CyberWire Daily - Authorities bring down another hacker.
Episode Date: October 17, 2024

Brazilian authorities arrest the alleged “USDoD” hacker. The DoJ indicts the alleged operators of Anonymous Sudan. CISA and its partners warn of Iranian brute force password attempts. A new report questions online platforms’ ability to detect election disinformation. Recent security patches address critical vulnerabilities in widely-used platforms. North Korean threat actors escalate their fake IT worker schemes. CISA seeks comment on Product Security Bad Practices. Dealing effectively with post-breach stress. Tim Starks, Senior Reporter at CyberScoop, joins us to discuss “What’s new from this year’s Counter Ransomware Initiative summit.” Redbox DVD rental machines get a reboot.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
We welcome back Tim Starks, Senior Reporter at CyberScoop, to discuss “What’s new from this year’s Counter Ransomware Initiative summit, and what’s next.”

Selected Reading
Hacker allegedly behind attacks on FBI, Airbus, National Public Data arrested in Brazil (The Record)
Two Sudanese Nationals Indicted for Alleged Role in Anonymous Sudan Cyberattacks on Hospitals, Government Facilities, and Other Critical Infrastructure in Los Angeles and Around the World (US Department of Justice)
Iranian Hackers Using Brute Force on Critical Infrastructure (GovInfo Security)
Before US election, TikTok and Facebook fail to block harmful disinformation. YouTube succeeds (Global Witness)
F5 BIG-IP Updates Patch High-Severity Elevation of Privilege Vulnerability (Security Week)
Cisco Patches High-Severity Vulnerabilities in Analog Telephone Adapters (Security Week)
GitHub patches critical vulnerability in its Enterprise Servers (CyberScoop)
North Korea Escalates Fake IT Worker Schemes to Extort Employers (Infosecurity Magazine)
CISA Seeks Feedback on Upcoming Product Security Flaws Guidance (Infosecurity Magazine)
Helping Your Team Cope With the Stress of a Cyber Incident (BankInfo Security)
Tinkerers Are Taking Old Redbox Kiosks Home and Reverse Engineering Them (404 Media)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Brazilian authorities arrest the alleged USDoD hacker.
The DOJ indicts the alleged operators of Anonymous Sudan.
CISA and its partners warn of Iranian brute force password attempts.
A new report questions online platforms' ability to detect election disinformation.
Recent security patches address critical vulnerabilities in widely used platforms. North Korean threat actors escalate
their fake IT worker schemes. CISA seeks comments on product security bad practices. Dealing
effectively with post-breach stress. Tim Starks, senior reporter at CyberScoop, joins us to discuss
what's new from this year's Counter Ransomware Initiative Summit. And Redbox DVD rental machines
get a reboot.
It's Thursday, October 17th, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today. It is great to have you with us.
Brazilian authorities recently arrested a hacker allegedly linked to the alias USDoD who is accused of multiple high-profile cyber attacks.
The individual was behind breaches of the FBI's InfraGard platform,
which connects law enforcement with private critical infrastructure organizations,
as well as attacks on Airbus, the U.S. Environmental Protection Agency, and others.
The hacker also claimed to have leaked a vast database with nearly 900 million social security numbers from U.S. background check firm
National Public Data. The arrest follows Operation Data Breach, a Brazilian federal police initiative
investigating breaches of their own systems and international targets.
The suspect, whose identity was linked to one Luan G., a 33-year-old man from Minas Gerais,
Brazil, admitted responsibility for the attacks in a public statement. He had long been under investigation by cybersecurity firms like CrowdStrike, which shared their findings with Brazilian authorities.
In a public confession, Luan acknowledged his defeat
and expressed readiness to face the consequences of his actions.
The suspect's activities included selling sensitive data
from breached organizations
and boasting of his involvement in cyber intrusions.
The operation to arrest him is part of a broader effort by Brazilian authorities
to crack down on cybercrime.
The U.S. Department of Justice has indicted two Sudanese nationals
for operating the cybercriminal group Anonymous Sudan,
responsible for launching over 35,000 DDoS attacks against U.S. and global targets.
These attacks impacted critical infrastructure, corporate networks, and government agencies,
including the FBI, Department of Justice, Microsoft, and Cedars-Sinai Medical Center.
Some attacks caused significant disruptions,
including shutting down Cedars-Sinai's emergency department for eight hours.
In March of this year, U.S. authorities seized and disabled the group's DDoS tool
as part of a coordinated international law enforcement effort.
The indictment alleges that the group not only performed these attacks
but also sold access to their DDoS tool
enabling other criminal actors to launch further assaults.
