CyberWire Daily - Disruptions to the internet.
Episode Date: January 5, 2024

BGP attack disrupts Internet service. Data breach law firm breached. Remcos RAT returns. Poison packages in the PyPI repository. Hacktivist personae and GRU fronts. BreachForums impresario re-arrested. Cyber National Mission Force gets a new leader. On our Solution Spotlight, Simone Petrella talks with ISC2 CEO Clar Rosso about putting a dent in the cybersecurity workforce gap. LinkedIn as a dating platform?

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
On our Solution Spotlight, N2K President Simone Petrella talks with ISC2 CEO Clar Rosso about putting a dent in the cybersecurity workforce gap through empowerment, breaking down barriers and expanding Diversity, Equity and Inclusion (DE&I) initiatives.

Selected Reading
BGP attack disrupts Internet service. Pirated Zeppelin ransomware source code for sale in a C2C souk. BreachForums impresario re-arrested. (CyberWire)
Hacker hijacks Orange Spain RIPE account to cause BGP havoc (Bleeping Computer)
RIPE Account Hacking Leads to Major Internet Outage at Orange Spain (SecurityWeek)
Law firm that handles data breaches was hit by data breach (TechCrunch)
UAC-0050 Group Using New Phishing Tactics to Distribute Remcos RAT (The Hacker News)
Experts found 3 malicious packages hiding crypto miners in PyPI repository (SecurityAffairs)
BreachForums administrator detained after violating parole (The Record)
Russian hackers wiped thousands of systems in KyivStar attack (Bleeping Computer)
US military's Cyber National Mission Force gets a new chief (The Record)
The Hottest New Dating Site: LinkedIn (Business Insider)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
A BGP attack disrupts internet service.
A data breach law firm's been breached.
The Remcos RAT returns.
Poison packages in the PyPI repository.
Hacktivist personae and GRU fronts.
A BreachForums impresario is rearrested.
The Cyber National Mission Force gets a new leader.
In our Solution Spotlight, Simone Petrella talks with ISC2 CEO,
Clar Rosso, about putting a dent in the cybersecurity workforce gap.
And LinkedIn, as a dating platform?
It's Friday, January 5th, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing.
We begin today with news that Orange Spain, one of that country's primary mobile network operators,
faced an internet outage after a hacker breached its RIPE account,
altering Border Gateway Protocol, that's BGP routing,
and Resource Public Key Infrastructure Configuration, that's RPKI.
RIPE is the Regional Internet Registry for Europe, the Middle East, and Central Asia.
BGP is crucial for directing internet traffic by allowing organizations to link their IP addresses with autonomous system numbers and advertise to connected routers.
However, it's based on trust, making it vulnerable to hijackings when a rogue network falsely announces IP ranges associated with an AS number, redirecting traffic maliciously.
an invalid RPKI configuration, a cryptographic method to ensure only authorized routers
can advertise an AS number and its IP addresses.
This improper implementation caused Orange's IP addresses
to be incorrectly announced,
leading to network performance issues.
The breach likely occurred due to weak security,
specifically the absence of two-factor authentication on the RIPE account and a simple password, RIPEadmin.
The credentials were possibly stolen via information-stealing malware found in a public leak.
RIPE has restored control to Orange and urged all users to update passwords and enable multi-factor authentication.
In what has become an all-too-frequent story of bitter irony,
San Francisco-based Orrick, Herrington & Sutcliffe,
a law firm specializing in handling regulatory requirements for companies during security incidents,
suffered a cyber attack in March 2022,
exposing personal and health data of over 637,000 individuals.
Hackers accessed detailed information, including names, birthdates, government IDs, and medical and financial details
from clients like EyeMed Vision Care, Delta Dental, MultiPlan, Beacon Health Options, and the U.S. Small Business Administration.
Despite not detailing the breach method or ransom demands,
Orrick has settled class action lawsuits accusing it of delayed breach notifications.
