CyberWire Daily - Key player unmasked in global ransomware takedown.

Episode Date: October 8, 2024

Western authorities I.D. a key member of Evil Corp. A major U.S. water utility suffers a cyberattack. ODNI warns of influence campaigns targeting presidential and congressional races. A California deepfakes law gets blocked. Europol leads a global effort against human trafficking. Trinity ransomware targets the healthcare industry. Qualcomm patches a critical zero-day in its DSP service. ADT discloses a breach of encrypted employee data. North Korean hackers use stealthy PowerShell exploits. On our Threat Vector segment, David Moulton and his guests tackle the pressing challenges of securing Operational Technology (OT) environments. Machine Learning pioneers win the Nobel Prize.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

Threat Vector Segment
In this segment of Threat Vector, David Moulton, Director of Thought Leadership at Palo Alto Networks, hosts cybersecurity experts Qiang Huang, Palo Alto Networks VP of Product Management for Cloud Delivered Security Services, and Michela Menting, Senior Research Director in Digital Security at ABI Research, to discuss the pressing challenges of securing Operational Technology (OT) environments. Join us each Thursday for a new episode of Threat Vector on the N2K CyberWire network. To hear David, Michela and Qiang's full discussion, check it out here.
Selected Reading
Police unmask Aleksandr Ryzhenkov as Evil Corp member and LockBit affiliate (The Record)
American Water, the largest water utility in US, is targeted by a cyberattack (Associated Press)
US Warns of Foreign Interference in Congressional Races (Infosecurity Magazine)
US Judge Blocks California's Law Curbing Election Deepfakes (BankInfo Security)
Global Police Track Human Traffickers in Online Crackdown (Infosecurity Magazine)
Recently spotted Trinity ransomware spurs federal warning to healthcare industry (The Record)
Qualcomm patches high-severity zero-day exploited in attacks (Bleeping Computer)
ADT says hacker stole encrypted internal employee data after compromising business partner (The Record)
North Korean Hackers Employ PowerShell-Based Malware With Serious Evasion Techniques (Cyber Security News)
'Godfather of AI' shares Nobel Prize in physics for work on machine learning (CNN)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Western authorities ID a key member of Evil Corp, a major U.S. water utility suffers a cyber attack. ODNI warns of influence campaigns targeting presidential and congressional races. A California deepfakes law gets blocked.
Starting point is 00:02:16 Europol leads a global effort against human trafficking. Trinity Ransomware targets the healthcare industry. Qualcomm patches a critical zero day in its DSP service. ADT discloses a breach of encrypted employee data. North Korean hackers use stealthy PowerShell exploits. On our Threat Vector segment, David Moulton and his guests tackle the pressing challenges of securing operational technology environments. And machine learning pioneers win the Nobel Prize. It's Tuesday, October 8th, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today. It is great to have you with us.
Starting point is 00:03:18 Western authorities have identified Russian national Aleksandr Ryzhenkov as a key member of the Evil Corp cybercrime group and a LockBit affiliate, charging him with using BitPaymer ransomware. This revelation came alongside multiple arrests related to the LockBit scheme, including suspected money launderers in the UK and a LockBit developer in France. A bulletproof hosting provider was also arrested in Spain. Ryzhenkov extorted U.S. businesses by encrypting their data and demanding ransom. Authorities also linked former Russian intelligence officer Eduard Bendersky to Evil Corp, accusing him of protecting the hackers from internal Russian authorities.
