CyberWire Daily - A quick look at some threats from China and North Korea, some engaged in collection, some in theft. BlackCat and other ransomware operators. And a view of cyberwar from Ukraine’s SSU.
Episode Date: September 18, 2023
Cyber threats trending from East Asia. The Lazarus Group is suspected in the CoinEx crypto theft. Pig butchering, enabled by cryptocurrency. BlackCat is active against Azure storage. A Ukrainian view of cyber warfare. A US-Canadian water commission deals with a ransomware attack. Eric Goldstein from CISA shares insights on cyber threats from China. Neil Serebryany of Calypso explains the policies, tools and safeguards in place to enable the safe use of generative AI. And more details emerge in the Las Vegas casinos' ransomware incidents. Danny Ocean, call your office.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/178
Selected reading.
Sophistication, scope, and scale: Digital threats from East Asia increase in breadth and effectiveness (Microsoft Security Compliance and Identity)
Evidence points to North Korea in CoinEx cryptocurrency hack, analysts say (Record)
CoinEx invites hackers to negotiate after suffering data breach (The Times of India)
BlackCat ransomware hits Azure Storage with Sphynx encryptor (BleepingComputer)
MGM websites up, but reservation systems still affected by hack (Las Vegas Review-Journal)
The chaotic and cinematic MGM casino hack, explained (Vox)
Massive MGM and Caesars Hacks Epitomize a Vicious Ransomware Cycle (WIRED)
US-Canada water commission confirms 'cybersecurity incident' (Register)
Ukraine's Fusion of Cyber and Kinetic Warfare: Illia Vitiuk's Stand Against Russian Cyber Operations (AFCEA International)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Cyber threats trending from East Asia.
The Lazarus Group is suspected in the CoinEx crypto theft.
Pig butchering enabled by cryptocurrency.
BlackCat is active against Azure storage.
A Ukrainian view of cyber warfare.
A U.S.-Canadian water commission deals with a ransomware attack.
Eric Goldstein from CISA shares insights on cyber threats from China.
Neil Serebryany of Calypso explains the policies, tools, and safeguards in place
to enable the safe use of generative AI.
And more details emerge in the Las Vegas casinos' ransomware incidents.
Danny Ocean, call your office.
I'm Dave Bittner with your CyberWire Intel briefing for Monday, September 18th, 2023.
Microsoft describes the cyber capabilities of the Chinese and North Korean governments,
finding that Chinese influence operations have grown more effective over the past year.
Microsoft states,
China-aligned social media networks have engaged directly with authentic users on social media,
targeted specific candidates in content about U.S. elections, and posed as American voters.
Separately, China's state-affiliated multilingual social media influencer initiative
has successfully engaged target audiences in at least 40 languages and grown its audience to over 103 million.
The researchers note that China's cyber operations in 2023
have primarily focused on countries surrounding the South China Sea,
the U.S. defense industrial base,
especially satellite communications and telecommunications infrastructure in Guam,
and U.S. critical
infrastructure. North Korean cyber operations have increased in sophistication over the past year,
and Microsoft says Pyongyang's threat actors seem particularly interested in stealing information
related to maritime technology research. We note in full disclosure, Microsoft is a CyberWire partner.
Pyongyang is also interested in direct theft of funds, in this case cryptocurrency.
Researchers at Elliptic believe North Korea's Lazarus Group is responsible for the theft of $31 million worth of cryptocurrency from CoinEx last week, the Record reports. Elliptic stated, our analysis confirms that some of the
funds stolen from CoinEx were sent to an address which was used by the Lazarus Group to launder
funds stolen from Stake.com, albeit on a different blockchain. Elliptic has observed this mixing of
funds from separate hacks before from Lazarus, most recently when funds stolen from Stake.com
overlapped with funds stolen from Atomic Wallet. Sophos outlines a pig butchering scam that
attempts to trick victims into investing cryptocurrency in a phony liquidity pool.
Sophos says, fake pools use smart contracts that give the scammers access to their targets' wallets.
They may deposit cryptocurrencies into wallets to give the illusion of gains
or deposit counterfeit cryptocurrencies that have deceptive names and no inherent value.
