CyberWire Daily - Costa Rica hit with another round of ransomware. Cyber phases of Russia’s hybrid war against Ukraine. CISOs and 3rd-party risk. Elasticsearch databases as extortion targets. And Razzlekhan!
Episode Date: June 1, 2022
Costa Rica's healthcare system comes under renewed ransomware attack. Cyber phases of the hybrid war. Charity fraud exploits sympathy for Ukraine. US FBI attributes last year's attack on Boston Children's Hospital to Iran. CISOs surveyed on their challenges (and they're particularly worried about exposure to 3rd-party risk). Robert M. Lee joins us for the launch of the new Control Loop podcast. Josh Ray from Accenture looks at ransomware trends. Razzlekhan and Dutch: a cryptocurrency love song.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/105
Selected reading.
Latest cyberattack in Costa Rica targets hospital system (Reuters)
Costa Rica's public health agency hit by Hive ransomware (BleepingComputer)
Costa Rican Social Security Fund hit with ransomware attack (The Record by Recorded Future)
Costa Rica May Be Pawn in Conti Ransomware Group's Bid to Rebrand, Evade Sanctions (KrebsOnSecurity)
Ukraine joins its first NATO cyber defense center meeting (TheHill)
US military hackers conducting offensive operations in support of Ukraine, says head of Cyber Command (Sky News)
The FBI Warns of Scammers Soliciting Donations Related to the Crisis in Ukraine (Internet Crime Complaint Center (IC3))
FBI director blames Iran for 'despicable' attempted cyberattack on Boston Children's Hospital (CNN)
Hackers ransom 1,200 exposed Elasticsearch databases (TechTarget)
The CISOs Report (Security Current)
New York couple accused of laundering $4.5 bln in crypto still in plea talks (Reuters)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Costa Rica's healthcare system comes under renewed ransomware attack,
cyber phases of the hybrid war,
charity fraud exploits sympathy for Ukraine,
the US FBI attributes last year's attack on Boston Children's Hospital to Iran,
CISOs are surveyed on their challenges,
Robert M. Lee joins us for the launch of the new Control Loop podcast,
Josh Ray from Accenture looks at ransomware trends
and Razzlekhan and Dutch, a cryptocurrency love song.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary
for Wednesday, June 1st, 2022.
Costa Rica continues to struggle with its recovery from a ransomware attack by Conti
and has now seen its healthcare
system subjected to cyber attack. Reuters reports that the Costa Rican Social Security Fund,
the country's public health agency, has been forced to shut down its digital record-keeping
system. This has affected about 1,200 hospitals and clinics, with possible consequences for
thousands of patients. At the time Reuters filed, no group had claimed responsibility for the incident, but since
then, Bleeping Computer has reported that the Hive ransomware operators were behind
the attack.
It has generally been thought that Conti's earlier attacks against Costa Rican targets
represented a kind of misdirection, intended to cover the group's reorganization
and rebranding and to afford it an opportunity, Krebs on Security noted, to figure out how
better to evade the sanctions that were interfering with its receipts.
And indeed, the gang's calls for insurrection were unusual.
Conti does seem to be connected with Hive and with a range of other groups as well.
In Bleeping Computer's account, while Conti is now slowly shutting down operations,
it has partnered with numerous well-known ransomware operations,
including Hive and Hello Kitty, Avos Locker, Black Cat, Black Byte, and others.
Its members have now splintered into smaller semi-autonomous and autonomous groups
that have infiltrated the other ransomware-as-a-service groups.
They've also created independent groups focused on data exfiltration and not data encryption.
Ukraine, not a NATO member, of course,
has nonetheless joined the Atlantic Alliance's NATO Cooperative Cyber Defense Center of Excellence and is formalizing its membership to the group during meetings in Tallinn, Estonia.
The Hill quotes Ukraine's National Security Agency on what Kiev hopes to gain from the cooperation.
The COE is a significant achievement for our country in terms of strengthening international cooperation in the field of cybersecurity and cyber defense, as well as an important step toward Ukraine's NATO membership.
and while there told Sky News that, quote, we've conducted a series of operations across the full spectrum,
offensive, defensive, and information operations in support of Ukraine.
He understandably declined to say what those measures were,
but stressed that they were all properly authorized, legal,
and conducted with appropriate civilian oversight.
He said, my job is to provide a series of options to the Secretary of Defense and the President,
and so that's what I do.
German authorities have issued a fresh warning of the likelihood of Russian cyberattacks
against infrastructure.
Reuters reports that Berlin sees the financial sector as being particularly at risk.
The U.S. FBI warns that scammers are trading on widespread sympathy for
Ukraine as they frame their come-ons to prospective victims. The FBI says criminal actors are taking
advantage of the crisis in Ukraine by posing as Ukrainian entities needing humanitarian aid or
developing fundraising efforts, including monetary and cryptocurrency donations.
Unfortunately, this isn't new, as the Bureau points out.
They say scammers similarly have used past crises as opportunities to target members of the public with fraudulent donation schemes.
