CyberWire Daily - A battle against malware.
Episode Date: March 28, 2024

PyPI puts a temporary hold on operations. OMB outlines federal AI governance. Germany sounds the alarm on Microsoft Exchange server updates. Cisco patches potential denial of service vulnerabilities. The US puts a big bounty on BlackCat. Darcula and Tycoon are sophisticated phishing as a service platforms. Don’t dilly-dally on the latest Chrome update. On our Threat Vector segment, host David Moulton has guest Sam Rubin, VP and Global Head of Operations at Unit 42, to discuss Sam's testimony to the US Congress on the multifaceted landscape of ransomware attacks, AI, and automation, and the need for more cybersecurity education. And data brokers reveal alleged visitors to pedophile island.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
On the Threat Vector segment, host David Moulton has guest Sam Rubin, VP and Global Head of Operations at Unit 42. They discuss Sam's testimony to the US Congress on the multifaceted landscape of ransomware attacks, AI, and automation, the need for more cybersecurity education and more. Listen to the full episode with David and Sam's in-depth discussion. Read Sam Rubin's testimony.

Selected Reading
PyPi Is Under Attack: Project Creation and User Registration Suspended (Malware News)
OMB Issues First Governmentwide AI Risk Mitigation Rules (GovInfo Security)
German cyber agency warns 17,000 Microsoft Exchange servers are vulnerable to critical bugs (The Record)
Cisco Patches DoS Vulnerabilities in Networking Products (Security Week)
US offers a $10 million bounty for information on UnitedHealth hackers (ITPro)
iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage (GB Hackers)
Tycoon 2FA, the popular phishing kit built to bypass Microsoft and Gmail 2FA security protections, just got a major upgrade — and it’s now even harder to detect (ITPro)
Update Chrome now! Google patches possible drive-by vulnerability (Malwarebytes)
Jeffrey Epstein's Island Visitors Exposed by Data Broker (WIRED)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2024 N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me.
I have to say, Delete.me is a game changer. Within days of signing up, they started removing my
personal information from hundreds of data brokers. I finally have peace of mind knowing
my data privacy is protected. Delete.me's team does all the work for you with detailed reports
so you know exactly what's been done. Take control of your data and keep your private life Thank you. JoinDeleteMe.com slash N2K and use promo code N2K at checkout.
The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout.
That's JoinDeleteMe.com slash N2K, code N2K.
PyPI puts a temporary hold on operations.
OMB outlines federal AI governance.
Germany sounds the alarm on Microsoft Exchange server updates.
Cisco patches potential denial of service vulnerabilities.
The U.S. puts a big bounty on BlackCat.
On our Threat Vector segment, host David Moulton has guest Sam Rubin, VP and Global Head of Operations
at Unit 42 to discuss Sam's testimony to the U.S. Congress on the multifaceted landscape
of ransomware attacks, AI and automation, and the need for more cybersecurity education.
And data brokers reveal alleged visitors to Pedophile Island.
It's Thursday, March 28th, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing.
To combat an ongoing malware upload campaign,
the Python Package Index, PyPI,
temporarily halted new project creations and user registrations earlier today.
Researchers from Checkmarx identified a series of malicious packages
linked to a typosquatting attack
aimed at installing these packages via the command line.
This sophisticated multi-stage attack targets the theft of cryptocurrency wallets, browser
data, and various credentials.
The malware, embedded within the setup.py file of each package, uses obfuscated and
encrypted code to execute upon installation, retrieving further encrypted payloads designed to pilfer sensitive information.
Additionally, it incorporates a mechanism to maintain its presence on infected systems across reboots.
PyPI later reported the issues as being resolved and resumed normal operations.
The White House has mandated U.S. federal agencies to implement AI safeguards
by December, including appointing chief AI officers and establishing AI governance boards.
This directive, outlined in a memo from the Office of Management and Budget, aims to ensure
responsible AI usage that benefits the public and enhances mission effectiveness
while acknowledging AI's limitations and risks.
Agencies are instructed to detail AI tool usage in annual reports
and make government-owned AI code public.
This is in addition to completion of all actions from President Biden's AI executive order
requiring agencies to cease using non-compliant
AI systems unless critical operations are at risk. The memo also emphasizes transparency,
encouraging the sharing of custom-developed AI code via open-source platforms,
and mentions a $5 million proposal to expand AI training within the government.
