CyberWire Daily - LockBit picks a brawl with banks.
Episode Date: June 26, 2024

LockBit drops files that may or may not be from the Federal Reserve. Progress Software patches additional flaws in MOVEit file transfer software. A popular polyfill open source library has been compromised. DHS starts staffing up its AI Corps. Legislation has been introduced to evaluate the manual operations of critical infrastructure during cyber attacks. Researchers discover a new e-skimmer targeting CMS platforms. A breach at Neiman Marcus affects nearly 65,000 people. South African health services grapple with ransomware amidst a monkeypox outbreak. Medusa is back. On the Learning Layer, Sam and Joe discuss the CISSP's CAT format and how to walk into test day with confidence. The VA works to clear the backlog caused by the ransomware attack on Change Healthcare.

Our 2024 N2K CyberWire Audience Survey is underway, make your voice heard and get in the running for a $100 Amazon gift card. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
On our Learning Layer segment, host Sam Meisenberg and Joe Carrigan continue their discussion of Joe's ISC2 CISSP certification journey using N2K's comprehensive CISSP training course, which includes a simulated Computer Adaptive Test (CAT) final exam. Sam and Joe discuss the CISSP's CAT format and how to walk into test day with confidence. Good luck Joe!
Selected Reading
Lockbit Leaks Files for Evolve Bank & Trust in Its Alleged ‘Federal Reserve’ Data Dump (Metacurity)
Progress Software warns of new vulnerabilities in MOVEit Transfer and MOVEit Gateway (Cyber Daily)
Polyfill supply chain attack hits 100K+ sites (Sansec)
Exclusive: DHS hires first 10 AI Corps members (Axios)
US House bill seeks to assess manual operations of critical infrastructure during cyber attacks (Industrial Cyber)
Caesar Cipher Skimmer targets popular CMS used by e-stores (Security Affairs)
Neiman Marcus confirms breach. Is the customer data already for sale? (Malwarebytes)
South Africa’s national health lab hit with ransomware attack amid mpox outbreak (The Record)
New Medusa malware variants target Android users in seven countries (Bleeping Computer)
After Crippling Ransomware Attack, VA Is Still Dealing with Fallout, Trying to Pay Providers (Military.com)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.
Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me.
I have to say, Delete.me is a game changer. Within days of signing up, they started removing my
personal information from hundreds of data brokers. I finally have peace of mind knowing
my data privacy is protected. Delete.me's team does all the work for you with detailed reports
so you know exactly what's been done. Take control of your data and keep your private life private. Go to JoinDeleteMe.com slash N2K and use promo code N2K at checkout.
The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout.
That's JoinDeleteMe.com slash N2K, code N2K.
LockBit drops files that may or may not be from the Federal Reserve.
Progress Software patches additional flaws in MoveIt file transfer software.
A popular Polyfill open source library has been compromised.
DHS starts staffing up its AI Corps. Legislation has been introduced to evaluate the manual
operations of critical infrastructure during cyber attacks. Researchers discover a new e-skimmer
targeting CMS platforms. A breach at Neiman Marcus affects nearly 65,000 people. South African health services grapple with ransomware amidst a monkeypox outbreak.
Medusa is back.
On the Learning Layer, Sam and Joe discuss the CISSP's CAT format
and how to walk into test day with confidence.
And the VA works to clear the backlog caused by the ransomware attack on Change Healthcare.
It's Wednesday, June 26, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thank you for joining us here today.
As always, it's great to have you with us.
Following an apparent failure in negotiations,
the LockBit ransomware gang published a trove of files it claims to have stolen from the U.S. Federal Reserve. This Russian-linked gang posted 21 links to files,
including directories, torrents, and archives from Evolve Bank and Trust. Recently, the feds
accused Evolve Bank Corp. of unsafe banking practices. LockBit had threatened to release
the data on June 25th if the ransom wasn't paid. They claim to have 33 terabytes of sensitive
banking information, and they criticize the U.S. central bank's negotiator. Cybersecurity experts
doubt LockBit's claims, suggesting the gang seeks attention after Operation Cronos damaged
its reputation. The release of Evolve's files supports this skepticism. This month, the Federal
Reserve Board issued a cease-and-desist order to Evolve Bank & Trust for deficiencies in anti-money
laundering, risk management, and consumer compliance. The Federal Reserve hasn't addressed LockBit's claims,
but some data may have been collected during their investigations.
