CyberWire Daily - A digital disappearance in Utah.
Episode Date: January 3, 2024

Cyber-kidnapping in Utah. Hospitals sue for data recovery. The US Department of Homeland Security assesses cyber threats to the US. Mac malware is on the rise. Cameras hacked by Russian intelligence services provide targeting information. Ransomware roundup. An NPM dependency campaign. Google recommends enhanced safe browsing. Rob Boyce from Accenture describes the Five Families and the trend of hacker collaboration. And the FTC wants to hear your cloned voice.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today, we are joined by Rob Boyce from Accenture talking about the Five Families, the trend of hacker collaboration.

Selected Reading
Missing Riverdale foreign exchange student found near Brigham City in case of 'cyber kidnapping' (ABC4)
What is 'cyber kidnapping' and what can you do to stay safe online? (Deseret News)
Hospitals ask courts to force cloud storage firm to return stolen data (BleepingComputer)
Homeland Threat Assessment (US Department of Homeland Security)
The Mac Malware of 2023 (Objective-See)
SBU blocks webcams that 'flashed' operation of air defense during missile attack on Kyiv on Jan 2 (Interfax-Ukraine)
Ukraine says Russia hacked web cameras to spy on targets in Kyiv (The Record)
Akumin radiology and oncology reports ransomware attack and data breach (beyondmachines)
Coop supermarket chain hit by ransomware cyberattack (beyondmachines)
When "Everything" Goes Wrong: NPM Dependency-Hell Campaign – 2024 Edition (Checkmarx)
Accounts in danger: Google recommends enhanced safe browsing and extra care (cybernews)
The FTC Voice Cloning Challenge (FTC)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Cyber kidnapping in Utah.
Hospitals sue for data recovery.
The U.S. Department of Homeland Security assesses cyber threats to the U.S.
Mac malware is on the rise.
Cameras are hacked by Russian intelligence services and provide targeting information.
A ransomware roundup.
An NPM dependency campaign.
Google recommends enhanced safe browsing.
Rob Boyce from Accenture describes the five families and the trend of hacker collaboration.
And the FTC wants to hear your cloned voice.
It's Wednesday, January 3rd, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing.
We begin today with the strange and disturbing case of Kai Zhuang, a 17-year-old Chinese foreign exchange student
who became the center of a complex cyber-kidnapping case
after disappearing from his host city, Riverdale, Utah.
Initially feared kidnapped following a ransom demand to his parents in China,
Zhuang was eventually found cold and scared in a tent near Brigham City. Earlier concerns feared
a forced abduction, but Zhuang had in fact left his host family's home voluntarily. Investigators
believe he was manipulated by these cyber kidnappers
targeting foreign exchange students, particularly from China.
The criminals deceive both the student and their family,
demanding ransoms while convincing the victim to isolate themselves and simulate captivity.
Local police, collaborating with the FBI and both U.S. and Chinese embassies,
learned that Zhuang's family in China had paid around $80,000 to Chinese bank accounts after receiving threats and a photo
indicating Zhuang's peril. This case falls into a pattern of what's being called cyber kidnappings,
where the kidnappers maintain control over the victim and extort the family using fear tactics.
The search for Zhuang involved warrants for various records and surveillance footage analysis.
He was located after extensive efforts, including the use of drones.
Local police are advocating for vigilance against these sorts of crimes
and stress the importance of trusting and cooperating with law enforcement.
The investigation continues as authorities seek to apprehend the cyber kidnappers involved.
Despite the cold and his ordeal, Zhuang was medically cleared and eager to reconnect with his family. Once found, he reportedly requested a nice hot cheeseburger.
Two New York not-for-profit hospitals, Carthage Area Hospital and Claxton-Hepburn Medical Center, part of the North Star Health Alliance, are seeking a court
order to recover data stolen in an August ransomware attack by the LockBit gang. The hospitals,
serving over 220,000 residents in various counties, had sensitive files including patient information compromised, forcing patient redirection for urgent care.
