CyberWire Daily - Cybercriminals at the service of the state, and an array of new underworld tools.
Episode Date: November 7, 2023
Data brokers offer information on active US military personnel. Current BlueNoroff activity. A new Gootloader variant is active in the wild. Atlassian vulnerabilities actively exploited. The prevalence of breaches. Update on a Barracuda vulnerability. Hacktivism and the cyber course of the Hamas-Israel war. Bot-hunting in Ukraine. Microsoft's Ann Johnson from Afternoon Cyber Tea speaks with Sharon Barber, Chief Information Officer at Lloyds Banking Group, about cyber trends in financial services. Ben Yelin looks at the ease of purchasing US military personnel data from data brokers. And election security is in the news: an off-year election is an election nonetheless.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/213
Selected reading.
Researchers find sensitive personal data of US military personnel is for sale online (CNN)
How foreigners can buy data on US military members, for the right price (POLITICO)
GootBot - Gootloader's new approach to post-exploitation (Security Intelligence)
BlueNoroff strikes again with new macOS malware (Jamf)
Rapid7-Observed Exploitation of Atlassian Confluence CVE-2023-22518 (Rapid7)
Armis Research Finds One-Third of Global Organizations Experienced Multiple Security Breaches in Last 12 Months (Armis)
Technical analysis: Barracuda Email Security Gateway by Quentin Olagne (Vectra)
Maccabi Tel Aviv basketball team website comes under cyber attack (The Jerusalem Post)
The Digital Frontline of the Israel-Hamas Conflict Could Extend Long After the War (Inkstick)
Five attack vectors that businesses should focus on in the wake of the Israel-Hamas war (SC Media)
Israel's cyber defense chief tells CNN he is concerned Iran could increase severity of its cyberattacks (CNN)
SBU blocks 76 bot farms with 3 mln fake accounts since start of full-scale war (Interfax-Ukraine)
On Election Day, CISA and Partners Coordinate on Security Operations (Cybersecurity and Infrastructure Security Agency)
Cerby Releases "Threat Briefing: Social Media Security and Elections Volume II," Providing a Detailed Analysis of Security Gaps in Social Media Platforms (Cerby)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Data brokers offer information on active U.S. military personnel.
Current BlueNoroff activity.
A new Gootloader variant is active in the wild.
Atlassian vulnerabilities are actively exploited.
The prevalence of breaches.
An update on a Barracuda vulnerability.
Hacktivism and the cyber course of the Hamas-Israel war.
Bot hunting in Ukraine.
Microsoft's Ann Johnson from Afternoon Cyber Tea speaks with Sharon Barber, Chief Information Officer at Lloyds Banking Group, about cyber trends in financial services.
Ben Yelin looks at data brokers offering information on active U.S. military personnel.
And election security is in the news. An off-year election is an election nonetheless.
I'm Dave Bittner with your CyberWire Intel briefing for Tuesday, November 7th, 2023. Sensitive personal information belonging to thousands of active-duty U.S. military personnel can be purchased for as little as 12 cents per record from online data brokers,
researchers at Duke University have found.
The information includes health data, financial data, location data,
information about religious practices, and more.
And yes, religious practices are indeed the sort of data that is recorded.
Your religious affiliation, if any, is right there on your dog tags if you're in a U.S. service.
The researchers note that the availability of such data poses national security risks,
even though the data brokerage industry remains largely unregulated in the U.S.
Information about service members can be useful to hostile intelligence services interested in
building dossiers on potential targets for
compromise, recruitment, or harassment. The researchers said, in short, an industry that
builds and sells detailed profiles on Americans could be exploited by hostile actors to target
military service members and veterans as a subset of the U.S. population. Many veterans often still
know currently classified information, even if they are no longer active-duty members of the military.
Justin Sherman, a senior fellow at Duke's Sanford School of Public Policy,
told CNN,
It was way too easy to obtain this data.
A simple domain, 12 cents a service member, and no background checks on our purchases.
If our research team, subject to university research ethics and privacy processes,
could do this in an academic study, a foreign adversary could get data in a heartbeat to
profile, blackmail, or target military personnel. So, if they could get it from Duke, it's a lead-pipe
cinch the girls and boys over in the Moscow Aquarium could do the same. We'll have comments from
my Caveat co-host Ben Yelin on this story later in the show.
Jamf has published a report on a new macOS malware strain attributed to North Korea's
BlueNoroff threat actor. BlueNoroff is a suspected state-sponsored actor
that focuses on cryptocurrency theft.
Jamf says,
The activity seen here greatly aligns with the activity we've seen from BlueNoroff
in what Jamf Threat Labs tracks as the RustBucket campaign,
where the actor reaches out to a target claiming to be interested in partnering with or
offering them something beneficial under the disguise of an investor or headhunter.