Evolve, based in Memphis, Tennessee, serves individuals and small businesses in at least
17 states and reported $1.3 billion in assets in 2022. Known for partnerships with fintech platforms like MasterCard and Visa,
Evolve is investigating the breach and cooperating with law enforcement.
The bank plans to provide more information as it confirms the details.
Progress Software has issued a security alert about two new vulnerabilities in its MOVEit file transfer
software. The first is a critical authentication bypass issue in MOVEit Gateway, and the second
is a high-severity bypass flaw in MOVEit Transfer's SFTP service. Progress has released patches
and advises immediate upgrades to the latest versions. Testing by Rapid7 confirmed
the vulnerabilities in default configurations, highlighting risks if attackers know a username,
after which the account can authenticate remotely and the SFTP service is exposed.
Over 1,000 public-facing MOVEit Transfer servers are mainly in the U.S.,
and hackers are already exploiting these vulnerabilities.
Previous similar vulnerabilities have led to widespread exploitation,
including by the CLOP ransomware gang.
Polyfill software is a JavaScript library
that enables old browsers to support modern web features
by providing necessary code implementations.
Researchers now say polyfill.js, a widely used open-source library, has been compromised.
Over 100,000 sites, including JSTOR, Intuit, and the World Economic Forum,
embed polyfill.js using cdn.polyfill.io.
In February, a Chinese company acquired the domain and GitHub account,
subsequently injecting malware into mobile devices via these sites.
Complaints on GitHub were quickly removed.
The malware, decoded by Sansec, redirects mobile users to a fake sports betting site using a domain mimicking
Google Analytics. It targets specific mobile devices at certain times, avoids admin users,
and delays execution when web analytics are detected. The original author advises against
using Polyfill as modern browsers no longer need it. Trustworthy alternatives are available from Fastly
and Cloudflare. The Department of Homeland Security has hired its first 10 members for its new 50-person
AI Corps, aiming to leverage artificial intelligence across its operations. The team will focus on
areas such as countering fentanyl trafficking, combating online child sexual exploitation, and enhancing cybersecurity.
DHS Secretary Alejandro Mayorkas highlighted the significant interest in this initiative,
which aims to safely and responsibly deploy AI within the federal government.
The initial hires come from diverse backgrounds,
including government, big tech,
startups, and research communities. Mayorkas noted the stiff competition for these roles,
with over 3,000 applications, facilitated by new flexible hiring practices for AI jobs.
Bipartisan legislation has been introduced in the U.S. House to create a public report for evaluating the manual operations of critical infrastructure during cyberattacks.
The bill, led by Congressman Dan Crenshaw and Representative Seth Magaziner, aims to address rising cyberthreats from nations like China, Russia, Iran, and North Korea.
The Contingency Plan for Critical Infrastructure Act requires the Cybersecurity and Infrastructure Security Agency
and FEMA to assess how critical infrastructure
can transition to manual operation during cyber incidents
and evaluate current response plans.
This includes examining costs, challenges,
and policy recommendations to ensure continuous
operation. The bill underscores the need for private sector involvement in protecting vital
systems such as water, energy, transportation, and communications. Researchers at Sucuri discovered
a new e-skimmer, the Caesar Cipher Skimmer,
targeting e-stores using CMS platforms like WordPress, Magento, and OpenCart.
This skimmer modifies the WooCommerce checkout PHP page to steal credit card data, using tactics such as mimicking Google Analytics and obfuscating code.
The skimmer uses a Caesar cipher to conceal its payload by encoding the domain hosting the malicious code.