Germany's cybersecurity authority, the BSI,
is currently calling on thousands of organizations to update their Microsoft Exchange software,
highlighting that at least 17,000 servers are at risk from critical vulnerabilities.
These flaws are being exploited by cybercriminals and state
actors for malware distribution, cyber espionage, and ransomware attacks. Particularly vulnerable
sectors include education, healthcare, judiciary, local government, and medium-sized businesses.
Despite repeated warnings and a red threat level declaration since 2021, many servers remain outdated,
with about 12% lacking security updates and 25% running on old patch versions of Exchange 2016
and 2019. BSI President Claudia Plattner emphasized the critical need for cybersecurity
prioritization, noting the unnecessary risks to IT systems, services,
and sensitive data due to neglect in updating these servers. Cisco announced patches for
several vulnerabilities in its IOS and IOS XE software that pose a risk of unauthorized denial
of service attacks. The most critical flaws have a CVSS score of 8.6.
Additionally, vulnerabilities were found in the multicast DNS, OSPF version 2,
and IS-IS protocol implementations, all exploitable without authentication through crafted packets.
A secure boot bypass in AP software,
allowing modified software loading via physical access, was also patched.
Seven other medium severity issues were addressed, including privilege escalation and command
injection. Cisco has not observed these vulnerabilities being exploited in the wild,
but urges users to update their devices promptly to prevent potential attacks.
The U.S. State Department is offering a $10 million bounty
for information on the BlackCat ransomware group, responsible for the cyber attack on UnitedHealth.
This initiative, part of the Rewards for Justice program, seeks details leading to the identification
or location of individuals involved in state-sponsored cybercrime. The BlackCat group, also known as ALPHV,
targeted UnitedHealth's tech unit Change Healthcare,
affecting over 100 applications and compromising sensitive data,
including medical records and payment details.
The attack severely disrupted healthcare payments and treatments,
with UnitedHealth only recently starting to address a
$14 billion medical claims backlog. Despite claims of a $22 million ransom payment to BlackCat,
it's unclear if system control has been restored.
Cybersecurity analysts at Netcraft have uncovered
the use of the Darcula phishing-as-a-service platform by threat actors to launch sophisticated attacks via iMessage.
Darcula has supported over 20,000 phishing domains,
targeting more than 100 brands worldwide,
primarily impersonating postal services.
This service distinguishes itself by leveraging encrypted messaging platforms
like iMessage and RCS
for smishing attacks, bypassing traditional SMS scam defenses, and exploiting user trust.
Darcula offers easy-to-deploy phishing sites with numerous templates,
monetizing through paid subscriptions. Its anti-detection measures include obfuscating malicious content paths and using domains with cloaked front pages, significantly enhancing its evasion capabilities.
Researchers say about 120 new Darcula domains appear per day in 2024.
Meanwhile, the Tycoon 2FA phishing kit targeting Microsoft 365 and Gmail accounts has been updated to evade detection more effectively.
Active since August 2023 and discovered by Sekoia, this phishing-as-a-service platform uses an adversary-in-the-middle tactic to bypass multi-factor authentication by stealing session cookies. Recent enhancements to the kit's JavaScript and HTML coding, alongside improved evasion of security scans and selective traffic acceptance,
make tracking Tycoon 2FA more challenging. The kit, known for sophisticated phishing attacks
including email phishing links and imitation Microsoft login pages, has been linked to over 1,200 domains.
These updates have made Tycoon 2FA a more formidable tool in the phishing landscape.
Google has updated Chrome for Windows, Mac, and Linux,
addressing seven security issues.
Users are advised to update Chrome promptly,
especially due to a critical
vulnerability, a use-after-free flaw in the ANGLE component, which handles WebGL content.
This vulnerability could allow attackers to exploit heap corruption via a crafted HTML page,
potentially leading to compromised systems. If you can, don't delay. Update Chrome today.
Coming up after the break on our Threat Vector segment, host David Moulton talks with Sam Rubin,
VP and Global Head of Operations at Unit 42, about Sam's testimony to the U.S. Congress
on the multifaceted landscape of ransomware attacks.
Stay with us.
Transat presents a couple trying to beat the winter blues.
We could try hot yoga.
Too sweaty.
We could go skating.
Too icy.
We could book a vacation.
Like somewhere hot.
Yeah, with pools.
And a spa.
