A serious breach showdown.

Anydesk confirms a serious breach. Clorox and Johnson Controls file cyber incidents with the SEC. There’s already a potential Apple Vision Pro kernel exploit. A $25 million deepfake scam. Akamai research hops on the FritzFrog botnet. The US sanctions Iranians for attacks on American water plants. Commando Cat targets Docker API endpoints. Pennsylvania courts fall victim to a DDoS attack. A new leader takes the reins at US Cyber Command and the NSA. Our guest is Dr. Heather Monthie from N2K Networks, with insights on the White House's recent easing of education requirements for federal contract jobs. And remembering one of the great cryptology communicators.

Today is February 5th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Anydesk confirms a serious breach.

Late last Friday afternoon remote software company AnyDesk confirmed a significant security breach in its systems. Unauthorized access was detected during a routine security audit, leading to the exposure of a substantial amount of source code and code signing certificates.

The company has engaged the services of cybersecurity experts CrowdStrike and is working closely with authorities to address the situation. They say it is notably not related to ransomware.

In an effort to mitigate risks, AnyDesk has revoked and is replacing compromised security certificates and systems. Additionally, they have reset passwords for their web portal, advising customers to change their credentials as a precaution.

The breach led to a service interruption, with a four-day outage at the end of January, where users were unable to log into the AnyDesk client. Despite this disruption, the company assures that there is no evidence of end-user devices being affected.

AnyDesk serves over 170,000 enterprise customers globally, including major brands like Samsung and Comcast. Following this disclosure, some observers have criticized the company for what’s been perceived as a “Friday afternoon news dump”, an attempt to downplay the story by releasing it just before the weekend.

Clorox and Johnson Controls file cyber incidents with the SEC.

Continuing with breach disclosures, two major companies recently filed SEC disclosures outlining significant financial losses due to cyber incidents. Clorox, a cleaning product manufacturer, faced a major operational disruption from an attack last August, leading to $49 million in expenses by December 2023. The costs primarily involved third-party consulting, IT recovery, forensic experts, and additional operational costs due to the disruption. Clorox anticipates reduced future expenses and has not yet received insurance proceeds for the incident.

Meanwhile, Johnson Controls, a building management conglomerate, reported a $27 million expense in the last quarter of 2023 following a confirmed ransomware attack in September. The company expects further expenses in fiscal 2024, mainly in the first half, for response and remediation efforts. The attack disrupted their billing systems but is not expected to materially impact net income, with a substantial portion of the costs likely covered by insurance.

There’s already a potential Apple Vision Pro kernel exploit. 

Apple launched their much anticipated spatial computing platform Apple Vision Pro last week, and now CyberNews reports that Joseph Ravichandran, an MIT PhD student, revealed a potential Kernel exploit for Apple's Vision Pro VR headset on X. The exploit triggers when the device crashes, switching to full passthrough and prompting a reboot. Kernel exploits, coveted by attackers for their ability to bypass security and execute malicious code, are serious vulnerabilities. Ravichandran, known for identifying the PACMAN attack on Apple's M1 CPU, highlighted this shortly after Apple's recent software update aimed at patching security flaws. Apple and Ravichandran have yet to comment on the exploit revelation.

A $25 million deepfake scam. 

A finance worker at a multinational firm was deceived into transferring $25 million due to an elaborate deepfake scam, as reported by Hong Kong police. The worker attended a video call, believing he was interacting with the company's CFO and other staff members, but they were all deepfake simulations. Initially skeptical due to a suspicious email discussing a secret transaction, the worker was convinced after the video call, where the participants appeared and sounded like real colleagues. This led to him remitting approximately $25.6 million. Hong Kong police, who have made six arrests related to similar scams, revealed that deepfake technology has been used in multiple instances to deceive facial recognition systems for fraudulent loan applications and bank account registrations. This scam was uncovered when the employee verified the transaction with the company's head office.

Akamai research hops on the FritzFrog botnet.

The FritzFrog botnet, active since 2020, has evolved to exploit the Log4Shell vulnerability, targeting not just internet-facing applications but also internal networks. Researchers at Akamai detail this shift in the botnet's behavior. FritzFrog, known for compromising SSH connections to deploy cryptominers, now scans system files on infected hosts to identify and attack vulnerable Java applications.

Dubbed "Frog4Shell," this campaign leverages the Log4Shell bug found in the Log4j web tool, which led to a major global patching effort starting in 2021. Despite these efforts, researchers are still finding vulnerable systems two years later. FritzFrog has been particularly notorious, compromising over 500 servers, including those in banks, universities, and medical centers. It had a period of dormancy but resurfaced in 2022.

Akamai's research reveals over 20,000 FritzFrog attacks affecting more than 1,500 victims. This botnet poses a unique risk by exploiting unpatched internal machines, which were initially considered less vulnerable and thus often neglected. The malware targets all hosts within a network, exposing even patched internet-facing applications to risk if any part of the network is breached.

The botnet has also developed new capabilities, including privilege escalation and cyberdefense evasion tools. Researchers anticipate that FritzFrog will continue to evolve, possibly integrating more exploits. In 2022, about 37% of the infected nodes were in China, but the victims were globally distributed. There's speculation that the FritzFrog operator might be based in China or is attempting to appear so.

