CyberWire Daily - Cl0p ransomware at Hitachi Energy. Alleged TikTok surveillance of journalists. Hacktivist auxiliary hits Indian healthcare records. Cyberattack on Latitude: update. BreachForums arrest.
Episode Date: March 20, 2023

Cl0p ransomware hits Hitachi Energy. The US Department of Justice investigates ByteDance in alleged surveillance of journalists. A hacktivist auxiliary hits Indian healthcare records. Pirated software is used to carry malware. The effects of the cyberattack on Latitude persist. Adam Meyers from CrowdStrike shares findings from the 2023 CrowdStrike Global Threat Report. Rick Howard has the latest preview of CSO Perspectives. And Pompompurin is arrested for an alleged role in BreachForums.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/53

Selected reading.
Hitachi Energy confirms data breach after Clop GoAnywhere attacks (BleepingComputer)
Hitachi Energy Group hit by cyber-attack, says network operations not compromised (cnbctv18.com)
Justice Department Probes TikTok's Tracking of U.S. Journalists (Wall Street Journal)
The FBI And DOJ Are Investigating ByteDance's Use Of TikTok To Spy On Journalists (Forbes)
KillNet and affiliate hacktivist groups targeting healthcare with DDoS attacks (Azure Network Security Team)
Pro-Russia hackers are increasingly targeting hospitals, researchers warns (Record)
Russian hacktivist group targets India's health ministry (CSO Online)
Russian Hacktivist group Phoenix targets India's Health Ministry Website (Threat Intelligence | CloudSEK)
Ukraine warns that hacked software can be infected with Russian viruses (Kyiv Independent)
Russian hackers spread infected software through torrents (SSSCIP)
Australia's Latitude takes systems offline, Federal Police investigate cyberattack (Reuters)
FBI targets notorious cybercrime market with teen's arrest (Washington Post)
Dark Web 'BreachForums' Operator Charged With Computer Crime (Bloomberg)
Feds arrest alleged BreachForums owner linked to FBI hacks (The Verge)
NY Man Charged as 'Pompompurin,' the Boss of BreachForums (KrebsOnSecurity)
Breach Forums Admin 'Pompompurin' Arrested in New York (Cyber Kendra)
Pompompurin Unmasked: Infamous BreachForums Mastermind Arrested in New York (The Hacker News)

Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Cl0p ransomware hits Hitachi Energy.
The U.S. Department of Justice investigates ByteDance in alleged surveillance of journalists.
A hacktivist auxiliary hits Indian health care records.
Pirated software is used to carry malware.
The effects of the cyberattack on Latitude persist.
Adam Meyers from CrowdStrike shares findings from the 2023 CrowdStrike Global Threat Report.
Rick Howard has the latest preview of CSO perspectives.
And Pompompurin is arrested for an alleged role in BreachForums.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, March 20th, 2023.
Hitachi Energy, a subsidiary of the Japanese technology giant Hitachi, has confirmed that it sustained a data breach after falling victim to a Cl0p ransomware attack, BleepingComputer reports. The threat actor carried out the attack via a vulnerability, CVE-2023-0669, in Fortra's GoAnywhere MFT. Hitachi Energy said in a press release that the threat actor accessed employee data in some countries, but there's no evidence that any customer data was breached.
Forbes reported Friday that the Fraud Section of the U.S. Department of Justice Criminal Division, working with the Office of the U.S. Attorney for the Eastern District of Virginia, has been investigating ByteDance for attempts some of its employees made to use TikTok in collecting location information and other personal data pertaining to journalists. ByteDance has distanced itself from the employees' actions, saying, "We have strongly condemned the actions of the individuals found to have been involved, and they are no longer employed at ByteDance. Our internal investigation is still ongoing, and we will cooperate with any official investigations when brought to us."
The Wall Street Journal has an overview of the internal investigation ByteDance opened into the incident this past December. That internal investigation is still in progress, but ByteDance's TikTok subsidiary says it's taken some steps to prevent a recurrence. TikTok has said it was restructuring its internal audit and risk control department and removed all user data access and permissions for the department.
CSO, citing observations made by security firm CloudSEK, reports that the Russian hacktivist auxiliaries of the Phoenix group have compromised healthcare information in India. Phoenix claimed to have obtained sensitive data and posted samples in confirmation of their attack. CloudSEK writes, "An analysis of the samples shared concluded that the affected entity is the health management information system belonging to the Indian Ministry of Health." Phoenix, a group associated with Killnet, indicated that the attack was retaliation for India's agreement to the sanction and oil price cap the G20 imposed over Russia's invasion of Ukraine.
