CyberWire Daily - Hacktivism in the war between Hamas and Israel, with a possibility of escalation. Healthcare cybersecurity. Looting FTX. CISA releases resources to counter ransomware.
Episode Date: October 13, 2023
Hacktivism and nation-state involvement in the cyber phases of war in the Middle East, and the use of Telegram. Russian groups squabble online. Healthcare cybersecurity and its implications for patient care. The Looting of FTX on the day of its bankruptcy. Joe Carrigan shares research from the Johns Hopkins University Information Security Institute. Our guest is Mike Walters from Action1, marking the 20th anniversary of Patch Tuesday. And CISA releases two new resources against ransomware. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/196
Selected reading.
Israeli Cyber Companies Rally as Digital, Physical Assaults Continue (Wall Street Journal)
Israel Sees Cyber Incursions Across Digital Systems (Wall Street Journal)
Hackers infiltrated Israeli smart billboards to post pro-Hamas messages, reports say (Business Insider)
THE HAMAS ISRAEL : CONFLICT EXPLAINER - CYFIRMA (CYFIRMA)
The First 72 Hours of the Israel-Hamas War: Hamas and PIJ Activity on Telegram (Flashpoint)
Cyber Aggression Rises Following the October 2023 Israel-Hamas Conflict (Radware)
EU opens probe into X over Israel-Hamas war misinformation (Financial Times)
EU opens formal investigation into illegal content on X (Computing)
X removes hundreds of Hamas-affiliated accounts since attack, CEO says (Reuters)
US cyber agencies in 'very close contact' with Israel after unprecedented Hamas attacks (Nextgov.com)
Five threats security pros everywhere need to focus on as the Middle East war escalates (SC Media)
Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care 2023 (Proofpoint)
New Clues Suggest Stolen FTX Funds Went to Russia-Linked Money Launderers (WIRED)
CISA Releases New Resources Identifying Known Exploited Vulnerabilities and Misconfigurations Linked to Ransomware | CISA (Cybersecurity and Infrastructure Security Agency CISA)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Hacktivism and nation-state involvement in the cyber phases of the war in the Middle East
and the use of Telegram, Russian groups squabble online,
healthcare cybersecurity and its implications for patient care,
the looting of FTX on the day of its bankruptcy.
Joe Carrigan shares research from the Johns Hopkins University Information Security Institute.
Our guest is Mike Walters from Action1, marking the 20th anniversary of Patch Tuesday.
And CISA releases two new resources against ransomware.
I'm Dave Bittner with your CyberWire Intel briefing for Friday, October 13th, 2023.
The Wall Street Journal reports increased cyberattacks as Israeli forces strike into Gaza in retaliation for attacks by Hamas over the weekend.
Most of the offensive cyber action the Journal describes is directed against Israel,
and most of it remains the nuisance-level DDoS activity that typically characterizes hacktivism.
Defacements, another hacktivist staple, have also been observed. Security firm
Check Point told CNBC that two smart billboards used for video advertising in Tel Aviv were
briefly hijacked Thursday. The attackers managed to switch the commercials to anti-Israeli, pro-Hamas
footage. CNBC quotes Check Point's Gil Messing as saying,
the substituted video showed the Palestinian flag, a burning Israeli flag, and images of the fighting.
The incident was short-lived. The Wall Street Journal also describes threats of more significant
cyber attacks. For the most part, these threats have been simply that, claims intended to
intimidate and inspire fear, but there has been an increase in attempts against infrastructure.
So far, these have been parried, but the threat remains a concern to Israel, particularly as
threat actors more capable than the ordinary hacktivists join the action. Security firm
Sepio told the Journal that they've seen
a rise in activity from Iran and Syria, as well as from Russian hacktivist auxiliaries,
including Killnet. Flashpoint researchers conclude that Telegram has become a principal
communication channel for Hamas and groups that align themselves with that organization.
Flashpoint says,
Telegram, with its 700 million plus strong user base,
has evolved into a pivotal communication hub for Hamas and Palestinian Islamic Jihad. Its robust privacy and encryption protocols safeguard communications
while also providing a covert operational space for militant groups and cyber criminals.
Researchers at Radware outline the course the cyber phases of the war have taken.
Radware has been looking at hacktivist claims of DDoS on Telegram,
where claimed attacks spiked on Saturday and have remained at elevated levels since then.
Target selection, as reported by the hacktivists themselves,
concentrated on Israeli government sites,
then on news and media, travel, financial services, education, and finally health care.
Radware also observed a number of DDoS attacks.
They ranged in duration from minutes to hours, in some cases up to 24 hours.
Russian hacktivist auxiliaries have not been unanimous on the war in the Middle East.
