CyberWire Daily - Don’t get snatched. Trends in phishing, cyber insurance claims, and threats to academic institutions. Hacktivism in the hybrid war. Updates on the ICC attack. MGM says its casinos are back.
Episode Date: September 21, 2023

CISA and the FBI warn of Snatch ransomware. A look at phishing trends. Ransomware is increasingly cited in cyber insurance claims. Trends in cyber threats to academic institutions. A Russian hacktivist auxiliary disrupts Canadian border control and airport sites. The ICC remains tight-lipped concerning a cyberattack. N2K's Simone Petrella sits down with Chris Krebs at the mWISE conference. In today's Threat Vector segment, David Moulton from Unit 42 takes a peek into the modern threat landscape with Wendi Whitmore, SVP of Unit 42. And MGM Resorts says it's well on the way to recovery.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/181

Threat Vector links. To learn what is top of mind each month from the experts at Unit 42 sign up for their Threat Intel Bulletin.

Selected reading.
#StopRansomware: Snatch Ransomware (Cybersecurity and Infrastructure Security Agency CISA)
2023 Phishing Trends (ZeroFox)
Cyber Insurance Claims Frequency and Severity Both Increased For Businesses in 1H 2023, Coalition Report Finds (Business Wire)
2023 Cyber Claims Report: Mid-year Update (Coalition)
Since 2018, ransomware attacks on the education sector have cost the world economy over $53 billion in downtime alone (Comparitech)
Canada blames border checkpoint outages on cyberattack (Record)
Cyberattack hits International Criminal Court (SC Media)
International Criminal Court hacked amid Russia probe (Register)
International Criminal Court under siege in cyberattack that could constitute world's first cyber war crime (Yahoo News)
Our hotels and casinos are operating normally. (FAQ - MGM Resorts)
MGM Resorts computers back up after 10 days as analysts eye effects of casino cyberattacks (AP News - 09-20-2023)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
CISA and the FBI warn of Snatch ransomware.
A look at phishing trends.
Ransomware is increasingly cited in cyber insurance claims.
Trends in cyber threats to academic institutions.
A Russian hacktivist auxiliary disrupts Canadian border control and airport sites.
The ICC remains tight-lipped concerning a cyber attack.
N2K's Simone Petrella sits down with Chris Krebs at the mWISE conference.
In today's Threat Vector segment, David Moulton from Unit 42 takes a peek into the modern threat landscape with Wendi Whitmore, Senior Vice President at Unit 42.
And MGM Resort says it's well on the way to recovery.
I'm Dave Bittner with your CyberWire Intel briefing for Thursday, September 21st, 2023.
CISA and the FBI have released a joint cybersecurity advisory outlining tactics, techniques, and procedures associated with the Snatch ransomware. The advisory says, since mid-2021, Snatch threat actors have consistently evolved their tactics to take advantage of current trends in the cybercriminal space and leverage successes of other ransomware variants' operations. Snatch threat actors have targeted a wide range of critical infrastructure sectors, including the defense industrial base, food and agriculture, and information technology sectors. Snatch threat actors conduct ransomware operations involving data exfiltration and double extortion. After data exfiltration, often involving direct communications with victims demanding ransom, Snatch threat actors may threaten victims with double extortion, where the victim's data will be posted on Snatch's extortion blog if the ransom goes unpaid.
Many of the steps the Snatch operators have been observed taking don't reveal a deep technical sophistication. They've exploited weaknesses in Remote Desktop Protocol instances, and they've also purchased stolen credentials in criminal forums. Once they've achieved access to a target, they seek to compromise an administrator account and then establish connections to a command and control server over port 443. The C2 servers are, unsurprisingly, generally located on a Russian bulletproof hosting service.
So, be on the lookout for Snatch. Take the usual precautions, particularly with respect to credentials.
A report has found that threat actors are moving away from using Microsoft Office files to deliver malware, likely due to Microsoft disabling VBA macros by default last year. Attackers are increasingly turning to malicious Windows image files, archive files, Windows shortcut files, OneNote files, restricted permission message files, and Windows script files.
