CyberWire Daily - Cyber phases in two hybrid wars. A ransomware gang claims an attack against a major firm. Social engineering implicated in Shadow PC breach. Privateering, coin mining, and other worries.
Episode Date: October 16, 2023

Hacktivism and disinformation in the war between Hamas and Israel. LockBit claims an attack on CDW. Shadow PC's breach. Void Rabisu deploys a lightweight RomCom backdoor against the Brussels conference. Rick Howard describes Radical Asymmetric Distribution. Our guest is Jason Birmingham from Broadridge Financial Solutions with a look at asset management. And coin mining as a potential front for espionage or a staging area for sabotage.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/197

Selected reading.
How hackers piled onto the Israeli-Hamas conflict (POLITICO)
Israel-Gaza War Now Includes Accompanying Cyber Warfare (Channel Futures)
How Cyberattacks Could Affect the Israel-Hamas War (Bank Info Security)
Medical aid for Palestinians website under cyber attack affecting relief efforts (mint)
Rumors of a 'Global Day of Jihad' Have Unleashed a Dangerous Wave of Disinformation (WIRED)
Hamas in rare English 'press conference' as it tries to counter global condemnation (The Telegraph)
In Israel-Hamas conflict, social media become tools of propaganda and disinformation (DFRLab)
A flood of misinformation is shaping how panicked citizens, global public view the war (Washington Post)
How Israel-Hamas War Misinformation Is Spreading Online (TIME)
Misinformation Is Warfare (TIME)
Meta responds to EU misinformation concerns regarding Israel-Hamas conflict (Engadget)
Briefing: Meta Details Efforts to Remove War-Related Disinformation (The Information)
Cloud gaming firm Shadow says hackers stole customers' personal data (TechCrunch)
PC streaming service Shadow discloses security breach (The Verge)
Shadow silent on data breach as hacked data appears genuine (TechCrunch)
530K people's info stolen from cloud PC gaming's Shadow (Register)
CDW investigating ransomware gang claims of data theft (Record)
Lockbit ransomware gang demanded an 80 million ransom to CDW (Security Affairs)
Void Rabisu Targets Female Political Leaders with New Slimmed-Down ROMCOM Variant (Trend Micro)
Women Political Leaders Summit targeted in RomCom malware phishing (BleepingComputer)
Across U.S., Chinese Bitcoin Mines Draw National Security Scrutiny (New York Times)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout.
That's joindeleteme.com/n2k, code n2k.
Hacktivism and disinformation in the war between Hamas and Israel.
LockBit claims an attack on CDW.
Shadow PC's breach.
Void Rabisu deploys a lightweight RomCom backdoor against the Brussels conference.
Rick Howard describes radical asymmetric distribution.
Our guest is Jason Birmingham from Broadridge Financial Solutions with a look at asset management.
And coin mining as a potential front for espionage or a staging area for sabotage.
I'm Dave Bittner with your CyberWire Intel briefing for Monday, October 16th, 2023. We begin with a quick look at the cyber dimensions of the war between Hamas and Israel.
Pro-Hamas hacktivism, mostly at a low grade,
and to a significant extent overstated to the point of fiction,
continues to be the most prominent cyber feature of the war between Hamas and Israel, Politico reports.
Confirmed cyber attacks have, for the most part, been distributed denial of service activity. One organization, Medical Aid for Palestine,
says that its website had been disrupted by unspecified cyber attacks
that have impeded its delivery of humanitarian aid to Gaza.
A great deal of disinformation in the present war
has involved over-promising and under-delivery.
Last Friday, for example, was supposed to have been a day of global protest
in support of Palestinians throughout the Islamic and Arab worlds.
This was quickly glossed as a day of global jihad, which didn't materialize.
There have also been some attempts to walk back Hamas-inspired content
that, on reflection, Hamas thinks might not be polling well.
Things like Hamas fighters holding captured Israeli babies,
Hamas fighters spitting on desecrated civilian corpses,
and civilians being dragged into captivity.
Basim Naim, the Hamas head of international relations,
said in an English-language press conference that Hamas
fighters were under instruction not to target civilians and were keen to avoid doing so.
