CyberWire Daily - CISA’s news trifecta.
Episode Date: March 11, 2024

A roundup of news out of CISA. California reveals data brokers selling the sensitive information of minors. Permiso Security shares an open-source cloud intrusion detection tool. Darktrace highlights a campaign exploiting Dropbox. The EU's Cyber Solidarity Act forges ahead. A White House committee urges new economic incentives for securing OT systems. Paysign investigates claims of a data breach. Our guest is Alex Cox, Director of Threat Intelligence, Mitigation, and Escalation at LastPass, to discuss what to expect after LockBit. And Axios highlights the clowns and fools behind ransomware attacks.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Alex Cox, Director, Threat Intelligence, Mitigation, Escalation (TIME) at LastPass, joins us to discuss what to expect after LockBit.

Selected Reading
Top US cybersecurity agency hacked and forced to take some systems offline (CNN Politics)
CISA's open source software security initiatives detailed (SC Media)
GAO uncovers mixed feedback on CISA's OT cybersecurity services when it comes to addressing risks (Industrial Cyber)
Dozens of data brokers disclose selling reproductive healthcare info, precise geolocation and data belonging to minors (The Record)
New Open Source Tool Hunts for APT Activity in the Cloud (SecurityWeek)
Dropbox Abused in New Phishing, Malspam Scam to Steal SaaS Logins (HACKREAD)
Everything you need to know about the EU's Cyber Solidarity Act (ITPro)
White House advisory group says market forces 'insufficient' to drive cybersecurity in critical infrastructure (CyberScoop)
Paysign investigating reports of consumer information data breach (The Record)
The clowns and fools behind ransomware attacks (Axios)

Share your feedback.
We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
A roundup of news out of CISA.
California reveals data brokers selling the sensitive information of minors.
Permiso Security shares an open-source cloud intrusion detection tool.
Darktrace highlights a campaign exploiting Dropbox.
The EU's Cyber Solidarity Act forges ahead.
A White House committee urges new economic incentives for securing OT systems.
Paysign investigates claims of a data breach. Our guest is Alex Cox, Director of Threat
Intelligence, Mitigation, and Escalation at LastPass, to discuss what to expect after LockBit.
And Axios highlights the clowns and fools behind ransomware attacks.
It's Monday, March 11th, 2024.
I'm Dave Bittner, and this is your N2K CyberWire Intel Briefing. Happy Monday, everyone.
It is great to have you here with us.
We begin today with a roundup of news out of CISA.
Last month, the Cybersecurity and Infrastructure Security Agency discovered it
had been hacked, leading to the shutdown of two key computer systems. These systems were
instrumental in sharing cyber and physical security tools among various government levels
and for assessing chemical facility security. Despite the breach, CISA reported no operational impact,
emphasizing their ongoing efforts to modernize and enhance system security. The incident exploited
vulnerabilities in virtual private networking software by Ivanti, which had been previously
identified by CISA as a risk. This breach, suspected to be linked to a Chinese espionage group,
highlights the universal risk of cyber vulnerabilities
even among cybersecurity entities.
The irony underscores the importance of prepared incident response plans
for all organizations.
Meanwhile, CISA announced steps to enhance open-source software security
following a summit with OSS community leaders. Initiatives include promoting package repository
security principles, enabling better collaboration with OSS infrastructure operators, and publishing
materials to aid in vulnerability and incident response improvements. Significant contributions include the Rust Foundation's plans for public key infrastructure
on crates.io, the Python Software Foundation's expansion of PyPI for secure publishing,
and enhanced security measures by Packagist, Composer, NPM, and Maven Central.
These actions involve implementing multi-factor authentication, digital attestations, and security audits, aiming to secure critical infrastructure
reliant on OSS. CISA Director Jen Easterly emphasized the importance of these efforts
in partnership with the OSS community to bolster the ecosystem's security.
Staying with CISA for just a bit longer, the U.S. Government Accountability Office reviewed CISA's 13 operational technology cybersecurity products and services,
revealing positive feedback from 12 out of 13 non-federal entities.
