CyberWire Daily - Another day, another Blizzard attack.

Episode Date: January 25, 2024

Cozy Bear breaches Hewlett Packard Enterprise. An investigation reveals global surveillance based on digital advertising. Cisco patches critical vulnerabilities. Meta aims to enhance the online safety... of minors. iOS notifications are exploited for tracking. EquiLend’s systems go offline after a cyberattack. A DC theater faced a financial crisis after seeing its bank account drained. Critical infrastructure is targeted in Ukraine. The latest insights on ransomware. Guest Lance Hood joins us from TransUnion to share how fraud attacks on financial industry call centers are rising. And Teslas get pwned in Tokyo.

CyberWire Guest

Guest Lance Hood joins us from TransUnion to share how fraud attacks on financial industry call centers are rising.

Selected Reading

Hewlett Packard Enterprise tells SEC it was breached by Russia’s 'Cozy Bear' hackers (The Record)
Inside a Global Phone Spy Tool Monitoring Billions (404 Media)
Cisco Patches Critical Vulnerability in Enterprise Collaboration Products (SecurityWeek)
Instagram and Facebook will now prevent strangers from messaging minors by default (The Verge)
Research Reveals How iPhone Push Notifications Leak User Data (MacRumors)
Financial tech firm EquiLend says recovery after cyberattack ‘may take several days’ (The Record)
'No gift is too small' | GALA Hispanic Theater asking for donations after hackers drain bank accounts (WUSA9)
Ukrainian energy giant, postal service, transportation agencies hit by cyberattacks (The Record)
The 2024 Ransomware Threat Landscape (Symantec Enterprise Blogs)
Who pays, and why: A researcher examines the ransomware victim’s mindset (The Record)
Tesla Hack Earns Researchers $100,000 at Pwn2Own Automotive (SecurityWeek)
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Cozy Bear breaches Hewlett-Packard Enterprise. An investigation reveals global surveillance based on digital advertising. Cisco patches critical vulnerabilities. Meta aims to enhance the online safety of minors.
Starting point is 00:02:14 iOS notifications are exploited for tracking. EquiLend's systems go offline after a cyber attack. A DC theater faced financial crisis after seeing their bank account drained, critical infrastructure is targeted in Ukraine, the latest insights on ransomware. Our guest Lance Hood joins us from TransUnion to share how fraud attacks on financial industry call centers are rising, and Teslas get pwned in Tokyo. It's Thursday, January 25th, 2024. I'm Dave Bittner, and this is your CyberWire Intel briefing. Thank you for joining us today. It is great to have you here. Hewlett Packard Enterprise disclosed to the SEC that they suffered a data breach by Russia's Cozy Bear, also known as Midnight Blizzard or APT29.
Starting point is 00:03:28 The breach was reported on December 12 and involved unauthorized access to HPE's cloud-based email environment starting from May 2023. Cozy Bear is linked to Russia's Foreign Intelligence Service and has been responsible for significant cyber attacks, including the 2020 SolarWinds hack and the 2016 Democratic National Committee attack. HPE initiated an immediate response with external cybersecurity experts to investigate, contain, and remediate the incident.
Starting point is 00:04:01 The attackers targeted a small number of HPE mailboxes across various company functions. The company believes this incident is connected to a previous unauthorized access in June of 2023, involving a limited number of SharePoint files. Despite the breach, HPE reported no material impact on their operations or financial condition. They are continuing their investigation in collaboration with law enforcement and plan to notify affected individuals. This breach follows a similar incident at Microsoft, where Cozy Bear hacked senior leaders' email accounts starting in November of 2023. An investigation led by Joseph Cox at 404 Media has revealed that hundreds of thousands of common apps,
Starting point is 00:04:49 including 9GAG, Kik, and various caller ID apps, are part of a global surveillance system. This system begins with in-app ads and culminates in a mass monitoring tool called Patternz. That's Patternz, with a trailing Z, which is marketed to national security agencies. Patternz can track users' locations, hobbies, family members, and build extensive profiles. The surveillance capability stems from the real-time bidding data supply chain in digital advertising, involving both small ad firms and giants like Google. Patternz, created as a homeland security platform, can gather detailed information about individuals from app data, including GPS coordinates, app usage, phone type, and even the individual's
Starting point is 00:05:39 interests. This tool monitors on a massive scale, processing over 90 terabytes of data daily from about 600,000 apps. Unlike traditional app tracking, Patternz does not require direct involvement from app developers. Instead, it operates through ad networks and platforms integrated into the apps. Google and PubMatic have severed ties with the company linked to Patternz following queries from 404 Media. Despite this, the investigation raises significant concerns about the misuse of advertising technology for government surveillance and the lack of oversight in data sharing within the real-time bidding ecosystem. Cisco has released patches for a critical vulnerability in several of its Unified Communications and Contact Center Solutions products.