Starting point is 00:04:11 In response, the U.S., U.K., and Australia imposed financial sanctions on several individuals and entities linked to these cybercriminals. LockBit's operations, while still active, have been significantly weakened following law enforcement seizures of its infrastructure. Officials believe many of LockBit's affiliates have moved to alternative platforms as some data leaks on its darknet site are outdated or falsified. The investigation also revealed that LockBit's system allowed the group to retain victim data despite promising to delete it. American Water, the largest regulated water utility in the U.S., revealed a cyber attack that led to the temporary suspension of customer billing. The company, serving over 14
Starting point is 00:04:54 million people in 14 states, detected unauthorized activity and took immediate protective measures, including shutting down certain systems. Despite the breach, operations and facilities were unaffected. The company is investigating the attack with law enforcement and assured customers they won't face late fees while systems are down. American Water operates over 500 systems across 1,700 communities. It's one month before the U.S. presidential election, and the U.S. intelligence community is monitoring foreign interference from Russia, China, and Iran. The Office of the Director of National Intelligence yesterday warned of influence campaigns targeting both
Starting point is 00:05:37 the presidential and congressional races. These efforts aim to undermine trust in the election, particularly if the results are contested. Russia and Iran are focused on shaping voters' preferences towards specific candidates, with Russia favoring Donald Trump and Iran supporting Kamala Harris. China, while not interfering in the presidential race, is targeting congressional candidates perceived as threats to its interests, especially regarding Taiwan. Russia is also attempting to sway congressional races by encouraging opposition to pro-Ukraine policies. The ODNI is monitoring additional influence operations from other foreign actors, including Cuba. A U.S. federal judge has blocked most of California's new law aimed at restricting
Starting point is 00:06:28 election-related deepfakes, citing free speech concerns. The law, signed on September 17, required online platforms to remove or label AI-generated content 120 days before an election. Plaintiff Chris Coles, who creates political videos using AI, challenged the law, arguing it violated First Amendment rights. U.S. District Judge John A. Mendez agreed, granting a preliminary injunction, stating the law acted as a blunt tool that stifled free expression. While Mendez rejected most of the law, he upheld a provision requiring audio-only manipulated content to include periodic audible disclosures.
Starting point is 00:07:13 California Governor Gavin Newsom's office expressed confidence in the regulation, saying it protects elections while preserving free speech, and pointed to similar laws in other states. Last month, global police forces collaborated in a Europol-led digital operation to identify human trafficking suspects and victims. The EMPACT hackathon involved 27 countries, including 19 EU states and others like the UK, Brazil, and Ukraine. Over four days, 76 experts focused on detecting online trafficking activities
Starting point is 00:07:51 involving legal business structures, social networks, cryptocurrency, and gaming platforms. Investigators checked 252 entities, identifying 16 suspected traffickers and 60 potential victims. identifying 16 suspected traffickers and 60 potential victims. A dark web discovery revealed traffickers offering victims for sale or hire, with individuals priced between $800 and $60,000. Additionally, the operation targeted exploitation of Ukrainian refugees and uncovered disturbing e-pimping schemes. This crime-as-a-service involves online platforms offering courses to men on exploiting women through OnlyFans management.
Starting point is 00:08:34 Human trafficking, often digitally enabled, continues to trap victims in forced labor, fraud, and sexual exploitation. A new ransomware strain called Trinity has targeted at least one U.S. healthcare entity, according to the U.S. Department of Health and Human Services. In an advisory, HHS warned that Trinity poses a significant threat to the healthcare sector with tactics resembling other ransomware strains like Venus and 2023Lock. First spotted in May 2024, Trinity has already affected seven victims,
Starting point is 00:09:11 including healthcare providers in the US and UK. The ransomware encrypts files and demands payment in cryptocurrency within 24 hours, threatening to leak stolen data. It also scans networks to exploit vulnerabilities and spread. No decryption method is available. Trinity shares similarities in its code and ransom notes with Venus and 2023 Lock, suggesting possible collaboration among these threat actors.
Starting point is 00:09:40 Qualcomm has released patches for a critical zero-day vulnerability in its digital signal processor service, affecting multiple chipsets. The flaw, reported by Google Project Zero and Amnesty International Security Lab, is caused by a use-after-free weakness, leading to memory corruption. Qualcomm warned that the vulnerability has been exploited in targeted attacks. Patches have been provided to OEMs with recommendations for immediate deployment. Qualcomm also fixed a high-severity issue in the WLAN resource manager. Home security company ADT revealed in a regulatory filing that a hacker compromised a third-party business partner's systems using stolen credentials to access ADT's network. The hacker exfiltrated encrypted internal employee data, but ADT believes customer information and security systems were not
Starting point is 00:10:39 affected. ADT is working with federal law enforcement and has implemented countermeasures, though some disruptions occurred. The breach follows a previous incident in which hackers stole customer order information, attempting to sell it on the dark web in July. PowerShell-based malware is a type of fileless malware that exploits PowerShell to execute malicious scripts in memory, helping it evade detection by antivirus solutions. Recently, North Korean hackers, specifically the APT37 group, launched a cyber campaign called Shrouded Sleep, targeting Southeast Asian countries, particularly Cambodia. The campaign begins with phishing emails containing malicious zip files disguised as PDFs or Excel documents. These trigger a sophisticated PowerShell-based attack chain that deploys multiple payloads, including a backdoor called VeilShell,
Starting point is 00:11:39 enabling remote access to compromised systems. The malware uses advanced evasion techniques like extended sleep intervals and app domain manager hijacking to maintain stealth. It communicates with command and control servers via HTTPS, executing JavaScript to maintain persistence. Recommendations to prevent infection include avoiding unsolicited file downloads, monitoring the Windows registry, and using endpoint logging tools like Sysmon. Coming up after the break on our Threat Vector segment, David Moulton and his guests tackle the pressing challenges of securing operational technology environments. Stay with us. Do you know the status of your compliance controls right now?
