The CyberWire Daily Podcast 4.3.24
Ep 2038 | 4.3.24

Biden administration brings down the hammer.

Transcript

The Cyber Safety Review Board hands Microsoft a scathing report. Jackson County, Missouri declares a state of emergency following a ransomware attack. The concerning growth of Chinese brands in U.S. critical infrastructure. Malware campaigns make use of YouTube. OWASP issues a data breach warning. Trend Micro tracks LockBit’s faltering rebound. India’s government cloud service leaks personal data. ChatGPT jailbreaks spread on popular hacker forums. On our Learning Layer segment, host Sam Meisenberg and Joe Carrigan continue their discussion of Joe's CISSP study journey and focus on the when and how of studying for Domain 1. And you can no longer just walk out of an Amazon grocery store.

Today is April 3rd, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

The Cyber Safety Review Board hands Microsoft a scathing report. 

In a scathing report released yesterday, the Biden administration's Cyber Safety Review Board criticized Microsoft for cybersecurity failings that allowed Chinese hackers to infiltrate email accounts of top U.S. officials, including Commerce Secretary Gina Raimondo. The board highlighted Microsoft's inadequate security culture and practices, contributing to breaches affecting U.S. agencies dealing with China. It asserted the intrusion, identified in June and originating in May, was avoidable, stemming from a series of Microsoft's errors, and called for an overhaul of the tech giant's security approach due to its critical role in global infrastructure. The board recommended halting feature additions to Microsoft's cloud computing until significant security enhancements are made and urged a transparent, security-focused reform plan. The breach compromised 22 organizations and over 500 individuals globally, including the U.S. ambassador to China, with 60,000 emails from the State Department downloaded. Additionally, the board criticized Microsoft for misleading public statements and a culture that sidelines security investment and risk management, alongside expressing concerns over a separate hack attributed to Russian hackers. Microsoft acknowledged the need for a new security engineering culture and pledged to harden its systems against attacks.

We note that Microsoft is a CyberWire partner, but we cover them just like we do any other company. 

Jackson County, Missouri declares a state of emergency following a ransomware attack. 

Jackson County, Missouri, has declared a state of emergency and indefinitely shut down major offices after a suspected ransomware attack disrupted its IT systems, affecting services like tax payments, marriage licenses, and inmate searches. Although the attack coincided with a special election, the electoral offices remained unaffected. This incident adds to the growing number of ransomware attacks targeting local governments, with 28 such incidents reported this year. Jackson County, with a population of 654,000, is actively investigating the breach with cybersecurity partners to ascertain the attack's nature and extent. County Executive Frank White Jr. has highlighted the potential financial implications and emphasized the need for protective measures for resident data and county assets while maintaining essential services. Law enforcement and IT security contractors have been engaged to assist in the investigation and recovery efforts.

The concerning growth of Chinese brands in U.S. critical infrastructure. 

Forescout Vedere Labs reports a concerning 40% year-over-year increase in Chinese-made devices within U.S. networks, notably penetrating critical infrastructure sectors despite official bans. The study underscores the presence of banned Hikvision and Dahua cameras in government networks and widespread use of Yealink VoIP phones, highlighting a significant security vulnerability. With sectors such as manufacturing, healthcare, and financial services showing substantial increases in Chinese device usage, the potential for remote access and tampering by the Chinese government poses a significant threat. Nearly 300,000 devices from 473 Chinese manufacturers were identified in U.S. networks as of February 2024, marking a 41% increase from the previous year. This growth emphasizes the risks associated with the expanding footprint of Chinese technology in essential services, with concerns over espionage, sabotage, and exploitation of software vulnerabilities. Forescout's findings call for heightened vigilance and a reassessment of cybersecurity measures in safeguarding critical infrastructure against sophisticated cyber threats.

Malware campaigns make use of YouTube. 

Hackers are exploiting YouTube channels, often associated with cracked or pirated video games, to distribute malware such as Vidar, StealC, and Lumma Stealer, according to Proofpoint researchers. These malicious campaigns utilize video descriptions to guide users to external sites where malware is downloaded, targeting particularly popular games among younger audiences. Proofpoint's investigation uncovered more than 24 such accounts, which YouTube has since removed. The platform employs a mix of machine learning and human review to enforce its guidelines against malicious content. The malware distribution is facilitated primarily through MediaFire URLs, but Discord links have also been implicated. This campaign, difficult to attribute to any specific threat actor, appears designed to target non-enterprise, individual users likely to possess sensitive personal information valuable to attackers. Despite YouTube's efforts, including the removal of over 20.5 million channels in Q4 2023 for policy violations, the challenge of policing content and protecting users from such sophisticated threats persists.

OWASP issues a data breach warning. 

The Open Worldwide Application Security Project, better known as OWASP, has issued a warning to its members who joined between 2006 and 2014 about a data breach stemming from a misconfigured old Wiki web server, leading to the potential exposure of personal information contained in resumes. This misconfiguration allowed unauthorized access to names, email addresses, phone numbers, and physical addresses of members who had provided their resumes as part of the membership process. The breach was identified in late February following support requests, prompting OWASP to take immediate remedial action. Measures included disabling directory browsing, reconfiguring the web server, removing resumes, and purging cached data. OWASP has since enhanced its security protocols and no longer collects resumes, minimizing future data collection to essential information only. Efforts to contact affected members are underway, particularly those whose data may still be current and at risk of being used for scam purposes.
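The misconfiguration OWASP describes is a web server left with directory listings enabled. As an added example (not OWASP's configuration or code), here is a constructed Apache fragment with the weak setting beside the corrected one, plus a small audit that flags listing-enabling directives in Apache and nginx configs; the vhost and paths are assumptions.

```python
import re

# Constructed sample of a vulnerable Apache vhost: listings are on for the uploads tree,
# so anyone who can reach the directory gets an index of every file in it.
WEAK_APACHE = """
<VirtualHost *:80>
    DocumentRoot /var/www/wiki
    <Directory /var/www/wiki/uploads>
        Options Indexes FollowSymLinks
        AllowOverride None
    </Directory>
</VirtualHost>
"""

# The same vhost with listings explicitly turned off (the remediation OWASP applied).
HARDENED_APACHE = """
<VirtualHost *:80>
    DocumentRoot /var/www/wiki
    <Directory /var/www/wiki/uploads>
        Options -Indexes +FollowSymLinks
        AllowOverride None
    </Directory>
</VirtualHost>
"""

OPTIONS_RE = re.compile(r"^\s*Options\s+(.*)$", re.IGNORECASE)
AUTOINDEX_RE = re.compile(r"^\s*autoindex\s+on\s*;", re.IGNORECASE)


def find_directory_listing(config_text):
    """Return (line_no, directive) for each directive that enables directory listings.

    Apache: 'Options' with Indexes, +Indexes, or All (All implies Indexes);
    a '-Indexes' token is a removal and is not flagged.
    nginx:  'autoindex on;'.
    """
    findings = []
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        m = OPTIONS_RE.match(line)
        if m:
            for tok in m.group(1).split():
                if tok.lstrip("+").lower() in ("indexes", "all"):
                    findings.append((n, line.strip()))
                    break
        elif AUTOINDEX_RE.match(line):
            findings.append((n, line.strip()))
    return findings
```

Running the audit over the weak fragment reports line 5; the hardened fragment and a nginx block with `autoindex off;` report nothing.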

Trend Micro tracks LockBit’s faltering rebound. 

After an international law enforcement operation dubbed "Operation Cronos" disrupted the LockBit ransomware gang in February, the group is struggling to regain its footing. Despite efforts to recover, including the quick establishment of new .onion domains, Trend Micro reports that LockBit's rebound is faltering. The operation, led by the U.K.'s National Crime Agency, seized domains, source code, and decryption keys, and also resulted in the arrest of two suspected members. Law enforcement's strategic use of LockBit's own leak site to publish agency press releases and decryption keys, coupled with a personalized warning to gang affiliates, has severely damaged LockBit's reputation. The gang's distinct brand, a key asset in the ransomware community, has been notably undermined, affecting their recovery efforts. Furthermore, LockBit's operator was banned from prominent hacker forums, significantly hindering the group's operations. This takedown has not only debilitated LockBit but also induced paranoia and self-reflection among other ransomware groups, potentially marking a novel approach in combating cybercriminal organizations.

India’s government cloud service leaks personal data. 

A significant cybersecurity flaw in the Indian government's cloud service, S3WaaS, led to the exposure of sensitive citizen data, including Aadhaar numbers, COVID-19 vaccination records, and passport details. Security researcher Sourajeet Majumder discovered the misconfiguration in 2022, which allowed this data to be accessible online and indexed by search engines. Despite reporting the issue to India's CERT-In and with support from the Internet Freedom Foundation, personal information continued to leak as recently as last week. Efforts by TechCrunch to highlight the unresolved exposures prompted action, resulting in the removal of the exposed data from public access. However, the full extent of the leak remains unclear, raising concerns about potential identity theft, discrimination, and the urgent need for security reforms in government data handling.

ChatGPT jailbreaks spread on popular hacker forums. 

ChatGPT jailbreaks, tools for bypassing OpenAI's content and safety policies, are increasingly prevalent on hacker forums, nearly two years after ChatGPT's release. These tactics enable cybercriminals to create phishing emails and other malicious content. Mike Britton from Abnormal Security noted a rise in detailed discussions on cybercrime forums about specific jailbreaking prompts, with some forums even dedicating sections to AI misuse. State-sponsored groups and other threat actors are using ChatGPT for various malicious activities, including social engineering and vulnerability research. Abnormal Security's analysis reveals that jailbreaking ChatGPT is primarily used for launching sophisticated social engineering attacks at scale. The company highlighted five common jailbreak prompts and suggested that organizations incorporate defenses against adversarial generative AI into their cyber strategies. Despite OpenAI's efforts to curb misuse by strengthening ChatGPT's adherence to safety guidelines, the adaptability of threat actors poses ongoing challenges in preventing malicious use of generative AI technologies.

Coming up on our Learning Layer segment, Sam Meisenberg and Joe Carrigan continue their discussion of Joe's CISSP study journey and focus on the when and how of studying for Domain 1. 

We’ll be right back

Welcome back. You can find the article Sam and Joe discussed in our show notes. 

You can no longer just walk out of an Amazon grocery store. 

Amazon is discontinuing its "Just Walk Out" technology in Amazon Fresh grocery stores, shifting towards using Amazon Dash Carts and self-checkout counters. Initially celebrated for automating the checkout process via cameras and sensors, Just Walk Out required significant human intervention, with over 1,000 employees in India reviewing footage for accurate checkouts. This system also faced challenges such as delayed receipt delivery and did not meet Amazon’s internal efficiency goals, contrary to expectations. In contrast, Dash Carts provide a more direct and reliable shopping experience. While the Just Walk Out technology will remain in a limited number of UK stores and Amazon Go convenience stores, this pivot suggests Amazon's ongoing adjustment in its strategy to solidify its footprint in the grocery market, beyond its ownership of Whole Foods and amidst competition from larger grocery retailers.

For me, while I have not personally experienced Amazon’s Just Walk Out Technology, I have used a similar system at my local Apple Store - finding what I need on a shelf, scanning it in the Apple Store App on my phone, paying in the app and then just…leaving. Maybe it’s the shape of things to come, but for this kid who grew up in the 80s it feels weird. Like I’m waiting for a giant cage to drop out of the ceiling, or a burly security guard to wrestle me to the ground. It’s like leaving a party without saying goodbye. Feels odd…

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.