The CyberWire Daily Podcast 12.19.24
Ep 2213 | 12.19.24

Breached but not broken.

Transcript

CISA urges senior government officials to enhance mobile device security. Russian state-sponsored hacker group Sandworm is targeting Ukrainian soldiers. A website bug in GPS tracking firm Hapn is exposing customer information. Multiple critical vulnerabilities have been identified in Sharp branded routers. Ireland’s Data Protection Commission fines Meta $263 million for alleged GDPR violations. Google releases an urgent Chrome security update to address four high-rated vulnerabilities. Cyberattacks on India-based organizations surged 92% year-over-year. Cybercriminals target Google Calendar to launch phishing attacks. Fortinet patches a critical vulnerability in FortiWLM. Juniper Networks warns of a botnet infection targeting routers with default credentials. Our guest is Jeff Krull, principal and practice leader of Baker Tilly's cybersecurity practice, with advice on using employee access controls to limit internal cyber threats. When is “undesirable” a badge of honor?

Today is Thursday December 19th 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

CISA urges senior government officials to enhance mobile device security.

CISA has urged senior government officials to enhance mobile device security following the “Salt Typhoon” breach, where Chinese hackers accessed the phone data, messages, and calls of 150 top U.S. officials. The agency recommends using end-to-end encrypted apps and warns that all communications—government or personal—are at risk of interception or manipulation. High-profile targets include President-elect Donald Trump, Vice President Kamala Harris’ staff, and Senator Chuck Schumer.

CISA’s latest advisory emphasizes a whole-of-government effort to secure mobile ecosystems, with insights gathered from over five million devices across 94 agencies. The breach underscores the vulnerability of U.S. telecom networks, with Chinese hackers reportedly maintaining access to compromised systems.

The breach has escalated U.S.-China cyber tensions, prompting discussions about banning TP-Link routers, widely used in federal operations. China, in turn, accuses U.S. intelligence of cyberattacks against its tech firms, alleging the theft of sensitive data and exploitation of software vulnerabilities. The cyber standoff continues to intensify.

Russian state-sponsored hacker group Sandworm is targeting Ukrainian soldiers. 

Russian state-sponsored hacker group Sandworm is targeting Ukrainian soldiers in a new espionage campaign, according to MIL.CERT-UA. The hackers created fake websites mimicking the Ukrainian military app Army+ to trick users into downloading malicious software. Army+, launched earlier this year, streamlines bureaucratic tasks for soldiers, making it a critical tool.

The fake sites, hosted on Cloudflare Workers, deliver an installer crafted with NSIS. When executed, the file grants hackers hidden access to compromised systems, allowing data exfiltration via the Tor network. CERT-UA links this campaign to Sandworm, known for major attacks like the 2015 power grid disruption and the 2017 NotPetya incident.

This operation underscores ongoing Russian cyber aggression targeting Ukraine’s military infrastructure. Recent attacks include malware planted in messaging apps and campaigns aimed at conscripts, highlighting a persistent focus on disrupting Ukrainian forces.

A website bug in GPS tracking firm Hapn is exposing customer information. 

A website bug in GPS tracking firm Hapn is exposing customer names, affiliations, and data on over 8,600 GPS trackers, TechCrunch reports. While location data isn’t included, IMEI numbers and details about business affiliations of users are accessible through developer tools. Hapn, formerly Spytec, provides GPS tracking for vehicles and possessions and claims over 460,000 tracked devices, including Fortune 500 customers. The company hasn’t responded to multiple outreach attempts, leaving the data exposed.

Multiple critical vulnerabilities have been identified in Sharp branded routers. 

Multiple critical vulnerabilities have been identified in Sharp routers and models from NTT DOCOMO, SoftBank, and KDDI, requiring immediate firmware updates. The most severe flaw, CVE-2024-46873 (CVSS 9.8), allows remote exploitation without authentication, enabling attackers to execute commands with root privileges. Other issues include OS command injection, improper authentication, and buffer overflow risks. Users should check advisories and update firmware promptly to mitigate risks.

Ireland’s Data Protection Commission fines Meta $263 million for alleged GDPR violations. 

Ireland’s Data Protection Commission (DPC) fined Meta €251 million ($263 million) for alleged GDPR violations tied to a 2018 Facebook data breach affecting 29 million accounts globally. The breach, linked to a flaw in Meta’s video upload system, exposed sensitive user data, including locations, religions, genders, children’s personal data, phone numbers, and email addresses. The DPC cited Meta’s failure to integrate adequate data protection measures into its systems, poor breach documentation, and inadequate compliance practices. This fine follows several others against Meta, including €1.2 billion in May 2023 for improper EU-U.S. data transfers and €405 million in 2021 for mishandling minors’ data. Meta responded by highlighting its corrective actions and commitment to user safety. 