Killnet has been outspoken against Israel during the current fighting Hamas initiated last weekend,
as has Anonymous Sudan. The Cyber Army of Russia disagrees sharply, not because it wishes to engage on behalf of Israel,
but because the Cyber Army sees war in the Middle East as a distraction from Russia's main concern, the war in Ukraine.
Cyble's Cyber Express reports that the Cyber Army of Russia is seeking to organize sentiment against Killnet under the hashtag StopKillnet.
Menacing texts and other messages represent a low-grade, targeted, and unpleasant form of influence operations.
Israelis have been receiving threatening texts and WhatsApp messages, apparently from Hamas
sympathizers in Yemen and Afghanistan.
Bloomberg reports that Israeli partners and Jewish parents in other
countries are having their children delete social media apps, especially Instagram and TikTok,
to avoid exposure to violent images. Much of this is preventative, a precaution rather than
a reaction, but Hamas has distributed images of executions and hostage-taking. The European Union
is pursuing its investigation into X, the platform formerly known as Twitter. According to the
Financial Times, an EU commissioner wrote X, we have from qualified sources reports about
potentially illegal content circulating on your service despite flags
from relevant authorities. X's proprietor, Elon Musk, replied, Our policy is that everything is
open source and transparent, an approach that I know the EU supports. Please list the violations
you allude to on X so that the public can see them. After some other dismissals and protests of misunderstanding,
X announced, according to Reuters, that it's removed hundreds of Hamas-affiliated accounts
and taken action to remove or label tens of thousands of pieces of content. The EU is
looking into the actions X took to moderate its content as it evaluates its next steps in the case.
A Ponemon Institute survey commissioned by Proofpoint looked at the consequences of cyber
attacks against healthcare organizations. These attacks are both a business risk and a threat to
patient care and patient privacy. The study found that 88% of healthcare organizations sustained an average of
40 cyber attacks over the past 12 months, with the average total cost of successful attacks reaching
$4.5 million. Losses included all direct cash outlays, direct labor expenditures,
indirect labor costs, overhead costs, and lost business opportunities. The most expensive
consequence of these attacks was disruption to normal healthcare operations because of system
availability, causing an average of $1.3 million in losses. Elliptic has published an analysis of
the $477 million theft of cryptocurrency from FTX in November 2022,
noting that of the stolen assets that can be traced through ChipMixer,
significant amounts are combined with funds from Russia-linked criminal groups,
including ransomware gangs and darknet markets,
before being sent to exchanges.
The researchers add, whoever was behind the hack,
the stolen assets continued to be moved and laundered through the blockchain.
Various cross-asset and cross-chain laundering techniques
have been used to avoid seizures of these assets
and to attempt to conceal the money trail.
And finally, the U.S. Cybersecurity and Infrastructure Security Agency
has released two resources for identifying vulnerabilities and misconfigurations exploited by ransomware.
The first is a Known to be Used in Ransomware Campaigns column in the Known Exploited Vulnerabilities catalog, which identifies KEVs associated with ransomware campaigns.
The second resource is titled Misconfigurations and
Weaknesses Known to be Used in Ransomware Campaigns. It's on the stopransomware.gov
website, and it identifies misconfigurations and weaknesses associated with ransomware campaigns.
The table features a column that identifies the cyber performance goal action for each misconfiguration
or weakness. Take a look. The advice is actionable and relevant.
Coming up after the break, Joe Carrigan shares research from the Johns Hopkins University
Information Security Institute.
Our guest is Mike Walters from Action1, marking the 20th anniversary of Patch Tuesday.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster
with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass
your company's defenses is by targeting your executives and their families at home? Black
Cloak's award-winning digital executive protection platform
secures their personal devices,
home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk.
In fact, over one-third of new members
discover they've already been breached.
Protect your executives and their families
24/7, 365 with Black Cloak.
Learn more at blackcloak.io.
This past Tuesday was this month's Patch Tuesday,
a monthly event that's been around long enough now that its cadence is something folks in InfoSec hardly think twice about.
But how did Patch Tuesday start, and why did it catch on?
Mike Walters is VP of Vulnerability and Threat Research and co-founder of security firm Action1,
and I spoke with him about the legacy of Patch Tuesday.
Microsoft introduced it back in October of 2003.
So it's been almost 20 years,
which also coincides with the 20th year anniversary of Cybersecurity Awareness Month.
And prior to 2003, the approach to deploying security updates
had been pretty much on an ad hoc basis,
here and there, different vendors releasing updates.
And then in October of 2003,
Microsoft introduced this concept of Patch Tuesday,
which is a monthly security patch release cycle,
which set the cadence and made scheduling
of security updates more predictable.
On top of that, they added other information sources. So initially it was the security bulletin system. And then in 2017,
they replaced it with the security update guide, which is a comprehensive vulnerability information
source. And then on top of security updates, they just use the same
channels to make non-security updates, feature updates available along with security updates.
