One small step for scammers.
The US charges a Chinese national for spear-phishing government employees. The feds impose new sanctions on the makers of Predator spyware. Dealing with fake data breaches. Researchers discover a critical vulnerability in Google Cloud Platform. D-Link has patched critical vulnerabilities in three popular wireless router models. Snowflake ups their authentication game. A US mining company confirms a cyberattack. Researchers identify critical threats targeting construction industry accounting software. Tim Starks from CyberScoop joins us with his reporting on the US Postal Service’s ability to meet the challenges of the upcoming election. Cisco’s second round of layoffs hit hard.
Today is Tuesday, September 17th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
The US charges a Chinese national for spear-phishing government employees.
The US announced charges against Chinese national Song Wu for spear-phishing government employees to obtain restricted aerospace software. Wu, still at large, allegedly posed as US researchers and engineers to target NASA, Air Force, Navy, and private aerospace companies. He sought access to specialized software, including source code from NASA, for aerospace engineering. Wu, an employee of China’s state-owned Aviation Industry Corporation, conducted the phishing campaign between 2017 and 2021 and faces wire fraud and identity theft charges.
Additionally, the Department of Justice unsealed a 2021 indictment against Jia Wei, a Chinese national working for the People’s Liberation Army, for hacking a US communications company. Charges were also announced against Russian national Denis Postovoy for exporting drone components to Russia and other individuals for smuggling UAV parts to Iran.
The feds impose new sanctions on the makers of Predator spyware.
The US government has imposed new sanctions on spyware manufacturer Intellexa Consortium and five individuals for their role in developing and distributing the Predator malware. The sanctions, announced by the Treasury’s Office of Foreign Assets Control (OFAC), target the group’s executives and the British Virgin Islands-based Aliada Group. Predator spyware, similar to NSO Group’s Pegasus, is used by repressive regimes to eavesdrop on journalists, dissidents, and politicians through zero-click exploits. The US views these activities as a threat to national security and has frozen any US-based assets of the sanctioned individuals and entities. This move follows previous sanctions in March against other members of the consortium. The government aims to curb the spread of disruptive technologies while promoting responsible development aligned with international standards.
Dealing with fake data breaches.
Fake data breaches are becoming a growing threat, causing significant panic and damage even when no actual breach occurs. A story from Security Boulevard explores how cybercriminals exploit fear by claiming to have stolen sensitive information, demanding ransoms from companies, and creating chaos. Recent examples include false breach claims against Sony, Epic Games, and Europcar, all of which triggered public outrage and damaged their reputations despite being debunked.
To mitigate the impact of these fake breaches, organizations need to verify breach claims before taking public action. Advanced security measures, such as real-time email monitoring and predictive AI, can help detect actual threats and distinguish them from hoaxes. Employee training on recognizing phishing attempts and a clear communication strategy for suspected breaches are also essential. As cybercriminals evolve, particularly with the use of AI-generated fake data, organizations must stay vigilant and continually update their security protocols to protect against both real and fake breaches.
Researchers discover a critical vulnerability in Google Cloud Platform.
Security researchers from Tenable discovered a critical vulnerability in Google Cloud Platform (GCP) that could have allowed attackers to execute malicious code on millions of servers. Dubbed “CloudImposer,” the flaw was found in GCP’s Cloud Composer service and stemmed from a risky package installation process vulnerable to dependency confusion attacks. Exploiting the flaw, attackers could upload malicious packages, potentially compromising GCP services like App Engine and Cloud Functions. Google has since patched the vulnerability, implemented safeguards, and updated best practices for secure package management.
D-Link has patched critical vulnerabilities in three popular wireless router models.
D-Link has patched critical vulnerabilities in three popular wireless router models that could allow remote attackers to execute arbitrary code or access devices via hardcoded credentials. The vulnerabilities, three of which are rated critical, include stack-based buffer overflows (CVE-2024-45694, CVE-2024-45695) and improper input validation in the telnet service (CVE-2024-45696, CVE-2024-45697, CVE-2024-45698). D-Link advises users to update their firmware. The vulnerabilities were reported by Taiwan’s CERT, but the standard 90-day disclosure period wasn’t followed, prompting public disclosure before patches were ready. Though no active exploits have been reported, D-Link routers are frequently targeted by botnets, making these updates essential for security.
Snowflake ups their authentication game.
Snowflake, a cloud-based data warehousing platform, has introduced default multifactor authentication (MFA) and a 14-character password minimum to enhance security following a series of June cyberattacks. High-profile customers like Santander Bank and Neiman Marcus were targeted, with attackers stealing data from Snowflake customer tenants and demanding ransoms. The breaches involved credential stuffing attacks, attributed to the UNC5537 threat group. Snowflake’s new security measures, effective from October 2024, aim to eliminate password-only sign-ins and align with CISA’s Secure By Design Pledge.
A US mining company confirms a cyberattack.
Stillwater Mining Company, the only U.S. platinum and palladium producer, confirmed a cyberattack this summer that exposed sensitive information of 7,258 employees. Hackers accessed names, contact details, Social Security numbers, financial information, and medical records. The breach, discovered on July 8, wasn’t confirmed until August 19. The RansomHub hacking group took credit for the attack and leaked the data. RansomHub, responsible for over 210 attacks since February, has targeted organizations like Rite Aid and Planned Parenthood. Stillwater Mining is cooperating with law enforcement and cybersecurity experts. Meanwhile, the company recently laid off 700 workers, blaming Russian palladium dumping for driving down prices. U.S. Senator Jon Tester criticized the layoffs, calling it unacceptable that Russia is flooding U.S. markets with cheaper palladium, which remains unbanned despite other sanctions on Russian imports.
Researchers identify critical threats targeting construction industry accounting software.
On September 14, researchers at Huntress identified a critical threat targeting FOUNDATION Accounting Software, widely used in the construction industry. Attackers were exploiting default credentials to brute-force access to the software’s Microsoft SQL Server (MSSQL) instance, often exposed via port 4243 for mobile app use. Once inside, attackers used high-privilege accounts to enable and leverage the xp_cmdshell feature, allowing them to execute OS-level commands. Huntress observed over 35,000 brute-force login attempts across several affected companies, leading to successful breaches. To mitigate this, Huntress recommends rotating credentials, disabling xp_cmdshell, and avoiding public exposure of the FOUNDATION application.
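The audit and hardening steps Huntress recommends, written out as an added T-SQL example for the MSSQL instance behind FOUNDATION; this is not code from Huntress or from the transcript, and the `sa` login name and the password placeholder are assumptions.

```sql
-- Added example, not from the Huntress report or the CyberWire transcript.
-- Audits the two conditions the story describes on the FOUNDATION MSSQL
-- instance (xp_cmdshell enabled, high-privilege logins with weak or default
-- credentials) and applies the recommended fixes.

-- 1. Is xp_cmdshell currently enabled? value_in_use = 1 means yes.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 2. Disable it. 'show advanced options' must be on before xp_cmdshell
--    can be changed with sp_configure.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;

-- 3. Which logins hold sysadmin? Any of these can re-enable xp_cmdshell,
--    so they are the accounts whose credentials must be rotated.
SELECT sp.name, sp.type_desc, sp.is_disabled
FROM sys.server_principals AS sp
JOIN sys.server_role_members AS rm ON rm.member_principal_id = sp.principal_id
JOIN sys.server_principals AS r  ON r.principal_id = rm.role_principal_id
WHERE r.name = 'sysadmin';

-- 4. SQL logins that bypass the Windows password policy are the ones most
--    likely to still carry a vendor default.
SELECT name, is_policy_checked, is_disabled
FROM sys.sql_logins
WHERE is_policy_checked = 0;

-- 5. Rotate a high-privilege login and enforce the password policy going
--    forward. Login name and password are placeholders (assumed).
ALTER LOGIN [sa] WITH PASSWORD = '<new-strong-password-placeholder>',
    CHECK_POLICY = ON;

-- 6. Pull failed-login entries from the current SQL Server error log to
--    look for the brute-force volume Huntress observed.
EXEC xp_readerrorlog 0, 1, N'Login failed';
```

Run the SELECT statements first on a read-only basis; the EXEC and ALTER statements change server state and require sysadmin rights.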
Next up, I’m joined by Tim Starks from CyberScoop discussing "Election officials say U.S. Postal Service woes place election mail at risk."
We’ll be right back.
Welcome back.
Cisco’s second round of layoffs hit hard.
As the news broke about Cisco’s second round of layoffs in 2024, thousands of employees found themselves grappling with uncertainty and disappointment. For many, Cisco wasn’t just a job; it was a community. The networking giant had become a place where people invested their energy, ideas, and passion. It’s hard to imagine how it feels when that chapter closes unexpectedly, especially without clear communication from leadership.
The impact of these layoffs stretches far beyond the numbers. Behind every statistic is a person with responsibilities, dreams, and ambitions. It’s not just the loss of a paycheck—it’s the loss of daily routines, camaraderie with coworkers, and a sense of purpose. In times like these, it’s easy to feel forgotten, especially when headlines focus on profits and executive compensation rather than the real lives affected.
Yet, through this painful transition, it’s important to remember: your worth is not tied to your job. Every skill you’ve honed, every challenge you’ve overcome, and every connection you’ve made is part of who you are. Even if today feels like a setback, it’s just one chapter in a much bigger story—one that still has room for growth, success, and new beginnings.
While the road ahead may seem uncertain, remember that you are not alone. There’s a community of support out there, and your experience, talent, and resilience are valuable. Don’t let this moment define you. Instead, let it remind you of your strength, your adaptability, and the incredible things you’re capable of.
To everyone impacted by the layoffs, stay hopeful. This is not the end of your journey but the start of something new. You have so much to offer, and brighter days are ahead. Trust in yourself—you’ll find the path that’s right for you.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.