BlueNoroff often creates a domain that looks like it belongs to a legitimate crypto company
in order to blend in with network activity. North Korea has long used cybercrime as a means
of redressing economic shortfalls caused by international
sanctions and the pariah state's own failed policies. If commerce isn't working for you,
try theft. SEO poisoning is when a victim's search histories are used against them,
and that seems to be the initial point of entry for a new Gootloader variant IBM's X-Force has discovered.
The researchers call the malicious implant GootBot and say it facilitates stealthy lateral movement
and makes detection and blocking of Gootloader campaigns more difficult within enterprise environments.
They describe GootBot as a lightweight obfuscated PS script containing only a single C2 server.
It's an alternative to other, more familiar post-exploitation tools like Cobalt Strike. Once installed, GootBot implants spread
across an infected enterprise domain looking for domain controllers. X-Force says, at the time of
writing, GootBot implants maintain zero AV detections on VirusTotal, enabling the malware to spread stealthily.
Rapid7 is tracking ongoing exploitation of a recently disclosed improper authorization vulnerability affecting Confluence Data Center and Confluence Server.
The security firm says the vulnerability has been exploited in multiple customer environments,
including for ransomware deployment. Rapid7 says the process execution chain, for the most part,
is consistent across multiple environments, indicating possible mass exploitation of
vulnerable internet-facing Atlassian Confluence servers. Atlassian issued patches for the flaws last week,
urging customers to apply the fixes immediately.
Armis has published a survey conducted by Vanson Bourne looking at cyber trends over the past year,
finding that 61% of global organizations confirmed they had been breached at least
once over the past 12 months, with 31% experiencing
multiple breaches during the same period. The top countries with organizations most likely to report
breaches were the United States, Singapore, Australia, and New Zealand. The researchers note,
on an average business day, 55,686 physical and virtual assets are connected to organizational networks.
Global respondents shared that only 60% of these assets are monitored, leaving 40% unmonitored.
Researchers at Vectra AI have found a way to bypass a rule designed to detect exploitation of a vulnerability that affects Barracuda's email security gateways.
The rule, which was developed by Proofpoint's Emerging Threats team, failed to alert on a
specific proof-of-concept exploit despite successful delivery of the exploit payload.
Proofpoint has since released a new rule that addresses Vectra AI's findings.
The cyberattacks Israel has sustained during
the present war with Hamas have for the most part not risen above nuisance-level hacktivism.
A typical example is the defacement of the Maccabi Tel Aviv basketball team's website
with the message, Allah's victory is near. Such hacktivism is likely to persist beyond whatever end the physical
fighting reaches. SC Magazine inventories the kind of war-driven threats businesses in particular
should be alert for. It's a familiar looking list which includes DDoS attacks, disinformation,
and other influence operations, cyber espionage, data theft and doxing, and website defacements. The most consequential
cyber attacks of the war so far have emanated from Iran, and the head of Israel's National
Cyber Directorate, Gabi Portnoy, sees the prospect of an intensified Iranian campaign as his biggest
worry. Portnoy told CNN, Iran knows that they can act more freely in cyberspace than in the physical space.
We are prepared for that as much as we can.
Interfax Ukraine reports the SBU's tally of bot takedowns.
Since the beginning of the current war in February of 2022,
the Ukrainian Security Service says it's taken down 76 bot farms operating on Ukrainian territory and pushing pro-Russian narratives.
SBU Cybersecurity Department head Illia Vitiuk said,
This is no longer just about professional intelligence services.
We have information that a number of educational institutions are already teaching the subjects of cyber attacks on civilian
infrastructure. They want to increase the scale of attacks and the number of people who can do
this professionally. By the way, they teach how to attack not only Ukrainian systems,
but also partner countries. In other words, the Russians are looking at you too, Collective West.
The SBU thinks that students and criminals are prime recruits into the Russian
cyber services and their auxiliaries. They've got the skills and they're appropriately biddable.
And finally, today is election day in the U.S. It's an off-year election and so attracts less
attention than presidential or midterm voting, but the cybersecurity experts
are nonetheless watching the conduct of voting. The U.S. Cybersecurity and Infrastructure Security
Agency is running an election operations center to help secure the vote. The agency said,
this elections operations center brings together federal partners, state and local election
officials, and private sector election partners
to share real-time threat information. CISA stands ready to provide technical security support
to the election infrastructure community. We look forward to seeing any lessons learned.
In the meantime, access management platform provider Cerby has released a study of social
media and election security that assesses
various platforms for their vulnerability to account takeover and the spread of disinformation.
Compared to last year, platforms increased their use of multi-factor authentication,
but enterprise-grade authentication and authorization, the study concluded, continue to lag.
So, as CISA would say, shields up.