Post-attack, the hospital's IT teams worked on system stabilization with plans to reschedule affected appointments.
The stolen data, including personal and health information, was found stored on Wasabi Technologies servers in Boston.
In response, the hospitals filed a lawsuit assisted by the FBI against the cybercriminals.
They request the court to compel Wasabi to return the data and mandate the ransomware group to destroy all copied data.
This incident is part of LockBit's broader patterns of attack,
including disruptions in German hospitals and Toronto's Hospital for Sick Children,
causing delays in emergency care and treatment.
LockBit, the ransomware-as-a-service operation
active since 2019,
has targeted major organizations globally,
extorting approximately $91 million from U.S. entities alone over 1,700 attacks since 2020.
The hospitals' legal action aims to safeguard their stolen data and mitigate further risks to patient privacy and care continuity.
In its annual Homeland Threat Assessment for 2024, the U.S. Department of Homeland Security […] hacktivist auxiliaries, and cyber espionage by intelligence services. Iran and China are also prominently
mentioned among the cyber threats expected to be active against the U.S. this year. Much of Iran's
activity can be expected to be connected to the war between Hamas and Israel. China represents a major
continuing threat. Tensions over Taiwan are expected to continue and probably increase,
but most of China's activity in cyberspace will in all likelihood be directed toward long-term
political and especially economic competition with the U.S. and other rivals. Notably absent
from the threat assessment is North Korea.
Security expert Patrick Wardle published a detailed blog analyzing a significant increase
in macOS-targeted malware in 2023, with 21 new families identified, marking a 50% rise from 2022.
These threats include ransomware like LockBit and Turtle, and a predominant number
of information stealers like PureLand and Realst. Notably, North Korean APT groups were highly
active, producing malware such as SmoothOperator and RustBucket. Other threats include the SparkRat
backdoor, Geekin backdoor, and WS Client proxy.
Persistent threats like iWeb updater and new variants of CoinMiner and Xloader are also observed,
alongside unverified reports of malware like HVNC and ShadowVault.
The surge underscores the growing interest of cybercriminals in targeting Apple devices.
Ukrainian authorities have dismantled two surveillance cameras in Kyiv,
alleging they were hacked by Russia to spy on air defense and critical infrastructure.
These cameras, originally for residents to monitor their surroundings,
were reportedly manipulated by Russian intelligence to stream sensitive footage on YouTube,
aiding in directing drones and missiles during an attack on Kyiv and Kharkiv.
This assault resulted in casualties and injuries.
Since Russia's invasion in February 2022,
Ukraine's security service, the SBU, has blocked around 10,000 cameras potentially used by Moscow for missile strike planning.
Investigations revealed many Ukrainian cameras using Russian TRASSIR software,
capable of detailed surveillance, were linked to servers in Moscow
and accessible to Russian security services.
Ukrainian law prohibits sharing imagery of attack sites
to prevent aiding enemy targeting with violations carrying severe penalties.
We have a number of reports of ransomware incidents to share.
The U.S. division of Xerox has sustained a cyber attack that may have involved the theft of personal information, The Record reports.
Bleeping Computer notes that the INC ransomware gang added the company to its data
leak site on December 29th. Coincidentally, on December 29th, Florida-based Akumin Inc.,
a provider of radiology and oncology services, disclosed a data breach stemming from an October
11th ransomware attack. The breach exposed a range of sensitive information, including names, contact details,
birthdates, social security and driver's license numbers, as well as health insurance and medical
data. While taking its systems offline and conducting an investigation, Akumin confirmed
the intrusion involved confidential patient information. And Sweden's Coop supermarket
chain is dealing with a cyber attack by the
Cactus ransomware gang on its Värmland branch since December 22nd. The gang, targeting large
entities since March, breached Coop's network through VPN vulnerabilities and malicious online
ads. The attack disrupted card payments, prompting Coop to spin up a temporary website and seek external cybersecurity aid.