Starting point is 00:06:32 This flaw arises from improper processing of user-provided data, which can lead to arbitrary command execution with web services' user privileges. Attackers exploiting this vulnerability could potentially gain root access to devices. Meta is implementing new measures it claims will enhance the online safety of minors on Instagram and Facebook Messenger. The updates will automatically restrict users under 16 or under 18 in certain regions
Starting point is 00:07:03 from receiving messages or being added to group chats by individuals they don't follow or aren't connected with. These rules apply to all users, regardless of age, expanding beyond the previous limitations that only affected adults over 19. Instagram will notify users about these changes through a message in their feed. Additionally, Meta is enhancing parental supervision tools on Instagram. Parents will now have to approve or deny their child's request to change safety and privacy settings, giving them direct control over whether their child can switch their profile from private to public. Furthermore, Meta is developing a feature to shield users from receiving unwanted or inappropriate images and messages, even in
Starting point is 00:07:52 encrypted chats. This feature aims to protect users from such content from people they are already connected with and discourage senders from sharing this kind of material. While there's no set launch date, more details are expected later this year. Security researcher Tommy Mysk has revealed that several popular iOS apps, including TikTok, Facebook, Twitter, LinkedIn, and Bing, are covertly using iPhone push notifications to send data about users. These apps are using the short background execution time allowed for notification customization to transmit analytics information. This practice bypasses iOS's usual limitations on background app activities, which are in place to protect user privacy and optimize device performance.
Starting point is 00:08:49 The data sent includes unique device information for fingerprinting, a technique for creating user-specific identifiers based on hardware and software configurations. This identifier can track user activities across different apps for purposes like targeted advertising. Apple, which traditionally opposes fingerprinting, plans to require developers to justify their need for access to APIs commonly used for this purpose in an upcoming release. EquiLend, a financial technology firm established by major global financial institutions, has experienced a cyber attack, leading to several of its systems going offline. The company, which plays a key role in the securities finance industry with its NGT platform, handling over $2.4 trillion in transactions monthly, identified the issue on January 22nd
Starting point is 00:09:39 and later confirmed it as a cyber attack. Immediate steps were taken to secure systems, and efforts to restore services are ongoing, with external cybersecurity firms assisting in the investigation and recovery. Clients have been informed that the recovery process may take several days. During this downtime, financial institutions may need to resort to manual processes. The GALA Hispanic Theater in northwest Washington, D.C. faced a financial crisis after hackers drained its bank account on January 11, stealing over $250,000. The cyber attack severely impacted the theater's operations, leaving them unable to pay their artists and crew. The recovery process for
Starting point is 00:10:26 the stolen funds was expected to be lengthy, with the theater's bank indicating it could take up to eight months. However, following widespread media coverage, the theater's bank has agreed to restore access to their funds. Turning to Russia's war on Ukraine, several state-owned Ukrainian critical infrastructure companies, including the National Postal Service provider, Ukraine's largest state-owned oil and gas company, and the State Railway, have reported cyberattacks on their systems. The National Cyber Army, a Russian group of cyber volunteers, claimed responsibility for an attack on Ukraine's transportation safety agency, but did not mention the other incidents. This wave of cyber attacks follows recent attacks on Ukraine's online bank Monobank and the largest telecom operator Kyivstar, both attributed to Russian state-sponsored hackers. The aim of these attacks appears to be causing disruption, psychological impact, and intelligence gathering. The ransomware threat landscape is detailed in a
Starting point is 00:11:32 report by the Symantec ThreatHunter team. The report notes a pivotal shift in attack strategies, with cybercriminals now favoring the exploitation of vulnerabilities in public-facing applications over using botnets. Additionally, there's a growing trend of attackers using legitimate software and operating system features, particularly within the Windows environment, employing tools like PsExec, PowerShell, and WMI. This living-off-the-land technique is complemented by the introduction of remote desktop and administration software into targeted networks. Notably, the Snakefly group, also known as Clop, has showcased a novel extortion approach by exploiting zero-day vulnerabilities in enterprise software to simultaneously attack multiple organizations. Staying with ransomware, a study led by Tom Meurs from the University of Twente, which analyzed ransomware attacks in the Netherlands from 2019 to 2022,
Starting point is 00:12:34 found several key factors that influence whether a company is likely to pay the ransom. The study found that companies working with third-party incident response firms were more inclined to pay ransoms, with a significantly higher likelihood compared to those that only reported incidents to the police. Additionally, companies with insurance coverage tended to pay substantially higher ransoms, potentially due to the moral hazard posed by insurance. Interestingly, companies with data backups were less likely to pay, but when they did, their payments were higher than those without backups. This trend suggests
Starting point is 00:13:12 that companies with valuable data are more prepared for cyberattacks, yet face higher ransom demands. The study also observed that companies are more likely to pay ransoms in cases of data exfiltration, with these payments being considerably higher. Furthermore, IT companies, despite having higher rates of backups, were identified as lucrative targets for ransomware actors due to their critical role and the cascading impact of attacks on their clients. Coming up after the break, our guest Lance Hood joins us from TransUnion to share how fraud attacks on financial industry call centers are rising. Stay with us. Do you know the status of your compliance controls right now?