Anonymous Sudan's
attacks, conducted through a tool known as Godzilla, resulted in over $10 million in
damages to U.S. victims. The group's platform targeted critical sectors such as health care,
government, and private companies, causing prolonged outages and operational damage.
The FBI, with assistance from international law enforcement agencies and private sector partners,
took down the group's infrastructure as part of Operation Power Off,
the operation focused on dismantling global DDoS-for-Hire networks.
A joint cybersecurity advisory from CISA, the FBI, NSA, and other international authorities
warns that Iranian cyber actors are increasingly using brute force methods like password spraying
and push bombing to target global critical infrastructure sectors.
These attackers focus on healthcare, government, IT, and energy sectors to steal credentials
and gain deeper access to
systems. The advisory highlights that Iranian actors have exploited MFA vulnerabilities and
sold stolen credentials, urging organizations to enhance security by implementing phishing-resistant
MFA and monitoring for suspicious logins and behaviors. An investigation from the non-profit NGO Global Witness
tested YouTube, Facebook, and TikTok's ability to detect election disinformation.
Results showed mixed performance.
TikTok performed the worst, approving 50% of disinformation ads
despite a ban on political content.
Facebook improved significantly, rejecting 7 out of 8 ads,
though one containing false election information was accepted.
YouTube flagged half of the ads but required additional identification before publishing,
leaving room for improvement. The report says that social media platforms, especially TikTok,
must enhance their content moderation systems to prevent election disinformation,
especially with the 2024 U.S. presidential election looming.
We've got a roundup of recent security patches addressing critical vulnerabilities in widely
used platforms. A vulnerability in GitHub Enterprise Servers SSO and SAML authentication
could allow an attacker to bypass protections and impersonate users.
The flaw affects versions up to 3.10.4 and has been patched in newer releases.
Cisco issued fixes for high-severity flaws in its analog telephone adapters,
potentially allowing remote attackers to launch code execution or denial-of-service attacks.
And F5 patched a high-severity privilege escalation vulnerability in its Big IP product
that could allow attackers with restricted access to elevate privileges
and gain control of systems.
As always, patch them if you got them.
North Korean threat actors, notably the Nickel Tapestry Group,
have escalated their attacks in their fake IT worker schemes, according to SecureWorks.
These actors, previously focused on collecting paychecks, now engage in data theft and extortion.
In one case, a contractor quickly stole proprietary data and demanded a ransom from their former employee, threatening to publish the data online.
This shift raises the risk for companies employing North Korean IT workers, who now seek larger sums through rapid data theft.
Tactics include using personal laptops,
rerouting corporate devices, masking IP addresses, and employing virtual desktop setups.
To mitigate risks, companies are advised to thoroughly vet candidates, monitor suspicious behavior, and restrict unauthorized access tools. This evolution reflects North Korea's ongoing efforts to fund its regime through cybercrime.
CISA has released a draft of its Product Security Bad Practices Guidance for Public Comment.
Part of CISA's Secure by Design initiative, this guidance highlights risky security practices,
especially for organizations supporting critical infrastructure.
It targets software manufacturers, offering non-binding recommendations to improve product security across on-premises software, cloud services, and SaaS.
The guidance covers product properties, security features, and organizational policies.
CISA seeks feedback from stakeholders by December 2nd of this year to refine the recommendations further. An article from Bank Info Security highlights the
intense stress often faced by cybersecurity professionals, particularly in the aftermath
of a breach. The pressure to contain damage, restore operations,
and protect sensitive data can be overwhelming.
Every decision feels critical,
as it impacts both the company's future and the individual's job security.
Additionally, leaders like CISOs are increasingly held accountable,
sometimes facing legal consequences, further raising the stakes.
Post-incident stress is worsened by scrutiny from management, clients, and regulators,
all demanding answers. The fear of making mistakes under pressure adds to the psychological burden,
often leading to burnout and, in severe cases, symptoms similar to PTSD.
Burnout has become a growing concern in the field,
driven by long hours and high expectations,
especially during post-breach recovery.
This can lead to mistakes, increasing the risk of future incidents and creating a vicious cycle of stress and burnout.
The article emphasizes the importance of organizational support,
clear post-incident protocols, mental health resources, and stress management workshops can help professionals cope
with these challenges. Building emotional resilience, encouraging mindfulness, and fostering
team collaboration are also key strategies to manage the demands of the job. By taking these steps, organizations can help their cybersecurity teams
manage post-incident stress more effectively,
ensuring both personal well-being and professional performance remain strong.
Coming up after the break, my conversation with Tim Starks from CyberScoop.
We're discussing this year's Counter Ransomware Initiative Summit.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian
and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings
automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI. Now that's a new way
to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash
cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your
company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
It is always my pleasure to welcome back to the show Tim Starks.
