The CyberWire Daily Podcast 10.16.24
Ep 2170 | 10.16.24

Sri Lanka says ‘no more’ to financial fakers!

Transcript

Authorities arrest over 200 Chinese nationals in Sri Lanka over financial scams. Officials in Finland take down an online drug market. Cisco investigates an alleged data breach. A major apparel provider suffers a data breach. Oracle’s latest patch update includes 35 critical issues. Microsoft has patched several high-severity vulnerabilities. The NCSC’s new boss calls for global collaboration to fight cybercrime. CISA warns of critical vulnerabilities affecting software from Microsoft, Mozilla, and SolarWinds. Hackers steal data from Verizon’s push-to-talk (PTT) system. On our CertByte segment, Chris Hare is joined by resident Microsoft SME George Monsalvatge to break down a question from N2K's Microsoft Azure Administrator (AZ-104) Practice Test. Robot vacuums go rogue.

Today is Wednesday October 16th 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Authorities arrest over 200 Chinese nationals in Sri Lanka over financial scams. 

Authorities in Sri Lanka have arrested over 200 Chinese nationals involved in large-scale financial scams targeting victims across Asia. The arrests followed seven raids across the country, with most suspects linked to “pig-butchering” scams, where victims are tricked into investing in fake businesses or stocks. These operations align with reports from the U.N. and U.S. Institute of Peace highlighting the rise of sophisticated crime syndicates in Asia, which stole up to $37 billion in 2023. Many of these cartels, originating from online gambling operations banned in China, have expanded into Myanmar, Cambodia, and Laos. The largest raid in Sri Lanka netted 126 Chinese nationals running a money laundering operation from a luxury hotel. The Chinese government has expressed support for Sri Lanka’s law enforcement efforts, emphasizing its commitment to combating transnational online fraud that damages both countries’ reputations and relationships.

Officials in Finland take down an online drug market. 

Customs officials in Finland, in cooperation with the Swedish Police, have shut down the Sipulitie marketplace, a Tor-based platform used for anonymous drug sales since February 2023. The site, operating in Finnish and English, facilitated criminal activities, including narcotics sales, with an estimated turnover of 1.3 million euros. Sipulitie was created after the closure of its predecessor, Sipulimarket, in 2020, which had a turnover exceeding two million euros. Authorities have identified the administrator behind both marketplaces and a 2022 chat-based sales platform called Tsätti, which has also been closed. The investigation has also uncovered identities of sellers, buyers, and those in support roles, such as moderators. Finnish Customs has worked closely with the Swedish Police, Europol, and Finnish police units, with the investigation still ongoing.

Cisco investigates an alleged data breach.  

Cisco is investigating claims of a data breach after a threat actor named “IntelBroker” alleged they, along with two others, accessed Cisco’s data on October 6, 2024. The hacker posted on a forum offering stolen data, including source code, customer information, credentials, API tokens, and confidential documents. IntelBroker shared samples of the data but did not explain how it was obtained. Cisco has confirmed it is aware of the reports and is actively investigating. It remains unclear if this breach is connected to previous attacks involving companies like T-Mobile, AMD, and Apple in June.

A major apparel provider suffers a data breach. 

Varsity Brands, a major apparel provider for sports teams and schools, disclosed a data breach affecting over 65,000 individuals. Detected in May 2024, the breach involved “unusual activity” on its systems, prompting Varsity to take systems offline and launch an investigation with external cybersecurity experts. The breach exposed a small subset of company files containing personal information. Affected individuals have been offered 24 months of free credit monitoring and identity theft protection. While ransomware involvement is suspected, no group has claimed responsibility.

Oracle’s latest patch update includes 35 critical issues. 

Oracle’s October 2024 Critical Patch Update (CPU) addresses 198 CVEs with 334 security patches across 28 product families, including 35 critical patches. The Oracle Commerce family received the most patches (100), followed by Oracle Hyperion with 45 patches. Many vulnerabilities, particularly in Oracle Commerce, can be exploited remotely without authentication. Products like Oracle Financial Services, Oracle SQL Developer, and Oracle Java SE also received significant updates. Oracle advises customers to apply all relevant patches promptly. Full details, including a breakdown of patches by product family and severity, can be found in Oracle’s October 2024 advisory.

Microsoft has patched several high-severity vulnerabilities. 

