CyberWire Daily - Deciphering the Acuity cybersecurity incident.
Episode Date: April 5, 2024
Acuity downplays its recent breach. IcedID gives way to a new malware strain. Russia arrests alleged credit card thieves. Wiz uncovers security flaws in Hugging Face AI models. NERC and the E-ISAC review lessons learned from simulated attacks on the electrical grid. UK police track honey traps targeting MPs. Microsoft says China is actively trying to influence US elections. A major global lens maker suffers a cyber attack. Guest Dick O'Brien from the Symantec Threat Hunter Team shares how ransomware operators adapt to disruption. And SEO under threat of legal action.
Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
Guest Dick O'Brien from Symantec Threat Hunter Team by Broadcom shares how ransomware operators adapt to disruption. Get more details in the blog: Ransomware: Attacks Continue to Rise as Operators Adapt to Disruption.
Selected Reading
Acuity Responds to US Government Data Theft Claims, Says Hackers Obtained Old Info (SecurityWeek)
New Latrodectus malware replaces IcedID in network breaches (BleepingComputer)
Magecart-style hackers charged by Russia in theft of 160,000 credit cards (The Record)
Wiz Discovers Flaws in GenAI Models Enabling Customer Data Theft (Infosecurity Magazine)
Lessons learned from electrical grid security exercise (NERC)
British police investigating 'honey trap' WhatsApp messages sent to MPs (The Record)
China is trying to influence US elections with AI, Microsoft claims (Silicon Republic)
Lens Maker Hoya Scrambling to Restore Systems Following Cyberattack (SecurityWeek)
A 'Law Firm' of AI Generated Lawyers Is Sending Fake Threats as an SEO Scam (404 Media)
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life. JoinDeleteMe.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout. That's JoinDeleteMe.com slash N2K, code N2K.
Acuity downplays its recent breach.
IcedID gives way to a new malware strain.
Russia arrests alleged credit card thieves.
Wiz uncovers security flaws in Hugging Face AI models.
NERC and the E-ISAC review lessons learned from simulated attacks on the electrical grid.
UK police track honey traps targeting MPs.
Microsoft says China is actively trying to influence US elections.
A major global lens maker suffers a cyber attack.
Our guest, Dick O'Brien from the Symantec Threat Hunter team,
shares how ransomware operators adapt to disruption.
And SEO under threat of legal action.
It's Friday, April 5th, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Happy Friday, everyone. It is great to have you here with us.
In a follow-up to the recent cybersecurity incident at Acuity, a tech firm serving U.S. federal agencies,
the company has acknowledged the breach but downplayed the sensitivity of the compromised data.
The hacker IntelBroker claimed to have disseminated personal data from approximately 3,000 individuals, mainly linked to the U.S. Department of State, along with 2.5 gigabytes of files purportedly from Acuity.
Despite assertions of exposing classified communications, Acuity CEO Rui Garcia clarified the breach affected only outdated, non-sensitive GitHub repository information.
The company has since implemented security upgrades and, after thorough investigations, reported no impact on sensitive client data.
The State Department is conducting its own inquiry into the allegations.
Latrodectus, a new malware evolving from the IcedID loader, has been identified in malicious email campaigns since November 2023.
Discovered by Proofpoint and Team Cymru, its capabilities appear experimental.
IcedID, known since 2017 as a banking trojan, has evolved into a sophisticated loader for various malware types, including ransomware.
Recently, with the February 2024 guilty plea of an IcedID leader, researchers suggest Latrodectus, sharing infrastructure and tactics with IcedID, may become its successor.
Distributed mainly through phishing by threat actors TA577 and TA578, Latrodectus initiates attacks via fake copyright infringement notices, leading victims to download a payload designed to evade detection and perform sandbox checks before executing.
It can retrieve further malicious payloads from a command and control server, signaling a potential rise in its use for future cyberattacks.
In a rare public action against cybercrime within its borders,
Russia has charged six individuals with stealing details from 160,000 credit cards and online store payments.
The suspects employed malware and malicious code to pilfer payment information,
later selling it on darknet forums.
This operation utilized a Magecart-style attack,
injecting code into e-commerce sites to capture sensitive data.
