CyberWire Daily - AI ain’t misbehavin’, except when it does. Also, privateers and hacktivist auxiliaries get busy.
Episode Date: October 25, 2023

Teaching AI to misbehave. Ransomware's effect on healthcare downtime. Two reports on the state of cybersecurity in the financial services sector. Possible connections between Hamas and Quds Force. Ukrainian cyber authorities report a rise in privateering SmokeLoader attacks. Russian hacktivist auxiliaries strike Czech targets. My conversation with Sherrod DeGrippo, host of The Microsoft Threat Intelligence Podcast. Jay Bhalodia from Microsoft Federal shares insights on multi-cloud security. And Winter Vivern exploits a mail service 0-day.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/204

Selected reading.
AI vs. human deceit: Unravelling the new age of phishing tactics (Security Intelligence)
Ransomware attacks on US healthcare organizations cost $20.8bn in 2020 (Comparitech)
Cyberattack at 5 southwestern Ontario hospitals leaves patients awaiting care (CBC News)
State of Security for Financial Services (Swimlane)
Veracode Reveals Automation and Training Are Key Drivers of Software Security for Financial Services (Business Wire)
Hamas’ online infrastructure reveals ties to Iran APT, researchers say (CSO Online)
Hamas Application Infrastructure Reveals Possible Overlap With TAG-63 and Iranian Threat Activity (Recorded Future)
Ukraine cyber officials warn of a ‘surge’ in Smokeloader attacks on financial, government entities (Record)
Bloomberg: Russia steps up cyberattacks to disrupt Ukraine’s key services (Euromaidan)
Pro-Russia group behind today’s mass cyberattack against Czech institutions (Expats.cz)
Winter Vivern exploits zero-day vulnerability in Roundcube Webmail servers (We Live Security)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer. Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. Air Transat. Travel moves us.
Hey, everybody. Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me. Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout. That's joindeleteme.com/n2k, code N2K.
Teaching AI to misbehave. Ransomware's effect on healthcare downtime. Two reports on the state of cybersecurity in the financial services sector. Possible connections between Hamas and Quds Force. Ukrainian cyber authorities report a rise in privateering SmokeLoader attacks. Russian hacktivist auxiliaries strike Czech targets. My conversation with Sherrod DeGrippo, host of the Microsoft Threat Intelligence Podcast. Jay Bhalodia from Microsoft Federal shares insights on multi-cloud security. And Winter Vivern exploits a mail service zero-day.
I'm Dave Bittner with your CyberWire Intel briefing for Wednesday, October 25th, 2023.

Researchers at IBM X-Force Red outline ways in which legitimate generative AI tools like ChatGPT can be tricked into creating malicious output like phishing email templates. With only five simple prompts, they successfully manipulated a generative AI model to produce highly convincing phishing emails within just five minutes. Their team usually spends approximately 16 hours crafting a phishing email, excluding infrastructure setup. Consequently, attackers could potentially save almost two days of work by utilizing generative AI models. The phishing email generated by AI was incredibly persuasive, nearly matching the quality of those created by experienced social engineers. This close resemblance marks a significant advancement in the technology. The researchers tested the AI-generated phishing lure against a template crafted by humans and found that the human-made template was slightly more effective at deceiving recipients. That said, the AI doesn't need to be excellent. It just needs to be good enough.
Comparitech has studied the effects of ransomware on healthcare organizations. They've found that the downtime caused by these attacks has cost the U.S. economy $77.5 billion since 2016. The researchers state medical entities suffered an average downtime of nearly 14 days following an attack. So far, 2023 has reported the highest average downtime at 18.7 days, closely followed by 2022, which was just under 16 days. Based on these figures, ransomware attacks may have caused 6,300 days or 17.4 years of downtime. They add, the cost of downtime to medical organizations over the past three years is estimated at $9.4 million for 2021, $16.2 million for 2022, and $15.5 million so far in 2023. None of these figures exceed 2020's, however, with an estimated $19.3 million lost to downtime.