He is senior reporter at CyberScoop.
Tim, welcome back.
Hi, Dave.
So I want to talk about your recent coverage in CyberScoop
about this year's Counter Ransomware Initiative Summit.
I want to say your write-up on this is by far the most in-depth reporting that I saw
on the event. So congratulations on that. And can we dig into some of the details here? I mean,
what prompts this event? What's some of the backstory here? Yeah, this has been going for
a few years now. White House-led initiative saying we need to join forces with other
countries on ransomware. It's a global
problem. And they've gotten up to 68 countries in the counter ransomware initiative now.
The idea is we can do it better together than alone. The US obviously has a lot of capabilities
in cyberspace, but there are countries that I hadn't even heard of that are now part of this
ransomware initiative. That's how far it's gone in terms
of allies and people that... There's a kind of a mix of people who are probably more needing help
than giving help. But I think the idea is over time, rising tide lifts all boats. So maybe those
countries that have lesser capabilities now could be helping us later. It's US-led, but there are
various pieces of this that are broken off and led by other allies. Like Australia has a piece, and Canada has a piece, and the U.K. has a piece.
And they've got more plans coming forward.
Even though we're coming to the end of an administration, they've already started laying the groundwork for what they want to do next year.
So what does the actual summit itself look like?
How do they organize this event?
This is something that they did this year. They have breakout sessions where they talk about both policy areas and regional developments. This
is something they told me was new this year, that this idea of having regional groups being able to
have meetings and talk about things they're facing in a specific region. So that's one way they do
it. I think the other way is just that I think that this was last week that they had...
I'm sorry if that timing doesn't work to explain, but I'll sort of...
For the week they did it, they had a total of three regular days where they broke it up and talked about different parts of things.
One of the days was actually focused on the overlap between AI and cybersecurity.
And then they had another optional operational day where they would be able to really get into specific kind of capacity building.
This is how this works.
This is the way we do this.
That's the way it worked this year,
and that was different than previous years.
Are there any conspicuous nations missing from this?
You know, the usual suspects of our adversaries?
Yes, that's the one.
There has been some discussion in the past years
about whether Russia could get involved.
That doesn't seem to be in the cards right now.
You know, the nations that are probably
the biggest sponsors of ransomware
aren't going to be part of this alliance.
It is pretty much the allies. I mean, we're not going to see Iran joining this group, I don't think. The people who are
doing the harm or who are nations that are hosting the harm, we're not seeing them participate in
that. And that makes a certain amount of sense. Although, you know, in an ideal world, maybe the
Russian government would participate because they don't want ransomware hackers doing bad things to
the rest of the world. But as it happens, it's pretty
convenient for them that the ransomware hackers
can work for them sometimes and
make money and find things out
that they couldn't
find out on their own
or didn't find out on their own.
So when this wraps up and
everybody heads back to their
nations, are they
sent with action items? Are there agreements that,
you know, we're going to try to do these things before we get together again next year?
Yeah. So they actually kind of divided this up in terms of who was going to be leading
what pieces. So Germany and Nigeria are going to be heading up the diplomacy and capacity
building part of this. Australia and Lithuania, they're going to be the operational task force.
Singapore and the UK are going to focus on policy.
Canada is leading that private sector advisory council
that was newly announced this year.
And the US is just kind of the overall chair.
In terms of what the specific action plans say, I don't have that.
But that was the way they left the meetings,
is that these are the things they were going to be doing and going to be leading action plans on. Is there optimism
about this? I mean, a group like this getting together, obviously there are diplomatic elements
here, but are there any practical things they can do? Yeah, I mean, in terms of the practical things,
I'll answer that part first.
They have essentially a website
where member nations can say,
we're under attack by the Strancy Margarita,
who can help us?
So that would be an example of an operational thing
or a thing that's a real tangible way
that countries are able to assist each other.
And according to the White House,
numerous countries have taken advantage of that website.
Yeah, it's not just a theoretical thing.
In terms of the optimism, I think people think it's good that this is happening, that this initiative exists is good.
I think maybe what they would like to see more if they were being critical would be more results.
I gave an example of results, but they would want to see more, and they would want to see more aggressive ways to topple this ransomware problem. Because even the participants in the White House are
saying, hey, look, we're not doing good enough on ransomware. The problem keeps getting worse.
So if you're measuring it by that kind of result, you can say this isn't by itself getting it done.
I think it has to be part of a bigger approach.
And I think other people agree with that too,
is that this can be one way you can approach the problem.
But I think specifically,
and Neuberger and another official had said,
we need to be doing more of these operations
where we take down the ransomware gangs infrastructure.
