Hunting vulnerabilities.
Palo Alto Networks releases hotfixes for an exploited zero-day. Delinea issues an urgent update for a critical flaw. Giant Tiger data is leaked online. A European semiconductor manufacturer deals with a data breach. Roku suffers its second breach of the year. Operators of the Hive RAT face charges. A former Amazon security engineer gets three years in prison for hacking cryptocurrency exchanges. Zambian officials arrest 77 in a scam call center crackdown. Our guest Deputy Assistant Director Cynthia Kaiser from the FBI Cyber Division describes dual ransomware. And Rob Boyce, Managing Director at Accenture, shares his thoughts on security testing of generative AI. And selling Pokémon cheats leaves one man in Japan feeling like he had a run-in with a Scaldiburn.
Today is April 15th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Palo Alto Networks releases hotfixes for an exploited zero-day.
Palo Alto Networks is addressing a zero-day vulnerability (CVE-2024-3400) exploited by suspected state-sponsored hackers, impacting its PAN-OS firewall appliances. The vulnerability, allowing remote code execution with root privileges, affects devices with GlobalProtect and telemetry features enabled. Following initial mitigations, Palo Alto began releasing hotfixes on Sunday, with 40,000 appliances potentially at risk. Volexity linked the exploitation to threat actor UTA0218, noting data exfiltration and internal network movement, including attempts to deploy a Python backdoor named Upstyle.
There's speculation on the involvement of BianLian, a ransomware group, and Lazarus, a North Korean-sponsored entity, in these attacks, following observations by VulDB. While the two groups operate differently, there have been instances where Lazarus disguised its operations as BianLian's ransomware attacks for intelligence collection. Discussions around a proof-of-concept exploit for CVE-2024-3400 surfaced on social media, though the cybersecurity community has debunked these as fake.
Delinea issues an urgent update for a critical flaw.
Delinea, known for its Secret Server privileged access management solution, has issued an urgent update for on-prem installations to address a critical flaw that could let attackers bypass authentication, gain admin rights, and steal sensitive information. This vulnerability, found in the Secret Server SOAP API, prompted Delinea to initially block SOAP endpoints for cloud customers and subsequently release a patch. Despite the severity, Delinea reports no evidence of data compromise or exploitation attempts. They've also provided guidance for on-prem users to detect potential exploitation. The vulnerability and a proof-of-concept exploit were publicly disclosed by security researcher Kevin Beaumont, following a discovery and disclosure attempt by Johnny Yu.
Giant Tiger data is leaked online.
Back in March, Giant Tiger, a Canadian retail chain, experienced a data breach exposing 2.8 million customer records, including names, email addresses, phone numbers, and physical addresses. A threat actor has now claimed responsibility for this breach, leaking the data on a hacker forum. HaveIBeenPwned has since added the leaked database to its platform, allowing individuals to check if their information was compromised. The breach was linked to a third-party vendor used by Giant Tiger for customer communication and engagement. No payment details or passwords were disclosed. Giant Tiger has informed affected customers, advising caution against potential phishing attempts. Users are encouraged to consider identity monitoring services to protect against identity theft.
A European semiconductor manufacturer deals with a data breach.
Nexperia, a prominent semiconductor manufacturer headquartered in the Netherlands, experienced a cybersecurity incident in March where unauthorized access to its IT servers was detected. The company immediately isolated the compromised systems and engaged third-party cybersecurity specialists, including FoxIT, to assess and mitigate the breach. Nexperia has informed relevant authorities and continues to investigate the incident's full scope and impact.
Roku suffers its second breach of the year.
Online streaming service provider Roku has experienced its second cybersecurity incident this year, with 576,000 user accounts affected due to credential stuffing attacks, leveraging reused passwords. This follows a previous breach impacting over 15,000 accounts. Roku states that in fewer than 400 instances attackers made unauthorized purchases, though sensitive payment information remained secure. Roku has reset passwords for the compromised accounts, refunded unauthorized transactions, and is advising customers to use unique passwords and watch for suspicious communications. To enhance security, Roku has enabled two-factor authentication (2FA) across all 80 million user accounts.
