CyberWire Daily - Conspiracy theories in politics.

Episode Date: July 15, 2024

The assassination attempt on former President Trump sparks online disinformation. AT&T pays to have stolen data deleted. Rite Aid recovers from ransomware. A hacktivist group claims to have breached Disney's Slack. Checkmarx researchers uncover Python packages exfiltrating user data. HardBit ransomware gets upgraded with enhanced obfuscation. Threat actors can weaponize proof-of-concept (PoC) exploits in as little as 22 minutes. Google may be in the market for Wiz. Rick Howard previews his analysis of the MITRE ATT&CK framework. Blockchain sleuths follow the money.

This Week on CSO Perspectives

Dave chats with Rick Howard, The CSO, Chief Analyst, and Senior Fellow at N2K Cyber, about his latest episode of CSO Perspectives, which focuses on the current state of MITRE ATT&CK. If you are an N2K Pro subscriber, you can find this installment of CSO Perspectives here. The accompanying essay is available here. If you're not a subscriber and want to check out a sample of the discussion Rick has with his Hash Table members about MITRE ATT&CK, you can find it here.

Selected Reading

Conspiracy theories spread swiftly in hours after Trump rally shooting (The Washington Post)
AT&T Paid a Hacker $370,000 to Delete Stolen Phone Records (WIRED)
Pharmacy Giant Rite Aid Hit By Ransomware (Infosecurity Magazine)
Disney's Internal Slack Breached? NullBulge Leaks 1.1 TiB of Data (HackRead)
Malicious Python packages found exfiltrating user data to Telegram bot (Computing)
HardBit ransomware version 4.0 supports new obfuscation techniques (Security Affairs)
Hackers use PoC exploits in attacks 22 minutes after release (Bleeping Computer)
Google is reportedly planning its biggest startup acquisition ever (The Verge)
Automotive SaaS provider CDK paid $25 million ransom to hackers (BeyondMachines.net)