This interest in attacking healthcare organizations is not unusual. Microsoft's Azure Network Security team reported Friday that the healthcare sector is now providing the principal target set to Killnet and its affiliates. As had been the case in the past, these attacks have shown a strong preference for botnet-driven distributed denial-of-service attacks. The incident at the Indian Ministry of Health is thus an outlier in terms of attack type, but it's entirely consistent with the Russian auxiliary's target selection practices.
The Kyiv Independent reports that pirated software offered by Russian threat actors commonly carries Trojan payloads. The State Service of Special Communications and Information Protection of Ukraine warned yesterday that torrent streaming of unlicensed software remains a threat to both organizations and individuals. They state that hackers Trojanize ISO and installation files. It's an old one, common in the near abroad, as the SSSCIP points out, stating, "In many post-Soviet countries, system administrators working for organizations and companies of various forms of ownership still use unlicensed software, including operating systems, shared via torrent trackers. By installing a copy of cracked software from a torrent, they actually give Russian special agencies access to their workstation's drives. Using cracked operating systems is especially dangerous, as cybercriminals have full administrator access to any device such a system is installed on."
Australian fintech provider Latitude has taken its systems offline as the cyberattack it sustained last week remains active, Reuters reports. The company says that both the Australian Federal Police and the Australian Cyber Security Centre were investigating and that it intends to restore service gradually over the next few days. ABC describes the effects the incident has had on a representative group of customers.
And finally, Connor Brian Fitzpatrick, who goes by the hacker name Pompompurin, 19 years young, has been arrested in Peekskill, New York, by the FBI. A statement by John Longmire, the FBI special agent who made the arrest, reads in part, "At approximately 4:30 p.m. on March 15, 2023, I led a team of law enforcement agents that made a probable cause arrest of the defendant in Peekskill, New York. Thereafter, I swore out a criminal complaint on that day in the United States District Court for the Eastern District of Virginia, in which I formally charged the defendant with one count of conspiring to solicit individuals with the purpose of selling unauthorized access devices." Special Agent Longmire further stated, "When I arrested the defendant on March 15, 2023, he stated to me in substance and in part that his name was Connor Brian Fitzpatrick, he used the alias Pompompurin, and he was the owner and administrator of BreachForums, the data breach website referred to in the complaint." BreachForums is generally regarded as the successor to RaidForums, the criminal market taken down by the FBI in 2022. BreachForums in general, and Pompompurin in particular, have been a thorn in the side of the FBI for the last several years, according to KrebsOnSecurity. In November of 2021, for example, Pompompurin took credit for a caper in which thousands of bogus emails were sent from FBI and associated email addresses. More recently, RaidForums participants were involved in the infiltration of InfraGard. They applied for and obtained membership by impersonating the CEO of a financial services company. From that membership, they were able to compromise information on roughly 80,000 InfraGard members. That data was subsequently offered for sale on RaidForums.
Mr. Fitzpatrick was presented in federal court in White Plains, New York, and released on a $300,000 unsecured bond signed by his parents, Bloomberg reports. A note on his alleged hacker name: Pompompurin is a golden retriever from the Hello Kitty universe, which suggests that, precocious as he may be, Mr. Fitzpatrick in some ways remains very young.
Coming up after the break, Adam Meyers from CrowdStrike shares findings from the 2023 CrowdStrike Global Threat Report. Rick Howard has the latest preview of CSO Perspectives. Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security
questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta
when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365,
with Black Cloak. Learn more at blackcloak.io.
Adam Meyers is head of intelligence at CrowdStrike, where they recently released their 2023 CrowdStrike Global Threat Report.
I reached out to Adam Meyers for details on the report.
There's a calculus that goes into this stuff.
I call it a calculus at least.
And in ransomware, the calculus is measuring downtime
and trying to create enough downtime
that it effectively creates a situation
where it's cheaper to pay the ransom
than to continue trying to fight through it.
And with that extortion, that changes.
Now the calculus is no longer about the downtime.
The calculus is about what are the legal
and regulatory and compliance impacts
of losing all of the sensitive data
and it being published on the internet.
Think about GDPR and HIPAA and all the various privacy acts.
And a victim organization facing an extortion demand,
they do the math real quick and they recognize this could be
a $100 million problem or a $10 million problem.
And they're going to probably pick the smaller problem.
What are we tracking these days in terms of the criminals being good to their word? If you pay
them, do they hold up their end of the deal? They do, yeah. As you would expect,
they're coin-operated. They're financially motivated. And that's one of the big drivers of this change.
When you think about organizations have really taken heed
and they've created robust backup solutions
and they've done all of this work to ensure that ransomware
isn't effective against them.
They've got EDR solutions that can detect ransomware
as it's executing and starting to encrypt files.