The report also looks at developments in the phishing-as-a-service market. The company says, ZeroFox Intelligence notes a range of capabilities becoming increasingly prevalent in phishing-as-a-service offerings. These include kits that are able to account for regional differences with geo-blocking, prevent engagement from unwanted sources such as researchers, and leverage multiple detection evasion techniques. ZeroFox Intelligence has observed an increase in phishing-as-a-service packages leveraging domain generation algorithms, which generate random domains threat actors can pivot to during attacks, making it harder for victims to block and remove these domains.
What's driving cyber insurance claims these days? No surprise, it's ransomware.
Coalition has published a report looking at cyber trends in the first half of 2023, finding that there was a 12% increase in cyber claims over the first six months of the year, driven by the notable spikes in ransomware and funds transfer fraud. The researchers note, companies with over $100 million in revenue saw the largest increase in the number of claims, as well as more substantial losses from attacks, with a 72% increase in claims severity from the second half of 2022. The report adds that the average ransom demand in the first half of 2023 was $1.62 million, a 74% increase compared to 2022.
Another trend we're hearing about is the growing effect of ransomware on academic institutions. Researchers at Comparitech have determined that downtime caused by ransomware in the education sector has caused approximately $53 billion in losses since 2018.
Comparitech says, although ransom demands may be lower in the education sector, downtime is high. Causing downtime is one of the main priorities for cybercriminals when carrying out a ransomware attack. Schools can ill afford for systems to go down, as this often means lessons are disrupted or even cancelled as a result. As our findings suggest, downtime can extend for weeks and the effects felt for months after.
The researchers also note an increase in ransomware attacks against academic institutions, with 85 attacks targeting schools and universities in the first half of 2023 compared to 45 in the first half of 2022.
Turning to Russia's hybrid war and its international effects, we see that Moscow's hacktivist auxiliaries have been turning their attention to Canada. NoName057(16) has claimed responsibility for recent attacks against Canadian sites, notably airports, according to La Presse.
The Record summarizes some of the auxiliary's recent activity in Canada. Canada has been a prominent and vocal supporter of Ukraine throughout Russia's war. On September 15th, the Canadian Centre for Cyber Security issued an alert warning that Canadian organizations, particularly government agencies, were the targets of distributed denial-of-service attacks. The Centre offered a measured attribution of the activity to pro-Russian actors, saying, open-source reporting links some of this activity to Russian state-sponsored cyber threat actors whose tactics, techniques, and procedures have been extensively documented. In July 2022, the Cyber Centre assessed that Russian state-sponsored cyber threat actors would almost certainly continue to perform actions in support of the Russian military's strategic and tactical objectives in Ukraine. On February 24, 2023, the Cyber Centre reported on similar activity involving DDoS campaigns toward Ukraine-aligned nations.
The Register reports that the International Criminal Court, the ICC, is closely holding information about the recent cyberattack it sustained. Circumstantial evidence, mostly motive, opportunity, and a record of attempts to compromise the court, still points to Russia, but little more is known at this time. The New Voice of Ukraine argues that the ICC might well construe an attack on itself as a war crime. The essay cites a Foreign Policy Analytics report by leading prosecutor Karim Khan, who warned that such cyberattacks might be integrated into future war crimes investigations. Khan wrote, disinformation, destruction, the alteration of data, and the leaking of confidential information may obstruct the administration of justice at the ICC and, as such, constitute crimes within the ICC's jurisdiction that might be investigated or prosecuted.
Finally, MGM Resorts says that it's returned operations to normal after the ransomware that's troubled it for more than a week. At least, operations seem to be more or less normal from the customer's perspective. The casino operator posted a message on its site late yesterday stating, we are pleased that all of our hotels and casinos are operating normally. Our amazing employees are ready to help guests with any intermittent issues. We thank you for your patience and look forward to welcoming you soon.
So Danny Ocean and the boys are in custody, or at least they've been 86'd from the casino. And you can put on your evening wear and go back to pretending that you're in Monte Carlo in a James Bond movie.
