CyberWire Daily - Biden vs. Trump: A tale of two cybersecurity strategies.

Episode Date: November 19, 2024

Pundits predict Trump will overhaul U.S. cybersecurity policy. Experts examine escalating cybersecurity threats facing the U.S. energy sector. Palo Alto Networks patches a pair of zero-days. Akira and... SafePay ransomware groups claim dozens of new victims. A major pharmacy group is pressured to pay a $1.3 million ransomware installment. Threat actors are exploiting Spotify playlists and podcasts. An alleged Phobos ransomware admin has been extradited to the U.S. Rapper “Razzlekhan” gets 18 months in prison for her part in the Bitfinex cryptocurrency hack. On today’s Threat Vector, David Moulton speaks with Assaf Dahan, Director of Threat Research at Palo Alto Networks’ Cortex team, about the rising cyber threat from North Korea.  Swiss scammers send snail mail.  Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. Threat Vector Segment On this segment of Threat Vector, host David Moulton speaks with Assaf Dahan, Director of Threat Research at Palo Alto Networks’ Cortex team, about the rising cyber threat from North Korea. To hear the full conversation between David and Assaf, listen to Cyber Espionage and Financial Crime: North Korea’s Double Threat, and catch new episodes of Threat Vector every Thursday on your favorite podcast app!  
Selected Reading
More Spyware, Fewer Rules: What Trump's Return Means for US Cybersecurity (WIRED)
How to remove the cybersecurity gridlock from the nation's energy lifelines (CyberScoop)
Palo Alto Patches Firewall Zero-Day Exploited in Operation Lunar Peek (SecurityWeek)
SafePay ransomware: Obscure group uses LockBit builder, claims 22 victims (SC Media)
Akira Ransomware Drops 30 Victims on Leak Site in One Day (SecurityWeek)
Gang Shaking Down Pharmacy Group for Second Ransom Payment (GovInfo Security)
Spotify abused to promote pirated software and game cheats (Bleeping Computer)
Suspected Phobos Ransomware Admin Extradited to US (Infosecurity Magazine)
Heather 'Razzlekhan' Morgan sentenced to 18 months in prison, ending Bitfinex saga (The Record)
Now Hackers Are Using Snail Mail In Cyber Attacks—Here's How (Forbes)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com. Pundits predict Trump will overhaul U.S. cybersecurity policy. Experts examine escalating cybersecurity threats facing the U.S. energy sector. Palo Alto Networks patches a pair of zero-days.
Starting point is 00:01:13 Akira and SafePay ransomware groups claim dozens of new victims. A major pharmacy group is pressured to pay a $1.3 million ransomware installment. Threat actors are exploiting Spotify playlists and podcasts. An alleged Phobos ransomware admin has been extradited to the U.S. Rapper Razzlekhan gets 18 months in prison for her part in the Bitfinex cryptocurrency hack. On today's Threat Vector, David Moulton speaks with Assaf Dahan, Director of Threat Research at Palo Alto Networks' Cortex team, about the rising cyber threat from North Korea.
Starting point is 00:01:48 And Swiss scammers send snail mail. It's Tuesday, January 19th, 2024. I'm Dave Bittner, and this is your Cyber Wire Intel Briefing. A second Trump administration is expected to overhaul U.S. cybersecurity policy, prioritizing business interests, aggressive offensive measures, and deregulation over the Biden-era focus on corporate accountability, spyware restrictions, and AI safeguards. In an article for Wired, Eric Geller writes that Trump is likely to dismantle Biden's regulatory efforts on critical infrastructure cybersecurity, citing industry burdens. Rules impacting rail, aviation, and water systems could be scrapped or weakened with a shift toward voluntary compliance and incentives. Efforts like CISA's disinformation campaigns and AI safety initiatives focused on societal harms may also end,
Starting point is 00:03:07 reflecting Trump's emphasis on free speech and reduced regulation. Spyware policies are expected to favor market growth over human rights concerns, benefiting firms like NSO Group. AI regulations requiring transparency and safety measures may be repealed, favoring innovation over safeguards. Trump is poised to expand military cyber operations, emphasizing accountability for Chinese and Russian cyber attacks. Cyber Command could see enhanced roles, including potentially forming a separate military cyber branch. Policies blocking Chinese tech could also resurface. Initiatives pushing companies to design secure software and accept liability for vulnerabilities may stall.
Starting point is 00:03:53 While slogans like secure by design may persist, new regulations are unlikely, reflecting the administration's alignment with corporate interests. CISA's cybersecurity incident reporting rules could be scaled back, exempting sectors or limiting required disclosures. Ultimately, Trump's cybersecurity agenda may favor deregulation and military action while sidelining corporate accountability, spyware restrictions, and emerging AI safety policies.