And even when they are successful,
there's this playbook that's been developed
over the past couple of years.
And I think of it almost like a hostage negotiation.
They're like, well, I don't know what Bitcoin is,
or I'm not authorized, it's a lot of money.
And then they start doing the, can you unlock this file
so you can prove that you can do what you say you can do?
And then they grind them down on price
and they kind of wait them out
because this threat actor wants to make money.
And that playbook is incredibly frustrating
for the threat actor.
And so with that extortion,
that playbook doesn't work anymore.
Right now it's like an express kidnapping
where they want $100,000 to get somebody back
and you're like, well, I can only do 50.
And they're like, for 50 you could have half of them.
That's not a palatable option.
So now the threat actor has the control.
They can pull the levers
and kind of drive the conversation forward.
And that's what data extortion allows them to do.
When that ransomware playbook comes out and they're like,
well, I don't know what Bitcoin is or I'm not authorized,
the threat actor can come back and say,
okay, well, we're going to release 10 gig of your sensitive customer data
to the internet and let's see if you figure it out.
And so now they're able to really control that conversation.
And to your point, encryption's hard.
It's noisy.
And ransomware attracts a lot of attention
and it can break things.
And so removing that complexity means
that the threat actor just has to steal the data
and it simplifies their whole process.
And ransomware as a service has been very prevalent over the past couple of years.
And with ransomware as a service,
as the threat actor, you're using this ransomware platform
and you're paying them 20% of your ransom
for the use of their platform.
When you're doing that extortion, you don't need that.
You remove the complexity of all of the encryption,
you remove the complexity of the ransomware, and you get to keep 100% of the proceeds versus 80%.
Based on the information that you all have gathered here, what's the advice? What's the
actionable steps people can take to better defend themselves?
That's definitely a great question.
When you look at data extortion in particular,
which is really on the rise.
In fact, we mentioned in the report that 70% of the attacks that we observed this year
don't even involve malware.
They're what we call malware-free.
Where a lot of these threat actors are coming in,
and it's not just the extortionists.
There's lots of different threat actors
taking advantage of this.
They're coming in by stealing legitimate credentials
or phishing legitimate credentials.
And just yesterday, Microsoft released
something like 80 different vulnerabilities.
A number of them were critical.
One of them is in Microsoft Outlook.
And with a properly crafted calendar invite, effectively, you can force somebody to
pass their Windows authentication to an arbitrary server, meaning that they can capture your username
and password effectively just by sending you a calendar invite. And so once they have those
credentials, they're able to log in. Maybe an organization has multi-factor authentication.
I hope they do.
But that doesn't stop the attacker
because now they could social engineer
past that six-digit number
or they can do SIM swapping attacks
where they target their phone number
or they can do some social engineering
if it's one of those pop-up authentications.
So it hasn't stopped the attackers.
In fact, you probably remember last summer a group called Lapsus$ was pretty active.
And one of their victims was Microsoft itself.
And that was the work of a threat actor
that really wasn't using a lot of tooling.
They just used social engineering and sneakiness to get in.
And this is really only countered
with something like identity protection.
We used to say in this industry,
and this is a quote from Ronald Reagan,
trust but verify.
And that kind of guided a lot of the InfoSec world for a while.
But now I think we're in this world of zero trust
where you have to
make sure that just because Dave says he's Dave, that doesn't necessarily mean that he is Dave.
We have to verify that. And so we have to change that paradigm of trust but verify.
And now it has to be verified, then trust. And that is changing the process, that's changing the methodology,
and it's incorporating technology like identity protection,
which can look at every one of Dave's logins
and make sure that Dave is who he says he is.
Dave usually uses an iPhone coming in from New York,
but today it's an Android coming in from Oxford.
Why is that?
Let's do some digging and let's look for some behaviors
that we can pin to that
and say, this is not how Dave typically operates.
And now we can contain Dave's user account,
not just his machine, but his user account.
And that is really the answer that a lot of organizations
have figured out they need to be moving into in the next year.
That's Adam Meyers from CrowdStrike. It is always my pleasure to welcome back to the
show, Rick Howard. He is the CyberWire's Chief Security Officer and also our Chief Analyst. Rick, welcome back. Hey, Dave. So for the past couple of weeks, you and I have
both been traveling, not together, but to different places with different vacations.
I'm glad you specified that. Yeah, different work-related things and so on and so forth.
And so we have not crossed paths in a couple of weeks. We haven't had a chance to record
these conversations about what is coming up on your podcast, CSO Perspectives.
But here we are. We are near the end of March. And I realize that you are on your final episode
of this season. So please bring us up to speed and catch us up.
