CyberWire Daily - Hospitals on the hotplate after ransomware attacks.
Episode Date: November 28, 2023

Ransomware targets healthcare organizations. WildCard deploys SysJoker malware. DPRK cryptocurrency theft. The status of Ukraine's IT Army. A Russian news outlet unmasks Killmilk. Our Industry Insights guest today is Guy Bejerano, CEO and Co-Founder of SafeBreach, discussing risk reduction in action. And there's discord on dark markets about large language models.

CyberWire Guest
Our Industry Insights guest today is Guy Bejerano, CEO and Co-Founder of SafeBreach, discussing risk reduction in action: the future of BAS and continuous threat exposure management. You can connect with Guy on LinkedIn and find out more about SafeBreach on their website.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/225

Giving Tuesday
Our team offers up some suggestions for Giving Tuesday should you feel inclined to join us in sharing your time, talents or treasures on this day of giving back.
Arizona Cyber Initiative
Association for Women in Science
BlackGirlsHack
Cyber Guild
Exceptional Minds
G{Code}
Girls Who Code
Lurie Children's Hospital
NFAR
Melwood
Tech Kids Unlimited
WiCyS
Women of Cyberjutsu

Selected Reading
Cyberattack on US hospital owner diverts ambulances from emergency rooms in multiple states (CNN)
Portneuf Medical Center experienced ransomware attack. Hospital is adapting with pencils and paper (East Idaho News)
Ardent Health Services Reports Information Technology Security Incident (BusinessWire)
Vanderbilt University Medical Center investigating cybersecurity incident (The Record)
Criminal hacking group breaches data, including Premier Health (WDTN 2 News)
Global Threat Intelligence Report (Blackberry)
ISRAEL-HAMAS WAR SPOTLIGHT: SHAKING THE RUST OFF SYSJOKER (Check Point Research)
Operation Electric Powder – Who is targeting Israel Electric Company? (ClearSky Cyber Security)
New Rust-based SysJoker backdoor linked to Hamas hackers (Bleeping Computer)
WildCard: The APT Behind SysJoker Targets Critical Sectors in Israel (Intezer)
DPRK Crypto Theft | macOS RustBucket Droppers Pivot to Deliver KandyKorn Payloads (SentinelOne)
Leader of pro-Russia DDoS crew Killnet 'unmasked' by Russian state media (The Register)
Ukraine's Volunteer IT Army Confronts Tech, Legal Challenges (CEPA)
Cybercriminals can't agree on GPTs (Sophos)

Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Ransomware targets healthcare organizations.
Wildcard deploys SysJoker malware.
DPRK cryptocurrency theft.
The status of Ukraine's IT army.
A Russian news outlet unmasks Killmilk.
Our Industry Insights guest today is Guy Bejerano, CEO and co-founder of SafeBreach,
discussing the benefits of breach and attack simulation.
And there's discord on dark markets about large language models.
Today is Tuesday, November 28th, 2023. I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Our top story today involves a major ransomware attack targeting Ardent Health Services, a Tennessee-based healthcare provider, on Thanksgiving, causing significant disruptions across hospitals in East Texas, New Jersey, Idaho, New Mexico, and Oklahoma. The attack affected all 30 of Ardent's U.S. hospitals, necessitating the diversion of ambulances to alternative facilities.
In response to the attack, Ardent's technology team immediately started working to protect data and restore system functionality.
They took their network offline, suspending access to various IT applications,
including corporate servers, the internet, and clinical programs.
The incident has been reported to law enforcement,
and Ardent is collaborating with third-party forensic and threat intelligence advisors.
The extent of any compromised patient health or financial data remains unclear.
In a related development, Vanderbilt University Medical Center in Nashville, Tennessee,
is probing a cybersecurity incident involving a compromised database.
Preliminary findings suggest that the database did not contain personal or protected information
about patients or employees. Furthermore, the patient engagement company Welltok reported a
breach earlier this year following an attack by the Cl0p ransomware gang. This incident exposed data of at least 426,000 patients from Premier Health in Ohio
and another company based in Georgia.
