CyberWire Daily - From breach to battle: The escalating threat of Midnight Blizzard.
Episode Date: March 8, 2024
Russian hackers persist against Microsoft’s internal systems. Change Healthcare systems are slowly coming back online. Russian propaganda sites masquerade as local news. Swiss government info is leaked on the darknet. Krebs on Security turns the tables on the Radaris online data broker. The NSA highlights the fundamentals of Zero Trust. The British Library publishes lessons learned from their ransomware attack. Researchers run a global prompt hacking competition. Check Point looks at Magnet Goblin. Experts highlight the need for psychological safety in cyber security. Our guest is Dinah Davis, Founder and Editor-In-Chief of Code Like A Girl, sharing the work they do to inspire young women to consider a career in technology. And the I-Soon leak reveals the seedy underbelly of Chinese cyber operations.
Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
Guest is Dinah Davis, Founder and Editor-In-Chief of Code Like A Girl, sharing the work they do to inspire young women to consider a career in technology.
Selected Reading
Microsoft says Russian-state sponsored hackers have been able to access internal systems (Reuters)
Change Healthcare brings some systems back online after cyberattack (The Record)
Spate of Mock News Sites With Russian Ties Pop Up in U.S. (The New York Times)
Play ransomware attack on Xplain exposed 65,000 files containing data relevant to the Swiss Federal Administration (Security Affairs)
A Close Up Look at the Consumer Data Broker Radaris (KrebsOnSecurity)
NSA Details Seven Pillars Of Zero Trust (GB Hackers)
Learning Lessons From the Cyber-Attack: British Library cyber incident review (British Library)
A Taxonomy of Prompt Injection Attacks (Schneier on Security)
https://arxiv.org/pdf/2311.16119.pdf (Research)
Magnet Goblin Targets Publicly Facing Servers Using 1-Day Vulnerabilities (Check Point Research)
Why 'psychological safety' is so important for building a robust security culture (ITPro)
Inside Chinese hacking company’s culture of influence, alcohol and sex (C4ISRNET)
International Women's Day (International Women’s Day)
Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.
Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Russian hackers persist against Microsoft's internal systems.
Change healthcare systems are slowly coming back online.
Russian propaganda sites masquerade as local news.
Swiss government info is leaked on the darknet.
Krebs on Security turns the tables on the Radaris online data broker.
The NSA highlights the fundamentals of zero trust.
The British Library publishes lessons learned from their ransomware attack.
Researchers run a global prompt hacking competition.
Check Point looks at Magnet Goblin.
Experts highlight the need for psychological safety in cybersecurity.
Our guest is Dinah Davis, founder and editor-in-chief of Code Like a Girl, sharing the work they do to inspire young women to consider a career in technology.
And the iSoon leak reveals the seedy underbelly of Chinese cyber operations.
It's Friday, March 8, 2024, International Women's Day.
I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Thank you for joining us here today.
It is great to have you with us.
Russian state-sponsored hackers known as Midnight Blizzard or Nobelium
have again targeted Microsoft,
leveraging data from a January breach of the company's corporate emails.
In that initial attack, the group accessed and stole staff emails and documents.
Recently, Microsoft detected attempts by Midnight Blizzard
to use this stolen information to access its source code repositories and internal systems.
The tech giant noted an escalation in the hackers' tactics, including a significant increase in password spray attacks.
Despite the concerning activity, Microsoft assures there's no evidence of compromise to its customer-facing systems.
The company has been contacting customers potentially affected by the initial data theft
to help implement protective measures. This ongoing cyber conflict has slightly affected
Microsoft's stock value, and there's been no response from the Russian embassy regarding
these incidents. Change Healthcare, part of UnitedHealth Group,
is gradually restoring its systems after the late February cyberattack
that severely impacted its operations,
disrupting the U.S. health system's claims and payment infrastructure.
As of Friday, electronic prescribing services for pharmacies are fully functional,
with the broader payments platform expected to be operational by March 15.
The company is working to re-establish connectivity for its medical claims technology,
with testing set to begin in the week of March 18.
UnitedHealth says they are committed to mitigating the attack's effects on consumers and care providers,
offering funding support to those affected.