Challenges were noted, including difficulties experienced by seven
entities, such as the DoD's Defense Cyber Crime Center and the Department of Energy's Office of
Cybersecurity. Key issues included delays in vulnerability reporting and insufficient CISA
staff with OT skills. Despite these challenges, positive experiences with CISA's advisories, tools, and training were highlighted.
GAO recommends CISA improve customer service measurement and workforce planning for its OT services.
CISA, recognizing these challenges, has initiatives like the Industrial Control Systems Working Group to enhance OT security.
DHS has concurred with GAO's recommendations,
indicating plans for implementation to bolster OT cybersecurity collaboration and services.
A report out of California reveals that out of 480 data brokers registered with the California Privacy Protection Agency, 24 sell data on minors, 79 trade in precise geolocation, and 25 deal in reproductive health information.
This disclosure, mandated by California's DELETE Act, highlights the trade in sensitive personal data. The DELETE Act becomes effective in 2026
and will allow consumers to request the deletion of their personal data with ease.
Experts criticize the current system's failure to protect children's privacy,
noting that federal laws like COPPA are inadequate.
The Act also introduces penalties for non-registration and mandates periodic audits of data brokers to ensure compliance, aiming to enhance consumer privacy and data protection.
Permiso Security has introduced CloudGrappler, an open-source tool designed to enhance the
detection of cloud environment intrusions by APTs.
Leveraging Cado Security's cloudgrep tool,
CloudGrappler supports searches in AWS, Azure, and Google Cloud Storage,
focusing on the TTPs of major threat actors.
It provides a granular analysis of security incidents,
helping to quickly identify anomalies. The tool includes a data sources JSON
file for scan scope definition and a queries JSON file with predefined and customizable TTPs.
Upon completion, CloudGrappler generates a detailed JSON report of findings,
aiding security teams in prompt response.
Security firm Darktrace has identified a sophisticated phishing and malspam campaign
exploiting Dropbox to target Software-as-a-Service platform users.
This new attack bypasses multi-factor authentication,
encouraging recipients to download malware and compromise their login details.
Attackers send emails from legitimate Dropbox addresses containing malicious links.
A specific instance on January 25th of this year
involved an email to 16 Darktrace Software-as-a-Service users,
leading to a PDF hosted on Dropbox with a link to a fake Microsoft 365 login page,
aiming to harvest credentials.
Despite Darktrace's security measures, the campaign saw some success, with suspicious SaaS activity observed, including logins from unusual locations via VPNs.
This incident underscores the sophistication of phishing attacks and the challenge of securing SaaS environments against credential theft,
even with MFA in place.
The EU's Cyber Solidarity Act,
a proposal introduced to bolster cyber resilience,
received preliminary approval on March 5th,
marking a significant legislative development.
This act outlines measures to enhance EU-wide cyber defense capabilities.
Key features include establishing a European Cybersecurity Alert System,
powered by AI and analytics, for swift threat communication,
a cybersecurity emergency mechanism for preparedness testing in critical sectors,
and an EU cybersecurity reserve
offering incident response services. Additionally, it provides for financial support for mutual
assistance in cyber incidents, encouraging collaboration among member states during
severe attacks. Thierry Breton, EU Commissioner for Internal Markets, emphasized its critical role in establishing a European cyber shield
for quicker threat detection and collective support mechanisms.
Pending formal approval, the Act envisions stronger EU-level cyber cooperation
and mandates for critical infrastructure on preparedness testing,
enhancing security for citizens.
The National Security Telecommunications Advisory Committee, made up of representatives from the
nation's largest telecommunications companies as well as cybersecurity firms, urges the federal
government to introduce economic incentives and new liability protections to boost cybersecurity
and critical infrastructure. Recognizing that market forces alone are inadequate for encouraging
essential cybersecurity investments, the committee suggests tax deductions, federal grants, and a
nationwide educational push on available federal cybersecurity services, like those from CISA, NSA, and NIST.
Additionally, it calls for clear liability protections to facilitate freer information
sharing on cyber threats. The recommendations aim to bridge the cybersecurity investment gap
and simplify the complex cyber regulatory landscape, enhancing the protection of national security against
heightened threats, as exemplified by the Chinese government-linked hacking group
Volt Typhoon's activities in American infrastructure. Financial services firm
PaySign is probing allegations of a data breach after a hacker purportedly offered to sell a
database with millions of consumer records tied to the company.