These stories highlight the vulnerability of healthcare organizations,
the degree to which attackers are finding them attractive targets,
and the challenges security professionals face when preparing for and responding to these
threats. BlackBerry's Global Threat Intelligence report for the third quarter of 2023 reveals a
significant rise in unique malware samples compared to the previous quarter. The financial
services sector remains the most frequently targeted, with evidence suggesting that the
same cybercriminal groups might be attacking various institutions across different economic sectors.
This trend is partly attributed to the growth of malware-as-a-service platforms like Rusty Stealer, RedLine, and Lumma Stealer, which are widely available on underground forums and marketplaces.
These developments have led to a convergence of attacks on traditional cybercrime targets and critical infrastructure in various countries,
facilitated by the use of shared and commodified tools.
Additionally, the report highlights a notable 181% increase
in unique malware attacks in the healthcare industry.
Researchers have discovered a new variant of SysJoker malware written in Rust
that is actively targeting mostly Israeli entities amid the ongoing conflict between Hamas and Israel.
Check Point, who analyzed the malware, hasn't attributed it to any specific group
but observes its use aligns with Hamas interests.
SysJoker, previously developed in C++, has been employed since 2021 in attacks against
infrastructure, potentially linked to Operation Electric Powder targeting Israel
Electric Company, attributed to the Gaza Cybergang. Intezer, first to report on SysJoker, identifies the current activity as
the work of an advanced persistent threat group they name Wildcard. This APT engages in social
engineering tactics like phishing emails, fake social media profiles, and bogus news sites,
and also exploits legitimate cloud services. Intezer notes that Wildcard, whose exact affiliation is unclear,
consistently targets Israeli critical sectors,
including education, IT infrastructure, and possibly electric power generation.
Researchers at SentinelOne have identified two North Korean cryptocurrency theft campaigns
named RustBucket and KandyKorn. The RustBucket
campaign initially employed a secondary malware called SwiftLoader disguised as a PDF viewer.
This malware activated while victims engaged with a lure document, subsequently retrieving and
executing another stage of malware written in Rust. The KandyKorn campaign was more complex,
a multi-stage operation aimed at blockchain engineers
working for a cryptocurrency exchange.
It utilized Python scripts to deploy malware
that compromised the host's Discord app,
eventually introducing a backdoor remote access trojan
named KandyKorn, developed in C++.
Recently, there's been a convergence of these campaigns with elements of RustBucket, specifically SwiftLoader droppers,
being used to deliver the KandyKorn payloads. The Moscow-based news outlet Gazeta has reportedly
identified the person behind the hacker alias Killmilk as Nikolai Serafimov.
Serafimov, known for being media savvy yet maintaining a concealed identity,
often appeared with his face hidden by a balaclava resembling a stereotypical hacker image.
Despite his marketing acumen, he is considered technically unskilled and more of a self-promoter.
His reputation has been tarnished by accusations from former colleagues who labeled him a thief involved in running a DDoS-for-hire service and participating in various charity scams.
These actions are alleged to harm the Russian cause. His former associates have been hesitant to disassociate
from him due to fear of retaliation, as Killmilk allegedly possesses compromising information about
their identities. The public exposure of his identity indicates a potential decline in his
influence and reputation in the hacking community. The Center for European Policy Analysis published an essay analyzing the
IT army of Ukraine, highlighting the legal ambiguities often surrounding such organizations.
The IT army is compared to U.S. military auxiliaries like the Civil Air Patrol and the
Military Auxiliary Radio System, serving as an auxiliary force with a different mission but
similar status. Operating under effective authority, the IT Army claims to be a non-combatant
entity that adheres to the laws and customs of war, a claim supported by current evidence.
CEPA notes that the IT Army primarily engages in DDoS attacks. The essay also proposes that the IT Army could serve as a model
for smaller or less resource-endowed nations
that are unable to sustain a full-scale military cyber command,
offering an alternative approach to cyber defense and warfare.