The websites used to link wallets in these scams will display data promising daily payouts
and showing the victims
mounting but fake profits. The scammers in this case are targeting users of dating apps.
Dating apps have been a common field for pig butchering, which is described as a long-running
targeted scam in which the scammers cultivate a bogus online relationship with an individual victim,
metaphorically fattening the victim up for the kill.
Bleeping Computer reports that the BlackCat ransomware gang is using the newly discovered Sphynx encryptor in attacks against Azure cloud storage.
Researchers at Sophos describe one of these attacks observed in August,
stating,
The threat actors were able
to gain access to the customer's Azure portal where they obtained the Azure key required to
access the storage account programmatically. The adversary encoded the keys using Base64
and inserted them into the ransomware binary with execution command lines. During the intrusion, the threat actors were observed
leveraging various RMM tools like AnyDesk, Splashtop, and Atera,
and using Chrome to access the target's installed LastPass vault
via the browser extension,
where they obtained the one-time password
for accessing the target's Sophos Central account,
which is used by customers to manage their Sophos products.
There's an ongoing ransomware attack against infrastructure, and while there's no ocean in it,
there's plenty of water. The International Joint Commission, an organization that handles water
issues along the Canada-United States border, has experienced a ransomware attack. The commission has disclosed few details,
telling the Record, the International Joint Commission has experienced a cybersecurity
incident. The organization is taking measures to investigate and resolve the situation.
The NoEscape ransomware gang claimed responsibility for the attack, saying it's
taken 80 gigabytes of sensitive data, which it will begin leaking
if its demands aren't met. The data is said to include contracts, legal documents, personal
information belonging to people associated with the IJC, financial data, insurance information,
geological files, and much other confidential and sensitive information. NoEscape said in its leak notice,
If management continues to remain silent and does not take the step to negotiate with us,
all data will be published.
We have more than 50,000 confidential files,
and if they become public, a new wave of problems will be colossal.
For now, we will not disclose this data or operate with it,
but if you continue to lie further, you know what awaits you.
Signal reports that Illia Vitiuk, head of the Cybersecurity Department in the Security Service
of Ukraine, offered a perspective on cyber warfare at the Billington Cybersecurity Summit.
Vitiuk asked rhetorically, what are the three main objectives of cyber attacks?
First, it is to gather important intelligence.
Second, it is destructive when you destroy systems,
digital systems, and cause direct damage.
And third, is psychological effect.
He also dismissed the notion that Russia's hacktivists
were genuinely what they represent themselves to be,
stating,
All of these groups, like Killnet, Anonymous, and Cyber Army of Russia with Deep Rock, etc., etc.,
we do believe that these are all groups created or orchestrated by the Russian intelligence agency, GRU.
So the hacktivists, like so many front groups before them,
are often run by Russian
security and intelligence units. The Las Vegas Review-Journal notes that the MGM ransomware
incident was accomplished by fraud, not by sophisticated attack code. While this particular
incident has been attributed to a cybergang and obviously had a significant effect on MGM Resorts' IT infrastructure,
it's the latest in what's been a rough patch of fraud
for Las Vegas resorts and casinos.
The IT disruptions continued into the weekend,
and MGM Resorts has restored much of its online presence.
The company says many of its properties
were unaffected by the incident
and that it's working to restore full service.
Wired argues that while there seems to be an element of frivolity in the attention high-profile incidents like the attacks against MGM Resorts and Caesars Entertainment attract,
nonetheless, such attention drives awareness, response, and sometimes effective public policy.
Wired quotes Leslie Carhart, director of incident response at Dragos, which specializes in industrial
cybersecurity, as stating, attacks against casinos are dramatic and draw attention. We have whole
movie and TV franchises about casino heists. A lot of life-impacting attacks on critical infrastructure
and healthcare occur far less visibly, and therefore, they aren't an easy draw for mass media.
I do not think this is an issue with cybersecurity or even media in its entirety. It's a human
psychology issue. We've had that problem for a long time in the industrial control system
cybersecurity space,
where attacks could really mean life or death, but are not a great story.
Or at least not one that's likely to be made into a movie starring Frank Sinatra,
Dean Martin, Sammy Davis Jr., Peter Lawford, Richard Conte, Joey Bishop, Henry Silva, Buddy Lester, Richard Benedict, Norman Fell, Clem Harvey, and last but certainly not
least, Angie Dickinson. Sure, the remake with George Clooney and Julia Roberts is worth a look,
but for our money, we'll stick with the original.
