Cyber Security Today, May 31, 2024 -  Hundreds of thousands of routers are wiped, warnings to Okta and Snowflake administrators, and more

Released Thursday, 30th May 2024
Episode Transcript

Transcripts are displayed as originally observed. Some content, including advertisements may have changed.

0:00

Cybersecurity Today is brought to you

0:02

by the generous support of our

0:04

sponsor, Beauceron Security. You can

0:06

get their 2024 State of Cybersecurity

0:08

Awareness Report at beauceronsecurity.com, and there's

0:10

a link you can follow in

0:12

the show notes. Hundreds

0:17

of thousands of routers are wiped,

0:20

warnings to Okta and Snowflake

0:22

administrators, and more. Welcome

0:25

to Cybersecurity Today. It's Friday, May

0:27

31st, 2024. I'm

0:30

Howard Solomon, contributing reporter

0:33

on cybersecurity for

0:35

technewsday.com. Over

0:39

600,000 small office and

0:41

home routers used by customers

0:43

of an unnamed internet service

0:45

provider were wiped last

0:48

October by an unknown threat actor.

0:50

That's according to researchers at

0:53

Lumen Technologies. They

0:55

said Thursday that 49% of

0:57

the ISP's modems were hit

0:59

by a commodity remote access

1:02

trojan dubbed Chalubo,

1:05

which likely implanted a fatal firmware update

1:07

to the modems. So

1:09

fatal, they all had to be replaced. Lumen

1:12

believes the modems affected

1:14

were particular models from

1:16

Actiontec and Sagemcom.

1:19

The report doesn't say how the attacker

1:21

was able to plant the update. This

1:25

particular ISP served rural and

1:27

underserved communities in an unnamed

1:29

country. However, several

1:31

news agencies said the ISP was

1:34

in the United States. Experts

1:37

are puzzled why one ISP would

1:39

be targeted. Roger

1:41

Grimes at KnowBe4 wonders

1:44

if the attacker tried to extort

1:46

the internet provider. Lumen

1:48

warns ISPs that manage customers'

1:51

routers to make sure the

1:53

devices don't have common default

1:55

passwords and that the

1:57

providers' device management interfaces aren't

2:00

open to the internet. As

2:03

for users, they should regularly reboot

2:05

their routers to flush malware, and

2:08

they should also install the latest

2:10

security updates. Identity

2:13

and access management provider Okta

2:16

has warned customers of another credential

2:18

stuffing attack. Vulnerable

2:21

are implementations that have

2:23

the cross-origin authentication feature

2:25

enabled in Okta

2:28

Customer Identity Cloud. Attacks

2:30

started as far back as April 15th.

2:34

IT departments are urged to look

2:36

for suspicious activity in logs from

2:38

that date forward. Suspicious

2:41

signs include failed

2:43

cross-origin authentication and

2:46

an alert that someone attempted to log in with

2:48

a leaked password. A

2:51

threat actor is using stolen

2:53

credentials to break into organizations

2:55

using the Snowflake cloud database.

2:59

The warning comes from researchers at

3:01

Mitiga. The threat

3:03

actor, dubbed UNC5537

3:06

by some researchers, has

3:09

mainly exploited environments that

3:11

haven't implemented two-factor authentication

3:13

as an extra login

3:15

step. The attacker

3:18

steals data, then tries

3:20

to extort organizations to pay up, or

3:23

the information will be put up for sale

3:25

on hacker forums. Administrators

3:27

are urged to check logs

3:29

for suspicious activity. Over

3:33

100 servers distributing malware

3:35

in 10 countries, including

3:37

the US, Canada and

3:39

Europe, have been taken down and

3:41

four people were arrested this week

3:43

in an operation coordinated by the

3:45

Europol Police Cooperative. The

3:48

IT infrastructures were distributing

3:50

well-known malware droppers, such

3:52

as Trickbot, IcedID,

3:55

SystemBC, as well as

3:57

ransomware. Closing

4:00

the servers, over 2000 criminal

4:03

domains are now under the control of

4:05

law enforcement. It's alleged

4:07

that one suspect earned at least 69 million

4:10

euros in cryptocurrency by renting

4:13

out the IT infrastructure to

4:15

deploy ransomware. The

4:18

US now says it seized

4:21

the IT infrastructure running the

4:23

911 S5 botnet in addition

4:25

to arresting two people allegedly

4:27

behind it. You may

4:29

recall that on Wednesday I reported on the

4:32

arrests. This botnet

4:34

of millions of hacked home computers

4:36

helped crooks hide their tracks. The

4:39

botnet was controlled through 150 servers around the world

4:41

including 76 leased from US

4:45

based online service providers.

4:50

The dark website known as Breach

4:52

Forums is back after being seized

4:54

by the FBI earlier this month.

4:56

Well, maybe it's back. Researchers

4:59

at Malwarebytes say at least one

5:01

Breach Forums domain is now live.

5:05

It's selling data of 560

5:07

million people allegedly copied from

5:10

Ticketmaster. The price? Half

5:13

a million dollars. This

5:15

wouldn't be the first time a

5:17

seized criminal operation has resurfaced. But

5:20

is it real? Or a trap set

5:22

by law enforcement? The

5:26

consumer spyware app called

5:28

pcTattletale has closed after

5:30

a hacker published links to a

5:32

large amount of customer data from

5:34

the company's servers. According

5:37

to TechCrunch, the company's

5:39

founder said he deleted all of its

5:41

data because the data breach could have

5:44

exposed information of customers from screenshots taken

5:46

by the app. And

5:49

finally, an American debt collection

5:52

company called Financial Business and

5:54

Consumer Solutions has updated

5:56

the number of victims from a

5:58

February data breach. It

6:01

now says data on three point

6:03

two million people were stolen. The

6:05

original estimate was just over one

6:07

point nine million victims.

6:11

That's it for now.

6:13

Later today the Week in Review

6:15

podcast will be out. Guest

6:17

commentator Terry Cutler of Cyology

6:19

Labs will discuss Microsoft's controversy

6:21

over new tool and whether

6:23

it's helpful or a privacy

6:25

risk, the lessons learned

6:27

from the hack of the Mitre organization

6:29

and how to implement a zero trust

6:32

model. Links to details

6:34

about news mentioned in this podcast

6:36

episode are in the text version

6:38

at technewsday.com. Follow

6:41

Cybersecurity Today on Apple

6:43

Podcasts, Spotify, or add

6:45

us to your flash briefing

6:47

on your smart speaker. Thanks

6:51

for listening. I'm Howard Solomon.