Coming up after the break, our own Simone Petrella sits down with Chris Krebs at the mWISE conference.
In today's Threat Vector segment, David Moulton from Unit 42 takes a peek into the modern threat landscape with Wendi Whitmore, Senior Vice President of Unit 42.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home.
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
In today's sponsored Threat Vector segment, David Moulton from Palo Alto Networks' Unit 42 speaks with Wendi Whitmore, Senior Vice President at Unit 42. Here's their conversation.
AI is game-changing in terms of the impact it's going to have on attacks, and then in particular, attackers' ability to move faster.
Welcome to Threat Vector, a segment where Unit 42 shares unique threat intelligence insights, new threat actor TTPs, and real-world case studies. Unit 42 has a global team of threat intelligence experts, incident responders, and proactive security consultants dedicated to safeguarding our digital world. I'm your host, David Moulton, SVP of Unit 42.
Her career is full of highlights, including being an inaugural member of the first ever Cyber Safety Review Board launched by the United States Department of Homeland Security. She serves on the Industry Advisory Board for Duke University's Master of Engineering in Cybersecurity and as a member of the World Economic Forum's Global Future Council on Cybersecurity. At Unit 42, we're thrilled to have Wendi leading our team, and today she's here to share her thoughts on the current threat landscape. Let's get right into it.
Wendi, give us some insight into the current state of the threat landscape.
Hey, David, thanks for having me today. So I think what's going on is that attacks are happening at a scale, a sophistication, and a speed that we really haven't seen before altogether. And the reality is that makes the work we do even more valuable than it's been before.
So when we talk about scale, the reality is that businesses rely on more applications and third-party software than they ever have before. And vulnerabilities in that same software are increasing in scope to a massive degree. That's resulting in organizations being compromised, oftentimes within hours of the public disclosure of a vulnerability. One of the most recent examples is the MOVEit case where the Cl0p ransomware group exploited over 600 organizations starting in May of 2023. And this number continues to grow.
When we look at sophistication, though, and you couple this in particular with scale, you're seeing that nation-state actors in particular, groups like Russian APT Cloaked Ursa, who's famous for the SolarWinds attack, we're seeing them really demonstrate in-depth knowledge of business processes. And especially today, if you move into the cybercriminal landscape, what's in the news right now with Muddled Libra or Scattered Spider, you see those organizations really have a strong understanding of business processes and how IT departments work in particular. And then lastly, what they're doing is leveraging so many apps, trusted applications like Office 365, Google Drive, for example, Dropbox that we use and really trust and then using those to get information out of the environment.
Lastly, when we talk about speed, as if the sophistication and scale weren't enough, the reality is it used to take these attackers days, weeks, and even months in some cases to carry out an attack. And today, we're seeing them do that same attack in a span of hours. I think the biggest concern there is that the attackers are operating by and large faster than organizations are able to respond. Especially when we look at the mean time to respond being six days, which it is today, it's absolutely critical that the mean time to respond decreases and becomes faster than the time it actually takes for the attacker to carry out that same attack.
Wendi, how is AI coming into play here?
So AI, in particular generative AI, is really increasing the speed with which attackers are able to operate. So if you think about the work that they do today, there's the human component of it with social engineering, and generative AI in particular enables them to move faster, reduces language barriers, and increases the effectiveness of social engineering tactics used by these same threat actors. And then when we look at new tools coming into play like WormGPT and FraudGPT, we're going to see that enabling them to be able to move more effectively going forward.
What do businesses need to consider when looking to protect themselves against quicker, more creative, and large-scale threat actors?
First and foremost, speed. So what I mean by that is businesses need to be able to respond at machine speed or the speed of the attack, right? So they need to be able to implement detections at the speed of the attacker, and they're going to have to leverage technology to do that. The second challenge I see relates to integration. So there's too many tools today that organizations are using that require manual integration. They're different screens and different panes of glass. And having a platform approach to detection really helps organizations prevent, so one can detect, prevent, and respond at every stage of the attack, which includes network, endpoint, and cloud. And then lastly, we really need these operationalized capabilities and processes. So we can't stop at just having speed to detect and then integration of tooling, but it really has to be operationalized with strong repeatable processes in order for it to be consistently effective, but also continually matured within an organization.
