CyberWire Daily - Caught red-handed.

Episode Date: October 4, 2024

Interpol arrests eight in an international cybercrime crackdown. A MedusaLocker variant targets financial organizations. Cloudflare mitigates a record DDoS attempt. Insights from the Counter Ransomware Initiative summit. FIN7 uses deepnudes as a lure for malware. Researchers discovered critical vulnerabilities in DrayTek routers. CISA issues urgent alerts for products from Synacor and Ivanti. A former election official gets nine years in prison for a voting system data breach. Microsoft and the DOJ seize domains used by Russia’s ColdRiver hacking group. On our Industry Voices segment, we are joined by Eric Olden, Founder and CEO of Strata Identity, to learn how the modern enterprise can orchestrate the 7 A's of identity security to achieve zero trust. Harvard students demonstrate glasses that can see through your privacy.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

Industry Voices Segment

On our Industry Voices segment, we are joined by Eric Olden, Founder and CEO of Strata Identity. Eric talks about how the modern enterprise can orchestrate the 7 A's of identity security to achieve zero trust. You can check out Strata’s blog on “Understanding the 7 A’s of IAM” and their book on “Identity Orchestration for Dummies”.
Selected Reading

International police dismantle cybercrime group in West Africa (The Record)
New MedusaLocker Ransomware Variant Deployed by Threat Actor (Infosecurity Magazine)
Cloudflare Mitigates Record Breaking 3.8 Tbps DDoS Attack (Hackread)
Recently patched CUPS flaw can be used to amplify DDoS attacks (Bleeping Computer)
More frequent disruption operations needed to dent ransomware gangs, officials say (CyberScoop)
FIN7 hackers launch deepfake nude “generator” sites to spread malware (Bleeping Computer)
14 New DrayTek routers' flaws impact over 700,000 devices in 168 countries (Security Affairs)
CISA Warns Active Exploitation of Zimbra & Ivanti Endpoint Manager Vulnerability (Cyber Security News)
Former Mesa County clerk sentenced to 9 years for 2020 voting system breach (CyberScoop)
Microsoft and DOJ disrupt Russian FSB hackers' attack infrastructure (Bleeping Computer)
Someone Put Facial Recognition Tech onto Meta's Smart Glasses to Instantly Dox Strangers (404 Media)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. Interpol arrests eight in an international cybercrime crackdown. A MedusaLocker variant targets financial organizations. Cloudflare mitigates a record DDoS attempt. Insights from the Counter Ransomware Initiative Summit.
Starting point is 00:02:14 FIN7 uses deep nudes as a lure for malware. Researchers discover critical vulnerabilities in DrayTek routers. CISA issues urgent alerts for products from Synacor and Ivanti. On our Industry Voices segment, we are joined by Eric Olden, founder and CEO of Strata Identity, to learn how the modern enterprise can orchestrate the seven A's of identity security to achieve zero trust. And Harvard students demonstrate glasses that can see through your privacy. It's Friday, October 4th, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Starting point is 00:03:23 Thanks for joining us here today. It is great to be back. We took the last couple days off for some in-house meetings, but we are back to our regular publishing schedule. Thanks for your patience. Interpol announced the arrest of eight suspected cyber criminals as part of an international operation targeting cybercrime. The group was involved in large-scale phishing scams
Starting point is 00:03:46 that defrauded Swiss citizens of over $1.4 million. They used QR codes to direct victims to fake websites where they collected sensitive information like login details and card numbers. The investigation, part of Interpol's ongoing Contender 2.0 operation, led to the arrest of the main suspect, who confessed to making over $1.9 million from the scheme. Five additional suspects were caught at the same location conducting similar activities. Contender 2.0 targets various cybercrimes, including business email compromise and romance scams in West Africa. In a related case, a dual Nigerian-UK citizen was sentenced to seven
Starting point is 00:04:33 years in U.S. prison for defrauding a North Carolina university and attempting to steal millions from Texas entities through BEC schemes. Cisco Talos has observed a financially motivated actor using the Baby Locker KZ ransomware variant, a version of Medusa Locker, targeting global organizations. Active since at least 2022, the group initially focused on European countries but shifted to South America in 2023, doubling the number of victims to about 200 IPs compromised monthly. By early 2024, attack volumes had decreased. The group uses publicly available tools like HR Sword and Advanced Port Scanner to disable security measures and map internal networks. They also deploy custom tools like Checkr to automate credential management and streamline lateral movement. The attackers
Starting point is 00:05:32 store tools in common system folders and are believed to be working as an initial access broker or an affiliate of a ransomware cartel. Cisco assesses the group as financially motivated with medium confidence. Cloudflare successfully mitigated a massive DDoS attack that peaked at 3.8 terabits per second and 2.14 billion packets per second, surpassing the previous records from 2021. The attack, part of a month-long campaign starting in September, involved over 100 volumetric DDoS attacks, many exceeding 3 terabytes per second, and primarily originated from Vietnam, Russia, Brazil, Spain, and the U.S. The attackers used a botnet of hijacked devices, including AsUS routers, exploiting a critical vulnerability.
