The CyberWire Daily Podcast 4.25.24
Ep 2054 | 4.25.24

The shadowy adversary in Cisco's crosshairs.


Cisco releases urgent patches for their Adaptive Security Appliances. Android powered smart TVs could expose Gmail inboxes. The FTC refunds millions to Amazon Ring customers. The DOJ charges crypto-mixers with money laundering. A critical vulnerability has been disclosed in the Flowmon network monitoring tool. A Swiss blood donation company reopens following a ransomware attack. Multiple vulnerabilities are discovered in the Brocade SANnav storage area network management application. Brokewell is a new Android banking trojan. Meta’s ad business continues to face scrutiny in the EU. Ann Johnson, host of Microsoft Security’s Afternoon Cyber Tea podcast speaks with LinkedIn's CISO Geoff Belknap. And an AI Deepfake Sparks a Community Crisis. 

Today is April 25th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Cisco releases urgent patches for their Adaptive Security Appliances. 

Cisco revealed that its Adaptive Security Appliances—hybrid devices featuring firewalls and VPNs—were compromised by state-sponsored hackers in a campaign dubbed ArcaneDoor. The attack involved exploiting two zero-day vulnerabilities to infiltrate various global government networks. Cisco's Talos security team, along with Microsoft researchers, identified the hacking group as UAT4356 or STORM-1849, suggesting high-level espionage motives without previous known activities. The hackers deployed specialized tools targeting Cisco’s devices, indicative of their sophisticated, espionage-driven agenda. Although Cisco has not officially blamed any country, sources claim the campaign aligns with China’s interests.

The intrusions, which peaked between December 2023 and January 2024, leveraged the vulnerabilities to execute and maintain malicious code within Cisco's hardware. The more severe of these, Line Dancer, allowed the execution of custom malicious commands directly on the devices, while the other, Line Runner, ensured malware persistence even after device reboots. To mitigate these threats, Cisco has released patches and additional security measures. Furthermore, a UK cybersecurity advisory noted that physically unplugging affected devices to force a hard reboot could disrupt hacker access.

This incident is part of a broader trend where edge devices, such as email servers and VPNs, are exploited as initial footholds for network breaches. This trend is emphasized in Mandiant's recent M-Trends report, which notes that state-sponsored groups, especially from China and Russia, are increasingly targeting such devices. This shift highlights a critical vulnerability in network defenses, underscoring the strategic significance of edge devices in modern cyber conflicts.

Android powered smart TVs could expose Gmail inboxes. 

An alarming security loophole in Android-powered TVs could potentially expose users' Gmail inboxes if attackers gain physical access to the device. The vulnerability was highlighted by Senator Ron Wyden's office during a review of streaming TV privacy practices. A YouTuber demonstrated that by sideloading a web browser on an Android TV, one could access the Gmail inbox of the account used to set up the TV without needing a password, exploiting the persistent login from the Android OS. Initially, Google described this as expected behavior but has since recognized it as a security flaw and is working on a fix. This vulnerability underscores the risks of using Google accounts on devices like TVs not typically associated with personal data browsing, especially in settings like businesses or when resold. Google is now updating software on Google TV devices to prevent such unauthorized access, advising users to keep their devices updated.

The FTC refunds millions to Amazon Ring customers. 

The Federal Trade Commision is distributing over $5.6 million in refunds to customers of Amazon's Ring, following a 2023 settlement over privacy breaches. The FTC's complaint highlighted that Ring failed to secure its devices against hackers and employee misuse, leading to unauthorized access to customer videos and accounts, including surveillance of private areas. At least 55,000 U.S. customers were affected. Ring also used customer videos to train AI algorithms without consent. Over 117,000 affected Ring device owners are receiving PayPal payments, which must be redeemed within 30 days. This follows a separate $25 million FTC settlement with Amazon over retaining children’s recordings on Alexa devices.

The DOJ charges crypto-mixers with money laundering. 

The U.S. Department of Justice has charged Keonne Rodriguez and William Lonergan Hill, founders of Samourai Wallet, with operating an unlicensed money transmitting business and money laundering conspiracy. Their platform, Samourai, facilitated over $2 billion in unlawful transactions and laundered more than $100 million, allegedly targeting criminal elements by anonymizing cryptocurrency transactions. Arrests were made in the U.S. and Portugal, with extradition pending for Hill. The charges highlight Samourai's role in enabling large-scale money laundering and sanctions evasion. International collaboration led to the seizure of Samourai's domain and app. Rodriguez and Hill face maximum penalties of up to 25 years in prison if convicted.

A critical vulnerability has been disclosed in the Flowmon network monitoring tool. 