The crackdown is notable in a country where cyber criminals often operate with impunity,
hinting at possible connections to a broader crackdown,
such as the 2022 arrest of the UniCC forum administrator
involved in a massive stolen card trade.
The suspects face up to seven years in prison if convicted.
Cloud security company Wiz discovered two critical flaws in AI models on Hugging Face, a major AI model sharing platform, posing risks to AI-as-a-service providers.
The vulnerabilities include risks of shared inference infrastructure and CI/CD pipeline takeover. These flaws could allow attackers to execute malicious code or perform supply chain attacks by exploiting the pickle format used in serialized AI models or by compromising the automated software development workflow.
Wiz's investigation demonstrated potential exploitation methods, such as causing false predictions or remote code execution.
Despite limited tools for checking model integrity, Hugging Face offers pickle scanning for verification.
Wiz and Hugging Face collaborated to address these issues.
A report from NERC and the E-ISAC looks at lessons learned from the GridEx VII exercise, a simulated targeting of North America's electric grid with cyber and physical attacks.
The exercise involved a broad spectrum of participants
from the electric sector and government,
emphasizing the grid's resilience and response strategies.
This simulation included distributed play
and an executive tabletop session,
spotlighting the urgent need for fortified
resilience against complex threats, better coordination among electric utilities,
government partners, and interconnected sectors, along with the enhancement of hybrid work
environment response strategies. Recommendations in the report include calls for improved
communication methods, better planning to ensure technical
information is accessible across diverse teams, and tailored support for organizations of different
sizes and experience levels. Future directions include deeper engagement across sectors,
making the exercise more accessible to a wide participant range, and enhancing materials,
especially for cyber scenarios,
to better prepare for and mitigate evolving cybersecurity threats to the grid.
UK Police and Parliament's Security Department are investigating a honey trap scheme targeting
Westminster politicians, officials and journalists, involving suggestive messages on WhatsApp aiming to obtain compromising
photos. This follows a Politico report highlighting the message's tailored nature and
sexually explicit progressions. While there's no direct evidence linking the scheme to state
espionage, concerns about such activities have risen after warnings about China's cyber targeting.
The situation came to light after William Wragg, a senior Conservative MP, admitted to sharing colleagues' numbers under pressure from someone he met on Grindr.
Investigations were sparked by a report of unsolicited messages to a Leicestershire MP, with impacted individuals urged to report for their protection against potential blackmail.
Microsoft has reported that Chinese-affiliated actors
are employing fake social media accounts and AI-generated content to potentially influence
U.S. elections and sow divisions on contentious domestic issues. According to Microsoft Threat Intelligence,
these operations aim to gather intelligence
and possibly sway the outcomes of elections in the U.S. and other democracies,
with recent activities targeting the Taiwanese elections through AI content.
This assertion follows earlier criticisms of Microsoft
for mishandling a preventable breach attributed to China-linked hackers,
underscoring a complex backdrop of cybersecurity tensions between Western countries and China.
The tech giant emphasizes the enhanced sophistication and targets of China's influence operations,
despite little evidence of successful opinion manipulation.
Japan's Hoya Corporation is actively working to recover systems at some production plants affected by a cyber attack on March 30.
The attack led to the isolation of servers, disrupting IT systems at its headquarters and various divisions.
Immediate action was taken upon detecting abnormal system behavior at an
overseas office. The company, one of the world's largest manufacturers of optical products,
is collaborating with external forensic experts and has informed relevant authorities.
The incident has impacted production plants and product ordering systems,
but the extent and nature of the breach, including whether confidential information was compromised,
are still under investigation.
Hoya says they are prioritizing the restoration of affected systems
and minimizing customer impact,
with the investigation expected to take considerable time.
Coming up after the break, Dick O'Brien from the Symantec Threat Hunter team shares how ransomware operators adapt to disruption.
Stay with us.
Transat presents a couple trying to beat the winter blues.
We could try hot yoga.
Too sweaty.
We could go skating.
Too icy.
We could book a vacation.
Like somewhere hot.
Yeah, with pools.
And a spa.
And endless snacks.
Yes!
Yes!
Yes! Yes! Yes!
With savings of up to 40% on Transat South packages, it's easy to say, so long to winter.
Visit Transat.com or contact your Marlin travel professional for details.
Conditions apply.