Coming up after the break, our guest Guy Bejerano, CEO and co-founder of SafeBreach, discusses the benefits of

your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
$1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of
new members discover they've already been breached. Protect your executives and their families 24-7,
365, with Black Cloak. Learn more at blackcloak.io.
A growing number of organizations are finding that breach and attack simulation plays a critical role in their enterprise security programs,
automating threat vector testing to enhance defenses.
In this sponsored Industry Voices segment, Guy Bejerano, a former CISO himself and now
CEO at SafeBreach, shares insights on
developing effective breach and attack simulation strategies. First of all, you need to understand
as an organization, what is your strategy? What are the business scenarios that you are protecting?
And once you have that, to apply a breach and attack simulation technology to actually challenge that and to make sure that you're doing the right things is everything.
And so it doesn't matter if you're an organization that relies on detection, for example.
A lot of OT organizations are not really preventing because preventative controls in an OT environment is really challenging.
So if you're relying on detection, you want to make sure that whatever detection rule you have will actually fire at the right moment.
And the only way to do that is either waiting for an attack to happen, which is not that good, or to test it.
And so that type of strategy can be tested continuously. If you are an organization that relies on segmentation or prevention,
you can actually test your controls to make sure that you're getting the most out of them in those fields as well. So using BAS technology to really test your strategy and make sure that
it's operating as expected is a critical path. I think BAS is still relatively new on the block.
I'm curious what you've found with your customers
in terms of strategies for getting buy-in
from other teams in the organization
to adopt a deployment of a proactive BAS program.
What we see and where BAS really shines
is the ability to focus on the security program.
So instead of just chasing a long tail of problems, which are generic and doesn't really say how much you've impacted in terms of reducing
the risk, a good BAS program and technology can help you to, first of all, measure and in an
empirical way to prove out to other teams on what's the impact you're making here.
And so you're getting a lot of buy-in from other teams.
The other one is that you're dealing with less issues because, again, when you're tuning
your program to be around the critical business scenarios and you're testing against those
threats that will make the most impact on your business, all of a sudden the discussion is elevated in terms of being strategic
and you're focusing on less issues.
So it's not about patching for vulnerabilities,
but it's making sure that the attacker's path is almost impossible.
It makes everything around it more accurate and actually easier.
So working with other teams,
we found the best solutions really help to the security team
to explain and to show data,
and there you're getting more support from other teams.
How do you measure success?
When you're looking at things like KPIs and metrics,
what sort of things should people be focusing on
to see how well they're doing?
So that's a great question.
So in terms of KPIs, there are a few measurements that can be used here.
And it really depends on the way in your risk appetite and how you're looking at security in terms of strategy.
Definitely measure your time to detect.
So think about an organization that relies on a lot of detection rules and detection engineering.
You'll be able to actually test your detection mechanisms and making sure that, first of all, they will fire
at the right time, that the alert is getting to the right person, that the right ticket is opening
in your ticketing system, and you can close the entire operational cycle. Very easy to measure.
I think that detection time is critical, obviously, because your ability to actually take action
before something materialized would be a real issue.
You can measure, so KPI can be around reducing your attack
surface over time. So you can fire
millions of attacks, let's say different permutations of ransomware
against your controls, and you can see how over time you're reducing the ability of an attacker to exploit your systems,
again, in a certain way.
And that's also very measurable and easy to show for.
You can look at things like in terms of, again, KPIs,
what's the ROI I'm getting from my security controls?
So I want to make sure that if my security budget is increasing in 20%,
I can show my board that I'm reducing my risk in whatever percent you choose to.
But it's all measurable.
That's another KPI.
It can be a business KPI.
And it can be operational KPI like I have 50 different gateways
and I have the same solution that protects all gateways.
I want to make sure
that I'm getting the same output for my security control. So hold your vendors accountable for
what they promise. And with a BAS solution, you can actually do that. So you can make sure that
your Palo Alto, your CrowdStrike, your Splunk will actually work as expected across the organization.