Starting point is 00:06:28 Cloudflare's advanced traffic analysis and global server network effectively mitigated the attack, ensuring minimal disruption for customers across industries like finance and telecommunications. communications. Speaking of DDoS, a vulnerability in the common Unix printing system, CUPS, can be exploited for DDoS attacks with a 600x amplification factor, according to Akamai researchers. The flaw found in the CUPS-browsed daemon allows attackers to send a single malicious UDP packet, tricking CUPS servers into generating large IPP HTTP requests that overwhelm both the server and the target. Around 58,000 vulnerable servers could be exploited for DDoS attacks. Admins are urged to patch systems or disable the CUPS-browsed service. Earlier this week at the Counter-Ransomware Initiative Summit, global leaders discussed new strategies to combat ransomware gangs,
Starting point is 00:07:32 which are known for quickly regrouping after takedowns. Ann Neuberger, U.S. Deputy National Security Advisor for Cyber and Emerging Technology, emphasized the need for more frequent and broader disruption operations, focusing on dismantling ransomware infrastructure and financial exchanges involved in money laundering. The summit, now involving 68 countries, also highlighted new initiatives, such as a counter-ransomware fund led by USAID, enhanced guidance for ransomware victims, and a Canadian advisory panel to foster information sharing. A key focus of the summit was the intersection of artificial intelligence and cyber defense, with presentations from government agencies and leading AI companies.
Starting point is 00:08:19 Laura Gallant, director of the Cyber Threat Intelligence Integration Center, shared that ransomware attacks surged in recent years, but disruption efforts have made it harder for groups like Alpha Black Cat to reconstitute. The initiative welcomed 10 new member nations, including Argentina and Hungary. The FIN7 hacking group has launched a network of fake AI-powered deep nude generator sites to infect users with malware. Known for cybercrime and financial fraud since 2013, FIN7 has ties to ransomware groups like DarkSide and BlackCat. Their latest operation involves websites claiming to create fake nude images using AI. Visitors are tricked into downloading malware like LumaStealer and RedlineStealer instead of the promised images.
Starting point is 00:09:14 The sites, promoted through Black Hat SEO, appear legitimate but distribute malicious software that steals browser credentials, cryptocurrency wallets, and other data. The most recent round of Fin7's fake deep nude sites have been taken down, but users who downloaded files are likely infected. Fin7 also runs parallel campaigns, distributing malware like NetSupportRat through spoofed websites mimicking popular brands and apps like Zoom, Fortnite, and Putty. Four Scout researchers discovered 14 vulnerabilities in DrayTek routers, including two critical flaws. These vulnerabilities could allow attackers to take control of devices, leading to risks like cyber espionage, data theft, ransomware,
Starting point is 00:10:06 and DDoS attacks. Over 704,000 DrayTek routers in 168 countries are exposed online, with 75% used in commercial settings, posing significant business risks. The FBI recently dismantled a botnet exploiting DrayT vulnerabilities, and Draytek has since released security updates. However, no active attacks exploiting these flaws have been reported so far. CISA has issued an urgent alert regarding the active exploitation of critical vulnerabilities in Sinocor's Zimbra collaboration and Avanti's endpoint manager. The Zimbra flaw allows unauthenticated remote command execution, while the Avanti vulnerability enables SQL injection, allowing attackers to execute arbitrary code on the core server. Although no ransomware attacks have been linked to these flaws yet, the risk is significant.
