CyberWire Daily - Grappling with a ransomware attack.
Episode Date: November 27, 2024

Blue Yonder continues to grapple with ransomware attack. AI-powered scams surge this shopping season. Gaming engine exploited to deliver malware. Chinese hackers ride the router wave. TikTok's beauty filter ban. Redefining cybersecurity education for the future. On our Industry Voices segment, Dave sits down with Damon Fleury, SpyCloud's Chief Product Officer, to discuss defending against what criminals know about you and the role of holistic digital identity in cyber defense. And when do cyber criminals start their holiday scheming?

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today on our Industry Voices segment, guest Damon Fleury, SpyCloud's Chief Product Officer, joins Dave to discuss defending against what criminals know about you and the role of holistic digital identity in cyber defense.

Selected Reading
Kevin Beaumont (@GossiTheDog) on Mastodon (Mastodon)
Advanced Cyberthreats Targeting Holiday Shoppers (FortiGuard Labs)
Black Friday Gets a Fakeover: Fake Stores Spike 110% by Using LLMs this Holiday Shopping Season (Netcraft)
The Exploitation of Gaming Engines: A New Dimension in Cybercrime (Check Point Software)
T-Mobile Engineers Spotted Hackers Running Commands on Routers (Bloomberg Law)
TikTok will block beauty filters for teens over mental health concerns (The Verge)
Australia passes bill banning social media for children under 16 (The Washington Post)
CISA debuts new cybersecurity training platform (Federal News Network)
African cybercrime crackdown culminates in 1,006 captured and cuffed (The Record)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Blue Yonder continues to grapple with ransomware attack.
AI-powered scams surge this shopping season.
Gaming engine exploited to deliver malware.
Chinese hackers ride the router wave.
TikTok's beauty filter ban.
Redefining cybersecurity education for the future.
On our Industry Voices segment, Dave Bittner sits down with Damon Fleury,
SpyCloud's chief product
officer, to discuss defending against what criminals know about you and the role of holistic
digital identity in cyber defense. And when do cyber criminals start their holiday scheming?
Today is November 27th, 2024.
I'm Maria Varmazis, host of the T-Minus Space Daily podcast, in for Dave Bittner.
And this is your CyberWire Intel briefing.
Quick programming note for you all. Our team is taking the next two days off to stuff ourselves silly with turkey, cranberry sauce, and pumpkin pie,
and then recover and eat more of the same as leftovers and maybe do a little bit of shopping.
We will be back in your inboxes and on your favorite podcast apps on Monday, December 2nd.
Cheers.
Following up on a story that we've been monitoring, as we noted yesterday, Starbucks is amongst the companies disrupted by a ransomware attack on supply chain management software provider Blue Yonder.
The coffee chain is using manual processes for employee payments.
Security researcher Kevin Beaumont, aka GossiTheDog, said in a post on Mastodon that the attackers, quote,
got into Blue Yonder's private cloud environment at hypervisor level, deleted the DR and backup storage, and then encrypted all five data centers. The company has
not confirmed these details. Blue Yonder, for its part, says it's continuing to work around the
clock together with our external cybersecurity firms to safely restore systems, resulting in
steady progress. But the company does not, quote, have a timeline for restoration.
As we are in the midst of peak holiday shopping time,
also known as Cyber Week,
cyber criminals are intensifying their efforts
to exploit online consumers through advanced tactics.
Fortinet's FortiGuard Labs reports a surge
in AI-driven phishing schemes,
where attackers use generative AI models like ChatGPT
to craft convincing emails
and clone legitimate websites, aiming to steal sensitive information. Additionally, there's an
increase in holiday-themed domains mimicking trusted retailers, luring shoppers with fraudulent
offers. Netcraft highlights a 110% rise in fake online stores between August and October 2024,
with many employing large language
models or LLMs to generate authentic-looking product descriptions. These fake stores often
use platforms like Shopee to create convincing storefronts, targeting U.S. shoppers with
counterfeit or non-existent products. To mitigate these threats, consumers should verify website
URLs, use secure payment methods, and avoid deals that
just seem too good to be true. Be vigilant and use proactive security practices as you navigate
the heightened cyber risks during this peak shopping period. Buyer beware. Researchers at
Check Point have published a report on a new malware delivery technique exploiting the open-source
game engine Godot Engine. The researchers explain, quote,
Godot Engine provides an execution environment for GDScript,
enabling game developers to create gameplay logic, control scenes, and interact with game objects.