A critical vulnerability has been disclosed in Progress Flowmon, a network monitoring tool used by over 1,500 companies globally, including SEGA and Volkswagen. Rated 10/10 in severity, the flaw allows unauthenticated attackers to remotely access the Flowmon web interface and execute arbitrary commands via a specially crafted API request. Researchers at Rhino Security Labs demonstrated this by injecting commands to plant a webshell and escalate privileges. Progress Software has urged customers to update their systems to the patched versions. Although exploit code is available and some servers are exposed online, there are no reports of active exploitation yet.

A Swiss blood donation company reopens following a ransomware attack. 

Octapharma, a major plasma donation company, is reopening some of its 180 global centers after a ransomware attack by the BlackSuit gang forced a shutdown for nearly a week. The Switzerland-based firm, one of the largest independent plasma companies, detected unauthorized network activity on April 17, leading to an ongoing investigation with external experts. BlackSuit, which is a rebrand of the Royal ransomware group known for attacking Dallas, claimed to have stolen business, laboratory data, and donor information. They reportedly breached Octapharma's systems through VMware, a platform recently identified by Mandiant as increasingly targeted by ransomware actors. Octapharma has advised donors to confirm the operational status of their local centers.

Multiple vulnerabilities are discovered in the Brocade SANnav storage area network management application. 

Security researcher Pierre Barre has identified 18 vulnerabilities in the Brocade SANnav storage area network management application, including critical issues that allow remote attackers root access. These flaws, with nine assigned CVE identifiers, expose Fibre Channel switches to attacks that could intercept credentials and manipulate data. Key vulnerabilities include unsecured APIs, the use of HTTP instead of HTTPS, and clear-text syslog traffic. The SANnav appliance also has default root access, publicly known root passwords, unauthenticated Postgres database access, and insecure Docker configurations. These vulnerabilities could allow full appliance takeover and data theft. Despite initial rejection, Brocade acknowledged and patched these issues in SANnav version 2.3.1, with advisories recently published by Broadcom and patches from HPE.

Brokewell is a new Android banking trojan. 

Security researchers at fraud risk company ThreatFabric have identified a new Android banking trojan called Brokewell, which captures every user action on a device, from screen touches to text inputs. Delivered via a deceptive Google Chrome update notification, Brokewell is actively developed to provide comprehensive device control and data theft. It features capabilities like overlay attacks to steal login credentials, interception of cookies, and capture of device interactions. The trojan can also remotely execute gestures, click on screen elements, and adjust device settings. Developed by a threat actor known as Baron Samedit, Brokewell leverages a custom loader to bypass security restrictions introduced in Android 13. This malware poses significant risks due to its ability to evade detection and is expected to evolve into a malware-as-a-service operation.

Meta’s ad business continues to face scrutiny in the EU. 

Meta's targeted advertising business is facing potential legal challenges in the EU following an opinion from the Court of Justice of the EU’s Advocate General, who stated that the use of personal data for ads should be time-limited under GDPR’s privacy laws. This could affect Meta’s profit from tracking and profiling users. The non-binding opinion precedes a court ruling expected in three to six months, which historically often aligns with the Advocate General’s views. The opinion also touches on issues of data retention and proportionality concerning personalized advertising. Moreover, the case involves a privacy complaint against Meta's use of data without sufficient legal basis, including for sensitive personal data, like sexual orientation, raising significant implications for Meta’s operations in the EU.

Coming up, we’ve got host of Microsoft Security’s Afternoon Cyber Tea podcast, Ann Johnson, talking with Geoff Belknap sharing insights from his role as LinkedIn's CISO.

We’ll be right back

Welcome back

AI Deepfake Sparks Community Crisis. 

In a quiet suburb of Baltimore, whispers of scandal turned into a storm of controversy as accusations against Pikesville High School’s Principal Eric Eiswert spread like wildfire. Allegedly captured on audio and shared via email, a recording of Eiswert's voice spewed racist and antisemitic remarks, causing an uproar among the community and leading to his temporary removal. The impact was immediate and devastating: hate-filled messages flooded social media, and the school community reeled under the weight of the allegations against the respected principal. 

But the story took an unexpected turn when a police investigation revealed that the voice everyone thought was Eiswert was actually an AI deepfake, and it was allegedly masterminded by the school's former athletic director, Dazhon Darien.

As the police dug deeper, they uncovered more than just technological deception. Darien was also implicated in financial misdeeds, including unauthorized payments , and he now faces several charges including disrupting school activities, theft, retaliating against a witness, and stalking. 

This saga of deception highlights not only the vulnerabilities exposed by advanced technology but also the deep wounds inflicted on a community when trust is shattered by those entrusted with its youth. It’s a stark reminder of the crucial importance of not rushing to judgment, especially in an era where sophisticated AI tools can craft startlingly convincing falsehoods. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. You can email us at—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.