Starting point is 00:04:33 In an editorial for CyberScoop, Sachin Bansal, president of SecurityScorecard, and Brian Harrell, former assistant secretary for infrastructure protection at the Department of Homeland Security, say the U.S. energy sector faces escalating cybersecurity threats as it integrates complex supply chains, clean energy technologies, and digital systems. National Security Advisor Jake Sullivan recently highlighted the critical need for supply chain security, as vulnerabilities in software and third-party vendors present significant risks to vital infrastructure. A KPMG report revealed that third-party risk accounts for 45% of breaches in the sector, compared to a global average of 29%. The shift to greener, software-driven energy grids introduces additional risks,
Starting point is 00:05:18 with renewable energy companies scoring lowest on cybersecurity metrics. Coupled with the potential for foreign exploitation, particularly by China, these factors underscore the urgency of a unified strategy. Efforts to enhance resilience include the Department of Energy's supply chain cybersecurity principles, supported by major firms like GE Vernova and Siemens. Regulators, such as the Federal Energy Regulatory Commission, are revising standards to address supply chain risks. Meanwhile, the White House is exploring cybersecurity ratings for infrastructure sectors.
Starting point is 00:05:58 However, challenges remain. Attacks, such as the Colonial Pipeline ransomware incident, show how breaches in IT systems disrupt operations. Utilities struggle with the resources and expertise to counter growing threats. The authors say a collective effort between government and industry is vital to secure every link in the supply chain by adopting consistent frameworks, measuring progress, and fostering transparency. The energy sector can bolster cybersecurity resilience, safeguarding critical infrastructure and global stability. Palo Alto Networks has patched two zero-day vulnerabilities exploited in Operation Lunar Peek.
Starting point is 00:06:47 The first is a critical authentication bypass flaw, allowing attackers to gain admin access via the PAN-OS management interface. The second is a privilege escalation issue enabling root access. These vulnerabilities targeted exposed firewall management interfaces and have been addressed in PAN-OS updates. CISA has added the flaws to its Known Exploited Vulnerabilities catalog, urging fixes by December 9th to mitigate risks. The SafePay cybercrime operation, a new ransomware group deploying LockBit-based malware, has claimed 22 victims as of November of this year, according to Huntress. The group exploits Remote Desktop Protocol access to encrypt files and exfiltrate data.
Starting point is 00:07:33 SafePay's ransomware is derived from a well-documented LockBit variant and incorporates tactics from other groups like ALPHV/BlackCat, including UAC bypasses and living-off-the-land binaries for privilege escalation. Huntress identified vulnerabilities in SafePay's Tor site, enabling deeper insights into its operations. SafePay employs tools like WinRAR for archiving stolen data and FileZilla for file transfers, often uninstalling them afterward to cover their tracks. The ransomware includes a Cyrillic language-based kill switch to avoid
Starting point is 00:08:12 attacks in the Commonwealth of Independent States countries. Meanwhile, the Akira ransomware group leaked data from 32 new victims in a single day last week, according to Cyberint. Active since March of 2023, Akira operates as a ransomware-as-a-service and has impacted over 350 organizations globally, earning an estimated $42 million. Targeting business services, critical infrastructure, and other sectors, Akira primarily focuses on U.S.-based organizations but also attacks entities in Canada, Europe, and beyond. Cyberint reports that most victims were directly added to Akira's leaks section on its Tor site, bypassing the usual news section. This aggressive activity, which aligns with trends of escalating ransomware operations,
Starting point is 00:09:06 mirrors similar mass victim disclosures by groups like LockBit. Akira's rapid growth and record-breaking victim counts indicate its expanding influence in the global cybercrime ecosystem. The Embargo ransomware group is pressuring American Associated Pharmacies to pay a second $1.3 million installment of an alleged $2.6 million ransomware deal after already receiving the first payment. The group, which claims to have stolen 1.5 terabytes of data, has threatened to leak the information by midweek if the payment isn't made. Embargo accuses AAP of prioritizing system restoration over customer data protection.