GDScript includes most modern language features, including object support and multi-threading.
Threat actors take advantage of Godot Engine and GDScript,
which uses this new technique to execute malicious code, download malware, and deploy it while remaining undetected.
As GDScript is a fully functional language, it offers threat actors many functionalities, from anti-sandbox and anti-VM to executing remote payloads.
Threat actors maliciously craft GDScript code and then load it with a loader utilizing the Godot Engine.
The threat actor behind the Godloader malware loader
has used this technique
to infect more than 17,000 machines
since June 29th of this year.
The technique is currently undetected
by almost all antivirus engines in VirusTotal
and can be used to target Windows,
macOS, Linux, Android, and iOS.
Turns out Godot did arrive, just as malware.
Beckett will be facepalming right about now.
Godot was supposed to bring salvation, not ransomware.
T-Mobile engineers recently detected unauthorized activity on their network routers,
identifying hackers executing commands within the system.
This breach is part of a broader cyber espionage campaign, dubbed Salt Typhoon,
attributed to Chinese state-sponsored actors.
The attackers exploited vulnerabilities in Cisco Systems routers,
enabling them to access sensitive communication records,
including call logs and unencrypted texts of high-profile targets.
T-Mobile has stated that their systems and customer data
do not appear to have been significantly impacted.
TikTok is implementing age restrictions on
certain beauty filters to address mental health concerns among teenage users. Filters that
significantly alter appearance, such as those that smooth skin or slim faces, will be restricted for
users under 18. The company will also expand filter descriptions to clarify the changes that
they make. However, filters that are clearly humorous, like adding animal ears, are excluded from these restrictions. This move responds to
findings by Internet Matters, which highlighted the negative impact of beauty filters on teens,
who often feel pressured to conform to unrealistic beauty standards. Additionally, TikTok will roll
out new resources in 13 European countries to connect users reporting harmful content with
local helplines. TikTok emphasized its commitment to user safety and announced efforts to improve
detection of underage accounts using advanced machine learning technologies. And going hand
in hand with that news, Australia is advancing a bill to ban children under 16 from using social
media platforms, requiring age verification and imposing hefty fines on companies for noncompliance,
amidst mixed reactions from parents, tech companies, and youth advocates.
The Cybersecurity and Infrastructure Security Agency, or CISA, has launched CISA Learning,
a modernized training platform designed to enhance cybersecurity education
for both its internal staff and external
partners. This platform replaces the previous federal virtual training environment, or FedVTE,
offering a unified system that provides courses on topics such as cloud security, ethical hacking,
risk management, and malware analysis. CISA Learning aims to serve as a comprehensive
resource for the broader federal workforce, veterans, and other stakeholders, reflecting CISA's commitment to sharing its expertise and resources to strengthen national cybersecurity capabilities.
In a significant crackdown on cybercrime, Interpol and Afripol's Operation Serengeti led to the arrest of 1,006, exactly, suspects across 19 African countries between September and October
2024. The operation targeted various cyber offenses, including ransomware, business email
compromise, and online scams, uncovering losses exceeding $190 million and identifying over 35,000
victims. Notable cases include the dismantling of a $6 million Ponzi scheme in
Senegal and the apprehension of individuals in Kenya linked to an $8.6 million banking fraud.
This initiative underscores the growing sophistication of cyber threats and
highlights the importance of international collaboration in combating cybercrime.
Coming up on our Industry Voices segment,
SpyCloud's Chief Product Officer, Damon Fleury,
joins Dave Bittner to discuss defending what criminals know about you and the role of holistic digital identity in cyber defense.
We'll be right back.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30
frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. Learn more at blackcloak.io.
Today on our Industry Voices segment, we are joined by SpyCloud's Chief Product Officer, Damon Fleury,
who sits down with Dave to discuss defending against what criminals know about you and the role of holistic digital identity in cyber defense.
So many folks are becoming more and more concerned with the idea of securing the identity.
We see a lot of new products.
We see a lot of movement within enterprises to secure identities.
But for most companies, what that means is find everything you can within your own infrastructure
about the identities within that ecosystem and then take steps to
protect them. And the problem that we all have is that that's just not enough information. I mean,
what you know about a person from logging into your own systems, to your email system, to your
VPN, that is useful and you absolutely need to protect against anomalous behavior or against
misuse. But you don't know all the other things that have impacted that identity,
which bring more risk to your business.
