The CyberWire Daily Podcast 8.29.24
Ep 2140 | 8.29.24

Crime, compliance, and controversy.

Transcript

French authorities outline the allegations against Telegram’s CEO. Google finds familiar spyware in Mongolian government websites. The Mirai botnet leverages obsolete security cameras. Iran’s Peach Sandstorm targets the space industry. A federal appeals court says platforms may be liable for algorithmically recommended content. Scam cycles are getting shorter. McDonald’s officials are grimacing after hackers take over their Instagram account. Our guests today are Dave DeWalt, Founder and CEO of NightDragon, and Nicole Bucala, CEO and GM at DataBee, sharing their joint initiative which aims to propel future cybersecurity innovations. A would-be extortionist fails to cover his tracks.

Today is Thursday August 29th 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

French authorities outline the allegations against Telegram’s CEO. 

Telegram CEO Pavel Durov is under formal investigation in France for alleged involvement in organized crime through the messaging platform. A French judge imposed bail conditions, including a €5 million payment, twice-weekly police check-ins, and a travel ban from France. Durov faces accusations related to complicity in illegal activities on Telegram, such as child abuse, drug trafficking, and money laundering. His arrest has sparked debates about the balance between free speech and law enforcement. The investigation, which began in February, highlights tensions between Telegram’s operations and government compliance. France’s move has strained diplomatic relations with Russia, where Durov also holds citizenship. While Telegram asserts compliance with EU laws, French authorities criticize the platform’s lack of cooperation in criminal investigations. This case underscores the broader issue of how governments deal with encrypted platforms used for both lawful and illicit activities.

Google finds familiar spyware in Mongolian government websites. 

Researchers at Google have revealed that Russian government hackers, specifically the APT29 group linked to Russia’s Foreign Intelligence Service (SVR), have used exploits resembling those developed by spyware firms Intellexa and NSO Group. These exploits were found embedded in Mongolian government websites, potentially compromising visitors’ iPhones and Android devices through a “watering hole” attack. The exploits targeted vulnerabilities in Safari on iPhones and Chrome on Android, even though those vulnerabilities had been patched. The attack aimed to steal user account cookies, potentially granting hackers access to government accounts. Google is unsure how the Russian hackers obtained the exploits but speculates they may have purchased or stolen them. Google advises users to keep software updated to prevent such attacks.

The Mirai botnet leverages obsolete security cameras. 

Cybersecurity researchers at Akamai have identified a zero-day vulnerability, CVE-2024-7029, in CCTV cameras manufactured by Taiwan-based AVTECH, which is being exploited by hackers to expand a botnet based on the notorious Mirai malware. The flaw, found in the camera’s “brightness” setting, allows remote control of the devices, enabling the spread of a Mirai variant called Corona. Despite the cameras being old and discontinued, they remain in widespread use, including in critical infrastructure. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory warning about the vulnerability, highlighting its ease of exploitation and the lack of response from AVTECH. Akamai notes that this incident reflects a growing trend of attackers exploiting older, unpatched vulnerabilities to deploy malware. The vulnerability has been publicly known since 2019 but only received a formal CVE designation this month.

Iran’s Peach Sandstorm targets the space industry. 

The Iranian hacking group APT 33, also known as Peach Sandstorm, has intensified its focus on space-related infrastructure, alongside other critical sectors, according to new findings from Microsoft. Active for over a decade, Peach Sandstorm is notorious for its aggressive cyber espionage, particularly through “password spraying” attacks. Recently, the group has developed a sophisticated multistage backdoor named “Tickler,” which allows them to remotely access and control victim networks. Since April 2024, Peach Sandstorm has targeted space, satellite, and defense sectors, using Tickler to infiltrate these high-stakes environments. Microsoft reports that the group also manipulated victims’ Azure cloud infrastructure, gaining further control. Additionally, the hackers have been using fake LinkedIn profiles to conduct intelligence gathering in the space and satellite industries. These actions underline a significant and evolving threat to global space infrastructure, with Peach Sandstorm demonstrating a persistent interest in disrupting and exploiting this critical sector.