The Bureau would like anyone who's encountered one of these scams to let them know by filing
a report with the FBI's Internet Crime
Complaint Center at ic3.gov. CNN reports that FBI Director Wray has publicly attributed a cyber
attack on Boston Children's Hospital to a threat actor run by the Iranian government. It was,
he said, one of the most despicable cyber attacks I've ever seen.
And he used the occasion to point out that the attack, which was for the most part unsuccessful,
should serve as a reminder that the Russian government isn't the only bad actor in cyberspace.
Moscow, Tehran, Beijing, and Pyongyang are the familiar four regimes given to hostile action in cyberspace.
That said, Director Wray emphasized that the FBI is currently most concerned about Russia.
Since the Russian invasion of Ukraine, the bureau has operated at combat tempo, he said.
When it comes to Russia today, we're focused on acting as early,
as far left of boom as they say, as we can.
We're watching for their cyber activities to become more destructive as the war keeps going poorly for them.
SecureWorks' counter-threat unit reported today
that they've found that a threat actor has replaced data in 1,200 Elasticsearch databases
with a ransom note and a contact email address. 450 individual ransom requests were found by researchers, and despite the wide
span of this campaign, the ransom requests have been pretty low, averaging around $620.
The money is payable to one of two Bitcoin wallets, but as of the publication of the report,
there are no transactions. Researchers say that while this campaign may be considered unsuccessful due to a
lack of payments, this shows that the risk to companies and individuals with unsecured infrastructure
is high. Aimpoint Group, CISOs Connect, and W2 Communications have released a report detailing
the vulnerabilities that CISOs face. Researchers found that CISOs view today's threat landscape as worse than
a year ago and report that they find third parties, such as suppliers and partners, to be their biggest
security threat. The report shows that many CISOs are prioritizing both the implementation of zero
trust models within the next year, as well as ease of use and simplicity in their security solutions.
And finally, hey everybody, remember Razzlekhan, the crocodile of Wall Street, and her husband Dutch?
Or as they're more formally known in court documents, Ms. Heather Morgan, age 32, and
Mr. Ilya Lichtenstein, age 34.
They're accused in connection with the laundering of a cool $4.5 billion cyber criminals
ripped off from altcoin exchange Bitfinex back in 2016. The two were to have appeared in U.S.
federal court on Friday, but prosecutors have asked that their hearing be postponed until August 2nd
so they have a chance to review the evidence the feds have assembled in their case
and therefore make an informed decision about what they'll plead. There's lots of evidence.
The prosecutors who worked on this over the Memorial Day weekend mentioned voluminous
financial records, and Reuters says there are some 1.1 gigabytes of data to consider.
Dutch is being held without bond. Razzlekhan is presently under house arrest.
This seems unfair, in a way.
Ms. Razzlekhan is also a rap artist, bringing her stylings to the New York Financial District,
and the prospect of her posting more performances seems more worrisome than simply being a flight
risk.
Trust us, we've heard a rap.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI. Now that's a new way
to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash
cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
And it is my pleasure to welcome to the show Robert M. Lee.
He is the CEO at Dragos.
Rob, I am excited to say that we are heading off on a collaborative project here, the Control Loop podcast, sponsored by Dragos.
And you all are, of course, heading up large parts of this effort.
Let's start with some basics here. Why this? Why now?
Yeah. So good to collaborate with you. I feel like we've been in orbit with each other for a while,
so it's good to put a ring on it, as Beyonce would say. When I look at why now, the reality is OT security has become such a main topic now.
It is truly a global, up from executives on down to practitioners discussion.
It's not just this little community that we've been...
A decade ago, we could all sit around the fire,
literally at a conference and know everybody around us.
Now it's much bigger, which is awesome.
But with that comes a lot of information overload.
And there is a lot of good guidance getting out there
and there's a lot of bad guidance.
And there's also just too much information sometimes
for anybody to reasonably consume when you're busy day to day.
So why now?
Because there's that plethora of information we can synthesize down.
Here are the things that you need to be aware of.
What we're hoping to accomplish with it
is exactly that.
I'd like to make the podcast kind of two things,
and that's what you and I have talked about for a while.
The first thing is kind of the news capturing
of all the different stuff out there,
of all the new papers, of all the new research,
of all the new news bites.
What's your 15-minute or so digest of this and just make this
accessible to people? I mean, again, we're all overly busy. Just to be able to have audio for
a commute or even just preparing around the house for the morning, to be able to synthesize all the
information, that's a good service to provide to people. So that's part of it. The second part is we are welcoming in a significant increase
of percentage of professionals into the OT community versus what's there today.
In other words, you onboard 500 new people into InfoSec,
doesn't put a dent in the size of InfoSec. You onboard 500 new people into OT
security, that's a significant contribution to the percentage of the current state
of the community.
And so we need to have a forum of sorts to kind of like onboard
them and make sure that they are getting
some basic concepts and understanding.
So the second half of the
Control Loop podcast, if you will,
is meant to just be a very educational,
hey, here's how a Control Loop works.
Hey, here's what a gas turbine is
and where you might find them and what they do.
