CyberWire Daily - A Typhoon counter.
Episode Date: January 30, 2024
The U.S. counters a Chinese hacking campaign. Juniper issues out-of-band patches. Schneider Electric suffers a ransomware attack. Over a million and a half individuals are affected by an insurance consulting firm breach. AT&T finds DarkGate malware leveraging Microsoft Teams. The White House is set to require AI developers to share safety test results. Resecurity finds high-level credentials posted online. Zscaler says ZLoader malware is back. The Georgia county prosecuting former President Trump got hit with a cyberattack. Microsoft's Ann Johnson speaks with guest Deneen DeFiore, Vice President and Chief Information Security Officer at United Airlines, about cybersecurity at 35,000 feet. And yesterday's airborne joker is off the hook.
CyberWire Guest: Ann Johnson, host of Microsoft Security's Afternoon Cyber Tea podcast, talks with guest Deneen DeFiore, Vice President and Chief Information Security Officer at United Airlines, about cybersecurity at 35,000 feet.
Selected Reading:
Exclusive: US disabled Chinese hacking network targeting critical infrastructure (Reuters)
China-Linked Hackers Target Myanmar's Top Ministries with Backdoor Blitz (The Hacker News)
Juniper Networks Releases Urgent Junos OS Updates for High-Severity Flaws (The Hacker News)
Schneider Electric confirms it was hit by ransomware attack (Silicon Republic)
1.5 Million Affected by Data Breach at Insurance Broker Keenan & Associates (SecurityWeek)
DarkGate malware delivered via Microsoft Teams - detection and response (AT&T)
AI companies will need to start reporting their safety tests to the US government (AP)
Hundreds of network operators' credentials found circulating in Dark Web (Security Affairs)
New ZLoader Malware Variant Surfaces with 64-bit Windows Compatibility (The Hacker News)
Cyberattack Hits Georgia County Where Trump Is Charged (Bloomberg)
British man acquitted over London-Spain flight bomb hoax (BBC)
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
The U.S. counters a Chinese hacking campaign.
Juniper issues out-of-band patches.
Schneider Electric suffers a ransomware attack.
Over a million and a half individuals are affected by an insurance consulting firm breach.
AT&T finds DarkGate malware leveraging Microsoft Teams.
The White House is set to require AI developers to share safety test results.
Resecurity finds high-level credentials posted online.
Zscaler says Zloader malware is back.
The Georgia county prosecuting former President Trump got hit with a cyberattack.
Microsoft's Ann Johnson speaks with guest Deneen DeFiore,
Vice President and Chief Information Security Officer at United Airlines,
about cybersecurity at 35,000 feet.
And yesterday's airborne joker is off the hook.
It's Tuesday, January 30th, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Thank you for joining us here today. It is good to have you with us.
Reuters reports that the U.S. government has
initiated a counter-operation against a substantial Chinese hacking campaign known as Volt Typhoon,
which compromised thousands of internet-connected devices globally. Authorized by the Justice
Department and FBI, the operation aims to disrupt the hackers' activities, especially given concerns about potential
disruptions to the U.S. election and corporate America. Volt Typhoon, which intensified its
operations recently, targets critical Western infrastructure such as naval ports, internet
service providers, and utilities, raising alarms about national security. The U.S. has engaged with
the private tech industry for assistance in tracking the hackers' activities.
This hacking campaign is particularly concerning
due to the potential for China
to disrupt important facilities in the Indo-Pacific,
impacting U.S. military operations,
especially amidst heightened tensions over Taiwan.
Despite China's denial of the hacking allegations,
U.S. officials remain vigilant. Volt Typhoon operates by controlling devices like routers
and security cameras, forming a botnet to conceal more targeted intrusions, complicating detection
for cyber defenders. This tactic allows the hackers to appear as local legitimate users
to target networks,
demonstrating a sophisticated approach to cyber espionage and warfare.
Meanwhile, the China-based threat actor Mustang Panda is suspected of targeting Myanmar's Ministry of Defense and Foreign Affairs
in twin campaigns aimed at deploying backdoors and remote-access Trojans.
According to CSIRT-CTI, these activities took place in November of 2023 and January of 2024,
with evidence of the attacks uploaded to the VirusTotal platform.
The group utilized legitimate software to sideload malicious DLLs.
Mustang Panda, active since at least 2012 and known by various names,
has recently been involved in attacks against Southeast Asian governments, including the Philippines, to harvest sensitive information. Similar attack patterns by Mustang Panda were
previously identified by EclecticIQ in February of last year, targeting government and public sector organizations in Asia and Europe.
CSIRT-CTI noted that Mustang Panda's operations align with the geopolitical interests of the
Chinese government, evidenced by multiple cyber espionage operations against Myanmar.
Juniper Networks has released updates to address high-severity vulnerabilities in its SRX and EX series,
which could allow a threat actor to control affected systems.