The attack, attributed to the ALPHV or BlackCat ransomware group,
has led to significant cash flow issues among large health care providers.
UnitedHealthcare has not disclosed whether a ransom was paid,
but that comes amidst reports of a $22 million payment
and ongoing scams within the ransomware group.
The New York Times chronicles a series of fake news websites with names like DC Weekly, New York News Daily,
Chicago Chronicle, and Miami Chronicle, which are falsely presenting themselves as local news outlets.
They are, in fact, Russian creations aimed at disseminating Kremlin propaganda,
interlacing legitimate news with fabricated stories to influence public discourse in the U.S.
This strategy reflects Russia's longstanding efforts to manipulate American opinions,
especially as the presidential election approaches.
Researchers from Clemson University's Media Forensics Hub have identified these sites as part of a larger network potentially set up for disinformation campaigns.
Despite appearing genuine at first glance, these websites often contain inaccuracies
and sometimes blatant falsehoods.
The discovery underscores the
sophisticated and targeted nature of modern disinformation efforts, posing a significant
threat to electoral integrity and public trust. The UK's National Cyber Security Centre reported
a significant data breach at the IT firm Xplain, attributed to the Play ransomware gang, on May 23rd of last year.
Xplain serves key Swiss government departments, including the Army and Police. The breach exposed
sensitive and classified information, including data from the Federal Office of Police and the
Federal Office for Customs and Border Security, and the information was subsequently published on the darknet.
Analysis revealed 1.3 million files were leaked,
65,000 deemed relevant to the federal administration,
with the majority relating to the Federal Department of Justice and Police.
Personal data, technical documents, classified information,
and readable passwords were among the compromised
data. The Swiss government has initiated an administrative investigation into the breach,
emphasizing the importance of collaborative efforts in managing cybersecurity incidents.
Krebs on Security takes a closer look at Radaris, a data broker that specializes in selling detailed information on individuals, including addresses, phone numbers, and relatives.
Despite its significant online presence, it faces criticism for not allowing easy removal of personal information, resulting in an F rating from the Better Business Bureau.
The co-founders have diverse business interests,
including Russian-language dating services and ties to a California marketing firm
working with a sanctioned Russian media conglomerate.
Radaris' practices have drawn legal attention, including a class-action lawsuit for violating the Fair Credit Reporting Act
and a recent lawsuit for misusing names for commercial purposes in Illinois.
Despite regulatory efforts, the broad legal exemptions for public records
may limit significant changes to Radaris and similar people search companies' operations.
The National Security Agency issued
a cybersecurity information sheet
that outlines the fundamental elements of zero trust,
with the goal of limiting adversary lateral movement within an organization's network to access sensitive data and vital systems.
Sam Meisenberg is the host of N2K CyberWire's Learning Layer, and I asked him to explain the details of the NSA's report
and why it matters.
So the most interesting thing about the NSA's take on zero trust is really the context or
where they start.
So what's interesting is they explain that zero trust is basically a defense against
lateral movement.
So they are assuming that this is post-breach
or they're assuming that breaches
sort of occur inside the network.
So that's a pretty interesting,
unique perspective and take to have.
It's the concept of some people call,
you know, no more squishy insides.
It's like a hard candy.
We don't want things to be hard on the outside
but soft and squishy on the middle.
We want to assume that the worst has happened.
So the NSA with their zero trust pillars
are sort of helping you get into that mindset.
And the meat of the actual documentation
comes from their seven different pillars.
So I will just quickly sort of give you a brief summary of what those seven pillars are. So they explain, you have to think about one,
the user. So this is like, okay, things that we normally think about, authentication and access.
Two, the device. So basically understanding the health and status of all the different
connected devices.
Three is application and workload.
Is it really a third pillar when there's multiple words?
I don't know.
But basically what they're trying to say is that you have to secure your cloud-based environments as well.
Fourth is data.
So you want data transparency and data encryption and a good inventory through data tagging.
Five is network and environment.
So this is the things that we think about traditionally when we think about zero trust, things like network segmentation.
Six is automation and orchestration.
So this is an interesting one because they explicitly mention AI.
