The CyberWire Daily Podcast 12.16.24
Ep 2210 | 12.16.24

Rhode Island cyberattack exposes sensitive data.

Transcript

A cyberattack in Rhode Island targets those who applied for government assistance programs. U.S. Senators propose a three billion dollar budget item to “rip and replace” Chinese telecom equipment. The Clop ransomware gang confirms exploiting vulnerabilities in Cleo’s managed file transfer platforms. A major Southern California healthcare provider suffers a ransomware attack. A leading US auto parts provider discloses a cyberattack on its Canadian business unit. SRP Federal Credit Union notifies over 240,000 individuals of a cyberattack. A sophisticated phishing campaign targets YouTube creators. Researchers identify a high-severity vulnerability in Mullvad VPN. A horrific dark web forum moderator gets 30 years in prison. Our guests are Perry Carpenter and Mason Amadeus, hosts of the new FAIK Files podcast. Jailbreaking your license plate.

Today is Monday, December 16th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

A cyberattack in Rhode Island targets those who applied for government assistance programs. 

A cyberattack on Rhode Island’s RIBridges system has potentially exposed sensitive personal information of hundreds of thousands of people who applied for government assistance programs since 2016, including SNAP, Medicaid, and other social services. Hackers, part of an international cybercriminal group, threatened to release the data unless paid, though this was classified as extortion rather than ransomware. Highly sensitive details like Social Security and bank account numbers may have been stolen. The breach was confirmed on December 10 after hackers provided evidence to Deloitte, the system’s vendor. Malicious code was found, prompting officials to shut down the system to mitigate further risk.

State officials, along with Deloitte and law enforcement, are investigating. Impacted individuals will receive free credit monitoring and access to support. Benefits for December were distributed, but new applications must be filed on paper for now. Open enrollment for health insurance continues, with enrollment unaffected so far.

U.S. Senators propose a three billion dollar budget item to “rip and replace” Chinese telecom equipment. 

The $3 billion added to the 2025 National Defense Authorization Act (NDAA) for removing Chinese-made telecom equipment is being framed as a critical step in preventing breaches like the Salt Typhoon cyberespionage campaign. Salt Typhoon, linked to Chinese government hackers, has highlighted vulnerabilities in U.S. networks, especially those relying on Huawei and ZTE equipment.

The Federal Communications Commission (FCC) previously identified a $3.08 billion funding gap in its “rip and replace” program, which aims to remove such technology from 126 carriers’ systems. Without full funding, rural carriers remain exposed, lacking resources to upgrade or replace compromised equipment. Salt Typhoon’s success against major operators underscores the risks for smaller networks with fewer defenses.

Senators from both parties stressed the urgency of securing networks. While some criticized expanding FCC regulations, others highlighted the need for swift action to eliminate known vulnerabilities. The Salt Typhoon attacks serve as a stark warning: securing telecom infrastructure is a matter of national security.

The Clop ransomware gang confirms exploiting vulnerabilities in Cleo’s managed file transfer platforms. 

The Clop ransomware gang has confirmed to BleepingComputer their involvement in exploiting vulnerabilities in Cleo’s managed file transfer platforms, including Harmony, VLTrader, and LexiCom. The attacks utilized a zero-day vulnerability (CVE-2024-50623) that Cleo initially patched in October. However, cybersecurity firm Huntress discovered last week that the patch was incomplete, allowing attackers to bypass it, upload backdoors, and steal data. While Cleo did not publicly disclose prior exploits, BleepingComputer reports Clop admitted responsibility, linking the attacks to their previous methods, including similar exploits in the MOVEit breaches.

A major Southern California healthcare provider suffers a ransomware attack. 

A ransomware attack on PIH Health, a Southern California healthcare provider serving over 3 million residents, has disrupted IT systems, impacting hospitals, urgent care centers, pharmacies, and more. Cybercriminals claim to have stolen 17 million patient records and threatened to publish 2 terabytes of sensitive data unless a deal is made. PIH Health confirmed it is working with forensic specialists and law enforcement but has not acknowledged the hackers’ claims publicly.

The attack has forced PIH to rely on downtime procedures, delaying test results, surgeries, and prescription refills. Online services, including appointment scheduling, are unavailable. The breach could become one of the largest healthcare data breaches this year if the hackers’ claims are verified.

Cybersecurity experts warn that such attacks will persist without stronger federal intervention, including measures like preauthorized traffic filtering and comprehensive national privacy laws. PIH also faced a phishing breach in 2020, leading to lawsuits.

Meanwhile, ConnectOnCall.com, a Phreesia subsidiary offering communication tools for healthcare providers, experienced a data breach affecting 914,138 individuals. The breach, lasting from February 16 to May 12, 2024, exposed sensitive data, including patient names, phone numbers, medical record numbers, health conditions, and prescription details. Social Security numbers of some individuals were also compromised. The platform was taken offline immediately, investigated by third-party cybersecurity experts, and later relaunched with enhanced security. Affected individuals received notifications, with credit monitoring offered to those whose Social Security numbers were exposed.

A leading US auto parts provider discloses a cyberattack on its Canadian business unit.