But still, the main focus remains on setting the cadence for ensuring that security updates reach
all of the systems that need those. There's been some mishaps along the way, of course.
There's pretty much early on, so there's been some very well-known incidents like back in
Windows XP Service Pack 2, 2004, so about a year since the introduction.
So that caused major compatibility issues with some third-party applications and hardware.
And then Windows Vista 2007.
Yeah, there's been issues which Microsoft took to heart.
So they worked with the customers.
They understood the concerns.
Over time, they've been trying to improve the quality.
There's still issues that remain, right?
There's still, you know, as recent as actually August of this year, the cumulative update had issues with certain types of hardware causing blue screens of death.
And that's a major thing because it's all about trust and reliability. Because if you don't deliver reliable updates on a consistent basis, then people lose trust and they stop installing
those updates. And that's not what you want to have. It's all over the news. There's security
breaches. There's, well, some well-known attacks like WannaCry back in 2017 that showed the
importance of timely patching. Because if you don't do this, then your attack surface is,
you know, you're exposed.
You basically have open doors for anyone to come in and hack your systems.
And other organizations have sort of adopted this cadence as well, right?
It's not just Microsoft anymore.
Yeah, Adobe, Oracle, a few other vendors, they fit in the same cycle.
And some of them even integrated with Microsoft Update systems to provide the same update channel, essentially, and simplify lives of IT professionals.
Unfortunately, not everyone does it, which makes patching of different applications really challenging, right? Because if you run a big stack of applications
and you need to patch those,
first of all, there's no consistency in the release cycles.
Patch Tuesday is not every vendor's approach.
And also the technology,
how do you deploy those updates regularly and consistently?
That's highly dependent on the vendor technology, unfortunately.
But there's been some industry developments that attempt to streamline that and make it
more standardized.
But so far, we have yet to see the actual results of that.
Have we seen any examples of any of the adversaries taking advantage of this cadence of knowing
that things are going to happen on this sort of schedule?
Unfortunately, yes.
Quite recently somebody coined a term, Exploit Wednesday,
which is Wednesday that follows Patch Tuesday.
Patch Tuesday, second Tuesday of the month, 10 a.m.,
Microsoft publishes all the CVEs that they have patched
in the cumulative update that's released on that day.
And all the threat actors mostly know that the majority of organizations don't deploy
those updates right away.
And there's a testing requirement.
So they take advantage of that.
And as soon as the following day, we hear about massive exploitation attempts.
It becomes extremely easy because there's vulnerabilities
well documented.
Sometimes there's proofs of concept.
Sometimes there's existing hacker tool sets
that can be used to make those exploits,
readily available exploits, basically.
But there have been incidents taking advantage of that.
But it's best to document
them, make patches available, and then there's probably better ways to do mitigation controls,
such as in the future, I suppose there's going to be technologies that isolate vulnerabilities
before they're patched. Maybe there are ways to tackle this. But yeah, to answer your question,
so unfortunately it has its negative side effects
as public vulnerability source,
which is available to everyone,
not just to the good people,
but to bad people as well.
That's Mike Walters from Action1. And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information
Security Institute and also my co-host over on the Hacking Humans podcast.
Hey there, Joe. Hi, Dave.
You have some interesting information to share with us that came out of your place of employment,
the Johns Hopkins University. What's going on here, Joe?
So we have finished up conducting a cybersecurity survey of Maryland residents. This was a survey commissioned by the Maryland Cybersecurity Council. We received some funding
from the National Cryptologic Foundation
and we provided some funding ourselves.
And this was a pilot study that we did
to kind of get a gauge,
put our finger on the pulse
of Maryland cybersecurity awareness
to see really how we would focus
another research study to get a better look at what the cybersecurity posture of Maryland looks like.
So this is sort of a preliminary study to better focus the next study that you will do.
Exactly.
Right. So what are some of the interesting bits of information you all gathered here?
So one of the things I want to talk about is we asked some basic knowledge questions. And we said, what is social engineering in an information security context?
25% of people got that right out of a possible four answers with an I don't know.
So I guess five answers.
Yeah.
25% of people got that right.
That's pretty close to a random guess.
Right.
So it seems to me that people don't really know what the term social
engineering means, which indicates that, well, once again, Joe was right. And this is a terrible
term. Okay. And I've said this many times. I don't like the term social engineering. First time I
heard it, I thought of something completely different than what it is. But in the security
industry, we all call it social engineering. By contrast, 61% of people
know what phishing is, which actually in our study, we found pretty similar results to the
most recent Proofpoint State of the Phish report where they found 58% of people were able to
correctly identify that term. So we're pretty close there. 70% of people said they knew what
multi-factor authentication was. And when you break that down further,
we found that 42% of people say they use some form of multi-factor authentication
on their more important accounts.