Starting point is 00:12:46 Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Starting point is 00:13:26 Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365,
Starting point is 00:14:23 with Black Cloak. Learn more at blackcloak.io. On this week's excerpt from the Threat Vector podcast, host David Moulton is joined by his guests to tackle the pressing challenges of securing operational technology environments. 75% of industrial operators experience a cyber attack in their OT environments. We really need to dispel the myth that such attacks are rare in OT. You know, on the contrary, they're terribly common, just like they are in IT. And for sure, the research shows that the majority of operators have experienced an attack on their OT, and this on a monthly basis. Welcome to Threat Factor, the Palo Alto podcast where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends.
Starting point is 00:15:23 I'm your host, David Moulton, Director of Thought Leadership. Today I'm talking to Cheng Huan, VP of Product Management at Palo Alto Networks, and Michaela Menting, Senior Research Director at ABI Research. In this episode, we're going to explore the critical topic of OT security or operational technology. Michaela Menting, Xiang Huan, welcome to ThreatVector. Excited to have you here today. Thanks, David. It's my pleasure to be here. Thanks, David. Nice to be here. Cheng, can you provide a high-level overview of the most prevalent OT threats we're seeing from our vantage point here at Palo Alto Networks?
Starting point is 00:16:06 Sure, David. Before we talk about the OT threat, I think it's important for us to understand what's going on in these OT industries across manufacturing, energy, and utility. On the business side, we're seeing profound digital transformation that's driving fundamental change of the underlying network. This could be industrial 4.0, smart manufacturing, remote operation, adoption of 5G, and cloud migration. So all of these are really dramatically increased
Starting point is 00:16:38 stress surface in the OT environment. So these legacy vulnerable OT assets that are used to be air-gapped now are getting increasingly exposed to IT and cloud. So with that, no wonder we're seeing a lot more OT threats in the industrial organizations. So some of them are even becoming worse in terms of shutting down OT operations.
Starting point is 00:17:02 In our recent survey to about 18,000 industrial organizations, we see about almost 70% of them have experienced one cyber attack in the last year. And unfortunately, one out of four experienced a shutdown of the operation. So based on our understanding and the survey, the top threats can be ransomware continuing to be a top concern and top threat in the OT environment. Unsanctioned remote
Starting point is 00:17:31 connection is another one. Also in different parts of the world, I just came back from Europe, nation-state attack is also a big concern. Okay, like Chung just walked us through some of the things that we're seeing here at Palo Alto Networks. I know you've got a different perspective
Starting point is 00:17:48 from your vantage point as a researcher. Are you seeing other areas of high concern, other things that you would want to add into some of those most prevalent OT threats? Yeah, yeah. I mean, what we're seeing is a kind of history repeating itself a little bit, right? We had, you know, when IT environments started coming online, started being connected,
Starting point is 00:18:12 we're in that same phase now with OT, but just 20 years later, right? We've been covering critical infrastructure and kind of industrial systems for a number of years, for a good decade at least. And those patterns are becoming much more common now, much more prevalent. You know, unfortunately, attacks against OT are very frequent, right? And Chung mentioned it, you know, 75% of industrial operators experience a cyber attack
Starting point is 00:18:41 in their OT environments. We really need to dispel the myth that such attacks are rare in OT. On the contrary, they're terribly common, just like they are in IT. And for sure, the research shows that the majority of operators have experienced an attack on their OT, and this on a monthly basis. So it's become recurring and you know this repeated engagement um what it means is that threat actors are they're able to achieve a frightening level of success you know in their attacks um and she mentioned it you know one in
Starting point is 00:19:21 four operators had to shut down their operations last year. So that alone should put everyone on edge, right? It's a very high-level warning sign that something's not going right and that we're not doing enough from a security perspective. Cheng, what is it about OT environments that is causing them to be increasingly targeted by cyber threat actors? Yeah, so David, if you look at these OT environments, on one side, for manufacturers, that's where they make their revenue in terms of critical infrastructure. That's where they're running mission-critical operations. That's why often it could be a high outcome target for attackers. So we can break it up into a few buckets. One is really financially motivated. We just talked about
Starting point is 00:20:15 for ransomware, it could be ranged to the tens of millions when you get hold of these OTSs and then use ransomware as a way to get financial motivation achieved. It could be for some of the high-tech manufacturing, this could be espionage to steal intellectual capital from that environment. On the other side, for critical infrastructures,
Starting point is 00:20:41 we also see motivations in terms of nation-state or cyberterror terrorism that really create the impact in terms of a critical infrastructure for political motivation. How do IT-borne threats typically make their way into OT systems? This is honestly something that I've always been curious about. Sure. Well, I think, I mean, there's two, if you're looking at it from a very high level perspective, maybe there's two primary ways. One is, you know, you can exploit vulnerabilities in industrial control systems, right? Build a zero day around it, you know, do some smart coding and maybe brute force your way in. But, you know, that's complex, requires a lot of skills.
