FBI initiates router revolution.

The FBI kicks Moobot out of small business routers. Sensitive data has been stolen from a state government network. AMC proposes a multi-million-dollar settlement after improperly sharing subscriber’s viewing habits. The U.S. targets an Iranian military ship in the Red Sea with a cyberattack. Lawmakers propose transparency in the use of algorithms in criminal trials. CERT-EU highlights a spear phishing spike. An infamous Zeus and IcedID operator pleads guilty. Our guests are Dr. Josh Brunty, Head Coach, and Brad Wolfenden, Program Director, of US Cyber Games join us to share the details of how their 2024 season is shaping up. And AI comes to video.

Today is February 16, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

The FBI kicks Moobot out of small business routers.

On Thursday the FBI announced the disruption of a Russian GRU-led hacking campaign, "Operation Dying Ember," which compromised over a thousand home and small office routers worldwide for cyber espionage. This operation, conducted with international partners, successfully expelled the hackers and prevented their re-entry by identifying and eliminating "Moobot" malware from the infected routers. The GRU utilized these routers for extensive spearphishing campaigns targeting entities of interest to the Russian government, including U.S. and foreign governments, military, and corporate organizations. This initiative is part of the Justice Department's increased efforts to counteract Russian cyber activities against the U.S. and its allies. This announcement follows a similar FBI operation against Chinese government-sponsored hackers targeting U.S. infrastructure, highlighting the FBI's ongoing efforts to dismantle malicious cyber operations and safeguard national and allied security.

Sensitive data has been stolen from a state government network. 

CISA and MS-ISAC have reported a cybersecurity breach where an unidentified group infiltrated a state government's network, stealing sensitive data. At this point neither the state nor the group have been identified. The data was later found for sale on the dark web, traced back to a compromised account of a former employee. Using CISA's Untitled Goose Tool, it was discovered that the attackers exploited credentials from a former employee and SharePoint to access on-premises and Azure AD systems, also conducting LDAP queries for further information. The agencies recommend enhancing security by reviewing administrator accounts and implementing multifactor authentication.

Meanwhile, CISA has added a vulnerability affecting Cisco's ASA and FTD security products, to its Known Exploited Vulnerabilities catalog due to its exploitation by the Akira ransomware group. This flaw, identified back in 2020, allows unauthorized remote access to sensitive device memory data, including credentials, via the Anyconnect SSL VPN feature. Despite Cisco's patch in 2020, recent Truesec investigations reveal its active exploitation in ransomware attacks. CISA mandates government agencies to patch this vulnerability by March 7 and strongly advises all organizations to secure their systems against this exploit to prevent unauthorized access and data breaches.

AMC proposes a multi-million-dollar settlement after improperly sharing subscriber’s viewing habits. 

Streaming media provider AMC has proposed an $8.3 million settlement for sharing 6 million subscribers' viewing history from its streaming services with tech companies like Google, Facebook, and X (Twitter), violating 1988’s Video Privacy Protection Act (VPPA). AMC's use of tracking technologies like the Meta Pixel enabled the linkage of personal information with viewing data. Despite denying wrongdoing, AMC seeks to settle to avoid litigation uncertainties, with a hearing set for May 16. The settlement includes altering tracking practices and offers affected subscribers a one-week free subscription. 

The Video Privacy Protection Act, by the way, is designed to protect the privacy of individuals' video rental and purchase records. The law was a direct response to the privacy concerns raised during the confirmation hearings of Judge Robert Bork for the U.S. Supreme Court, when a newspaper published his video rental history. Under the VPPA, video tape service providers, and now streaming services, are prohibited from knowingly disclosing, without the consumer's written consent, information about the specific videos an individual rents or purchases or about their personal information to third parties. Despite dating back to the 80s, The VPPA is considered one of the stronger laws in the U.S. aimed at protecting consumer privacy, particularly in the context of entertainment and media consumption.

The U.S. targets an Iranian military ship in the Red Sea with a cyberattack.

NBC News reports that the U.S. executed a cyberattack on an Iranian military ship in the Red Sea and Gulf of Aden. The ship was said to be gathering intelligence for attacks on cargo vessels. This cyber operation came in response to an Iranian-backed militia drone strike in Iraq killing three U.S. service members, and aimed to disrupt the ship's capability to aid Houthi rebels in Yemen. The Houthis have targeted shipping lanes, affecting global shipping and prompting companies to halt operations in these waters. The U.S. action follows airstrikes in Iraq and Syria and forms part of a broader strategy against Iranian aggression. Despite denials from Iran regarding the ship's role, the U.S. continues to counter threats in the region.

