayed if they pose a substantial risk to national security or public safety.
Attackers target poorly managed Linux systems.
AhnLab Security Intelligence Center (ASEC) is using an SSH honeypot to monitor attacks on Linux systems. Attackers, targeting poorly managed Linux systems, install malware via brute force and dictionary attacks. These attacks often involve creating backdoor accounts or altering existing high-privilege accounts like the root account. Attackers can then control the infected systems and install various malware, including ransomware and CoinMiners.
ASEC's analysis reveals that attackers use specific commands to add new accounts or change root account passwords. They also register self-generated SSH keys, allowing password-less access to the compromised systems. Attack logs suggest automated scripts are employed following successful system breaches.
To protect against such attacks, ASEC recommends using strong, regularly changed passwords, employing SSH key-based authentication, restricting root account SSH access, limiting SSH access to certain IP addresses, and using firewalls.
Infected USB devices take advantage of popular websites for malware distribution.
UNC4990, a financially motivated threat actor active since 2020, employs traditional methods like USB devices for malicious attacks. Recently, they've adapted tactics using popular websites like GitHub, GitLab, Ars Technica, and Vimeo to distribute malware. They utilize the EMPTYSPACE downloader and QUIETBOARD backdoor, with EMPTYSPACE executing payloads from command and control servers and delivering QUIETBOARD.
The attack begins with social engineering to distribute USB drives containing a malicious shortcut (.LNK file). When connected to a victim's device, the shortcut triggers a PowerShell script (explorer.ps1) which fetches the EMPTY SPACE downloader. In 2023, UNC4990 started using Vimeo, embedding payloads in video descriptions and the explorer.ps1 script. They also employed an image on Ars Technica with an embedded payload.
UNC4990 has utilized various versions of the EMPTYSPACE loader, with the Python-based QUIETBOARD capable of executing arbitrary code, stealing cryptocurrency, infecting USB drives, screenshotting, gathering information, and communicating with C2 servers.
Blackbaud faces a data deletion mandate from the FTC.
Blackbaud, a data and software services company, has been mandated by the FTC to erase unnecessary personal data following a 2020 breach where lax security practices led to the exposure of sensitive customer data. The breach, affecting millions, involved unencrypted personal, financial, and medical information. Blackbaud, serving 45,000 entities, failed to encrypt critical data, including Social Security and bank account numbers. Despite earning $1.1 billion in 2022, Blackbaud provided limited post-breach support and delayed notifying customers, initially downplaying the breach's severity. The FTC's proposed order requires Blackbaud to delete superfluous data, abstain from misleading statements about data security, establish a comprehensive security program, and implement a detailed data retention and deletion policy.
It’s a big election year here in the US. Coming up next, we have Arctic Wolf’s CISO Adam Marré joining us to share key cybersecurity threats to the 2024 election season.
A cybersecurity incident in Georgia leads to a murder suspect on the run.
And finally, ABC news reports that 30-year-old murder suspect named Zion River Shaka was mistakenly released by Clayton County authorities in Georgia last week following a “cybersecurity incident.” Shaka, who has been in Fulton County Jail since 2020, was transferred to Clayton County for a hearing with instructions to return to Fulton County Jail afterward. However, after the hearing, he was erroneously released. Earlier this week we reported that Fulton County, which includes most of Atlanta, experienced a "widespread system outage" due to a "cybersecurity incident," affecting phone, court, and tax systems.
Authorities are now actively searching for him.
Looks like the suspect found a real-life 'backdoor' vulnerability in the jail's security protocol.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. You can email us at firstname.lastname@example.org—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.
N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.