There's an ongoing attack against hospitals in Ontario, where five facilities report disruptions that have delayed patient care. CBC reports that the hospitals share a common IT provider, TransForm, which CBC describes as a non-profit founded by the hospitals to run IT, supply chain, and accounts. The incident remains under investigation and details remain unclear, but there's no lack of clarity about the extent of the disruption. It's been a problem.
A report by Swimlane on the state of cybersecurity in financial services finds that 20% of respondents have had at least one breach with a total cost of $5 million in the past 12 months. Additionally, 42% of respondents had a breach that cost at least $1 million in the past year. The top threats seen by financial services organizations are phishing, ransomware, cloud security threats, and insider threats. The report notes, the impact of successful cyber attacks is assessed differently depending on the type of financial institution. Wealth management and investment banks rate downtime as the largest concern associated with cyber breaches, but retail banks, whose customers can more easily change service providers, are more concerned with loss of reputation and customer trust.

Another look at the sector comes from Veracode, which this morning released a report looking at the key factors influencing flaw introduction and accumulation in the financial services sector. The researchers found that while nearly 72% of applications in the financial services sector contain security flaws, this is the lowest of all industries analyzed, and an improvement since last year. So, while there's work yet to be done, on balance and compared to other sectors, financial services organizations have upped their game, probably with the help of government regulation.

Recorded Future's Insikt Group has found an application distributed over Telegram and used by Hamas operators. The application is configured to communicate with Hamas' Izz ad-Din al-Qassam Brigades' website. Infrastructure analysis associated with the website led to the identification of a cluster of domains that mimic the domain registration tradecraft of TAG-63, also known as Arid Viper, APT-C-23, or Desert Falcon. That's a cyber group that they believe operates at the behest of the Hamas terrorist organization. The Quds Force, a unit of Iran's Islamic Revolutionary Guard Corps, is known to provide cyber technical assistance to Hamas, and the Insikt Group thinks it's likely they're doing so in this case.
Russia has stepped up cyber attacks directed against Ukraine and Ukraine's international supporters. Some have been financially motivated, others aiming simply at disruption. Kyiv's National Cybersecurity Coordination Center reported Tuesday that it was investigating an increase in Russian criminal attacks using SmokeLoader malware. The NCCC explicitly characterizes the threat actors as financially motivated cybercriminals. Effectively, that makes them privateers who supplement the efforts of the Russian intelligence and security services and of the hacktivist auxiliaries those services direct. SmokeLoader is commodity criminal malware bought and sold on the C2C market. The Record notes that it trades in underworld markets from $400 for the basic model up to $1,650, nicely loaded. The NCCC's full report, available in both Ukrainian and English language versions, explains that a variety of Russian criminal groups are using SmokeLoader and that in some cases they've achieved their payoff by diverting funds from online transactions. The report includes a set of indicators of compromise and advice to organizations on how they might present the privateers with a harder target.
Expats.cz reports that hacktivist auxiliaries have been engaged in disruptive attacks against Czech targets. DDoS attacks interrupted online services at the Prague airport, the Czech interior ministry, and the Chamber of Deputies. Researchers at the security firm Avast note that the use of the DDoSia platform points clearly to NoName057(16), the well-known Russian hacktivist auxiliary. The attacks were apparently intended as retaliation for Czech support for Ukraine at the Crimea Platform Summit, which met in Prague on Tuesday. It's worth noting that the attacks achieved no more than the familiar nuisance results, neither compromising data nor interrupting operations.

