CyberWire Daily - From dispossessor to disposed.
Episode Date: August 13, 2024

The FBI is the repossessor of Dispossessor. The NCA collars and extradites a notorious cybercriminal. A German company loses sixty million dollars to business email compromise. DeathGrip is a new Ransomware-as-a-Service (RaaS) platform. Russia blocks access to Signal. NIST publishes post-quantum cryptography standards. DARPA awards $14 million to teams competing in the AI Cyber Challenge. On our Solution Spotlight, N2K President Simone Petrella talks with Lee Parrish, CISO of Newell Brands, about his book "The Shortest Hour: An Applied Approach to Boardroom Governance of Cyber Security". AI generates impossible code - for knitters and crocheters.

Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
On our Solution Spotlight, N2K President Simone Petrella talks with Lee Parrish, CISO of Newell Brands, about his book "The Shortest Hour: An Applied Approach to Boardroom Governance of Cyber Security" and security relationship management. Coming tomorrow, stay tuned for a special edition with Simone and Lee's full conversation.
Selected Reading
FBI strikes down rumored LockBit reboot (CSO Online)
Suspected head of prolific cybercrime groups arrested and extradited (National Crime Agency)
Orion SA says scammers conned company out of $60 million (The Register)
DeathGrip Ransomware Expanding Services Using RaaS Service (GB Hackers)
Swiss manufacturer investigating ransomware attack that shut down IT network (The Record)
Russia Blocks Signal Messaging App as Authorities Tighten Control Over Information (SecurityWeek)
Post-Quantum Cryptography Standards Officially Announced by NIST – a History and Explanation (SecurityWeek)
Need to know: NIST finalizes post-quantum encryption standards essential for cybersecurity (N2K CyberWire)
NIST Releases First 3 Finalized Post-Quantum Encryption Standards (NIST)
DARPA Awards $14m to Seven Teams in AI Cyber Challenge (Infosecurity Magazine)
The AI scams infiltrating the knitting and crochet world - and why it matters for everyone (ZDNET)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The FBI is the repossessor of dispossessor.
The NCA collars and extradites a notorious cybercriminal.
A German company loses $60 million to business email compromise.
Deathgrip is a new ransomware-as-a-service platform.
Russia blocks access to Signal.
NIST publishes post-quantum cryptography standards.
DARPA awards $14 million to teams competing in the AI Cyber Challenge.
On our Solution Spotlight, N2K President Simone Petrella talks with Lee Parrish,
CISO of Newell Brands, about his book, The Shortest Hour, an applied approach to boardroom
governance of cybersecurity. And AI generates impossible code for knitters and crocheters.
It's Tuesday, August 13th, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Thank you once again for joining us. It is great to have you with us.
In a major international crackdown, the FBI and partners have dismantled the criminal ransomware group Dispossessor,
suspected to be a rebranded version of LockBit.
The operation, involving the FBI, UK's National Crime Agency, and German authorities,
led to the seizure of over 30 servers and domains across the US, UK, and Germany.
Dispossessor, which emerged in August 2023,
quickly gained notoriety for its ransomware-as-a-service model, allowing affiliates to launch attacks globally. The group was linked
to attacks on 43 companies in various countries. Speculation surrounds Dispossessor's connection
to LockBit, with evidence suggesting a possible rebranding effort. SOCRadar noted that
Dispossessor's website closely resembled LockBit's, reinforcing these suspicions.
The takedown is a significant blow to the group, but with its decentralized structure,
law enforcement may still face challenges in fully eradicating their operations.
The investigation continues as authorities scrutinize the seized
servers. In another coordinated international operation, the National Crime Agency has
arrested and extradited Maxim Silnikov, a prominent Russian-speaking cybercriminal
linked to the notorious cybercrime network that borrowed the name J.P. Morgan for its branding.
