1
00:00:00,050 --> 00:00:03,950
Cybersecurity Today would like to thank
Meter for their support in bringing you

2
00:00:03,950 --> 00:00:09,770
this podcast. Meter delivers a complete
networking stack, wired, wireless and

3
00:00:09,770 --> 00:00:14,510
cellular in one integrated solution
that's built for performance and scale.

4
00:00:15,050 --> 00:00:18,890
You can find them at meter.com/cst.

5
00:00:20,071 --> 00:00:24,841
Millions of devices freed from the
clutches of nation state hackers.

6
00:00:25,381 --> 00:00:31,951
AI agents hijacked with a single
URL. Single sign-on systems

7
00:00:31,951 --> 00:00:33,616
compromised through vishing attacks.

8
00:00:34,846 --> 00:00:38,626
Polish energy infrastructure
targeted by state-linked cyber

9
00:00:38,626 --> 00:00:44,116
ops and antivirus software
allegedly used to deliver malware.

10
00:00:44,656 --> 00:00:48,976
This is Cybersecurity Today, and
I'm your host, David Shipley.

11
00:00:49,906 --> 00:00:50,836
Let's get started.

12
00:00:52,786 --> 00:00:56,596
Millions of people were unknowingly
letting criminals and nation state

13
00:00:56,596 --> 00:01:01,636
hackers use their home and mobile internet
connections to hide cyber attacks.

14
00:01:02,881 --> 00:01:07,321
According to reporting by Android
Central, Google has disrupted a massive

15
00:01:07,321 --> 00:01:13,681
residential proxy network known as
IPIDEA, which until recently was

16
00:01:13,681 --> 00:01:16,441
operating quietly at global scale.

17
00:01:17,041 --> 00:01:19,936
IPIDEA wasn't traditional malware.

18
00:01:20,671 --> 00:01:24,991
It was a proxy network embedded
inside hundreds of Android

19
00:01:24,991 --> 00:01:26,851
apps and developer toolkits.

20
00:01:27,451 --> 00:01:32,911
Once installed, those apps could silently
turn a device into an internet relay,

21
00:01:33,271 --> 00:01:35,521
routing other people's traffic through it.

22
00:01:37,561 --> 00:01:41,401
That meant malicious activity didn't
come from suspicious data centers.

23
00:01:41,491 --> 00:01:45,091
It came from real phones,
real homes, real people.

24
00:01:46,171 --> 00:01:49,441
Google's Threat Intelligence Group
says the network was used by more

25
00:01:49,441 --> 00:01:55,951
than 550 tracked threat groups in a
single week, including organized cyber

26
00:01:55,951 --> 00:02:01,321
criminals and state-linked actors tied
to China, Russia, Iran, and North Korea.

27
00:02:02,191 --> 00:02:06,121
The infrastructure supported credential
theft, espionage, denial of service

28
00:02:06,126 --> 00:02:08,581
attacks, and command and control traffic.

29
00:02:09,721 --> 00:02:13,501
Last week, Google took legal
and technical action to shut

30
00:02:13,501 --> 00:02:16,141
down IPIDEA-related domains,

31
00:02:16,531 --> 00:02:21,691
updated Google Play Protect to remove
affected apps, and coordinated with

32
00:02:21,691 --> 00:02:24,331
partners to disrupt backend systems.

33
00:02:25,226 --> 00:02:29,996
Google says roughly 9 million Android
devices were removed from the network

34
00:02:30,206 --> 00:02:32,666
along with hundreds of compromised apps.

35
00:02:33,296 --> 00:02:37,136
Parts of the infrastructure may
still exist, but the scale of

36
00:02:37,136 --> 00:02:39,446
abuse has been sharply reduced.

37
00:02:41,288 --> 00:02:46,448
If you wanted to take over every AI
agent on one of the Internet's newest

38
00:02:46,448 --> 00:02:51,278
and most talked about AI platforms,
you really didn't need to hack much.

39
00:02:51,908 --> 00:02:53,288
You just needed a URL.

40
00:02:53,918 --> 00:02:55,178
You heard that right.