Starting point is 00:09:53 Embargo's tactics include double extortion, a common strategy among ransomware gangs. Researchers note Embargo targets various sectors worldwide and has increasingly targeted health care, including Georgia's Memorial Hospital and Manor. Embargo, which surfaced this year, denies political affiliations, focusing instead on opportunistic attacks. Experts warn of potential class action suits and growing risks without stronger privacy laws to deter such cybercrime. Threat actors are exploiting Spotify playlists and podcasts to promote pirated software, game cheats, spam links, and dubious websites, leveraging Spotify's strong reputation and SEO presence to boost visibility. Using targeted keywords and links in titles and descriptions,
Starting point is 00:10:47 scammers direct users to malware-laden sites or fake surveys. Some playlists, like one advertising a Sony Vegas Pro crack and spammy podcasts, use synthesized speech to lure users into clicking links, leading to ad-heavy or malicious sites. These tactics extend to promoting game cheats and pirated e-books. Cybercriminals often exploit third-party podcast distribution services to bypass platform safeguards. Spotify has removed some flagged content
Starting point is 00:11:20 and emphasized its rules against malicious practices, but the challenge of combating such spam campaigns persists. Russian national Evgenii Ptitsyn, age 42, has been extradited to the U.S. to face charges related to administering the Phobos ransomware, according to the Department of Justice. Accused of running a ransomware-as-a-service scheme since 2020, Ptitsyn allegedly developed and sold Phobos ransomware to affiliates who targeted over 1,000 victims worldwide, including schools and hospitals, extorting over $16 million.
Starting point is 00:11:59 Affiliates used stolen credentials to encrypt and exfiltrate data, pressuring victims to pay ransom. Ptitsyn faces up to 120 years in prison if convicted. Heather "Razzlekhan" Morgan, a self-proclaimed rapper and entrepreneur, was sentenced to 18 months in prison for assisting her husband, Ilya Lichtenstein, in laundering Bitcoin stolen during the infamous 2016 Bitfinex cryptocurrency hack. Lichtenstein, who received a five-year sentence, stole over 119,000 Bitcoin, worth $71 million then and now valued at $10.8 billion. Morgan, aware of the funds' illicit origins since 2020, helped conceal them through financial accounts, virtual currency exchanges, and mixers like Bitcoin Fog.
Starting point is 00:12:54 Prosecutors recommended leniency, citing her clean record and limited personal gain. Coming up after the break on today's Threat Vector, David Moulton speaks with Assaf Dahan about the rising cyber threat from North Korea. Stay with us. Innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. And now, a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024.
Starting point is 00:14:21 These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network. Continuously verifying every request based on identity and context. Simplifying security management with AI-powered automation. And detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see.
Starting point is 00:15:04 Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com slash security. Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers.
Starting point is 00:15:45 I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners. Today, get 20% off your Delete Me plan when you go to joindeleteme.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to joindeleteme.com slash N2K
Starting point is 00:16:20 and enter code N2K at checkout. That's joindeleteme.com slash N2K, code N2K. On today's segment from the Threat Vector podcast, host David Moulton speaks with Assaf Dahan, Director of Threat Research at Palo Alto Networks' Cortex team. They're discussing the rising cyber threat from North Korea. North Korean threat actors are not script kiddies. They are a major cyber force to be reckoned with. And the global reach of their cyber operations should be taken very seriously,
Starting point is 00:17:08 not just by governments or government-affiliated organizations, but it crosses many industries and regions. It's the financial motivation of the North Korean threat actors that really sets them apart from other nation-state threat actors. And that aspect makes them more relevant to more organizations worldwide.
Starting point is 00:17:40 Welcome to Threat Vector, the Palo Alto Networks podcast where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends. I'm your host, David Moulton, Director of Thought Leadership. Today I'm speaking with Assaf Dahan, Director of Threat Research at Palo Alto Networks' Cortex team. Assaf is a seasoned cybersecurity expert with over 18 years of experience in both military and civilian domains. Throughout his career, Assaf has worn many hats, from malware analyst to threat hunter to team leader and director, working with top-tier security companies and contributing to a variety of international security conferences. His experience spans across malware analysis, reverse engineering, threat hunting, threat intelligence, red teaming, and application security, giving him a well-rounded perspective on the ever-evolving cybersecurity landscape.
Starting point is 00:18:37 Currently leading the threat research for Cortex, Assaf's work focuses on providing insights into some of the most sophisticated cyber threats, including those coming from state-sponsored actors like North Korea. Assaf Dahan, welcome to Threat Vector. I'm really excited to have you here today. Thanks for having me. I'm really happy to be here. Today we're going to be talking about some of the research you and your team have done on North Korean threat actors that have shown up consistently in the news. From your research, what makes North Korean hackers such a formidable force on the global cyber landscape?
Starting point is 00:19:10 That's an excellent question, David. So when we talk about major players in global cybersecurity, North Korea might not be the first nation that comes to mind, right? But over the last decade or so, they've really earned their spot in what we might call the Hall of Fame of nation-state threat actors. And let me tell you, their rise to cyber's, I guess, prominence is a fascinating story. For me, at least, the pivotal year was 2014 and what became known as the Sony Pictures hack. So to those of you who may not be as familiar, back in 2014, Sony was about to release The Interview, a Seth Rogen parody about the assassination of the North Korean leader Kim Jong-un.
