The CyberWire Daily Podcast 12.9.24
Ep 2205 | 12.9.24

Router security in jeopardy.

Transcript

A critical zero-day is confirmed by a Japanese router maker. Romania annuls the first round of its 2024 presidential election over concerns of Russian interference. A sophisticated malware campaign targets macOS users. Mandiant uncovers a method to bypass browser isolation using QR codes. Belgian and Dutch authorities arrest eight individuals linked to online fraud schemes. A medical device company discloses a ransomware attack. A community hospital in Massachusetts confirms a ransomware attack affecting over three hundred thousand. The Termite ransomware gang claims responsibility for the attack on Blue Yonder. Synology patches multiple vulnerabilities in its Router Manager (SRM) software. The head of U.S. Cyber Command outlines the challenges of keeping decision makers up to date. Our guest is Anna Pobletts, Head of Passwordless at 1Password, discussing the state of passkeys and what she sees on the road to a truly passwordless future. Robot rats join the mischief.

Today is Monday December 9th 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

A critical zero-day is confirmed by Japanese router maker I-O Data. 

Japanese device maker I-O Data confirmed the exploitation of critical zero-day vulnerabilities in its routers, with full patches delayed until mid-December 2024. The flaws include risks of disabling firewalls, executing arbitrary commands, and exposing sensitive information. The three vulnerabilities—CVE-2024-45841 (CVSS 6.5), CVE-2024-47133 (CVSS 7.2), and CVE-2024-52564 (CVSS 7.5)—allow attackers to steal authentication data, execute commands as an admin, or modify device settings remotely.

While a firmware update (v2.1.9) addresses CVE-2024-52564, fixes for the other flaws are pending. The zero-days, reported by Japanese researchers and coordinated through a national cybersecurity partnership, remain under wraps. I-O Data urged caution, highlighting ongoing exploitation of these vulnerabilities in the wild. Users are advised to apply available updates promptly.

Romania annuls the first round of its 2024 presidential election over concerns of Russian interference. 

Romania’s constitutional court annulled the first round of its 2024 presidential election, narrowly won by far-right candidate Calin Georgescu [Colin Joo-DESK-coo], citing concerns over Russian interference and election irregularities. This unprecedented decision cancels a scheduled runoff and mandates restarting the election process to ensure legality and fairness under Article 146(f) of the Constitution.

Georgescu, boosted by alleged TikTok manipulation and cyberattacks traced to a state-level actor, led with 22.9% of the vote, ahead of centrist Elena Lasconi’s 19.2%. The campaign faced over 85,000 cyberattacks on election systems, prompting warnings from the U.S. about Romania’s pro-Western stability.

Public protests erupted in Bucharest, with large pro-Europe demonstrations opposing Georgescu’s ultranationalist stance. Georgescu’s rise, fueled by economic frustrations and anti-Ukraine rhetoric, contrasts with Lasconi’s pro-Western agenda, deepening tensions in this contentious election.

A sophisticated malware campaign targets macOS users. 

Researchers at Cado Security Labs have uncovered a sophisticated malware campaign targeting macOS users, active for over four months. Disguised as a video meeting app, the malware steals sensitive data from macOS Keychain, Chromium-based browsers (Chrome, Brave, Vivaldi, etc.), Telegram, and cryptocurrency wallets. Hackers use AI-generated websites, fake social media accounts, and cloned Telegram contacts to build trust and lure victims.

Victims report phishing attempts linked to blockchain and cryptocurrency work. The malware also exploits browser session cookies, bypassing two-factor authentication. Despite offering cross-platform downloads, the campaign only delivers macOS malware, prompting users for passwords under false error messages.

Experts say users should stay vigilant against unsolicited business offers, especially on Telegram.

Mandiant uncovers a method to bypass browser isolation using QR codes. 

Mandiant uncovered a method to bypass browser isolation using QR codes for command-and-control (C2) operations. Browser isolation safeguards local systems by executing web scripts remotely and streaming only visuals back to users. Mandiant’s technique embeds commands in QR codes displayed on webpages, which isolation mechanisms do not filter. Infected devices decode these commands for malicious use. Though limited by low data transfer rates and latency, the method demonstrates vulnerabilities in current defenses, emphasizing the need for layered security strategies.

Belgian and Dutch authorities arrest eight individuals linked to online fraud schemes. 

Belgian and Dutch authorities arrested eight individuals linked to a fraud scheme involving phishing, online scams, and money laundering. The operation, active since 2022, used phishing emails, texts, and in-person impersonations to steal banking credentials, targeting older victims across ten European countries. Law enforcement conducted 17 searches, seizing luxury goods, cash, and a firearm. The suspects operated call centers in high-end locations and spent stolen millions on lavish lifestyles. Arrests included four in Belgium and four in the Netherlands, with investigations ongoing.