Microsoft has patched several high-severity vulnerabilities in Power Platform, Dataverse, and the Imagine Cup website. These vulnerabilities, rated ‘critical’ by Microsoft, include CVE-2024-38190, a missing authorization flaw in Power Platform that could allow unauthorized access to sensitive information, and CVE-2024-38139 in Dataverse, which could enable privilege escalation by an authenticated user. Additionally, an improper access control issue (CVE-2024-38204) in the Imagine Cup website was addressed. All issues have been mitigated server-side, and no user action is required. Microsoft confirmed no evidence of exploitation before the fixes. In a move toward transparency, the company now assigns CVE identifiers even to cloud service vulnerabilities that require no user intervention, while allowing users to filter out such flaws in their Security Update Guide.

The NCSC’s new boss calls for global collaboration to fight cybercrime. 

The UK’s National Cyber Security Centre (NCSC) has reported a 50% increase in “nationally significant” cyberattacks compared to last year, according to its new chief executive, Richard Horne. Speaking at Singapore International Cyber Week, Horne highlighted the growing gap between cyber threats and global defenses, emphasizing the increasing complexity of the threat landscape. He warned that rising dependence on technology exposes societies to greater cyber risks and called for coordinated global efforts to strengthen cyber resilience. Horne, the first NCSC chief with a technical background, stressed that security must be built into technology from the start. He also urged governments to take a more active role in guiding businesses and public services to defend against and recover from cyberattacks. Horne’s comments echo earlier concerns that current regulations are failing to keep up with rapid technological advancements.

Just last month a report from Spotlight on Corruption noted that the UK’s National Crime Agency (NCA), also tasked with tackling cybercrime, is facing a crisis. The agency is experiencing a “braindrain,” with nearly 20% of its cyber capacity lost annually due to staff departures, largely attributed to a broken pay system. This has led to increased costs as the NCA relies on temporary labor and consultants, consuming over 10% of its budget. The report urges urgent government reforms and investment to restore the agency’s effectiveness.

CISA warns of critical vulnerabilities affecting software from Microsoft, Mozilla, and SolarWinds.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about three critical vulnerabilities affecting widely used software from Microsoft, Mozilla, and SolarWinds. These vulnerabilities are currently being exploited in the wild, making timely action crucial to prevent potential attacks.

The first vulnerability, CVE-2024-30088, is a race condition in the Microsoft Windows Kernel that could allow attackers to escalate privileges on a compromised system. Although it’s unclear if this flaw is being used in ransomware campaigns, the risk remains high. Next, CVE-2024-9680 impacts Mozilla Firefox and involves a use-after-free vulnerability that could enable arbitrary code execution.

Lastly, CVE-2024-28987 affects SolarWinds Web Help Desk and involves hardcoded credentials, allowing unauthorized access to internal systems.

CISA advises organizations to apply patches or mitigations by November 5, 2024, to safeguard against exploitation, emphasizing the importance of proactive security measures.

Hackers steal data from Verizon’s push-to-talk (PTT) system. 

Hackers have stolen data from Verizon’s push-to-talk (PTT) system, which is marketed to government agencies and first responders, and are now selling the data on a Russian cybercrime forum. 404 Media reports the breach did not affect Verizon’s main consumer network, but it targeted a third-party provider supporting the PTT system. The stolen data includes call logs, emails, and phone numbers. Verizon confirmed that a small subset of customer data was exposed but noted that no sensitive information such as Social Security numbers was leaked. The hackers, including Cyberphantom and Judische, are part of a cybercriminal group known as the “Com,” responsible for numerous high-profile breaches. The hackers are selling the stolen data instead of extorting Verizon. 

We’ve got our CertByte segment up next. N2K’s Chris Hare and George Monsalvatge break down a question from N2K's Microsoft Azure Administrator (AZ-104) Practice Test.

We’ll be right back.

Welcome back. You can find links in our show notes. 

Robot vacuums go rogue. 

And finally, our automated appliances desk tells us the story of tech gone awry. Ecovacs Deebot X2 robotic vacuums were reportedly hacked earlier this year, turning them into tiny, terrorizing menaces in U.S. cities. ABC News in Australia shared stories of these vacuums chasing pets and yelling racist slurs at their owners. Minnesota lawyer Daniel Swenson described his Deebot blaring static, which quickly turned into a teen-like voice shouting slurs. Other incidents in El Paso and Los Angeles involved similar chaos, including a rogue vacuum harassing a dog.

Ecovacs responded, citing a “credential stuffing event” and blocking the hacker’s IP, but assured everyone that no usernames or passwords were stolen. Last year, researchers showed how to bypass the Deebot’s PIN, but Ecovacs promises a security update soon. It’s a reminder of the risks of cloud-connected devices, where instead of cleaning your floors, your vacuum might become a foul-mouthed prankster.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the CyberWire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.