41
00:02:55,778 --> 00:02:59,348
The AI agent platform Jim
talked about last week?

42
00:03:00,458 --> 00:03:02,798
It was a security hot mess.

43
00:03:03,338 --> 00:03:05,318
According to reporting by 404

44
00:03:05,318 --> 00:03:10,178
Media on Saturday, Moltbook, billed
as a social network for autonomous

45
00:03:10,178 --> 00:03:16,568
AI agents left its backend database
completely exposed, allowing anyone

46
00:03:16,568 --> 00:03:19,293
to take control of any agent on the platform.

47
00:03:20,658 --> 00:03:24,678
Security researcher Jameson O'Reilly
discovered that Moltbook's Supabase

48
00:03:24,678 --> 00:03:29,778
database exposed API keys,
verification tokens, and ownership

49
00:03:29,778 --> 00:03:33,138
data for every registered agent.

50
00:03:33,708 --> 00:03:38,838
Those keys effectively act as passwords,
allowing agents to post and act online.

51
00:03:39,563 --> 00:03:42,923
The issue stemmed from a
basic configuration failure.

52
00:03:43,433 --> 00:03:47,813
Supabase exposes APIs by
default, but relies on row-level

53
00:03:47,813 --> 00:03:49,733
security rules to protect data.

54
00:03:50,183 --> 00:03:53,813
In this case, those protections
were either never enabled or

55
00:03:53,813 --> 00:03:55,163
never properly configured.

56
00:03:55,913 --> 00:04:00,353
Compounding the issue, the database
URL and publishable keys were

57
00:04:00,353 --> 00:04:03,383
visible in Moltbook's own code.

58
00:04:04,568 --> 00:04:09,128
Anyone who found them could retrieve
agent secrets and post whatever they

59
00:04:09,128 --> 00:04:16,448
wanted to as any agent. 404 Media
verified the exposure and demonstrated

60
00:04:16,448 --> 00:04:18,308
account takeover with permission.

61
00:04:18,848 --> 00:04:23,948
O'Reilly says the flaw could have been
prevented with just two SQL statements.

62
00:04:25,028 --> 00:04:29,198
Some affected agents belong to high-profile
figures in the AI community,

63
00:04:29,318 --> 00:04:32,528
raising the risk of impersonation,
scams, and reputational damage.

64
00:04:33,608 --> 00:04:36,968
The database has since been secured
and there's no evidence of malicious

65
00:04:36,968 --> 00:04:39,338
exploitation prior to disclosure.

66
00:04:40,001 --> 00:04:41,651
Welcome to 2026's

67
00:04:41,651 --> 00:04:44,666
answer to unsecured AWS S3 buckets.

68
00:04:46,836 --> 00:04:51,216
Our next story shows how attackers are
abusing single sign-on platforms to

69
00:04:51,216 --> 00:04:53,346
move quickly through cloud environments.

70
00:04:53,946 --> 00:04:58,236
According to new reporting from Mandiant,
the ShinyHunters extortion group and

71
00:04:58,236 --> 00:05:03,186
its affiliates are stealing large volumes
of cloud data by targeting SSO platforms

72
00:05:03,186 --> 00:05:05,946
like Okta, Microsoft Entra, and Google.

73
00:05:06,711 --> 00:05:11,001
The attacks begin with voice
phishing, or vishing. Threat

74
00:05:11,001 --> 00:05:15,021
actors impersonate corporate IT or
help desk staff and call employees

75
00:05:15,021 --> 00:05:18,891
directly claiming there's an issue
with multifactor authentication.

76
00:05:19,596 --> 00:05:22,626
During the call, the employee
is directed to a company branded

77
00:05:22,626 --> 00:05:26,166
phishing site designed to look
like a legitimate login portal.

78
00:05:26,646 --> 00:05:29,796
These sites use advanced phishing
kits that allow attackers to

79
00:05:29,796 --> 00:05:31,926
interact with victims in real time.