And even then they say, look, those haven't worked
because the gangs rebound so fast.
So they say we need to do more of them.
We need to do them faster so that we keep escalating the price.
And the way that's worked in some cases is, okay, yes,
they've actually been able to force these groups to scramble
and have to reform.
So they're forcing the bad guys to spend time
tackling us tackling them. So you could point to some results, but you can also point to things
that say, maybe it's not enough. And maybe it's not enough within the context of the overall
problem and also within the context of this initiative and what it's trying to achieve.
One of the things that caught my eye in your coverage, you quoted Ann Neuberger,
she was talking about insurance companies. And it struck me that she was kind of being
direct without being too direct. In a way, she was talking around the problem,
but anybody listening could tell what she was going after.
Yeah, she's very careful
in how she speaks.
She doesn't want to get over
her skis too much.
But the White House
had explored the idea
of banning companies from paying
ransomware gangs, anything.
That's something
other countries have explored and mostly abandoned.
She's saying that's
the case too, but it seemed like she wants, she's like, we need these, she said, we need these
insurance companies to be involved because sometimes they're part of the people who are
paying the ransomware gangs. And so they're trying to discourage that without going all the way
toward forbidding it. And it'll be interesting to see how they manage that line
because one would require a law
and the other maybe you can get some stuff done without it,
but how much can you get done if you don't say,
here's the price you pay insurance companies
if you keep doing this.
And right now, I don't think they can do that.
They can only vocally, publicly discourage them from doing that.
Yeah.
I wonder, too, if they could encourage insurance companies to simply not provide that coverage, not sell it.
You know, in the same way that we see insurance companies pulling out of areas that are subject to storms and hurricanes.
And they're saying,
this coverage isn't worth it for us if that would be an avenue to potentially pursue.
Potentially.
I mean, one of the things,
specifically in the cyber insurance world,
they have cut back on some of the kinds of coverage they provide,
saying, we need you to do these things, company, before we provide you the insurance.
They say, we need you to take these kinds of steps.
And I think it's possible to envision a world
where they have a set of steps that are specific for ransomware,
even though some of the ways you combat ransomware
are the same ways you combat any cyber attack,
there's not 100% overlap.
So I could see there being a case where
if this keeps getting expensive for the insurers,
one of the things I found interesting
about covering cyber insurance is,
I think people hear the word insurance
and they think that's boring.
But one of the things I find interesting about it
is the insurance industry has been around
for a very long time.
And they know what they're doing
and they know how to make money
and they know what the risks are
and they know how to counter the risks
in such a way so that they don't have to pay out.
So I think there could become a threshold point where the cyber insurance companies say,
look, we're paying too many of these ransomware gangs.
We're not going to keep doing it.
They might do that on their own, but certainly a little extra pressure
from the bully pulpit of the most powerful office in the land of the world,
you could see that having an impact.
Yeah, absolutely.
All right, well, Tim Starks is Senior Reporter at CyberScoop.
Tim, thanks so much for joining us.
Yeah, thanks, Dave.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and
ensuring your organization runs smoothly and securely. Visit ThreatLocker.com
today to see how a default deny approach can keep your company safe and compliant.
And finally, our retail kiosk security desk reports that the code for Redbox DVD rental machines
has hit the internet,
and a community of tech tinkerers has dived right in
to see what makes those big red boxes tick. Naturally, someone decided the best use for
this newfound knowledge was to run Doom on one of the machines, because of course that's always
the first step in any reverse engineering project. According to 404 Media, in the wake of Redbox's parent company going bankrupt,
these kiosks are being abandoned at pharmacies, grocery stores, and other retailers.
Some folks have figured out that not only can they liberate DVDs from these machines,
but in some cases they can walk away with the entire Redbox. Walgreens alone is stuck with 5,400 of the clunky kiosks,
costing them $184,000 a month just to keep them powered.
As a result, tinkerers have begun asking
if they can just haul these things away,
and surprisingly, some store managers
are more than happy to oblige.
Reddit and Discord are now buzzing with stories
of people acquiring and tinkering with these machines.
Some are stripping them down,
reverse-engineering the software,
and even discovering old rental data,
including email addresses and partial credit card numbers.
Others are transforming the kiosks
into personalized DVD storage systems.
Or installing Minecraft.
Because why not?
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver
the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to CyberWire at N2K.com.
We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector,
from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people.
We make you smarter about your teams while making your teams smarter.
Learn how at N2K.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music and
sound design by Elliot Peltzman. Our executive producer is Jennifer Iben. Our executive editor
is Brandon Karp. Simone Petrella is our president. Peter Kilby is our publisher. And I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.