Starting point is 00:14:18 Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
Starting point is 00:14:43 like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Starting point is 00:15:32 Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. A report from TransUnion featured findings from their recent 2023 State of Omnichannel Authentication survey of call center organizations, aiming to help organizational leaders across
Starting point is 00:16:20 industries apply authentication to improve customer experience and fraud mitigation. Lance Hood is Senior Director of Authentication at TransUnion. Well, I think that there is generally not as much recognition of the role that call centers play within the overall fraud landscape as really the source for many account takeover attempts at your bank or at your gaming site. And part of the goal of the study is to really raise the visibility of both the risk that call centers represent and also some of the trends in how fraudsters are attacking organizations through call centers and how organizations are looking to mitigate those attacks. Well, let's dig into some of the details here. What are some of the things
Starting point is 00:17:18 from the report that caught your eye? Well, I think one of the most important things is that most organizations are still continuing to use relatively weak technologies to try to protect call centers. And the most common technology, and it might even be a stretch to call it technology, is interrogating people by asking them questions. And you've probably all been through that experience of, you know, what's your favorite pet and that type of thing. And that approach is just inherently weak because criminals are able to get the answers to most of these questions either through just scanning your social networking site where a lot of that personal information can be harvested, or there have been a number of data hacks. There are thousands of data hacks every year that end up distributing your financial information under the dark web. So fraudsters can get answers to many of these types of questions. And yet, according to the survey, still about two-thirds of organizations are only using this approach called knowledge-based
Starting point is 00:18:23 authentication to try to authenticate and determine someone is who they claim to be. Do you have any sense for what's holding them back from using more secure methods? Well, I think that there has been a trend over the past five to ten years of looking at the digital channels as the primary threat that needs to be protected. And so there's been a lot of investment into different technologies to improve authentication and risk assessment in the digital channels, such as the website or your mobile phone. There just has not been as much investment made in call centers. And that has been exploited by criminals. And the organization, many feel, and the survey reflects this, that call centers are really the main source of where account takeover fraud starts now.
Starting point is 00:19:13 So fraudsters are exploiting that lack of investment. Call centers are just not, as we would say, hardened against fraud as strongly as the digital channels. So they take advantage of that. And it's particularly challenging because call centers are staffed by humans and humans ultimately don't execute their role as well as software code does in the digital channel. And humans are often, someone explained to me once, people in call centers have the helping gene. They want to help. And that makes it easy to
Starting point is 00:19:42 manipulate them, what's called social engineering, in order to get them to do things they maybe shouldn't do in order to try to help out, such as maybe resetting the password on an account or changing the phone number on an account, even though that may not be the policy. So that human element makes call centers very attractive for the fraudsters. Are there any particular sectors that they're targeting here specifically? Did any organizations get hit more than others? Well, I think it all depends on the value of the asset that the account is protecting. So certainly the organizations that are in the financial services area, banks, credit card companies, wealth management companies, are much more attuned to those risks. And they tend to have adopted some of the technologies that can protect call centers more rapidly than some of the other segments have. But it is important to note that fraudsters are clever. They almost have a networking approach sometimes to these account takeovers.
Starting point is 00:20:47 So they may attack a life insurance company or a health insurance company in order to gather personal information about an intended victim and then use that information to actually take over that victim's account at their bank or their credit union. It's important for all sectors that either have valuable data or are protecting valuable assets to really be conscious of the vulnerability they may have within their call centers. Help me understand here. I mean, is what I'm hearing that, you know, let's say I'm a consumer
Starting point is 00:21:18 and I'm doing business with a company that has a call center that I may have put the effort into securing things on my mobile phone or the ways that I interact with them online, but that call center could be hanging out there even if I don't use it and it might be vulnerable for folks going after my accounts. That's absolutely right.