LKQ Corporation, a leading US auto parts provider, disclosed a cyberattack on its Canadian business unit, causing weeks of disruption starting November 13. LKQ, which operates in 24 countries with 45,000 employees, reported the incident in an SEC filing, stating the unit is now near full capacity and the threat has been contained. The company does not expect significant financial impact and plans to seek reimbursement through cybersecurity insurance. No threat actors have claimed responsibility.

SRP Federal Credit Union notifies over 240,000 individuals of a cyberattack.

SRP Federal Credit Union is notifying 240,742 individuals about a cyberattack that exposed sensitive personal information, including names, Social Security numbers, driver’s license details, and financial data. The breach occurred between September 5 and November 4, 2024, and was discovered after the credit union secured its systems and reviewed compromised files. While SRP has no evidence of misuse, it is offering one year of free identity protection services to affected individuals.

The ransomware group Nitrogen, active since September 2024, has claimed responsibility, alleging it stole 650GB of data and is selling it online. SRP has not confirmed the nature of the attack but reported the incident to law enforcement and attorneys general in Texas and Maine. Founded in 1960, SRP serves over 200,000 members across Georgia and South Carolina with a workforce of 400 employees.

A sophisticated phishing campaign targets YouTube creators. 

CloudSEK has uncovered a sophisticated phishing campaign targeting YouTube creators, leveraging fake brand collaboration emails to steal accounts and spread scams. Scammers use specialized tools to scrape email addresses from YouTube channels and send bulk phishing emails via browser automation. These emails, posing as lucrative collaboration offers, include attachments disguised as contracts or promotional materials hosted on platforms like OneDrive, protected by passwords to appear legitimate.

The malicious attachments often contain malware hidden within files such as “Digital Agreement Terms” or “Payments Comprehensive Evaluation.exe.” Once downloaded, the malware can steal login credentials, financial data, intellectual property, or grant remote access to attackers. Over 200,000 creators have been targeted, with attackers using hundreds of SMTP servers to execute the campaign globally.

YouTube creators are advised to verify unsolicited collaboration offers, avoid downloading suspicious attachments, and confirm the sender’s legitimacy directly with the brand.

Researchers identify a high-severity vulnerability in Mullvad VPN. 

Security researchers at X41 D-Sec GmbH have identified high-severity vulnerabilities in Mullvad VPN, including race conditions and temporal safety violations in its signal handler code. These flaws could lead to memory corruption and potential code execution if an attacker triggers a signal at the right moment, though exploitation is complex. Additionally, a DLL sideloading vulnerability in Mullvad’s Windows installer could allow attackers to execute malicious code during installation. Mullvad users are urged to update their software to mitigate these risks.

A horrific dark web forum moderator gets 30 years in prison. 

The depths of human depravity are truly staggering. Robert Shouse, a 37-year-old Texan, has been sentenced to 30 years in prison for his heinous crimes against children. This monster ran a dark web forum where pedophiles could exchange and discuss child sex abuse material (CSAM), including videos and images of babies and toddlers. He personally abused one child for six years, creating hundreds of instances of CSAM with the boy, and even bribed the child's family with gifts and money.

But that's not all - Shouse also secretly recorded two other minors and asked two others to send him naked pictures of themselves. The FBI found over 117,000 CSAM images and 1,100 videos on his seized computers and storage drives. This is a man who has no regard for human life or dignity, and has spent years preying on the most vulnerable members of society.

The US Attorney aptly described Shouse as "the embodiment of evil", and it's hard to disagree with that assessment. His crimes are a stark reminder of the importance of holding perpetrators accountable for their actions, and the need for law enforcement to remain vigilant in protecting our children from these monsters. In addition to the 30 years in the slammer, Shouse will now face 10 years of supervised release, pay $153,500 in restitution to his victims, and be registered as a sex offender for life. But even this may not be enough to bring justice to those he has harmed.


Next up, I speak with Perry Carpenter and Mason Amadeus about their new podcast here on the N2K CyberWire Network, The FAIK Files podcast. And, we talk about digital license plates: because sometimes, even your car wants to go incognito. We’ll be right back.

Welcome back. There’s a link to Perry and Mason’s show in our show notes. You can hear new episodes of The FAIK Files every Friday on the N2K CyberWire network. 

Jailbreaking your license plate. 

And finally, digital license plates, the high-tech replacements for boring metal ones, offer features like theft alerts and custom messages. But security researcher Josep Rodriguez has revealed a darker side: they can be hacked. With a few tools and a little ingenuity, Rodriguez demonstrated how to jailbreak Reviver’s plates, allowing users to change plate numbers at will, perfect for dodging tickets or pinning them on someone else. Think James Bond, or KITT from Knight Rider, but more petty criminal than secret agent or supercar.

By tweaking the plate’s firmware, Rodriguez could swap out its display with just a smartphone app. Worse, a hacker could track a driver or wreak havoc by selling pre-jailbroken plates online. Reviver insists it’s a “highly unlikely” scenario, but Rodriguez disagrees, calling it relatively simple.

So, while digital plates might sound futuristic, they also come with risks—like suddenly being blamed for someone else’s speeding tickets. Drive safe, and maybe stick to old-school metal for now!

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.