This is trying to automate our security defenses using AI.
And then their seventh and final pillar
is visibility and analytics.
Again, in the same theme,
they mentioned AI and machine learning explicitly,
just trying to build models
that help security teams automate some of these defenses.
As I was going through the seven pillars,
you're probably wondering, why does this matter?
Like, why should I care about this?
Well, if you zoom out, I think the significance of this
is that the NSA is sort of acknowledging the reality
of cyber attack and defenses in the modern day,
meaning they are acknowledging that breaches might happen.
And it's not about blocking every single breach.
It's about being prepared when there is a breach
and how you limit the damage.
That's my N2K CyberWire colleague Sam Meisenberg, host of The Learning Layer.
The British Library has published a detailed report documenting their response to a ransomware cyber attack in October of 2023 by the Rhysida gang.
The report outlines the attack's impact, response, recovery efforts, and lessons learned.
It highlights the exfiltration of 600 gigabytes of data,
including personal information, and the destruction of server infrastructure,
severely affecting the library's operations and services.
The report outlines the transition from crisis response to recovery with a program they call
Rebuild and Renew, aiming for a more secure, resilient, and innovative library.
Key lessons emphasize the importance of network monitoring, external security expertise,
multi-factor authentication,
intrusion response, network segmentation, business continuity, cyber risk awareness,
and the management of legacy technology. Researchers from a number of universities
and research organizations organized a prompt hacking competition where the goal was to exploit vulnerabilities in AI models
to achieve specific outcomes. Participants engaged in creative prompt engineering,
employing various techniques to manipulate the AI's responses. The winning team's approach
combined manual prompt engineering with keen observations of the model's behavior in response to specific keywords and adversarial inputs.
For advanced levels, participants explored the use of different languages, special characters,
and formatting to bypass model restrictions or exploit its processing behavior.
This included strategic use of Unicode representations and changing input languages to influence the model's output.
The competition revealed the creativity and ingenuity required to manipulate AI models
effectively. Teams used a mix of manual experimentation, observation, and even
automated tools to refine their prompts and achieve the desired outcomes. The challenge
of prompt hacking showcased the potential
for both exploiting and understanding AI model vulnerabilities,
emphasizing the importance of robust model design
and the need for ongoing research into AI security
and prompt engineering techniques.
Researchers at Check Point described the activities of Magnet Goblin,
a financially motivated threat actor
exploiting one-day vulnerabilities in systems like Ivanti Connect Secure VPN, Magento,
Qlik Sense, and possibly Apache ActiveMQ. Magnet Goblin employs custom malware,
including a Linux variant of Nerbian RAT and MiniNerbian. The report also covers Magnet Goblin's use of
compromised Magento servers in its campaigns and the deployment of MiniNerbian to establish
footholds. The infrastructure analysis reveals the utilization of multiple tools and suggests
potential links to other campaigns and malware, including Cactus ransomware. The report concludes by emphasizing the challenge of distinguishing unique actors
amidst widespread exploitation and underscores the strategic leveraging of vulnerabilities
by actors like Magnet Goblin.
Creating a culture of psychological safety is essential for enhancing cyber resilience, according to security experts participating in a fireside chat at the Ignite on Tour conference in London. Palo Alto Networks' CTO, Haider Pasha, highlighted the importance of fostering open communication across teams to address breaches or vulnerabilities efficiently.
Pasha noted the shift towards making cybersecurity
a collective responsibility within organizations,
a change driven by the recent prioritization of security
due to digitalization's risks.
Dr. Hai stressed the necessity of a culture
where staff can report incidents without fear of blame, underscoring the importance of leadership
in nurturing an environment where raising concerns is encouraged. This approach is vital as cyber
attacks become quicker and costlier, with potential legal repercussions for CISOs.
The discussion also covered the dire consequences of security incidents in critical infrastructure,
emphasizing the need for trust and accountability to improve a company's security stance.
Coming up after the break, my conversation with Dinah Davis,
founder and editor-in-chief of Code Like a Girl.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings
automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI. Now that's a new way
to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber
for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to
bypass your company's defenses is by targeting your executives and their families at home.