Wendi, thanks for joining me on Threat Vector today. It's great to hear directly from you.
For our listeners that want to learn more about the threat actor groups, Muddled Libra or Cloaked Ursa that Wendi mentioned today, or to go deeper on many more threat actors, visit the Unit 42 Threat Research Center. And if you think that you may be under attack, contact the experts at Unit 42 to help assess your risk and exposure. We'll be back on the CyberWire Daily in two weeks. Until then, stay secure, stay vigilant. Goodbye for now.
Chris Krebs is well-known and respected in the cybersecurity world as former director of the Cybersecurity and Infrastructure Security Agency, now a partner at the Krebs Stamos Group, and an advisor to SentinelOne. My N2K colleague, Simone Petrella, sat down with Chris Krebs at the mWISE conference in Washington, D.C., hosted by Mandiant and Google Cloud. Here's their conversation.
So I know one thing that has been on kind of all of your talking points is how technological
systems have really become part of enterprise risk management writ large. And then in addition,
business strategy. So I guess maybe to kick it off,
what are some of the things that you think security executives
and the teams in particular need to do
to navigate between this kind of inevitable inseparation
between technology systems, security risk,
and business objectives?
Yeah, so there are two immediate thoughts.
One is that we really need security teams and
security program leads to make sure that they're thinking strategically and not get trapped in the
day-to-day shiny object procurement cycles. Really start thinking about the broader risk to the
enterprise rather than, again, diving down into a single capability. And part of that is starting,
as I see it, with a real full analysis and understanding of what your threat model looks like.
You know, we do see a lot of organizations that get wrapped around the axle on ransomware,
which is important, and it's also probably the single greatest threat to any organization.
But at the same time, there's an increasing number of organizations that kind of fit into an adversary's playbook.
And what we're seeing lately is much more aggressive behavior by particularly the Chinese
Ministry of State Security and the PLA, as evidenced by the Volt Typhoon and Crimson
Typhoon activity that was reported earlier this summer out of Microsoft, that shows that they're
preparing for conflict. And in doing so, they would try to win the fight before the fight's
actually begun. And part of that is going after U.S. critical infrastructure and our ability to
support the military as well as just general civil society. So, you know, I do think it's
critically important that organizations take a step back and say, how would I fit into an adversary's game plan?
And what do I need to do to step up from a security perspective?
But also, you know, how do I need to work better with government and make sure I understand the threats coming my way?
That's great, right?
That's exactly where you need to start.
How you get that done is actually quite complicated, though. You start with a threat model, you run a gap
analysis against your current security program, and then you pull together the roadmap on how you
do that. A CISO or a security team lead in their own positions will not be able to get that done
in any sort of realistic timeframe or practically execute. It really does require high-level
executive engagement to ensure that
you're pulling together a team that can communicate the risks to the business. And it's going to take
a collective approach here to make sure you're working across industry. ISACs are great tools
to make sure that you kind of know what else is happening in the sector across the industry. And
then, of course, keep working with government, whether it's CISA or the intelligence community and the FBI or foreign partners that play a similar role.
So switching gears on you here a little bit, but since you left CISA,
the agency has been pretty much on the lead or pegged as the U.S. government's efforts
to help attract, retain, and bring in additional cybersecurity talent.
And I'm curious, even from your time and what you're seeing now,
what are some of the skill sets that the agencies you've worked with need the most
when we think about kind of cybersecurity profession?
Yeah, I think one of the real turning points over the last several years,
particularly at CISA, is the ability as a—
actually, it's not too different from the private sector, right?