Though stores stayed open with alternative communication channels, this isn't Coop's first ransomware ordeal.
They had a 2021 incident with Kaseya ransomware impacting 800 stores.
Checkmarx warns of an apparent troll campaign in the NPM registry that could lead to denial-of-service incidents.
A user uploaded a package named Everything to the registry,
which relies on every other public NPM package,
resulting in millions of transitive dependencies.
As a result, users who installed the package
will experience issues like storage space exhaustion
and disruptions in build pipelines.
The user is remorseful and says they didn't realize
they wouldn't be able to delete the package
once it was incorporated into other users' projects.
Cyber News reports that a new hack exploiting
the OAuth2 protocol is compromising Google accounts, allowing cyber attackers to maintain
valid sessions and regenerate cookies even after IP or password resets. Google has acknowledged
the issue, stating that such attacks are not new and that they have taken action to secure affected accounts.
Contrary to reports, Google affirms that stolen sessions can be invalidated by users signing out or revoking access remotely.
Users are advised to remove any malware and enable enhanced safe browsing in Chrome.
The exploit, part of the Lumma infostealer malware, manipulates the GAIA ID token and is quickly being adopted by various infostealer groups. At least five such exploits
are reportedly using this technique, with one developer claiming to have discovered the exploit
in October 2023. Cybersecurity firm Hudson Rock has observed the trend
and interacted with a developer who provided them a demonstration.
Coming up after the break, Rob Boyce from Accenture talks about the five families,
the trend of hacker collaboration.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews,
and reporting, and helps you get security questionnaires done five times faster
with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices,
home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk.
In fact, over one-third of new members
discover they've already been breached.
Protect your executives and their families
24/7, 365 with Black Cloak.
Learn more at blackcloak.io.
And it is always my pleasure to welcome back to the show Robert Boyce.
He is Managing Director and Global Lead for Cyber Resilience at Accenture.
Rob, welcome back.
Thanks, Dave. Thanks for having me.
So the topic that we are discussing today has to do with the five families.
And I have to say that this makes me think that we're going to be reviewing a Francis Ford Coppola film,
but that is not in fact the case.
What are we talking about here, Rob?
Yeah, aside from also loving the name, Dave,
I think this is interesting. This is not the first time we've seen threat actors working together, but it's really one of the first times we've seen it publicly announced, right? And so
we're actually seeing five distinct threat actor groups all coming together under one moniker that
you had mentioned, the five families, which is interesting to me for many reasons. One, I think, is these five threat actor groups don't also share the same motivations.
Some are very financially motivated. Some will declare themselves as hacktivists.
Even one that just says they want to create chaos. And so there's a lot of really interesting,
very different motivations across the group.
There's even some, I would say, conflict of motivations in some ways.
So we have one threat actor group as an example saying that they would not target health care.
And then we have another threat actor in the same family who has no issue with that,
is actively targeting health care.
One who is supporting Russia,
one that is supporting Ukraine. And so while this is really interesting and potentially, you know,
drives a lot more concern for us, you know, in the public sector and government,
I think it's time to tell whether this is going to be an alliance that will hold or maybe falls apart because of the separation and alignment of motivations and targeting.
It strikes me as being either a lot of swagger or perhaps cockiness here to make such an announcement here.
I mean, does that track as well?
It seems to me like these folks would be putting a target on their backs.
Yeah, I think it's a lot of notoriety that's being gained from
this. You know, like a lot of the threat actor groups are newer. So maybe it's a way for them
to, you know, just become more well-known quickly. I do think it will, you know, it provides heightened
awareness at least of what they're about. So, you know, they're getting talked about more than maybe they would have
if they would have stayed distinct and separate.
So I think there's some of that.
I think one of the other things that is interesting to me
is we're starting to see a little bit of collaboration here.
