The CyberWire Daily Podcast 10.10.24
Ep 2167 | 10.10.24

Hacked, attacked, and sued.

Transcript

The Internet Archive gets breached and DDoSed. Dutch police arrest the alleged proprietors of an illicit online market. Fidelity Investments confirms a data breach. Marriott settles for $52 million over a multi-year data breach. Critical updates from Mozilla, Fortinet, Palo Alto Networks, VMware, and Apple. Mongolian Skimmer targets Magento installations. On our Industry Voices segment, we speak with Ben April, Chief Technology Officer at Maltego Technologies GmbH, about "Overcoming information overload: Challenges in social media investigations." Bankruptcy pulls back the curtain on a data brokerage firm.

Today is Thursday, October 10th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

The Internet Archive gets breached and DDoSed. 

In a rather chaotic turn of events, the Internet Archive confirmed a major data breach on Wednesday, hours after a suspicious JavaScript pop-up claimed the same. Security researcher Troy Hunt, who runs Have I Been Pwned (HIBP), verified that the breach exposed 31 million email addresses, usernames, and bcrypt password hashes, dating back to September. The breach comes on top of a wave of distributed denial-of-service (DDoS) attacks that have intermittently taken the site offline.

Despite multiple requests, the Internet Archive remained silent until founder Brewster Kahle acknowledged the breach and DDoS attacks on X, stating they had disabled the compromised JavaScript library and were upgrading security. Hunt, who received the stolen data on September 30 and warned the Archive on October 6, was sympathetic, given the Archive’s current predicament. The organization is not only battling ongoing cyberattacks but also facing multiple legal challenges, including a looming $621 million copyright lawsuit.

Though Hunt wished for earlier disclosure, he urged understanding, reminding everyone that the Internet Archive, a nonprofit, is “doing great work” despite the relentless challenges.

Dutch police arrest the alleged proprietors of an illicit online market. 

The alleged administrators of the Bohemia and Cannabia dark web marketplaces have been arrested following an investigation by Dutch police. These marketplaces, which dealt in illicit goods like cannabis and DDoS tools, reportedly conducted around 67,000 transactions monthly, with a record turnover of €12 million in September 2023. The operators allegedly made €5 million before shutting down the sites and attempting an “exit scam” to flee with the funds. Despite their efforts, law enforcement agencies from the Netherlands, Ireland, the UK, and the USA continued the investigation, leading to two arrests—one in the Netherlands and another in Ireland. Dutch authorities emphasized that this operation demonstrates that the dark web is far less anonymous than many users believe, thanks to international cooperation.

Fidelity Investments confirms a data breach. 

Fidelity Investments, one of the world’s largest asset managers, confirmed that personal information of 77,000 customers was compromised in an August data breach. The breach occurred between August 17 and 19, when a third party accessed data using two recently established customer accounts. Fidelity detected the activity on August 19 and terminated the unauthorized access. While no Fidelity accounts or funds were accessed, it remains unclear how the breach affected thousands of customers. Fidelity has not disclosed the types of data compromised.

Marriott settles for $52 million over a multi-year data breach. 

Marriott has agreed to a $52 million settlement with 50 U.S. states over a multi-year data breach that affected over 131 million American customers. The breach, which occurred between 2014 and 2018, exposed 339 million global guest records, including personal details, unencrypted passport numbers, and payment information. Marriott acquired Starwood in 2016, during the period of the breach, and attackers accessed the Starwood guest database undetected for four years. The settlement resolves allegations that Marriott violated consumer protection and data security laws. Marriott has agreed to enhance its cybersecurity practices, including implementing a comprehensive information security program. The U.K. also fined Marriott £18.4 million ($24 million) in 2020. Marriott emphasized it admitted no liability but is committed to improving its data security practices worldwide.

Critical updates from Mozilla, Fortinet, Palo Alto Networks, VMware, and Apple.

Mozilla has issued a critical security patch for Firefox, addressing a code execution vulnerability, CVE-2024-9680, in the browser’s Animation timelines. This use-after-free flaw is actively being exploited, prompting advisories from national cybersecurity centers in Canada, Italy, and the Netherlands. The vulnerability, discovered by ESET’s Damien Schaeffer, has been rated 9.8 (critical) by the National Vulnerability Database, with high impacts on confidentiality, integrity, and availability. 

CISA has revealed active exploitation of a critical remote code execution (RCE) vulnerability in FortiOS (CVE-2024-23113). This flaw allows unauthenticated attackers to execute commands or arbitrary code on unpatched devices via the fgfmd daemon, which manages authentication requests and keep-alive messages on FortiGate and FortiManager. Fortinet patched the flaw in February, advising administrators to restrict fgfmd access and implement local-in policies to reduce the attack surface.

Palo Alto Networks has issued an urgent warning about critical vulnerabilities in its Expedition solution, which could allow attackers to hijack PAN-OS firewalls. The most severe flaw, CVE-2024-9463, has a CVSS score of 9.9 and allows unauthenticated attackers to run OS commands, potentially exposing usernames, passwords, and API keys. Other vulnerabilities include command injection, SQL injection, and cross-site scripting issues. Although no evidence of exploitation exists, public exploit code is available. Palo Alto urges users to update to the latest Expedition version and rotate credentials immediately.

VMware issued a critical advisory (VMSA-2024-0020) addressing multiple vulnerabilities in its NSX and Cloud Foundation products. These include a command injection vulnerability (CVE-2024-38817) allowing attackers to execute arbitrary commands as root, a local privilege escalation vulnerability (CVE-2024-38818) that lets authenticated users gain higher permissions, and a content spoofing vulnerability (CVE-2024-38815) enabling attackers to redirect victims to malicious domains. The flaws are rated as moderate risks, and VMware urges users to update to the latest fixed versions, as no workarounds are available.

A critical vulnerability affecting iTunes for Windows has been discovered, allowing unauthorized users to gain elevated access and potentially compromise system security. The issue stems from improper permission settings in a key directory, enabling attackers to exploit this flaw for administrative access. Apple released a fix on September 12, 2024, and users are urged to update immediately. Organizations with unmanaged Windows systems are particularly vulnerable and should act quickly to patch their systems.

Mongolian Skimmer targets Magento installations. 

Researchers at Jscrambler recently uncovered a skimming campaign using obfuscated JavaScript. Initially, the use of unusual accented Unicode characters in the code led some to speculate that this was a new obfuscation technique. However, the researchers quickly identified it as a common tactic to disguise skimming malware. The team reverse-engineered the code, revealing a typical skimmer that monitors form inputs like payment fields, exfiltrates data, and uses anti-debugging techniques. The skimmer, dubbed “Mongolian Skimmer” due to a unique Unicode character, was found targeting vulnerable Magento installations. In one case, researchers even discovered two skimming groups communicating via code comments, agreeing to share profits. Despite its obfuscation, the skimmer’s tactics were relatively standard and easy to reverse. 
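As an added defensive illustration (not code from the podcast or from Jscrambler's research), the check below triages a script for the trick described above: identifiers made of accented Unicode letters combined with the DOM names any form-hooking code must use in the clear. The function names and the two sample scripts are constructed for this example.

```javascript
// Added example, not from the podcast or Jscrambler's write-up: a heuristic
// static triage for scripts that disguise form-hooking code behind accented
// Unicode identifiers. Both sample scripts below are constructed.

const COMMENTS_AND_STRINGS =
  /\/\*[\s\S]*?\*\/|\/\/[^\n]*|"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*'|`(?:\\.|[^`\\])*`/g;
// JavaScript identifiers may contain any Unicode letter plus combining marks,
// which is exactly why accented names are legal and easy to overlook.
const IDENTIFIER = /[\p{L}$_][\p{L}\p{M}\p{N}$_]*/gu;
// DOM names that ordinary validation code and skimmers alike must spell out
// (unless reached via string keys such as document["querySelector"], which
// this heuristic deliberately does not try to resolve).
const FORM_API = new Set([
  "addEventListener", "querySelectorAll", "querySelector", "value", "input", "forms",
]);

function stripCommentsAndStrings(src) {
  // Remove literals first so text inside strings is not mistaken for code.
  return src.replace(COMMENTS_AND_STRINGS, " ");
}

function triageScript(src) {
  const ids = stripCommentsAndStrings(src).match(IDENTIFIER) || [];
  const nonAscii = [...new Set(ids.filter((id) => /[^\x00-\x7F]/.test(id)))];
  const formApiHits = ids.filter((id) => FORM_API.has(id)).length;
  return {
    nonAscii,                          // distinct non-ASCII identifiers seen
    formApiHits,                       // how often form/DOM names appear
    touchesForms: formApiHits > 0,
    // Accented identifiers alone are legitimate (localized code, for one);
    // it is the combination with form hooks that warrants a closer look.
    suspicious: nonAscii.length > 0 && formApiHits > 0,
  };
}

// Constructed sample: ordinary client-side validation, plain ASCII names.
const BENIGN_SCRIPT = `
  // validate the e-mail field as the user types
  const field = document.querySelector("#email");
  field.addEventListener("input", (e) => { e.target.setCustomValidity(e.target.value.includes("@") ? "" : "bad"); });
`;

// Constructed sample: the same DOM calls behind accented identifiers.
const SUSPECT_SCRIPT = `
  const ñòdès = document.querySelectorAll("input");
  const ríyàgí = {};
  ñòdès.forEach((n) => n.addEventListener("change", (e) => { ríyàgí[e.target.name] = e.target.value; }));
`;
```

Run `triageScript` over each script tag collected from a checkout page; a hit is a prompt to pull the script for manual review, not a verdict on its own.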


Next up on our Industry Voices segment, I speak with Maltego’s Chief Technology Officer Ben April about "Overcoming information overload: Challenges in social media investigations." We’ll be right back.

Welcome back. Thanks to Ben and Maltego for joining us on Industry Voices. 

Bankruptcy pulls back the curtain on a data brokerage firm. 

National Public Data (NPD), a Florida-based data brokerage, has filed for bankruptcy after a massive data leak exposed personal information of potentially millions. The fun started in June when the hacking group USDoD posted 277.1 GB of data from NPD, offering it for $3.5 million. Initially, NPD downplayed the breach, claiming “only” 1.3 million people were affected. But in bankruptcy filings, NPD conceded the true number could be “hundreds of millions.” The breach exposed sensitive details like social security numbers, prompting lawsuits and regulatory investigations. To make matters worse, NPD’s financial situation looks as shabby as their data security—listing assets like two HP Pavilion desktops worth $200 each, a ThinkPad laptop at $100, and five Dell servers. With more than a dozen class-action lawsuits looming and regulators closing in, the business admits it can’t cover liabilities. Adding a final twist, the company also owns some eyebrow-raising domain names like asseeninporn.com. Unsurprisingly, privacy experts warn that this fiasco highlights the urgent need for stronger data protection laws, as the data brokerage industry remains the “wild west” of personal information. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.