The CyberWire Daily Podcast 6.17.24
Ep 2090 | 6.17.24

Scattered Spider hacker snagged in Spain.


Spanish authorities snag a top Scattered Spider hacker. HC3 issues an alert about PHP. WIRED chats with ShinyHunters about the breach affecting Snowflake customers. Meta delays LLM training over European privacy concerns. D-Link urges customers to upgrade routers against a factory-installed backdoor. A new Linux malware uses emojis for command and control. Vermont’s Governor vetoes a groundbreaking privacy bill. California fines Blackbaud millions over a 2020 data breach. Guest Patrick Joyce, Proofpoint's Global Resident CISO, shares some key challenges, expectations and priorities of chief information security officers (CISOs) worldwide. N2K’s CSO Rick Howard joins for a preview of his latest CSO Perspectives podcast episode on The Current State of XDR: A Rick-the-Toolman episode. Be sure to change those virtual locks.

Today is Monday June 17th 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Spanish authorities snag a top Scattered Spider hacker. 

Spanish authorities, with assistance from the FBI, have arrested 22-year-old Tyler Buchanan, a key figure in the Scattered Spider hacking group, notorious for attacking organizations like MGM Resorts, Twilio, and Apple. Buchanan was apprehended in Palma de Mallorca while attempting to fly to Italy. He controlled $27 million in bitcoin at the time. This marks the second major arrest of a Scattered Spider member in 2024, following Michael Noah Urban's earlier capture. Despite these successes, experts warn that the group's decentralized nature means they are likely to continue their activities, with new leaders ready to step in.

HC3 issues an alert about PHP. 

The Health Sector Cybersecurity Coordination Center (HC3) of the U.S. Department of Health & Human Services issued an alert about a critical vulnerability in PHP affecting healthcare systems. This remote code execution flaw impacts PHP versions on Windows from 5.x to 8.3.8. The vulnerability allows attackers to execute arbitrary code when PHP is configured for CGI interaction, posing significant risks to servers. Discovered on May 7, 2024, the flaw stems from an old argument injection bug. Researchers recommend updating PHP to the latest version or applying a ‘mod_rewrite’ rule for unsupported versions. Despite recent detection, exploitation attempts are already occurring. HC3 emphasizes the need for robust cybersecurity measures, training, and utilizing resources like CISA's Cyber Hygiene Vulnerability Scanning services.

WIRED chats with ShinyHunters about the breach affecting Snowflake customers. 

In a piece for WIRED, Kim Zetter describes how hackers, including the ShinyHunters group, breached Ticketmaster and other Snowflake customers by first compromising EPAM Systems, a Belarusian-founded contractor. WIRED spoke with an individual claiming to be a member of ShinyHunters through a text chat. In the breach, about 165 accounts were affected, including Ticketmaster and Santander, with stolen data involving millions of sensitive records. The vulnerability stemmed from an EPAM employee’s infected computer, allowing hackers to access credentials stored in a project management tool. Despite EPAM’s denial, evidence suggests hackers used these credentials due to the lack of multifactor authentication (MFA) on Snowflake accounts. Snowflake is now working to mandate MFA for all users.

Meta delays LLM training over European privacy concerns. 

Meta has delayed training its large language models (LLMs) using public content from Facebook and Instagram due to privacy concerns raised by the Irish Data Protection Commission (DPC). The DPC's request follows concerns over using public posts and comments. Meta expressed disappointment, calling it a setback for AI innovation in Europe but affirmed compliance with European laws. The pause affects the launch of Meta AI in Europe. Meta plans to collaborate with the DPC and the UK's Information Commissioner's Office (ICO) to address these privacy concerns. Regulators welcomed the delay, emphasizing the importance of safeguarding privacy rights in AI development.

D-Link urges customers to upgrade routers against a factory-installed backdoor.

A critical vulnerability (CVE-2024-6045) in several D-Link routers allows unauthenticated attackers to gain administrative access. With a CVSS score of 8.8, this issue stems from a factory testing backdoor. Attackers can enable Telnet and obtain admin credentials. D-Link has released firmware updates; users should promptly update to secure their devices.

A new Linux malware uses emojis for command and control. 

A newly discovered Linux malware, 'DISGOMOJI,' uses emojis to execute commands on infected devices, targeting Indian government agencies. Found by Volexity and linked to Pakistan-based UTA0137, the malware is part of a successful cyber-espionage campaign. DISGOMOJI stands out for using Discord and emojis as its command and control platform, potentially bypassing text-based security filters. It executes commands, takes screenshots, steals files, and deploys additional payloads. The malware targets a custom Linux distribution used by Indian agencies but can affect other Linux systems. It maintains persistence via cron jobs and spreads laterally, stealing data and credentials.

Vermont’s Governor vetoes a groundbreaking privacy bill. 

Vermont Governor Phil Scott vetoed a consumer privacy bill allowing individuals to sue companies for data privacy violations. The legislature may override the veto with a two-thirds vote. If passed, Vermont would join a few states with strong data privacy rights. Scott cited the private right of action as risky and burdensome for businesses. The bill also includes a Kids Code for online privacy for minors. Attorney General Charity Clark criticized the veto, highlighting the bill's extensive development process. Scott urged adopting Connecticut's privacy model, which privacy advocates find weak. Bill sponsor Monique Priestley criticized the veto and the tech industry's influence, while the Chamber of Progress, a progressive tech industry coalition, defended the veto, citing constitutional concerns.

California fines Blackbaud millions over a 2020 data breach. 

Software firm Blackbaud will pay a $6.75 million fine and improve data security and breach notification practices after a May 2020 hack, per California Attorney General Rob Bonta. The company, serving over 45,000 organizations, misled consumers about the breach's impact, initially denying access to personal data. However, Blackbaud knew by August 2020 that sensitive data, including Social Security and bank account numbers, was compromised. The complaint from California noted poor security practices, allowing the hacker prolonged access. The settlement, consistent with agreements in other states, requires Blackbaud to enhance security measures, delete unnecessary data, and improve breach response protocols. The FTC also mandated comprehensive security improvements.

Coming up, our guest is Patrick Joyce, Proofpoint's Global Resident CISO. Patrick shares some key challenges, expectations and priorities of chief information security officers (CISOs) worldwide. We’ll be right back.

That was Patrick Joyce, Global Resident CISO at Proofpoint. You can learn more from their 2024 Voice of the CISO report. There’s a link in our show notes. 

Next up, I’m joined by N2K’s CSO Rick Howard for a preview of his latest CSO Perspectives podcast episode on The Current State of XDR.

You can find links to Rick’s accompanying essay in the show notes. Also, if you are not an N2K CyberWire Pro subscriber, you can still catch the first half of the episode as a preview by checking out the link in the show notes. 

Welcome back.

Be sure to change those virtual locks. 

And finally, Nagaraju Kandula, a former QA employee at National Computer Systems (NCS) in Singapore, was sentenced to over two years in prison for deleting 180 virtual servers after being fired. In a vengeful spree, Kandula caused $678,000 in damages by using his still-active credentials. Fired for poor performance in November 2022, he accessed NCS systems multiple times, testing and ultimately executing a server-wiping script in March 2023. His actions were traced back to him via his IP address and Google search history on how to delete virtual servers. Though no sensitive data was compromised, the incident underscores the critical need for companies to promptly revoke access for terminated employees. NCS learned the hard way that neglecting this basic security step can lead to costly and disruptive consequences. So, remember, folks, always change the locks when someone leaves!

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.



We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.