Air Transat. Travel moves us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews,
and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new
way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their
personal devices, home networks, and connected lives. Because when executives are compromised
at home, your company is at risk. In fact, over one-third of new members discover they've already
been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
Dick O'Brien is a principal intelligence analyst
with Symantec's ThreatHunter team.
I recently caught up with him for insights
on how ransomware operators adapt to disruption.
I think it has been very apparent, particularly over the last 12 months, about how adaptable ransomware organizations can be to disruption that either directly or indirectly affects their operations.
And I think the real signifier of this,
or the real thing to look at has been their distribution channels.
So if you maybe look back more than 12 months,
go back to 2021, 2022,
botnets were very much the favorite distribution channel
for ransomware operators.
And what would happen is that botnets grow themselves
by using the botnet to send out these massive spam campaigns
that are laced with malware.
And any computer, anybody who opens that malware
then gets added to the botnet.
And what botnet operators were doing then
were selling off access to their more interesting victims
to ransomware operators.
In some cases, the ransomware operators had close ties with the botnets themselves.
And in at least one case, we think they owned one.
But this was usually the preferred way of getting into organizations.
So botnets, they had a large pool of potential victims,
and they could sell off the interesting ones to the ransomware groups.
So we saw a lot of ransomware attacks,
beginning with the likes of TrickBot,
IcedID, and Qakbot, amongst others.
And then what happened is,
is for one reason or another,
the various big botnets kind of got knocked offline.
There was some disruption efforts in law enforcement operations
that hit TrickBot, and then more recently,
they hit Qakbot in the middle of last year.
And if you had told me about this, I guess, 12 months ago,
I would have said, oh, that would probably be a problem
for the ransomware operators, and we'll probably see less attacks.
And what happened instead was, after the loss of the big botnets like Qakbot,
ransomware attacks actually increased.
They increased by a significant amount in Q3 of 2023.
And what happened was that ransomware operators,
they found other and probably better infection vectors
to get into organizations.
And those vectors are the exploit of known vulnerabilities in public-facing applications.
I think it probably started with the discovery of a string of vulnerabilities over the space
of a year or so in Microsoft Exchange Server.
So those things like ProxyShell, ProxyNotShell,
ProxyLogon, things like that.
And they kind of came in quick succession.
And I think it probably opens the eyes,
the attacker's eyes to the potential
of these vulnerabilities in public facing applications that are widely used.
And they began looking around for more similar types of vulns. And what you are seeing now
is that shortly after a vulnerability is patched, you're going to see a lot of scanning campaigns looking for unpatched servers.
And invariably, there are some.
And then in some cases,
it may be the ransomware operators
that can do the scanning.
In a lot of cases,
it's probably what are known as access brokers
and they're scanning
and then selling off interesting victims
onto ransomware groups for further exploitation.
So they pretty much switched from one infection vector to another.
And not only did they keep their business growing,
they managed to grow it.
What about when we see, with great fanfare,
a takedown by international law enforcement?
You know, and there's a big announcement.
We see perhaps, you know, some infrastructure go down.
Don't typically see arrests because these folks are often out of reach.
But it seems to me like not long after that announcement and that takedown,
maybe you'll see the group isn't as dead
as we had thought or hoped they might be?
I think a takedown is always good news.
It's always positive news.
Even if it doesn't make your attackers go away completely,
it means that they have to work harder
to get back to where they are.
It's not business as usual anymore.
I think you probably have to see law enforcement operations
as each one as being a piece of the jigsaw.
And maybe over time, they will collectively put a bigger dent in cybercrime
than maybe each individual operation may appear to be.
But you're right, the lack of arrests,
which is because a lot of suspects are in jurisdictions that don't have extradition treaties with countries like the U.S.,
does make it a lot more difficult.
Where do you suppose we're headed here?
I mean, you make the point that rather than resignation, takedowns or patches
seem to lead to innovation. Is there hope on the horizon that perhaps the defenders can
get a hold of this, or does this seem to be here to stay for the foreseeable future?
I think there is hope on the horizon.
I think in relation to the current infection vector du jour, I think as awareness grows about these exploit campaigns,
organizations are going to be quick to move on it
and be much more proactive about patching software
and identifying unpatched instances and things like that.
So that avenue could be shut off really quickly.