Hey, here's why OT is different than IT.
So just have these educational things.
And I think as we've talked,
the idea is to launch each episode and it's full,
but to take that second half of the episode
and create a library of content for people
that can come back and just up-level
their knowledge of ICS security.
Who's the target audience here?
I mean, obviously, we want folks within OT security to listen,
but it strikes me like there's a lot here for folks
who are outside of that specific community as well.
Yeah, I think the first half will be kind of an everybody thing.
And I hate to say it that way, but it really is.
There's nobody out there that's not interested
in what's happening in our infrastructure security
and kind of being up to date with the news.
And if you're trying to keep up to date with everything,
you can't, but a 15 to 30 minute digest
of here's the stuff you need to know,
literally you'll have not only CSOs and executives
and practitioners and all that,
but you're going to have bankers and financial analysts
and market analysts and everybody else
trying to keep up to date.
So I think it's going to be a lot wider
than people realize in that first part.
That second part will be more practitioner-focused.
That will be where you've got maybe the CSO
who's trying to get more familiar
with what programs are about to roll out,
but definitely IT security professionals
trying to onboard into operations.
I think that'll be the core segment,
our core audience for that portion of the show.
All right, well, excited to launch the new show.
It's called Control Loop.
Robert M. Lee from Dragos, thanks for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
And I'm pleased to be joined once again by Josh Ray.
He is Managing Director and Global Cyber Defense Lead at Accenture Security.
Josh, it is always great to welcome you back to the show.
I want to touch base with you on some of the trends that you and your colleagues are tracking there at Accenture when it comes to ransomware.
Thanks, Dave. I appreciate you having me back.
The team has done some continued research on this,
dating back to 2021 to really the beginning of 2022. Yeah, and I think we've got some pretty interesting things to share with the listenership, especially things that have taken place in the
previous months. One of the things that I think is heightened and a trend that I want to kind of foot stomp is that threat actors are moving quickly to kind of extortion.
And then sometimes they're just not even encrypting a lot of the data.
We've seen, even through a general lack of transparency from some companies,
about 48 large companies that we were able to
kind of pick up in open source have been affected. And these are companies roughly around over $1
billion in value. These companies, about 11 have reported that they've been actually paid
the ransom. And this notion of paying the ransoms, I think, is kind of a key trend as well.
So companies are actually paying ransoms less than they have in previous years. And we think
this is due in part to the visibility of some of these particular threats, but also that some of
these security mitigations that people are putting in place actually seem to be working.
Additionally, I think the threat actors are becoming much more astute with regards to
the actual amount of the ransomware demanded based on the target's value and the ability
for them to pay.
And as I said before, this notion of kind of skipping the stolen data encryption step
and going straight to extortion seems very much like an important
trend.
And I think, lastly, speaking more broadly, the threat is demonstrating a significant
amount of business acumen by reinvesting a lot of the funds from the folks that are paying
these ransoms into enhancing their own operations and capabilities. So
threat actors are actively integrating new data exfiltration capabilities,
encryption features into their malware, and creating high-end exploit development and
social engineering service offerings. You know, we're seeing a lot of volatility in the
cryptocurrency world. Is that having any effect on ransomware operators?
Do we expect that it could in either way? Yeah. So what we've seen is approximately
one fourth to a third of victims that pay the ransom actually face much higher hidden costs.
In some cases, that ranges from $50 to $100 million.
And after the initial attack, they're still subject to follow-on targeting. For example,
many victims who pay a ransom often retrieve corrupted data or incomplete data and still
remain vulnerable to these attacks. And this repeat targeting is something that we're seeing typically about a couple of weeks after the initial payment. So companies pay the ransom,
and then they're often extorted for more money not to leak the data.
So who do you see being targeted here? Are there any particular
verticals that they seem to have in the crosshairs?
Yeah, I think the top three really are manufacturing, public sector, and professional services, I think are probably among the hardest
hit sectors. Manufacturing is high on the list because downtime for this particular sector is
just not an option, right? They can't afford not to be in business.
And there are usually some smaller companies
with small budgets for cybersecurity,
and they're not necessarily as highly regulated
as some of the other industries like financial services.
Professional services is also top target
because, as we spoke of before,
it's the ecosystem that they serve.
It enables a lot of these supply chain types of attacks on clients of the professional services company.
And they, of course, have some very, you know, intimate information that can be used for follow-on social engineering purposes as well.
All right. Well, Josh Ray, thanks for joining us.
And that's The Cyber Wire. For links to all of today's stories, check out our daily
briefing at thecyberwire.com. The Cyber Wire podcast is proudly produced in Maryland out of
the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Rachel Gelfman, Liz Ervin, Elliot Peltzman, Trey Hester,
Brandon Karp, Eliana White, Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan,
Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben,
Rick Howard, Peter Kilby, and I'm Dave Bittner. Thanks for listening. We'll see you back here
tomorrow.
Thank you. Domo's AI and data products platform comes in. With Domo, you can channel AI and data into
innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate
your data workflows, helping you gain insights, receive alerts, and act with ease through guided
apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.