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
It is my pleasure to welcome back to the show, Dinah Davis.
She is the founder of Code Like a Girl and also a former technology executive.
Dinah, it's great to have you back.
Yeah, I'm pretty excited. It's been a while, so it's pretty fun to be here.
It's been too long, and I appreciate that.
I wanted to kind of swing back all the way around to the beginning with you,
which is, I believe, one of the first conversations you and I ever had here
a few years ago on the Cyber Wire was about Code Like a Girl and your efforts there.
And I would love to reintroduce the organization to our audience.
Surely, we've got folks who are listening now who weren't listening then.
Yeah, I mean, I think that was like at least six years ago.
Yeah.
Yeah, it was a while.
So let's pretend like we're part of the Marvel Universe here and give me your origin story.
The origin story. Okay, I will do that. Yeah, so I spent a lot of my career in tech. And about halfway through my career around year eight or nine,
I went to a new company. And previous to that, I was like, heads down. I don't want to make any
noise. Don't call me a feminist. I'm just going to do my work. And I just want to be one of the guys
as a software developer. And even though I went in with that attitude at this place,
I had a misogynistic bully for a boss that was just horrible to me, just horrible.
And it was a terrible experience.
And I realized that if other companies or other jobs didn't like it, if I talked about what it was like to be a
woman in tech, then I didn't want to work for them. And so I started blogging about my experiences
on Medium. That was probably around 2012. And after a few years and moving to a better place
and getting involved in a lot of other women in tech initiatives,
I was trying to find better places to publish my stories
because I wanted to change perceptions of women in technology,
so I wanted it to have more voice and a wider set.
So I was looking for publications in Medium
that would allow me to publish with them.
And there really wasn't any. And the one that there was, was very picky about what they wanted.
And I thought to myself, this is early 2016. I thought, like, how hard is it to start a publication?
And like, it turns out it's like three clicks. That's really all you have to do. And then now you've taken
yourself on a journey that you didn't know you were going to have. So that's what I did because
I thought, what's more powerful than my voice? But hundreds of voices at that time. And I would
say at this point, thousands of voices. We have so many writers now. And the interesting thing is when I started that, our stories were really about
being a woman in tech, right? And we grew that publication and everything. And, you know,
in the early days, I would scour Medium for technical articles written by women. Because
part of changing those perceptions isn't just about talking about it. It's about showcasing their technical abilities. And that was really hard
to find. And now, eight years later, I would say half of our content is technical articles
written by women. It's just blowing my mind. So a year ago, almost exactly a year ago, actually,
I left Arctic Wolf. I retired from my executive cybersecurity career. And I've been really focused
on mentoring and Code Like a Girl. And it's been really exciting over the last year to see the
different types of stories that we're getting, to see these technical stories.
We got recognized by Medium and introduced to their booster program, which is just fantastic.
It allows me to choose up to 20 stories a month to suggest to them that they should maybe share those a little bit more widely with their following.
And that's been helping us a lot.
But yeah, I thought I would get a little bit back into it after I left Arctic Wolf,
and now I'm probably spending four to five hours a day on it.
Well, so in the decade plus that you've been at this, what is changed when it comes to the newbies that are coming to you for help?
I mean, to what degree, if at all, is it a different story, a different environment
that someone just starting out has to contend with? Yeah, I would say that at the more junior levels, we are seeing far, far, far more women, right?
Concerted efforts went in 10 years ago or so to universities to start recruiting and graduating more women.
And we're definitely seeing that.
We're still not seeing a lot of women in more senior positions, whether they're individual contributor or leadership.
And I think a good portion of people will still be one of the only women on the team, but less so than it used to be.
So for software development, I would say it's more common to have a couple women on your team now, which is a great change.
You know, long way to go, but a great
change. In cybersecurity, I would say that's not there yet, even at those entry levels that, you
know, you may be an only, the only woman or, you know, only non-binary person or only transgendered,
only racial minority. I think in cybersecurity, we have a lot farther to go,
where I think they're just behind the curve of what has been happening in tech, right?