Attackers register domains with slight misspellings to evade detection.
The malware connects to a remote server via WebSocket,
customizing responses for each infected site.
Some scripts check for logged-in WordPress users.
Researchers found Russian comments in older script versions.
Luxury retail chain Neiman Marcus has informed customers of a May cyber attack
compromising a database with personal information. The breach affected just under 65,000 people,
exposing names, contact details, dates of birth, and gift card numbers, excluding PINs.
The attacker, Spider, offered the data for sale on BreachForums, including customer shopping records and employee data.
The breach is linked to the Snowflake incident, which has affected multiple brands.
The sale post has since disappeared from BreachForums.
South Africa's National Health Laboratory Service is grappling with a ransomware attack
disrupting lab result dissemination amid an outbreak of monkeypox. The attack began Saturday,
deleting system sections, including backups, and requiring extensive rebuilding.
The NHLS, operating 265 labs nationwide, has shut down certain systems for repairs
and enlisted external cybersecurity firms. Despite functional labs, automated report
generation is disabled, forcing urgent results to be communicated manually.
The attack, using an unidentified ransomware strain, did not compromise patient databases. South Africa's health sector,
already strained by ransomware attacks, faces increased urgency due to the monkeypox outbreak
with three deaths and 16 confirmed cases. The government is under pressure to enhance cybersecurity,
especially as global healthcare systems face similar ransomware threats.
The Medusa banking trojan for Android, also known as TangleBot,
has re-emerged after a year of relative inactivity,
targeting countries including France, Italy, the US, and the UK. The latest campaigns
use compact variants with fewer permissions and new features, like initiating transactions
directly from compromised devices. Discovered by researchers at Cleafy, these campaigns involve
24 different operations using SMS phishing to distribute malware through fake apps.
Medusa's updated versions now request fewer permissions, retain keylogging and SMS manipulation
capabilities, and introduce commands for actions like screen overlay and screenshot capturing.
Despite no presence on Google Play, the threat is growing as its distribution methods evolve.
Coming up after the break
on our Learning Layer segment,
Sam Meisenberg and Joe Carrigan
continue their discussion
of Joe's ISC2 CISSP certification journey.
Stay with us.
Transat presents a couple trying to beat the winter blues.
We could try hot yoga.
Too sweaty.
We could go skating.
Too icy.
We could book a vacation.
Like somewhere hot.
Yeah, with pools.
And a spa.
And endless snacks.
Yes! Yes! Yes!
With savings of up to 40% on Transat South packages, it's easy to say, so long to winter. Visit Transat.com or contact your Marlin Travel Professional for details.
Conditions apply.
Air Transat. Travel moves us.
Do you know the status of your compliance controls right now? Like, right now?
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation
to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize
key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their
personal devices, home networks, and connected lives. Because when executives are compromised
at home, your company is at risk. In fact, over one-third of new members discover they've already
been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
On today's Learning Layer segment,
our host Sam Meisenberg is joined once again by my Hacking Humans co-host Joe Carrigan
to continue their discussion of Joe's ISC2 CISSP certification journey.
Today, they're discussing the CAT format and how to walk into test day with confidence.
Welcome back to the Learning Layer segment.
Today, we're continuing our conversation with Joe Carrigan
as he gets ready for his CISSP.
And this is a special one because we keep saying,
I think last time we said you're in the home stretch, Joe.
Yes.
You're in the home stretch.
This is real.
This is like right before you cross the finish line.
That's right.
So this is where you're sprinting.
Right.
So let's start with the, I was about to say elephant in the room.
That's the CAT in the room,
which is this test is going to be different
than other tests that you've taken.
On an adaptive test, you can't go backwards.
Right.
Because this actually makes sense.
It needs to adapt to you in real time
depending on if you get the question right or wrong.
Right.
So it's scoring you in real time.
And therefore, since you chose it and you moved on,
you can't go back and change your answer.
So what does adaptive mean?