Starting point is 00:21:39 And the fraudsters really kind of employ two different overall strategies. One strategy is to try to call into the call center directly and to basically social engineer, manipulate an agent into giving them access to an account. There's another rising trend that we see, which is they'll take those social engineering skills and they'll actually target them directly at the victim. They will call the victim and claim that they're actually calling from their bank and that there is some unusual activity on their account. And before they can proceed to address that, they need to verify the authenticity of the person they've called and they're going to send them a one-time passcode. But what they're actually doing in the background is they're either going to have a partner on a phone call with the call center,
Starting point is 00:22:28 or they are on the website and they're about ready to trigger that step that we always see, we're going to send you that one-time passcode through a text message. So they'll trigger that. And even though that message says, we'll never call you and ask you for this number, that victim is already stressed out thinking that their accounts have been taken over. They'll read that number back to the fraudster. The fraudster will use that code to actually take over the account. So those social engineering skills
Starting point is 00:22:54 that historically were really targeted at agents are now actually being used to target much more vulnerable consumers of banks and other organizations. So what are the recommendations here based on the information that you all have gathered in this report here? What do you suggest? Well, I think that the current technologies, which rely, as I said, heavily on knowledge-based authentication, need to be replaced. And we need to look at other technologies to do that.
Starting point is 00:23:22 Certainly one that we think is very powerful is to look at the way phone calls are actually made into call centers in order to determine if that's really a legitimate caller calling in or potentially a fraudster. And the background to that really is that criminals, you know, they're motivated to steal something, but also they're motivated to not get caught. And that's why they will always seek to be anonymous and untraceable. So just as an example, if somebody robs a bank, they'll wear a mask into the bank in order to be anonymous, and they'll change the license plates on the getaway car to be untraceable. Turns out, if you're trying to commit a crime by taking over someone's account at that same bank, you're going to want to make a phone call in a way that you're anonymous
Starting point is 00:24:05 and untraceable. And so criminals will do things like spoof phone numbers. They'll use a tool that you can download from the internet and fake the phone number that you're calling from. They'll use services like virtualized call services. Think of Google Voice or Skype, for example. These services, you can make phone calls from anywhere in the world on millions of different devices. So you basically can't get caught. And so if we look at how a phone call is being made, and we can actually inspect that phone call from the originating device into a call center to establish whether it's legitimate or not, and look at other factors, is it a virtualized service making that call?
Starting point is 00:24:44 Is there identity data associated with that phone number? Again, all of us who've used our phone numbers for a long time, we will tend to associate that phone number with a lot of identity data. And if we examine for a phone number how much identity data there is, guess what? Fraudsters almost always have zero. Nothing is attached to that phone number. So there are many things we can do in order to look at how the call is made into a call center to determine if it's being made in a trustworthy
Starting point is 00:25:10 way, like a legitimate customer, or in a much more risky manner as a fraudster would do. So that's, and what's nice about that also is you can make that assessment as soon as the phone call is answered by an organization. And therefore, immediately understand whether you're dealing probably with a trustworthy call or a risky one. You can arm your agents accordingly to be more on guard for those risky callers. And correspondingly, if you have a trustworthy caller, give them a great experience. Reduce the amount of authentication friction they have to go through. Increase their permissions. Let them make the kind of transactions they want on them.
Starting point is 00:25:48 So give better treatment to legitimate callers and very quickly flag those risky callers for the fraud team to look at. That's Lance Hood from TransUnion. Thank you. We're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And finally, at the Pwn2Own Automotive event held alongside the Automotive World conference in Tokyo, the Synacktiv team has taken a notable lead, earning $430,000 in the first two days,
Starting point is 00:27:14 with significant achievements in exploiting Tesla vehicles. On day one, they successfully hacked the Tesla modem, earning them $100,000, followed by another $100,000 on day two for breaching the Tesla infotainment system. Additionally, they secured $35,000 for exploiting Automotive Grade Linux using a three-bug exploit chain. Other participants also earned notable rewards, though smaller in comparison. Successful exploits of Phoenix Contact, ChargePoint, Autel, and JuiceBox EV chargers each garnered $30,000. Hacks involving the Alpine infotainment system and a particularly successful Autel EV charger exploit were awarded
Starting point is 00:28:00 $20,000 each. Lower bounties ranging from $10,000 to $15,000 were given for partially successful EV charger and infotainment exploits, especially those involving previously known vulnerabilities. The event's final day includes seven attempts to hack EV chargers and two infotainment system exploits. This inaugural automotive-focused Pwn2Own has already seen payouts exceeding $1 million in just its first two days. It goes to show that no matter how fast a Tesla may be, it still cannot outrun the speed of the Synacktiv hacking team. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email
Starting point is 00:28:58 us at cyberwire at n2k.com. We're privileged that N2K and podcasts like The Cyber Wire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies.
Starting point is 00:29:20 N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I'm Dave Bittner.
Starting point is 00:29:47 Thanks for listening. We'll see you back here tomorrow. Thank you. that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