The CyberWire is a production of N2K Networks. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. The assassination attempt on former President Trump sparks online disinformation. AT&T pays to have stolen data deleted. Rite Aid recovers from ransomware.
Starting point is 00:02:12 A hacktivist group claims to have breached Disney's Slack. Checkmarx researchers uncover Python packages exfiltrating user data. HardBit ransomware gets upgraded with enhanced obfuscation. Threat actors can weaponize proof-of-concept exploits in as little as 22 minutes. Google may be in the market for Wiz. Rick Howard previews his analysis of the MITRE ATT&CK framework. And blockchain sleuths follow the money. It's Monday, July 15th, 2024. I'm Dave Bittner. Thanks for joining us here today.
Starting point is 00:03:13 The shooting of former President Donald Trump at his campaign rally on Saturday quickly turned into a hotbed for conspiracy theories flooding social media with unverified claims. Despite law enforcement efforts to clarify the situation, the political environment amplified these false narratives. Investigators identified the shooter and confirmed some details, but conspiracies flourished. Left-leaning accounts suggested a false flag operation by Trump's supporters, while some far-right voices accused President Biden of orchestrating the attack. Megan Squire from the Southern Poverty Law Center highlighted how such incidents are often exploited for political agendas. Right-wing influencers and politicians like Representative Mike Collins insinuated high-level conspiracies,
Starting point is 00:04:06 adding fuel to the misinformation fire. Social media posts from various accounts propagated claims of a deep state plot or fabricated scenes. These narratives found fertile ground in a divided political landscape where consensus on basic facts is increasingly rare. Online bots amplified the noise. Experts like Graham Brookie of the Atlantic Council urged caution, emphasizing the prevalence of false information during rapidly developing events. Despite these warnings, far-right channels continued to buzz with conspiracy theories and extreme rhetoric, including calls for civil war and blaming various groups like Antifa and the Deep State. Social media platforms
Starting point is 00:04:53 struggled to manage the spread of misinformation. Tech executives like Elon Musk speculated publicly, contributing to the confusion. Influential accounts pushed unfounded claims about the Secret Service's role and internal security policies, further muddling the public discourse. Amid this chaos, misinformation experts stressed the importance of verifying information before sharing it online. The rapid spread of false narratives
Starting point is 00:05:22 in the wake of Trump's shooting underscored the challenges of maintaining accurate public information in a polarized and digitally driven society. Late last week, AT&T disclosed a significant data breach involving hackers stealing call records for tens of millions of customers. In an exclusive for Wired, Kim Zetter reports the company paid over $300,000 in Bitcoin to a hacker from the ShinyHunters group to delete the stolen data and provide proof of deletion. This payment was confirmed by blockchain tracking tools. A security researcher who goes by the name Reddington facilitated the negotiation between AT&T and the hackers. The breach involved unsecured Snowflake cloud storage accounts. The stolen AT&T data included call and text metadata, but not content or names.
Starting point is 00:06:19 Despite payment, some data may still be at risk. John Erin Binns, believed to be responsible for the breach, was arrested in Turkey for a previous hack on T-Mobile. The breach's delayed disclosure was due to national security concerns. U.S. pharmacy chain Rite Aid recently fell victim to a ransomware attack by the RansomHub group, which claimed to have stolen 10 gigabytes of data, including personal information of customers, such as names, addresses, and birth dates. Rite Aid announced it has restored its systems with the help of third-party cybersecurity
Starting point is 00:06:57 experts and is fully operational again. The company emphasized its commitment to safeguarding personal information and is finalizing its incident response investigation. RansomHub, emerging in February 2024 and including former ALPHV/BlackCat affiliates, has been involved in several high-profile attacks. It's known for its aggressive tactics, including a second extortion attempt on Change Healthcare. Rite Aid, the third largest U.S. pharmacy chain, operates over 2,000 locations with revenues exceeding $24 billion. Hacktivist group NullBulge claims to have breached Disney, leaking 1.2 terabytes of internal Slack data.
Starting point is 00:07:49 The leaked data supposedly includes messages, files, code, and more, involving nearly 10,000 channels and sensitive information like unreleased projects and internal API links. NullBulge announced the breach on BreachForums and X (formerly Twitter), highlighting their mission to protect artists' rights and ensure fair compensation. The breach is yet to be verified, but it follows recent cyberattacks on AT&T and Ticketmaster. NullBulge is rumored to be linked to the LockBit ransomware gang. Disney has faced criticism for not paying royalties to artists and writers, with notable figures like
Starting point is 00:08:25 Neil Gaiman and Alan Dean Foster speaking out against the company. Researchers at Checkmarx have discovered an Iraq-based operation using malware hosted on the Python repository PyPI to search for files on victims' devices and exfiltrate them to a Telegram bot. Malicious packages named in the research have been removed from PyPI. These packages contained malicious code in an __init__.py file that targeted files with .py, .php, .zip, .png, and .jpg extensions, sending them to a Telegram bot.