Other Hamas officials said that their attack, quote, targeted only Israeli military bases and
compounds that were suffocating the people of Gaza for more than 17 years, end quote. And as for the massacre at the Supernova
Music Festival, Hamas officials suggested that their fighters probably mistook the roughly 260
concertgoers they murdered for arresting Israeli soldiers. Where are false or dubious claims
concentrated? The DFR Lab reports that pro-Israeli accounts,
especially in English,
have tended to show a preference for X,
the platform formerly known as Twitter,
despite X's recent difficulties
with its hosting of pro-Hamas posts.
The Hamas-run accounts have gravitated to Telegram.
Much of the amplification of disinformation
is achieved
through the use of accounts that impersonate trusted sources.
Technology services giant CDW is investigating claims of data theft
made by the LockBit ransomware gang, the Record reports.
A CDW spokesperson said the company is addressing an isolated IT security matter associated with data on a few servers dedicated solely to the internal support of Sirius Federal, a small U.S. subsidiary of CDW-G.
CDW added,
We are aware that a third party has made data available on the dark web which it claims to have taken from this environment.
As part of the ongoing investigation,
we are reviewing this data
and will take appropriate action in response,
including directly notifying anyone affected as appropriate.
The LockBit gang said it demanded $80 million
in exchange for not publishing the stolen data,
but was offered only $1.1 million.
Cloud-based gaming company Shadow has confirmed a data breach in which attackers were able to
obtain customers' full names, email addresses, dates of birth, billing addresses, and credit
card expiration dates, TechCrunch reports. Shadow CEO Eric Sèle said in an email,
at the end of September, we were the victim of a social engineering attack targeting one of our
employees. This highly sophisticated attack began on the Discord platform with the downloading of
malware under cover of a game on the Steam platform proposed by an acquaintance of our employee, himself a victim of the same attack.
An individual who has claimed responsibility for the attack is selling the data on an underground
forum alleging that the database contains the information of more than 530,000 Shadow customers.
Trend Micro describes the recent activities of Void Rabisu, which it describes as an intrusion set associated with both financially motivated ransomware attacks and targeted campaigns on Ukraine and countries supporting Ukraine.
In this case, the intrusion was directed against the Women Political Leaders Summit that convened in Brussels between June 7th and 8th of this year. The summit's goal was to
increase the participation of women in politics, and while that may not have been something the
threat actors necessarily approved of, it seems likelier that the conference was simply a target
of opportunity, an occasion to prospect and compromise devices and systems belonging to political leaders.
The ultimate payload Void Rabisu delivered was a new version of the RomCom backdoor that they've dubbed RomCom 4.0, also known as Peapod.
Void Rabisu is an interesting mixed case of an organization that has been financially motivated,
that trades in the criminal-to-criminal market,
but which engages in espionage and, once it's on its target, acts like an advanced persistent
threat. Some of its earlier, more clearly financially motivated actions have been
thought to be associated with a Cuba ransomware affiliate, BleepingComputer notes, but the
activity now seems focused on zero-day exploitation for the
purposes of espionage. There's no attribution of the activity so far, Trend Micro writes.
While we have no evidence that Void Rabisu is nation-state sponsored, it's possible that it
is one of the financially motivated threat actors from the criminal underground that got pulled into
cyber espionage activities
due to the extraordinary geopolitical circumstances caused by the war in Ukraine.
And in general, Void Rabisu has consistently acted against Ukrainian interests.
And finally, coin mining is famously hungry for both electrical power and computational power.
It's now far advanced from the days when it might have been possible for some regular Joe to make some money on their laptop.
Coin mining operations are now effectively large, powerful, single-purpose data centers.
Some of the mines are owned by the Chinese government or Chinese corporations, and the U.S. has begun taking note.
The New York Times reports,
in at least 12 states, including Arkansas, Ohio, Oklahoma, Tennessee, Texas, and Wyoming,
the Times identified Chinese-owned or operated Bitcoin mines that together use as much energy as 1.5 million homes.
At full capacity, the Cheyenne, Wyoming, mine alone
would require enough electricity to power 55,000 houses.
The Wyoming mine is particularly interesting.
It's situated between a big Microsoft data center
that supports the U.S. Department of Defense
and F.E. Warren Air Force Base,
a command center for U.S. intercontinental ballistic
missiles. Now, physical proximity isn't any more closely connected with cyber access than correlation
is with causation, but the coin mine's neighbors are at least suggestive. Microsoft warned the U.S.