Like what's happening behind the scenes? Well, basically, let's just pretend we're on question
one, right? We're on question number one. If you get that question right, the engine, the CAT engine
behind the scenes is saying, oh, Joe got this question right. So I'm going to feed him a question
that's slightly harder. You get that one wrong.
Oh, it's going to feed you a question that's slightly easier.
That's what we mean by adaptive.
So that's it.
That's the whole thing.
That's what's happening behind the scenes.
If you were to open the hood of a CAT,
how it basically works is it's trying to get you to a point
where you get every other question wrong.
So it's trying to get you, the average test taker,
to basically where you're hovering or straddling
something called the passing threshold. So basically what's happening is it's saying
at the end of this test, the minimum, how many questions, Joe, is a minimum on the test?
100.
100. At question 100, is Joe completely above this passing threshold? And if you're above, you pass.
If you are below at question 100, you fail.
If you're straddling the line, what happens next, Joe?
You get more questions.
You get more questions.
Up to how many?
Up to 50 more.
It can end at any point.
It could be 101, it could be 102, 110, whatever.
Right.
Now, there's something unique about those questions
from 101 to potentially 150
that's different from questions one to 100.
Do you know the difference?
I do.
I don't.
There are no experimental questions.
There are no experimental questions.
In 101 to 150.
Okay.
So, what is an experimental question?
I feel like I'm being used as a guinea pig here.
You are.
You actually are.
What they do is they need to test out the validity of questions.
So they give it to real test takers.
And then they use that data to say, is this a fair question?
Are enough people getting it right?
Are enough people getting it wrong?
And then if it passes all the rounds of testing, it will show up on a future exam.
Okay.
The experimental question is unscored.
The thing is, you don't know which questions are experimental, which aren't.
So you need to approach every question like it's the real deal.
Okay, hold on.
So in the first 100 questions, there are going to be some number of experimental questions.
I'll tell you the number.
Okay, what is it?
Well, let me ask you.
If you were a test maker, how many questions,
how many experimental questions would you put on the test? How many do you think is fair?
10. That's what CompTIA does. About 10. CompTIA or this is ISC squared? I bring up CompTIA to
compare them to ISC2. CompTIA says 10. ISC2 says 25. 25% of the questions are experimental.
Wow is right.
Yeah.
So this is why people walk out of the test and they're like, what just happened?
Right.
They feel like they failed, even though they didn't.
They feel floored.
They feel confused.
They are like, I didn't study that content.
What happened?
Right.
Partly is because they're throwing you experimental questions.
And this is why it's so important not to spend too much time on one single question
because there's a 25% chance it actually doesn't matter.
So I take 100 questions.
Yes.
25 of them don't count.
Correct.
If I'm above the passing threshold with the 75 that do count.
Correct. Test is over. Correct. So when they feed you more questions from 101 to 150, they all count.
It's all real. I think it was like over time. Every question matters. And it could,
that could be the one question that puts you above or below. I like to tell people,
you should bank enough time
to make sure you have more time
towards the end of those questions.
Okay.
And you want to give yourself enough time
in case you go to overtime
because all those questions are real,
they impact your score so much,
and you want to spend a lot of time on those questions
since they're so important.
What else you want to know about the CAT?
Maybe we should tell people what CAT stands for,
Computer Adaptive Test.
Yes, yes.
And all it means is just adapting to you as a test taker
whether you get a question right or not.
Did we cover that?
I don't know if we did.
Now people know.
Right.
And also, what you don't want to do,
you don't want to look silly in front of your friends,
you can't say CAT test or CAT exam.
That's like an ATM machine.
There you go.
When are you taking your test?
What day of the week?
It's Monday.
What time of day?
Three o'clock, 3:30 in the afternoon.
Is it three or 3:30, Joe?
It's 3:30.
Okay, you got to make sure.
3:30 to 6:30.
Okay.
I got the email today.
Excellent.
It might be a good idea to actually take your practice CAT on a Monday at 3:30.
Okay.
So you get used to, you know, like, are you hungry at that time? What is your body doing? You know, you can sort of, it's just a clever way to get you more ready for game day.
