The CyberWire Daily Podcast 9.13.24
Ep 2150 | 9.13.24

Mini-breach, mega-hype.

Transcript

Fortinet reveals a data breach. The feds sanction a Cambodian senator for forced labor scams. UK police arrest a teen linked to the Transport for London cyberattack. New Linux malware targets Oracle WebLogic. Citrix patches critical Workspace app flaws. Microsoft unveils updates to prevent outages like the CrowdStrike incident. U.S. Space Systems invests in secure communications. Illegal gun-conversion sites get taken down. Tim Starks of CyberScoop tracks Russian hackers mimicking spyware vendors. Cybersecurity hiring gaps persist. Hackers use eye-tracking to steal passwords.

Today is Friday, September 13th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Fortinet discloses a data breach.

Yesterday, Fortinet disclosed a security breach involving unauthorized access to a third-party cloud-based file drive. A small number of files, affecting less than 0.3% of Fortinet’s customers, were accessed. Impacted customers, primarily in the Asia-Pacific (APAC) region, were promptly notified. Fortinet confirmed that the breach did not affect its operations, products, or services. Shortly after the incident, a threat actor on a hacker forum claimed to have stolen 440 GB of data from Fortinet’s Azure SharePoint, offering it via an S3 bucket. However, the validity of these claims was questioned, with some users reporting issues accessing the data. While Fortinet worked with affected customers and implemented strong security measures, the connection between the breach and the threat actor’s claims remains unverified, suggesting a potential case of opportunistic deception common on Dark Web forums.

The feds sanction a Cambodian senator for an alleged forced labor scam operation. 

The U.S. Department of the Treasury’s Office of Foreign Assets Control sanctioned Cambodian entrepreneur and senator Ly Yong Phat for human rights abuses tied to forced labor in online scam centers. Ly’s conglomerate, L.Y.P. Group, owns O Smach Resort, allegedly a forced labor camp where workers promote cryptocurrency and foreign exchange scams. Victims are lured with false job offers, then have their phones and passports confiscated, and are forced to work under duress. Some victims reported abuse, including beatings and electric shocks, with two jumping to their deaths. Cambodian authorities have rescued victims of various nationalities from the resort. The sanctions freeze Ly’s U.S. assets and prohibit U.S. persons from doing business with him. Similar forced labor scam operations have also been found in the Philippines and Myanmar. 

The UK arrests a 17-year-old in connection with the Transport for London cyberattack. 

A 17-year-old was arrested by the U.K.’s National Crime Agency (NCA) in connection with a cyberattack on Transport for London (TfL) on September 1. The teenager was detained on suspicion of Computer Misuse Act offenses and later released on bail. TfL initially reported no customer data was compromised, but later revealed that threat actors accessed customer information, including names, contact details, and bank account numbers from Oyster card refunds. 

A new Linux malware targets Oracle WebLogic controllers.

Aqua Security’s Nautilus research team has identified a new Linux malware, Hadooken, targeting Oracle WebLogic servers. The malware gains initial access by exploiting weak passwords, then downloads a shell or Python script to ensure its successful deployment. Once executed, Hadooken collects SSH data to move laterally within the organization, spreading further. It drops a cryptominer and Tsunami malware, although Tsunami’s use remains uncertain. The malware maintains persistence by creating multiple cronjobs. Hadooken was traced to two IP addresses, one linked to the TeamTNT and Gang 8220 groups, also distributing Mallox ransomware to Windows systems. Static analysis suggests connections to Rhombus and NoEscape ransomware families. Aqua discovered over 230,000 internet-connected WebLogic servers, with a few hundred potentially vulnerable to exploits due to misconfigurations.

Citrix provides updates for critical vulnerabilities in the Citrix Workspace app for Windows. 