And a lot of the layoffs that we've been seeing over the last year and a half are disproportionately hitting women because, you know, they, if we're
talking about all those new, new women that graduated from universities and colleges, you
know, they're now less senior tenure, right? So all this diversity hiring that has been happening,
then, you know, when you do layoffs, you let go usually the latest last in, first out kind of
situation. So a lot of that diversity hiring is getting undone with the layoffs. So that's
something to think about when people and companies are doing these layoffs is like,
am I disproportionately hitting my diversity numbers?
Because we know that diversity increases innovation and the bottom line, really.
So it's something we should be cognizant about.
Do you have any sense for what sort of activities or things to be deliberate about? I'm either a young woman coming into the industry or perhaps someone who's changing careers. What do they get the most bang for
their buck out of for being able to join this industry? So I think one of the easier,
not necessarily easier, but if you're choosing between, let's say, software development or security, I think it's easier to get into security.
I think there are more well-respected, you know, one-year master style programs that you can do that will then get you into your entry-level cybersecurity role.
I've seen people come from so many different
backgrounds. My barista once became a cybersecurity expert working for Arctic Wolf, a chemist.
And I think entry-level cybersecurity roles, you can come from so many different backgrounds,
and it needs a little less time to get to that entry
level role rather than software development takes a little bit longer. For me, there's many well-run
programs. Rogers Cybersecure in Canada is a fantastic one. Obviously, SANS courses, any of
that kind of stuff is a really great way. And I think, you know, many people can transition within a year.
The amazing thing I've seen too
is when people have transitioned,
how quickly they can move up
the promotion ladder at companies
because we're just so starved
for cybersecurity professionals.
Yeah.
For folks who want to find out more
about Code Like a Girl,
what's the best way to get in touch?
CodeLikeAGirl.io.
Just check it out.
We're on LinkedIn, and we're also on Facebook and Instagram,
but you can go just directly to our site, and that will be great.
All right.
Dinah Davis is the founder of Code Like a Girl.
Dinah, thank you so much for joining us.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses
worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization
runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
Whether you own a bustling hair salon,
a painting company that just landed a big job.
Or the hottest new bakery in town.
You need business insurance that can keep up with your evolving needs.
With flexible coverage options from TD Insurance, you only pay for what you need.
Get a quote in minutes from TD Insurance today.
TD. Ready for you.
And finally, the recent leak of documents from iSoon, a private contractor with ties to China's government, has exposed the underbelly of the country's hacking industry, revealing a world where sex, alcohol, and lavish dinners
are tools of the trade to curry favor with government officials.
Executives at iSoon were seen arranging opulent banquets and karaoke sessions with women
as part of their strategy to secure lucrative contracts,
showcasing a blatant mix of business and pleasure
aimed at winning over clients and officials.
The documents also reveal instances of paying substantial introduction fees
to intermediaries who could connect them with high-value projects,
emphasizing the lengths to which these companies will go
to maintain and expand their influence.
Behind the facade of slick marketing and professed patriotism,
the reality of the hacking industry in China
is one of competitive maneuvering and questionable ethics.
The leaked chats detail late-night binge drinking and gift exchanges
designed to solidify relationships with both officials and competitors,
highlighting the importance of personal connections
over professional merit. The leak not only casts a shadow over the Chinese hacking industry's
practices, but also exposes the complex relationship between private contractors like
iSoon and the Chinese state. Despite their reliance on each other, the industry's reliance
on unsavory methods to secure contracts
and intelligence paints a troubling picture of the lengths to which these entities will go to
advance their interest. So, winning those lucrative contracts with the Chinese government
might require sophisticated algorithms and stealthy cyber attacks,
but at the end of the day, liquor is quicker. And that's the Cyber Wire. For links
to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check
out this weekend's Research Saturday and my conversation with Jamie MacColl and Dr. Pia
Hüsch from the Royal United Services Institute.
We're discussing their work, Ransomware: Victim Insights on Harms to Individuals, Organisations and Society.
That's Research Saturday. Check it out.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
N2K Strategic Workforce Intelligence optimizes the value of your biggest
investment, your people. We make you smarter about your team while making your team smarter.
Learn more at n2k.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester with
original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Thank you.
also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo,
you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents
connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act
with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.