Coming up after the break, Eric Goldstein from CISA shares insights on cyber threats from China.
Neil Serebryany of Calypso explains the policies, tools, and safeguards in place
to enable the safe use of generative AI. Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your
executives and their families at home. Black Cloak's award-winning digital executive protection
platform secures their personal devices, home networks, and connected lives. Because when
executives are compromised at home, your company is at risk. In fact, over one-third of new members
discover they've already been breached. Protect
your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Ever since generative AI tools like ChatGPT captured the general public's imagination,
enterprise security folks have been faced with the challenge of balancing users' desire to make use
of what are potentially huge time-saving tools versus the security risks that come with them.
Neil Serebryany is founder and CEO of Calypso AI, and I checked
in with him for insights on finding the right balance. Everyone who had spent the last couple
of years on the machine learning side of the house knew that the underlying frameworks and techniques,
the transformer architecture, was not new in any way. It had been out for five years,
but you finally had a product that just seemed magical to the broad public. And because the
product seemed so magical, 10 times better than anything that had existed prior, it got to the
fastest adoption of any product in human history. So a combination of excitement to see
that happen and also the worry that comes with knowing of what this entire new risk surface
means for everyone. I can imagine you and your colleagues being there kind of like
Dr. Ian Malcolm in Jurassic Park,
you know, with an understanding of what's going on, but also the worry of what could possibly happen here. Yeah, that's exactly right. We spent over four years now focused on the risks in AI.
And it's been really interesting to see what's happened over the last couple of years.
You know, at first, like most kind of cybersecurity-oriented threats, the threat surface, as well as the attacks, were really occurring with some of the most sophisticated actors out there.
Really what I would describe at this, you know, nation state or near nation state level.
And in the last couple of years, we've gone from, you know, these really, really sophisticated organizations being the ones that are leveraging these tools to now communities on Twitter that
are popularizing ways to jailbreak or evade these models and sort of the rise of the proverbial script kitty
in the context of AI attacks and AI risk. We've seen a spectrum of responses from
organizations to these tools. Some of them are embracing them and at the other end,
some are outright banning them. What do you think is a reasonable approach here?
So ultimately, it starts with what is the impact of the technology on your organization?
On a medium to long-term basis, organizations are going to have to embrace these technologies for the sole reason that it increases productivity to such a degree, as the McKinsey study recently pointed out in terms of
the four and a half trillion in worldwide economic impact a year, that they will need these tools
or their competitors will outpace them. In the short to medium term, it's around how are you
defining the security risks inside of your organization? How are you defining the mitigations,
the controls that you want to put in place? And how are you rolling out these technologies in a
secure way? So I would say a combination of the understanding that we need these technologies
combined with putting in place a smart risk posture.
It strikes me that this is the kind of technology that is really susceptible to shadow IT here.
If your employees see the potential here of them being able to be more efficient at their jobs
and the technical folks in the organization put up roadblocks,
those employees are likely to find a way around that.
Correct. And that's why what you need to do is not just outright block these technologies,
but figure out how do you enable your employees and your teams to use them in a secure manner.
I almost think of it, to use another analogy here, as sort of, you know,
when everyone started using smartphones and suddenly you had all of these enterprise security
questions around my employees, you know, want to have their work email on their smartphones.
How do I enable that? How do I allow that? How do I put in place the controls to be able to do that
securely? Except that this is at a much more kind of massive and perhaps more kind of impactful
scale than folks using their own personal smartphones or iPads or other devices.
Do you have any practical tips for folks who are looking for ways to come at this? Any words of wisdom?
would be as you start your kind of phased unlock to be able to start with individual groups or smaller subsets of employees inside of your organization and test out what are the controls,
what are the risks that you want to put in place, meaning go and, you know, crawl, walk, and then run in terms of what you're doing inside of your organization.
Two, understand what the policies that you want to put in place are, and then figure out what the technical controls are, whether they're products from external vendors like ours, or whether they're policy driven.
