CyberWire Daily - A digital leaker gets 40 years behind bars.
Episode Date: February 2, 2024

Former CIA leaker sentenced to 40 years. Interpol arrests suspected cybercriminals and takes down servers. Cloudflare discloses a Thanksgiving Day data breach. The FBI removes malware from outdated routers. President Biden plans to veto a Republican-led bill overturning cyber disclosure rules. Attackers target poorly managed Linux systems. Infected USB devices take advantage of popular websites for malware distribution. Blackbaud faces a data deletion mandate from the FTC. Our guest is Adam Marré, CISO of Arctic Wolf, to kick off our continuing discussion of 2024 election security. A cybersecurity incident in Georgia leads to a murder suspect on the run.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Guest Adam Marré, CISO of Arctic Wolf, joins us to begin our discussion of election security in 2024. Adam will be sharing their Election Cybersecurity Survey outlining key cybersecurity threats to the 2024 election season.

Selected Reading
40 years in prison for ex-CIA coder who leaked hacking tools to WikiLeaks (Digital Journey)
Interpol arrests more than 30 cybercriminals in global 'Synergia' operation (The Record)
Cloudflare Hacked After State Actor Leverages Okta Breach (HACKREAD)
FBI removes malware from hundreds of routers across the US (Malwarebytes)
Biden to Veto Attempt to Overturn SEC Cyber Incident Disclosure Rules (SecurityWeek)
Threat Actors Installing Linux Backdoor Accounts (ASEC)
USB Malware Chained with Text Strings on Legitimate Websites Attacks Users (Cybersecurity News)
FTC settles with Blackbaud over poor data practices leading to massive hack (The Record)
Murder suspect mistakenly released from jail after 'cybersecurity incident' (ABC News)

Share your feedback.
We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
A former CIA leaker is sentenced to 40 years.
Interpol arrests suspected cyber criminals and takes down servers.
Cloudflare discloses a Thanksgiving Day data breach.
The FBI removes malware from outdated routers.
President Biden plans to veto a Republican-led bill overturning cyber disclosure rules.
Attackers target poorly managed Linux systems.
Infected USB devices take advantage of popular websites for malware distribution.
Blackbaud faces a data deletion mandate from the FTC.
Our guest is Adam Marré, CISO of Arctic Wolf, to kick off our continuing discussion
of 2024 election security. And a cybersecurity incident in Georgia
leads to a murder suspect on the run.
It's Friday, February 2nd, 2024,
Groundhog Day here in the United States.
I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Joshua Schulte, a former CIA programmer, was sentenced to 40 years in prison for a series of crimes,
including espionage. In 2022, he was found guilty of leaking the CIA's most critical
hacking tools to WikiLeaks, an act the agency described as a digital Pearl Harbor.
The breach was the largest in CIA history. U.S. Attorney Damian Williams condemned Schulte's actions as a severe betrayal
to the United States, motivated by revenge against the CIA for its response to his security breaches
while employed. The espionage, computer hacking, contempt of court, making false statements to the
FBI, and child pornography charges led to his 40-year sentence by U.S. District Judge Jesse Furman.
Schulte worked in the CIA's hacking unit from 2012 to 2016, during which he stole cyber tools
designed for breaking into technology systems. He leaked these tools to WikiLeaks in 2017,
which then published the classified data. This leak purportedly resulted in significant
damage to the CIA's intelligence collection capabilities, endangering personnel and costing
the agency hundreds of millions of dollars. The data exposed included malware, viruses,
trojans, and zero-day exploits, which became accessible to foreign intelligence, hackers,
and cyber extortionists globally.
Initially charged with possessing child pornography in 2017,
Schulte faced additional espionage charges later.
After a hung jury in 2020 on major charges,
a 2022 jury convicted him under the Espionage Act and for obstruction.
A global operation from Interpol called Synergia resulted in the arrest of 31 suspected cyber criminals and the identification of 1,300
malicious servers used for phishing attacks and malware distribution. This coordinated effort,
running from September to November of last year, involved nearly 60 law enforcement
agencies and several private companies. They successfully dismantled 70% of the command and
control servers they'd identified, primarily located in Europe, Hong Kong, and Singapore,
with ongoing investigations for others. Additionally, 70 more suspects were identified
for their roles in phishing, banking malware, and ransomware distribution,
although specific cybercrime groups uncovered during the operation were not disclosed.
