CyberWire Daily - Cyberattack calls for an early dismissal.
Episode Date: August 6, 2024

Thousands of education sector devices have been maliciously wiped after an attack on a UK MDM firm. A perceived design flaw in Microsoft Authenticator leaves users locked out of accounts. SharpRhino charges ahead to deploy ransomware. North Korea's Stressed Pungsan provides initial access points for malware distribution. Magniber ransomware targets home users and SMBs. Google patches an Android zero-day. A new Senate bill aims to treat ransomware as terrorism. Microsoft ties security to employee compensation. Guest Kim Kischel, Director of Cybersecurity Product Marketing at Microsoft, discusses how AI is impacting the unified security operations center. A victim of business email compromise gets some good news.

CyberWire Guest
Guest Kim Kischel, Director of Cybersecurity Product Marketing at Microsoft, discusses how AI is impacting the unified security operations center and how it's changing the way defenders defend.

Selected Reading
Over 13,000 phones wiped clean as cyberattack cripples Mobile Guardian (CSO Online)
Design Flaw Has Microsoft Authenticator Overwriting MFA Accounts, Locking Users Out (Slashdot)
Network Admins Beware! SharpRhino Ransomware Attacking Mimic as Angry IP Scanner (Cyber Security News)
North Korean Hackers Attacking Windows Users With Weaponized npm Files (Cyber Security News)
Surge in Magniber ransomware attacks impact home users worldwide (Bleeping Computer)
Google Patches Android Zero-Day Exploited in Targeted Attacks (SecurityWeek)
Intelligence bill would elevate ransomware to a terrorist threat (CyberScoop)
Microsoft is binding employee bonuses and promotions to security performance (TechSpot)
Police Recover Over $40m Headed to BEC Scammers (Infosecurity Magazine)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Thousands of education sector devices have been maliciously wiped after an attack on a UK MDM firm. A perceived design flaw in Microsoft Authenticator leaves users locked out of accounts. SharpRhino charges ahead to deploy ransomware. North Korea's Stressed Pungsan provides initial access points for malware distribution. Magniber ransomware targets home users and SMBs. Google patches an Android zero-day. A new Senate bill aims to treat ransomware as terrorism. Microsoft ties security to employee compensation. Our guest is Kim Kischel, Director of Cybersecurity Product Marketing at Microsoft, discussing how AI is impacting the unified security operations center, and a victim of business email compromise gets some good news.

It's Tuesday, August 6th, 2024. I'm Dave Bittner, and this is your CyberWire Intel briefing.
Thank you for once again joining us here today.
It is great to have you with us.
A massive cyber attack on Mobile Guardian, a UK-based mobile device management firm, has disrupted schools and businesses globally, affecting North America, Europe, and Singapore. Thousands of iOS and Chrome OS devices were remotely wiped, causing data loss. The company is investigating and has temporarily halted services. The attack severely impacted Singapore's education sector, with about 13,000 students from 26 secondary schools unable to access applications on their iPads and Chromebooks. Singapore's Ministry of Education removed the Mobile Guardian app as a precaution and is working to restore device functionality. The attack underscores vulnerabilities in educational systems and the need for stronger cybersecurity measures, including multi-factor authentication and regular security audits, to protect critical infrastructure from sophisticated cyber threats.
As multi-factor authentication becomes more prevalent, users increasingly rely on apps like Microsoft Authenticator to secure their accounts. CSO Online highlights what they describe as a significant design flaw that causes users to be locked out of their accounts. The problem arises when users add a new account via QR code scan, a common setup method, leading to Microsoft Authenticator overwriting accounts that share the same username. This occurs because the app fails to append the issuer's name to the username, unlike other authenticator apps such as Google Authenticator. This oversight means that users frequently encounter issues when accessing their accounts, often blaming the company issuing the authentication rather than recognizing the flaw within Microsoft Authenticator. This misunderstanding results in wasted help desk resources as companies attempt to resolve an issue beyond their control. Experts have noted that this issue has persisted since the app's release in 2016. Despite the availability of workarounds, such as using alternative authentication apps or manually entering codes, the problem highlights a significant gap in Microsoft's design approach. Critics argue that Microsoft's decision not to align with industry standards, which would prevent such overwriting issues, reflects a lack of consideration for user experience. The situation highlights the importance of designing software with both security and usability in mind.
Ransomware-as-a-service group Hunters International has developed SharpRhino, a new C# malware used as an initial infection vector and persistent remote access trojan. Delivered via a typosquatting domain mimicking Angry IP Scanner, SharpRhino increases privileges and moves laterally to deploy ransomware. Hunters International emerged in October 2023 and ranks among the top 10 ransomware actors. Strongly linked to the defunct Hive group, it uses a Rust-based encryptor to lock files with the .locked extension after exfiltration. SharpRhino disguises itself as a legitimate network tool using a valid code certificate. It communicates with a Cloudflare serverless architecture endpoint, the command and control infrastructure, using obfuscated C# code and fileless malware tactics.
GuardDog Software identified two malicious packages in PyPI and npm linked to a North Korean-aligned threat actor cluster known as Stressed Pungsan, aligning with Microsoft's Moonstone Sleet. These packages serve as initial access points for malware distribution, facilitating data exfiltration, credential theft, and lateral movement within targeted environments. On July 7th of this year, an npm user named Nagasiren978 uploaded files which downloaded malware from a North Korean command and control server, using malicious batch scripts and DLLs to target Windows systems. These packages employed a pre-install script to download and execute a DLL using the rundll32 utility and then self-destruct to avoid detection. Analysis revealed these packages impersonated legitimate ones by mimicking their names. The downloaded DLL appeared benign, suggesting it might be an incomplete version or part of testing, indicating possible experimentation by the threat actors.
The Magniber ransomware campaign is aggressively targeting home users worldwide, encrypting devices and demanding ransoms starting at $1,000. Magniber, which began in 2017 as a successor to the Cerber ransomware, has used various methods over the years, including exploiting Windows zero-days, fake updates, and trojanized software cracks. This ransomware mainly targets individual users and small businesses who unwittingly download and execute malicious software. Recent spikes in Magniber activity have been noted since July 30th, with victims reporting infections after using software cracks or key generators. Once activated, Magniber encrypts files and leaves a ransom note with a URL to a Tor site for payment. Currently, there's no free decryptor for Magniber's latest versions. Users are advised against using illegal software cracks as they pose significant security risks. But you already knew that.