Coming up after the break, Ben Yelin looks at data brokers offering information on active U.S. military personnel.
Microsoft's Ann Johnson from the Afternoon Cyber Tea podcast speaks with Sharon Barber.
Microsoft's Ann Johnson is host of the Afternoon Cyber Tea podcast right here on the CyberWire podcast network.
In her most recent episode, she speaks with Sharon Barber, Chief Information Officer at
Lloyds Banking Group, about cyber trends in financial services. Here's part of their conversation.
Today, I'm joined by Sharon Barber, Chief Information Officer at Lloyds Banking Group.
Sharon is responsible for group-wide IT service, cloud and traditional technology infrastructure, security and technology resilience at Lloyds.
And prior to this, as Chief Resilience and Security Officer, Sharon headed up teams
responsible for cyber, physical, and information security activities, along with sourcing,
supply chain management, and divestments. As part of this role, Sharon led Lloyds' operational
resilience strategy and implementation and the group's response to regulatory policy requirements.
Sharon also led the group's incident response to the COVID-19 crisis.
Sharon is co-chair of the UK National Cyber Advisory Board. That's a lot, Sharon. Do you
expect to see more of that in the future? And do you think that more CISOs have ambitions to rise to the CIO role?
I'd like to think so. Maybe they don't realize they have the ambition to do that. I think we should definitely talk about it more. And a CISO these days has either IT experience or has worked closely with the IT teams.
And I think it's a great career path and opportunity
and people should start to consider it.
And if you think in many areas,
technology and security are very closely linked.
Everything is digital and online.
And so it is very similar.
And the non-technical skills are very transferable,
especially those leadership
skills you need in security and managing stakeholders at executive and board levels,
and then also building high-performing teams. So I definitely think it is a good transition.
Though I would say it's a different hat that you wear, no surprise. You go from setting the
security standards, running the operations, and setting expectations and security being top
priority to having to trade off the risks across the ecosystem.
And it doesn't mean security isn't top priority.
It just means you have to think about it end to end on the risk side.
But what I would say that has been great is that as a CIO with a security background,
it gives you the experience and the mandate to drive security ownership right through
the organization and ensure that security is considered at the outset rather than it's somebody else's job to consider.
Look, one of the reasons I love cyber and I've been doing it forever is it's a rapidly evolving
industry. That rapid evolution, though, also requires constant innovation. Can you talk
about your perspective on innovation and cyber? Absolutely. I'm a firm believer that innovation
is not just a nice to have, and it's critical for all of us to keep pace with the threat and
stay ahead. And that's not just in cyber, that's in all of our businesses. And what we need to do
is individual firms and as industries, we need to be thirsty for new and innovative ideas.
There are some great startup hotbeds here in London,
but particularly in the US and Tel Aviv, we're trying to support the UK as much as we can.
We're a founding partner of LORCA, the London Office of Cybersecurity Rapid Advancement. That
doesn't easily slip off the tongue, but I think it's really important that we work together and we
support the government cybersecurity strategy. So that's a key one for us in the UK. And as you interact with these great
startups, you know, over the years, we've found some really useful technologies through these
engagements. But it is wider than just, you know, leading edge technologies. It's important to build
a culture and build innovation into business as usual
and what you do every day,
making sure that your labs are building innovative ideas
into their backlogs and strategies
and not being afraid to fail as well.
You know, so it's very much a mindset.
We have to think differently
and ensure innovation is a core part
of our business processes
and not just something exciting
done by a few people on the side.
You can hear the Afternoon Cyber Tea podcast hosted by Microsoft's Ann Johnson
right here on the CyberWire podcast network.
And joining me once again is Ben Yelin.
He is from the University of Maryland Center for Health and Homeland Security and also my co-host on the Caveat podcast.
Hey, Ben.
Hello, Dave.
Interesting article from the folks at MIT Technology Review.
This is written by Tate Ryan-Mosley.
And this is about how easy it is to buy data
about U.S. military personnel
from some of the online data brokers,
folks that we certainly talk about a lot
over on the Caveat podcast.
What do you make of this, Ben?
So this is actually a pretty disturbing story.
It comes from a study by Duke University.
They approached 12 data brokers in the U.S.
and asked basically what would be
necessary to buy information on service members. They were looking for things like their names,
home addresses, geolocation, net worth, even things as personal as religion, their children,
and health conditions. And it turns out that these companies are not only able to sell this
very sensitive data, but they are doing so on the cheap. So the study quotes as little as 12 cents per record. Data brokers in the U.S.
are selling sensitive private data. There are many disturbing elements to the story. One is that
these companies, these data brokers, have offered to sell the data with basically no vetting.
And the Duke University researchers used email domains based in both the United States
and in various Asian countries.
And that didn't make a difference
as to whether the brokers were willing to sell the records.