Silnikov, operating under various aliases, was apprehended in Spain and extradited to the U.S.
to face charges. His network, active since 2011, pioneered ransomware-as-a-service and exploit kits,
including the infamous Reveton and Angler exploit kit, which extorted millions from victims
worldwide. The NCA, working with global partners, traced and dismantled this group's activities,
leading to significant disruptions in their operations. Their malvertising campaigns affect
over half a billion victims globally. The investigation continues as authorities review evidence and
pursue additional suspects connected to this cybercrime ring. Luxembourg-based chemicals and
manufacturing giant Orion SA disclosed a $60 million loss due to a criminal wire fraud scheme,
likely a business email compromise attack. The fraud involved a company
employee being tricked into authorizing multiple fraudulent wire transfers to unknown accounts.
Despite the significant financial hit, Orion's operations and data remain unaffected,
with no system breaches reported. The company has informed law enforcement and is exploring all options, including insurance,
to recover the funds. Orion's overall financial outlook remains strong despite the incident.
Meanwhile, Swiss manufacturing giant Schlatter Group is investigating a ransomware attack that
disrupted its IT network and led to a blackmail attempt. The company, specializing in plant engineering and welding,
detected the attack on Friday,
initiating security measures and involving law enforcement.
Currently, Schlatter has no access to its email system
and is assessing potential data theft.
While no ransomware group has claimed responsibility,
Schlatter's ICT experts are working to restore systems.
The company reported nearly $150 million in sales last year.
A new ransomware-as-a-service platform, DeathGrip, has emerged, making sophisticated ransomware
tools accessible to cybercriminals with limited technical expertise. Promoted on Telegram and underground forums,
DeathGrip offers advanced tools like LockBit 3.0 and Chaos builders,
derived from leaked ransomware builders
enabling users to launch effective ransomware attacks with ease.
This platform underscores the increasing accessibility of cybercrime tools,
raising the threat level for businesses and individuals worldwide.
Real-world incidents involving DeathGrip have already surfaced,
demonstrating its potential to cause significant harm.
The proliferation of such ransomware-as-a-service platforms
highlights the urgent need for enhanced cybersecurity measures,
including robust security protocols, regular
updates, and employee training. Collaborative efforts among governments, private sectors,
and cybersecurity experts are crucial in combating this evolving threat
and safeguarding sensitive data from ransomware attacks.
Russia's state communications watchdog, Roskomnadzor, has blocked access to the Signal messaging app,
citing violations of Russian legislation aimed at preventing its use for terrorist purposes.
This move is part of a broader crackdown on dissent and media freedom following Russia's invasion of Ukraine.
The government has previously blocked independent media, X (formerly Twitter), Facebook,
and Instagram. Additionally, YouTube has faced mass outages, which experts believe may be part
of the Kremlin's efforts to limit access to opposition views. NIST has officially published
three post-quantum cryptography standards, Kyber, Dilithium, and SPHINCS+, with a fourth,
Falcon, chosen for future standardization. These standards aim to protect against quantum
computing threats, which could potentially decrypt current asymmetric encryption methods.
IBM played a significant role in developing these algorithms and worked with NIST in establishing the PQC
framework. While quantum computers pose the most immediate threat, other emerging technologies like
AI and optical computing could also challenge current encryption. The new PQC standards,
combined with crypto agility, allowing rapid adaptation to new algorithms, offer a stronger, though not absolute, defense against future decryption threats,
ensuring data remains adequately secure for the foreseeable future.
DARPA has awarded $14 million to seven teams competing in the AI Cyber Challenge,
a competition aimed at developing AI systems that can identify and
patch vulnerabilities in open-source software. The semi-finalist teams receive $2 million each
and will advance to the final competition in August 2025. The AI Cyber Challenge,
run in collaboration with the Advanced Research Projects Agency for Health,
challenges participants to create cyber reasoning systems capable of automatically finding and fixing vulnerabilities in critical software
like the Linux kernel and Jenkins.
The competition highlights the potential of AI to secure critical infrastructure
and may lead to commercializing and open sourcing these technologies
to enhance
cybersecurity across various sectors.
Coming up after the break, N2K President Simone Petrella speaks with Lee Parrish, CISO of
Newell Brands, about his book, The Shortest Hour, an applied approach to boardroom governance of cybersecurity.
Stay with us.
On today's Solution Spotlight,
our N2K president, Simone Petrella,
sits down with Lee Parrish,
Chief Information Security Officer of Newell Brands,
to speak about his book, The Shortest Hour,
an applied approach to boardroom governance of cybersecurity.