I will eat lunch before I do this. Normally I don't eat lunch because I, you know, eat breakfast and then I don't get hungry again until like five o'clock.
Yeah.
Exactly.
And you don't want to get hungry during the test because then you're thinking about food and you're thinking about the content.
Right.
Also, about food, test day is not the time to experiment with that new Indian place that you're thinking about.
Don't change your routine at all for exam day is what I would say.
Okay.
So just stick with what you normally would.
Think of it as like just another practice test.
That's how comfortable you want to be on exam day.
They actually, whether you love them or hate them, Tom Brady talks a lot about, like, performing well on the biggest stage in the Super Bowl.
And basically what he says is, it's just another game. It's not. Of course it's not. You can't
trick yourself, but you have to trust all the reps you've put in. And if you treat every moment
during practice in the regular season as those high stress moments, then when the real thing happens at the highest stakes,
it's just going to feel like another one of those practice tests.
Cool.
I guess as we wrap up here, Joe, and you're getting ready for the test day, what questions do you have?
There's nothing I'm wondering about. I'm just the, you know, the thing is that I, one of the big things that I'm going to need to do is to try to focus and relax when I go in there.
Yeah.
And like you said, I put the work in. I should be able to go in there and pass this test. It shouldn't really be a problem. And I've got to go in with that mindset and get into the mental state.
Exactly.
So Joe, I am a betting man.
I'm putting all my money on you.
I know you're going to do it.
Next time we talk, you will be a,
well, you have to go through the credential process, but you'll be one step closer to being a CISSP.
Okay.
So good luck.
I hope so.
Thank you.
That's Sam Meisenberg and Joe Carrigan.
Good luck, Joe. Cyber threats are evolving every second and staying ahead is more than just
a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of
solutions designed to give you total control, stopping unauthorized applications, securing
sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com
today to see how a default-deny approach can keep your company safe and compliant.
And finally, four months after a devastating ransomware attack
on Change Healthcare, which handles prescription processing and community provider payments for the Department of Veteran Affairs, efforts to clear the backlog of payments to pharmacies and medical providers are ongoing.
The attack disrupted services at hospitals and clinics, including those under the Defense Department and the VA. Despite immediate disconnection from the affected networks and thorough system checks,
the VA faced a significant backlog of claims and invoices for services and prescriptions.
The attack caused delays in pharmacy services for some veterans and greatly impacted the
companies managing the VA's network
of community and non-network providers. This disruption led to over 1 million delayed pharmacy
prescriptions and 6 million delayed invoices handled by Optum Public Sector Solutions and
TriWest Healthcare Alliance. During a press conference, VA officials shared that the
backlog of pharmacy prescriptions should be cleared by August, with payments completed by October 1st.
They also aim to restore claims processing payments by July and regularize direct VA provider payments by February.
Despite these challenges, officials reassured that patient care remains unaffected.
Some providers have struggled due to delayed payments, but VA Secretary Denis McDonough emphasized that the department prioritizes payments to non-network providers, ensuring
continuity of care.
While the breach exposed some VA data, the full extent remains unclear, as Change Healthcare
has not provided detailed information.
Cyber attacks on the U.S. healthcare industry have increased significantly,
with the Department of Health and Human Services noting a 256% rise over the past five years.
In response, the VA has enhanced its IT security measures and continuous training for employees
to prevent future attacks.
It's frustrating to see our military veterans, who have sacrificed so much,
caught up in the middle of this cyber attack.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
We're privileged that N2K Cyber Wire is part of the daily routine of the most influential leaders
and operators in the public and private sector, from the Fortune 500 to many of the world's
preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to
optimize your biggest investment, your people.
We make you smarter about your teams while making your teams smarter.
Learn how at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester with original music and sound design by Elliot Peltzman.
Our executive producer is Jennifer Iben.
Our executive editor is Brandon Karp.
Simone Petrella is our president.
Peter Kilby is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided
apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.