And then third, you know, also experiment with what are the use cases
inside of your enterprise. Ultimately, a lot of the value unlock from these technologies
is going to come from the integration of these technologies into enterprise apps provided by
external vendors and also enterprise apps that you're building internally.
Understand what those are, understand where the risks lie, and understand what you want
your strategy to be.
That's Neil Serebryany from Calypso AI. And joining me once again is Eric Goldstein.
He is Executive Assistant Director at CISA.
Eric, it's always my pleasure to welcome you back to the show.
I would love to touch base with you today on the cyber threat that our nation sees from China specifically,
and some of the efforts that you and your colleagues there at CISA have taken on to address
that. Thanks so much, Dave. It's really good to be here. And this is a really important topic,
so it's a privilege to be on discussing it. And many of your listeners might have seen,
with perhaps some alarm, a recent assessment by the Office of the Director of National Intelligence, which noted that China represents the broadest, most active, and persistent cyber threat and is capable of launching cyber attacks that could disrupt critical infrastructure within the U.S.
That's a pretty stark statement.
And at CISA, as the nation's cyber defense agency, we are taking this really seriously on a number of fronts.
With our partners, we recently released a report on Chinese actors living off the land.
This was done with some great work with our partners at NSA and other agencies.
And the way to read this advisory is the extraordinary sophistication of Chinese
actors and the threat that that poses to organizations across sectors. And then to read
that in intersection with the intent that's described in the ODNI's annual threat assessment.
And so what we are confronting is an adversary that may have
the intent to launch destructive attacks in the future against U.S. assets with an actor that is
extraordinarily sophisticated and using techniques like living off the land, which are very hard to
detect and, in fact, require a different approach to cybersecurity than just looking for known indicators of compromise, malware, and the like.
And so that's why we have stood up a new Office of China Operations within CISA and hired an experienced leader,
a gentleman named Andrew Scott, who brings to bear extraordinary expertise in this area to ensure that we as an agency
and we as a country have a strategy and roadmap against this possible threat.
And what will be some of the things that that office will be focused on?
Really, the main goal is to make sure that we are providing critical infrastructure entities across sectors
with a clear understanding of the threat as it evolves, the tactics, techniques, and procedures that we are seeing and anticipating, and then the specific steps that can be taken in response.
And really importantly here, we know that cyber defense is not going to be the only
tool that we have here.
We know that we also need to focus on resilience.
So we know we are not going to prevent every possible intrusion, and we need to focus on
detecting more quickly, responding more quickly, and most importantly, ensuring that if there is
an intrusion, we can recover critical functions as quickly as possible. You know, I think a lot
of folks, when looking at Russia's invasion of Ukraine and the cyber attacks there, thinking that perhaps Russia
underperformed relative to where we thought their capabilities were. I'm curious, how confident are
you and your colleagues in your assessment of where we stand with China? It is very hard to
speculate the intent of any given adversary, but we do know that as documented in the DNI's public annual threat
assessment, certainly the prospect exists that particularly around a future geopolitical
conflict, Chinese cyber actors may have the intent and almost certainly have the capability
to launch destructive attacks. And so it is our duty at CISA, as well as every owner-operator's duty,
to make sure that we are prepared for that eventuality. And if it does not manifest,
all to the better. If it does manifest, we have to say that we've done everything possible to be
ready and ensure that the services upon which all Americans depend are secure and resilient
under all conditions. That's why we brought in Andrew
to lead a small team. It's a new position in the organization within our cybersecurity division
intended to bring together and cohere all of our disparate activities against this threat to make
sure that we're making needed progress. All right. Well, Eric Goldstein is Executive Assistant
Director at CISA.
Eric, thanks so much for joining us. Thanks so much, Dave. And I'll just
note if listeners want to learn more, they can visit cisa.gov slash China.
Thank you.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like the Cyber Wire
are part of the daily intelligence routine of many of the most influential leaders
and operators in the public and private sector,
as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent
intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the
value of your biggest investment, your people. We make you smarter about your team while making
your team smarter. Learn more at n2k.com.
This episode was produced by Liz Ervin
and senior producer Jennifer Iben.
Our mixer is Trey Hester
with original music by Elliot Peltzman.
The show was written by our editorial staff.
Our executive editor is Peter Kilby
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights,
receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.