Starting point is 00:11:06 CISA advises organizations to apply recommended mitigations immediately. Tina Peters, former Mesa County, Colorado, clerk, was sentenced to nine years in prison for her role in a significant data breach of voting system information after the 2020 election. significant data breach of voting system information after the 2020 election. Peters was convicted on seven felony counts related to the breach, which was fueled by false claims of election fraud. The stolen data, later posted online, revealed no evidence of fraud or vote tampering. At her sentencing, Judge Matthew Barrett condemned Peters for her actions and lack of remorse, calling her a charlatan. Mesa County officials reported over $1.4 million in costs due to Peters' actions, including legal fees and disruptions to county operations. Gerald Wood, whose identity was used in the breach, expressed his anger at being deceived by Peters,
Starting point is 00:12:05 who he said caused damage to election integrity both locally and nationally. Microsoft and the U.S. Department of Justice seized over 100 domains used by Russian Cold River Hacking Group, linked to Russia's FSB, to target U.S. government employees and non-profits through spear phishing attacks. Between January 2023 and August of this year, Cold River, also known as Cyborgium or Star Blizzard, attacked U.S. intelligence, defense, and energy personnel, as well as NGOs and journalists, to steal sensitive information. well as NGOs and journalists to steal sensitive information. Microsoft and the DOJ dismantled the group's infrastructure, with Microsoft seizing 66 domains and the DOJ 41. The group has been active since 2017, using social engineering and OSINT for espionage, especially targeting defense and government entities after Russia's 2022 invasion of Ukraine.
Starting point is 00:13:06 The U.S. State Department sanctioned two Cold River members and offers rewards for information leading to other operatives. Coming up after the break, my conversation with Eric Olden, founder and CEO of Strata Identity. We're going to talk about the seven A's of identity security and achieving zero trust. Stay with us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security,
Starting point is 00:14:00 but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for a thousand dollars off. And now a message from Black Cloak. Did you know
Starting point is 00:14:57 the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home. Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. Eric Olden is founder and CEO of Strata Identity. And in today's sponsored Industry Voices segment, we learn how the modern enterprise can orchestrate the seven A's of identity security to achieve zero trust.
Starting point is 00:15:55 It's been a long journey on zero trust. It started out early on a lot of good work coming out of Google's initial BeyondCorp idea, and they led by example. And a lot of people said, hey, if it's good enough for Google, we'll try it here as well. And then the hype took over and people were really using the term zero trust in a lot of different ways. And I think that's settled down over the last, I would say, two years so that now we're in a more consistent use of the notion and the term zero trust seems to be a bit more consistent when I talk to leaders in different organizations. In terms of the actual implementation, I think what we're seeing anyways, especially in this multi-cloud world, is that now you can just expect to be able to access an application.
Starting point is 00:16:56 And you don't think about whether it's behind the firewall. You don't think about connecting to a VPN in order to get to, you know, work applications. They're available over your phone. They're available, you know, your laptop or working from, you know, the office campus. And I think it's gotten more ubiquitous where people just kind of take it for granted and they assume that, you know, they're going to have to authenticate and sign in. And most lay people, as I'm seeing it, they're pretty unaware about what's actually going on under the covers. I would say, my point of view is that zero trust is pretty stable and is almost being taken for granted nowadays. And I think that's a good thing. You and your colleagues there talk about zero trust architecture or ZTA.