The firm expressed regret and emphasized its commitment to data protection,
indicating no further notifications for additional businesses.
Researchers at Uptycs report that UAC-0050, a threat actor active since 2020, is deploying
the Remcos RAT through phishing attacks while employing new methods to evade detection.
This group, known for targeting Ukrainian and Polish entities, now uses a pipe method for inter-process communication, increasing its adaptability and sophistication.
Recent attacks have involved a malicious LNK file targeting Ukrainian military personnel with fake consultancy roles.
The file bypasses security measures by collecting information about installed antivirus products and executing remote
scripts to download and launch Remcos RAT. This malware harvests system data and browser login
information, with its evasion tactics marking an advanced leap in UAC-0050's operational strategies.
Fortinet researchers identified three malicious packages in the PyPI repository
targeting Linux systems with a crypto miner.
Authored by sastra, the packages, named modularseven, driftme, and catme,
amassed over 400 downloads before removal.
These packages' indicators of compromise matched a previously discovered package, culturestreak.
The attack is initiated via an import statement,
which triggers the download of a shell script and a coin miner file from a remote server.
The script fetches a configuration file and the mining executable,
with the attacker disabling features for compatibility
and using the nohup command for background execution and persistence.
These packages showcased advanced tactics to evade detection and maintain malicious functions
by storing critical commands remotely, enhancing concealment and control over the disclosure of
malicious code.
Connor Brian Fitzpatrick, age 23, of Peekskill, New York,
and better known by his hacker name Pompompurin,
who took a guilty plea in July to charges related to the operation of the criminal BreachForums site and his possession of child pornography, has been rearrested.
He's been out on bond awaiting sentencing,
and he was taken back into custody for reported violations of his parole,
The Record reports.
Bleeping Computer describes the effects of the wiper phase of the recent cyber attack against Kyivstar.
Illia Vitiuk of the Ukrainian SBU described it as extensive and devastating, with challenging recovery efforts.
Kyivstar, which fully restored services by December 20th,
hasn't confirmed the SBU's account and denied data loss or theft.
An ongoing investigation is exploring various lines of inquiry.
Adam Meyers of CrowdStrike attributes the attack to Russia's GRU,
specifically the Voodoo Bear group,
which likely operated under the pro-Russian hacktivist persona
Solntsepek.
The attack, coinciding with disruptions across Kyiv, is seen as part of
Russia's broader cyber and psychological operations aimed at undermining public trust
in Ukrainian institutions and demonstrating the power of combined physical and digital warfare.
U.S. Cyber Command's Cyber National Mission Force will see a leadership change as Marine Corps Major General Lorna Mahlock takes over for Army Major General William Hartman.
The CNMF, activated in 2014 with 39 joint cyber teams,
plays a pivotal role in Cyber Command's operations and was made a
permanent organization in 2022. Mahlock, the first Black woman to become a Brigadier General in the
Marine Corps and the service's first female Chief Information Officer, recently served as the
Military Deputy Director for the National Security Agency's Cybersecurity Directorate.
Her appointment was delayed due to a blanket hold on military promotions,
but proceeded after Senator Tommy Tuberville lifted the hold.
Hartman is set to become Cyber Command's new Deputy Chief,
while Mahlock's former role at NSA will be assumed by Brigadier General Jerry Carter.
Congratulations, Major General Mahlock.
Coming up after the break, on our Solutions Spotlight, N2K President Simone Petrella speaks with ISC2 CEO Clar Rosso about putting a dent in the cybersecurity workforce gap through
empowerment,
breaking down barriers, and expanding diversity, equity, and inclusion initiatives.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews,
and reporting, and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised
at home, your company is at risk. In fact, over one-third of new members discover they've already
been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
In our ongoing Solutions Spotlight series,
today N2K President Simone Petrella returns
with a conversation with ISC2 CEO Clar Rosso
about putting a dent in the cybersecurity workforce gap. Here's their conversation.