And so we believe it's really important that you understand much more broadly
what has happened to the users, how their information has been stolen,
both when they work for your company and potentially in their
personal life, if that data could be used against you, or even in some of their past work lives.
And all of that information together can form the holistic identity. And that in the end,
all that wealth of data is the data that the bad guys will use against your company when they
figure out that that individual works for you. And so it's really
important that enterprises start to think about going beyond a single identity within their own
company and think about the holistic identity and how all of that information can be used against
that company. Well, can we dig into the details of both sides of that coin then? I mean, can we start with what are the known knowns, if you will, the things that most
organizations know about someone who's working with them or working for them?
What sort of things are easy to unpack there?
Yeah, so the known knowns would really be associated to their login behavior within the organization
and sometimes extend as far as their access patterns or their security hygiene.
We do have a lot of efforts out there with varying levels of success that try to measure
whether somebody's good at avoiding phishy emails, for example, or have they passed their
compliance training.
And so those sets of things make up, those types of things make up the kind of known known,
as you're referring to it. Those are the things you can know about them in their work life within the company that they are currently working for that you are trying to protect. All right, well,
then let's extend it to beyond that. What are the types of things that we want to explore?
So going beyond that are, you know, what are the full set of passwords that this employee has used throughout their professional life and their internet life that could also be used to access your organization?
What are the things that this employee might do outside of their work life?
For example, do they access illicit sites or known criminal sites?
Has this employee repeatedly fallen prey to malware infections or to phishes?
And these types of things, the bad guys know.
The bad guys collect all this data and trade it amongst themselves constantly.
And this is information that you may not be able to understand if you're only looking
within the scope of your own infrastructure. Well, how do we go about collecting that sort
of relevant information? Yeah, so that type of data, I mean, it's all about working with
organizations that have access to the same data that the criminals do. And so, you know, if some
organizations, some larger enterprises, they will have their
own groups that interact with the dark net, interact with those criminals to see what
information is being traded. But it is really hard to go beyond just searching for your own company
and to understand more about which aspects of other additional details of that individual's
identity could be used against you. But that's what it takes at the end of the day to understand the full holistic identity.
And so to us, the important thing here is that you gain access to this data in a way that your systems can operationalize it and react to it.
And so really the best way is to work with a team of experts that are gathering this data all the time and then using it to help protect your business. What about privacy here? I mean, you know,
I can imagine an employee who maybe they're visiting a dating site or something like that,
you know, things in their personal life that they would like to keep personal. How do you walk that
line? Yeah, that is definitely an important point to discuss.
And probably the key point here to remember is that that data, if it's being traded amongst criminal actors, has lost its element of key privacy.
The darknet, elements of the darknet, criminals are using it.
They have that information themselves, and they're going to use it against the business. That said, our companies, our enterprises still have privacy requirements where they're not
interested in understanding those types of details about employees. They want to protect that
privacy, even though something has happened and that individual has lost control of that data.
That's not something you necessarily want to expose the enterprise to. So the job of companies like SpyCloud is to pull out only the relevant data points that
are really important and present them in such a way that they can be used within infrastructure
without exposing that company to any of those privacy-challenging details.
And so it's using the right filters.
It's selecting only the data that's
important to protect the enterprise, and then putting safeguards in place. Even though that
data has lost a lot of its element of privacy, we still want to control it as much as we can
going forward. That's a really interesting point, how engaging with a third party can kind of
insulate you from both the responsibility, perhaps the liability of coming
across information that you're not interested in. But I suppose it makes it a little more
clinical as well. There's a little buffer zone there. Yeah. Yeah. I think that's a great way
to think about this at the end of the day, is that there are organizations that are set up well with the right legal structures and the right processes and procedures, which can certainly be a challenging aspect of the business and can take the right steps to make sure that we're offering as much as we can around those privacy safeguards.
For the folks who are successfully integrating this sort of thing, can you contrast for me what it's like before and after some of the benefits that they get for going down this path?
I mean, I think the simplest way to characterize this is less to get into your enterprise and they've selected a member of your IT team that may have administrative credentials or a member of your leadership team, and they've decided to try to access the email or the VPN or look for any entry point, they then go and gather all the access details, session cookies, social engineering data, passwords that they might use to try to gain access to those types of accounts. And so the deeper, as we provide this data in an automated fashion to our customers,
they have the ability to block those things or to make sure those passwords are not in use or
those session cookies are not currently active so that they will fail when they try to use this
information against the enterprise.