Welcome to Solution Spotlights, where we talk about some of the most innovative strategies
shaping the future of cybersecurity leadership.
And today I am joined by Lee Parrish, CISO of Newell Brands
and author of a recently published book, The Shortest Hour.
Thanks for joining today, Lee.
Oh, not at all. It's my pleasure. Thank you for having me.
Well, to start us off, I was hoping you could tell us a little bit about your leadership philosophy when it comes to building cybersecurity programs throughout your career and now at Newell Brands.
Certainly. I've been doing this for about 23, 24 years now.
And I think if there's one consistent theme
across all of the companies I've worked for
and the strategies that I've built,
it's been a focus, a hyper-focus on the people,
the people aspect of the cybersecurity program.
So one thing I mention a lot to people,
and I mention it in the book as well, is as CISOs, we all have the same access to technology
as every other CISO. The security vendors are not selling to some of us and not others. I mean,
we're all on a level playing field. And when it comes to processes and policy and things like that, again, we're all on the same landscape.
Nobody has an edge in that area.
We have access to research firms, analysts, frameworks, cybersecurity frameworks, all kinds of things.
So, again, we're on an equal playing field.
The true differentiator in a cybersecurity program then lies in its people.
And as a result of that, I spend a lot of time selecting the right people,
selecting people who are curious and people who like to dive into unintended use cases for technology and things like that, people who are curious.
So that's what I've been doing consistently over my career.
And that always resonates with me as a recovering consultant where we focus so much on people processing technology. And I'm a huge advocate that people are kind of truly the long pole in
that tent. And the companies that you've worked with or the organizations that you advise,
obviously the budget and the sophistication
of some of those enterprises can be very different.
And so when it comes to selecting people,
what's that consistent thread
that you have maybe leveraged throughout that journey
to focus on the people?
Because I'm sure there have been organizations
where you have unlimited operating budget
to actually spend on salaries and you can kind of build the best or buy the best.
But then what happens when you're just looking for that curiosity and fostering them?
Or is it a balance between the two and it's been that way no matter what organization you've supported?
always a challenge in bringing on new folks, getting the budget and things like that for small to mid-cap companies.
So what you want to do is make sure that when you do get the funding for that, you fill
that share with the most optimal resource that you can find.
What I've seen in my career recently in the last 10 years
is the resumes that come across my desk
are usually people
who have one to three years of experience.
And so if a CISO has a strategy
to fill, let's say, 15 roles
in their cybersecurity program
and their strategy is,
I want to fill these with people who
have eight to 10 years of experience. That may not be realistic, not in today's environment,
unless you're willing to pay over market for those folks and have them work remote 100% of the time,
pay them an exorbitant amount of money above comp ranges,
you're not going to find those people.
So what I've done is I seed the team with three, four cybersecurity experts,
people who have that level of experience. And then the rest of the team I fill with people who are,
maybe they don't have a lot of experience in cybersecurity,
but it's all about, you know,
professionalism, the personality, you know, that curiosity is something that I continually
look for in people. So as a result, we have to work with the business. And if we have people who
are resistant to building relationships and just want to work, you know, kind of off on their own,
that typically doesn't work too well.
So I look for people who have, you know, high personalities,
very curious about things, and they inject into the team,
you know, the experts will provide them experience
and lessons learned from a career of doing this.
So that's what I found. Yeah. I think one of the most operative words that I just picked up on
that you said is the idea of having a strategy to begin with. And I know from personal experience,
I've worked with a number of colleagues and companies where the strategy is more just, you know, we have this
many openings and let's fill them as quickly as possible. And there hasn't been that thought put
into, is it a team of eight to 10 years of experience with a high salary cap? Or is it
something that we're going to kind of round out with smaller ones? What do you think, I guess,
my first question is like, why is it so hard for us as an industry to kind of like
wrap our heads around that strategy? If you're like building a team, you have to sort of think
about the constraints of the budget you have, and then what are you going to build? And how do you
think about those positions and those players before you actually start putting people on the
ground? But why has that been so hard for us? And my second kind of corollary to that is, what are
some of your recommendations to, you know, your peers and those coming up in the field to maybe integrate that
into more of their own program development strategies across cybersecurity? You know,
it is a challenge. I think that a lot of times, I think it's much better now than it was in the past. In the past, most of, I will say many of the security leadership
were comprised of people who were very technical
and didn't have a lot of business acumen.