The US sanctions Iranians for attacks on American water plants. 

The US has sanctioned six Iranian Islamic Revolutionary Guard Corps (IRGC) officials for cyber-attacks on American water plants last year. These attacks come amidst heightened tensions following a drone strike in Jordan that killed three US soldiers, for which an Iranian-backed militia is blamed. The US Treasury's Under Secretary emphasized the seriousness of targeting critical infrastructure and vowed to hold perpetrators accountable. 

The IRGC-affiliated Cyber Av3ngers targeted several US water systems, including one in Pennsylvania, exploiting weak cybersecurity like default passwords. While the attacks were considered low-level, they raised concerns about the vulnerability of US water systems. Federal officials, including Pennsylvania Senators and a Congressman, have urged for a full investigation. The US Cybersecurity & Infrastructure Security Agency (CISA) warns that countries like Iran are increasingly investing in cyber capabilities, posing significant threats to US infrastructure.

Commando Cat targets Docker API endpoints.

Researchers at Cado security have discovered a new malware campaign, named "Commando Cat," targeting Docker API endpoints. This is the second Docker-targeted campaign in 2024, following a recent report on the malicious use of the 9hits traffic exchange application. Commando Cat is a cryptojacking campaign exploiting Docker for initial access, using the service to access the host's filesystem and execute multiple interdependent payloads. These payloads aim to establish persistence, enable backdoors, steal Cloud Service Provider credentials, and run a cryptocurrency miner.

The malware exhibits unique evasion techniques, including a rare process hiding mechanism, using the hid process hider script instead of more common rootkit kernel modules. It also employs a Docker Registry blackhole to prevent other attackers from accessing the compromised system.

Commando Cat functions as a credential stealer, a stealthy backdoor, and a cryptocurrency miner, making it a versatile threat. Its payloads bear similarities to those used by other threat actors, particularly TeamTNT, suggesting Commando Cat could be a copycat group building upon TeamTNT's techniques. The sophistication, redundancy, and evasion tactics of this malware make it a challenging threat to detect.

Pennsylvania courts fall victim to a DDoS attack. 

Over the weekend the website of the Pennsylvania state courts agency experienced a cyberattack which disabled several online systems. This incident was confirmed by officials on Sunday night, who noted that the attack did not compromise any data. Chief Justice Debra Todd says the attack is being investigated by the U.S. Department of Homeland Security and the FBI. She described the incident as a "denial of service" attack, a method where attackers overload a system with traffic, causing it to crash and denying access to legitimate users.

The agency, known as the Administrative Office of Pennsylvania Courts, has not yet identified the attackers or their motives, and it remains unclear whether their cybersecurity measures were effective or if any ransom was demanded. Key online services affected include the docket sheets and an electronic document filing portal. Despite these disruptions, the state's courts continued to operate.

A new leader takes the reins at US Cyber Command and the NSA.

After six years, Army Gen. Paul Nakasone has passed the leadership of U.S. Cyber Command and the National Security Agency to Air Force Gen. Timothy Haugh. The change-of-command ceremony, held at NSA’s Morrison Center, occurs amidst increasing challenges in digital warfare and concerns over election security against potential foreign hacking. Nakasone, praised for his leadership during a period of heightened global challenges and low morale following security breaches, introduced significant changes, including the "persistent engagement" doctrine and the establishment of the Cybersecurity Directorate at NSA.

Haugh, previously Cyber Command’s deputy and head of the Air Force’s digital warfare branch, is recognized as highly qualified for leading these agencies. The ceremony, attended by top national security officials, highlighted the evolving importance of technology in national security, with Haugh expressing enthusiasm for future challenges and opportunities.

Our guest today is Dr. Heather Monthie of N2K Networks. Heather shares some insight into the White House's recent easing of education requirements for federal contract jobs. 

We’ll be right back

You can find the background to the easing of education requirements for federal contract jobs in our Selected Reading section of our Show Notes. for guest outro

 

Remembering a great cryptology communicator. 

And finally, David Kahn, a renowned journalist and historian known for his groundbreaking work on cryptology, passed away at age 93 due to complications from a stroke. His fascination with cryptology began at age 13 after discovering a book on codes and ciphers. Kahn's landmark 1967 book, "The Codebreakers," explored the history of secret communication, establishing him as a leading figure in the field. Despite initial resistance from the U.S. government and the NSA, his work eventually gained widespread recognition and respect.

Kahn's career in journalism began at Newsday and later included a stint at the New York Herald Tribune's Paris edition. He earned a doctorate in modern history from Oxford University, where he focused on German military intelligence in World War II, leading to his book "Hitler’s Spies." His other works included "Seizing the Enigma" and "The Reader of Gentlemen’s Mail."

Despite not being a skilled cryptanalyst himself, Kahn's extensive knowledge and collection of intelligence artifacts earned him a special place in the field, culminating in the NSA’s National Cryptologic Museum housing the David Kahn Collection. Kahn's work significantly contributed to the public's understanding of cryptology and signals intelligence.

May his memory be a blessing to those who knew and loved him. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

 

We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.

 

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.