CyberWire Daily - Hacking the ICC. ShroudedSnooper active, simple, and novel. New criminal malware used against Chinese-speakers. More on the materiality of cyberattacks.
Episode Date: September 20, 2023
The International Criminal Court reports a "cybersecurity incident." ShroudedSnooper intrusion activity is both novel and simple. Criminal malware targets Chinese-speaking victims. The costs of insider risk. More on the casino attacks (and related social engineering capers). In our Learning Layer segment, Sam Meisenberg drops into a CISSP tutoring session and offers some test-taking tips. Our guest is Aaron Brazelton, Dean of Admissions and Advancement at the Alabama School of Cyber Technology and Engineering. And the Clorox incident shows how one company navigates unfamiliar new SEC rules. Join Sam Meisenberg as he drops into a CISSP tutoring session talking about the difference between due diligence and due care along with some test-taking tips.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/180
Learning Layer. Learning about the CISSP certification from (ISC)²
Selected reading.
War crimes tribunal ICC says it has been hacked (Reuters)
International Criminal Court says cybersecurity incident affected its information systems last week (AP News)
Hackers breached International Criminal Court's systems last week (BleepingComputer)
New ShroudedSnooper actor targets telecommunications firms in the Middle East with novel Implants (Cisco Talos)
ShroudedSnooper's HTTPSnoop Backdoor Targets Middle East Telecom Companies (The Hacker News)
Chinese Malware Appears in Earnest Across Cybercrime Threat Landscape (Proofpoint)
Hackers who breached casino giants MGM, Caesars also hit 3 other firms, Okta says (Reuters)
Las Vegas casino ransomware attacks: Okta in the spotlight (The Stack)
MGM losing up to $8.4M per day as cyberattack paralyzes slot machines, hotels for 8th straight day: analyst (New York Post)
Caesars reports cyberattack but did not go offline (Top Class Actions)
What Las Vegas tourists need to know about casino hacks (Washington Post)
MGM, Caesars Face Regulatory, Legal Maze After Cyber Incidents (Dark Reading)
Clorox Cyberattack Brings Early Test of New SEC Cyber Rules (Wall Street Journal)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout. That's joindeleteme.com/n2k, code n2k.
The International Criminal Court reports a cybersecurity incident.
ShroudedSnooper intrusion activity is both novel and simple.
Criminal malware targets Chinese-speaking victims.
The costs of insider risk.
More on the casino attacks and related social engineering capers.
In our Learning Layer segment, Sam Meisenberg drops into a CISSP tutoring session and offers some test-taking tips.
Our guest is Aaron Brazelton, Dean of Admissions and Advancement at the Alabama School of Cyber Technology and Engineering.
And the Clorox incident shows how one company navigates unfamiliar new SEC rules.
I'm Dave Bittner with your CyberWire Intel briefing for Wednesday, September 20th, 2023.
Reuters reports that yesterday in The Hague, the International Criminal Court said it had sustained a cybersecurity incident. Not only the ICC's staff, but also lawyers for both victims and the accused were affected. The ICC's brief statement, communicated in its Twitter channel, said that the court detected anomalous activity affecting its information systems, at which time immediate measures were adopted to respond to this cybersecurity incident and to mitigate its impact. The ICC is investigating with the help of Netherlands authorities, but beyond that, the court has so far offered no further information. In particular, there is no attribution, but the most prominent cases before the ICC involve allegations of war crimes and crimes against humanity committed by Russia in the course of its invasion of Ukraine. The AP reviewed some recent history of Russia's troubled relations with the ICC, stating, last year a Dutch intelligence agency said it had foiled a sophisticated attempt by a Russian spy using a false Brazilian identity to work as an intern at the court, which is investigating allegations of Russian war crimes in Ukraine and has issued a war crimes arrest warrant for President Vladimir Putin, accusing him of personal responsibility for the abductions of children from Ukraine. Russia responded to the warrant, SecurityWeek reminds readers, by placing ICC prosecutor Karim Khan on its own wanted list. So, no attribution yet, but if you bet on form, put your money on Moscow.
Cisco Talos describes a new intrusion set dubbed ShroudedSnooper
that's targeting telecommunications providers in the Middle East.
The threat actor is using two implants Cisco Talos calls HTTPSnoop and PipeSnoop. Talos states, based on the HTTP URL patterns used in the implants, such as those mimicking Microsoft's Exchange Web Services platform, we assess that this threat actor likely exploits Internet-facing servers and deploys HTTPSnoop to gain initial access. HTTPSnoop is a simple yet effective backdoor that consists of novel techniques to interface with Windows HTTP kernel drivers and devices to listen to incoming requests for specific HTTP URLs and execute that content on the infected endpoint.
There's no attribution yet,
and Talos says that the group's tactics, techniques, and procedures
don't match any known group,
so they're tracking the activity as representing something new.
The report notes, however, that state-sponsored groups, particularly groups operating on behalf of Iran and China, have recently shown a strong preference for attacking telecommunication providers, especially providers in the Middle East and Asia.
It's worth remembering that there are criminal gangs that operate in, from, and around China that represent a law enforcement problem not only for China's neighbors, but for China itself. Proofpoint is tracking suspected Chinese cyber criminal campaigns that are targeting Chinese-speaking users with malware-laden phishing emails. Proofpoint says campaigns are generally low volume and typically sent to global organizations with operations in China. The email subjects, Proofpoint says, use names spelled in Chinese-language characters or specific company email addresses that appear to align with businesses' operations in China. While most of the activity is focused on users in China, at least one campaign is targeting Japanese organizations, which the researchers believe suggests a potential expansion of activity.
Okta has told Reuters that the criminals from ALPHV,
also known as BlackCat and Scattered Spider,
used vishing attacks against MGM Resorts and Caesars Entertainment.
They posed as employees and inveigled IT staff
into giving them access to the company's Okta client.
This enabled the attackers to obtain further
credentials within the Okta identity management system used by the organizations.
Okta said that three of its other customers, unnamed but said to be in the manufacturing,
retail, and technology sectors, have recently sustained similar attacks.
On August 31, the identity management provider warned of this trend, stating, Okta has observed attacks in which a threat actor used social engineering to attain a highly privileged role in an Okta customer organization. When successful, the threat actor demonstrated novel methods of lateral movement and defense evasion. These methods are preventable and present several detection opportunities for defenders. Prevention would include adopting phishing-resistant methods for enrollment, authentication, and recovery, tight privilege management, and implementation of dedicated access policies for administrative users. Okta also recommends close monitoring and swift investigations of any anomalous use of functions reserved for privileged users.
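One way to act on that last recommendation, monitoring anomalous use of privileged functions, as an added example that is not Okta's code and not part of the original briefing: a small Python checker that reads constructed log events shaped like Okta System Log records and flags privileged actions by unexpected actors or from unexpected networks. The event type strings, the admin allowlist, the network ranges and the sample events are all assumptions made for this example.

```python
import ipaddress
import json

# Event types treated here as "functions reserved for privileged users".
# The strings are modeled on Okta System Log naming but are assumptions for
# this example; verify the exact event names against Okta's own documentation.
PRIVILEGED_EVENT_TYPES = {
    "user.session.impersonation.initiate",  # admin starts a session as another user
    "user.account.privilege.grant",         # admin role assigned
    "user.mfa.factor.deactivate",           # someone's MFA factor removed
    "policy.rule.update",                   # sign-on / access policy changed
    "system.idp.lifecycle.create",          # new identity provider added
}

# Constructed sample events (not real data) in the general shape of Okta
# System Log records: who acted, what they did, and from where.
SAMPLE_LOG = """
{"published": "2023-09-19T14:02:11Z", "eventType": "user.session.start", "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "10.20.30.40"}}
{"published": "2023-09-19T14:05:02Z", "eventType": "user.session.impersonation.initiate", "actor": {"alternateId": "alice.admin@example.com"}, "client": {"ipAddress": "10.20.30.41"}}
{"published": "2023-09-19T14:09:45Z", "eventType": "user.session.impersonation.initiate", "actor": {"alternateId": "helpdesk1@example.com"}, "client": {"ipAddress": "10.20.30.42"}}
{"published": "2023-09-19T22:17:08Z", "eventType": "user.account.privilege.grant", "actor": {"alternateId": "alice.admin@example.com"}, "client": {"ipAddress": "203.0.113.7"}}
{"published": "2023-09-19T22:18:30Z", "eventType": "user.mfa.factor.deactivate", "actor": {"alternateId": "helpdesk1@example.com"}, "client": {}}
"""

APPROVED_ADMINS = {"alice.admin@example.com"}        # assumed admin allowlist
APPROVED_NETWORKS = ["10.0.0.0/8", "192.0.2.0/24"]    # assumed corporate ranges


def parse_events(raw: str) -> list:
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def flag_privileged_events(events, approved_admins, approved_networks):
    """Return privileged-function events that break an expectation: the actor
    is not an approved administrator, or the request did not come from an
    approved network. Events that are not privileged functions are ignored."""
    nets = [ipaddress.ip_network(n) for n in approved_networks]
    findings = []
    for ev in events:
        etype = ev.get("eventType", "")
        if etype not in PRIVILEGED_EVENT_TYPES:
            continue
        actor = ev.get("actor", {}).get("alternateId", "")
        ip_str = ev.get("client", {}).get("ipAddress", "")
        reasons = []
        if actor not in approved_admins:
            reasons.append("actor not in admin allowlist")
        try:
            if not any(ipaddress.ip_address(ip_str) in n for n in nets):
                reasons.append("source IP outside approved networks")
        except ValueError:
            # An empty or malformed client address on a privileged action is itself worth a look.
            reasons.append("missing or malformed client IP")
        if reasons:
            findings.append({
                "published": ev.get("published"),
                "eventType": etype,
                "actor": actor,
                "ip": ip_str,
                "reasons": reasons,
            })
    return findings


def run_sample():
    """Apply the check to the constructed log; three of the five events are flagged."""
    return flag_privileged_events(parse_events(SAMPLE_LOG), APPROVED_ADMINS, APPROVED_NETWORKS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['published']} {f['eventType']} by {f['actor']} from {f['ip'] or '?'}: "
              + "; ".join(f["reasons"]))
```

The allowlist and network checks are deliberately simple; in a real deployment the same loop would feed a ticketing or SIEM pipeline, and the "anomalous" baseline would come from each tenant's own history of which accounts normally exercise which administrative functions.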
Of the two casino chains hit,
Caesars Entertainment saw data belonging to its loyalty program affected,
but was able to keep its operations online during the incident.
The Form 8-K the company filed with the SEC strongly hinted that it had paid the attackers' ransom. MGM Resorts has had, by all accounts, a more difficult time. The New York Post reports that MGM continues to have trouble with its slot machines and hotel systems eight days after the attack was detected. The company is estimated to be losing as much as $8.4 million per day in revenue.
The MGM and Caesars incidents come as public companies come to grips
with recently introduced U.S. Securities and Exchange Commission regulations
mandating quick disclosure of cyber incidents
deemed likely to have a material impact on a business.
These two companies face an additional regulatory burden, Dark Reading points out, in the form of oversight by the Nevada Gaming Control Board, whose Regulation 5.260 requires covered entities, including casino operators, to establish effective cybersecurity measures. In the event of an incident resulting in a material loss of control, compromise, unauthorized disclosure of data or information, or any other similar occurrence, a casino operator must disclose the incident to the board within 72 hours and undertake both investigation and remediation of the incident.
There's another object lesson on compliance and materiality underway at Clorox. The cyber attack that disrupted operations at the major consumer products company was also among the first major incidents to fall under the SEC rules that went into effect on September 5th. Compliance dates for mandatory reporting are somewhat later, falling for most companies in December. The Wall Street Journal reviews how the company has responded publicly to the incident, and it seems to be doing about the best that can be done under fluid conditions with imperfect regulatory clarity. Clorox has issued statements, including two Forms 8-K, since the incident was disclosed on September 14th, shortly after it was detected. There are at least two challenges. The first is keeping reporting current as an investigation unfolds. One expert told the Journal, a stream of 8-Ks will be the new norm, because after all, investigation takes time. And the second challenge is determining whether an incident has a material impact on a public company. Materiality is a reasonable-investor, common-sense standard that will doubtless undergo some clarification over time. In the meantime, when in doubt, file those 8-Ks.
Coming up after the break, in our Learning Layer segment, Sam Meisenberg drops into a CISSP tutoring session and offers some test-taking tips.
Our guest is Aaron Brazelton, Dean of Admissions and Advancement at the Alabama School of Cyber Technology and Engineering.
Stay with us.
Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Many have said that if we want to meet the workforce gaps facing cybersecurity,
we need to reach kids earlier in their educational journey, provide them with experiences and
opportunities to get a head start on a potential cybersecurity career.
The U.S. state of Alabama is doing just that.
Back in 2018, Alabama Governor Kay Ivey signed legislation establishing the Alabama School of Cyber Technology and Engineering,
a high school located in Huntsville.
Aaron Brazelton is director of admissions and advancement at the
school. When you're in a traditional high school, you know, your class selection is like a booklet.
You can pick your classes. It's a buffet. You know, you can decide, do you want to take this
or you want to take that? At our school, it's more of a seated dinner, chicken or fish. We prescribe
to you the classes that you're going to take in order for you to get through your program in three years.
That's another thing that makes us different is our entry points are ninth grade and 10th grade.
So we enroll rising ninth graders. So current eighth graders going into ninth grade and rising 10th graders.
So current ninth graders going into 10th grade and the students, they come in, they learn in ninth grade on campus.
They learn in 10th grade on campus. They learn in 11th grade on campus. But their senior year, they are full time and internship
with one of our 75 partners. And you can go online, you can check out all of our partners
in education. And two of our biggest gifts came from Raytheon Technologies and also Redstone
Federal Credit Union. But our partners span the spectrum of
industry. We have partners from commercial industry, from private industry, from DOD,
from government, from K-12, from higher education. And so that senior year, kids take everything
they've learned in theory for the past three years and they apply it in practice their senior
year full-time in an internship. Well, I would imagine with an
opportunity like this, there's a lot of demand. How do you select who's going to be able to go
through the program? So our admissions demand far exceeds our capacity to enroll. So our admissions
process is definitely research-based. We look at academic factors and non-academic factors. We look at cognitive factors
and non-cognitive factors to try and get a full view of the students coming in. So we ask for
three years of academic transcripts. So those are your grades, attendance, and discipline.
There's a parent letter of interest. There's a student letter of interest. There are some short
essays that you have to write. And then there's also a recommendation from your current math teacher and a recommendation
from your current counselor or school administrator to supplement your application.
For those students applying from virtual situations or homeschool situations or private school,
we do require a nationally recognized standardized test, such as the ACT, the SAT, or the SSAT.
And what about for folks who come from underrepresented groups, women or people of
color? Absolutely. So one thing that has made our school so attractive for industry is the fact that
we are disrupting what representation can look like in the STEM field. So at our school this
year, 38% of our students
are students of color and 35% are female students. We've done that very intentionally by partnering
with community-based organizations like Boys and Girls Clubs, Girls Inc., Girl Scouts, NAACP.
We're partnering with churches across the state. I'll actually be headed down to Mobile
in just a couple of days to meet with the Boys and Girls Club down there to talk about our program. Now, it is important to note that
with the recent decision from the Supreme Court to just reaffirm our stance that we actually don't
look at race or gender in the application process, but we do work to increase the number of female
students applying to our school and to increase the number of students of color applying to our
school because we know that if they're represented at higher levels in the application process,
then naturally more will be accepted when it comes to enrollment. Now, as the students make
their way through this program, are most of them college bound or will some of them be
heading right into industry when they finish high school? It's an interesting conundrum that we face because with our students in internship full-time and just the talent and quality of our students
enrolled at our school, industry does want to hire students right out of high school.
But we are a high school and our goal is for 100% of our seniors to matriculate to the college
or university of their choice. We just graduated our first senior class.
There were only 17 in that class.
They were our first group of kids that came in.
Those seniors, the average ACT score was a 31.
They were accepted to 37 colleges and universities,
and they earned about $3.7 million in merit aid scholarships alone.
And they 100% went to university. How are you all measuring success
here? And what are your hopes to grow the program in the future? Absolutely. So our metrics of
success are trifold. First, are we getting kids into the college or university of their choice?
And how are they performing once they are there. And those
numbers are coming back pretty strong with our first senior class being accepted to most of their
first choice options. The second thing that we're doing is, or how we measure success, is the fact
that all of our kids are going into internship and we need to know that they are prepared to address the
challenges in the current workforce. And we're starting to get that data back from industry
saying, hey, your kids know X, Y, and Z, and it will be helpful for them to know A, B, and C as
well. So one thing that I'm proud of as a school is that we are reflective practitioners. We're
not a school that can rest on our laurels and say that,
hey, this is what we need to do. This is how it's always been done. This is how we're going to do it.
But every year we look at what works and what doesn't work and we pivot to meet the demands
of both higher education and industry. The third metric of success for us is really
increasing the number of partners in education that we have. Our foundation does incredible work under the leadership of Alicia Ryan and Peggy Lee Wright
to ensure that the partners in education that are coming into our portfolio are not just mission fit,
but that they are also able to provide opportunities for our students to gain real world experience.
So to become a partner in education, not only do you provide mentorship,
field experiences, or internship opportunities for students, but you also have the opportunity
to have naming rights for a building or for, you know, part of our campus. So if you look at how
our school is funded, we receive a line item from the governor every year. And that allows us to operate as a school. It
covers utilities. It covers salary and personnel, food costs. But the actual brick and mortar of
our campus, the buildings that we're in, that is all privately raised from our partners in education.
So our foundation has done an incredible job. They've raised over $25 million in the past two
and a half years to support the construction of this permanent campus. And with a grant that we received from
the state of Alabama, we're going to be actually erecting a new student activity center in January,
a $13 million building that is half privately funded, half state funded, that will also service
campus. Our growth and how many students we're able to have on campus
completely depends on our partnership levels.
We do have plans in the works
to add another academic building
and another residential building
that would allow for our enrollment
to exceed 650, 700 students.
But that will all happen as those donations roll in
to construct our physical campus.
That's Aaron Brazelton from the Alabama School of Cyber Technology and Engineering.
Coming up in our Learning Layer segment,
host Sam Meisenberg drops into a CISSP tutoring session and offers some test-taking tips.
Here's Sam.
Welcome to Learning Layer.
On this segment, we're going to be dropping you into the middle of a CISSP tutoring session. So I'm actually going to be working with a student named Ethan, and we're going to be going over some tricky content from the CISSP exam.
Now, even if you are not studying for the CISSP, I think the topic that we're going to talk about is still relevant and we're going to be going over some general test taking and exam prep approach tactics.
So I think no matter what exam you're studying for, it will be relevant. So without further ado,
let's get to the session. So I think overall you're doing, you know, the right things. Seems like you have a good
strategy and approach, but is there any content that you are struggling with?
Yeah, I think something that I've been struggling a lot with in my studies is the difference between
due care and due diligence. These things aren't just really making sense when I'm
reviewing my notes and going over it. So don't feel bad. It's a tricky concept that,
you know, a lot of students wrestle with. But the good news is like once you know it,
you really know it. It kind of makes sense. So before we get into like defining the words though,
let's take a step back, right?
It's always important to see the forest, you know, and the trees.
So what domain or what sort of umbrella topic area
does this stuff fall under?
Yeah, if I remember correctly, it falls under domain one,
which is like a lot of the managerial stuff
and talking about what businesses should be doing to maintain cyber practices.
Right.
So domain one is called security and risk management.
That risk management piece is about sort of, it's like the least technical, right, of all the domains.
It's like, as you said, what the business should be doing.
Now, due care and due diligence are actually like legal words.
So we're talking about concepts that protects the
business, right? So you're making sure you're doing things in a proper way so that if something
were to go wrong, we are protecting the business because we're doing things to, as you said,
help secure the business. So it's about like if a compliance lawsuit ever came about, we're making
sure that the senior leadership is protected and the business is protected. So with that context,
let's get into the topics themselves. So easy way to think about it. Due diligence is sort of the
precursor to due care. That's how they're related. What I mean by that is due diligence is like research.
You are doing preemptive measures
to make sure that you're not introducing unnecessary risk.
And then due care is sort of the fall onto that,
meaning after you make some sort of business decision,
you are then doing upkeep, right?
Sometimes you see it as
like all reasonable measures is a favorite phrase of (ISC)². You basically are taking actions
after a decision has been made. So does that sort of make sense? Yeah. So if I'm following right,
the due diligence takes place before you would do anything. That's making sure we have all our bases covered, kind of to say. Whereas due care, that happens afterwards to make sure that we're
routinely following and making sure our business is protected months, weeks, years after down the
line. Absolutely. Absolutely. I think that's a pretty good summary. Also, I think you had a
question that you wanted to ask. Yeah. This was one of the questions that I kind of got wrong,
came back to, still was struggling with it, which is why I kind of brought this up with you, which is the question is,
before closing business deals, a best practice is to assess third-party vendors to find what risks exist and develop ways to manage known risks.
All right, stop.
So just from that question stem itself, right?
Because I think the question itself then goes on to ask,
what is this best practice known as?
So even at that point, you should know the answer.
Yeah.
What is it?
The answer is going to be due diligence in here.
Right.
Because like some of the keywords that I'm looking at,
you know, instantly kind of popping off is like before,
you know, seeing in the word assess,
you know, kind of developing and finding,
you know, it's things that you would do before entering that deal rather than afterwards.
Right. And the word assess, to be clear, you can do assessments as part of due care, right?
Like, for example, vulnerability assessments, pen testing, that's all sort of part of staying compliant and doing, you know, those actions after, for example, this business deal has closed.
But in the context of a question, they're talking about assessing before you actually merge,
before you actually, you know, close that business deal. So in this case, that's right.
It's due diligence. So what just happened, by the way, we should check the right answer.
Is due diligence one of the answer choices? It is the right answer choice.
Great. Perfect. So what just happened is you predicted the right answer.
You read the question stem, you thought about it,
and then before reading the answer choices,
you just went and found that.
And that's how you go fast on exam day.
That's how you get the right answer.
So, Ethan, I think you told me one time you're a football fan.
Yes.
Is that right?
I'm a diehard Eagles fan.
Eagle, okay.
Sorry, apologies for the Super Bowl loss.
Thank you for that.
Can you name somebody who plays defense?
Yeah, Darius Slay, probably.
Cornerback.
Cornerback?
Yeah.
So, you know that play where they, I think it's called jumping the route?
They sort of anticipate the throw or the route,
and they kind of jump in front, intercept the ball.
That's the feeling you should have on exam day when you're going through a question.
You got to be proactive, not reactive.
The answer choices are the scary, confusing places.
The question stem is where you want to do all that hard work
of thinking about the answer choice, predicting it.
That way you don't get confused by the answer choices.
And if you predict and it's not there, then it's time to panic, right? Then you can sort of figure things
out. But all of the sort of thinking and hard work should be happening in the question stem.
Like if you do a question, it takes you a minute and a half. The minute, the 60 seconds should
really be spent on the question stem before you get to the answer choices.
That makes sense.
Thank you for joining me on today's Learning Layer. Hopefully you got something out of that tutoring session with Ethan. And if you yourself are studying for a cybersecurity certification exam, whether it be CISSP or another one, and you have some tough questions that you want to throw my way, please feel free to email me at learninglayer@n2k.com. Happy studying.
That's my N2K colleague Sam Meisenberg with The Learning Layer.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights
that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like The Cyber Wire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector,
as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people.
We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Irvin and senior producer Jennifer Eiben.
Our mixer is Tré Hester with original music by Elliott Peltzman.
The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.