And endless snacks.
Yes!
Yes!
Yes!
With savings of up to 40% on Transat South packages,
it's easy to say so long to winter.
Visit Transat.com or contact your Marlin travel professional for details. Conditions apply. Air Transat. Travel moves us.
Do you know the status of your compliance
controls right now? Like, right now. We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
David Moulton is host of the Threat Vector podcast right here on the CyberWire network.
In a recent episode, he spoke with Sam Rubin,
VP and Global Head of Operations at Unit 42,
to discuss Sam's testimony to the U.S. Congress
on the multifaceted landscape of ransomware attacks,
AI, and automation,
and the need for more cybersecurity education.
There was a hospital actually from my home state of Vermont there,
coincidentally, and there was a school district from Texas,
and they both spoke about their experience
as victims of ransomware attacks.
And the administrator from the Vermont hospital,
what he said was pretty remarkable in that they ended up spending more in the ransomware response
and recovery at the hospital than they did through all of COVID in sort of adjusting their protocols
to providing patient care during that pandemic. So just incredibly painful and impactful experience for them to go through.
Welcome to Unit 42's Threat Vector, where we share unique threat intelligence insights,
new threat actor TTPs, and real-world
case studies.
Unit 42 has a global team of threat intelligence experts, incident responders, and proactive
security consultants dedicated to safeguarding our digital world.
I'm your host, David Moulton, Director of Thought Leadership for Unit 42. Today, I'm talking with Sam Rubin, VP and Global Head of Operations at
Unit 42, about his testimony to Congress. Sam shared insights about the evolving
sophistication and speed of ransomware attacks, the changing tactics of threat actors, and the
impact on sectors like education, healthcare, and government. He also talked about the importance
of AI and automation in cybersecurity defenses and the importance of public-private partnerships
in combating cyber threats. Let's get right into this conversation.
Sam, you traveled to Washington, D.C., sat before Congress. What prompted you to go out to DC and talk to our legislators?
As a company, Palo Alto Networks is very
engaged with the federal government as well as state and local governments.
And we got this opportunity just because of the relationships that we have with various lawmakers.
They had scheduled a hearing in September on the threat of ransomware and how it's impacting organizations.
And so just as part of Palo Alto Network's relationships, we had this opportunity and it was offered to me and I jumped on it.
So your testimony placed a significant emphasis on the evolving sophistication of ransomware attacks. What have you seen in this regard and how should this evolution change the approach to cybersecurity?
I've been in this space
doing incident response for 20 years and really helping organizations respond to ransomware
ever since it's been sort of a threat out there that organizations have
faced at least 10 years. And there's been quite an evolution over that time. Back when we started,
I would characterize the attacks as sort of spray and pray, indiscriminate targeting based on
phishing. And then what would happen from a demand standpoint, you're looking at $500,
$1,000 to decrypt. Contrast that with where we are today, where many of the targets are
large enterprises, large state or federal government entities. The demands are in the
hundreds of thousands to millions of dollars. I think our median demand is around $650,000 that we see.
And the tactics that are being used are much more sophisticated
in terms of how they're getting in
and also what they do after the threat actors break in.
Just a constant evolution of sophistication and speed, really.
Talk to me about that sophistication and speed a bit more.
First of all, let's talk about how they break in.
If you're thinking of it from a MITRE ATT&CK standpoint, it's the intrusion vector.
How are they getting into the organization?
And one of the things that we see in terms of sophistication is rapid weaponization of disclosed vulnerabilities.
to see weaponization of those vulnerabilities.
And our incident response team starts to get the call for attacks that have followed
from those very newly disclosed vulnerabilities.
I think, for example, right now,
the past week or two,
we've seen the Ivanti VPN being an example of that.
But it's constant.
It's sort of what's disclosed
leads to very quickly rapid weaponization,
and that's a newer trend.
Then when we talk about after they break in, sort of post-exploitation,
the sophistication is coming in how quickly they're moving
from intrusion to exfiltration.
And we're seeing that drop.
This is something that we've measured for some time.
And between, I think, where we were in 2021,
where that dwell time was about 30 days or so,
we're seeing it now one to two days.
So just they're getting in,
they're going much more quickly
in terms of when they're taking data, locking files up, and that's making it very, very hard to defend against.
AI and automation were key topics in your testimony.