The flaws are found in the J-Web component of all Junos OS versions.
Discovered and reported by watchTowr Labs, these vulnerabilities have been fixed in various Junos OS versions,
with users advised to disable J-Web or restrict its access as a temporary mitigation.
Schneider Electric, the global energy services company, acknowledged a disruption to its systems due to a ransomware attack. The attack specifically targeted its sustainability
business division, affecting the resource advisor service and other division-specific systems.
The company's incident response team promptly mobilized to contain the incident and enhance security measures.
Schneider Electric confirmed that the incident did not impact other company entities and has informed affected customers.
An ongoing investigation revealed data access,
and the company is maintaining communication with impacted customers to provide information and assistance.
The attack, which occurred on January 17th,
is reportedly linked to the Cactus ransomware,
although Schneider Electric hasn't confirmed this.
Cactus, identified as a multipoint extortion group,
first appeared in March of 2023. Energy companies like Schneider Electric are attractive ransomware targets due
to their critical role in society and possession of valuable personal data. The company previously
fell victim to LockBit's MOVEit ransomware campaign in 2023. Insurance consulting and brokerage firm
Keenan & Associates is informing customers of a cyber attack from August 2023,
affecting over 1.5 million individuals. The breach was discovered on August 27th of last year due to
server disruptions and was quickly contained. The unauthorized access occurred intermittently
between August 21st and 27th, during which personal data was exfiltrated. The data includes
names, dates of birth, social security numbers, driver's license and passport numbers, health
insurance information, and general health details. While there is no evidence of misuse of the data,
the company has informed
the Maine Attorney General's Office of the breach and is offering two years of free identity
protection services. A report from AT&T Cybersecurity claims that Microsoft Teams chats
have emerged as a new phishing vector, leveraging the external access feature,
which allows users outside an organization to join chats.
The vulnerability was exploited recently
when an AT&T cybersecurity managed detection and response customer
reported an unsolicited Teams chat from an external user
to several internal members, suspected to be a phishing attempt.
The AT&T cybersecurity MDR SOC team, using provided user IDs,
identified target users and suspicious file downloads,
which were linked to DarkGate malware.
The proactive approach allowed the team to thwart the attack
before any significant damage occurred.
The Biden administration is set to enforce a new
requirement for AI system developers to disclose safety test results to the Commerce Department
under the Defense Production Act. The White House AI Council is reviewing progress on the executive
order, focusing on ensuring AI system safety before public release. While AI companies are committed to specific safety test
categories, a common standard for these tests is yet to be established. The National Institute of
Standards and Technology is tasked with developing a uniform framework for assessing AI safety.
The administration is also exploring congressional legislation and international collaboration for AI technology
management. The Commerce Department is drafting rules for U.S. cloud companies serving foreign
AI developers, and nine federal agencies have completed AI risk assessments for critical
national infrastructure. Security firm Resecurity has discovered nearly 1,600 compromised credentials of customers from major Internet registries like RIPE, APNIC, AFRINIC, and LACNIC on the dark web, originating from InfoStealer infections.
These credentials, including historical and new records identified in January 2024, belong to staff involved in network engineering and IT
infrastructure management. Despite notifying the victims and encouraging measures like password
changes and enabling two-factor authentication, 45% were unaware of the compromise and 20%
acknowledged the need for a deeper investigation. The compromised accounts,
valuable for cyber espionage, often used email accounts from free providers,
reportedly making them more susceptible to sophisticated malware or phishing campaigns.
Zscaler ThreatLabz reports that the ZLoader malware, an offshoot of the Zeus banking trojan, has resurfaced nearly two years after
its infrastructure was dismantled in April of 2022. A new variant of ZLoader, under development
since September of 2023, features significant changes including RSA encryption, an updated
domain generation algorithm, and 64-bit Windows compatibility. Previously distributed via
phishing emails and malicious ads, ZLoader's activities were significantly disrupted
after Microsoft's Digital Crimes Unit took over control domains. However, the latest versions
have added complexities like junk code and string obfuscation to evade analysis. The malware now encrypts its configuration
and relies on an updated domain generation algorithm for backup communication.
This development coincides with an increase in malware campaigns
using MSIX files and the rise of new stealer malware families
like Rage Stealer and Monster Stealer.
A cyber attack over the weekend targeted government
systems in Fulton County, Georgia, affecting various departments, including the office of
District Attorney Fani Willis, who is prosecuting former President Donald Trump on election
interference charges. The attack disrupted desktop phones, intranet, and county server-linked devices.
County Chairman Robb Pitts confirmed the incident as a cybersecurity issue with no specific time frame for restoration.
There's no evidence of sensitive data transfer,
and the FBI's Atlanta field office is in contact with county officials.