They were hands on keyboard.
And when the need arose for someone to take a CISO role,
the logical selection was somebody who's been involved in it. And that usually was a technical
person. I think a lot of times as CISOs, we jump into something, we're given budget and we're
saying, okay, what do we want to do? And let's go forward and build this. That's not the time to
actually think about that. You should be thinking about that before you get the money and before
you even start talking to vendors or before you even do an interview. The analogy that I use quite
a bit is when you go into a car dealership to purchase a car, you don't walk on the lot and say,
show me everything. I want to see SUVs. I want to see electric cars. I want to see compact cars. I want to see sports cars. I want to see
electric vehicles. No, you already have an understanding of some of the models that you
want to see. And you probably have an understanding of the price range you're probably going to pay.
It's the same thing for cybersecurity. You should already know what it is that you want,
who you're going to talk to, and kind of sort of know how much
you're going to pay. As far as the people aspect goes, I would say one of the things that I like
to do is to make a quad chart. So that's kind of the way that I've done it. And then I meet with,
before I even give the strategy to the CEO, what I'll do is I'll go to each of the individual leaders and I'll talk about how
the security solutions I'm proposing may interoperate with what's already in the
environment. You just want to make sure that the whole strategy fits together. And you don't want
to have people on the team that have all the same skill sets. You don't want a bunch of people who
are really good at threat intelligence and
then they don't understand other domains within cybersecurity. So it really is a chess match.
Yeah. Well, and it really hits on another theme that obviously is part of what you implement in
your own leadership roles, but also is in your book that is, I know, geared towards independent
directors, but probably just as helpful for existing CISOs. And it's that kind of theme concept around security relationship
management. I think there's kind of that executive responsibility for all those other stakeholders
in an organization to kind of think about how security impacts what they do as well.
And I say that to pivot into what inspired you to write this book,
because if I have it correct, really the shortest hour is meant to help inform new directors on
boards to understand how they can actually conduct and not only ask the right questions as they execute cybersecurity oversight,
but also understand enough to make, you know, some real actionable decisions out of that
and evaluate where things are. So, can you talk to me a little bit about what, you know,
what inspired you and what are some of the things that you hope directors who have an opportunity
to read this take away from it? Yeah, absolutely. I was blessed very early on
in my career where I was surrounded by leaders who were very engaging and they wanted me to
participate and they gave me invitations to participate. I realized that a lot of listeners
who are CISOs may not have that same level of support and they have to fight their way in.
So I do realize that I was very blessed early on.
And throughout my career, again, I've been extremely blessed.
And every company I've worked for, there was an opportunity for me to present to senior leaders
and to the board of directors and to committees as well in an unfiltered way
to be able to explain risk and not be toned down by leaders and things. Well, don't say that.
They were very open. So that's the baseline. I mean, if you don't have that, the game is over.
But very early on, I was interacting with some very, very serious people on different boards. And there was a White House chief of
staff, a U.S. presidential candidate, all of these different folks in my very first time
working with the board. So I learned very quickly. And it was really nice to be able to have that experience.
And then as I moved throughout my career, I had experiences with working with the board,
not just in a presentation format, but actually like one-on-one to be able to fly to a location
and meet with a new director who's coming on board. And so access and then that deep relationship has really helped. So it's been a
great journey. I really enjoyed doing it and hopefully people will enjoy it and provide good
feedback. Well, Lee, thank you so much for taking some time to share some of your experiences with
us, as well as some of the nuggets out of your newly published book. So congratulations
on getting that out there. It's really been an amazing thing to read as I've started to delve
into it. And for those who have not had a chance, Lee, I'll let you give one last plug. Where can
someone go get a copy, their hands on a copy of The Shortest Hour? Yeah, so it's available to all
the favorite booksellers, you know, Barnes & Noble,
Amazon. You can go to Taylor & Francis, Routledge, you know, it's all over the place. But thank you
for the support. I really, really appreciate it. Great. Thank you.