Lawmakers propose transparency in the use of algorithms in criminal trials. 

Democratic Representatives Mark Takano and Dwight Evans have reintroduced the Justice in Forensic Algorithms Act, aiming to increase transparency in the use of algorithms within criminal trials. This legislation would grant defendants access to the source code of software analyzing evidence against them and mandates the National Institute of Standards and Technology (NIST) to establish testing standards for forensic algorithms. The initiative addresses concerns over human bias in software, especially in facial recognition technology, and the potential for technology to be viewed as infallible in legal contexts. Highlighting the importance of due process over proprietary rights, the bill seeks to ensure that defendants and their attorneys can scrutinize the technology that could impact the outcomes of criminal proceedings. Representative Takano says he is optimistic about bipartisan support due to shared concerns over law enforcement's surveillance powers.

CERT-EU highlights a spear phishing spike. 

A report from CERT-EU finds that in 2023, EU-based organizations experienced a significant increase in spear phishing attacks, particularly exploiting EU political and diplomatic events. These attacks were notably linked to the EU's political processes for the first time in such a concentrated period, utilized lures related to EU affairs and policies, including documents and information related to specific EU bodies and events. China-backed threat group Mustang Panda has been identified as a perpetrator since at least 2022. Attackers targeted individuals and organizations involved with the EU, often impersonating EU staff or public administration members from EU countries to increase the credibility of their phishing attempts. The diplomacy, defense, and transport sectors outside public administration were particularly targeted, with attackers also diversifying their methods to include instant messaging and social media platforms. This escalation of spear phishing activities poses a significant threat, especially with the upcoming EU elections in May 2024.

An infamous Zeus and IcedID operator pleads guilty. 

Vyacheslav Penchukov, a 37-year-old from Donetsk, Ukraine, pleaded guilty for his significant role in the Zeus and IcedID malware attacks, which led to massive financial thefts from victims worldwide. Arrested in Switzerland in 2022 and extradited to the U.S. in 2023, Penchukov's crimes spanned from stealing bank account details via Zeus since 2009 to collaborating with the IcedID malware from 2018 to 2021, which also facilitated ransomware attacks. His criminal activities, which notably included an attack on Vermont Medical Center, resulted in extensive damages and led to his placement on the FBI’s Cyber Most Wanted List. Penchukov faces sentencing on May 9th, with each charge potentially carrying a maximum of 20 years in prison.

 

The US Cyber Games 2024 season is starting to gain momentum. Next up, I’ll be speaking with the team’s head coach Dr. Josh Brunty and program director Brad Wolfenden to learn how the 2024 season is shaping up.

 

AI comes to video.

And finally, having seen generative AI applied to written content and still images, it was only a matter of time before these rapidly evolving tools would be applied to video.

Yesterday, OpenAI introduced Sora, a new text-to-video generation model capable of creating realistic videos up to one minute long from text prompts. Sora excels in generating complex scenes with accurate details, multiple characters, and various motions, and can generate videos from still images or enhance existing videos. Despite its impressive capabilities, Sora may face challenges with complex scene physics and cause-and-effect relationships. The demo videos they’ve posted are simultaneously impressive and a little unsettling. Currently, access is limited to "red teamers" for assessing potential risks and a select group of visual artists, designers, and filmmakers for feedback. 

I have a couple of thoughts. First, I would hate to be in the stock footage business right now. Second, this particular genie is not going back in the bottle, and could contribute to making what is sure to be a wild election year even more chaotic. And lastly, I can’t help thinking of that old chestnut from Arthur C. Clarke, that any sufficiently advanced technology is indistinguishable from magic. 

Do check out the videos, and let us know what you think. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We will not be publishing on Monday, February 19, 2024 in observance of Washington’s Birthday here in the US. We’ll have some great bonus content for you to check out on Monday and be back on the mic Tuesday. 

We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

Alternative - Thank you for being part of our N2K Cyberwire community. Just by listening, you’re staying ahead in cybersecurity with our podcast. Share your thoughts at cyberwire@n2k.com and be a part of shaping a daily briefing that's trusted by leaders and security experts worldwide. With each episode, feel better informed, connected, and empowered in the ever-evolving world of cybersecurity. Your insights make us better – together, we're not just informed, we're a step ahead. And that’s a great feeling to share. 

And please, do share! With your colleagues and online, help us spread the word and continue to provide you with the news, intelligence and insights you need. 

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.

 

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.