Google announced its August 2024 security patches for Android, addressing over 40 vulnerabilities, including a zero-day flaw. This high-severity kernel vulnerability, potentially exploited in targeted attacks, can lead to remote code execution with system privileges. Discovered by Google's Clément Lecigne, it involves a use-after-free condition. Other patched vulnerabilities affect the framework, system, Arm, Imagination Technologies, MediaTek, and Qualcomm components, including one critical Qualcomm flaw allowing a permanent denial-of-service condition. These updates aim to enhance Android security against privilege escalation, information disclosure, and denial of service attacks.

A new proposal from the Senate Intelligence Committee aims to combat ransomware by treating it like terrorism. Sponsored by Mark Warner, a Democrat from Virginia, the bill seeks to name and shame ransomware gangs as hostile foreign cyber actors and designate countries that harbor them as state sponsors of ransomware, allowing sanctions similar to those for terrorism. This would be the first U.S. law directly linking ransomware to terrorism. The bill is intended to elevate ransomware to a national intelligence priority, empowering U.S. agencies to act more aggressively against threats. However, experts question its effectiveness, noting that ransomware groups and their state sponsors are often already under sanctions and questioning if new ones would have any real impact. Critics argue the bill might be more symbolic than practical, signaling Washington's commitment to addressing ransomware attacks.

To address recent criticism for security issues in its products, Microsoft is now linking security performance to employee reviews and compensation. An internal memo from Microsoft's chief people officer, Kathleen Hogan, outlines a new security core priority policy, emphasizing security over other considerations. Lack of focus on security may impact promotions, salary increases, and bonuses. Employees are expected to integrate security into their work and demonstrate improvement in performance reviews, tracked through the company's Connect tool. This initiative extends to all roles, with executives having security deliverables tied to their reviews. The policy aims to solidify Microsoft's security-first mindset across its workforce, crucial for maintaining trust in its software and services around the world.
Coming up after the break, my conversation with Kim Kischel, Director of Cybersecurity Product Marketing at Microsoft. We're discussing how AI is impacting the unified security operations center.
Stay with us.
Kim Kischel is Director of Cybersecurity Product Marketing at Microsoft. I recently caught up with her to discuss how AI is impacting the unified security operations center.