Interpol highlighted the collaborative nature of the effort.
Cloud services provider Cloudflare has disclosed that on Thanksgiving Day last year,
they experienced a security breach in their internal Atlassian server.
Despite unauthorized access, no customer data or systems were compromised,
and the intrusion was contained within 24 hours.
An investigation named Project Code Red and conducted with CrowdStrike
concluded that attackers used credentials stolen during an Okta breach in October of
2023.
The attackers sought information about Cloudflare's network architecture and security, accessing
internal tools like Confluence and Jira.
Cloudflare's investigation revealed that the attackers, potentially a nation-state actor,
accessed their Confluence wiki, Jira bug database, and Bitbucket source code
management system on the 14th of November in 2023. They also attempted to infiltrate a Sao Paulo
data center, which was thwarted. Cloudflare responded by rotating 5,000 unique production
credentials, segregating test and staging systems, conducting forensic analysis, and re-imaging
network systems. Remediation efforts were completed by the 5th of January of this year,
with ongoing focus on software security and credential management.
The FBI removed malware from hundreds of outdated Netgear and Cisco routers in the U.S. after receiving a court order to do so.
These routers, no longer updatable and therefore vulnerable, were part of a botnet controlled by
Volt Typhoon, a group with ties to the Chinese government. This action aimed to block Volt
Typhoon's access to sensitive infrastructure. The FBI says they will inform affected router owners or their
providers. Router owners can undo the FBI's changes by restarting their routers, but this
may leave them susceptible to future attacks. The FBI recommends replacing these end-of-life routers.
The White House announced President Biden's intention to veto a Republican-led effort to overturn the SEC's new cyber incident disclosure rules.
These rules mandate public companies to report material breaches within four business days
of recognizing their significant impact.
The aim is to provide investors with timely, relevant information on cybersecurity incidents.
Critics, including some Republican
lawmakers, argue that early disclosure of incomplete information could harm investors
and aid attackers. They also believe these rules conflict with existing reporting requirements.
Despite these concerns, the Biden administration supports the rules, citing the need for
transparency to encourage
corporate investment in cybersecurity and risk management. The White House argues that reversing
the SEC's decision would disadvantage investors and lead to underinvestment in cybersecurity,
affecting economic and national security. The SEC clarified that the required disclosures are
limited and won't include detailed technical information mitigating risks to cybersecurity.
Additionally, disclosures can be delayed if they pose a substantial risk to national security or public safety.
The AhnLab Security Intelligence Center, ASEC, is using an SSH honeypot to monitor attacks on Linux systems.
Attackers targeting poorly managed Linux systems install malware via brute force and dictionary
attacks.
These attacks often involve creating backdoor accounts or altering existing high-privilege
accounts like the root account.
Attackers can then control the infected systems and install various malware,
including ransomware and coin miners.
ASEC's analysis reveals that the attackers use specific commands
to add new accounts or change root account passwords.
They also register self-generated SSH keys,
allowing passwordless access to the compromised systems.
Attack logs suggest automated scripts are employed following successful system breaches.
To protect against such attacks, ASEC recommends using strong, regularly changed passwords,
employing SSH key-based authentication, restricting root account SSH access,
limiting SSH access to certain IP addresses, and using firewalls.
UNC4990, a financially motivated threat actor active since 2020,
employs traditional methods like USB devices for malicious attacks. Recently, they've adapted
tactics using popular websites like GitHub, GitLab, Ars Technica, and Vimeo to
distribute malware. They utilize the EMPTYSPACE downloader and QUIETBOARD backdoor, with
EMPTYSPACE executing payloads from command and control servers and delivering QUIETBOARD. The attack
begins with social engineering to distribute USB drives containing a malicious shortcut.
When connected to a victim's device, the shortcut triggers a PowerShell script, which fetches the EMPTYSPACE
downloader. In 2023, UNC4990 started using Vimeo, embedding payloads in video descriptions.
They also employed an image on Ars Technica with an embedded payload.
UNC4990 has utilized various versions of the EMPTYSPACE loader,
with the Python-based QUIETBOARD capable of executing arbitrary code,
stealing cryptocurrency, infecting USB drives,
screenshotting, gathering information, and communicating with C2 servers.
