The CyberWire Daily Podcast 9.3.24
Ep 2142 | 9.3.24

Brazil nixes Twitter’s successor.

Transcript

Brazil blocks access to X/Twitter. Transport for London has been hit with a cyberattack. Threat actors have poisoned GlobalProtect VPN software to deliver WikiLoader. “Voldemort” is a significant international cyber-espionage campaign. Researchers uncover an SQL injection flaw with implications for airport security. Three men plead guilty to running an MFA bypass service. The FTC has filed a complaint against security camera firm Verkada. CBIZ Benefits & Insurance Services disclosed a data breach affecting nearly 36,000. The cybersecurity implications of a second Trump term. On our Industry Insights segment, guest Caroline Wong, Chief Strategy Officer at Cobalt, discusses application security and artificial intelligence. A Washington startup claims to revolutionize political lobbying with AI.

Today is Tuesday September 3rd 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Brazil blocks access to X/Twitter. 

Brazil has blocked access to social platform X/Twitter after the company repeatedly failed to comply with court orders aimed at curbing disinformation campaigns. The government demands that X appoint a legal representative in Brazil and pay a fine of 18 million reals (about $3.2 million) before lifting the ban. Brazil’s Supreme Court unanimously upheld the suspension, emphasizing that freedom of expression comes with responsibilities. The court ordered internet service providers to block access to X within five days and warned that using VPNs to bypass the ban could result in fines and legal consequences. The crackdown is part of a broader investigation into disinformation efforts linked to supporters of former President Jair Bolsonaro. X, led by Elon Musk, has resisted complying with the orders, drawing criticism from Brazilian officials who argue that all businesses must adhere to the country’s laws, regardless of their global stature.

Transport for London has been hit with a cyberattack. 

Transport for London (TfL), the agency overseeing London’s transport network, has been hit by a cyberattack, affecting its back-office systems. While TfL stated there’s no evidence of customer data being compromised or service disruptions, staff have been advised to work from home. Immediate actions have been taken to secure systems. The National Cyber Security Centre is collaborating with TfL and law enforcement to assess the impact. 

Threat actors have poisoned GlobalProtect VPN software to deliver WikiLoader. 

Hackers have been targeting VPNs like GlobalProtect to inject malware and steal sensitive data, compromising private networks without detection. Cybersecurity researchers at Palo Alto Networks discovered that threat actors have poisoned GlobalProtect VPN software to deliver WikiLoader, a sophisticated malware loader. Active since late 2022, WikiLoader primarily spreads via phishing but recently shifted to SEO poisoning, leading users to fake installer pages. The malware uses complex evasion techniques, including DLL sideloading and shellcode decryption, making detection difficult. WikiLoader’s operators utilize compromised WordPress sites and MQTT brokers for command and control. The malware creates persistence through scheduled tasks and hides in over 400 files within a malicious archive. Despite the malware’s complexity, it was detected by Cortex XDR through behavioral indicators. Mitigations include enhanced SEO poisoning detection, robust endpoint protection, and application whitelisting.

“Voldemort” is a significant international cyber-espionage campaign. 

Security researchers at Proofpoint have uncovered a significant international cyber-espionage campaign affecting over 70 organizations across 18 sectors. Insurance companies are among the most targeted, along with aerospace, transportation, and universities. Beginning on August 5, 2024, the campaign has sent at least 20,000 phishing emails, masquerading as local tax authorities in various languages. Victims are tricked into clicking malicious links, leading to the installation of the “Voldemort” backdoor via DLL sideloading with a legitimate Cisco WebEx executable. Voldemort, a custom backdoor, gathers information and can deploy additional payloads, with Cobalt Strike likely among them. Uniquely, this malware uses Google Sheets for command-and-control, data exfiltration, and command execution. Proofpoint has not attributed the campaign to any specific group, noting its mix of sophisticated and basic techniques, suggesting a complex and unusual threat actor.

Researchers uncover an SQL injection flaw with implications for airport security. 

Security researchers Ian Carroll and Sam Curry uncovered a significant vulnerability in FlyCASS, a third-party service managing the Known Crewmember (KCM) and Cockpit Access Security System (CASS) programs, which are used to bypass security screenings for airline employees. The vulnerability, an SQL injection flaw, allowed unauthorized individuals to log in as administrators, manipulate employee data, and potentially bypass airport security. The researchers successfully exploited this flaw to create a fictitious account with full access privileges. After discovering the issue, they notified the Department of Homeland Security (DHS), leading to the system being disconnected and the vulnerability fixed. However, the Transportation Security Administration (TSA) downplayed the vulnerability’s impact and quietly removed conflicting information from their website. Additionally, FlyCASS suffered a ransomware attack in February 2024, raising additional security concerns about the system’s integrity.
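The flaw class behind the FlyCASS story, shown as an added illustration that is not the FlyCASS code or the researchers' material: a login check that splices user input into the SQL text beside the same check written with bound parameters. The schema, account and inputs are constructed for the demo (real systems also store hashed passwords, which is omitted here).

```python
import sqlite3


def make_db():
    # Constructed sample data, not any real system's schema: one admin account.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 'correct-horse', 'admin')")
    return con


def login_vulnerable(con, username, password):
    # String concatenation: whatever the user types becomes part of the SQL
    # statement, so a quote in the input changes the query's logic.
    query = ("SELECT role FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    row = con.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(con, username, password):
    # Placeholders: the driver passes the input as data values, never as SQL,
    # so the same input is simply a username that does not exist.
    row = con.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    # Classic tautology input: the vulnerable query collapses to a condition
    # that is always true and hands back the first (admin) row.
    tautology = "' OR 1=1 --"
    return {
        "vulnerable": login_vulnerable(make_db(), tautology, "x"),
        "parameterized": login_parameterized(make_db(), tautology, "x"),
        "real_admin": login_parameterized(make_db(), "admin", "correct-horse"),
    }


if __name__ == "__main__":
    print(demo())
```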

Three men plead guilty to running an MFA bypass service. 

Three men have pleaded guilty in the UK to running a website, www.OTP.Agency, that enabled criminals to bypass banking anti-fraud measures, leading to significant financial losses. The site charged criminals subscription fees to access services that bypassed multi-factor authentication on major banking platforms. An elite package allowed access to Visa and Mastercard verification sites, facilitating extensive fraud. The National Crime Agency (NCA) shut down the site in 2021 after uncovering the scheme, which may have earned up to £7.9 million. Sentencing is set for November 2024.

The FTC has filed a complaint against security camera firm Verkada. 

The FTC has filed a complaint against security camera firm Verkada for inadequate security practices, which allowed a hacker to access customers’ cameras, including in sensitive locations like psychiatric hospitals. According to the complaint, Verkada failed to implement proper data protection and encryption, leading to breaches, including a 2021 incident where up to 150,000 cameras were compromised. Verkada has agreed to a $2.95 million settlement with the FTC, which includes implementing better security measures and addressing email marketing violations under the CAN-SPAM Act.

CBIZ Benefits & Insurance Services disclosed a data breach affecting nearly 36,000. 

CBIZ Benefits & Insurance Services (CBIZ) disclosed a data breach affecting nearly 36,000 individuals after a hacker exploited a vulnerability in one of its web pages. The breach occurred between June 2 and June 21, 2024, compromising client information, including names, contact details, Social Security numbers, and health data. CBIZ, a major U.S. professional services firm, discovered the breach on June 24 and has since notified impacted clients. Although there’s no evidence of misuse, CBIZ offers two-year credit monitoring and identity theft protection to mitigate risks.

The cybersecurity implications of a second Trump term. 

In a featured article for CyberScoop, senior reporter Tim Starks looks at the cybersecurity possibilities that could come with a presidential win for former President Trump. Despite previous turmoil during Donald Trump’s presidency, a number of cybersecurity officials are reportedly prepared to rejoin or newly enlist if he wins a second term. Trump has begun assembling his transition team, with potential cyber officials including former Trump administration members like Pedro Allende, Nick Andersen, and Karen Evans. Although specifics are uncertain, some former officials believe that a second Trump administration would bring a more disciplined approach, with potential changes to key agencies like CISA. Project 2025, a policy blueprint for Trump’s second term, suggests scaling back CISA’s role, moving it to the Transportation Department, and focusing more on political appointees. Despite this, cybersecurity remains a priority for both Trump and his potential administration, with an emphasis on reducing regulations and addressing threats from China, AI, and quantum computing. The exact future of agencies like CISA under Trump remains uncertain, with possible changes but likely continuity in core functions.


Coming up next on our Industry Insights segment, I speak with Cobalt’s Chief Strategy Officer Caroline Wong about application security and artificial intelligence. We’ll be right back.

Welcome back. You can find out more about what Caroline discussed in Cobalt’s The State of Pentesting Report 2024. There’s a link in our show notes. 

A Washington startup claims to revolutionize political lobbying with AI.

And finally, our unbridled AI enthusiasm desk pointed us to an exposé from Politico. In it, they describe LobbyMatic, a Washington startup claiming to revolutionize political lobbying with AI. Politico reveals the firm is actually run by Jacob Wohl and Jack Burkman, infamous far-right conspiracy theorists and convicted felons. The duo, operating under the aliases “Jay Klein” and “Bill Sanders,” have used the AI buzzword to lure big-name clients like Toyota, all while hiding their true identities. Former employees discovered the truth after noticing suspicious behavior, including fake personas and questionable business practices. The company touts AI as a game-changer, but it seems more like a smokescreen for a dubious operation, with Wohl and Burkman using it to exploit public enthusiasm for AI and potentially mislead clients. Their history of spreading misinformation and staging fake events raises concerns that LobbyMatic could be yet another vehicle for deceit, using AI as a cover. One former employee summed it up: “If I knew who they were, I wouldn’t have touched it with a 10-foot pole.”

Who knows. Maybe in this case, AI really stands for artificial identities. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.