Medical device company Artivion discloses a ransomware attack. 

Medical device company Artivion disclosed a ransomware attack that disrupted order and shipping processes by forcing some systems offline. The Atlanta-based firm, which markets cardiac and vascular products in over 100 countries, identified the attack on November 21. Files were encrypted and exfiltrated, prompting containment and remediation efforts. While Artivion continues operations with mitigated disruptions, it expects some uninsured expenses. The company stated the attack hasn’t materially impacted finances but acknowledged potential risks if restoration delays persist. No threat actor has claimed responsibility.

A community hospital in Massachusetts confirms a ransomware attack affecting over three hundred thousand. 

Anna Jaques Hospital, a community hospital in Massachusetts, confirmed a ransomware attack on December 25, 2023, exposing sensitive data for over 310,000 patients. Threat actors from the “Money Message” group leaked stolen data, including personal, medical, and financial information, after failed extortion attempts. The hospital’s lengthy forensic investigation concluded on November 5, 2024. While no fraud has been detected, impacted individuals are being offered identity protection and credit monitoring. 

The Termite ransomware gang claims responsibility for the attack on Blue Yonder. 

The Termite ransomware gang has claimed responsibility for the November attack on SaaS provider Blue Yonder, disrupting services for high-profile clients like Starbucks, Sainsbury’s, and Morrisons. Blue Yonder, a Panasonic subsidiary specializing in supply chain software, serves over 3,000 customers worldwide, including Microsoft, DHL, and Procter & Gamble. The attack caused outages across Blue Yonder’s managed services, impacting Starbucks’ scheduling systems and causing shipping delays for companies like BIC.

Termite claims to have stolen 680GB of data, including databases, emails, documents, and reports. The gang uses a Babuk-based encryptor and has listed Blue Yonder and other victims on its dark web portal. Blue Yonder has restored services for some customers and is working with cybersecurity experts to mitigate the breach, but it has not confirmed the extent of the data compromise.

Synology patches multiple vulnerabilities in its Router Manager (SRM) software. 

Synology has patched multiple moderate-severity vulnerabilities in its Router Manager (SRM) software, versions prior to 1.3.1-9346-10. The flaws, CVE-2024-53279 through CVE-2024-53285, involve Cross-site Scripting (XSS) vulnerabilities across features like File Station, WiFi Connect, and DDNS Record. Exploitation requires authenticated, often administrator-level access and could allow attackers to inject malicious web scripts, steal data, or manipulate sessions. Synology urges users to update to the latest version to mitigate risks.

The head of U.S. Cyber Command outlines the challenges of keeping decision makers up to date. 

Air Force Gen. Timothy D. Haugh, commander of U.S. Cyber Command and director of the NSA, emphasized the need to enhance intelligence distribution. Speaking at the Reagan Defense Forum yesterday, Gen. Haugh said the U.S. excels at collecting and analyzing intelligence, but timely and effective delivery to decision-makers remains a challenge. He highlighted the Chinese-led “Salt Typhoon” hack, which targeted companies and political figures, as part of China’s broader cyber strategy. He stressed the importance of educating allies and strengthening partnerships with industry to protect critical infrastructure.

Haugh noted progress in cooperation between the NSA, CISA, FBI, and private sector partners but called for faster, more effective collaboration. Initiatives like the enduring security framework aim to bolster telecommunications infrastructure defenses. As a combat support agency, the NSA ensures military commanders, particularly those in active threat zones like the Red Sea, receive actionable intelligence. Additionally, the NSA supports U.S. European Command in delivering unified signals intelligence for military and policy decisions.

Next up, we discuss our passwordless future with 1Password’s Head of Passwordless Anna Pobletts as we talk about the state of passkeys and where we are going. After that, stay tuned for SMEO, the robot rat that’s tricking real rats into thinking it’s one of them.

We’ll be right back.

Welcome back.

Robot rats join the mischief. 

In a plot twist straight out of Rat-atouille: The Robot Edition, researchers from the Beijing Institute of Technology and the Technical University of Munich have crafted a robot rat so socially savvy, it’s fooling actual rats into thinking it’s one of them. Published in Nature Machine Intelligence, the team used AI and reinforcement learning to teach the robo-rodent the fine art of rat communication—whether that’s friendly nuzzling or laying down the law in a cage scuffle.

The robot doesn’t look entirely rat-like (think more “rat on wheels”), but it’s got the moves. With a flexible spine, nimble head, and functioning forelimbs, it mimics rat behavior well enough to trigger emotional responses from its furry peers—fear during anger or playful wrestling during happier times. Scientists envision these rodent doppelgängers as tools to study social behavior and emotional states in real rats. 

The robot rat fools real rats into trusting it; meanwhile, AI fools humans into thinking their chat history is private. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.