Treasury Department's Committee on Foreign Investment in the United States last year
of the threat such installations could pose.
The mines are positioned to be able to collect intelligence on sensitive activity,
and their consumption of electrical power is so high that they can stress the power grid,
or, by cycling that consumption, upset the balance on which a reliable grid depends.
The prospect of destabilizing the grid is probably the more serious of the risks.
Coin mines are largely unregulated, and U.S. agencies are considering the possibility of
prescribing how rapidly they can start and stop their active mining operations.
Coming up after the break,
Rick Howard describes radical asymmetric distribution.
Our guest is Jason Birmingham from Broadridge Financial Solutions with a look at asset management.
Stay with us.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting.
Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
Learn more at blackcloak.io.
Jason Birmingham is Chief Technology Officer at Broadridge Financial Solutions.
I spoke with him about the challenges facing financial institutions,
specifically when it comes to asset management.
Asset management is a hot sector in general. And from a cybersecurity perspective, it's a very, very attractive space if you're looking to cause some mischief. Obviously,
a lot of customer financial data is in play in the asset management space.
The intellectual property that's in some of these
trading strategies and the algorithmic trading increasingly is very attractive to hackers,
both in terms of disrupting the flow of the financial markets, but also looking for ways
to actually fund some other activities going forward. Obviously, I think there's a little
bit of a perception that maybe security isn't as big of a focus in this space as it would be in some of the more, you know, traditional
banking sectors or capital market sectors, where there's, you know, discrete programs that people
are running on cyber as, you know, part of, you know, the bank, for example. So I think people look at the sector as ripe for a potential intrusion. And so I think
if you're an asset manager and you haven't been paying attention to this so far, I think now is
the time to really start paying attention to it. What are your recommendations then in terms of
best practices? The number one path of intrusion still, even today, 10 or 15 years
into discussions about cyber, is still people. Phishing attacks remain at the top of the list
in terms of how intruders and hackers get into firms to begin with. And I think the notion that
firms have to spend a ton of money on having good cyber practice is a bit of a misnomer. Obviously, you need to have good tools around multi-factor, endpoint detection, secure backups. I mean,
there's certainly a technical aspect of all this, but getting the basics right around making sure
you have good employee training programs related to phishing, making sure that your employees know
what to do if they suspect that there might be a breach, having proper, you know, controls and policies and practices and procedures that get drilled regularly, you know, something that doesn't cost anything.
But, you know, oftentimes it's something that will either prevent an issue from happening altogether or certainly will limit the blast radius if something does start to happen. So I think just getting clarity on what you can do from the training and the incident response perspective, that's essentially free.
And I think going from there and just some good foundational technology practices.
As I mentioned, multi-factor, you know, I think having endpoint detection or, you know, moving into the cloud, for example, where you get a lot of these controls somewhat natively from your cloud providers, at least there's a base level of protection versus what you would have if you were still trying to run your own infrastructure on-prem, you know, certainly is a good perspective there. But I think as you get into the discussion further, certainly role-based access and understanding what people can do and decision rights and access rights is very,
very critical. Oftentimes, when we're helping customers talk through some of this stuff,
it's part of what we do. Just understanding who can do what and who has access to what, and even what your inventory of assets is, becomes a series of projects for a lot of firms. And so I think, again,
just the good discipline around having that inventory, knowing who can access things and
change things, very, very important.
With the folks that you all work with there, do you find that as you're engaging, are there common errors that people make when it comes to asset management or common misunderstandings that folks have?
You know, the asset management space, when you look at the firms that make up the space, obviously you have very, very large firms that are very sophisticated.
And with them, I think there's a very strong understanding of the right practices and the right technologies and how you manage cyber appropriately.
But the other end of that spectrum are very small shops, boutique firms that spin up around strategy or smaller shops that are trading or maybe family offices, people that don't have
the resources and the wherewithal to really understand the full breadth of the discussion.
And I think the mistake that gets made is realizing that too late.
If you're in this space, if you have customers' money, you have their data, I think you have to view yourself as a target.