One organization that's been representing the cyber workforce since I believe it's 1989
is ISC2. And I am so excited to be joined today by Clar Rosso. And you've spearheaded some
pretty amazing initiatives in your tenure since
joining. But Clar, I'm excited to talk today about some things that you all are doing to help
tackle that, especially around diversity initiatives as well. Before we dive into all of that,
one of the first things I noticed about you is that you have a long history with associations,
but of accountants. So I would love to hear a little bit about your background, but then
also your perspective on the similarities and maybe differences that you've noticed in the
field since joining cybersecurity. Thank you, Simone. So thanks. It's great to be here. Great
to be talking to you. Thanks for having me. And it's fascinating, actually, that I come from
working for decades for the accounting and finance profession because
I actually think my experiences there are not dissimilar to what we're doing here. And there's
a lot to be learned both ways in that relationship. So accounting and finance has an underlying need
to have a deep knowledge and understanding of risk management. And if you think about what cybersecurity is, it's nothing but risk management.
So the overlap there was a super pleasant surprise for me when I joined the organization.
And then personally, I think that plus the fact that in my career, I had had so many
opportunities as a business leader to be involved. But when I think about the profession,
there's a couple areas that some of what I learned when working with accountants is actually serving me really well here with cybersecurity. So one is just thinking about
the professionals. And in accounting, we had a workforce gap, nothing on the scale like we have in cybersecurity.
But that challenged us about a decade or so ago to really think, how do we think differently about who we hire?
And how can we challenge our traditional beliefs that we need to have people who have technical accounting skills and really think about what are the core competencies that make
someone a good accountant? Well, guess what? They're problem solvers and analytical thinkers
and critical thinkers. They need to, in writing and in verbal communications, they need to be
great. And gosh, that sounds really similar to what we need in cybersecurity. So I think that is a pleasant area of overlap
that we can leverage.
Yeah, I mean, it always has struck me,
being in the cybersecurity industry
for as long as I've been in there,
we are an industry of professionals,
but we haven't professionalized.
Yeah.
And what I think you're describing
is this concept of like professionalization,
you know, and those standards are part of it.
So switching back to kind of the meat of the topic, ISC2 is known for putting out its annual
cybersecurity workforce study, and the most recent came out in early November of 2023.
Would you mind sharing some key takeaways or themes that you saw from this most recent study?
Okay. As usual, it's a good news, bad news scenario, which is really ultimately good news.
So the workforce grew. It grew 8.7% to 5.5 million professionals. We count fractional people
in cybersecurity as part of the workforce. And because it is really illustrative
of what the cybersecurity workforce looks like.
So anybody who spends more than 25% of their time
on cyber roles, we include as part of the workforce.
So 5.5 million, we grew the supply, always good news.
We pat ourselves on the back.
But at the same time, the demand grew even more.
So our unfilled roles in cybersecurity
now globally are around 4 million, which is huge. It was about a 12 point something percent
increase year over year. And while that's worrisome, I actually think it's positive too,
because what that tells me, because this is demand for unfilled roles,
is that organizations are prioritizing cyber professionals on their team, which is they
understand the value of cybersecurity professionals in the workforce. This year, we dug into the
difference between people and skills. And so not just do you have a gap in your workforce, but do you have a skills
gap? And perhaps it has really shown a spotlight on the fact that we need to be paying more
attention to the skills gap. So I think that really points to thinking about what are the
skills we need? How do we take the time? And that's the hard part, right?
You're a cyber professional.
You know this.
That's the hard part.
How do we take the time to develop the skills that we deem essential to our organization so that we can really address our security posture?
And in some cases, take the time to identify which skills are required for the roles that we need.
I know a part of that is also addressing diversity and inclusion, and that's a priority for ISC2 as well.