What led you to emphasize those technologies and how do you foresee them shaping the future of cybersecurity defenses against threats like ransomware?
Congress was really interested in hearing from Palo Alto Networks about both AI as a threat, as well as AI and cyber defense.
And from a lawmaker's perspective, they're really looking at, you know, what do we need to do to be
thinking about how we protect our citizens from the risks of AI,
whether that's sort of discriminatory lending practices, whether it's the bad guys using
AI.
But they also acknowledge that AI can be used as a force for good.
And really, that's a lot of what I focused on in my testimony is how, as defenders, we can be using AI to do a better job in protecting our organizations.
You discussed the importance of preparing the cyber workforce for tomorrow.
How should educational institutions or training programs approach cybersecurity education?
I think we've seen tremendous progress
in it being even part of the curriculum.
Certainly when I went to college,
while there was sort of CS as a discipline,
there certainly wasn't really cybersecurity.
Now a lot of universities and colleges
have cybersecurity-specific programs.
We partner with a number of universities
to talk to their students, to recruit.
And so I think just first of all,
recognizing that there's a need
and there is a tremendous shortage in the workforce
for having trained cybersecurity experts
and having people who are ready to enter the workforce in this area is a huge step in the right direction.
Absolutely. Sam, thanks for joining me today on Threat Vector.
Yeah, my pleasure. Thanks for having me on, David.
If you're concerned about ransomware and extortion, you should check out our webinar,
Unabashed, Unashamed, and Unpredictable, The Changing Face of Ransomware. Sam, along with Unit 42's managing partner, Chris Scott, and consulting directors, David Ferron and Leanne
Peltzner, share what it takes to keep your organization protected. I'll include a link to that webinar in the show notes. That's it for Threat Vector this week. I want to thank our
executive producer, Michael Heller, our content and production teams, which includes Shada Azimi,
Sheila Drosky, Tanya Wilkins, and Danny Milrad. I edit the show and Elliott Peltzman is our audio
engineer. We'll be back in two weeks. Until then,
stay secure, stay vigilant. Goodbye for now.
Be sure to check out the Threat Vector podcast
right here on the CyberWire network and wherever you get your podcasts.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And finally, the recent discovery from Wired that nearly 200 mobile devices left a digital breadcrumb trail from Jeffrey Epstein's notorious island back to their owners' homes and workplaces is a disturbing testament to the pervasive lack of privacy in our digital age.
While the individuals tracked to Epstein's pedophile island may have been engaged in morally reprehensible activities,
the fact that their movements were tracked and exposed by data broker Near Intelligence throws a stark light on the double-edged sword of surveillance technology.
Wired's uncovering of this data demonstrates not just the potential for holding the corrupt
accountable, but also the terrifying precision with which
individuals can be monitored. This capability, rooted in the murky dealings of data brokers
under the lax privacy regulations of the U.S., shows a concerning disregard for personal boundaries.
The data accurately tracked individuals from luxury accommodations to Epstein's lair,
highlighting the ease with which personal movements are commodified.
This incident should serve as a wake-up call
for the urgent need for robust privacy protections.
While the individuals tracked to Epstein's island
may not evoke sympathy due to the island's dark reputation,
the broader implications for privacy rights cannot be ignored.
The readiness with which detailed location data can be exploited underscores the dire consequences of the U.S.'s fragmented privacy laws compared to stronger protections like those in Europe.
The revelation about Epstein's island visitors, while showcasing the potential to uncover illicit activities, primarily exposes
a gaping hole in our privacy defenses. It's a glaring example of how individuals' whereabouts,
regardless of their actions, can be traced and traded like currency. This should alarm not just
privacy advocates, but anyone who believes in the fundamental right to personal privacy
without unwarranted intrusion.
The ongoing failure of Congress to pass comprehensive privacy legislation
not only leaves citizens exposed to surveillance capitalism,
but also to the whims of any entity willing to exploit their data for gain or scrutiny.
Over on our Caveat podcast, my co-host Ben Yelin and I often wonder just what it's going
to take to get our dysfunctional U.S. Congress to act on federal privacy legislation. It is a sad
reality that maybe, just maybe, something like this, where the rich and powerful are caught
being where they should not be, could be the thing that moves the needle. Maybe.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people.
We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester with original music by Elliott Peltzman.
Our executive producers are Jennifer Eiben and Brandon Karp.
Our executive editor is Peter Kilpe,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.