Starting point is 00:09:11 The bot, active since 2022, contains over 90,000 messages, mostly in Arabic, and is involved in various criminal activities like spam, login fraud, and data theft. Researchers found the bot's operator maintaining several other bots for different nefarious activities. This attack highlights the persistent threat of supply chain attacks on PyPI, a popular target due to Python's widespread use. Users are advised to employ vulnerability scanners and threat intelligence before using third-party modules. Researchers from Cybereason have identified a new version of HardBit ransomware featuring advanced obfuscation techniques to avoid detection. Version 4.0 includes a binary obfuscated by a custom packer. HardBit ransomware, first seen in October 2022, does not employ double extortion but threatens further attacks if ransom demands are unmet.
Starting point is 00:10:21 The ransomware deletes volume shadow copies and alters boot configurations to prevent recovery. It disables Windows Defender antivirus features and ensures persistence by copying itself to the startup folder, mimicking the svchost.exe file. HardBit shares similarities with LockBit, possibly as a marketing tactic. The initial access method remains unconfirmed, but brute force of open RDP and SMB services is suspected. The attackers use tools like Mimikatz for credential theft and deploy HardBit via a zip file named 111.zip.
Starting point is 00:11:03 Versions 3.0 and 4.0 also support a wiper mode. According to Cloudflare's 2024 Application Security Report, threat actors can weaponize proof-of-concept exploits as quickly as 22 minutes after they're made public. The report, covering May 2023 through March 2024, highlights a rise in scanning activity for disclosed CVEs, command injections, and attempts to use available PoCs. To combat this rapid exploitation, Cloudflare emphasizes using AI to develop quick detection rules, as human response alone is insufficient. The report also notes that 6.8% of daily internet traffic is DDoS attacks, up from 6% the previous year, with spikes reaching 12% during major attacks.
Starting point is 00:12:03 Google is considering a $23 billion acquisition of Wiz, a cloud cybersecurity startup, according to the Wall Street Journal. This potential purchase would be Google's largest ever, nearly double the amount spent on Motorola Mobility in 2012. Wiz, based in New York City, provides security tools and scanners for enterprises, enhancing cloud infrastructure security by normalizing layers across environments to identify and mitigate risks quickly. Observers speculate this acquisition targets Microsoft, which has faced multiple high-profile security breaches recently. Google Cloud's Thomas Kurian is spearheading the acquisition, which aims to bolster Google's reputation as a secure cloud provider. This follows Google's previous security-focused acquisitions, including a $500 million cloud security startup in 2022 and the $5.4 billion purchase of Mandiant.
Starting point is 00:13:00 However, the deal may face regulatory scrutiny under the Biden administration's antitrust actions. Coming up after the break, Rick Howard previews his analysis of the MITRE ATT&CK framework. Stay with us. Do you know the status of your compliance controls right now? Like right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
Starting point is 00:13:54 into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Starting point is 00:14:43 Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Starting point is 00:15:18 Learn more at blackcloak.io. It is always my pleasure to welcome back to the show Rick Howard. He is N2K CyberWire's Chief Security Officer, also our Chief Analyst and host of the CSO Perspectives podcast. Rick, welcome back. Hey, Dave. So in this upcoming episode of CSO Perspectives... Easy for you to say, sir. I know, right? You are taking a look at the MITRE ATT&CK framework and kind of where we stand with that. What can you share today, Rick? Well, you know, Dave, I'm a gigantic fan of the MITRE ATT&CK framework.
Starting point is 00:16:01 I've been singing its praises, geez, for almost a decade now. Yeah. And much to my chagrin, it hasn't really caught on universally across the cybersecurity profession. And so I thought it was time to take a look and see what's going right with the MITRE ATT&CK framework and what are the obstacles that make it slow to adopt. Well, for folks who aren't familiar with it, can you give us a little bit of the backstory here? Yeah, there's a strategy for cybersecurity that was made famous by the famous Lockheed Martin research paper called Intrusion Kill Chain Prevention. And the idea there was instead of just blocking technical things like, you know, malware or viruses or exploit code without any concern about what the adversary was trying to accomplish.
Starting point is 00:17:02 The Lockheed Martin people said, you know, it makes sense that every adversary, regardless of their motivation, they have to kind of go through a sequence of activity, okay? And it's like they have to recon, they have to your network for weaknesses, they find those weaknesses, they build software that takes advantage of those weaknesses, they deliver that to some victim zero, right? And then they do other things to find the stuff they came to destroy or to steal, like lateral movement. And then they infiltrated out through their command and control channel. And that was a revelation back when that came out back in 2010. And then three years later, MITRE decided they were going to build this thing that we've affectionately called the MITRE ATT&CK Framework. I call it a wiki, which they're basically tracking all the tactics, techniques,
Starting point is 00:17:46 and procedures for known adversary campaigns across the kill chain, right? And so I thought this was a brilliant idea, right? Instead of just blocking the latest malware, we're going to actually try to block Wicked Spider, try to prevent Wicked Spider from having a success, right? And so I thought that was an obvious thing to do, but it turns out it's really hard to do well and hard to deploy and pretty expensive. Well, let's talk about that then. I mean, is that the primary set of things
