The CyberWire Daily Podcast 10.1.24
Ep 2162 | 10.1.24

Breaking news blocked.

Transcript

A global news agency suffers a cyberattack. CISA and the FBI provide guidance on cross-site scripting attacks. A Texas health system diverts patients following a ransomware attack. Western Digital patches a critical vulnerability in network-attached storage devices. California passes a law protecting domestic abuse survivors from being tracked. Verizon and PlayStation each suffer outages. CISA responds to critiques from the OIG. T-Mobile settles with the FCC over multiple data breaches. The DOJ indicts a Minnesota man on charges of selling counterfeit software license keys. On our Industry Voices segment kicking off Cybersecurity Awareness Month, we are joined by Chad Raduege, Executive Director of the Oklahoma Cyber Innovation Institute at The University of Tulsa, discussing the Institute’s K-12 outreach initiatives. A Crypto Criminal Stretches His Limits—And His Legs.

Today is Tuesday, October 1st, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

A global news agency suffers a cyberattack. 

Agence France-Presse (AFP) experienced a cyberattack on September 27, disrupting its content distribution infrastructure, but its core news reporting remains unaffected. The attack targeted AFP’s IT systems, specifically content delivery networks and file transfer services used to deliver news to clients. While the type of attack and the responsible party are still unknown, AFP quickly responded, with the French cybersecurity agency ANSSI assisting in securing the systems. AFP warned clients that their FTP credentials might have been compromised, advising them to update passwords and secure their systems. Despite these technical issues, AFP assured that its newsroom continues to operate without interruptions, delivering news globally in multiple languages. No group has claimed responsibility for the attack so far.

CISA and the FBI provide guidance on cross-site scripting attacks.

Cross-site scripting (XSS) vulnerabilities remain a persistent issue in software development despite being preventable. CISA and the FBI have issued a Secure by Design alert to address these risks. XSS attacks occur when malicious scripts are injected into trusted web pages due to improper handling of user inputs. This can lead to data theft, session hijacking, or unauthorized actions in the user’s browser. These vulnerabilities often arise from inadequate input validation, sanitization, or escaping of user inputs. Despite effective mitigations, XSS vulnerabilities continue to be widespread, ranking second in MITRE’s top software weaknesses list. CISA and the FBI urge developers to adopt best practices, such as input validation, using modern web frameworks with built-in security, conducting thorough code reviews, and adversarial testing to prevent these vulnerabilities during the development process.

A Texas health system diverts patients following a ransomware attack. 

UMC Health System in Texas has been diverting patients after a ransomware attack forced them to take their IT systems offline. The incident, disclosed on September 27, led to both emergency and non-emergency patients being diverted to nearby hospitals. UMC launched an investigation and disconnected its systems to contain the breach. By Monday, some services were restored, and only a few patients were still being diverted. UMC’s Emergency Center is now accepting ambulance patients, while other facilities remain open but are not fully operational. The hospital has engaged third-party experts to aid in the recovery process. Downtime procedures have been implemented, and patients are being informed of changes to appointments. UMC continues its efforts to restore services safely and provide updates on the investigation and remediation efforts.

Western Digital patches a critical vulnerability in network-attached storage devices.

A critical vulnerability, CVE-2024-22170, has been identified in Western Digital’s My Cloud devices, affecting models like My Cloud EX2 Ultra and PR4100. This flaw, with a CVSS score of 9.2, allows attackers to exploit an unchecked buffer in the Dynamic DNS client through a Man-in-the-Middle attack, leading to arbitrary code execution. Western Digital has addressed the issue in a firmware update and urges users to update immediately. The vulnerability poses risks of unauthorized access, data corruption, and system crashes. Western Digital thanks researchers at Claroty for responsibly disclosing the issue. 

California passes a law protecting domestic abuse survivors from being tracked. 

California has passed a new law requiring car manufacturers to let drivers disable remote access to their vehicles, aimed at protecting domestic abuse survivors from being tracked by abusers. Signed by Governor Gavin Newsom, the bill is part of a broader package of domestic violence protections. It addresses the growing concerns around connected cars’ ability to track users. Automakers must now allow vehicle owners to block specific individuals from accessing their cars remotely, and they cannot charge a fee for this service. Additionally, the law mandates in-vehicle alerts when remote access is being used. The legislation could influence nationwide changes, as manufacturers tend to create cars for multiple markets. The Federal Communications Commission (FCC) is also investigating how it can regulate automakers to ensure connected cars aren’t used to harass survivors, following pressure from advocacy groups.

Verizon and PlayStation each suffer outages. 