That's our N2K President, Simone Petrella, speaking with Lee Parrish, CISO of Newell Brands.
The book is titled The Shortest Hour, An Applied Approach to Boardroom Governance of Cybersecurity.
And finally, it's no shock that scammers would embrace AI.
It's a match made in cyber heaven for nefarious activities.
But here's a twist.
They've set their sights on crafters and makers.
Yes, the crafty folks on platforms like Etsy are now dealing with AI-generated patterns
that can turn your knitting or crochet dreams
into a nightmare.
Imagine spending weeks on a project
only to find out the pattern was flawed from the start,
courtesy of AI.
From impossibly intricate stitches to bizarre, unusable designs,
these fake patterns are causing headaches and wasting time.
For more on this story, I'm joined by our CyberWire special knitting and crocheting correspondent, Maria Vermazes.
Maria, thank you for taking time away from the T-Minus Space Daily to offer your insights on this important story. I mean, this is a real
big deal for folks who are both professionals and into this hobby, right? It is, and it's becoming
a really annoying problem, and it's been proliferating quite a bit. So, I mean, it is a
moneymaker. Buying patterns online is actually a big source of income
for a lot of people who are professional fiber artists.
And these fake patterns that are just everywhere
on all the hobbyist platforms
and pretty much anywhere you can think of,
they are causing a lot of people to sink a lot of money
into patterns that are just not craftable.
And what ends up happening is they're spending a lot of money
and it gets wasted.
They show up at crafting stores going,
what the heck's wrong with the thing I did or that I bought from you?
Why doesn't this work?
So you have bad vibes all around.
But more importantly, people are spending a lot of money
on things that physically cannot be made.
And that is a really big problem.
One of the things that struck me here about this story,
something I had not realized having no experience with this, is that essentially these knitting and crocheting patterns are code.
They are, yes.
They are.
And it's really fascinating.
There's a couple of different ways that you can write the code.
The instructions are what we often call them for the pattern, for whatever you're making.
But you can think of them really like an algorithm.
They are just basic instructions, sort of like BASIC back in the day where you have go-tos
essentially. But you just read it and it just tells you what you need to be doing. And AI can
generate very convincing looking instructions for a pattern. And there's actually some really funny
videos out there from professional crafters who try to follow these patterns.
And they will point out like in a whole bunch of places, you can't actually do anything here, even though the AI very convincingly tells you that you can.
But if you are a beginner crocheter or knitter, you wouldn't know that.
So you would just wonder, what am I doing wrong?
And the answer is it really isn't you.
It's the pattern, which is not how it used to be.
Are there any particular tells or, I guess, advice for folks who may be starting out to kind of spot these sorts of impossible patterns?
Yeah, for beginners, it is tough.
The images that often accompany these patterns can be the best way to tell if something's real or not.
There are a lot of gorgeous-looking AI-generated images of objects that have been supposedly crocheted or knitted,
but they're impossible to make.
So they look impossibly beautiful, impossibly ornate.
The scale is off, like it's either massive or super tiny.
And these trick a lot of people.
So don't feel bad if you can't tell the difference.
The patterns themselves,
you would have to be a very experienced crafter
to be able to tell whether or not it's legitimate.
So usually the images are a big giveaway. So be skeptical of things that are looking too bright, too perfect,
corners that are too sharp, things like that. And just make sure that the seller that you're
buying from is reputable. They've got a lot of other patterns that have been reviewed well,
and maybe that they show you actually how to make it. Because most fiber artists who do this
professionally are very happy to help out and they'll show you how to. An AI generated one will just be,
here's a pattern. So that's kind of a big tell. All right. Maria Vermazes is host of the T-Minus
Space Daily podcast. Maria, thank you for helping us get to the knitting gritty.
I'm glad my hobby could be helpful for once.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing
at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people.
We make you smarter about your teams while making your teams smarter.
Learn how at N2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester with original music
and sound design by Elliot Peltzman.
Our executive producer is Jennifer Iben.
Our executive editor is Brandon Karp.
Simone Petrella is our president.
Peter Kilby is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.