Starting point is 00:17:54 Can you help us understand what exactly goes into that? Sure. Well, when you think about just the term zero trust. I'll start with that because often that is confusing. It's like, well, how are you relying on zero trust? And really what I think it comes down to is there was an expression back in the 80s when we were dealing with nuclear proliferation and reducing stockpiles. And we were dealing with nuclear proliferation and reducing stockpiles. And President Reagan came up with the expression, trust but verify. And when I hear zero trust, I think about that is every time someone wants to access an application or the data inside of an application, that we will authenticate who they are. First step, make sure that we're never giving free access to something because we're assuming a network perimeter did the job
Starting point is 00:18:54 or that the bouncer kept all the bad actors out of the place. The second part of the zero trust is that access control and continuously checking that someone has access and the permissions to get to the application and the data that they're trying to. So it's that combination of continuous authentication and continuous access control that is how you accomplish zero trust. And then when you parlay that into a architecture, we're talking about now like software that you deploy, then it shows up with, I think, a couple of hallmarks. The first one being it's out on the public internet and not behind a corporate firewall.
Starting point is 00:19:46 And that instead of using VPNs to connect a user to everything in a network, every URL that a user tries to click on and access, that is verified most often through a proxy. is verified most often through a proxy. And so you have proxies that are taking the place of VPNs. And so when we say zero-trust architecture, it's a way to use the public internet through a series of proxies without VPNs to continuously authenticate, verify who a user says they are,
Starting point is 00:20:23 and then continuously access or control access to make sure that the user only can get to the applications that they should. What about the challenges folks, I think, naturally face when we're dealing with multiple vendors and more and more multiple cloud environments? How do we achieve zero trust, you know, bridging those realities?
Starting point is 00:20:57 Multi-vendor is, I think, a second side of the coin of multi-cloud. And so when you start with the multi-cloud, in the very simplest implementation, most organizations that are moving from their own data centers or their own on-premises infrastructure, and they start to use the cloud, now they've got what a lot of people call private cloud and one cloud. And what we're seeing is that now when you look at how many organizations are moving to the public cloud, they're usually going to two or three different cloud platforms. And by that, I'm talking about things like Azure, Microsoft Azure, and Amazon's AWS, and Google's cloud platform. So there's a lot of things that go with that because now when you think about the identity standpoint and the security of that, you now have four or five things that you need to manage. And they're generally are not very well integrated,
Starting point is 00:22:02 you know, because there are different vendors offer different technologies. generally are not very well integrated because there are different vendors offer different technologies. So what that's created is this really interesting, highly distributed, meaning everything runs in all sorts of different places, unlike the old days when it was all in one data center. Then the other thing is that
Starting point is 00:22:22 you're using all these different technologies. So when you're really all these different technologies. And so when you're really trying to figure out how do we control access to our really sensitive applications and data, you no longer can just choose one system and say, this group of users can have access and these shall not. You need to think about, well, where is the application and what is the control mechanism on that cloud platform? And then how do I make the different universes all kind of play well together? orchestration, but then also this idea of identity fabric, creating an identity fabric to empower identity orchestration. Can you unpack that for us? Help us understand what that's all about. Yeah, absolutely. So when you think about an identity fabric, what it is, is the collection of identity systems that an organization uses to control access and verify identity. And in most cases, people call them IDPs or identity providers.
Starting point is 00:23:37 And when you have this collection of identity providers, you need to think, of identity providers, you need to think, well, if I have users that are going to access applications that sit behind different identity providers, wouldn't it be helpful if we can think about not just the trees, but the whole forest? And that's really, you know, metaphorically what an identity fabric is. It's like the forest of all of your identity provider trees. And so you can think about a forest in a different way or a fabric in a different way than each one of them as an individual silo. But more, how do you work with all of these together in concert? And the way that you link them together is through an abstraction layer. Or if you think about how VMware did this back in the early days of virtualization,
Starting point is 00:24:34 they turned hardware into virtual servers and were able to move and mix and match different workloads on the virtualization layer because it was abstracting the underlying hardware. Well, that's what identity orchestration is doing. It's abstracting the different identity providers, or this forest example, and saying, you know, it doesn't matter which of the different identity providers is going to be used. We want to work with them interchangeably so that we don't lock ourselves in to just using one or the other. So Identity Fabric integrates and brings together all of your different identity providers.