Blackbaud, a data and software services company,
has been mandated by the FTC to erase unnecessary personal data following a 2020 breach where lax security practices
led to the exposure of sensitive customer data.
The breach, affecting millions, involved unencrypted personal, financial, and medical information.
Blackbaud, serving 45,000 entities, failed to encrypt critical data, including Social Security and bank account numbers.
Despite earning $1.1 billion in 2022, Blackbaud provided limited post-breach support and delayed notifying customers,
initially downplaying the breach's
severity. The FTC's proposed order requires Blackbaud to delete superfluous data, abstain
from misleading statements about data security, establish a comprehensive security program,
and implement a detailed data retention and deletion policy.
Coming up after the break,
our guest Adam Marré from Arctic Wolf kicks off our continuing discussion
of 2024 election security.
Stay with us.
You are no doubt aware that it is a big election year here in the U.S.
Coming up next, my conversation with Arctic Wolf CISO Adam Marré. He joins us to share key cybersecurity threats in the 2024 election season.
Here's our conversation.
We wanted to gauge state and local government leaders' preparedness, basically to gauge their attitudes and beliefs about their cybersecurity preparedness for the upcoming election. That's
what we thought was unique about this. Obviously, many people are thinking about election security
and making sure that the critical infrastructure we have for
our elections and the integrity of the elections themselves is secure. And we wanted to know how
were people feeling about that, the people who will actually be running these elections,
what are their attitudes and beliefs as they prepare for the election?
Yeah, it's certainly a hot topic here. And I think it's fair to say there's a good amount of
anxiety about it as well. What did you find? I mean, starting out at a high level here, where do we stand?
Well, one of the most interesting findings that we can talk about right from the top
is that about half of our respondents across state and local governments across the United States,
about half of them felt they were either not at all prepared or only somewhat prepared to detect and respond to cybersecurity election interference.
So that shows that there is a significant room for improvement to get better measures
in place and better confidence in our state and local leaders as we prepare for the election.
What's driving that feeling of insecurity here? I mean, is it the usual lack of funding when it
comes to local governments? What do you think's at play? Well, I think that is definitely part of it.
In my experience working with these great local and state government leaders is that they're
typically underfunded, overburdened, overwhelmed.
Oftentimes you have the same people who are doing information technology are also doing
security.
And that's just for the day-to-day running of their organizations, let alone putting
a national election on top of that.
So I'm sure that that is part of it.
But another part is this new threat environment that we're looking at.
So one of our other findings that was interesting is when we asked our respondents to tell us
what are the types of election interference cyber activities that they're most concerned about,
number one was disinformation and number two was phishing. Now, what's interesting about both of those is those are two types of activities that are supercharged by generative AI and the AI tools that are ubiquitous out there and available to just about anybody who has an internet connection.
folks are putting those puzzle pieces together and really understanding that those types of attacks are going to be much more convincing, much more successful, a lot easier to create.
And so in the face of that, they're anticipating that these attacks are going to come to them.
That's a really fascinating finding. And it strikes me that both of those things are things that take place outside of, you know, that proverbial castle wall
that these folks who are in charge of election security would really have control over.
You know, misinformation and phishing, that's not the kind of thing that it's easy for them
to have direct influence on.
Is that an accurate perception on my part?
Yeah, I think so.
And that's probably where some of the anxiety is coming from.
However, though, I do think there are a number of things that state and local leaders who are in charge of elections can do about both of those.
Of course, with phishing attacks, the goal is to get a toehold in the organization by using that attack.
And we know from breach reports year after year that a large percentage, 70% to 80% of successful breaches,
there's phishing or some type of social engineering involved.
And so that really is a method that attackers are going to use
to try to get into these systems, get that first toehold.
And knowing now with generative AI and AI tools that, you know,
gone are the days where we can detect phishing with misspellings or bad logos or awkward grammar.
These can look perfect.
These phishing attacks can look perfect now.
And so, yes, these attacks are difficult to defend,
but there's a lot that can be done as far as training, making sure everybody's aware that this is the new environment, and setting up procedures and protocols that make it difficult for people to take action based on those emails, be it clicking on a link or transferring some money or something like that, making sure that protocols are in place so that they can resist even those kinds of sophisticated phishing attacks. Was there anything in the survey results that was unexpected
or things that may have surprised you? I think the other surprising finding that we had is when we
asked our respondents which region they were most concerned about as a source of election
interference. In the top four, we got what we expected, China,
Russia, and Iran. We expect these leaders to understand that those are where some of these
activities may come from. But coming in at number two was the United States. And that was a little
bit surprising. They're anticipating attacks coming from within the house, as it were.