Starting point is 00:18:15 that are keeping it from having wider adoption? Is it one of those easier said than done situations? Yeah, yeah. It makes it sound easier when I say it fast like that. And there's also confusion in the industry too, because the Lockheed Martin paper came out back in 2010. A year after that, the Department of Defense released the Diamond Model, which takes that idea and expands it to intelligence teams about how they can actually track adversaries across the kill chain. And then
Starting point is 00:18:46 two years after that, MITRE came up with their framework. And for the people not paying attention, that looks like three separate models, right? And it turns out that they're not. They all go together, right? You need the Lockheed Martin paper for strategy. You need the Diamond Model from the Department of Defense for how do you run your intel team to do that. And then you need the MITRE ATT&CK framework to collect the actual intelligence, right? So I think that's one of the things. There's confusion in the cybersecurity profession about what all those things mean. In the intervening years, have there been updates or has there been anything to keep this relevant?
Starting point is 00:19:26 Oh, yeah, yeah, yeah. I criticize, but I love the thing, right? The MITRE folks have improved it immensely over the years. They updated about every year and a half or so, but they are completely understaffed. It's a very small intel team. So they don't update it in real time, which I would prefer to have happen, right? And they only cover nation-state activity, which is great. But there's a whole set of cybercrime campaigns out there that I would love to have that kind of intel for.
Starting point is 00:20:05 And so I guess that the bottom line to all this is I would like somebody, some benefactor to come out and say, let's give MITRE a bunch of money so they can get this fully functional, all right, so that everybody can adopt it. So in terms of this week's episode of CSO Perspectives, how are you approaching the topic here? Well, we did is we went out and got one of the original contributors to it, Frank Duff. He is now the chief innovation officer at a company called Tidal. But he was on the ground floor when they started trying to make it work, you know, back in 2013. So we get his perspective about how it all started. And then we talked to Amy Robertson.
Starting point is 00:20:41 She's a chief intelligence engineer at MITRE and kind of the face for, the current face for MITRE ATT&CK. And she gives us the modern view of it. So it's a really interesting conversation with all three of us. You know, looking back through your own career here, I mean, this came out when you were chief security officer at Palo Alto Networks, right? Yes, it was. How did you integrate this into the stuff that you did there? I mean, was it sort of a, was it a light bulb moment for you? Like, aha, here's the thing we've been waiting for, folks? It really was for me. It was a Eureka moment for me, but I have to admit, I struggled commencing the powers that be at Palo Alto Networks to understand what I was
Starting point is 00:21:22 talking about. Underneath me at that job, I ran the public-facing intelligence team called Unit 42. So we changed our whole schema for how do we track bad guys inside the Palo Alto Networks data to track adversaries across the kill chain using the MITRE ATT&CK framework, right? But you've heard me talking about this, Dave. What I really want from vendors, and what I try to convince Palo Alto Networks to do, is I need a dashboard, you know, that says, you know, let's say Wicked Spider, they do 100 things in their attack sequence.
Starting point is 00:21:58 If you see one of those things in your network, yeah, it might be Wicked Spider. But if you see 80 of the 100 in your network, that's Wicked Spider, right? And so, you know, and you better make sure you have all the prevention controls in place, right, to stop that guy from being successful. Yeah. All right. Well, Rick Howard is N2K CyberWire's Chief Security Officer, also our Chief Analyst and the host of CSO Perspectives, which you can find right here on the N2K Cyber Wire network and wherever you get your favorite podcasts.
Starting point is 00:22:30 Rick, thanks so much for joining us. Thank you, sir. Cyber threats are evolving every second. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And finally, CDK Global, a top software provider for car dealerships in North America, reportedly forked out a hefty $25 million ransom in Bitcoin to resolve a massive cyber attack. The attack had disrupted operations at over 15,000 car dealerships across the U.S. Blockchain sleuth ZachXBT revealed that the ransom, amounting to just over 387 Bitcoin, about $25 million, was paid on June 22, 2024, to a blockchain address controlled by
Starting point is 00:24:09 the BlackSuit ransomware gang. CDK didn't handle the transaction directly, but enlisted a specialized firm to deal with the demands. Following the payment, CDK Global's services were swiftly restored. Though the company kept mum about the details, blockchain intelligence platform TRM Labs confirmed the transaction. They noted the funds were later moved to centralized exchanges. Curiously, CDK Global took a week after the payment to restart services, likely to beef up security and patch vulnerabilities. This incident stands as the largest ransomware payment of 2024, topping Change Healthcare's $22 million payout in March.
Starting point is 00:24:56 CDK Global paid the ransom, but it was the blockchain sleuths who stole the show by following the money. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment on Jason and Brian's show every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. We'll see you next time. Please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. We're privileged that N2K Cyber Wire is part of the daily routine of the most influential leaders and operators in the public and private sector,
Starting point is 00:25:57 from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Iben. Our executive editor is Brandon Karp. Simone Pet see you back here tomorrow. Thank you. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in.
Starting point is 00:27:11 With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