Starting point is 00:20:01 And as you might imagine, North Korea wasn't exactly thrilled about this premise. And their response was a devastating cyber attack that caused massive financial and reputational damage to Sony Pictures, ultimately forcing them to cancel the movie's theatrical release. And this was, at least for me, it was one of North Korea's first true cyber, how shall I say, tour de force, and perhaps a trailer for what's to come. And in the following years, we started observing the formation of a more, I guess, cohesive or coherent cyber warfare strategy. Less vendetta motivated, if you will, but something more robust that you can feel that there's a strategy. And a crucial part of this strategy really revolves around financial gain and generating revenue through cyber crime. You have to remember North Korea is a very impoverished country. It's under a lot of embargoes and sanctions.
Starting point is 00:21:07 So for instance, in 2016, they attempted what could have been possibly one of the largest bank heists in history. And they targeted the Bangladeshi Central Bank. And their goal was to get away with $1 billion. And this is where it gets kind of comical. Their entire operation was nearly successful, but it was ultimately foiled due to a typo that kind of raised flags in the banking system. So if you want to talk about a billion-dollar spelling mistake, right? So they did manage to get away, I think, with $80 million, I think, and the bank was able to retrieve it at some point. But in later years, we've seen this trend of going directly after banks
Starting point is 00:21:58 and conducting bank heists in other parts of the world quite as part of their strategy. Some of them were more successful, some were not as successful, but we've seen this direct pitting or targeting of banks. Asaf, with your background on both the offensive and defensive sides
Starting point is 00:22:20 of cybersecurity, what do you think the key human factors are that make defending against North Korean hackers so challenging? Well, I guess if we're talking about the human factor, I always say, based on my experiences, that the human factor or the human link is the weakest link in the chain of cybersecurity. You can have the best products out there, but it only takes a certain individual to click on a link, open an attachment,
Starting point is 00:22:56 reveal to a caller the password for their Okta, because these things happen all the time. So the human factor here when it comes to social engineering is crucial because the technology that we have today, especially I can speak about Palo Alto's, but in general, we see across other vendors as well, the technology is great.
Starting point is 00:23:23 We are able to detect and prevent a lot of the stuff that we're seeing. But the one thing that is still very challenging is the human aspect of cybersecurity attacks. And that usually has to do with social engineering. And the only thing to, I guess, fight it is by raising awareness, doing a lot of social engineering trainings, and also maybe with the introduction of new technologies such as LLMs, which can also worsen some aspects of social engineering because they can come off as very convincing.
Starting point is 00:24:08 But on the flip side, you can use LLMs and AI technology for defensive purposes as well. So it's going to be interesting. But if I had to put my money on this, it's really combating social engineering attacks. The rest, the technology is quite good at detecting and preventing. Asaf, thanks for a great conversation today. I really appreciate you diving into some of the insights on the North Korean threat actors that you and your team have been researching and publishing on and unpacking some of the forces behind their cyber activities.
Starting point is 00:24:44 Thank you so much, David. I had a great pleasure. I had a blast. Thanks for having me. Thanks for listening to this segment of the Threat Vector podcast. If you want to hear the whole conversation, you can find the show in your podcast player. Just search for Threat Vector by Palo Alto Networks.
Starting point is 00:25:03 Each week, I interview leaders from across our industry and from Palo Alto Networks to get their insights on cybersecurity, the threat landscape, and the constant changes we face. See you there. Be sure to check out the complete Threat Vector podcast right here on the N2K CyberWire network or wherever you get your podcasts. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Starting point is 00:25:56 But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Starting point is 00:26:33 Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And finally, in a twist straight out of a cybercrime time machine, hackers in Switzerland are using snail mail, with actual paper letters and stamps, to deliver malware. The Swiss National Cyber Security Centre revealed that scammers are posing as MeteoSwiss, the federal meteorology office, and sending fake weather alert letters with QR codes. Scan the code, and instead of staying dry, you'll download malware named
Starting point is 00:27:18 Coper, designed to pilfer sensitive data from Android devices. The fraudulent letters mimic official apps to exploit trust, catching victims off guard. Experts warn that while most of us have a healthy skepticism for digital phishing attempts, we're less suspicious of old-school postal scams. Fortunately, this throwback hack targets only Android users in Switzerland, so iPhone owners can relax for now. I can only imagine that the next stop on this nostalgia train
Starting point is 00:27:50 could be telegrams. Dear victim, kindly scan this code to ruin your life. Stop. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app.
Starting point is 00:28:34 Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your team smarter. Learn how at N2K.com. This episode was produced by Liz Stokes. Thanks for listening. We'll see you back here tomorrow. Cyber threats are evolving every second. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
