The CyberWire Daily Podcast 12.13.24
Ep 2209 | 12.13.24

Hackers in handcuffs.

Transcript

The U.S. dismantles the Rydox criminal marketplace. File-sharing provider Cleo urges customers to immediately patch a critical vulnerability. A Japanese media giant reportedly paid nearly $3 million to a Russia-linked ransomware group. The largest Bitcoin ATM operator in the U.S. confirms a data breach. Microsoft quietly patches two potentially critical vulnerabilities. Researchers at Claroty describe a malware tool used by nation-state actors to target critical IoT and OT systems. Dell releases patches for a pair of critical vulnerabilities. A federal court indicts 14 North Korean nationals for a scheme funding North Korea’s weapons programs. Texas accuses a data broker of sharing sensitive driving data without consent. Tim Starks, senior reporter at CyberScoop, joins Dave to explore the FCC's groundbreaking proposal to introduce cybersecurity rules linked to wiretapping laws. How the bots stole Christmas. 

Today is FRIDAY, December 13th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

The U.S. dismantles the Rydox criminal marketplace. 

The U.S. has dismantled Rydox, a marketplace for stolen personal data and fraud tools, and unsealed charges against its alleged administrators. Three suspects from Kosovo, Ardit Kutleshi, 26, Jetmir Kutleshi, 28, and Shpend Sokoli, were arrested in a coordinated operation. Ardit and Jetmir were detained in Kosovo and await U.S. extradition, while Sokoli was arrested in Albania and will be prosecuted there.

Active since 2016, Rydox facilitated the sale of stolen personal data, credit card details, and credentials from thousands of U.S. victims. The site hosted over 18,000 users and sold over 321,000 cybercrime-related products, generating $230,000. U.S. authorities seized the Rydox domain, its servers in collaboration with Malaysian police, and $225,000 in cryptocurrency.

Ardit and Jetmir face charges of identity theft, device fraud, and money laundering, with potential decades-long sentences. Sokoli’s arrest also led to the seizure of computers, phones, and cryptocurrency.

File-sharing provider Cleo urges customers to immediately patch a critical vulnerability.

Cleo has urged customers to immediately apply a new patch for a critical vulnerability in its popular file-sharing products—Cleo Harmony, VLTrader, and LexiCom—used by enterprises across industries. Initially addressed in October (CVE-2024-50623), researchers at Huntress found systems remained vulnerable. Cleo released a new patch Wednesday and is generating a new CVE.

The vulnerability, exploited by sophisticated threat actors, has affected consumer products, shipping, and retail supply chains, with 24 confirmed compromised organizations. Attackers have deployed malware named Malichus, using Cleo software for initial access and persistence. Notably, the Termite ransomware gang exploited this flaw, possibly linked to the Clop gang.

Huntress observed 160 vulnerable endpoints globally, with ransomware activity yet to emerge. Cybersecurity firms, including Sophos and Arctic Wolf, report primarily U.S.-based retail victims. Experts credit rapid industry response with mitigating potential large-scale impacts.

A Japanese giant reportedly paid nearly $3 million to a Russia-linked ransomware group. 

Japanese media giant Kadokawa reportedly paid nearly $3 million to Russia-linked ransomware group BlackSuit following a major cyberattack in June. The hackers accessed 1.5 TB of data, including contracts, internal documents, and employee personal information. Kadokawa’s subsidiary Niconico temporarily shut down its live-streaming platform due to the breach.

Evidence of the payment includes emails from BlackSuit claiming receipt of the ransom and a $2.98 million cryptocurrency transaction discovered by security firm Unknown Technologies. The hackers initially demanded $8.25 million but allegedly agreed to $3 million, stating they would delete the stolen data. However, some information was leaked despite the payment.

Kadokawa expects a $15 million fiscal loss due to the attack. Amid criticism of its handling of the breach, the company faces a potential acquisition by Sony, which employees view as a positive change.

The largest Bitcoin ATM operator in the U.S. confirms a data breach. 

Byte Federal, the largest Bitcoin ATM operator in the U.S., confirmed a data breach affecting 58,000 customers. The breach, caused by a vulnerability in third-party software GitLab, occurred on September 30, 2024, but was discovered on November 18. Compromised data includes names, addresses, Social Security numbers, transaction histories, and more. Byte Federal secured the server, implemented additional protections, and notified affected customers. While no misuse of data or funds has been reported, experts warn of potential phishing risks.

Microsoft quietly patches two potentially critical vulnerabilities. 

Microsoft announced the patching of two potentially critical vulnerabilities in Update Catalog and Windows Defender. These flaws, tracked as CVE-2024-49071 and CVE-2024-49147, have been fully mitigated and require no user action.