ESET warns that the Winter Vivern threat actor has been exploiting a cross-site scripting zero-day vulnerability in the Roundcube webmail server since October 11, 2023. Roundcube released patches for the flaw on October 16. Winter Vivern used the flaw to conduct cyber espionage operations against European government entities and a think tank. The researchers don't attribute Winter Vivern to any particular nation state, but they do note that it may be tied to the Belarus-aligned threat actor MoustachedBouncer. ESET concludes, despite the low sophistication of the group's toolset, it is a threat to governments in Europe because of its persistence, very regular running of phishing campaigns, and because a significant number of internet-facing applications are not regularly updated, although they are known to contain vulnerabilities. So, unsophisticated, espionage-focused, and targeting European governments. Circumstantially, that sounds like Belarus. Belarus, it should be noted, is one of two unambivalent supporters of Russia's war against Ukraine. The other is North Korea, and that's hardly the company one wants to keep, regardless of how epic their mustache may be.
Coming up after the break, my conversation with Sherrod DeGrippo, host of the Microsoft Threat Intelligence Podcast, and Jay Bhalodia from Microsoft Federal shares insights on multi-cloud security. Stay with us.

Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.
And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
As federal agencies have adopted multiple clouds for their analytic and compute capabilities, a strong security strategy has been a critical necessity. Jay Bhalodia is Managing Director for Security and Customer Success at Microsoft Federal, and in this sponsored Industry Voices segment, he shares insights on the multi-cloud experiences of stakeholders in the federal space.
For our federal customers, they're all invested in a multi-cloud strategy. When you look at directional signal, for example, like the Department of Defense announcing the Joint Warfighting Cloud Capability, or JWCC, that contract was announced in December. It's a major step and signal that the federal government, the DoD, is in a multi-cloud journey. As we look across the full landscape of our federal customers, whether they're in the civilian space, the DoD space, or the intelligence space, they all have a strategy that includes engaging with multiple cloud vendors, and Microsoft is pleased to be one of those cloud service providers providing that support to the customer.
Can we go through some of both the opportunities and the challenges for organizations that are embracing a multi-cloud approach?
Yeah, absolutely. You know, one of the lenses that I'm going to look at that is because of where I sit, I'm going to look at that in the context of security. You know, the customers have determined and made a decision to go down a multi-vendor, multi-cloud service provider model. There are great opportunities to use a set of capabilities that are unique to each cloud, provide opportunities for mission, for their business, and really accelerate the transformation of the services, how efficiently, how effectively they can provide those. And at the same time, when you look at it from a security lens, anytime you increase complexity of your digital estate, it's an opportunity for attack surface. It's an opportunity for an adversary to leverage a weakness in one place to be able to move across your entire estate. So there are opportunities for greater transformation, greater services, greater capabilities to the citizens that our federal customers serve. And through that process, there are also opportunities for us to strengthen security if done correctly. If not done correctly, there are opportunities and disadvantages to creating more gaps for our adversary.
As one of the major players in this space, how do you approach the reality of a multi-cloud environment that your customers want to work with you but also with other providers, and it's in your best interest to make that as frictionless as possible?
It's a great question. One of the things about Microsoft is we're not only a cloud service provider, but we're also a security vendor. And so it's very natural for us to look at the broader landscape of our customers. As a cloud service provider with Azure, we're operating capabilities and we're protecting the customer on our premises. As an industry-leading security vendor, we've been providing and protecting the customers on their premises for a long time. And it's just natural for us to extend into protecting the customers in other clouds. So we've been in that multi-vendor responsibility set for a while. We've secured and defended Linux, iPhones, the IoT devices that are sitting on your network, which you may or may not even know about. But we also have the opportunity to take our Azure security capabilities, not just to secure Azure, but to be able to provide that across all various cloud platforms.
Could you give us some examples of some of the common operational models that you all see here?
Yeah, that's a great question.
