The CyberWire Daily Podcast 8.12.24
Ep 2127 | 8.12.24

Confidential or compromised?

Transcript

The Trump campaign claims its email systems were breached by Iranian hackers. A Nashville man is arrested as part of an alleged North Korean IT worker hiring scam. At Defcon, researchers reveal significant vulnerabilities in Google’s Quick Share. Ransomware attacks hit an Australian gold mining company as well as multiple U.S. local governments. GPS spoofing is a matter of time. Cisco readies another round of layoffs. Nearly 2.7 billion records of personal information for people in the United States have been shared on a hacking forum. Our own Rick Howard speaks with Mark Ryland, Director of Amazon Security, about formal verification. A hacker hacks the hackers. 

Today is Monday August 12th 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

The Trump campaign claims its email systems were breached by Iranian hackers.

Concerns about foreign interference in the U.S. presidential election resurfaced after the Trump campaign claimed its email systems were breached by Iranian hackers. The breach was reportedly tied to the release of a confidential internal document about vice-presidential candidate JD Vance. News outlets received the document from an anonymous sender named “Robert,” raising alarms about potential foreign meddling.

The Trump campaign linked the incident to a recent Microsoft report that identified Iranian hacking attempts targeting a high-ranking official in a U.S. presidential campaign. While Microsoft didn’t explicitly name the campaign, sources indicated it was likely Trump’s. Despite these claims, no official evidence has confirmed the breach or Iranian involvement.

Democratic Representatives Eric Swalwell and Adam Schiff have called for the declassification of any information related to foreign interference. They stressed the importance of a swift response to prevent a repeat of the 2016 election’s Russian interference. Meanwhile, Trump took to his platform, Truth Social, to accuse Iran of hacking one of his campaign websites, although he admitted that only publicly available information was accessed.

Security experts remain concerned about the broader implications, fearing additional leaks and the potential for disinformation campaigns similar to those seen in 2016. The situation underscores the ongoing challenges in securing U.S. elections against foreign influence as the country approaches another contentious election cycle.

A Nashville man is arrested as part of an alleged North Korean IT worker hiring scam. 

Federal authorities arrested Matthew Isaac Knoot, a Nashville man, for allegedly facilitating a scheme that deceived U.S. companies into hiring North Korean IT workers using stolen identities. These workers, posing as U.S. citizens, funneled income to fund North Korea’s weapons program. Prosecutors revealed that Knoot hosted laptops at his residences, allowing the North Koreans to access U.S. company networks remotely, making it appear they were working domestically. Knoot profited from this scheme by charging fees for hosting the laptops and a cut of the salaries. The operation generated over $250,000 between July 2022 and August 2023. The arrest follows a broader federal crackdown on similar schemes, including a recent case in Arizona. Knoot now faces multiple charges, including wire fraud and identity theft, which could lead to a 20-year prison sentence if convicted.

At DEF CON, researchers reveal significant vulnerabilities in Google’s Quick Share.

At DEF CON 32, researchers Or Yair and Shmuel Cohen from SafeBreach revealed significant vulnerabilities in Google’s Quick Share, a peer-to-peer file transfer utility for Android, Windows, and Chrome OS. Quick Share uses various protocols like Bluetooth and Wi-Fi Direct, but these were not originally designed for file transfers. The researchers identified ten vulnerabilities, including a critical Remote Code Execution (RCE) flaw on Windows systems, dubbed QuickShell. This RCE exploit combines five of the vulnerabilities, allowing attackers to bypass security controls and take full control of target devices. The flaws also enable attackers to force file downloads and hijack Wi-Fi connections. Google has acknowledged the seriousness of these issues, assigning CVEs to two of the vulnerabilities.

Ransomware attacks hit an Australian gold mining company as well as multiple U.S. local governments. 

Evolution Mining, an Australian gold mining company, disclosed a ransomware attack on its IT systems discovered on August 8. The company, operating in Australia and Canada, reported the incident to the Australian Stock Exchange, stating that it has been “contained” with the help of external cyber forensics experts. No details were provided about the ransomware group involved or any potential extortion payment. Evolution Mining assured that the attack won’t materially impact operations and that it has been reported to the Australian Cyber Security Centre (ACSC).

This week, multiple U.S. local governments faced ransomware attacks, including Killeen, Texas, and Sumter County, Florida, as senior U.S. cyber officials grappled with the growing threat. Killeen, with nearly 160,000 residents, was targeted by the BlackSuit ransomware gang, disrupting utility payments and other services. In response, the city worked with state authorities to contain the breach and restore systems, urging residents to monitor their financial accounts. Meanwhile, Sumter County’s Sheriff’s Office also experienced a ransomware attack, impacting access to certain records. These incidents are part of a broader surge in ransomware attacks affecting governments and healthcare institutions.

At the DEF CON cybersecurity conference, senior officials, including Anne Neuberger from the White House, discussed the challenges of combating ransomware. They highlighted the difficulty in addressing the issue, particularly due to the lack of international cooperation, especially with Russia. Efforts to improve responses include promoting better backup practices, offering free cybersecurity programs, and enhancing international collaboration.

GPS spoofing is a matter of time. 

Cybersecurity researchers have uncovered a disturbing trend in GPS spoofing attacks, which have recently surged by 400%, particularly around conflict zones. Traditionally, GPS spoofing misleads aircraft about their location, but a new dimension has emerged: the ability to hack time. Ken Munro, founder of Pen Test Partners, explained during a DEF CON presentation that GPS isn’t just about positioning; it’s also a critical source of time for aircraft systems. Munro described a recent incident where a major airline’s onboard clocks were manipulated, suddenly advancing by years, which caused the plane to lose access to its encrypted communication systems. This forced the aircraft to be grounded for weeks while engineers manually reset its systems. Although these attacks aren’t likely to cause crashes, they create confusion that could lead to more serious problems. 
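The incident Munro describes is a time source the host cannot authenticate stepping a system clock by years, which pushes certificates out of their validity window and takes the encrypted link down. The following Python is an added illustration, not code from the podcast or from Pen Test Partners: it checks each GPS-derived time fix against what the local free-running oscillator predicts, refuses steps outside an assumed tolerance, and shows the certificate window check that an unchecked jump would fail. The tolerance, clock states and fix sequence are all constructed for the example.

```python
"""Plausibility check for clock updates taken from an untrusted time source.

Added example (not from the podcast or Pen Test Partners). A GPS receiver
is a time source the host cannot authenticate, so a spoofed fix can step
the wall clock by years. Each candidate fix is compared with the time the
local monotonic clock predicts; steps outside a small tolerance are
rejected and the system keeps free-running. All values are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed tolerance: how far a fix may disagree with the local prediction
# before it is treated as implausible (real deployments would tune this).
MAX_DISAGREEMENT = timedelta(seconds=2)


@dataclass
class ClockState:
    """Last accepted wall-clock time and the monotonic reading taken with it."""
    accepted_utc: datetime
    monotonic_s: float


def predicted_utc(state: ClockState, now_monotonic_s: float) -> datetime:
    """Wall-clock time the local oscillator predicts, ignoring GPS entirely."""
    return state.accepted_utc + timedelta(seconds=now_monotonic_s - state.monotonic_s)


def validate_fix(state, candidate_utc, now_monotonic_s, tolerance=MAX_DISAGREEMENT):
    """Return (accepted, delta); delta is candidate minus the local prediction.

    A genuine fix drifts from the local clock by fractions of a second; a
    fix that jumps by days or years is rejected, and the caller keeps
    running on the local oscillator instead of adopting the spoofed time.
    """
    delta = candidate_utc - predicted_utc(state, now_monotonic_s)
    if abs(delta) > tolerance:
        return False, delta
    return True, delta


def apply_fixes(initial, fixes, tolerance=MAX_DISAGREEMENT):
    """Feed (monotonic_s, candidate_utc) fixes through the check in order.

    Returns the final accepted state and the list of rejected deltas.
    """
    state = initial
    rejected = []
    for mono, cand in fixes:
        ok, delta = validate_fix(state, cand, mono, tolerance)
        if ok:
            state = ClockState(cand, mono)
        else:
            rejected.append(delta)
    return state, rejected


def cert_usable_at(not_before, not_after, now):
    """True if a certificate's validity window contains `now`."""
    return not_before <= now <= not_after


def demo():
    """Constructed run: one normal fix, one spoofed multi-year jump, one normal fix."""
    t0 = datetime(2024, 8, 12, 12, 0, 0, tzinfo=timezone.utc)
    initial = ClockState(t0, 1000.0)
    fixes = [
        (1060.0, t0 + timedelta(seconds=60, milliseconds=300)),    # plausible
        (1120.0, t0 + timedelta(days=3 * 365 + 120)),              # spoofed jump
        (1180.0, t0 + timedelta(seconds=180, milliseconds=-200)),  # plausible
    ]
    state, rejected = apply_fixes(initial, fixes)
    # Constructed certificate window for the aircraft's comms link.
    not_before = datetime(2024, 1, 1, tzinfo=timezone.utc)
    not_after = datetime(2025, 12, 31, tzinfo=timezone.utc)
    spoofed_time = fixes[1][1]
    return {
        "rejected": len(rejected),
        "final_utc": state.accepted_utc,
        "cert_ok_local": cert_usable_at(not_before, not_after, state.accepted_utc),
        "cert_ok_spoofed": cert_usable_at(not_before, not_after, spoofed_time),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the monotonic clock is the reference, not the GPS receiver: the receiver can only nudge the wall clock by small amounts, so a fix that would leap years ahead is logged and ignored rather than applied, and the certificates stay inside their validity window.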

Cisco readies another round of layoffs. 

Reuters reports that Cisco is set to announce a second round of layoffs this year, potentially affecting over 4,000 employees, as it shifts focus to higher-growth areas like cybersecurity and AI. This follows similar cuts in February, as the company grapples with sluggish demand and supply-chain issues in its core networking equipment business. Cisco recently completed a $28 billion acquisition of cybersecurity firm Splunk and has been investing heavily in AI. The layoffs are part of a broader trend in the tech industry, with over 126,000 layoffs reported this year.

Nearly 2.7 billion records of personal information for people in the United States have been shared on a hacking forum.

A massive data breach has exposed nearly 2.7 billion records of personal information for people in the United States on a hacking forum. The leaked data, allegedly sourced from National Public Data, includes names, social security numbers, physical addresses, and possible aliases. National Public Data, known for compiling user profiles for background checks, reportedly scraped this information from public sources. The breach, initially linked to a threat actor named USDoD, was ultimately leaked by another hacker, “Fenice,” on August 6th. The unencrypted data consists of two text files totaling 277GB. While it contains legitimate information for many individuals, some details may be outdated or inaccurate. The breach has sparked multiple class action lawsuits against National Public Data. Affected individuals are advised to monitor their credit reports for fraudulent activity and be cautious of phishing attempts.

 

Coming up on our guest segment, N2K’s CSO Rick Howard speaks with Mark Ryland, Director of Amazon Security at AWS, about formal verification, which uses logical proofs to establish the correctness of systems. Rick and Mark caught up at AWS re:Inforce 2024.

We’ll be right back.

Welcome back. You can find out more about AWS re:Inforce in our show notes. 

Next we’ve got our CSO Perspectives preview with N2K’s Rick Howard asking “What does materiality mean exactly?”

As always, thanks Rick. You can find links to both the CSO Perspectives episodes, for N2K Pro subscribers and also a preview episode for those who are not yet subscribers, in our show notes.   

 

A hacker hacks the hackers. 

And finally, security researcher Vangelis Stykas, CTO of Atropos.ai, managed to outsmart ransomware gangs, saving six companies from major financial losses. Stykas discovered glaring vulnerabilities in the hackers’ own systems—thanks to simple coding blunders. His sleuthing allowed him to infiltrate these criminal networks, providing two companies with decryption keys without paying a dime and alerting four cryptocurrency firms before their files could be encrypted.

Among the hacker mishaps, one ransomware group, Everest, left a default password on their SQL databases. Another group, BlackCat, exposed sensitive APIs, inadvertently revealing their IP addresses. Stykas even accessed the Mallox group’s admin chat, grabbing two decryption keys and unmasking several members.

Despite his heroic efforts, the companies involved haven’t gone public with the incidents. While Stykas admits that hacking the hackers isn’t a universal solution, it’s certainly a satisfying one for those with the right resources.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

 

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

 

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.