The CyberWire Daily Podcast 7.8.24
Ep 2102 | 7.8.24

The age old battle between iPhone and Android.

Transcript

Microsoft is phasing out Android use for employees in China. Mastodon patches a security flaw exposing private posts. OpenAI kept a previous breach close to the vest. Nearly 10 billion passwords are leaked online. A Republican senator presses CISA for more information about a January hack. A breach of the Egyptian Health Department impacts 122,000 individuals. South Africa's National Health Laboratory Service (NHLS) suffers a ransomware attack. Eldorado is a new ransomware-as-a-service offering. CISA adds a Cisco command injection vulnerability to its Known Exploited Vulnerabilities catalog. N2K’s CSO Rick Howard catches up with AWS’ Vice President of Global Services Security Hart Rossman to discuss extending your security around genAI.  Ransomware scrambles your peace of mind. 

Today is Monday July 8th 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Microsoft is phasing out Android use for employees in China. 

Starting in September, Microsoft employees in China will be required to use iPhones for work, cutting off Android devices. An internal memo revealed that this move is part of Microsoft's Secure Future Initiative, aiming to ensure all staff use Microsoft Authenticator and Identity Pass apps. The decision stems from the fragmented Android app market in China, where Google Play is unavailable, and local platforms by Huawei and Xiaomi prevail. Consequently, Microsoft has decided to block these devices from accessing its corporate resources. Affected employees will receive an iPhone 15 as a one-time replacement. The change is driven by security concerns, following multiple state-sponsored cyberattacks, including a significant breach linked to Russia earlier this year. Microsoft's Executive Vice President, Charlie Bell, emphasized the company's commitment to prioritizing security, pledging a major overhaul to address cloud vulnerabilities and enhance credential protection.

Mastodon patches a security flaw exposing private posts. 

Mastodon, the decentralized social network, has issued an urgent call for instance operators to update their server software due to a high-risk security flaw, CVE-2024-37903. This vulnerability allows attackers to access private posts by expanding the audience to unintended users. Rated with a CVSS score of 8.2, it affects all versions from 2.6.0 onwards. The Mastodon team has released updates 4.2.10 and 4.1.18 to fix this issue and other security problems. An additional fixed bug involved inadequate permissions checks for API endpoints. Mastodon emphasized the importance of updating servers promptly, given past security issues. The team will release a detailed description of the vulnerability on July 15th, giving administrators time to update. The decentralized nature of Mastodon makes timely updates by individual instance operators crucial.

OpenAI kept a previous breach close to the vest. 

Early last year, a hacker accessed OpenAI’s internal messaging system, stealing details about their AI technologies. The breach occurred via an online forum where employees discussed the latest advancements. Although the hacker didn't access core systems, OpenAI revealed the incident internally in April 2023 but didn't inform the public or law enforcement since no customer or partner data was compromised. Some employees feared that foreign adversaries, like China, could exploit such vulnerabilities, raising concerns about OpenAI's security measures. Leopold Aschenbrenner, an ex-employee, highlighted these issues, alleging inadequate protection against foreign threats. Despite his claims, OpenAI asserted they had addressed the incident. The company claims to have since bolstered its security protocols and continues to improve its defenses against potential threats.

Nearly 10 billion passwords are leaked online. 

Last week, almost 10 billion passwords were leaked on an underground hacking forum, described as the largest password leak ever. On July 4, a user named ‘ObamaCare’ posted a file, ‘rockyou2024.txt,’ containing 9.9 billion unique passwords. Cybernews researchers confirmed these passwords stemmed from various data breaches over the past two decades. The file updates the previous record-holder, rockyou2021, which had 8.4 billion passwords.

Despite the age of some passwords, security experts warn they can still be exploited due to password reuse. Simon Lawrence from i-confidential emphasized the danger of credential-stuffing attacks, where stolen logins are tested across different networks. Organizations are urged to reassess password policies, educate employees on password-reuse risks, and implement multifactor authentication (MFA) to enhance security.
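One practical response to a dump like this is to screen new and reset passwords against the leaked set at the moment they are chosen. The following is an added example, not code from the CyberWire or from any of the researchers mentioned above: it loads a constructed five-line stand-in for a leaked list (not the real rockyou2024.txt), stores only SHA-1 digests, and checks candidates two ways, directly and through a k-anonymity range query of the kind Have I Been Pwned popularised, in which the client reveals only the first five hex characters of the hash and does the final match locally. Function and variable names are this example's own.

```python
import hashlib
import io
from typing import Dict, Iterable, List, Set

# Constructed sample of a leaked-password list, one plaintext password per
# line as such dumps usually are. This is NOT the real rockyou2024.txt.
SAMPLE_LEAK = """123456
password
qwerty
Summer2024!
letmein
"""


def sha1_hex(password: str) -> str:
    """Upper-case SHA-1 hex digest, the form range-query services use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def load_leak_hashes(lines: Iterable[str]) -> Set[str]:
    """Build an in-memory blocklist of digests from a plaintext dump.

    Keeping digests rather than plaintext means the dump itself never has
    to sit next to the authentication service. Blank lines are skipped and
    CRLF endings are tolerated because real dumps mix both.
    """
    hashes: Set[str] = set()
    for line in lines:
        pw = line.rstrip("\r\n")
        if pw:
            hashes.add(sha1_hex(pw))
    return hashes


def is_compromised(password: str, blocklist: Set[str]) -> bool:
    """Direct lookup: True if the candidate appears in the leaked set."""
    return sha1_hex(password) in blocklist


def range_query(blocklist: Set[str], prefix: str) -> List[str]:
    """Server side of a k-anonymity lookup.

    Given a 5-hex-character prefix, return the 35-character suffixes of
    every leaked digest that starts with it. The server never learns the
    full hash of the password being checked.
    """
    prefix = prefix.upper()
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return sorted(h[5:] for h in blocklist if h.startswith(prefix))


def check_via_range(password: str, blocklist: Set[str]) -> bool:
    """Client side: send only the prefix, match the suffix locally."""
    digest = sha1_hex(password)
    suffixes = range_query(blocklist, digest[:5])
    return digest[5:] in suffixes


def screen_passwords(candidates: Iterable[str], blocklist: Set[str]) -> Dict[str, bool]:
    """Map each candidate password to whether it should be rejected."""
    return {p: check_via_range(p, blocklist) for p in candidates}


if __name__ == "__main__":
    bl = load_leak_hashes(io.StringIO(SAMPLE_LEAK))
    print(screen_passwords(["Summer2024!", "correct horse battery staple"], bl))
```

In production the blocklist would be a bloom filter or sorted on-disk index over billions of digests rather than a Python set, but the two interfaces above, a direct digest lookup and a prefix range query, are the ones an auth service actually needs.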

A Republican senator presses CISA for more information about a January hack. 

Sen. Charles Grassley (R-IA) has demanded answers from CISA Director Jen Easterly about a January hack involving the agency’s Chemical Security Assessment Tool (CSAT) and another sensitive system, due to vulnerabilities in Ivanti products. This breach potentially compromised critical infrastructure information. While CISA confirmed the breach in March, it didn’t disclose the involvement of CSAT until June 24. Grassley criticized CISA for not adequately protecting its systems, raising national security concerns.

The incident led to unauthorized access to site security plans, vulnerability assessments, and user accounts. Grassley, emphasizing government transparency, requested detailed documentation by July 17 on all breached systems, impacted entities, CISA’s prior knowledge of Ivanti vulnerabilities, and steps taken to secure their systems.

Brian Harrell, former CISA assistant director, expressed concern over the breach, noting its negative impact on renewing the ‘Chemical Facility Anti-Terrorism Standards’ or CFATS regulation. The CFATS program, crucial for regulating high-risk facilities’ security, has stalled in Congress since July 2023. CISA has yet to comment publicly on Grassley's letter.

A breach of the Egyptian Health Department impacts 122,000 individuals. 

The Egyptian Health Department (EHD) has reported a data breach affecting 122,000 individuals, which occurred on December 21, 2023. Discovered the same day, the breach involved an external system hack compromising sensitive personal information, including names and identifiers. Joseph Fusz, representing the EHD, confirmed that affected individuals were notified on July 2, 2024, and authorities were informed. The breached data poses a risk of identity theft, prompting the EHD to offer 12 months of credit monitoring services through TransUnion. The EHD has set up a helpline to assist affected individuals and provide guidance on safeguarding personal information.

South Africa's National Health Laboratory Service (NHLS) suffers a ransomware attack.

South Africa's National Health Laboratory Service (NHLS) is recovering from a ransomware attack on June 22, which disrupted diagnostic systems and deleted backups, causing significant delays in lab testing across public health facilities. Although all labs are now operational, physicians cannot access test results online. NHLS assured that no patient data was compromised, and data restoration is expected within weeks. The delays have severely impacted emergency patients and intensive care units, with over 6.3 million unprocessed blood tests postponing major operations. Urgent test results are being communicated via telephone, raising concerns about operational continuity. The NHLS serves 80% of South Africa's population and operates over 265 labs. The incident underscores the nation's vulnerability to cyberattacks, following similar incidents targeting other government agencies and healthcare providers in Kenya. Representatives say the NHLS faces a prolonged recovery with an unclear timeline for full restoration.

Eldorado is a new ransomware-as-a-service offering. 

A new ransomware-as-a-service (RaaS) called Eldorado emerged in March, featuring locker variants for VMware ESXi and Windows. The group has claimed 16 victims, primarily in the U.S., targeting real estate, education, healthcare, and manufacturing sectors. Cybersecurity firm Group-IB tracked Eldorado's activities, noting its promotion on RAMP forums and recruitment of skilled affiliates. Eldorado’s data leak site was down at the time of reporting. The ransomware, written in Go, can encrypt both Windows and Linux platforms using the ChaCha20 algorithm and RSA encryption. It appends a numerical extension to encrypted files and drops ransom notes named “HOW_RETURN_YOUR_DATA.TXT”. Eldorado encrypts network shares via SMB and deletes shadow volume copies to hinder recovery. Affiliates can customize attacks, especially on Windows systems. Eldorado is a unique development, not based on previous ransomware groups, and has quickly proven its capability to cause significant damage.
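Deleting volume shadow copies before encryption, as described above, is one of the few ransomware behaviours that is both nearly universal and easy to see in process-creation telemetry. The following is an added detection example, not code from Group-IB's report or from the CyberWire; the report does not say which commands Eldorado uses, so the patterns below cover the common vssadmin and wmic invocations rather than anything Eldorado-specific, and the four log records are constructed stand-ins for Sysmon Event ID 1 or Windows 4688 process-creation events.

```python
import json
import re
from typing import Dict, List

# Constructed process-creation records, one JSON object per line, shaped
# loosely like Sysmon Event ID 1. These are not real telemetry.
SAMPLE_LOG = "\n".join([
    json.dumps({"host": "fs01", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\vssadmin.exe",
                "cmdline": "vssadmin.exe list shadows"}),
    json.dumps({"host": "fs01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\vssadmin.exe",
                "cmdline": "vssadmin  delete   shadows /all /quiet"}),
    json.dumps({"host": "ws17", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
                "cmdline": "WMIC.exe shadowcopy delete /nointeractive"}),
    json.dumps({"host": "ws17", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\cmd.exe",
                "cmdline": "cmd /c vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"}),
])

# Each pattern tolerates the whitespace padding and optional ".exe" that
# trivial evasion attempts introduce; matching is case-insensitive.
SHADOW_TAMPER_PATTERNS = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "vssadmin_resize_shadowstorage": re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "powershell_win32_shadowcopy_delete": re.compile(
        r"win32_shadowcopy.*?\.delete\(\)", re.I | re.S),
}


def classify(cmdline: str) -> List[str]:
    """Return the names of every shadow-copy tampering pattern cmdline matches."""
    return [name for name, rx in SHADOW_TAMPER_PATTERNS.items() if rx.search(cmdline)]


def find_shadow_copy_tampering(log_text: str) -> List[Dict[str, str]]:
    """Scan newline-delimited JSON process events and return the suspicious ones.

    Malformed lines are skipped rather than raising, since a detector that
    dies on one bad record is a detector that can be blinded on purpose.
    """
    hits: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue
        cmd = ev.get("cmdline", "")
        matched = classify(cmd)
        if matched:
            hits.append({"host": ev.get("host", "?"), "user": ev.get("user", "?"),
                         "cmdline": cmd, "rule": matched[0]})
    return hits


if __name__ == "__main__":
    for hit in find_shadow_copy_tampering(SAMPLE_LOG):
        print(f"[{hit['rule']}] {hit['host']} {hit['user']}: {hit['cmdline']}")
```

The benign `vssadmin list shadows` record in the sample is there on purpose: it comes from the backup service account and must not fire. In a real deployment the next step is to correlate a hit with the parent process and with a burst of file renames to a single new extension on the same host, which together are far more specific than either signal alone.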

CISA adds a Cisco command injection vulnerability to its Known Exploited Vulnerabilities catalog. 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Cisco NX-OS Command Injection Vulnerability, CVE-2024-20399, to its Known Exploited Vulnerabilities catalog. This zero-day vulnerability, exploited by the China-linked group Velvet Ant, allows authenticated, local attackers with administrator credentials to execute arbitrary commands as root on affected devices. Cisco addressed the flaw, which affects several Nexus series switches, and recommended using the Cisco Software Checker to identify vulnerable devices. Federal agencies must fix this vulnerability by July 23, 2024.


Coming up, we’ve got N2K’s Rick Howard talking with AWS’ VP of Global Services Security Hart Rossman about extending your security around genAI from the AWS Re:Inforce 2024 event.

We’ll be right back.

Welcome back. You can find the link to Hart’s presentation from Re:Inforce 2024 in our show notes. 

Ransomware scrambles your peace of mind. 

And finally, a new report out of the UK reveals the often overlooked mental toll ransomware attacks take on victims. Beyond data theft and financial loss, these cyberattacks significantly impact the psychological and physiological well-being of individuals, as highlighted by the Royal United Services Institute (RUSI). Dr. Jason Nurse, a cybersecurity expert at the University of Kent, emphasized that ransomware not only disrupts services but also deeply affects staff who suddenly cannot return to their families.

The report, “Your Data is Stolen and Encrypted: The Ransomware Victim Experience,” published on July 2, 2024, provides unique insights into victims' psychological experiences during ransomware incidents. It outlines how certain factors can worsen or alleviate their distress and suggests policy measures to reduce harm.

Daniel Card, an incident response specialist, stressed the importance of basic self-care during a response, noting that well-being is crucial for effective incident handling. The report recommends that line managers be sensitive to the psychological and physical harm caused by ransomware attacks.

Public policy must prioritize mitigating the psychological impact of such attacks. The report calls for more funding for mental health services tailored to ransomware victims and suggests that cyber-insurance policies cover mental health counseling.

Despite awareness efforts, many organizations still prioritize cybersecurity inadequately. Daniel Card noted the scale of the challenge, emphasizing the need for organizations to strengthen their security measures continuously. This report is part of a 12-month research project by RUSI and the University of Kent, funded by the UK’s NCSC and the Research Institute for Sociotechnical Cyber Security.

In the heat of the moment it’s easy to lose sight of the human element of a ransomware attack.  Let's remember to extend kindness and understanding to those affected, fostering a culture of compassion and resilience.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


And that’s the CyberWire.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.