On Monday morning, thousands of Verizon users across major U.S. cities, including New York, Los Angeles, and Chicago, experienced widespread cellphone service outages. Over 104,000 reports were logged on Downdetector by 11:30 a.m. Eastern, with the number later dropping to 78,000. Many users reported their phones showing “SOS” mode, preventing calls and messages. Verizon confirmed the issue, with engineers working to resolve it, though the cause was unclear. Simultaneously, the PlayStation Network (PSN) faced a global outage, affecting services like gaming, account management, and the PlayStation Store. Sony is working to fix the issue, which began at 8:41 PM ET, with some services still down, potentially due to overloaded servers. Both outages disrupted users’ daily activities and work.

CISA responds to critiques from the OIG. 

The Office of Inspector General (OIG) has highlighted challenges facing the Cybersecurity and Infrastructure Security Agency (CISA) in sharing cyber threat information, as mandated by the Cybersecurity Act of 2015. While CISA met some basic requirements, including updating its guidance and improving security clearances, participation in the Automated Indicator Sharing (AIS) system has declined significantly. The number of AIS participants dropped from 304 in 2020 to 135 in 2022, with a 93% reduction in shared cyber threat indicators. The OIG identified a lack of outreach and unclear financial tracking as key issues. CISA has committed to evaluating AIS, exploring alternatives, and improving recruitment and retention of participants, with a target completion date of July 2025. The OIG also recommended CISA develop a spending plan and implement performance metrics, which the agency agreed to address.

T-Mobile settles with the FCC over multiple data breaches. 

The Federal Communications Commission (FCC) reached a $31.5 million settlement with T-Mobile over multiple data breaches that compromised millions of U.S. consumers’ personal information between 2021 and 2023. As part of the agreement, T-Mobile will invest $15.75 million in cybersecurity improvements and pay a $15.75 million civil penalty. The settlement requires T-Mobile to adopt modern cybersecurity practices, such as zero-trust architecture and multi-factor authentication, and improve oversight and data management. The FCC’s Privacy and Data Protection Task Force played a key role in the investigation.

The DOJ indicts a Minnesota man on charges of selling counterfeit software license keys. 

Benjamin Paley, 75, co-owner of Minnesota IT company GEN8 Services, has been indicted for participating in an international conspiracy to sell counterfeit software license keys for Brocade networking devices. Paley, along with co-conspirators Wade Huber and David Rosenblatt, allegedly ran a scheme from 2014 to 2022, selling at least 3,637 forged Brocade switch licenses. These counterfeit keys were sold at prices far below market rates, costing Brocade between $5 million and $363 million in losses. Paley faces charges of conspiracy to commit access device fraud and access device fraud, with potential penalties of up to 15 years in prison for each count and fines up to $250,000. His co-conspirators have pleaded guilty, and sentencing is set for later this month.

Coming up next on our Industry Voices segment, we kick off Cybersecurity Awareness Month with Chad Raduege. Chad is the Executive Director of the Oklahoma Cyber Innovation Institute at The University of Tulsa. We talk about the Institute’s K-12 outreach initiatives. We’ll be right back.

Welcome back. You can find links to the Oklahoma Cyber Innovation Institute and Cybersecurity Awareness Month in our show notes. 

A Crypto Criminal Stretches His Limits—And His Legs. 

And finally, Krebs on Security chronicles an absolutely bonkers mix of cybercrime and corruption straight out of a pulp novel. A California man, Adam Iza (aka “The Godfather”), is accused of not only dodging taxes on millions allegedly earned from cybercrime but also paying off local cops to help intimidate rivals. Iza, co-owner of the cryptocurrency platform Zort, reportedly spent investors’ money on luxury cars, jewelry, and even leg-lengthening surgery. I swear I am not making this up.

According to the FBI, Iza hired Los Angeles Sheriff’s Department officers to help him extort former business partners, some of whom were tied to the notorious hacker group UGNazi. One incident involved trying to steal a laptop full of cryptocurrency, while another involved kidnapping attempts. Iza allegedly paid these officers $280k a month for their “services,” like forcing rivals to hand over assets.

Iza’s scheme came to light after he stiffed a private investigator, triggering a cascade of lawsuits and criminal investigations. His girlfriend, also allegedly involved, is now dating the star of reality TV show Love Island. This tale has everything—crypto, hackers, corrupt cops, and reality show romance! 

With corrupt deputies, stolen millions, and custom legs, this saga truly stretches the limits of what we thought possible in cybercrime.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

 

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. 

 

A program note - we are taking a break from publishing this Wednesday and Thursday for some internal company meetings. We will be back on our regular schedule starting this Friday.