But this could also be seen as a positive because,
as you know, Dave, attacks can come from anywhere. They can also appear to come from anywhere if
someone is spoofing an attack. So we shouldn't have a blind spot toward the United States.
So I think this is a positive in that the folks who are in charge of protecting our elections
are now very aware that attacks can come from within as well as without.
And so that was actually a good finding to see.
So what are your recommendations then based on the information you and your colleagues have gathered here?
What sort of things should folks put in place?
Well, one additional finding I'll talk about is that about half of our respondents said they had not received election-specific cybersecurity training. And I think it's really important that that's one
of the things that we do. We make sure that our folks in state and local governments,
those who are going to be involved in the election, are receiving that election-specific
cybersecurity awareness training. And it can cover things like the new threat environment
regarding generative AI and those kinds of tools.
And it can cover things like disinformation and how we're going to ensure that voters
know where they can go to get real information, solid information that they can depend on,
and not just be blown about on the wind from anything that comes in through their social
media feed.
So conducting awareness campaigns,
both for the election workers and some awareness campaigns of voters, so they know where to get
good information. That's a really good place to start. And then in addition to that, what I would
recommend, and there are many state and local governments that are doing this, they should run
tabletop exercises. That is one of the most effective, and it does not have to be expensive,
types of training that we
can run, where people can really understand: how prepared are we? Are the measures that we have in
place efficient? And we can identify blind spots, gaps, and other things like that, where we can
say, hey, we should have a way to double-verify instructions that are coming down from, you
know, a high-level leader. Let's say there was a deepfake of their voice
and you get a phone call from a high-level leader.
Well, if you put measures in place like passphrases,
code words, or even double verify
through a messaging service or email,
that makes you resistant to those types
of social engineering attacks.
And those are things you can identify
when conducting tabletop exercises.
You know, I'm curious for the folks who came in on the other side of the survey who were confident in their abilities, what were some of the common threads there?
So that's a really good question.
I think it does show that the good news here, the good news from the survey, is that many of the, you know, half of people did receive election-specific cybersecurity training.
Half of folks do feel like they are prepared for the election and for the attacks that are going to come their way.
So that does show that many state and local governments, municipalities are preparing for
this. They understand the threat environment and they're getting ready. I think there are many
states that are doing tabletop exercises and thinking specifically about how they can resist
social engineering. So the good news is that lots of these organizations are doing the right things,
but we just need to make sure that everyone is and bring everyone up to the same level.
That's Arctic Wolf's Chief Information Security Officer, Adam Marré.
And finally, ABC News reports that a 30-year-old murder suspect named Zion River Shaka
was mistakenly released by Clayton County authorities in Georgia last week
following a cybersecurity incident.
Shaka, who has been in Fulton County Jail since 2020,
was transferred to Clayton County for a hearing
with instructions to return to Fulton County Jail afterward.
However, after the hearing, he was erroneously released.
Earlier this week, we reported that Fulton County,
which includes most of Atlanta,
experienced a widespread
system outage due to a cybersecurity incident affecting phone, court, and tax systems.
Authorities are now actively searching for him. Looks like the suspect found a real-life
backdoor vulnerability in the jail's security protocol.
And that's the Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday and my conversation with Johannes Ulrich
from the SANS Technology Institute.
We're talking about the Internet Storm Center
and how they do research.
That's Research Saturday. Check it out.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
We're privileged that N2K and podcasts like the Cyber Wire
are part of the daily intelligence routine
of many of the most influential leaders and operators
in the public and private sector,
as well as the critical security teams
supporting the Fortune 500
and many of the world's preeminent intelligence
and law enforcement agencies.
N2K Strategic Workforce Intelligence
optimizes the value of your biggest investment,
your people.
We make you smarter about your team
while making your team smarter.
Learn more at n2k.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music by
Elliot Peltzman. Our executive producers are Jennifer Iben and Brandon Karp. Our executive
editor is Peter Kilby, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.