80
00:05:32,586 --> 00:05:36,336
As credentials are entered, attackers
immediately relay them, trigger

81
00:05:36,366 --> 00:05:39,936
legitimate MFA challenges, and
instruct the employees on how to

82
00:05:39,936 --> 00:05:44,766
respond: approving push notifications
or entering one-time codes.

83
00:05:45,326 --> 00:05:49,796
That allows attackers to authenticate
and register their own MFA devices.

84
00:05:50,306 --> 00:05:55,406
Once inside, attackers log into the
organization's SSO dashboard, which in

85
00:05:55,406 --> 00:06:00,806
some cases may list every connected SaaS
application the user can access, including

86
00:06:00,806 --> 00:06:05,876
Salesforce, Microsoft 365, SharePoint,
DocuSign, Slack, Google Drive, and so on.

87
00:06:07,491 --> 00:06:11,841
Mandiant observed bulk data downloads,
scripted access using PowerShell, and

88
00:06:11,841 --> 00:06:16,281
attackers deleting security notification
emails to conceal new MFA enrollment.

89
00:06:17,001 --> 00:06:20,931
Mandiant is tracking multiple threat
clusters involved with ShinyHunters

90
00:06:20,931 --> 00:06:24,981
handling extortion, and stolen data
already appearing on leak sites.

91
00:06:28,121 --> 00:06:30,911
Earlier this month, we told
you about a failed cyber attack

92
00:06:30,911 --> 00:06:32,771
targeting Poland's energy sector.

93
00:06:33,101 --> 00:06:37,301
Now, new details from Polish
authorities reveal how broad and

94
00:06:37,301 --> 00:06:38,621
coordinated that operation was.

95
00:06:40,001 --> 00:06:45,281
Poland's National Computer Emergency
Response Team, CERT Polska, says attackers

96
00:06:45,281 --> 00:06:49,511
linked to Russian state security services
targeted more than 30 wind and solar

97
00:06:49,511 --> 00:06:54,341
farms, a manufacturing company, and a
large combined heat and power plant.

98
00:06:55,001 --> 00:06:59,411
The attacks took place on December
29th, 2025, and are attributed to a

99
00:06:59,411 --> 00:07:05,201
threat cluster known as Static Tundra,
which CERT Polska assesses is connected

100
00:07:05,201 --> 00:07:07,301
to Russia's Federal Security Service.

101
00:07:08,186 --> 00:07:11,906
According to CERT Polska, the
attacks had a destructive objective.

102
00:07:12,056 --> 00:07:15,506
Communications between renewable
energy facilities and grid operators

103
00:07:15,626 --> 00:07:19,196
were disrupted, but electricity
production thankfully continued.

104
00:07:20,261 --> 00:07:23,471
An attempted attack on a combined
heat and power plant supplying

105
00:07:23,471 --> 00:07:28,361
nearly 500,000 customers also,
thankfully, failed to cause an outage.

106
00:07:29,021 --> 00:07:33,281
Investigators say attackers accessed
internal networks tied to substations,

107
00:07:33,281 --> 00:07:37,841
conducted reconnaissance, damaged firmware
on industrial controllers, deleted

108
00:07:37,841 --> 00:07:43,211
system files, and attempted to deploy
custom wiper malware known as DynoWiper.

109
00:07:44,126 --> 00:07:48,746
The malware was deployed on industrial
human machine interface systems and

110
00:07:48,746 --> 00:07:53,816
network shares after attackers gained
access through vulnerable FortiGate

111
00:07:53,816 --> 00:07:56,911
devices and SSL VPN services.

112
00:07:58,161 --> 00:08:03,171
CERT Polska also reports months-long data
theft, lateral movement, and the use of

113
00:08:03,171 --> 00:08:08,781
stolen credentials to access Microsoft
365, Exchange, Teams, and SharePoint,

114
00:08:09,141 --> 00:08:13,311
with particular interest in SCADA
and operational technology projects.