You know, if I'm a CISO and I need to make this case that this is something I want to
implement, I'm imagining myself walking in and talking to my board of directors.
Any tips on how I communicate the value of this for the various decision makers and stakeholders?
Well, first of all, I think that regardless of what best technology you deploy, I think that, you know, for a CISO, and again, coming from a CISO position, in my history, it's most important to, whenever you're in the boardroom, to talk about business impact and not just security.
You don't do security for security.
It's all about the business and what the business impact. you're able to establish that type of legal with your board and create a repeatable model where
you present data and show for, you know, what's your exposure against certain threats and what's
the impact to the business can be a downtime, can be loss of data, et cetera. And if you can
have that empirical way of measuring the impact and provide that information to the board,
I think that's very interesting and what we see around. So first of all, define
the strategy you're going after and then tie it to data. Data
is everything. And if you can repeat that quarter over quarter
and be predictable, much like CFOs, then you're starting to
create value to the board. I know you are a former
CISO yourself,
and I'm curious, based on your experience,
where do you suppose that we're headed here
in terms of proactive security
as you look towards the horizon
and some of the challenges that we're facing?
Yeah, as you look at the horizon
and the fact that attackers are becoming more sophisticated,
everything is more automated.
Obviously, with the insertion of AI and other technologies,
you want to have the level of correctiveness to a point where you have enough time to act before an impact is carried.
So if you look at the time that it takes for a new threat to be materialized in the market,
and if it's a matter of days,
it's around six or seven days,
something like an SLA around understanding
how am I exposed to a threat
before the time of materialization in the market,
I think it's critical.
So automation embeds within everything
that you do in your operations, testing capabilities. So you'll be able to know firsthand
and to be the first one to know about something that can happen and you can take action. We have,
for example, a 24-hour SLA. So whenever there's a CERT alert or an FBI alert and the IOCs or TTPs are available,
we add it to the product in 24 hours.
That's our promise to our customers
so they can take action
before that certain threat
is populated through the entire market.
That's Guy Bejerano,
CEO at SafeBreach.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
With TD Direct Investing,
new and existing clients could get 1% cash back.
Great! That's 1% closer to being part of the 1%...
Maybe, but definitely 100% closer to getting 1% cash back with TD Direct Investing.
Conditions apply. Offer ends January 31, 2025.
Visit td.com slash dioffer to learn more.
And finally, the emergence of large language models like WormGPT and FraudGPT sold on underground forums has sparked widespread attention.
Sophos X-Ops conducted an in-depth study
revealing a mixed reception among cybercriminals.
While several GPT derivatives boast capabilities akin to these models,
skepticism prevails, with some labeled as scams.
Many in the criminal community find tools like ChatGPT overrated
and unsuitable for malware creation, citing operational security
concerns and detection risks. While some use LLMs for mundane coding or forum enhancements,
their application in generating malware remains largely aspirational and limited to proof of
concept. Unskilled actors struggle with prompt restrictions and code errors, highlighting a gap
between interest and practical application. Intriguingly, these forums also host discussions
on AI's broader implications, echoing the same logical, philosophical, and ethical debates
seen elsewhere.
And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Before we go, a quick reminder that today is Giving Tuesday,
an opportunity to show your support for your favorite charitable organization or nonprofit.
We hope you'll spare
a moment and consider giving to an organization that has meaning for you. We've included a list
of some of our team's favorite worthy causes in our show notes. We'd love to know what you think
of this podcast. You can email us at cyberwire at n2k.com. Your feedback helps us ensure we're
delivering the information and insights
that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like The Cyber Wire are part of the daily intelligence
routine of many of the most influential leaders and operators in the public and private sector,
as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people.
We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Ervin and senior producer Jennifer Iben.
Our mixer is Trey Hester with original music by Elliot Peltzman. Our executive producer is
Brandon Karp. Our executive editor is Peter Kilby. And I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.