Yeah, that's interesting. I mean, it's really an awareness thing here where you can go to your
employees and say, hey, there's an old password from a few years ago that is out there floating
around and let's take care of this together. Well, I think you can take it one step further
and make it protective in nature in that there are
tools available that you can take those passwords,
and then you can fuzz them to find the root of the password,
and then you can test it against your identity provider,
like your Active Directory installation.
Then you can automatically force the reset if you find a match.
So in our tests and in our customer deployments,
as we look at the holistic identity,
we see so many additional matches
where we see customers, employees,
I'm sorry, we see the enterprise's employees
using passwords they used in their past lives.
And they thought, I haven't used this one in 20 years.
And then they change a few digits.
Well, this is exactly the kind of thing
that the bad actor is going to do against you.
We can see all of those passwords from their past life or their personal life that was connected to them,
and we can make sure that that's not being used.
And it's a simple password reset function to make sure that there isn't a known password
that we've been able to discover that could be used by a bad actor in a variant form
that could be used to access their enterprise.
How do you ensure when someone is adding this sort of thing to their procedures that we're
not introducing undue friction?
Yeah, I mean, there certainly is a little bit of friction that is added to the end user
and that they are forced to do a password reset or they may be required to log in again,
you can certainly introduce controls
about how often you allow this to happen.
But because we are limiting it
specifically to the passwords
we can connect to the end user,
we find the friction to be quite limited.
It's unusual that a lot of end users
will actually see a direct match
that they have to go reset.
But when you find one,
you're really glad you reset it.
There are other ways to approach this
that check against an entire list
of billions of passwords on the dark net.
That is where I think you see a lot of friction.
And so with this targeted approach to focus on the holistic identity, this really limits the friction to use cases that we
know exist out there. So what are your recommendations for people who want to get
started down this path? What's the best way to get started here? I mean, the best way to get started
is to find a provider that can find this kind of information and connect it to the holistic digital identity and then look for ways to integrate that into your identity provider to protect your enterprise.
And then you'll need to take the steps to integrate that into your identity solution.
I suspect this is a pretty eye-opening exercise for a lot of people out there.
It absolutely is.
And it's often our job to help people kind of understand how could this have happened.
And we find that most individuals, it's getting to the point where people understand it better.
But a lot of individuals just don't understand the scale of data that has been stolen from literally tens of thousands of
third parties out there. Or we ingest tens of millions of malware infections that have stolen
all the data off of your computer, or tens of millions of phishes that are occurring every month
where they're stealing this data from information when you believe you're logging into a legitimate site.
The scale of this is so large that it connects everyone who's ever logged into the internet.
And that works in the bad guy's favor. And so this gives you a way to try to understand that and turn the tables on that conversation. We hope you enjoyed our latest Industry Voices
segment featuring Damon Fleury and Dave Bittner, diving into how criminals exploit what they know about you and exploring the vital role
of holistic digital identity in strengthening cyber defenses.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. Our very own Liz Stokes
wraps up today's show
with a fan favorite segment,
Fun Fact Friday.
Every Friday, Liz dives into fascinating
and fun tidbits about cybersecurity
and space that are sure to inform and entertain.
This week, we're getting a little jump on the holiday season as Liz uncovers how cybercriminals start plotting their holiday schemes a little earlier than you might think.
Welcome to a very special Fun Fact Friday. I'm your host Liz Stokes here at N2K Cyberwire.
This week, as the U.S. celebrates Thanksgiving, I want to take a moment and wish everyone a peaceful and joyful holiday season.
Now, as we're all gearing up for the holiday hustle, let's talk about the real early birds of Black Friday.
Spoiler alert, they're not after the deals. They're after your data.
Believe it in September, bam, those search numbers double
as scammers get ready to pounce. So this year, remember, while you're shopping,
they've been plotting for months. See you soon.
If you enjoyed this week's fun fact, there's plenty more where that came from.
Head over to our YouTube page to explore Liz's library of entertaining and insightful videos.
Don't miss out. Check it out.
And that's The Cyber Wire.
So thanks for all of today's stories.
Check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like the show, please share a rating and review in your podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
We're privileged that N2K Cyber Wire is part of the daily routine of the most influential leaders and operators in the public and private sector.
From the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies, N2K makes it easy for companies to optimize your biggest investment, your people. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karp.
Simone Petrella is our president.
Peter Kilby is our publisher.
And I'm Maria Varmazis in for Dave Bittner.
Thanks for listening.
We'll see you next time. Bye.