115
00:08:15,716 --> 00:08:20,396
Our final story today is a reminder that
even security software can be an attack

116
00:08:20,396 --> 00:08:25,706
vector. SecurityWeek reports that
some customers of eScan antivirus were

117
00:08:25,706 --> 00:08:30,416
infected with malware after attackers
compromised an official update server

118
00:08:30,626 --> 00:08:32,906
operated by MicroWorld Technologies.

119
00:08:33,446 --> 00:08:37,796
The incident became public on January
29th after cybersecurity firm Morphisec

120
00:08:37,796 --> 00:08:41,781
warned that malicious updates were
actively tampering with user systems.

121
00:08:42,761 --> 00:08:46,151
According to Morphisec, attackers
distributed a malicious file

122
00:08:46,151 --> 00:08:50,951
called reload.exe through eScan's
legitimate update infrastructure.

123
00:08:51,431 --> 00:08:54,881
Once installed, it blocked future
updates, altered antivirus

124
00:08:54,881 --> 00:08:59,111
functionality, established persistence,
and downloaded additional payloads.

125
00:09:00,581 --> 00:09:04,841
Because compromised systems were cut off
from update servers, automatic remediation

126
00:09:04,841 --> 00:09:09,731
was impossible, forcing users to contact
eScan directly for a cleanup utility.

127
00:09:10,526 --> 00:09:14,786
MicroWorld Technologies says it detected
unauthorized access on January 20th and

128
00:09:14,961 --> 00:09:16,626
isolated the affected update server.

129
00:09:17,576 --> 00:09:22,466
In a customer advisory, eScan confirmed
a regional update server was compromised

130
00:09:22,466 --> 00:09:26,726
and acknowledged medium to high
impact for some enterprise customers.

131
00:09:27,356 --> 00:09:30,986
The company has disputed Morphisec's
characterization of the incident

132
00:09:31,046 --> 00:09:35,076
as a supply chain attack, and has
indicated it is working with legal

133
00:09:35,076 --> 00:09:37,266
counsel in response to the disclosure.

134
00:09:38,181 --> 00:09:41,451
eScan says remediation tools
have been released and normal

135
00:09:41,451 --> 00:09:43,221
update operations restored.

136
00:09:45,051 --> 00:09:48,021
Those are the stories
for Monday, February 2nd.

137
00:09:49,101 --> 00:09:54,021
If you enjoy the show, please consider
giving us a like, subscribing, or a

138
00:09:54,021 --> 00:09:56,451
review on your favorite podcast service.

139
00:09:56,931 --> 00:10:00,831
We'd love to reach even more people
and we continue to need your help.

140
00:10:01,491 --> 00:10:04,491
Consider telling folks
about Cybersecurity Today.

141
00:10:05,346 --> 00:10:06,426
I'm David Shipley.

142
00:10:06,726 --> 00:10:07,836
Thanks for listening.

143
00:10:08,136 --> 00:10:09,996
Have a great week. Jim

144
00:10:09,996 --> 00:10:12,666
Love will be back on the
news desk on Wednesday.

145
00:10:13,690 --> 00:10:17,170
We'd like to thank Meter for their
support in bringing you this podcast

146
00:10:17,530 --> 00:10:21,910
Meter delivers full stack networking
infrastructure, wired, wireless,

147
00:10:22,000 --> 00:10:24,520
and cellular to leading enterprises.

148
00:10:24,760 --> 00:10:28,330
Working with their partners, Meter
designs, deploys and manages

149
00:10:28,330 --> 00:10:30,640
everything required to get performant,

150
00:10:30,690 --> 00:10:34,860
reliable and secure
connectivity in your space.

151
00:10:35,250 --> 00:10:38,490
They design the hardware, the
firmware, build the software,

152
00:10:38,610 --> 00:10:41,130
manage deployments, and run support.

153
00:10:41,460 --> 00:10:45,660
It's a single integrated solution
that scales from branch offices

154
00:10:45,810 --> 00:10:50,040
to warehouses to large campuses,
all the way to data centers.

155
00:10:50,520 --> 00:10:53,970
Book a demo at meter.com/cst.

156
00:10:54,330 --> 00:10:58,590
That's M-E-T-E-R.com/cst.