It's the ability to communicate risk in a way that makes business sense. How do you talk to
not just the defenders that understand how to, they know what a YARA rule is,
how do you talk to their executives that set their budget, that give them, that have the governance
and policy responsibilities? And that's one of the big things that we really try to emphasize in my time. And I see Jen
continuing to do working at the senior levels to help them understand, hey, the best example that
I have here is in 2020, at the very end, January 2nd, when the U.S. government took out General
Soleimani with the IRGC, we were able to immediately get not
just some tactical information out to defenders on here, the common TTPs for Iranian threat actors
and their proxies, but also flip it into an executive version that said, here's why this
matters to you in the private sector and the things they've done in the past going after banks and other critical infrastructure when they're agitated and how they've hit regionally
as well as they've hit. So trying to put into context why events matter to executives, not just
at the technical security level, but also at the business risk level. That's the sort of thing,
again, we need more people that understand how to communicate in business terms. I also think,
you know, the thing that I've been really kind of heartened by
is the continued emphasis on building out
this is a field force.
Jen Easterly a couple,
it was a month or so ago,
announced that they're going to be election
state coordinators out.
And I understand they're in the process
of hiring and interviewing for this.
I think that's fantastic
to have dedicated election support teams
out in the regions as well as the continued cybersecurity advisor
so that you can get that last mile engagement,
that last mile tailoring of engagement.
Because otherwise, if you're pushing this out of D.C.,
it's just not going to land.
It's not going to resonate uniformly.
I know one of the things we talk about is this idea that, you know,
we in the cybersecurity community have spent so much of our time
kind of focused on like finding those unicorns
or finding someone who has all that experience
and then can all of a sudden communicate it.
And it's partly because we focus on the individual
and try and hire those superstars right off the gate.
But in reality, a lot of times they just don't exist until we grow them.
So, you know, should we shift our attention from finding those diamonds in the rough
and grow that workforce more than we have necessarily in the past?
Well, I think some of the programs that have been put into place for hiring over the last year,
including the Cyber Talent Management System,
is going to give a bigger kind of top of the funnel for recruiting to bring in more technical people that don't stick to the
traditional GS scale that really is more of an administrative management approach. And, you know,
you don't really know how within the GS scale, how to hire and retain someone that may have been,
you know, hacking boxes since they were, you know, 10, 11, 12,
and now they just finished either a two-year school
or maybe didn't even go to college.
And it really does prioritize the GS scale, you know, for your degrees.
And that may not always be relevant.
And so CTMS should give an advantage.
But, you know, there are still challenges in hiring the government.
It takes too long. It's far too bureaucratic. You have security clearance challenges at times as
well. So, you know, we need to continue looking to make sure that we're not over-classifying and
over-speccing positions. And, you know, within my role at the Aspen Institute in the cyber working
group there, we have done some work on hiring recommendations, including making sure you're not over-speccing
and things like that.
Yeah.
Well, my last question is probably
the most important question slash statement,
which is I have been told that you are known for your socks.
Oh.
And I wanted to, even though I can't see them,
I wanted to share with everyone your socks.
Oysters.
Oysters.
All right.
Just in time for fall.
Yes.
No.
I kind of got away from socks for a little bit.
And then it mainly just would not wear them during the summer.
We're just coming back into it.
Right. There we go.
Awesome. Well, Chris, thank you so much for taking the time with us this morning.
Really appreciate it.
Yep. Thanks. Have a great day.
That's Chris Krebs speaking with my N2K colleague, Simone Petrella.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly
and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your
company safe and compliant. This episode is brought to you by RBC Student Banking.
Here's an RBC student offer that turns a feel-good moment into a feel-great moment.
Students, get $100 when you open a no-monthly fee RBC Advantage Banking account
and we'll give another $100 to a charity of your choice.
This great perk and more only at RBC.
Visit rbc.com slash get 100, give 100.
Conditions apply.
Ends January 31st, 2025.
Complete offer eligibility criteria by March 31st, 2025.
Choose one of five eligible charities.
Up to $500,000 in total contributions.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights
that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like The Cyber Wire
are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people.
We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Irvin and senior producer Jennifer Eiben.
Our mixer is Tré Hester with original music by Elliott Peltzman.
The show was written by our editorial staff.
Our executive editor is Peter Kilpe and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Thank you. AI, and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.