I think AI, to start us off, is fundamentally changing the game for security as an industry. And I think that goes on both sides, the adversaries as well as the defenders on the other side. And with that comes a tremendous amount of opportunity. And the way I like to talk about it from the defender side is AI is really, we're at the early stages, but it's really exciting what we're already starting to see because it's really changing security on two fronts. It's one, how are we building AI into the solutions to drive effectiveness, to have this inherent better protection for security teams? And then secondly, how are we giving generative AI to security operations teams to, you know, up-level their own skillset effectively?
Can you give us some specific examples of where you think AI is best suited to kind of amplify the capabilities of a security operations team?
Yeah, absolutely. We've been for years talking about the security skills gap, right? That is only one example. I think the latest number is somewhere around 3.5 million unfilled jobs. But also most organizations will tell you that they, you know, the security team, security operations team can never be big enough. That's really where Gen AI can come in and really help. And a couple of examples, information is critical to responding to attacks effectively, to understand really the end-to-end impact of an attack. And often that means really hunting into the details of the signal and writing complex scripts to sometimes understand that data. And that's one great example where Gen AI can come in and you can, you know, use natural language to say, this is what I'm trying to do and have Gen AI ultimately generate those scripts for you. And just turn them around in seconds where, you know, where that can take hours sometimes for even more seasoned security operations teams to write them.
Do you understand a little bit of the hesitancy that some folks have here? I mean, there's certainly no shortage of hype when it comes to AI. And I imagine a lot of folks are careful about separating that hype from the reality.
Absolutely. Gen AI or AI in general is a technology that we're going to have to prove out and actually showcase that it works. And one other example of, you know, we just talked about, hey, what are the tools that we're helping upskill AI? But the other side that I mentioned earlier is really, well, how are we using AI to build better tools and to build better protection? And I think that's where we're really heading into the direction of what I would refer to as better autonomous protection. So ultimately, how can we use AI to respond more effectively to the sophistication of attacks that we're seeing? And that's really where a unified approach is so important. One, really unifying all of the security tools. And our research shows that organizations have somewhat close to 80 tools still that operate in silos. And unification is going to be key for AI to really work effectively. And one example that I love to give here is, I talked about autonomous protection for a second, is in a unified approach, signals are correlated and shared by design, which is really, you know, that fundamental shift in communication of the tools between themselves, if you will. And where autonomous protection comes in is recognizing active attack patterns that aren't just specific to one asset type, right? Attackers don't think in silos. They don't just look at your endpoints. They try to move across the various asset types. And one great example here that we have from a recent customer that we saw is where the attacker had access to domain admin accounts. It was an attack that lasted over several waves for about three and a half hours with a goal of ransoming, ultimately, right? Encrypting the device, but it started from the identity. And here is where AI came in: it recognized the patterns of the attack, and we were looking at an estate of about 4,000 devices all up, and what happened was that the unified approach to security here with this autonomous protection was able to save 99.6% of all devices. So it's a great example for how AI can be the difference between something that's maybe a little bit annoying, right? You got 0.4% of devices that you had to bring back into a healthy state and bring them back online versus the entire company losing productivity and being encrypted.

What are your recommendations for best practices for folks to get started with this? Are there particular places or strategies that are best to start that integration process?
Yeah, of course. So I think the first key to this is really look for that unified approach of your security solutions estate, which vendors ultimately can offer one broad native breadth when it comes to extended detection and response, or XDR for short. But then within the same tool set, complement that with a SIEM solution that ultimately allows you to bring in any kind of security-relevant data from within your network. And breaking down those silos of how the tools work together is going to be the first fundamental step. And then secondly, it's really about how do you improve the communication between the various teams that you need to make security work in your organization. Here, one of my favorite examples is when you think about identity, the security operations team, they're going to be at the front line of detecting threats and detecting identity attacks, which are so prevalent today. But then that information needs to seamlessly flow to the identity admin team so they can really adjust the controls that define how does access work in my organization. And in many companies, we still see that as a starting point. A, unify your tool set, and B, create more seamless communication flows between the teams that you need to up-level your defenses.
You mentioned that we're still kind of in early days with this sort of thing. Do you have any sense for where this might be headed, what the future might look like for these sorts of tools?
I mean, I can only speculate, of course, and speak a little bit to what I know that Microsoft is doing on that front. But I think, like I said, we're at the beginning of AI, but we're already seeing the significant impact that it's having. For Gen AI, it's really all about, to me, how do we reduce the mean time to respond, right, for security teams themselves? How do we enable them with AI-powered capabilities to ultimately understand attacks faster and respond more effectively? And I think at the end of the day, that's what security operations teams care about. It's really bringing down that mean time to respond. And then secondly, I think unification is going to be the number one key for AI to get more and more effective and really drive towards that more autonomous protection, which is in no way to say we're going to be able to work with super skilled security operations teams, but it's just how do we help them? How do we help defenders with built-in capabilities that are smart enough to respond to some of the most sophisticated attacks?
That's Kim Kischel, Director of Cybersecurity Product Marketing at Microsoft.
And finally, it's nice to be able to share good news from time to time.
A Singaporean commodity firm narrowly escaped a significant loss when police intervened to recover nearly all of the $42.3 million taken in a business email compromise scam. Interpol reported that the firm mistakenly transferred the funds to a bank account on July 15 after receiving a fraudulent email that appeared to be from a legitimate supplier. The scam was discovered four days later when the actual supplier reported non-payment. The Singapore Police Force utilized Interpol's Global Rapid Intervention of Payments to track and withhold $39 million from the scammers' account. Authorities arrested seven individuals and recovered an additional $2 million. Interpol praised the swift cooperation between local law enforcement agencies in recovering the funds and identifying the perpetrators. BEC scams netted over $2.9 billion in 2023, underscoring the importance of such international collaboration.
And that's the CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.