So one of the threat actors in this Five Families,
GhostSec, had recently released GhostLocker.
And at least one other threat actor within this five families
has now agreed to publicly actively use that malware
as part of their campaigns.
And so I think there's going to be a lot of collaboration
that could potentially happen across these groups
to maybe move them from somewhat relevant
to maybe more relevant faster
because now they have more, you
know, resources at their disposal. They're learning faster. They're able to collaborate across the
different groups in a way that they may not have been able to do before or may just not been
interested in doing before. You know, a couple of interesting things about this ransomware in
particular. Um, you know, because, you know, what's one more ransomware as a service? This one is really written in Python.
And again, it's not the first thing we've seen in Python,
but it is very different.
It's starting to show the power of how Python can be used
for things like ransomware.
It's making use of libraries that are already on the system.
You do have to deploy a compiler with it,
and there's a lot of different ways to be able to spot this,
but it's not a traditional method that we've seen in the past. And I think we're going to
start seeing more of this. One other thing that I think is very interesting about this,
and this is completely a hypothesis, 100% hypothesis. But if you're looking at trying
to create malware quickly using technology, say like ChatGPT, it's much easier to do in Python
than it is to do in, say, C or C++. We've actually done some testing ourselves to show that the
efficacy of which we can create malware using, say, like WormGPT or other GPT services is much
better with Python, like much, much better with Python than it is with C and C++. So there is an element of this
maybe even starting to experiment a little bit more
with those technologies to see how, you know,
this can translate into active threats.
What's the advice for the defenders in our audience here
as you look at this sort of trend?
I mean, there's a few things.
So as I said, a lot of the threat actors within
this group have different motivations and a lot of organizations will pay attention more to threat
actors that are targeting them or targeting their industry, targeting their geography.
And so now I think that has to be widened a little bit more potentially by understanding
these relationships in the broader threat actor ecosystem to better plan your defenses.
And otherwise, when it pertains to things like GhostLocker,
it's a lot of the same advice
from a ransomware preparedness point of view.
Do the tabletop exercises,
make sure you have EDRs, et cetera.
But I think with this in particular,
there are additional identifiers
or additional IOCs that can be used
to spot this type of ransomware
or malware in your environment.
That being, there's additional compilers
or Python compilers that would need to be installed
as part of the packages.
Those things can be easily hunted for
across the environment
to see if they're actually being installed
or have been installed
because they're very, very rarely ever going to be used
for business or corporate applications.
And so those types of additional IOCs are something that organizations can start to
look for now.
Robert Boyce is Managing Director and Global Lead for Cyber Resilience at Accenture.
Rob, thanks so much for joining us.
Thanks, Dave.
That was a pleasure.
…with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker
is a full suite of solutions designed to give you total control, stopping unauthorized applications,
securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And finally, the U.S. Federal Trade Commission, the FTC,
today opened submissions for its voice cloning challenge.
According to the agency,
while voice cloning technology offers potential benefits like medical aid for individuals who've lost their voices, it also poses significant risks, including fraud and the misuse of biometric data.
The FTC has initiated this exploratory challenge to develop comprehensive solutions from products to policies aimed at protecting consumers from these harms.
The challenge seeks to spur preventative solutions and, if unsuccessful, will signal to policymakers the need for stricter controls on this emerging technology.
This is, of course, ridiculous.
Who would possibly fall for a cloned version of the voice of one of their favorite presenters,
especially one that they listen to every day?
The idea is absurd.
I'm Dave Bittner. I'm Dave Bittner.
I'm Dave Bittner.
I'm Dave Bittner.
I'm Dave Bittner.
I'm Dave Bittner.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
We're privileged that N2K and podcasts like The Cyber Wire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people.
We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester with original music by Elliot Peltzman.
Our executive producers are Jennifer Iben and Brandon Karp.
Our executive editor is Peter Kilby and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
…is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.