Google releases an urgent Chrome security update to address four high-rated vulnerabilities. 

Google has released an urgent Chrome security update to address four high-rated vulnerabilities affecting over 3 billion users. The issues include type confusion, out-of-bounds memory access, and use-after-free flaws in the Chrome V8 JavaScript engine and browser compositing function. Security researchers earned $75,000 in bounties for identifying these risks. Users are urged to update Chrome and restart the browser to activate protection.

Cyberattacks on India-based organizations surged 92% year-over-year. 

DarkReading reports that cyberattacks on India-based organizations surged 92% year-over-year in Q3 2024, with nearly 1.2 billion attacks recorded, up from 600 million the previous year, according to Indusface. The attacks, including 377 million denial-of-service (DoS) events and 215 million bot-driven API requests, are increasingly exploiting vulnerabilities in APIs and websites, fueled by AI tools like large language models (LLMs). These tools lower the barrier for hackers, enabling rapid exploitation of issues like SQL injection.

The banking, financial services, and utilities sectors were heavily targeted, with geopolitical motives driving disruptions. Despite rising threats, only 19% of Indian companies use automated API security scanners, while over 30% of critical vulnerabilities remain unpatched after six months. With 44% of Indian businesses reporting data breaches costing over $500,000 in three years, cybersecurity is now a top priority for 61% of executives, according to PwC.

Cybercriminals target Google Calendar to launch phishing attacks. 

Cybercriminals are targeting Google Calendar, used by over 500 million people, to launch phishing attacks, according to Check Point research. Attackers exploit Google Calendar’s features, like Google Drawings and Google Forms, to send emails with malicious links that bypass traditional security filters. These links often redirect victims to fake login pages or fraudulent websites, stealing sensitive data like passwords or financial details. Over 4,000 phishing emails affecting 300 brands were detected in a recent four-week period.

Fortinet patches a critical vulnerability in FortiWLM. 

Fortinet has released patches for a critical vulnerability (CVE-2023-34990, CVSS 9.6) in FortiWLM, a wireless management tool, which could allow unauthenticated remote attackers to execute arbitrary code or access sensitive files via a path traversal flaw. The issue affects FortiWLM versions 8.6.0–8.6.5 and 8.5.0–8.5.4, with updates in versions 8.6.6 and 8.5.5 resolving the issue. Security researcher Zach Hanley of Horizon3.ai reported the flaw, noting it could allow attackers to hijack admin sessions. Fortinet also patched a related OS command injection bug in FortiManager (CVE-2024-48889).

Juniper Networks warns of a botnet infection targeting routers with default credentials. 

Juniper Networks warns of a botnet infection campaign targeting routers with default credentials, exploiting Mirai malware. Customers reported unusual activity on session smart routers (SSR), which were compromised and used in distributed denial-of-service (DDoS) attacks. The malware scans for devices using default passwords, gains access, and executes malicious commands. Juniper advises changing default credentials, using strong passwords, monitoring for unusual behavior, blocking unauthorized access with firewalls, and keeping devices updated. Reimaging infected devices is the only surefire way to eliminate the threat.

On our guest segment next, I speak with Baker Tilly principal and cybersecurity practice leader Jeff Krull about using employee access controls to limit internal cyber threats. And, after, looks like Russia just unfriended Recorded Future—guess they couldn't handle the spoiler alerts!

We’ll be right back

Welcome back

When is “undesirable” a badge of honor?

And finally, Russia has labeled cybersecurity firm Recorded Future as “undesirable,” a badge CEO Christopher Ahlberg cheekily dubbed a “rare compliment.” The Russian Prosecutor General accused the firm of aiding Ukraine in “offensive information operations” and supporting the West’s propaganda campaign. Ahlberg and team, undeterred, probably framed the notice.

Recorded Future has actively supported Ukraine since Russia’s full-scale invasion, providing $10M in Intelligence Cloud access, $20M in aid in 2023 alone, and collaborating with 16 Ukrainian agencies to protect critical infrastructure and investigate war crimes. Their Insikt Group’s research, often spotlighting Russian cyber antics, likely didn’t win them any fans in Moscow.

Interestingly, they’re the first cybersecurity company to make Russia’s undesirable list, typically reserved for NGOs and media. Imagine being so effective that an entire country bans you. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.