A federal appeals court says platforms may be liable for algorithmically recommended content.

In a significant legal development, a U.S. appeals court has opened the door for TikTok to face potential liability over the tragic death of 10-year-old Nylah Anderson. The young girl died after attempting the “blackout challenge,” a dangerous trend that TikTok’s algorithm had placed on her For You Page. Initially, a lower court had ruled that TikTok was protected under Section 230 of the Communications Decency Act, which typically shields social media platforms from being held accountable for content posted by users. However, the Third Circuit Court of Appeals in Pennsylvania disagreed, arguing that by curating content through its algorithms, TikTok may have played an active role in the harm caused.

Judge Paul Matey, in his opinion, emphasized that Section 230 wasn’t meant to create a “lawless no-man’s land” for platforms. Instead, he argued, platforms should be accountable when their algorithms actively push harmful content. This ruling challenges the broad immunity social media companies have relied on and could have far-reaching implications across the industry. The case will now return to the District Court, where TikTok will face renewed scrutiny over its role in Anderson’s death.

Scam cycles are getting shorter. 

Cybercriminals have increasingly shifted to shorter, more targeted online scams, significantly reducing the duration of their operations over the past four years, according to a Chainalysis report. Scammers are rapidly refreshing their infrastructure, with 43% of scam revenues tracked in 2024 linked to newly active wallets. This trend reflects a move from large, prolonged schemes to quicker, smaller campaigns, often leveraging tactics like “pig butchering.” This approach reduces the risk of detection and allows criminals to launder stolen funds more effectively.

Cisco patches multiple vulnerabilities. 

Cisco has released patches for multiple vulnerabilities in its NX-OS software, with the most critical being CVE-2024-20446, a high-severity flaw in the DHCPv6 relay agent that could allow remote attackers to cause a denial-of-service (DoS) condition. The flaw affects Nexus 3000, 7000, and 9000 series switches in standalone NX-OS mode with specific configurations. Other patched issues include medium-severity command injection and sandbox escape vulnerabilities, potentially allowing unauthorized code execution or privilege escalation. Cisco reports no known exploitation of these vulnerabilities in the wild.

McDonald’s officials are grimacing after hackers take over their Instagram account. 

Faster than you can say, “Would you like fries with that?” hackers took over McDonald’s official Instagram account, promoting a fake cryptocurrency called “GRIMACE” and allegedly stealing $700,000 from investors. They used the account’s 5.1 million followers and tweets from McDonald’s social media head, Guillaume Huin, to lend credibility to the scam, promising investors a follow from the official account. The fake coin’s market value surged to $25 million within 30 minutes before crashing when the hackers withdrew the funds and vanished. Huin later confirmed his Twitter account had been compromised. McDonald’s apologized for the incident, stating they are working with authorities to investigate the breach and remove offensive content. The swift deletion of the fraudulent posts likely limited the number of victims.

I had a conversation with NightDragon Founder and CEO Dave DeWalt and CEO and General Manager at Comcast DataBee Nicole Bucala. Next up, they join me to share their joint initiative to propel future cybersecurity innovations. We’ll be right back.

Welcome back. You can find out more about the NightDragon and DataBee initiative in the show notes. 

A would-be extortionist fails to cover his tracks. 

In a classic case of “crime doesn’t pay,” a Missouri man, Daniel Rhyne, 57, found himself on the wrong side of the law after attempting to extort his former employer. Rhyne, a “core infrastructure engineer” who clearly took his job too literally, allegedly wreaked havoc on his ex-employer’s systems, locking out administrators, deleting accounts, and shutting down servers—all in a bid to score a €700,000 ($750,000) Bitcoin ransom.

But here’s where the plot thickens—like a poorly scripted movie, Rhyne left a trail leading right back to his virtual doorstep. Investigators traced the cyber sabotage to a remote desktop session linked to his own laptop. Now, instead of counting his ransom money, Rhyne is facing some hefty charges, including extortion, intentional damage to a protected computer, and wire fraud. With the possibility of decades behind bars and up to $750,000 in fines, it’s safe to say this caper didn’t quite go as planned.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.