CyberWire Daily - A dark web take down.
Episode Date: December 19, 2023

The FBI takes down ALPHV/BlackCat. Comcast reveals breach of nearly 36 million Xfinity customers. Microsoft and Cyberspace Solarium Commission release water sector security report. Malware increasingly uses public infrastructure. Iran's Seedworm and its telco targets. QR code scams. Feds release joint analysis of 2022 election integrity. Joint advisory on Play ransomware group. In today's Mr Security Answer Person, John Pescatore considers the risks of AI. Rick Howard talks with Lauren Brennan of GuidePoint Security about evaluating and maturing your SOC. Iranian gas stations running on empty.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guests

John Pescatore joins us for Mr. Security Answer Person to address the question, "Things seem to be moving quickly with AI, what is your feeling about that positioning for early 2024?"

Today's guest is Lauren Brennan of GuidePoint Security. N2K's Rick Howard caught up with Lauren recently at the MITRE ATT&CKcon 4.0. They discussed evaluating and maturing your SOC.

Selected Reading

Authorities claim seizure of notorious ALPHV ransomware gang's dark web leak site (TechCrunch+)
Comcast says hackers stole data of close to 36 million Xfinity customers (TechCrunch+)
Microsoft, Cyberspace Solarium Commission propose measures to strengthen water sector cybersecurity (Industrial Cyber)
Malware leveraging public infrastructure like GitHub on the rise (Reversing Labs)
Seedworm: Iranian Hackers Target Telecoms Orgs in North and East Africa (Symantec)
"Quishing" you a Happy Holiday Season (Netcraft)
2022 Election Not Impacted by Chinese, Russian Cyber Activity: DOJ, DHS (SecurityWeek)
US and Australia Warn of Play Ransomware Threat (Infosecurity Magazine)

Share your feedback.
We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The FBI takes down ALPHV/BlackCat. Comcast reveals the breach of nearly 36 million Xfinity customers. Microsoft and the Cyberspace Solarium Commission release water sector security report. Malware increasingly uses public infrastructure. Iran's Seedworm and its telco targets. QR code scams. The feds release a joint analysis of 2022 election integrity, a joint advisory on the Play ransomware group. In today's Mr. Security Answer Person, John Pescatore considers the risks of AI. Rick Howard talks with Lauren Brennan of GuidePoint Security about evaluating and maturing your SOC. And Iranian gas stations are running on empty.
It's Tuesday, December 19th, 2023.
I'm Dave Bittner, and this UK, has confirmed the takedown of a leak site operated by the ALPHV/BlackCat ransomware group. This ransomware-as-a-service gang faced a significant disruption, with the FBI playing a key role in developing a decryption tool that has aided over 500 victims. Victims are encouraged to seek further assistance from the Department of Justice. The FBI's seizure of the site is displayed on a splash page, indicating the ongoing coordinated law enforcement action. This takedown also features the U.S. State Department's Rewards for Justice program, hinting that efforts to apprehend the group members continue. Despite this action, experts like Michael McPherson of ReliaQuest caution that such takedowns typically result in only temporary disruptions. Ransomware groups often re-emerge, sometimes rebranding and restructuring from remnants of other criminal organizations. ALPHV itself is thought to have originated from groups like DarkSide, BlackMatter, and REvil. Therefore, while the takedown is a significant hit to the ransomware ecosystem, it may not completely eradicate the threat posed by ALPHV and similar groups.
Comcast has revealed that a critical security flaw dubbed Citrix Bleed in Citrix networking devices led to the breach of nearly 36 million Xfinity
customers' sensitive data. This vulnerability has been exploited by hackers since August,
with Citrix releasing patches in early October. Despite this, many organizations, including
Xfinity, failed to patch in time. The breach at Xfinity, Comcast's cable TV and internet division,
occurred between October 16th and 19th, but was only detected on October 25th.
By November 16th, it was clear that customer data,
including usernames, hashed passwords, contact information,
dates of birth, partial social security numbers,
and secret questions
and answers had been accessed. The extent of the breach, which potentially affects most of Comcast's
over 32 million broadband customers, is still being evaluated. Comcast has not disclosed specific
details regarding ransom demands or regulatory filings. The company insists there's no evidence
of customer data leakage or attacks on customers.
Xfinity is now urging customers to reset their passwords
and recommends using two-factor or multi-factor authentication.
Microsoft and the Cyberspace Solarium Commission
have released a report addressing cybersecurity vulnerabilities
in the
water and wastewater sector. The report, based on expert roundtables, highlights significant
cybersecurity gaps and resource deficiencies. Key recommendations include increased funding
and support for the U.S. Environmental Protection Agency, expansion of existing federal programs, and enhanced public-private partnerships.
The report emphasizes the importance of robust collaboration across sectors and levels of
government. It also recommends public-private research on water system security and
international norms to deter state-sponsored cyberattacks. The report notes the critical
role of water systems in various
sectors and underlines the need for a comprehensive, collaborative approach to cybersecurity.
Additionally, Microsoft, CRI, and FDD have initiated a cybersecurity pilot program for
small and medium-sized water utilities to bolster defenses in this vital infrastructure sector.
Researchers at Reversing Labs have discovered two novel malware campaigns exploiting GitHub in previously unseen ways. The first campaign used GitHub Gists to host second-stage malware payloads disguised as network proxying libraries in PyPI packages. These packages contained Base64-encoded strings that pointed to secret Gists. The second campaign, likely from the same perpetrator, utilized Git commit messages to relay malware commands. These methods of using GitHub for command and control infrastructure, particularly through Gists and commit messages, are new and undocumented in prior reports. The similar execution techniques and the abuse of uncommon GitHub features in both campaigns suggest the same malware author is responsible for these attacks.
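A defender-side check for the Gist technique described above, written as an added example (not code from the podcast or from Reversing Labs' report): it walks the string literals of a Python module and flags any literal that is, or Base64-decodes to, a GitHub Gist URL. The sample module, the placeholder Gist path and the URL pattern are all constructed for this example.

```python
import ast
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Gist URLs on github.com and the raw-content host. The pattern is an
# assumption of this example, not an indicator taken from the report.
GIST_URL_RE = re.compile(r"https?://gist\.github(?:usercontent)?\.com/\S+")
# Loose Base64 shape check: standard or URL-safe alphabet, 16+ chars, optional padding.
B64_SHAPE_RE = re.compile(r"^[A-Za-z0-9+/_-]{16,}={0,2}$")


def try_decode_base64(text: str) -> Optional[str]:
    """Return the UTF-8 text behind a Base64 literal, or None if it is not one."""
    if not B64_SHAPE_RE.match(text):
        return None
    padded = text + "=" * (-len(text) % 4)  # tolerate stripped padding
    decoders = (
        lambda s: base64.b64decode(s, validate=True),  # strict standard alphabet
        base64.urlsafe_b64decode,                       # '-' and '_' variant
    )
    for decode in decoders:
        try:
            return decode(padded).decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
    return None


def find_gist_indicators(source: str) -> List[Tuple[int, str]]:
    """Walk every string literal in a Python module and report (line, url) for
    literals that are, or Base64-decode to, a GitHub Gist URL."""
    findings: List[Tuple[int, str]] = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Constant) and isinstance(node.value, str)):
            continue
        literal = node.value.strip()
        candidates = [literal]
        decoded = try_decode_base64(literal)
        if decoded is not None:
            candidates.append(decoded)
        for text in candidates:
            match = GIST_URL_RE.search(text)
            if match:
                findings.append((node.lineno, match.group(0)))
                break
    return findings


# Constructed sample module (not the real malicious package): a "proxy helper"
# whose config URL is a Base64 literal hiding a placeholder Gist address.
_PLACEHOLDER_GIST = "https://gist.github.com/placeholder-user/placeholder-gist-id"
_HIDDEN = base64.b64encode(_PLACEHOLDER_GIST.encode()).decode()
SAMPLE_MODULE = f'''
import base64, urllib.request

PROXY_SOURCE = "https://example.com/proxies.txt"  # benign-looking literal

def _fetch_config():
    url = base64.b64decode("{_HIDDEN}").decode()
    return urllib.request.urlopen(url).read()
'''

# Constructed clean module: a long non-Base64 literal and an ordinary URL.
CLEAN_MODULE = '''
USER_AGENT = "proxylib/1.0 (+https://example.com/proxylib)"
DEFAULT_PROXY = "http://127.0.0.1:8080"
'''

if __name__ == "__main__":
    for line, url in find_gist_indicators(SAMPLE_MODULE):
        print(f"line {line}: Gist reference {url}")
```

Run it over the files of an unpacked wheel or sdist; a hit is a reason to inspect the package, not proof of malice, since legitimate code can embed encoded URLs too.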
Researchers at Symantec warn
that the Iranian cyber espionage group Seedworm, also known as MuddyWater, is actively targeting telecommunications organizations in Egypt, Sudan, and Tanzania.
Seedworm, known for its interest in the telecom sector, is notably focusing on African organizations in this campaign. While Seedworm has previously targeted African entities,
its primary focus has generally been on the Middle East.
The group's attention to an organization in Egypt
is particularly significant
due to Egypt's proximity to Israel,
a frequent target of Seedworm's activities.
Netcraft reports a recent phishing attack
where attackers used a fake multi-factor authentication notification, seemingly from Microsoft, to deceive recipients.
The notification included a QR code which, when scanned, redirected users to a credential harvesting site.
The attackers cleverly exploited the common association of QR codes with setting up two-factor authentication.
Victims were tricked into entering their Microsoft credentials on the phishing site, thereby compromising their login information.
FBI, DHS, and CISA found no evidence that foreign government-affiliated actors compromised the 2022 U.S. federal elections integrity or security. The declassified report acknowledges that actors
linked to Russia and China engaged in cyber activities targeting the election. Russian-affiliated
hacktivists conducted a DDoS attack on a state election office's website,
while Chinese-linked actors scanned state government websites and gathered publicly available voter information.
However, these activities did not impact voting processes, change votes, disrupt vote tallying or transmission,
alter voting technology, or compromise voter registration or ballots.
The U.S. intelligence community had previously assessed the difficulty for foreign actors to
manipulate elections at a scale undetected. A separate ODNI report indicates that China,
Russia, Iran, and others tried to influence voting and undermine confidence in U.S. institutions
and elections, focusing on
voter persuasion and opinion rather than election integrity. In a joint advisory, the U.S. FBI,
CISA, and Australia's ASD report that the Play ransomware group has launched around 300 attacks
globally since June 2022, focusing on businesses and critical infrastructure.
This group, known for its double extortion method, exfiltrates and encrypts data, demanding
ransoms in cryptocurrency. Play's techniques include exploiting public-facing applications,
abusing valid accounts, and using services like RDP and VPN.
To combat these threats, the advisory recommends implementing effective data recovery plans,
enforcing strong password protocols, using multi-factor authentication, regularly updating systems, segmenting networks,
and continuously monitoring and filtering network traffic.
Additionally, it suggests validating security measures against frameworks like MITRE ATT&CK for Enterprise.
Coming up after the break, Mr. Security Answer Person John Pescatore considers the risk of AI. Rick Howard talks with Lauren Brennan of GuidePoint Security about evaluating and maturing your SOC.
Stay with us.
Mr. Security Answer Person
Hi, I'm John Pescatore, Mr. Security Answer Person.
Our listener question for today's episode:
Earlier this year, you put generative AI use by bad guys at the peak of overinflated expectations on a hype cycle, and its use by good guys just starting off from the trigger point. Things seem to be moving quickly with AI. What is your feeling about that positioning for early 2024?
Hmm, analysts always hate when people check up on their predictions. First, a short definition for those not familiar with Gartner hype cycles, which Gartner started in 1995 and were one of the more fun Gartner research notes I did over my 14 years there. A Gartner hype cycle tracks and predicts technology issues from inception, or trigger point, to peak of overinflated expectations, down into the trough of disillusionment, then up the slope of enlightenment, for some, not all, to reach the plateau of productivity.
I think what I predicted has been pretty accurate.
Where I screwed up was in what I left out.
What I said about AI was, from a cybersecurity perspective, there are two major things to
think about in relation to artificial intelligence.
One, how will it be used against us?
But also, two, how can we use it against the bad guys?
What I should have listed as the number one risk to think about was, how will we misuse and misadminister business use of generative AI to cause self-inflicted wounds?
Many businesses and some government agencies move rapidly to use new technologies, and out of the box, every new technology is riddled with vulnerabilities and insecure default choices.
In September, Microsoft, the 13th largest company on Earth who was betting their future on AI, gave us an example of that.
Microsoft accidentally exposed 38 terabytes of private data on the company's AI GitHub repository.
The sensitive data was made public when Microsoft published a bucket of open source training data that also included a disk backup of two former employees' workstations containing secrets, keys,
passwords, and over 30,000 internal Teams messages. Exposure was enabled by an overly permissive
shared access signature, or SAS token, on Azure that made sharing easier, but unfortunately ignored need-to-know common-sense security rules.
Oops!
Before I go on, take a second to splash some cold water on your face.
I'm going to use a sleep-inducing term, governance. Data is the main ingredient for AI to provide value. Business mission use of AI
requires governance processes to be in place to make sure that AI data does not expose business
and customer information, as well as to provide transparency to enable trust in the output of the
AI models. Still with me? I may
use a few other snoozer terms like risk and compliance, so keep that cold water handy.
In 2008, the global financial crisis was caused by widespread use of financial models
that claimed to enable creation of low-risk financial instruments known as derivatives.
Unfortunately, no one really understood what the models were creating,
and it turned out that often low risk meant really high risk,
just not the highest possible risk.
Back then in the U.S., the Securities and Exchange Commission
issued requirements that all such models be audited,
and in 2023, the SEC did the same for any business use of AI models
that might have meaningful impact on the
business's bottom line, including the use of artificial intelligence or machine learning
models in security controls being used to reduce risk. Essentially, governance and transparency
are now required by law, thus the compliance term coming into play. A good place to get started on
thinking through AI governance is NIST's Trustworthy and Responsible AI Resource Center and the NIST Risk Management Framework.
If your organization is a Gartner client,
they have also put out some very useful tools.
I'm sticking with my original prediction
that in February 2024,
we will probably not be using
generative AI to send our significant others Valentine's Day messages. But I will add a
prediction. Through year-end 2024, more business damage from AI will be caused by self-inflicted
wounds than by attacker use of AI. On that note, happy holidays and thanks for listening. I'm John Pescatore, Mr. Security Answer Person.
That is John Pescatore, Mr. Security Answer Person.
Back in October, the MITRE Corporation hosted the ATT&CKcon 4.0 conference at their company headquarters in McLean, Virginia. I got to sit down with Lauren
Brennan, the team lead for SOC optimization at GuidePoint Security, after she gave her keynote
at the conference. And one of the reasons that I wanted to talk to her was the fact that here she
is, a young, relatively junior member to the InfoSec community, just three years now, and she's
standing up in front of this MITRE ATT&CK crowd. You know the
types, and I include myself among them, grumpy seasoned professionals who have seen it all,
done it all, and a bag of chips. It takes a lot to impress this group, and Lauren knocked it out
of the park. Now, a lot of newbies ask me how to break into cybersecurity, and I always tell them
to start networking right now, and one of the ways to do that is to present at conferences. Pick a topic and make your case,
and Lauren delivered that in spades. I started out by asking her about the speaking experience.
Well, I'd be remiss if I didn't point this out. We're sitting here at the MITRE ATT&CKcon 4.0
conference, right? And you gave your very first security presentation.
Is that right?
Yes.
How was that?
Oh, it was fantastic.
I was a little bit nervous.
I mean, still a little bit nervous.
Still nerves are still coming down.
But I mean, everybody here was so welcoming.
I mean, it was so—nobody here was giving me any sort of you're doing bad kind of look.
Everybody was just so encouraging.
And that was fantastic. Well, I sat through the presentation.
I told you before, but I wanted to tell everybody here, right,
I couldn't believe it was your first presentation in front of a big crowd like that.
Thank you.
It was a lot of poise, a lot of great information.
You did fantastic.
I really appreciate that.
But we want to talk about applying MITRE ATT&CK to SOC operations, right,
in kind of the current state,
because you've been doing this for a while now,
and MITRE ATT&CK's been going on for over 10 years.
But I have this feeling that the community is kind of stuck
in things we did two or three years ago.
We really haven't progressed that far.
I just want, I shouldn't have front-loaded that question that way, right?
But my question is,
do you feel like SOCs really utilize the MITRE ATT&CK framework to their best ability?
No. I don't think so either. And I think that they don't use it because I don't think that they see
all the areas that the MITRE ATT&CK framework can be applied. So, and I talked about this in my talk,
is, you know, I consider, you
know, there's four pillars that I consider of a SOC. You know, you have your operations, your
procedures, your tooling, and your collaborations. Almost everybody applies the MITRE ATT&CK framework
to your tooling, to your detections, to your tooling. However, it can be really, really helpful
to apply it to these other pillars. You know, if you apply it to your operations, it can help you
identify the broad level threats, the behaviors that you're looking for.
It can help you when you're determining your mission for your SOC.
If you apply it to your procedures, it can help you connect the dots between your procedures and your technology.
It's a way to tell the story, to provide the language that you need to talk with the other business units, the other leaders,
people who might not understand all of what you're doing day-to-day in your SOC,
it can give you that structured language to talk with them about it in your collaborative
activities across. So while I see a lot of SOCs applying it to their tooling, not a lot of them
apply it to other aspects. And so that's really where I want to see the MITRE ATT&CK framework being utilized more is in the non-technology specific spaces. So you can let it out of the cage, right? You can
talk to business leaders about the MITRE ATT&CK framework and it's okay, right? It's not something
we should protect and be precious about. Yes. And it is a very, very technical framework.
There's a lot of detail in it. It's very technical. There's tons of techniques.
You can go into a lot of depth with it,
but it's also very easy to lift that detail up
and to be visual with it, to showcase it.
So being able to visually just show your leadership,
this is where we are now,
this is where we have some gaps,
and this is how we want to get to that new end state
is very important.
And the MITRE ATT&CK framework can help you do that in a very structured way because it is really easy to
understand from a definition perspective of what each thing is doing and what each technique and
tactic and what the goals are and the procedures. And you can then take that and translate that
more visually, lift up the technical aspect, lift up the in the weeds details of it to talk to
your leadership, to talk to somebody. I mean, I was able to explain my talk and give my talk to my mom
two days ago, you know, when I was practicing for this and she didn't really understand
the MITRE ATT&CK framework. And then I was able to kind of explain to her what it was. And she was
like, oh, okay, that makes sense. You know, and so she got the visual aspect of it. She got it.
Even if she didn't understand the details,
she still got what I was trying to do in the end state
that I was trying to talk about.
Listeners of this show know that I'm a giant fan
of the MITRE ATT&CK framework,
but I do have some nitpicks about it, right?
And I would like it to get better, okay?
And the reason I think it's a fantastic idea
is it changed our mindset
about how to protect the enterprise, right?
As opposed to just
being passive and doing defensive operations that would affect any kind of adversary.
The MITRE ATT&CK framework allows us to speak the same language, like you said in your talk,
about how very specific adversaries attack their victims. And if you know that they do 10 things
on their campaign, wouldn't it make sense that
we should block all 10 things and try to defeat the adversary and not just defeat the tools
that any kind of adversary? I guess the question is, why is it hard?
So I think there are a couple areas here. So one, there is just so much to the framework.
You have to sift through it. You have to understand. You have to know your own systems really well
in order to be able to identify
kind of some of the techniques.
Better than the bad guys.
Better than the bad guy.
And so I didn't really touch on it in my talk.
I mean, I could have done a whole talk about,
you know, one of the foundational activities is
what do you have in your system?
What are your assets?
Have you done an asset inventory?
So like that's a big part of it
is knowing your system is better than the adversary. And that takes time.
And that takes effort. How to actually disseminate the information from threat reports that makes it
actionable for your SOC to be able to build new detections for is hard. Well, how do I look at
that information and be able to apply it to my SOC?
You know, if it's hard for, you know, to determine what the audience is, it's hard to pull out that
information. Well, perfect. Thank you for doing this. Yeah, thank you. And congratulations on
your first presentation at a security conference. It's fantastic. Thank you. This is also my very
first podcast. Well, there you go. So, it's a lot of firsts for me today. Hopefully, I did well.
Well, you can go home and take the rest of the year off, I'm thinking, okay,
because you've pretty much done it all right here today.
I think so, yeah.
Thank you so much.
That was Lauren Brennan, the team lead for SOC optimization at GuidePoint Security.
And finally, on Monday, a cyber attack, initially reported as a software problem,
disabled about 70% of Iran's gasoline stations.
Iran's oil minister, Javad Owji, confirmed the incident as a cyber attack,
while Iranian media pointed fingers at Predatory Sparrow, a group allegedly linked to Israel.
Predatory Sparrow has a notable history of regional cyber operations.
The group claimed responsibility for the attack on their Telegram channel,
stating it was in response to the aggression of the Islamic Republic and its proxies.
They had previously warned of consequences for Iran's actions.
The attack targeted gas station point-of-sale systems,
payment systems, and central servers.
Iranian gas distributors are now resorting
to manual backups to mitigate the disruption.
It looks like Predatory Sparrow decided
to give Iran a lesson in fueling tensions.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com.
This episode was produced by Liz Irvin.
Our mixer is Trey Hester with original music by Elliott Peltzman.
Our executive producers are Jennifer Eiben and Brandon Karpf.
Our executive editor is Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.