Operators of the Hive RAT face charges.
Authorities in Australia and the US have arrested two individuals linked to the Hive remote access trojan (RAT), previously known as Firebird. This malware was advertised as a tool for covertly accessing and extracting sensitive data from targeted systems. In Australia, one of the accused faces twelve computer offense charges, with a court appearance set for May 7. Meanwhile, in the US, Edmond Chakhmakhchyan, 24, from Van Nuys, was indicted for selling Hive RAT on hacker forums, assisting customers, and knowingly facilitating illegal activities, including cryptocurrency theft. Chakhmakhchyan, who pleaded not guilty, is due for trial on June 4. The RAT enables unauthorized system access, application manipulation, data theft, keystroke logging, and eavesdropping on communications.
A former Amazon security engineer gets three years in prison for hacking cryptocurrency exchanges.
Shakeeb Ahmed, a former Amazon security engineer, has been sentenced to three years in prison for hacking two cryptocurrency exchanges in July 2022, resulting in over $12 million in theft. Post-imprisonment, Ahmed faces three years of supervised release, and is ordered to forfeit $12.3 million and pay restitution. Utilizing his expertise in smart contract reverse engineering and blockchain audit, Ahmed targeted Nirvana Finance and an unnamed Solana blockchain exchange. His guilty plea to computer fraud could have led to a maximum of five years in jail. U.S. Attorney Damian Williams emphasized the commitment to prosecuting hackers regardless of the hack's sophistication. Ahmed's tactics involved manipulating smart contracts to steal and launder the funds, including using cryptocurrency mixers to convert the assets into Monero for anonymity, while also researching ways to avoid detection and extradition.
Zambian officials arrest 77 in a scam call center crackdown.
Zambian law enforcement arrested 77 individuals at Golden Top Support Services, a call center alleged to scam global internet users. The Chinese-run company, located in Lusaka, is accused of hiring Zambian youths under the guise of legitimate call center work, only to involve them in fraudulent schemes over WhatsApp, Telegram, and other chat platforms. The scams targeted victims worldwide, including in Singapore, Peru, the UAE, and across Africa. The operation, which the Drug Enforcement Commission (DEC) hailed as a major cybercrime crackdown, resulted in the seizure of vehicles, firearms, computers, and thousands of SIM cards. While 17 Zambian suspects were released, the rest, including 22 Chinese nationals and one Cameroonian, remain detained for further investigation.
Today, we have two guests for you. First, we have Deputy Assistant Director Cynthia Kaiser of the FBI Cyber Division discussing dual ransomware.
Our next guest is Rob Boyce, Managing Director at Accenture, sharing some thoughts on security testing of generative AI.
Selling Pokémon cheats leaves one man in Japan feeling like he had a run-in with a Scaldiburn.
In Japan, a 36-year-old man was arrested for selling modified Pokémon save data, a violation of the country's 2019 Unfair Competition Prevention Act. Detected by a police cyber patrol, he modified Pokémon Violet save data to alter Pokémon move sets and took custom orders for rare Pokémon online, charging up to 13,000 yen ($84) per transaction from December 2022 to March 2023. He confessed to the crimes, claiming it was a means to earn a living. He faces up to five years in prison and/or a fine of up to 5 million yen ($32,600). This incident adds to a string of crimes involving the lucrative Pokémon franchise, including a January 2022 incident that saw two Los Angeles police officers fired after they ignored a call to respond to a burglary in order to chase down a Snorlax in Pokémon Go.
This Pokémon trainer’s next quest: finding the legendary ‘Get Out of Jail Free’ card. Maybe they can make clever use of the elusive Bailbondasaur.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.
N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.