Well, that's right. Season 12 is coming to an end this week at CSO Perspectives. And so we'll be on hiatus until just after the big RSA security conference in April of next month.
So I guess the interns down in the Sanctum Sanctorum will need some time to bang away on their typewriters for season 13.
Is that right?
Yeah, it's true.
Every once in a while, we have to let them out of their cages for a bit
because, you know,
they start to get a little testy.
You know how they can be.
They want stuff like food and water.
They're so demanding, right?
And meaty, yeah.
So for this last show of the season, though,
I'm previewing a talk
that I will be giving at the RSA conference next month
with a friend of mine, Todd Inskeep.
It's called The Emperor Has No Clothes,
The Current State of the CISO. Now, my recollection is that you interviewed Todd
sometime before the holiday break last year, and you guys were talking about
this relatively new development in the CISO career path. Refresh my memory. What was that?
Yeah, it's called a fractional CISO, right? It's essentially
a CISO consultant for organizations that don't have a CISO yet and need to start their fledgling
InfoSec programs. And you can hire one of these folks to get you started and maybe check in from
time to time to help with, you know, various projects. So after the interview, Todd and I
got to talking about the current state of the CISO career path.
And afterwards, we said, hey, this might make a great talk at some conference somewhere.
And much to our surprise, the RSA Security Conference Selection Committee accepted our proposal.
So, we're presenting at RSA this year.
Wow. Congratulations.
Why is it called the emperor has no clothes?
Well, you know, the bad news is that for the most part, the chief information security officer is not the chief of anything, really.
You know, people who hold those positions are not at the same level as, say, the CFO, the CTO, or even the chief legal officer.
CISO is really just a fancy title that means you're in charge of security for the company, but probably buried a couple of layers down in the bureaucracy.
What's the good news then?
Well, there is good news because I love this job.
Okay.
So, in the past seven years or so, there have been a series of jobs open up that require CISO experience.
Like we have the CISO evangelist that you get for all the security vendors.
We got the new kind of CISO that understands software development.
I call them the DevSecOps CISO.
If you're following my podcast, you know we're trying to learn how to do cybersecurity risk.
We got that kind of a CISO.
And the latest one is the Chief Security Product Officer,
where vendors are hiring former CISOs to come in and help them secure their products.
So, if you're attending the RSA Security Conference next month,
come join me and Todd on Thursday afternoon.
I promise it will be a lively discussion.
But for those that are not going to go to the conference,
this last episode will give you kind of a preview of what we're going to talk about.
So let me just, I mean, it's called the Emperor Has No Clothes,
but you will be fully clothed, right?
Well, no promises, okay?
No promises.
I don't know if that will attract people or repel them, Rick, but speaking of RSA— Well, try to get that out of your head now.
Try to go to sleep and not think about that.
It's a good thing there's no video here.
So speaking of RSA, there will be a lot of us from N2K in attendance doing our thing.
We interview people, meet people.
We're even hosting a lunch for all of the CyberWire's hash table members,
and that's going to be a lot of fun.
I would be remiss if I didn't mention the fact that N2K and Wiley Publishing
are releasing your new book in conjunction with the conference.
Tell us about the book.
What is the title and what is it all about?
So the title is Cybersecurity First Principles,
a Reboot of Strategy and Tactics.
And you know this, Dave, with the CSO Perspectives podcast,
we spent the last three years talking about
getting back to first principles in our field.
And that has been some of the most rewarding work I've done
in my entire career. The downside is that the information is scattered across the CyberWire
website and delivered in little small dollops of audio from the podcast. So the book is our
attempt to get all of it into one convenient container. And the hardcover book will be
released at the RSA conference, and you can pre-order it now on
Amazon and then the Kindle versions and the audio book will come out soon after that. In fact,
I'm currently right as I leave this interview, I'm going to begin recording the audio book.
So that's what I'm working on. Oh, nice. And you're going to be signing books at the conference
bookstore, right? Yeah. Immediately after my talk with Todd on Wednesday afternoon, I'll be signing my book outside the conference bookstore. So if anybody listening is attending
the conference, please come on by. I would love to meet you. All right, terrific. Well, Rick Howard
is the CyberWire's chief security officer, our chief analyst, but more important than any of
that, he is the host of the CSO Perspectives podcast. Rick, thanks for joining us. Thank you, sir.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, data and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security Ha!
I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks
where all the fine podcasts are listed.
The CyberWire podcast is a production of N2K Networks,
proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
This episode was produced by Liz Irvin
and senior producer Jennifer Eiben.
Our mixer is Trey Hester with original music by Elliott Peltzman.
The show was written by John Petrik.
Our executive editor is Peter Kilpe, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.