Really, this is a story about the utter lack of regulation
we have around data brokers.
And this just might be a type of catalyst
for our policymakers to get involved and to institute some type of protections.
If you're a data broker, I mean, besides morality, what do you care if this data is getting sold and what it's being used for?
Well, presumably, somewhere along the lines, there was a EULA, right, where these service members agreed to having their data shared.
Absolutely.
With whatever application they were using to share that data.
Right.
The EULA, I'm sure they read all 600 pages of it.
Of course, as we all do.
Yeah, exactly.
You know, before I order my Dunkin' Donuts coffee,
I just make sure that I go through the terms and conditions.
That's right.
But yeah, and this has become kind of a Wild West unregulated field.
And like I said, it's hard to blame the data brokers here because this is their industry.
They're making money off of it.
Right.
Not illegal.
It's not illegal.
And yes, this Duke University study has now found the most sensitive group of individuals whose data is being stolen.
All of us admire
our servicemen and women. They are our best and brightest. And to see their data, especially
their personal data, being used in this way, I think is very disturbing. So maybe this can help
be a catalyst to institute a broad data privacy protection that requires the equivalent of some type of Fourth Amendment search,
if it's the government,
or extra privacy protections,
if it's simply private industry,
to obtain this data from data brokers.
I think that's really the ultimate goal here,
is to take this out of the wild west of regulation
and to bring it under a regime
that is more protective of this sensitive data.
Yeah. Indeed, they reached out, or they being MIT Technology Review, reached out to
Senator Elizabeth Warren, who I think it's safe to say is a usual suspect when it comes to these
sort of data privacy things. Absolutely.
Right? But she also serves on the U.S. Senate Armed Services Committee, and she said that data brokers are selling
sensitive information about service members and their families for nickels without considering
the serious national security risks. This report makes clear that we need real guardrails to
protect the personal data of service members, veterans, and their families. To what degree
do you agree that this could pose a national security risk?
You know, it's hard to say. I mean, I think there's always a risk that with this type of
sensitive information, if it gets into the wrong hands, it could be used as a method to attack
service members, especially if we're talking about geolocation data. So for things like
attempts at terrorist attacks, I mean, this could be a weapon that's deployed.
If you're thinking about terrorist organizations,
this would be a cheap way for them to obtain data
in ways that they previously just would not have been able to do.
So yeah, I certainly think there is a risk out there.
It's not a reason for any of us to panic,
but because this data is so personal and so sensitive
and it's targeting service members,
I think there absolutely is that risk that it affects our national security.
Yeah.
Another thing that this report highlights is that some of the brokers ask the researchers to sign non-disclosure agreements.
So in other words, you're going to buy this data from us, but you can't tell anybody.
Yeah, that's something that's very interesting and disturbing to me. I mean, I think that was
an interesting part of the study is that the Duke researchers weren't just passively observing how
this industry works. They were actively purchasing the data and kind of showing us, baring to the
rest of us who aren't familiar with the world of data brokers,
how this all works. So the fact that they're trying to force them to agree to these NDAs,
I think is really illuminating. I think that it kind of reveals a consciousness in some sense on
the part of these companies that they are dealing with sensitive data and they are just trying to
protect their own legal interests instead of actually wanting to solve the problem, which is to institute more privacy protections.
So yeah, I definitely think that is a disturbing element to it. It's what one of the researchers
called a veil of secrecy that data brokers are drawing around their practices.
Yeah. MIT also reached out to Senator Ron Wyden, another usual suspect.
Absolutely.
He said, not to sound like a broken record, but our country desperately needs a comprehensive consumer privacy law here to limit the collection, retention, and sale of sensitive personal information from the start.
I feel like Senator Wyden could have that tattooed across his forehead.
I think so. Yeah, that could be the outgoing message on his Senate office phone voicemail.
Right.
Yeah, I wonder if they're going to bring
some of these representatives
from some of these companies
and for a good old-fashioned congressional grilling,
maybe in front of the Armed Services Committee,
and bring some service members
who've had their data brokered,
just like the study seems to indicate, and make a real show of it.
Good old-fashioned naming and shaming.
Absolutely.
It's very effective.
I mean, how do you think we got those tobacco companies finally?
Get them in front of there and shame them to their face.
Yeah.
Yeah.
All right.
Well, again, this is an article from MIT Technology Review written by Tate Ryan-Mosley.
It's titled, It's Shockingly Easy to Buy Sensitive Data About U.S. Military Personnel.
Ben Yelin, thanks for joining us.
Thank you.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like The Cyber Wire are part of the daily intelligence
routine of many of the most influential leaders and operators in the public and private sector,
as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent
intelligence and law enforcement agencies. Our mixer is Trey Hester, with original music by Elliot Peltzman. The show is written by our editorial staff.
Our executive editor is Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.