And then after that, yeah, they could innovate again,
but I think it might be an awful lot harder than this time around, you know?
You know, you're cutting off the low-hanging fruit.
So I don't think they're going to continue to,
it's going to continue to be so easy for them.
Well, given where we find ourselves at this moment,
what are your current recommendations
for organizations to best defend themselves?
Awareness
of vectors,
you know, how they
are getting in is obviously
key, you know, and if you can stop
them at the first step, that's the best
possible defense,
you know, so awareness of what
applications you're running and ensuring
that you are updating as and when patches are released.
In some cases, we have seen scanning campaigns for recently patched vulnerabilities begin within 24 hours of the patch coming out.
So that's your window.
You can't afford to be complacent about this. And also the other,
I think, takeaway when it comes to ransomware is the realization that the TTPs they're using
involve very, very little malware. We're seeing an explosion in the number of what we call
dual-use tools, so they're essentially legit software packages
that are installed by the attackers themselves
and used to their own ends.
In particular, remote desktop, remote admin tools,
an awful lot of them are being used,
but also these kind of RMM solutions,
remote management and monitoring solutions.
Some of them are used, ironically, to roll out software updates across an entire network.
But ransomware groups have kind of cottoned on to their potential, and they're using it
to roll out ransomware across networks.
An awareness of what kind of tool set
is now being used, and
having oversight and monitoring
of what software is being used
on your network.
You know, and almost
you need to have a whitelist of
authorized applications.
These are the applications we use,
and anything else
should be treated with suspicion.
That's Dick O'Brien from Symantec's Threat Hunter team.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And finally, Ernie Smith, author and proprietor of the popular website Tedium,
recently encountered a sophisticated scam operation disguised as a copyright enforcement action.
Smith received a communication from a supposed law firm, Commonwealth Legal,
which alleged a copyright infringement
related to an image used on his website.
The notice, rather than demanding the removal of the image
or threatening a lawsuit,
instructed Smith to place a visible and clickable link
under the disputed photo,
directing to a website named Tech for Gods.
The message warned of legal action should he fail to comply.
Upon closer inspection, Smith discovered numerous red flags
pointing to the illegitimacy of Commonwealth Legal.
The firm's website featured generic design elements populated with stock images,
and the portraits of its lawyers appeared eerily lifeless,
typical of faces generated by AI through generative adversarial networks.
Further investigations into the firm's listed address revealed it as non-existent,
and attempts to reach the firm through provided contact details led nowhere.
This peculiar situation unveiled not a genuine copyright enforcement effort, but an elaborate
SEO scam. The scam aimed to improve the Google ranking of Tech for Gods, a gadget review website.
This incident sheds light on a new, more insidious form of SEO scamming that mimics
the structure and threat of legal copyright actions. These scams exploit the fear and
formalities associated with legal disputes to coerce website owners into unknowingly participating
in manipulative SEO practices. Our legal desk tells us the lawyers at Commonwealth Legal are so advanced,
they've already passed the bar exam in the metaverse. Before we go, a quick note of thanks.
One of the most gratifying parts of being part of this team is when a kind listener takes the
time to let us know how much they value and appreciate our work. We got an anonymous care package in the mail
from a listener in Texas
who sent along an amazing collection of goodies,
snacks, and knickknacks for our N2K CyberWire
and T-Minus podcasting teams,
along with a handwritten letter
expressing gratitude for the work we do.
To our Texas superfan on behalf of everyone here,
thank you for taking the time and effort to
reach out and share your kind thoughts. You've got a lot of folks smiling from ear to ear here at the
N2K CyberWire studios, and it's a great way for all of us to head into the weekend. So thanks.
Have a great weekend, everybody.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday and my conversation with Noah Pack, a SANS Internet Storm Center intern.
We're discussing what happens when you accidentally leak your AWS API keys.
That's Research Saturday. Check it out.
We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people.
We make you smarter about
your team while making your team smarter. Learn more at n2k.com. This episode was produced by
Liz Stokes. Our mixer is Trey Hester with original music by Elliot Peltzman. Our executive producers
are Jennifer Iben and Brandon Karp. Our executive editor is Peter Kilby and I'm Dave Bittner.
Thanks for listening. We'll see you back here next week.
insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.