CyberWire Daily - Change Healthcare hackers cash in $22 million ransom.
Episode Date: March 5, 2024

Is the ALPHV gang pulling up a twenty-two million dollar rug? Meta platforms are experiencing outages. Ukraine claims a cyberattack on the Russian Ministry of Defense. Malicious phishers hope to hook hashes. TeamCity users are warned of critical vulnerabilities. The Discord leaker pleads guilty. AmEx suffers a third-party data breach. Amazon is flooded with fake copycat publications. Our guest is Deputy Assistant Director Cynthia Kaiser from the FBI Cyber Division to discuss Volt Typhoon. And, Dude, she is just not that into you.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Deputy Assistant Director Cynthia Kaiser from the FBI Cyber Division joins us to discuss Volt Typhoon.

Selected Reading
Hackers Behind the Change Healthcare Ransomware Attack Just Received a $22 Million Payment (WIRED)
Ukraine claims it hacked Russian Ministry of Defense servers (Bleeping Computer)
Hundreds of orgs targeted with emails aimed at stealing NTLM authentication hashes (Help Net Security)
TeamCity Users Urged to Patch Critical Vulnerabilities (Infosecurity Magazine)
Pentagon leak defendant Jack Teixeira pleads guilty, faces years in prison (Reuters)
American Express credit cards exposed in third-party data breach (Bleeping Computer)
Tech writer Kara Swisher has a new book. Enter the AI-generated scams. (Bleeping Computer)
Retired Army officer charged with sharing classified information about Ukraine on foreign dating site (CBS News)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout.
Is the ALPHV gang pulling up a $22 million rug?
Meta platforms are experiencing outages.
Ukraine claims a cyber attack on the Russian Ministry of Defense.
Malicious phishers hope to hook hashes.
TeamCity users are warned of critical vulnerabilities.
The Discord leaker pleads guilty.
Amex suffers a third-party data breach.
Amazon is flooded with fake copycat publications.
Our guest is Deputy Assistant Director Cynthia Kaiser from the FBI Cyber Division to discuss Volt Typhoon.
And dude, she is just not that into you.
It's Tuesday, March 5th, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thank you for joining us here today.
It is great to have you with us. The ransomware gang ALPHV, also known as BlackCat,
implicated in the attack on Change Healthcare,
has been embroiled in controversy with allegations of a $22 million ransom payment
and internal disputes. A Bitcoin
transaction of 350 Bitcoins valued at around $22 million was made to an address connected to ALPHV,
leading to speculation that Change Healthcare paid a ransom. Security firms Recorded Future
and TRM Labs have linked this Bitcoin address to ALPHV
and to payments from other victims. Subsequently, an affiliate accused ALPHV of withholding their
share of the ransom, providing the transaction as evidence. This dispute raises concerns that
sensitive data accessed during the attack could still be at risk of exposure.
Furthermore, ALPHV's leak site displayed what appeared to be a law enforcement seizure notice,
sparking speculation about the gang's current status and whether this signals a takedown by
authorities or a strategic withdrawal by the gang amidst the fallout from their recent activities.
There's strong speculation from cybersecurity experts on social media that the takedown notice is bogus and that ALPHV is
indeed pulling the rug out from under its affiliates. This one is still developing, so stay tuned.
As we record today, Meta's platforms, Instagram, Facebook, and Threads are experiencing global outages, impacting many users since reports began at 10 a.m. Eastern Time.
Facebook and Threads are not loading and Instagram is partially accessible.
The outage coincides with Super Tuesday in the U.S., potentially affecting presidential campaigns' ability to
communicate with voters. Meta acknowledges the issue and says they're working on a resolution.
Concurrently, YouTube and Gmail users report loading and email delivery problems,
but it's unclear if these are related to Meta's outage.
The Ukrainian main intelligence directorate, the GUR,
claims to have hacked the Russian Ministry of Defense,
stealing sensitive data.
The operation, described as a special operation by the GUR,
led to the acquisition of software for data protection and encryption,
secret service documents,
and details on the ministry's structure and personnel,
including the Deputy Minister of Defense, Timur Ivanov.
Evidence of the breach was posted online, though its authenticity remains unconfirmed.
This incident follows previous unverified GUR cyberattacks on Russian agencies,
with this latest attack not involving operational disruption.
Researchers at Proofpoint highlight a threat actor using phishing emails with malicious attachments
to steal employees' NTLM hashes, which are encoded passwords critical for user authentication on Windows.
Microsoft aims to replace NTLM with a more secure Kerberos protocol due to vulnerabilities like password cracking and pass-the-hash attacks.
This phishing campaign, identified in late February 2024, involved emails urging recipients to open a zip file that triggers a connection to an attacker-controlled SMB server,
capturing NTLM challenge response pairs
without deploying malware.
This method reveals sensitive data,
such as domain names and usernames,
helping attackers gauge further exploitation potential.
Known for distributing malware like Qbot and PikaBot,
this marks the actor's first known attempt
at NTLM credential theft,
highlighting their adaptability and resources.
Organizations are advised to block outbound SMB connections to counteract these tactics.
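What an attacker-controlled SMB server actually harvests in the campaign described above is the NTLM AUTHENTICATE (Type 3) message the victim's Windows client sends in reply to the server's challenge. The following Python is an added example for this page, not code from the episode, from Proofpoint, or from any tool mentioned: it builds a constructed Type 3 message, parses it according to the MS-NLMP field layout to recover the domain, username and workstation the briefing says are exposed, and reassembles the captured 8-byte server challenge and the NTLMv2 response into the colon-separated NetNTLMv2 line that offline cracking tools accept. The domain CORP, user jdoe, workstation WS01, the challenge and the response bytes are all made up for the demonstration.

```python
"""Parse an NTLM AUTHENTICATE (Type 3) message and emit a NetNTLMv2 crack line.

Added example for this page; the field layout follows MS-NLMP section 2.2.1.3.
All sample values (domain, user, workstation, challenge, response) are
constructed for the demonstration and do not come from any real capture.
"""
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001   # payload strings are UTF-16LE when set
NTLMSSP_NEGOTIATE_VERSION = 0x02000000   # 8-byte Version field present when set
AUTHENTICATE_MESSAGE = 3

# Payload fields in the order their descriptors appear in the Type 3 header.
_FIELDS = ("lm_response", "nt_response", "domain", "user", "workstation", "session_key")

# Constructed sample material (hypothetical; not a real capture).
SAMPLE_CHALLENGE = bytes.fromhex("0123456789abcdef")          # 8-byte ServerChallenge
SAMPLE_NT_PROOF = bytes(range(16))                            # NTProofStr (16-byte HMAC-MD5 output)
SAMPLE_BLOB = (bytes.fromhex("0101000000000000")              # NTLMv2_CLIENT_CHALLENGE header
               + b"\xaa" * 8 + b"\xbb" * 8 + bytes(4))       # timestamp, client nonce, padding
SAMPLE_NT_RESPONSE = SAMPLE_NT_PROOF + SAMPLE_BLOB


def build_authenticate(domain: str, user: str, workstation: str, nt_response: bytes,
                       flags: int = NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_VERSION) -> bytes:
    """Assemble a minimal Type 3 message (no MIC) the way a client would."""
    # Without NEGOTIATE_UNICODE the strings are in the OEM code page; latin-1 stands in for it here.
    codec = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    items = [b"", nt_response, domain.encode(codec), user.encode(codec), workstation.encode(codec), b""]
    header_len = 8 + 4 + 8 * len(_FIELDS) + 4 + (8 if flags & NTLMSSP_NEGOTIATE_VERSION else 0)
    fields, payload, offset = b"", b"", header_len
    for item in items:
        # Each descriptor is Len, MaxLen, BufferOffset; the offset counts from the message start.
        fields += struct.pack("<HHI", len(item), len(item), offset)
        payload += item
        offset += len(item)
    version = bytes(8) if flags & NTLMSSP_NEGOTIATE_VERSION else b""
    return (NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE_MESSAGE)
            + fields + struct.pack("<I", flags) + version + payload)


def parse_authenticate(msg: bytes) -> dict:
    """Extract the payload fields of a Type 3 message using its explicit offsets."""
    if len(msg) < 64 or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != AUTHENTICATE_MESSAGE:
        raise ValueError("not an AUTHENTICATE (Type 3) message")
    out, pos = {}, 12
    for name in _FIELDS:
        length, _max_len, offset = struct.unpack_from("<HHI", msg, pos)
        pos += 8
        if offset + length > len(msg):      # reject descriptors that point past the buffer
            raise ValueError(f"{name} field runs past end of message")
        out[name] = msg[offset:offset + length]
    flags = struct.unpack_from("<I", msg, pos)[0]
    codec = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    for name in ("domain", "user", "workstation"):
        out[name] = out[name].decode(codec)
    out["flags"] = flags
    return out


def to_netntlmv2_line(server_challenge: bytes, parsed: dict) -> str:
    """Format user::domain:challenge:NTProofStr:blob, the NetNTLMv2 layout offline crackers accept."""
    nt = parsed["nt_response"]
    if len(nt) <= 24:
        # An NTLMv1 NtChallengeResponse is exactly 24 bytes; NTLMv2 is a 16-byte proof plus a blob.
        raise ValueError("NtChallengeResponse is not NTLMv2")
    if len(server_challenge) != 8:
        raise ValueError("ServerChallenge must be 8 bytes")
    return (f"{parsed['user']}::{parsed['domain']}:{server_challenge.hex()}:"
            f"{nt[:16].hex()}:{nt[16:].hex()}")


def demo() -> str:
    """Round-trip the constructed sample: build the message, parse it, emit the crack line."""
    msg = build_authenticate("CORP", "jdoe", "WS01", SAMPLE_NT_RESPONSE)
    return to_netntlmv2_line(SAMPLE_CHALLENGE, parse_authenticate(msg))


if __name__ == "__main__":
    print(demo())
```

The point for defenders is that nothing in this exchange requires malware on the host: the client volunteers the username, domain and workstation in cleartext fields of the Type 3 message, and the challenge and response pair is enough to attempt offline cracking, or to relay the authentication where signing is not enforced. That is why the advice is to block outbound TCP 445 (and 139) at the perimeter, and why egress logs for those ports from workstations are worth alerting on.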
JetBrains has alerted users of their TeamCity build management and continuous integration tools to urgently patch two newly disclosed vulnerabilities
identified by Rapid7.
One of the vulnerabilities is a critical authentication bypass flaw with a 9.8 CVSS score,
which could allow remote attackers to fully compromise servers via an alternative path issue.
The second, with a 7.3 CVSS score, permits limited information disclosure and system
alteration through a path traversal issue.
These flaws pose a significant risk, potentially enabling attackers to control projects and
launch supply chain attacks.
JetBrains has released an updated software version
and a security patch plugin for users unable to upgrade,
ensuring all TeamCity on-premises versions are covered.
They say TeamCity Cloud customers have been patched and secured.
Jack Teixeira, a Massachusetts Air National Guard member,
pleaded guilty yesterday to leaking classified documents on Discord.
He admitted to willful retention and transmission of national defense information and faces a proposed sentence of over 16 years.
The 22-year-old's actions included sharing sensitive data related to international affairs with his fellow online gamers under the
alias the Excalibur Effect. Despite previous warnings about his handling of classified
information, Teixeira accessed and leaked details on topics like Russia's invasion of Ukraine.
His sentencing is set for September 27th after a plea deal that prevents further Espionage Act charges.
The incident has prompted the Air Force to discipline 15 personnel and the Department
of Defense to review its classified information access protocols.
American Express has notified customers of a third-party data breach at a merchant processor
leading to the exposure of credit card details.
The breach did not affect American Express's systems directly,
but involved a service provider used by several merchants.
The compromised data includes American Express card numbers,
names, and expiration dates.
The specifics of the affected merchant processor
and the scope of impacted customers remain undisclosed.
American Express has informed regulatory authorities and is contacting affected customers,
assuring that they won't be held liable for any fraudulent charges.
Customers are advised to monitor their account statements for suspicious activity over the next 12 to 24 months.
In the weeks leading up to the publishing of her memoir,
tech journalist Kara Swisher noticed a disturbing proliferation
of fake biographies on Amazon,
featuring AI-generated images of her
and authored by unknown individuals,
posing as genuine accounts of her life.
Swisher initially dismissed it as a curiosity,
but the issue quickly escalated when dozens of these AI-generated knockoffs flooded Amazon.
This incident highlights a growing challenge on Amazon, the influx of AI-generated books
designed to mimic and compete with legitimate publications. Amazon has implemented measures like limiting self-publishing volumes
and mandating disclosure of AI-generated content,
but the effectiveness of these policies
remains questionable at best.
Swisher reached out directly to Amazon CEO Andy Jassy,
which led to the removal of some fake listings.
But of course, most aspiring authors
don't have direct access to high-level executives. The episode underscores the broader issue of AI
driven content undermining genuine creative efforts, necessitating stronger verification
and authentication processes to protect authors and maintain the integrity of digital publishing platforms.
Coming up after the break, my conversation with Deputy Assistant Director Cynthia Kaiser
from the FBI Cyber Division. We're discussing Volt Typhoon. Stay with us.
Do you know the status of your compliance controls right now, like right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.

And it is my pleasure to welcome back to the show,
Deputy Assistant Director for the FBI's Cyber Division, Cynthia Kaiser. Cynthia, welcome back.
Happy to be back. Thank you. So a lot of things I want to touch base with you on today
and get your perspective on. Can we start off talking about Volt Typhoon and the efforts the
FBI has been putting in here lately when it comes to that particular organization?
Absolutely. So as many of your listeners probably are tracking, the FBI and our partners identified
a cluster of activity
associated with a People's Republic of China state-sponsored actor, tracked as Volt Typhoon
in the private sector. And what we were tracking is that they were pre-positioning for disruptive
or destructive cyber attacks against U.S. critical infrastructure. And what we think that is,
is for the event of a major crisis or conflict with the
United States. Now, for years, they've been targeting critical infrastructure in Guam and
elsewhere in the United States. And really through a variety of sources, including FBI technical
deployments and close FBI engagement with the private sector, we know that their targets include
numerous sectors. For example, communications,
manufacturing, transportation, maritime, IT, and education.
To what degree do we think this is related to potential tensions in Taiwan?
So you don't have to look any further than the ODNI's annual threat assessment from last year that noted that China was seeking to develop a field-ready military by 2027 to be able to take Taiwan at a time of their choosing.
We believe that this pre-positioning is connected to that or the potential for other, you know, unspecified potential conflicts in the future
with the United States. But it's really about giving China choices to be able to try to
dissuade the U.S. from entering any conflict that they don't want us there for.
And so with these revelations, what happens within the agency? You and your colleagues there at the FBI, what are next steps in terms of countering this threat?
We've already been working to counter the threat.
That includes when we learn about information from a potential victim, we deploy.
Like we did in February 2023 when our cyber action team, our CAT team,
deployed to a telecommunications
company to perform incident response.
And through that two-week deployment, our CAT team was able to identify malicious activity
within the network associated with Volt Typhoon and provide the company with the information
it needed to mitigate the compromise across the system.
We're continuing to also look through all of our other sources. I mean,
I think what's most worrisome about this suite of activity is it's not the only group that's
seeking to target our critical infrastructure. In fact, we only know about certain incidents
because of FBI FISA 702. I also kind of want to hit on the operation that we recently announced that targeted the
infrastructure that Volt Typhoon actors used to conduct their activity. Through a series of
operations, including with our partners, we were able to take down the obfuscation network, so
essentially the botnet of small business and home routers that the Volt Typhoon actors were staging on to conduct their activity and hide their tracks.
We were able to remove the Chinese from that network and set back their ability to conduct these activities, especially to conduct these activities anonymously.
You know, we often talk in the conversations I have with you and your colleagues there at the FBI about the importance of the private sector partnering with the FBI and the FBI's
eagerness to do that.
And it strikes me that these efforts against Volt Typhoon are really an example of
those efforts paying off. That's exactly right. We know more about the Volt Typhoon actors because
of our close collaboration with the private sector. And really where we've seen a lot of
great growth and interest in the private sector and partnering with the FBI too
is on the targeted entity or victim side. We do a lot of things in the FBI, but our North Star
is seeking to assist victims and prevent people and companies from becoming additional victims
in the future. And that takes a lot of forms. Assisting victims
might mean deploying one of our CAT teams, our cyber action teams to the incident to help them
identify what occurred on their network so that they can mitigate their own network. It might mean
just providing them with the indicators of compromise and other technical information
so their third party can, or doing a lot of other victim assistance.
But preventing it means also partnering with our private sector partners to know more,
partnering with our private sector partners to be actually able to conduct operations,
to take down the infrastructure that our actors are using, and also partnering with our private sector partners to be able to combine what
they know and we know and put that out to the American public, put that out to net defenders
in advisories so others can protect their networks.
Cynthia Kaiser is Deputy Assistant Director with the FBI's Cyber Division.
Cynthia, thanks so much for joining us.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
Breaking news happens anywhere, anytime.
Police have warned the protesters repeatedly, get back.
CBC News brings the story to you live.
Hundreds of wildfires are burning.
Be the first to know what's going on and what that means for you and for Canada.
This situation has changed very quickly.
Helping make sense of the world when it matters most.
Stay in the know.
Download the free CBC News app or visit cbcnews.ca.
And finally, our loose-lips-sink-ships desk tells us of one David Franklin Slater, a 63-year-old retired Army lieutenant colonel and former civilian employee at United States Strategic Command,
who was arrested for allegedly disclosing sensitive national defense information
to an individual claiming to be a woman from Ukraine through a foreign dating site.
While employed at U.S. STRATCOM, where he had top-secret security clearance,
Slater reportedly sent secret Pentagon documents about Russia's war in Ukraine
and discussed national defense information via email and messaging platforms.
He was charged with one count of conspiracy
and two counts of unauthorized disclosure of national defense information,
actions described as potentially causing serious damage to national security.
So here's a bit of advice.
If your online crush suddenly shows undue interest in the mundane yet highly classified details of your day job,
chances are they are not really that into you.
Cut your losses, tell your bosses, and move on with your life. We'd love to know what you think of this show. You can email us at cyberwire at n2k.com.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people.
We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester with original music by Elliot Peltzman.
Our executive
producers are Jennifer Ivan and Brandon Karp. Our executive editor is Peter Kilby, and I'm Dave
Bittner. Thanks for listening. We'll see you back here tomorrow.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.