Despite these reports, PaySign says there's been no disruption to their services,
allowing cardholders to continue using their accounts.
The company is known for its prepaid card programs and digital banking services
and recently partnered with MasterCard for product development.
A hacker named Emo claims to have stolen over 1.2 million records,
including sensitive customer information, asserting the breach happened recently.
Coming up after the break, my conversation with Alex Cox from LastPass.
We're discussing what to expect after LockBit.
Stay with us. Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
cybercriminals to bypass your company's defenses is by targeting your executives and their families
at home. Black Cloak's award-winning digital executive protection platform secures their
personal devices, home networks, and connected lives. Because when executives are compromised
at home, your company is at risk. In fact, over one-third of new members discover they've already
been breached. Protect your
executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
I recently had the pleasure of speaking with Alex Cox, Director of Threat Intelligence, Mitigation, and Escalation at LastPass.
Our conversation centers on what to expect after LockBit.
You know, we see regularly connected action to take down some of these larger cybercriminal groups, especially when they are as impactful as LockBit has been historically.
But I've been around long enough and I've been exposed to enough of these takedowns to know the reality of them.
And that's that, you know, they are often temporary and that the bad guys have gotten
pretty good at learning about, you know, how takedowns operate and how they can mitigate
the damage that, you know, the good guys can do to their operation.
Yeah. And in your estimation,
how permanent does this one seem to be so far?
Well, being that they were back up within a week,
not permanent at all.
So one of the things when we talk about ransomware and the ransomware groups that I like to talk about
is how ransomware became to be a thing.
And it really goes back to the banking Trojans
of 15, 20 years ago,
because the threat actors, the cyber criminals
kind of got started in the banking Trojan world.
They went, okay, cool, we can infect grandma's machine.
When she logs into her bank, we can steal her credentials
and then we can steal her money.
And that worked for a while
and the good guys kind of went, okay, this is happening.
The banks figured it out.
They started doing some detection
and they were able to mitigate that to a certain extent.
So the bad guys backed up a little bit,
and they went back to the drawing board,
and they said, okay, that worked pretty well
with getting money and getting access to an account.
What's the next thing we could do?
Well, the next thing was fake AV.
So if you remember fake antivirus,
everywhere you logged in, it was like,
hey, your machine's infected.
Download this tool, and we'll fix your problem.
So the advantage that they got there is it was kind of a three-part punch, right?
You downloaded the tool for $30.
So they got $30.
They got access to your machine and they got your credit card.
So whereas they were typically just getting credit card or access to your account to begin with,
the second stage was, oh, hey, I'm going to scare you. And then that way, I'm going
to get your credit card, your access to your machine, and 30 bucks. So that worked for a while.
And the good guys kind of went, okay, the fake AV thing is a thing. Let's figure it out. And
they mitigated it to a certain extent. Well, so the bad guys went, okay, so the fear thing worked
really well. How can we leverage that? And then they went, okay, now we're going to infect these
machines with this ransomware. It's going to encrypt all of this person's data, and we're
going to make them pay me a Bitcoin or two to get it back. And so they had figured out that both
stealing the financial information and the fear part of it worked, and that sort of resulted in
ransomware. And then sort of the fourth stage that we're seeing is the data ransom. So now they're using that fear tactic on another level where they're getting into an organization, they're infecting the place with ransomware, they're getting access to valuable data, they're exporting it off the victim network, and then they're going, oh, by the way, we have all this data, and if you don't pay us within a week, we're going to release it publicly. So, you know, the industrial intellectual property
secrets and financial information, email, and all that jazz. You know, so they've kind of gone from
a single, you know, a single compromise of grandma's machine to, I'm going to release this data from
this giant corporation to try to harm them. So, you know, it's what we call big hunting from that standpoint, where they're going after these giant corporations with lots of data.
You know, so when you look at ransomware these days, you know, that's the history behind what
they're doing and why they're doing it. And the other thing that the bad guys learned over that
time was that, you know, when I attack, you know, if I'm going to do this major cybercrime operation,
I have to expect takedown activity from the defenders, and I have to be able to mitigate that.