Citrix has released security updates to address two critical vulnerabilities, CVE-2024-7889 and CVE-2024-7890, in the Citrix Workspace app for Windows. These flaws allow local attackers to escalate privileges to SYSTEM on affected machines. Citrix urges users to update to patched versions and follow best practices to enhance security. CISA also recommends prompt action.

Microsoft announces updates to help prevent IT outages like the CrowdStrike event. 

Microsoft has announced new security capabilities aimed at preventing IT outages like the CrowdStrike incident in July, where a faulty Falcon Sensor update disrupted critical sectors by preventing Windows systems from booting. The incident highlighted the risks of security software accessing the system kernel, which is central to a computer’s operations. Microsoft plans to enhance security outside of kernel mode, focusing on anti-tampering, performance needs, and security sensor requirements. Collaboration with ecosystem partners will ensure a balance between reliability and security. These developments were discussed during a Microsoft-hosted security summit on September 10, where industry leaders and government officials agreed on the need for more Windows security options and shared best practices. Microsoft’s goal is to improve resilience in critical infrastructure while maintaining high security standards.

U.S. Space Systems Command announces investments in more secure communications. 

In a major boost to U.S. military communications, the U.S. Space Systems Command has awarded a $188 million contract to expand the cutting-edge meshONE-Terrestrial network, enhancing secure data transport and warfighting capabilities across more than 85 locations. Here’s Alice Caruth from N2K’s T-Minus daily space podcast with the details. 

Be sure to check out the T-Minus daily space podcast wherever you get your favorite podcasts. 

Illegal gun-conversion websites get shut down. 

The U.S. Attorney’s Office in Massachusetts has seized over 350 domains allegedly used by Chinese entities to sell devices converting semi-automatic pistols into fully automatic weapons, along with illegal silencers, to U.S. residents. These conversion devices, known as “switches,” are banned under the National Firearms Act (NFA). Authorities began targeting these operations in August 2022, using undercover purchases via apps like WhatsApp and Telegram. The items were falsely labeled as toys or jewelry when shipped. Investigations led to the seizure of over 700 conversion devices, 87 illegal silencers, and various firearms. The seized websites now display notifications of government action. The DOJ also called for the 3D printing industry to curb the production of such devices.

A look at the hiring gaps in cyber security. 

In an article for Security Boulevard, Chris Lindsey highlights the challenges new entrants face in the application security field despite the high demand for cybersecurity talent. One major hurdle is the persistent requirement for a college degree, even as skills-based hiring is promoted. Lindsey points out that job postings often list unrealistic qualifications, like CISSP certification for entry-level roles, which requires five years of experience. Additionally, companies struggle to define clear application security roles, delaying the hiring process. Overqualified candidates sometimes take entry-level jobs, limiting opportunities for newcomers. Tight budgets also mean little time or resources for training, leading to burnout among existing staff. Automated hiring systems and even fake job postings add further frustration for applicants. Lindsey suggests a shift toward skills-based hiring and offering training to passionate senior developers, alongside encouraging candidates to focus on their soft skills and communicate their strengths confidently.
Next, we welcome back Tim Starks, senior reporter from CyberScoop, talking about “Google: apparent Russian hackers play copycat to commercial spyware vendors.” We’ll be right back.

Welcome back. You can read the article Tim refers to in our show notes. 

Hackers track your gaze to peek at your passwords. 

And finally, it turns out, your eyes aren’t just windows to your soul—they could be windows to your passwords, too. A group of computer scientists discovered a new attack, dubbed GAZEploit, that targets Apple’s Vision Pro headset. By tracking eye movements while people type on the device’s virtual keyboard, the researchers could guess passwords, PINs, and messages with impressive accuracy—92% for messages, 77% for passwords. The attack works by analyzing the eye-tracking data of a user’s virtual avatar, often used in video calls. Apple fixed the vulnerability in a July update after being notified in April. This research highlights the risks of biometric data leaks, especially as wearable tech becomes more common. So, next time you’re typing, just remember: someone might be watching—and eyeing your secrets. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.