FBI fights fake news.
The FBI flags fake videos claiming to be from the agency. Okta patches an authentication bypass vulnerability. Microsoft confirms Windows Server 2025 Blue Screen of Death issues. Scammers exploit DocuSign’s APIs to send fake invoices that bypass spam filters. Hackers use smart contracts for command and control. ICS suppliers face challenges convincing customers to secure their environments. Barracuda tracks a phishing campaign impersonating OpenAI. X-Twitter makes controversial changes to its block feature. A Nigerian man gets 26 years in prison for email fraud. On our Solution Spotlight, N2K's Simone Petrella interviews Alex Stamos, CISO at SentinelOne, at the ISC2 Security Congress 2024 about lessons learned in 2024 and what that means for 2025. For a South Dakota plastic surgeon, ransomware was just the beginning of his financial woes.
Today is Monday, November 4th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
The FBI flags fake videos claiming to be from the agency.
The FBI recently issued a warning about two fake videos circulating online that falsely claim to be from the agency. One video alleges that the FBI arrested groups tied to the Democratic Party for committing ballot fraud, while the other references Vice President Kamala Harris’ husband, Doug Emhoff, suggesting the FBI won’t investigate his supposed ties to a government contractor.
The first video shows images of people in FBI shirts alongside a voiceover claiming three groups rigged mail-in voting using deceased and elderly citizens’ identities. It also includes fabricated quotes from Bellingcat journalist Eliot Higgins, suggesting a repeat of past election fraud concerns. Higgins responded on social media, clarifying that the quotes were fake and likely part of a Russian disinformation campaign. He mocked the video’s use of QR codes, noting that the FBI doesn’t use such methods, which made the video easier to track as inauthentic.
Experts, including Darren Linvill from Clemson University’s Media Forensics Hub, identified these videos as likely Russian “Doppelganger” content—low-quality, high-volume misinformation. This campaign aims to sow distrust in U.S. elections by promoting false claims of fraud and interference. The U.S. intelligence community has been on alert, noting a recent uptick in foreign disinformation, including fake videos implying voter fraud, corruption, and election tampering.
Okta patches an authentication bypass vulnerability.
Okta recently discovered and patched a security vulnerability in its AD/LDAP Delegated Authentication system that allowed attackers to bypass authentication using just a username—if the username was 52 characters or longer. This unusual flaw could be exploited only under specific conditions: the account had to have a previous successful login stored in the system’s cache (created by the bcrypt hashing algorithm) and multi-factor authentication (MFA) had to be disabled.
The vulnerability, which lingered for over three months, was fixed immediately upon discovery on October 30. Okta advised customers to review logs for authentication attempts using lengthy usernames dating back to July 23 and strongly recommended implementing MFA and phishing-resistant authenticators, like Okta Verify FastPass.
Security engineer Yan Zhu added that the issue stemmed from bcrypt’s behavior with long inputs, suggesting that hashing usernames with SHA-256 could prevent similar problems. Okta did not confirm any instances of successful exploitation.
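As an added illustration (not Okta's code, which is not public), the following Python models the cache-key construction the story describes. It assumes the key was userId + username + password with a 20-character userId, which is what makes 52 the threshold, and stands in for bcrypt with SHA-256 over the first 72 bytes, since bcrypt reads no further than that; it also includes a small triage helper, over constructed log lines, for the log review Okta recommended.

```python
import hashlib

# Added example modelling the Okta AD/LDAP delegated-auth cache-key bug.
# Assumptions (not from the story): the cache key is userId + username +
# password, and the userId is 20 bytes, which makes 52 the username length
# at which the password falls entirely outside bcrypt's 72-byte window.
BCRYPT_INPUT_LIMIT = 72
ASSUMED_USER_ID = "00uCONSTRUCTEDID1234"  # 20-char constructed placeholder

def model_bcrypt(data: bytes) -> str:
    """Stand-in for bcrypt: only the first 72 bytes influence the result.
    Real bcrypt is a salted, slow hash; SHA-256 over the truncated input is
    used here only so the example runs without the bcrypt package."""
    return hashlib.sha256(data[:BCRYPT_INPUT_LIMIT]).hexdigest()

def vulnerable_cache_key(user_id: str, username: str, password: str) -> str:
    """Vulnerable layout: the variable-length username sits before the
    password, so a long username pushes the password past the limit."""
    return model_bcrypt((user_id + username + password).encode())

def fixed_cache_key(user_id: str, username: str, password: str) -> str:
    """Mitigation: pre-hash the whole input with SHA-256 so bcrypt sees a
    fixed 64-char hex string, under 72 bytes. Hex rather than the raw
    digest, because bcrypt implementations stop at a NUL byte."""
    prehash = hashlib.sha256((user_id + username + password).encode())
    return model_bcrypt(prehash.hexdigest().encode())

def password_bytes_hashed(user_id: str, username: str) -> int:
    """Bytes of the password that still reach the hash; 0 means any
    password matches the cached entry."""
    return max(0, BCRYPT_INPUT_LIMIT - len((user_id + username).encode()))

def flag_long_username_attempts(log_lines, threshold=52):
    """Triage helper for the log review Okta recommended: returns usernames
    at or above the threshold from constructed 'user=<name>' records."""
    hits = []
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        if len(fields.get("user", "")) >= threshold:
            hits.append(fields["user"])
    return hits

if __name__ == "__main__":
    print(password_bytes_hashed(ASSUMED_USER_ID, "a" * 52))  # 0: any password matches
```

With a 51-character username one password byte still reaches the hash, so only passwords sharing a first byte collide; the pre-hashed variant keeps every byte of every field in play regardless of username length.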
Microsoft confirms Windows Server 2025 Blue Screen of Death issues.
Microsoft has confirmed several issues in Windows Server 2025 affecting systems with over 256 logical processors. These bugs can cause installation failures, long start-up times, and Blue Screen of Death (BSOD) errors, though they occur inconsistently.
To check if your system is impacted, open Task Manager and verify if it shows more than 256 logical processors. Microsoft is working on a fix, to be released in an upcoming monthly update. In the meantime, admins can work around the issue by limiting logical processors to 256 or fewer through UEFI settings.
Scammers exploit DocuSign’s APIs to send fake invoices that bypass spam filters.
Scammers are exploiting DocuSign’s APIs to send fake invoices that look authentic and bypass spam filters by originating from genuine DocuSign accounts. Cybersecurity firm Wallarm reports that attackers create paid DocuSign accounts, modify templates, and use APIs to send realistic phishing invoices, particularly imitating brands like Norton. These invoices may include accurate product pricing, activation fees, or wire instructions to enhance credibility and trick victims into unauthorized payments.
This phishing approach is effective because emails from DocuSign accounts are seen as legitimate, making them hard for traditional filters to catch. To protect against these scams, organizations should verify sender credentials, enforce strict financial approval protocols, and provide employee training on phishing risks. Regularly reviewing invoice details for unexpected charges and following DocuSign’s anti-phishing guidelines also help mitigate risks.
Hackers use smart contracts for command and control.
Security researchers at Checkmarx have identified a novel open-source supply chain attack that combines blockchain technology with traditional attack methods. The malicious package, “jest-fet-mock,” was found on npm, posing as legitimate JavaScript testing utilities by slightly altering their names—a technique called typosquatting.
Targeting development environments with elevated privileges, the malware triggers upon download, calling a smart contract to retrieve its command-and-control (C2) server address. This use of blockchain provides attackers with unique advantages: the decentralized, immutable blockchain infrastructure is nearly impossible to disrupt, and they can dynamically update the C2 address without modifying the malware.
This approach allows attackers to maintain communication resilience, evading defenses even if specific C2 servers are blocked. Checkmarx stresses that this attack highlights the need for strict security controls and validation of open-source packages, especially in sensitive development environments.
ICS suppliers face challenges convincing customers to secure their environments.
An article in Security Week describes how Siemens and Rockwell Automation are addressing cybersecurity challenges in industrial control systems (ICS), where cyberattacks pose significant risks to operational technology (OT). Both companies face obstacles in encouraging clients to update and secure ICS environments, historically designed without cybersecurity in mind. Siemens’ ProductCERT team focuses on transparency, advising clients on vulnerabilities via regular security advisories and automation-compatible formats to support timely updates. The team underscores the need for patching but acknowledges customer hesitancy due to possible disruptions and financial concerns.
Rockwell Automation, on the other hand, emphasizes client engagement through risk-based security justifications and works with OT clients to quantify risks and prioritize high-impact vulnerabilities. Both companies encourage security investments, from basic controls to advanced intrusion detection and endpoint protection. Rockwell advocates for Proof of Concept engagements to demonstrate cybersecurity’s value, aiming to gradually build trust and encourage proactive risk reduction in OT environments.
Barracuda tracks a phishing campaign impersonating OpenAI.
Since the launch of ChatGPT, cybercriminals have leveraged generative AI for more convincing phishing attacks, while businesses worry if their cybersecurity can keep up. Attackers use AI to craft realistic phishing emails, targeting brands like OpenAI to lure users into providing sensitive data. Recently, Barracuda researchers identified a large-scale phishing campaign impersonating OpenAI, urging users to update payment details to maintain subscriptions. Although the attack lacked sophistication, it used tactics like urgency, mimicry of official emails, and varied hyperlinks to evade detection.
Despite AI’s potential, studies by Barracuda, Forrester, and Verizon show that AI has not yet changed phishing fundamentally but enhances its scalability and authenticity. Experts recommend organizations deploy advanced email security, offer frequent security training, and automate response processes to mitigate threats.
X-Twitter makes controversial changes to its block feature.
X-Twitter is updating its block feature, now allowing blocked users to view public posts, followers, and following lists, though they still can’t follow, interact, or send direct messages. This controversial change has raised safety concerns, with many arguing that blocked users should not have any visibility of those who blocked them.
X-Twitter claims the update promotes transparency, suggesting the block feature could be misused to hide harmful information. However, critics point out that users already have the option to make accounts private. Many believe the new policy could lead to increased harassment and stalking.
In response, tech advocate Tracy Chou developed an app to automate blocking, adding a layer of friction for potential harassers. She emphasized that reducing barriers to viewing blocked users’ profiles only makes it easier for malicious actors to pursue unwanted interactions.
A Nigerian man gets 26 years in prison for email fraud.
Kolade Akinwale Ojelade, a Nigerian man residing in the UK, was sentenced in the US to 26 years in prison for a $12 million email fraud scheme targeting the real estate sector. Extradited to the US in April 2024, Ojelade pleaded guilty to wire fraud and identity theft. His scheme involved phishing to compromise email accounts of real estate firms. He monitored email exchanges about high-value transactions, then intercepted them to send altered payment instructions from spoofed accounts. This tricked buyers and companies into wiring funds to accounts he and his associates controlled.
Prosecutors estimated that, though the actual losses were around $12 million, the intended losses exceeded $100 million. Alongside his prison sentence, Ojelade was ordered to pay over $3.3 million in restitution and faces deportation upon release. The FBI emphasized the lasting financial impact of his crimes on individuals and businesses.
Up next, we’ve got N2K’s Simone Petrella on our Solution Spotlight talking with SentinelOne’s CISO Alex Stamos. Simone caught up with Alex at the ISC2 Security Congress 2024 and they discussed lessons learned in 2024 and what that means for 2025.
We’ll be right back.
Welcome back. We will share the full conversation between Simone and Alex in our Special Edition podcast airing on Sunday, November 10th in your CyberWire Daily feed.
For a South Dakota plastic surgeon, ransomware was just the beginning of his financial woes.
And finally, Dr. James Breit, a South Dakota plastic surgeon, was fined $500,000 by the U.S. Department of Health and Human Services’ Office for Civil Rights (HHS OCR) following a ransomware attack seven years ago, which impacted his clinic’s servers and affected over 10,000 patients. Although Breit paid $53,000 to hackers to regain access, he claims no patient data was compromised. However, OCR found his clinic in “significant noncompliance” with HIPAA requirements, citing failures in risk assessment and cybersecurity measures, leading to hefty penalties and mandated improvements.
OCR’s enforcement reflects an increasing emphasis on HIPAA Security Rule compliance in the healthcare sector, particularly as ransomware incidents have surged. OCR director Melanie Fontes Rainer emphasized that lack of proactive security measures makes healthcare providers “attractive targets” for cybercriminals.
Breit’s case contrasts with assurances from agencies like CISA and the FBI that reporting incidents won’t lead to punitive investigations. OCR’s actions suggest otherwise, as fines and corrective action plans often follow self-reported breaches. While these measures aim to boost healthcare resilience, they highlight tensions between regulatory bodies’ enforcement priorities and the goal of encouraging transparency in cyber incident reporting.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.