So when you look at Lockbit, the way they mitigated that is they didn't run all of their servers on PHP, which is what the attackers or the defenders used to take them down, law enforcement used to take them down.
So they were able to keep some servers up, and then they had backups.
So as soon as all the PHP servers were taken down,
they just stood their backups up,
redirected all their bots,
and they're active again.
And it took about a week.
And that is something that we see
over and over again these days.
So to what degree do you think a takedown like this
actually moves the needle, if at all?
Yeah, it depends.
I mean, so modern takedowns are super complex. You know, you have
to have, there's typically a bunch of moving parts, you know, like I said, the bad guys are
good at hiding stuff. And, you know, what you'll see is there are typically multiple security
companies, law enforcement, some legal teams. And, you know, if you look at the way Microsoft
has approached this problem with their digital crimes unit, you know, they're attacking it
legally, right? They're saying, hey, this person's harming the business. This person is, you know, stealing our intellectual property.
And they've had some success doing that. But it's one of those situations where if you don't get everything,
then the bad guys are likely to bring it back up. So it really depends on the takedown and how
completely the good guys understand the operation as to whether it's going to stick or not.
But most recently, it doesn't stick super well.
We typically see the bad guys bring their stuff back up within weeks or months.
Well, the organizations that you see who are having success here
in terms of not falling victim to ransomware
or being able to get back up and running if they do fall victim here?
What are the common elements that they have to see some success?
So it's really around security hygiene.
I mean, there are some basic security hygiene things that you can do that will help protect you.
Like, number one is patching.
You know, if you look statistically,
when a company is hacked,
the vulnerability that we use to get in to begin with is typically about 18 months old, right?
So that means that that company or that entity
had 18 months to patch that and it did not.
You know, if that's the situation, right?
Having this very robust and active
and regular patching program, you know,
kind of helps with that foothold that the bad guys try to get. You know, so that's the first one.
The second one is around password management, right? Not reusing passwords, using unique
passwords for each site you have, you know, using a password manager, you know, sort of
understanding that like things like service accounts and
administrator accounts are highly targeted. So having a little bit more scrutiny, a little bit
more process around getting that level of rights or getting access to those accounts.
And then the third one is using two-factor authentication. One of the ways I like to
describe that is to think about your front door, right? Your front door has both a deadbolt and a door lock.
One of those makes the door secure most of the time.
But in that case, you only have to beat one to get in.
You know, the old military saying of, you know,
two is one and one is none.
If I'm going to use, you know,
if you look at multi-factor authentication,
you've got a password and you've got your multi-factor.
So you've got your door lock and your deadbolt.
If you use both of them,
you're more secure than just the password.
So that's how I like to explain multi-factor.
So those three things, right?
Patching, not reusing your passwords, and using password management, and multi-factor authentication.
Those are the base security hygiene things that will help most companies kind of help with this problem.
And then the other one is people, right? So a lot of the intrusion work that happens starts with a person, right? And that's either via a phishing email or
some social engineering. So that's the education piece. And of course, the education piece is not
100% effective because we all know that you educate your employees on not clicking on phishing
emails and a certain percentage of them are going to click on them anyway.
But it's just part of the puzzle that we kind of put together to do that.
But if you look at the companies like big banks and big technology firms that have all this robust patching and security management, they're less likely.
And that's one of the reasons that the ransomware folks have been targeting,
like small businesses and legal and healthcare and, you know, those education,
those entities that aren't quite as capable,
don't have as much resource to devote towards security measures.
Yeah, we've been seeing some calls lately from some, you know, former government officials and even some security companies suggesting that perhaps
banning ransomware payments could be a potential solution here. Do you have any thoughts on that
possibility? Yeah, I mean, so paying the ransom is a double-edged sword. I mean,
you know, I think the last statistic I saw on that was that about 25% of folks that pay their ransom get their data back.
So it's not huge.
It's not a good bet from that standpoint.