And then other people use it on most accounts,
like 25% of people say they use it on most accounts.
And then only 23% say they use it everywhere it's offered.
The fact that people are using it, that's good.
It's a large percentage of people who are using it at some level. I don't use it on all my accounts.
I don't recommend that everybody use it on all their accounts. All their very important accounts,
I say yes. Only seven and a half percent of people, though, were using hardware tokens,
which we talk about frequently. There's some shocking information about passwords. 20% of
people use the same password for most of their accounts. Wow. And only 26% said they use long,
complex passwords. And that kind of lines up with the percentage of people that use a password
manager at 28%. So that doesn't surprise me that those two numbers are very close because if you use a password manager, it'll generate the complex passwords for you.
Right, right.
And it removes the burden of having to remember them.
Exactly.
Yeah.
We also asked some questions about victimization, and we found that victims of crimes and scams, 20% of people said they had been a victim of ransomware.
In the follow-on study, I want to do a more in-depth probe of that.
Where were you a victim of ransomware?
Is that at your workplace or is it at home?
When we asked people, this was kind of shocking.
We asked the respondents, has your information been breached to your knowledge?
45% said yes.
The other 55% said no or they didn't know.
17% said they didn't know.
38% said no.
I'm sure everyone who listens to this podcast knows that just about everybody has had their data breached at some point in time.
Right.
I just got a couple of letters last week about another data breach that contained my personal information.
So I'm shocked that less than half the people in Maryland are aware of this as an issue,
or at least it would seem that way.
Wow.
23% of people said they were victims of a scam,
online scam, where they had lost some kind of money, some amount of money.
And we even had two, we asked them how much they had lost.
We had two respondents who said they had lost $100,000.
Wow.
And nine people who said they had lost in the tens of thousands of dollars.
Now, I don't know if the two that said they lost $100,000 are accurate or they're just like outliers.
I mean, they're definitely outliers, but are they accurate outliers?
I am not shocked by the $100,000 number on these things.
We've had all kinds of stories.
We had a story on Hacking Humans coming out that you covered somebody who lost $600,000 on an online scam.
Right, right.
So $100,000 is not out of the realm of possibility for these things.
Yeah.
The average loss was $3,000.
That's a mean, just a simple mean. And even if you take out the two $100,000 losses, the mean is still around $1,500 a person who suffered a loss,
which if you do the extrapolation out to the full population, a very naive extrapolation,
albeit, you wind up with a total loss of about $2.1 million, or billion
dollars, billion with a B. Wow. Which is a lot of money out of Maryland, just out of Maryland alone.
Yeah. So next, we want to get some funding. We're going to try to get some funding for a
broader survey that is more scientific. For this one, you used MTurk, which is fine for running a survey like this,
but I really want to get a, and Dr. DeBoer and I want to get a really good sample and a really
good distribution. We're probably going to engage with somebody that has the infrastructure to do
this. I mean, we're interested in this, but in the Information Security Institute and in computer
science, we really don't have the infrastructure for this.
Right.
Maybe we'll reach over to someone in our social sciences departments to find out.
Oh, there you go.
But ultimately, we would like this to be the result or the result of these surveys to be policy around protecting the end user and the consumer, the average person in Maryland.
Huh.
Are you looking to do an awareness campaign?
An awareness campaign would be good, an education campaign.
Changing the curriculum in schools would be awesome.
Yeah.
Understanding that just a basic, even ads,
just running something from a public service announcement that says,
Microsoft doesn't give you their phone number in pop-up ads.
Right, right.
You know, they just don't do it.
Yeah.
Don't call them.
Well, there's that saying, you know,
you don't know where you're going if you don't know where you are.
Right.
So by establishing kind of ground truth through a survey like this,
this sort of mechanism,
then you know where we got to go,
how far away are we from the ideal.
Yep.
Yeah.
And then we can also take follow-on surveys again to see if these have any results, see
if these campaigns have any results.
Yeah.
All right.
Interesting stuff.
Joe Carrigan, thanks so much for joining us.
It's my pleasure, Dave. Thank you.
ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's edition of Research Saturday and my conversation with Amit Malik from Uptycs.
We're discussing their research, Unwanted Guests, Mitigating Remote Access Trojan Infection Risk.
That's Research Saturday. Do check it out.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights that help keep you
a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and
podcasts like the Cyber Wire are part of the daily intelligence routine of many of the most
influential leaders and operators in the public and private sector, as well as the critical security teams. We make you smarter about your team while making your team smarter. Learn more at n2k.com.
This episode was produced by Liz Ervin and senior producer Jennifer Iben.
Our mixer is Trey Hester with original music by Elliot Peltzman.
The show was written by our editorial staff.
Our executive editor is Peter Kilby and I'm Dave Bittner.
Thanks for listening. We'll see you back here next week.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.