How are you approaching those particular issues in the cybersecurity community and what initiatives are in place now to promote diversity? All right. Well, so we kicked off a DEI initiative three years ago
when I first joined, and we brought a group together globally to say, what's the landscape
look like here, and what do we need to do? And the data is super clear. We bring diverse
individuals in, and they don't stay. And it's the worst with women, right? We bring women in and they don't
stay in cyber and we need to change that. We need to understand what the root causes of that.
So our approach has been, first and foremost, that we're not going in alone on this.
So there are so many wonderful nonprofits all across the globe that are focused on helping
different kinds of diverse or underrepresented groups enter
the cybersecurity profession. So we are partnering with them to understand what we can do to help
people be successful. And one of the things that we found out, and we held a global DEI summit in
Washington, D.C. last summer to bring that group together and talk about what can we do that's most important.
And where we landed was sort of a two-way path on employability. How do we, for individuals beyond our certified in cybersecurity, how do we help provide them with the tools and the confidence
they need to consider a job in cyber, to interview for a job,
to create that resume, to successfully onboard in a job. And especially when you might be
onboarding in an organization where you don't see a whole lot of people like you there.
And then how do you help them just navigate the workplace in a way where they feel included and they belong and that's
somewhere where they want to stay. So, a whole bunch of work starting in that area. And there's
a lot going on there. We just want to amplify and scale that. And we now need to also address
the employer side of the equation. And I bet you have stories you could tell me.
So many. But we need to work
with employers to say, what are those best practices? Let's work together because your
heads are all nodding when we talk about hiring differently. So let's talk about that. How does
that mean you change your job descriptions? How does that mean you change, how do you change how you filter for who you interview? How might that even change how you
interview and consider who's a qualified candidate for a job? And so we're going to work on the
employer side with all those things. We're going to talk about pay equity with people. We're going
to talk about their advancement practices and how to do it. And then we're going to start to spotlight the organizations that are doing it well.
So we think if we add this other level,
those employers will be the employers that people are beating down their door for.
And I do think I absolutely see a strong willingness across the profession
to head in this direction. And this goes back to,
we want to do it, help us on how we do it. We know they're resistors and there's really vocal
resistors, but they are absolutely positively the minority in the profession, not the majority.
Most people are very inclusive. I actually have been really impressed,
you know, moving from working
with a different profession
before to coming to cybersecurity
at how much cyber professionals
want to help bring along
the next generation of cyber professionals.
So I think we're ripe for change here.
That's N2K President Simone Petrella
with ISC2 CEO Clar Rosso.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and
And finally, Business Insider reports a trend.
People are looking for love on LinkedIn.
There's a view, apparently, that it's easier to filter out posers, creeps, and losers there
than it is on other more traditional lonely hearts sites.
The potential for catfishing is obvious.
Our lovelorn desk reminds us of the saga of Robin Sage, the fictitious online persona created in 2009 by white hat hacker Thomas Ryan.
Accounts on popular social media platforms presented Robin Sage as a 25-year-old cyber threat analyst at the Naval Network Warfare Command with an MIT background and a decade of experience.
intelligence agents.
Despite being entirely fictitious, she was approached for consulting roles by prominent companies like Google and Lockheed Martin and received dinner invites from male contacts.
We actually know someone who brought a resume to a first date.
Maybe that acquaintance was ahead of the curve and not just a little bit odd.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
Be sure to check out this week's Research Saturday and my conversation with Guilherme Venere from Cisco Talos.
We're discussing a deep dive into Phobos ransomware recently deployed by 8BASE Group.
and podcasts like The Cyber Wire are part of the daily intelligence routine of many of the most influential leaders and operators
in the public and private sector,
as well as the critical security teams
supporting the Fortune 500
and many of the world's preeminent intelligence
and law enforcement agencies.
N2K Strategic Workforce Intelligence
optimizes the value of your biggest investment,
your people.
We make you smarter about your team
while making your team smarter. Learn more at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music by Elliot Peltzman.
Our executive producers are Jennifer Eiben and Brandon Karp. Our executive editor is Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here next week.
you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.