And then the other thing is, obviously, the pay the ransom has sort of fueled the cyber insurance industry
because now cyber insurance has to consider that a major ransomware issue could be huge. So, you know, you've got that as well. You know, you've got to worry about
cyber insurance. So, you know, it's definitely something that I wouldn't recommend as far as,
you know, how to deal with a ransomware event. It's certainly an option and it's, you know,
it's a thing to have in the toolbox, but it definitely wouldn't be my first choice.
Are you optimistic that we have a chance here
to really make a difference when it comes to ransomware?
Or is this something that's here to stay?
I think it's here to stay for a little while, at least.
I can't think of any particular technology
or otherwise that's kind of on the horizon
that's going to solve the problem.
And if you look at things like zero trust, where, you know, you've got a,
you know, you've got a network that's,
that's built around the idea that nobody trusts anybody unless you, you know,
unless you're doing it in real time or, you know,
you're doing it at the time you're trying to do the access, you know,
that has some potential because a large part of what,
what makes ransomware effective is the access piece.
So if I'm a ransomware actor, I hack into your machine, I get access to a single foothold.
Maybe I pull some accounts off of that foothold and hope that one's an admin account.
If I have an admin account, maybe I can get access to a service account.
If that service account has access to a large swath of desktops,
I use that service account to push the ransomware everywhere.
So if you think about zero trust
and the fact that
with a properly implemented
zero trust architecture,
you wouldn't necessarily have
that capability
or there would be some steps
that would prevent the ransomware
from being able to spread uncontrollably.
That has some play too.
But again,
we're in that situation
where that is a huge re-architecture
of most people's networks and most people's process.
And it's going to take some time.
So yeah, I think we'll see ransomware
be a problem continually for a while
until we start getting some bigger deployments
of that sort of process, that sort of concept.
And then the bad guys will adjust to whatever's next.
Then we'll have to deal with the next thing
because this arms race goes back and forth like that.
It has for the past, really for the whole time
I've been in this industry, which is over 20 years.
That's Alex Cox, Director of Threat Intelligence,
Mitigation, and Escalation at LastPass.
we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization
runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep
your company safe and compliant.
With TD Direct Investing, new and existing clients could get 1% cash back.
Great! That's 1% closer to being part of the 1%.
Maybe, but definitely 100% closer to getting 1% cash back with TD Direct Investing. Conditions apply. Offer ends January 31st,
2025. Visit td.com slash DI offer to learn more.
And finally, experts argue that many hackers behind ransomware attacks are driven more by ego and a lack of impulse control
rather than being organized criminal masterminds, Axios reports.
This perception challenges the common belief among victim organizations that they are
dealing with highly organized groups. Former FBI agent James Turgal highlighted the self-centered
and egotistical nature of these cyber criminals, noting a lack of honor among thieves. Recent
incidents, such as the ransomware attack on Change Healthcare and the subsequent implosion of the ransomware gang ALPHV over disputed ransom payments, underscore the internal conflicts and scams within these groups.
The ransomware-as-a-service model has made entry-level hackers more valuable, facilitating their participation in cybercrime without needing advanced skills.
This has led to frequent infighting and scams,
even as victims often overestimate the sophistication of their adversaries.
It's a point well taken.
How many times has an organization's breathless initial reporting on a cyber incident included something along the lines of,
we are dealing with sophisticated nation-state threat actors,
and we feel there's very little
anyone could have done to protect themselves
against an organization
with these sorts of limitless resources.
To be fair, sometimes that is indeed the case,
but it's also sometimes the case that,
turns out, that sophisticated threat actor
is just some kid with too much time on their hands
and an overactive sense of curiosity.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast
where I contribute to a regular segment
on Jason and Brian's show every week.
You can find Grumpy Old Geeks
where all the fine podcasts are listed.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
N2K Strategic Workforce Intelligence
optimizes the value of your biggest investment,
your people. We make you smarter about your team while making your team smarter.
Learn more at N2K dot com. This episode was produced by Liz Stokes. Our mixer is Trey Hester
with original music by Elliot Peltzman. Our executive producers are Jennifer Iben and Brandon
Karp. Our executive editor is Peter Kilby, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
practical, and adaptable. That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at
ai.domo.com. That's ai.domo.com.