The asset management space is kind of at the junction of a lot of things in financial services. You have retail data and access to the retail markets with
the consumers. You're obviously tapped into the broader financial services ecosystem through
payments and the trading infrastructure that's out there. And so a hacker or somebody looks at you
as kind of an interstate, right? Or at least a junction on how to get into a place,
they can exploit one asset manager.
They then have access potentially to other things.
And so I think understanding that that's how you're viewed
in the land of the bad guys I think is important,
and that's usually where people fall down.
Once people understand the magnitude of that,
I think the best practices and the
playbooks are pretty standard at this point and quite straightforward to understand. But most
people miss the, maybe I'm smaller than most and nobody's paying attention to me. I think in some
ways that makes you a more attractive target. But you don't have to spend a fortune. You don't have
to have a big bank or a big hedge fund sort of budget to be
able to protect yourself, I think is the good news. I think it does take a bit of management
discipline and the ability to really focus the resources you do have, which might be people's
time rather than going out and spending money, focusing people's time and their attention,
and maybe aligning their incentives to getting the
basics right. That's Jason Birmingham, Chief Technology Officer at Broadridge Financial Solutions.
And it is always my pleasure to welcome back to the show Rick Howard.
He is the CyberWire's Chief Security Officer and also our Chief Analyst.
Rick, welcome back.
Hey, Dave.
So, I saw the topic of today's discussion, and I have to say it captivated my imagination. And it is radical asymmetric distribution, which I have to say flows
trippingly off the tongue. Yes, we should be marketeers, I think, because that's going to be great.
How did this come to your attention, Rick, and bring me up to speed? Why are we talking about this today?
Well, a couple of weeks ago, a bunch of us went down to the mWISE conference here
in DC. This is Google/Mandiant's big security conference every year. And we talked to
a bunch of really smart people. But the end conference keynote was done by one of my, I'm a
fan favorite of Malcolm Gladwell, right? And, you know, for those who don't know Gladwell, he wrote a bunch of books
that I love, The Tipping Point, Blink, Outliers, Talking to Strangers, and The Bomber Mafia. And
he has this excellent podcast called Revisionist History that I listen to almost every week. It's
fantastic. So I was going to be there to hear what Malcolm Gladwell was going to say about
cybersecurity because he's not a cyber guy. I just,
you know, just like to point that out. Yeah. So, he comes on stage and he goes, he learned a long
time ago that he should never come into an auditorium full of experts in the field and tell
them how to do their job, right? So, he said that's a bad thing to do. Good life advice there, I think.
Yeah. He said, though, but he was doing some research and he noticed this
pattern of things called radical asymmetric distribution that he thinks might apply to
cybersecurity. And he was looking for feedback on whether or not it was. So let me explain what it
is. Yeah. He used a case study of the COVID infectious rates. You know, back in when we,
when it was, everybody was locking down, we all assumed, meaning all the
scientists in the world, assumed that if Dave was infected and Rick was infected, that we had the
equal chance of distributing that infection to somebody else. You know, it was an equal probability.
Yeah. And a bunch of MIT students were doing a study in the early days of the lockdown. This is
March 2020, and they were tracking
infectious vectors coming into Boston.
And there was 300 people that came into the city in that timeframe that were infected
with COVID.
And what they discovered was all those things died down.
You know, they got sick, but nobody got hurt.
Nobody died.
Nobody went to the hospital out of those 300, except for one.
One guy went to a business meeting,
infected a bunch of people, and killed 300 people because of that infection, right?
Wow.
And the reason was, according to the paper, was that the amount of water molecules coming out of
that guy's breath was exponential compared to what normal people had. Okay. So he was more likely to infect
somebody than anybody else in the world. And this was just a random habit of the way that
this person talked. Yeah. It's just his body makeup. You know, he has the ability to, he's a
super spreader, you know, that's kind of what he is, right? And so Gladwell says that, you know, if you knew that going in, that your strategies for reducing the pandemic, reducing infection rates, might be different if you realized that the distribution scheme of the infection was asymmetric as opposed to evenly distributed.
Right?
So if it's evenly distributed, we're going to do all the things that we did, you know, mask and distancing and vaccines and, you know, shut down schools and blah, blah, blah.
We would do all those things, let's say. But if you knew it was asymmetrically distributed, we would just spend some time trying to find those people and lock those people away.