The Windows Defender flaw, rated medium-severity based on CVSS scores, could have allowed unauthorized disclosure of sensitive file content over a network due to improper index authorization. The Update Catalog vulnerability, involving deserialization of untrusted data, was a privilege escalation issue on the webserver.

Microsoft emphasized that neither flaw was disclosed publicly nor exploited before patching. The company is now assigning CVE identifiers to cloud service vulnerabilities for transparency, following industry trends. Similar measures have been adopted by Google Cloud, reflecting growing emphasis on proactive security and communication about server-side vulnerabilities.

Researchers at Claroty describe a malware tool used by nation-state actors to target critical IoT and OT systems.

Researchers at Claroty’s Team82 have identified IOCONTROL, a malware tool used by nation-state actors to target critical IoT and OT systems, including SCADA devices. Linked to Iran’s IRGC-CEC CyberAv3ngers group, IOCONTROL has compromised devices such as fuel management systems, IP cameras, and PLCs from vendors like D-Link, Hikvision, and Orpak. One campaign impacted U.S. and Israeli fuel systems. The U.S. Treasury has sanctioned IRGC-CEC officials and offers a $10 million bounty for information on those involved.

Dell releases patches for a pair of critical vulnerabilities. 

Dell disclosed two critical vulnerabilities, CVE-2024-37143 and CVE-2024-37144, affecting PowerFlex appliances, racks, InsightIQ, and Data Lakehouse products. CVE-2024-37143, with a CVSS score of 10.0, allows unauthenticated remote code execution through improper link resolution. CVE-2024-37144, scoring 8.2, involves insecure storage of sensitive information, enabling high-privileged local attackers to access cluster pods. Dell has released patches for impacted systems and urges users to update immediately. 

A federal court indicts 14 North Korean nationals for a scheme funding North Korea’s weapons programs. 

A federal court in St. Louis has indicted 14 North Korean nationals for a scheme generating $88 million to fund North Korea’s weapons programs. Over six years, IT workers from North Korea-linked companies Yanbian Silverstar and Volasys Silverstar used false identities to secure remote jobs with U.S. companies. They not only collected salaries but also stole sensitive data, threatening extortion. The Justice Department seized $1.5 million and 17 domains as part of the case. The scheme highlights cybersecurity risks and the misuse of remote work. U.S. companies are urged to rigorously vet IT workers. Rewards up to $5 million are offered for leads on suspects. Authorities continue efforts to thwart North Korea’s attempts to bypass sanctions.

Texas accuses a data broker of sharing sensitive driving data without consent. 

Texas Attorney General Ken Paxton has accused data broker Arity, owned by Allstate, of sharing sensitive consumer driving data without clear notice or consent. Arity gathers driving behavior data via SDKs embedded in partner apps, such as MyRadar, GasBuddy, and Life360, then sells it to insurers to inform pricing decisions. Texas alleges Arity violated its privacy law by failing to obtain affirmative consent and not providing opt-out options. Sensitive data collected includes geolocation and driving patterns.

The state’s investigation revealed Arity’s partnerships with apps often lack transparency, with some apps failing to disclose these relationships in their privacy policies. While MyRadar claims its data sharing is anonymized and opt-in, Texas accuses other apps of improperly sharing data. The broader investigation reflects growing scrutiny of data brokers exploiting consumer information, particularly in the automotive and insurance sectors.


Up next, Tim Starks from CyberScoop and I explore the FCC's proposal to introduce cybersecurity rules linked to wiretapping laws. And, malicious bots are turning holiday shopping into a Hunger Games-style scramble for overpriced gifts! We’ll be right back.

Welcome back.

How the bots stole Christmas. 

This Christmas, the Grinch isn’t stealing presents—he’s programming bots. According to Imperva, 71% of UK shoppers blame malicious bots for ruining their holiday cheer by scalping the season’s hottest gifts. These sneaky bots snatch up stock faster than Santa can load a sleigh, leaving parents with two options: overpaying on resale sites (where prices can soar 105%) or settling for the dreaded “alternative gift.”

A staggering 19% of shoppers reported paying more for replacements, while 10% succumbed to inflated prices on secondary marketplaces. Imperva’s Tim Ayling warns that AI-powered bots are turbocharging the chaos, scalping gifts at record speed. The result? Disappointed kids, frustrated parents, and a retailer reputation nosedive.

But retailers don’t have to play the victim. Imperva suggests bot-fighting strategies like rate-limiting, blocking outdated browsers, and sniffing out headless browsers. With these tips, retailers might just save Christmas—and keep the bots on the naughty list.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.