Our customers, they benefit from having this common view into the operational picture. When you look at something like identity, is your user the same person on their laptop as they are on the server when they're there, as they are in your cloud properties, whether that's Azure, GCP, AWS. So without an effective multi-cloud strategy, you turn multi-cloud into multiple silos. And so for Microsoft, I think identity is a big area of consideration there. We recently released our digital defense report, and that is looking across all the signals and telemetry we get as one of the largest cloud service providers. And one of the things that really stood out to me is the tenfold year-over-year increase in password-based attacks. So attackers are getting increasingly focused on the identity-based attacks. And so when you have these multi-clouds, including your premises, you potentially can create identity silos across your premises, across your enterprise. You increase your attack surface for those identity-based attacks. With the permission models being what they are, if you get compromised in one of these silos, the attacker is looking to pivot across your entire digital estate. So this kind of creates a nightmare, not only of surface, but it also creates a situation where your SOC analysts and your responders, when minutes matter, they're sitting there correlating, was this the right person, was this the same person? So building a multi-cloud identity strategy, I think that is a critical aspect to building a multi-cloud strategy in general.
I'm wondering if you could give us a little view behind the scenes here. It's my understanding that while organizations like Microsoft and the other major cloud providers are healthy competitors, there's a good amount of collaboration that goes on behind the scenes, particularly when it comes to security.
I love that question. I'm a big believer in all of us are better than one of us. Like we just talked about, attackers don't limit their attacks to a compliance boundary or a cloud boundary. In fact, they look for greater opportunities to exploit across these clouds. Really proud of Microsoft in this space. We've been an industry leader. It was almost seven years ago that our president, Brad Smith, stood on stage at RSA and talked about a digital Geneva Convention. The foundation of that was greater collaboration across industry. So I also appreciate the partnership and the leadership from government, whether that's CISA providing the Joint Cyber Defense Collaborative, better known as JCDC, or whether that's the acting national cyber director, Kemba Walden, showing up at DEF CON to meet industry, to meet our security research folks. There's a lot of leadership from our government entities pulling all of industry together. But we've also seen industry partnership too, independent of leadership from government. I really appreciate stories. There's a recent HTTP DDoS attack, one of the largest in history, and all the cloud service providers, including Microsoft, were involved in how do we work together and how do we share this information, this telemetry, and so we can protect the internet whole. You know, at the end of the day, if one of our cloud service providers comes back and says, hey, customer, if we say Azure wasn't breached, but their other cloud service provider was, that's not a win for our customer. And I think as service providers, we see that there is that to make our customer successful, we have to meet them where they are and we have to be able to partner together.
That's Jay Bhalodia, Managing Director for Security and Customer Success at Microsoft Federal.
It is my pleasure to welcome to the podcast Sherrod DeGrippo. She is the host of the Microsoft Threat Intelligence Podcast right here on the Cyber Wire Network. She is also Director of Threat Intelligence Strategy at Microsoft. Sherrod, thank you so much for joining us today.
Hey, Dave. I'm so happy to be here. This is so cool.
Well, let's start with the beginning here. What prompted your desire to host the Microsoft Threat Intelligence Podcast?
Well, I started at Microsoft earlier this year. I've been in information security for 19 years. And Microsoft has always had that mystique of what are they doing back there? What's going on? What does it look like behind the scenes? And I was really lucky because my leadership was super supportive of, hey, let's tell the stories about the threat actors. And let's tell the stories of the threat intelligence analysts, security researchers, incident responders that are doing this work day to day. And it's been fascinating finding out what goes on.
Well, describe to me what the breadth is of the things that you're hoping to cover here on the show.
Primarily, we want to talk about what's going on in the threat landscape. Like, what are the threat actors doing? What are they thinking? What is their next move? Why do they do the things that they do? And then understanding what drives the individual analysts and researchers that are doing threat intelligence and security work at Microsoft every day. It's really interesting. Some of them are driven by worry. Some of them are driven by the puzzle, the game, the mystery. It's interesting hearing the way that each of them have a point of view on the threat actors that they chase every day.
