The CyberWire Daily Podcast 12.3.24
Ep 2201 | 12.3.24

Nam3l3ss but not harmless.

Transcript

More than 760,000 see their personal data exposed on the BreachForums cybercrime forum. The new head of the UK’s NCSC warns against underestimating growing cyber threats. The Consumer Financial Protection Bureau (CFPB) looks to prevent data brokers from selling Americans’ personal and financial information. A U.S. government and energy sector contractor discloses a ransomware attack. The “smoked ham” Windows backdoor is being actively deployed. A new report warns of overreliance on Chinese-made LIDAR technology. SmokeLoader malware targets companies in Taiwan. NIST proposes new password guidelines. South Korean police make arrests over 240,000 satellite receivers with built-in DDoS attack capabilities. On our Threat Vector segment, we preview this week’s episode where host David Moulton goes Behind the Scenes with Palo Alto Networks' CIO and CISO. ChatGPT has a Voldemort moment.

Today is Tuesday December 3rd, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

More than 760,000 see their personal data exposed on the BreachForums cybercrime forum. 

More than 760,000 employees across major organizations had their personal data exposed after a threat actor, “Nam3l3ss,” posted it on the BreachForums cybercrime forum. The data, tied to the 2023 MOVEit hack orchestrated by the Cl0p ransomware group, includes names, emails, phone numbers, job titles, and manager details. Affected organizations include Bank of America, Koch, Nokia, JLL, Xerox, Morgan Stanley, and Bridgewater.

The MOVEit breach exploited a zero-day vulnerability in Progress Software’s file transfer tool, impacting nearly 2,800 organizations and 100 million individuals. Atlas Privacy, which analyzed the data, linked the breach to Cl0p and noted the information’s value for social engineering. Bank of America tops the list with over 288,000 affected employees.

Nam3l3ss, who recently leaked Amazon employee data, appears to have filtered and repackaged terabytes of stolen data for easier dissemination. The breach underscores growing risks tied to large-scale cyber extortion campaigns.

The new head of the UK’s NCSC warns against underestimating growing cyber threats. 

The UK is underestimating growing cyber threats, warns Richard Horne, the new head of the National Cyber Security Centre (NCSC), part of GCHQ. Speaking at the launch of NCSC’s annual review, Horne highlights a widening gap between the increasing sophistication of cyber threats and the UK’s defenses, particularly around critical national infrastructure (CNI).

Over the past year, NCSC handled 430 incidents, 89 of which were nationally significant. Ransomware remains the most immediate threat, with state-linked actors now targeting industrial control systems. Two major vulnerabilities exploited by state-backed hackers were identified, linking Iran and ransomware groups to UK infrastructure risks.

Horne criticized the lack of adoption of the government-backed Cyber Essentials scheme, with only 31,000 organizations certified out of 5 million eligible. He called for urgent improvements in resilience, emphasizing rising risks from state and non-state actors, especially Russia and China.

The Consumer Financial Protection Bureau (CFPB) looks to prevent data brokers from selling Americans’ personal and financial information. 

The Consumer Financial Protection Bureau (CFPB) has proposed a rule to prevent data brokers from selling Americans’ personal and financial information, such as Social Security numbers and phone numbers, under the Fair Credit Reporting Act (FCRA). This proposal, following President Biden’s executive order to limit private data sales, aims to close loopholes that allow data brokers to evade FCRA regulations.

CFPB Director Rohit Chopra stated the rule would address the “widespread evasion” of federal privacy laws and hold data brokers to the same standards as credit bureaus and background check companies. It would restrict brokers from selling sensitive identifying information, reinforcing FCRA protections.

The move highlights growing scrutiny of data brokers for profiting from personal data sales and poses significant regulatory changes. The proposal will be open for public comment until March 2025, amidst uncertainty over its future under potential regulatory rollbacks.

A U.S. government and energy sector contractor discloses a ransomware attack. 

ENGlobal Corporation, a contractor for the U.S. government and energy sector, has restricted its operations following a ransomware attack that encrypted some of its data files. The Texas-based company disclosed the breach in an SEC filing, noting it became aware of the incident on November 25. ENGlobal, whose clients include the Departments of Defense and Energy, is investigating the attack but has not determined its financial impact. Full restoration of IT systems remains uncertain.

The “smoked ham” Windows backdoor is being actively deployed. 

Cyber researchers at Trac-Labs have analyzed a renewed threat from UNC2465, a cybercriminal group once affiliated with the now-defunct Darkside ransomware. The group is actively deploying the “smoked ham” Windows backdoor, which facilitates initial access and persistence in targeted networks. UNC2465 uses trojanized installers disguised as legitimate tools and spreads malware through phishing emails, malicious ads, and cloud services like Google Drive and Dropbox.

The backdoor allows for reconnaissance, lateral network movement using tools like Mimikatz, and credential harvesting. Despite the disruption of some ransomware groups, UNC2465 remains a significant threat, adapting its tactics and ransomware partnerships to continue operations.

A new report warns of overreliance on Chinese-made LIDAR technology. 

The non-profit Foundation for Defense of Democracies (FDD) think tank warns that US reliance on Chinese-made LIDAR technology poses significant national, economic, and cyber security risks. LIDAR, critical for creating 3D maps and models, supports autonomous navigation, infrastructure monitoring, and military applications like enemy detection. However, Chinese LIDAR systems’ integration into US critical infrastructure, such as public safety, transportation, and utilities, could expose users to espionage and sabotage by Beijing.

The report highlights the risk of Chinese intelligence exploiting LIDAR systems, similar to previous cases involving Huawei’s communication technology. Additionally, China could disrupt LIDAR supply chains, as it has with rare earth elements, to exert strategic pressure.

FDD recommends reducing reliance on untrusted vendors, implementing rigorous cybersecurity standards, and boosting domestic LIDAR production to secure vital systems. Legislative action, like a proposed ban on purchasing Chinese LIDAR, underscores growing concerns over these vulnerabilities.

SmokeLoader malware targets companies in Taiwan. 

Researchers at FortiGuard Labs uncovered a SmokeLoader malware campaign targeting companies in Taiwan across manufacturing, healthcare, IT, and other sectors. Known for its modular design and advanced evasion techniques, SmokeLoader acted both as a downloader and a direct attacker by fetching plugins from its command-and-control (C2) servers. The malware was delivered via phishing emails exploiting vulnerabilities like CVE-2017-0199 and CVE-2017-11882 in Microsoft Office.

The malware’s plugins were used for credential theft, keylogging, browser injections, and persistence across systems. It leveraged sophisticated techniques, including steganography and obfuscated scripts, to avoid detection. Attackers exploited cloud services like Google Drive to host payloads and used malicious advertising campaigns to spread infections. This campaign highlights SmokeLoader’s adaptability and the persistent threat it poses. FortiGuard advises organizations to remain vigilant and strengthen defenses against such advanced malware operations.

NIST proposes new password guidelines. 

The Wall Street Journal looks at NIST’s proposed updated password guidelines aimed at improving security and usability. The draft, set for finalization in 2025, advises organizations to eliminate outdated practices like frequent password changes and overly complex requirements. Instead, NIST emphasizes longer passwords, recommending a minimum of 8 characters, ideally 15 or more, with support for special characters like emojis.

The guidelines also promote tools such as password managers and passkeys, which use biometrics to authenticate without passwords. Research shows that strict password rules often backfire, leading users to create predictable patterns. NIST also recommends block lists to prevent the use of compromised or common passwords.

While passkeys offer strong security against phishing, vulnerabilities remain if devices aren’t properly secured. These new standards aim to balance user-friendliness with robust protections, reshaping password practices across government and industry.
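As an added illustration (not part of the transcript or of NIST's own material), the following Python contrasts a legacy composition-rule check with a length-plus-blocklist check of the kind the draft describes. The blocklist is a small constructed sample, the 64-character cap and code-point counting are this example's assumptions.

```python
import re
import unicodedata

# Constructed sample blocklist of common/compromised passwords (not a real
# breach corpus); a deployment would load a large published list instead.
BLOCKLIST = {"password", "12345678", "qwertyuiop", "p@ssw0rd", "welcome1"}

MIN_LEN = 8           # floor from the draft guidance
RECOMMENDED_LEN = 15  # "ideally 15 or more"
MAX_LEN = 64          # assumption: high enough not to reject long passphrases


def legacy_policy(pw: str) -> bool:
    """The kind of composition rule the draft retires: 8+ characters with an
    upper-case letter, a lower-case letter, a digit and a symbol. It accepts
    predictable patterns and rejects long passphrases that lack a symbol."""
    return bool(
        len(pw) >= 8
        and re.search(r"[A-Z]", pw)
        and re.search(r"[a-z]", pw)
        and re.search(r"\d", pw)
        and re.search(r"[^\w\s]", pw)
    )


def nist_style_policy(pw: str, blocklist=BLOCKLIST) -> dict:
    """Length-based check with no composition rules: every Unicode code point
    counts as one character (so an emoji counts), and entries on the
    common/compromised blocklist are rejected regardless of length."""
    pw = unicodedata.normalize("NFC", pw)  # compare a canonical form
    length = len(pw)
    reasons = []
    if length < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if length > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    if pw.casefold() in blocklist:
        reasons.append("matches common/compromised password blocklist")
    return {
        "accepted": not reasons,
        "length": length,
        "meets_recommended": length >= RECOMMENDED_LEN,
        "reasons": reasons,
    }


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "correct horse battery staple", "🔒🔑🚀🐍🧪🎯💡🍕"):
        print(candidate, legacy_policy(candidate), nist_style_policy(candidate))
```

Run as-is to see that the legacy rule accepts "P@ssw0rd" and rejects the 28-character passphrase, while the length-based check does the opposite.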

South Korean police make arrests over 240,000 satellite receivers with built-in DDoS attack capabilities.

South Korean police arrested a CEO and five employees for manufacturing over 240,000 satellite receivers with built-in or update-enabled DDoS attack capabilities. Between 2019 and 2024, 98,000 devices shipped with pre-installed DDoS modules, while others were updated later. These devices, sold at the request of a purchasing company starting in 2018, enabled illegal attacks targeting external systems, allegedly to counter a rival’s actions.

Users of the receivers were unknowingly involved in these attacks, potentially experiencing degraded device performance. The scheme was uncovered after intelligence from Interpol revealed the involvement of a Korean manufacturer and a foreign broadcaster.

Authorities seized the company’s assets, totaling 61 billion KRW (~$4.35 million), and charged the suspects under Korea’s Information Protection Act. While the purchasing company’s operators remain at large, Korean police are seeking international cooperation to apprehend them. 


Next up we’ve got our biweekly Threat Vector segment. We are switching things up and are giving you a preview of this week’s episode. Host David Moulton goes “Behind the Scenes with Palo Alto Networks' CIO and CISO Securing Business Success with Frictionless Cybersecurity.” Meerah Rajavel, CIO of Palo Alto Networks, and Niall Browne, CISO of the organization, join David to discuss the importance of aligning IT strategy with cybersecurity. 

We’ll be right back.

Welcome back. You can catch new episodes of Threat Vector every Thursday on our website and on your favorite podcast app. You can find a link in our show notes. 


ChatGPT has a Voldemort moment. 

And finally, the curious case of ChatGPT's meltdown moments! It seems that this AI wunderkind has its limits, and certain names are enough to send it into a digital tailspin. What do David Mayer, Jonathan Zittrain, and Jonathan Turley have in common? Well, aside from being accomplished individuals with impressive credentials, they've all managed to trigger ChatGPT's "I'm unable to produce a response" feature.

It turns out that these names are connected to some rather awkward AI hallucinations. For example, ChatGPT falsely claimed that Jonathan Turley had been involved in a non-existent sexual harassment scandal. The chatbot even cited a Washington Post article as evidence, which, it turned out, was also made up by the AI itself.

Jonathan Zittrain's name is also on the list of banned names, but there's no obvious reason why. He recently wrote an article in The Atlantic called "We Need to Control AI Agents Now," which might have something to do with it, but it's unclear. What's more, his work has been cited in a New York Times copyright lawsuit against OpenAI and Microsoft, but entering the names of other authors whose work is also cited in the suit doesn't cause ChatGPT to break.

And then there's David Mayer, who was initially blocked by ChatGPT before being unblocked for reasons that are still unclear. Some speculate it might be connected to David Mayer de Rothschild, a member of the wealthy and influential Rothschild family, but there's no evidence to support this theory.

Ars Technica points out that these hard-coded filters can cause problems for ChatGPT users. It's been shown how an attacker could interrupt a session using a visual prompt injection of one of the names rendered in a barely legible font embedded in an image. Moreover, someone could exploit the blocks by adding one of the names to a website, thereby potentially preventing ChatGPT from processing the data it contains – though not everyone might see that as a bad thing.

I can’t help wondering if OpenAI could simply have ChatGPT whisper the names that cannot be named. You know, like Voldemort.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


This holiday season, Only Malware in the Building returns with a festive, A Christmas Carol-inspired twist! In this special episode, Selena Larson—Proofpoint intelligence analyst and host of DISCARDED—Rick Howard, and I embark on a ghostly journey through the most pressing cybersecurity threats of the season. 

In this festive adventure, we dive into key cyber risks like two-factor authentication (2FA) pitfalls, social engineering scams, and the frightening return of consumer-targeted attacks. From the echoes of past cyberattacks to the threats hidden behind holiday merriment, we’re here to bring you practical wisdom with a dash of holiday spirit. That’s Only Malware in the Building, check it out!

And that’s the CyberWire.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.