Starting point is 00:25:20 And then orchestration is the way that you link them together at runtime. And then orchestration is the way that you link them together at runtime. You know, you all have a clever system here to help folks who remember what some of the critical things are when it comes to identity security. You all call it the seven A's, authentication, access control, authorization, attributes, administration, audit, and availability. We don't have time to go through each one of those individually, but collecting those seven items here, to me, I mean, it's an easier way to remember these key elements that are so critical to identity security. Yeah, it's a heuristic device that originally started with, and I've been doing this for a long time, Dave. I've been doing it since the 90s. Early on, it was the three A's, authentication, access, and audit. So you made sure you checked everybody, verified what they're
Starting point is 00:26:20 going to do, and had a record of it. And then over time, we realized with identity, there's more nuanced things besides the initial three A's. And so people started to think about the attributes that a user had. And this could be something like what nationality, where their passport is held, are they an employee or a contractor? Things like that. And then when you think about the administration, a lot of people call that governance.
Starting point is 00:26:51 And really having processes that manage the way that you think about onboarding and offboarding user identities and giving them appropriate access. So those are the ones that really started to extend the A's. Then the most recent one is the availability. I think what we've seen is that in the world of identity, we've long known that if your sign-on system goes down, you have an outage, then all of your applications are unavailable. And that's led to a lot of painful outages where organizations are trying to maintain uptime and availability, but an identity provider has a bad day.
Starting point is 00:27:41 And everyone does. All identity providers, even the biggest of the big you know they have outages and they i guess a question less of will it happen but more a matter of when it does happen are you ready for it and now with thinking about identity and saying how do we make sure that this does not become a single point of failure and make sure that we've got an alternate identity provider in the event that the first one goes down? So that's, I think, kind of the latest of the additions in the A's is availability. And I think a lot of us had a wake-up call earlier this summer when that big outage happened, and everyone's looking at the blue screen of death and thinking, how did this happen? The next thought is, how do I make sure this doesn't happen to me?
Starting point is 00:28:35 And that's really raised the concern around making sure that not just an identity, but especially an identity. How do you avoid single points of failure? And that's the latest of the seven A's. That's Eric Olden, founder and CEO of Strata Identity. You can check out Strata's blog on understanding the seven A's of IAM and their book, Identity Orchestration for Dummies. We'll have links in our show notes. Cyber threats are evolving every second, and staying ahead is more than just a challenge.
Starting point is 00:29:24 It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And finally, two Harvard students have created smart glasses that do what big tech has long avoided,
Starting point is 00:30:19 using facial recognition to instantly identify strangers and pull personal information from the web. Their project, called EyeXRay, uses Meta's Ray-Ban smart glasses, which look like ordinary eyewear. In a demo, the glasses linked to a facial recognition site, finding details like home addresses and phone numbers within minutes. Though the duo claims their aim is to raise awareness of privacy risks, the project highlights the thin line between anonymity and instant doxing. The glasses startled test subjects, with one person saying, How do you know my mom's phone number? While their code won't be released, the project shows how easily existing technology can be weaponized for stalking or pranks. I understand and respect the privacy concerns of this sort of technology, but at the same time, wouldn't this be a wonderful way to avoid those awkward moments at parties and social events where you cross paths with someone who looks familiar, but you just can't place their name?
Starting point is 00:31:27 And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Joshua Miller from Proofpoint. We're discussing their research, Best Laid Plans, TA-453 targets religious figureigious Figure, with Fake Podcast Invite delivering new Blacksmith malware toolset. That's Research Saturday. Check it out. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that
Starting point is 00:31:57 keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. We're privileged that N2K Cyber Wire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your team smarter.
Starting point is 00:32:36 Learn how at n2k.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Iben. Our executive editor is Brandon Carve. Simone Petrella is our president. Peter Kilby is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week. Thank you.