Coming up after the break, Microsoft's Ann Johnson speaks with United Airlines'
Deneen DeFiore, Vice President and Chief Information Security Officer. Stay with us.
at United Airlines. Here's part of their conversation. Today, I am joined by Deneen
DeFiore, Vice President and Chief Information Security Officer at United Airlines. Deneen is
an accomplished technology and risk management executive with experience across multiple
critical infrastructure sectors. She has developed expertise in advising global companies and their
most senior executives on technology, cybersecurity, compliance, and
digital risk-related decisions related to products, services, significant initiatives, and ongoing
operations. At United, Deneen is responsible for the leading of the cybersecurity organization to
ensure the company is prepared to prevent, detect, and respond to evolving cyber threats, as well as
commercial aviation cyber safety risk initiatives
and improving cyber resilience across the aviation ecosystem as the chairperson of the Aviation Information Sharing and Analysis Center, A-ISAC.
What's more, Deneen is passionate about diversity in tech and promoting STEM education.
Welcome to Afternoon Cyber Tea, Deneen.
Thanks, Ann. It's great to be here.
When you get on a plane, you expect to go where you're going on time, safely, etc.
But it's really complex, the operations that go on behind the scenes.
There's a lot of security, both physical and cyber considerations.
Can you tell us a little more about the scope and scale of security in aviation
and what that means for your role at United?
Sure. Yeah, air travel is amazing when you think about it. The technology, not just the
digital technology, but the ability and resiliency of the whole system is amazing. So from getting
safely to point A to point B, there's a lot that needs to go on. At United, if you think about it,
we are one of the largest commercial airlines. We're actually the world's
largest airline now, measured by available seat miles. We've got over 800 planes in our
fleet, in our mainline fleet, and over 500 in our regional fleet. And if you're following the news,
lots of airlines are adding to their fleet. We'll have about 700 new aircraft
introduced to our fleet by 2032.
So this historic unprecedented growth is amazing
and it's amazing to be part of that journey here at United.
But as that growth occurs,
the scope and complexity of digital risk
increases as well too.
So what we do and my team does at United
is really take a look at cybersecurity and digital risk management across that entire ecosystem and the whole business portfolio. and engineering for airworthiness requirements to also being a part of that collective defense
and risk management in the aviation ecosystem.
So the scope is really kind of the whole business portfolio
at the airline.
And if you think about it,
there's really that cybersecurity
and digital risk management aspect
in every part of the travel experience and the operation.
When you think about technology and you think about the
current landscape and you think about your industry, what are you excited about? What are
you thinking that could be really revolutionary for you? And then, you know, I hate the question,
what keeps you up at night, but what keeps you up at night? Sure. Yeah, there are so many innovations
happening within the aviation sector. And I'll just probably give you two examples. I think about generative AI,
that I'm very excited about that.
And I'm also, you know,
that keeps you up at night as well too,
because of just the pace of which the technology is moving.
But there's some really unique use cases
in the travel industry that we can use.
Everything to maybe your customer experience
be more safe and effective by using that technology
to personalization around your experience
based on dynamic changes that are happening to you at that moment.
If it's irregular operations concerning a weather event or a delay or whatever, using
generative AI to help that get you the most efficient, effective, and safe customer journey.
So those are really exciting things.
But there's also a lot of risks that go around with that as being a technology that is new,
that needs to be responsibly implemented and understanding the ways that it could be exploited
or misused or abused as well, too. So we're putting a lot of focus on that right now.
You can hear more of this conversation on the Afternoon Cyber Tea podcast hosted by Microsoft's Ann Johnson. That's right here on the CyberWire podcast network.
And finally, following up on yesterday's report,
a Spanish court acquitted British man Aditya Verma
of public disorder charges
after he jokingly told friends
he was going to blow up the plane
and claimed to be a Taliban member on a flight from London Gatwick to Menorca, Spain, in July of 2022.
The joke, made in a private Snapchat group, was never intended to cause distress.
UK security services, however, picked up the message and alerted Spanish authorities.
This led to the scrambling of two Spanish F-18 fighter jets and Verma's arrest upon landing,
followed by two days in police custody and release on bail.
The judge in Madrid ruled there was no evidence of a real threat
as no explosives were found.
Verma faced a potential fine and additional expenses
for the fighter jets if convicted.
The court emphasized that the joke was made in a private context
and Verma could not have anticipated it being intercepted.
The method of interception remains unclear,
and Gatwick Airport stated its Wi-Fi network doesn't have such capabilities.
Snapchat, while not commenting on this specific case, highlighted its cooperation with law enforcement in emergency situations involving threats to life.
We will leave it up to you to connect those dots.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector,
as well as the critical security teams supporting the Fortune 500
and many of the world's preeminent intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people.
We make you smarter about your team while making your team smarter.
Learn more at N2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester with original music by Elliot Peltzman.
Our executive producers are Jennifer Iben and Brandon Karp.
Our executive editor is Peter Kilby and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.