I was listening to one of the recent episodes. This was episode two, Incident Response with Empathy. And that word empathy really caught my eye here. Why focus on that?
Well, that guest is Matthew Zorich from Microsoft Incident Response. He's an incident responder on that side of the house. And he really approaches his work with this extreme empathy for people who can't necessarily do a lot of this themselves. A lot of free tools, guides, workflows for organizations that maybe don't have the ability to call in Microsoft's top tier incident response teams to drop in out of a helicopter and come in and take over. He really thinks about those smaller organizations, the small businesses. And a lot of what he does is takes those practices from his large enterprise engagements and provides some guidance to help secure small and medium business and individuals that I found really fascinating.
Can we dig in a little bit on empathy itself? I mean, I have a sense that empathy is kind of having a moment right now in cybersecurity that folks, well, I mean, I think it's fair to say it's been a long time coming, but I feel like I'm seeing more and more of an emphasis on it and an acknowledgement that, you know, this isn't just ones and zeros, but this human side is critical as well. Is that your experience?
That is my experience. And I want that to be more of my experience. I love it. I think people really understand in security, the impact that they have, and they see day-to-day the impacts that breaches and incidents have on the victims. And, you know, in security, a lot of us are, you know, driven by anxiety, driven by paranoia, driven by, you know, this weaponization of our own kind of clinical focus on what could go wrong. And I think that we've really come to empathize with some of those victims. And I think that's really healthy and important.
Yeah. What has your own journey been like since you've joined Microsoft here? I mean, as I think you alluded to, Microsoft is huge, one of the most major players in the industry, been around a long time. What's it like for an individual to join an organization of that size?
That's definitely been an interesting experience. I think the overwhelming theme has been, wait, what? I say that about 10 times a day. What? We do what? Everything from telemetry on every possible source you could think of. We've got so much telemetry, everything from Bing to host-based, network-based. We've got cloud, we've got email, we've got telemetry coming from every direction. And the question is always, how do we leverage that telemetry to make our customers safer and more informed about the threat landscape, what threat actors are doing, creating intelligence? It's quite a firehose, obviously. But I think what people suspect who've never worked at Microsoft and can see, the people here are super, super smart. And they're really focused, especially in the threat intelligence org, they're really focused on making people safer, whether it's consumer, enterprise, the network as a whole, the internet as a whole. Everybody wants to do the right thing. And there's just a lot, lot more people than I'm used to doing it.
Well, you've got some interesting guests coming up. Can you give us a little bit of a sneak preview of some of the things we can look forward to?
Sure. We're going to release next, in addition to the three that are up already, we've got a focus on the Typhoon threat landscape actors, which are primarily based out of China. And a look at what that landscape is doing, is going to do. We focus on several threat actor groups, and China is one that we're always watching. So we've got that coming up next. We're also doing some deep dives with some detection engineers where we watch the movie Heat, and we kind of talk about some of the social engineering from the classic Michael Mann film that is really, in my opinion, the best threat actor psychology that you can see on display. Because, I mean, it's got Robert De Niro, Al Pacino. Like, it's got incredible actors. But they really expose their inner thoughts as criminals. One last heist. Doing it for whatever reasons they're doing it for. And so we kind of watch some scenes in the movie and talk about, you know, how does this apply, for example, to the social engineering landscape in email? And in one case, you know, Robert De Niro is a masterful social engineer.
Well, the podcast is the Microsoft Threat Intelligence Podcast and its host is Sherrod DeGrippo, Director of Threat Intelligence Strategy at Microsoft. Sherrod, thank you so much for joining us.
Thanks for having me, Dave. Good to talk to you.
Thank you.
by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
With TD Direct Investing, new and existing clients could get 1% cash back. Great! That's 1% closer to being part of the 1%! Maybe, but definitely 100% closer to getting 1% cash back with TD Direct Investing. Conditions apply. Offer ends January 31st, 2025. Visit td.com/dioffer to learn more.

And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like The Cyber Wire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com.
This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you.

practical, and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.