Right. And not worry about everybody else. Right. So that's a really complex story. Let me tell you a second one. His big pet peeve was,
you know, we all have to go into the mechanics every year and get our catalytic converters
inspected, okay? Everybody does it. We pay 50 bucks a year and we get it checked. And he says, you
know, how many times do the mechanics find something wrong with your catalytic converter?
Never. You know, it never happens, right?
It only happens if your car is old or there's some major mechanical problem, right?
But we assume that the fix is evenly distributed.
That means everybody has to go through this inspection.
When we've had the technology over 20 years that you could have a collector on the side of the street
that would just watch cars go by and they
could identify it pretty quickly that it was, you know, a malfunctioning catalytic converter.
Because we assume the problem was that it was evenly distributed.
Sure.
So, okay.
So, what, and he says, he thinks that maybe cybersecurity is an asymmetrically distributed
problem also.
And it just dawned on me that he might be right,
right? Because I've been saying for, I don't know, a couple of years now, if you just do the stats on
publicly announced breaches, I think the FBI back in 2021, you know, they said that there were 5,000
reported breaches to their agency in that year. All right. So 5,000 reported breaches. Okay. Let's
assume that, I don't know, let's go big. Let's say there was a hundred thousand total because 75,000
said, we're not going to tell anybody. Right. So let's say a hundred thousand. There's like
6 million organizations in the United States. All right. So if you do a hundred thousand divided by
6 million, that's a really small number, really small number, right?
And, but the industry for 30 years have been spending money like the problem was evenly
distributed, meaning that any organization of that 6 million would have the equal chance to get hit
by a bad guy in the cyberspace than any other. When it turns out, that's probably not true. Bad guys
are going to go after financials, going to go after healthcare sectors. They're going to go
after Fortune 500s, right? But all the other companies are, you know, their chances of
getting hit are pretty small, right? And so the strategies that you use to defend yourself when
you realize it's an asymmetrically distributed problem, are completely different
than if it's evenly distributed to everybody. If it's evenly distributed, you're going to buy
intrusion detection, firewalls, you're going to build SOCs, you're going to have 24 by 7 coverage,
because at any moment, this bad thing is going to happen. But if it's asymmetrically distributed,
this is a black swan event. You know, it's likely not going to happen, but if it does, it's catastrophic. So the strategy you might use is something completely different.
It'd be like a resilience strategy. You're going to try to put resources in to survive it and not
worry so much about preventing it. I just thought it was a fantastic idea. That was a long explanation.
Did I put you to sleep when I was doing that? No, no, it's interesting. I mean, a couple of things come to mind. It makes me wonder, you know, to what degree is this kind
of like, you know, your life insurance policy is going to cost a different amount than mine
if your hobby is skydiving. Yeah, that's right. I mean, does it align with that sort of type of
thinking? That's right, because, yeah, I think skydiving is an asymmetric problem.
Not everybody has that, right?
Right.
I shouldn't have to put a lot of money on everybody just because grandma likes to jump out of airplanes when nobody else does, right?
Yeah.
So as you've been thinking about this, I mean, how do you suppose folks can take this notion and apply it to their own strategies?
Well, you know, I've been thinking about, you know, how do you calculate cyber risk for a number of years now?
And I think I finally figured it out, right?
And what has come to my conclusion is that for, you know, really small companies to maybe medium-sized companies, the best strategy for your organization is probably resilience and not prevention in the form of zero trust or intrusion kill chain prevention.
All right. Because like I said, it's likely not to happen, but if you put a small amount
of resources into things like backups and encryption and, you know, just a couple of
little things like that, your chances of survival of a ransomware attack, say next year,
will be, you know, really high compared to the other things you might invest in. So that kind
of aligns directly with what I've been thinking for the last, I don't know, two or three years.
Yeah. All right. Well, interesting stuff for sure. Thanks for sharing it with us.
Rick Howard, thanks for joining us.
Thank you, sir.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing
sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach
can keep your company safe and compliant.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like The Cyber Wire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector,
as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent
intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people.
We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Ervin and senior producer Jennifer Iben.
Our mixer is Trey Hester with original music by Elliot Peltzman.
The show was written by our editorial staff.
Our executive editor is Peter Kilby
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive
alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.