Starting point is 00:21:30 It's not everyone that can do that. The easier way and the very common way is through social engineering, unfortunately. And that is just immensely popular because it works all the time. Not all the time, but it works more often than not, right? You have email compromise, you have phishing, and threat actors are able to obtain credentials that they then use for remote access.
Starting point is 00:21:56 And quite often, it starts in the IT space and then they escalate their privileges and there's a lot of lateral movement that happens until they can hit those OT assets. But I think increasingly you'll see some of that happen target directly OT, right? So they won't even need to go through the IT space to get to those OT assets. So unfortunately today, I mean, it's still very much, you know, kind of whacking someone over the head for the password rather than trying to, you know, crowbar their way in through an iron door or something like that. So social engineering, unfortunately, is highly prevalent and still highly successful, even against OT.
Starting point is 00:22:42 Cheng, what is the most important thing that a listener should remember from this conversation? Yeah, actually I'd like to highlight two things, if that's okay. I think one is really in the light of all this trend, make sure that you work with your organization,
Starting point is 00:23:01 work with your management to really have that top-down alignment to make OT security a key initiative. That's very important to get to that alignment at the OT collaboration.
Starting point is 00:23:14 Then from the technology side, it's really about make sure you gain the visibility of your OT environment and then think about the platform approach to really provide that holistic visibility
Starting point is 00:23:25 and security at the same time for multiple, you know, threat surfaces we're observing. So that's also very important for you to be able to scale for today and also for the future. Michaela Chung, thank you for a great conversation today. I appreciate you sharing all of your insights on OT security and the convergence that you've seen between OT and IT and some of the insights that you brought forward from your great report. Thank you, David.
Starting point is 00:24:00 Appreciate it. It was great being here and I think we had a great discussion. Thanks for listening to this segment of the Threat Vector podcast. If you want to hear the whole conversation, you can find the show in your podcast player. Just search for Threat Vector by Palo Alto Networks. Each week, I interview leaders from across our industry and from Palo Alto Networks to get their insights on cybersecurity, the threat landscape, and the constant changes we face. See you there.
Starting point is 00:24:33 Don't forget you can find the complete Threat Vector podcast right here on the N2K Cyber Wire network or wherever you get your favorite podcasts. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com
Starting point is 00:25:24 today to see how a default-deny approach can keep your company safe and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And finally, the 2024 Nobel Prize in Physics was awarded to John Hopfield and Jeffrey Hinton for their pioneering work in machine learning, which laid the foundation for today's AI advancements. Hinton, often called the godfather of AI, and Hopfield, a Princeton professor, developed artificial neural networks based on the brain's structure, enabling machines to learn from experience rather than following preset instructions. Their discoveries, including Hopfield's 1982 network and Hinton's Boltzmann machine,
Starting point is 00:26:18 revolutionized AI, transforming fields like healthcare and space exploration. Hinton has expressed growing concern about the potential dangers of AI, transforming fields like healthcare and space exploration. Hinton has expressed growing concern about the potential dangers of AI even leaving his role at Google to raise awareness. While he acknowledges AI's incredible potential to improve productivity he worries that AI could surpass human intelligence and become uncontrollable. Despite these concerns, Hinton remains proud of his work, recognizing both its promise and risks as AI continues to shape our future. Still, no Nobel Prize for podcasting. Priorities, people. Priorities.
Starting point is 00:27:00 priorities. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app.
Starting point is 00:27:29 Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. We're privileged that N2K Cyber Wire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your team smarter. Learn how at n2k.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Iben. Our executive editor is Brandon Karp. Simone Petrella is our president. Peter Kilby is our publisher.
Starting point is 00:28:16 And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
Starting point is 00:29:22 That's ai.domo.com.
