CyberWire Daily - LockBit reloaded: Unveiling the next chapter in cybercrime.
Episode Date: February 26, 2024

LockBit's reawakening. China's ramp up to safety for vital sectors. Data leak leaves China feeling exposed. Malware hidden by North Korea in fake developer job listings. UK Watchdog rebukes firm for biometric scanning of staff at leisure centers. SVR found adapting for the cloud environment. DOE proposes cybersecurity guidelines for the electric sector. Wideness of breach in the financial industry revealed. Moving on to better things. Things are looking up in the cybersecurity startup ecosystem. UK's National Cyber Security Centre announced they are launching a Cyber Governance Training Pack for boards. N2K’s President Simone Petrella talks with Elastic's CISO Mandy Andress about the CISO role and the intersection of cybersecurity, law, and organizational strategy. And, there’s a facial recognition battle going on at Waterloo, the University of Waterloo that is.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Simone Petrella, N2K’s President, talks with Mandy Andress, Elastic's CISO, about the CISO role and the intersection of cybersecurity, law, and organizational strategy.

Selected Reading
LockBit Ransomware Gang Resurfaces With New Site (SecurityWeek)
LockBit ransomware gang attempts to relaunch its services following takedown (The Record)
China to increase protections against hacking for key industries (Reuters)
The I-Soon data leak unveils China's cyber espionage tactics, techniques, procedures, and capabilities. (N2K CyberWire)
Fake Developer Jobs Laced With Malware (Phylum Blog)
Data watchdog tells off outsourcing giant for scanning staff biometrics despite 'power imbalance' (The Register)
SVR cyber actors adapt tactics for initial cloud access (National Cyber Security Centre)
New DOE-Funded Initiative Outlines Proposed Cybersecurity Baselines for Electric Distribution Systems (Energy.gov)
LoanDepot says about 17 million customers had personal data and Social Security numbers stolen during cyberattack (TechCrunch)
Actual filing to Office of Maine Attorney General: Data Breach Notifications - Consumer Protection (Maine.gov)
U-Haul data breach affects 67,000 customers in US and Canada (AZ Central)
Actual filing to Office of Maine AG: Data Breach Notifications - Consumer Protection (Maine.gov)
Funding Down, Optimism Up: The Bright Spots For Cybersecurity Startups In 2024 (Forbes)
NCSC to Offer Cyber Governance Guidance to Boards (InfoSecurity Magazine)
'Facial recognition' error message on vending machine sparks concern at University of Waterloo (CTV News)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners. Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
LockBit's reawakening.
China's ramp up to safety for vital sectors.
Data leak leaves China feeling exposed.
Malware hidden by North Korea in fake developer job listings.
UK watchdog rebukes firm for biometric scanning of staff at leisure centers.
SVR found adapting for the cloud environment.
DOE proposes cybersecurity guidelines for the electric sector.
Wideness of breach in the financial industry revealed.
Things are starting to look up in the cybersecurity startup ecosystem.
UK's National Cyber Security Centre announced they are launching a cyber governance training pack for boards.
N2K President Simone Petrella talks with Elastic CISO Mandy Andress about the CISO role in the intersection of cybersecurity, law, and organizational strategy.
And there's a facial recognition battle going on at Waterloo.
Today is February 26, 2024. I'm Trey Hester, filling in for Dave Bittner,
and this is your CyberWire Intel Briefing.
The LockBit ransomware gang has re-emerged with a new website, signaling its intent to continue malicious activities. This resurgence serves as a stark reminder of the persistent challenges faced by organizations worldwide. Despite previous takedowns and disruptions, LockBit's return demonstrates the resilience and adaptability of cybercriminal organizations. Unveiling a new LockBit website reaffirms their commitment to expanding operations and attracting new victims. A few key takeaways from this return of LockBit include resilience of cybercriminals, sophisticated attacks, the ransomware-as-a-service model, preventative measures, and collaborative defense.
Following the recent data breach of the Chinese Ministry of Public Security, China moves to bolster cybersecurity measures in key industries, underscoring the global imperative to fortify defenses against cyber threats. With escalating cyber espionage and attacks, organizations worldwide must prioritize robust cybersecurity strategies. The growing sophistication of cyber adversaries necessitates proactive defense measures, including comprehensive risk assessments, advanced threat detection systems, and employee training. Collaborative efforts within and across industries are crucial for sharing threat intelligence and best practices to mitigate cyber risks effectively.
In a significant cybersecurity revelation, documents reportedly leaked on GitHub have exposed the inner workings of iSoon, a Chinese information security company allegedly involved in extensive cyber espionage attacks. The documents include contracts, product manuals, and employee lists pointing to a comprehensive support system for Beijing's hacking endeavors. These tools demonstrate iSoon's capability to infiltrate various systems undetected. Targets span across continents and sectors, implicating telecommunications firms, government departments, and even educational institutions in countries including India, Thailand, Vietnam, South Korea, and NATO members. Analysis of the documents suggests that iSoon functions as an APT for hire, working with China's Ministry of Public Security and possibly other state agencies. The collaboration aligns with Beijing's increasingly aggressive cyber espionage strategies. The leaked documents not only reveal the technical aspects of these operations, but also shed light on the human element within iSoon.
Phylum's research arm has unveiled a sophisticated malware campaign targeting developers through open-source NPM packages. Attackers, disguising malicious code within seemingly benign packages like ExecutionTimeAsync, aim to steal cryptocurrency and credentials. Techniques include masquerading as legitimate software, exploiting service and dormant accounts, and self-hosting malicious dependencies to evade detection. The campaign has evolved, responding to NPM package takedowns by shifting tactics, including hosting malicious content on self-run servers. Evidence suggests a connection to North Korean state-sponsored activities, highlighting the significant risk to developers and the broader software supply chain. Developers are urged to exercise caution, vetting any code from the internet closely to avoid falling victim to these sophisticated attacks.
The UK's Information Commissioner's Office has mandated Serco to halt the use of facial recognition and fingerprint scanning for monitoring over 2,000 employees across 38 leisure centers, citing unlawful biometric data processing. Highlighting the power imbalance and lack of opt-out options, the ICO demands the destruction of all unlawfully retained biometric data within three months. Emphasizing the risk and irreversible nature of biometric breaches, the ICO's enforcement stresses the need for fair and proportionate use of such technologies in the workplace.
And over to our pronunciations desk, we have Alice Carruth from the T-Minus Space Daily podcast to assist with the proper pronunciation of leisure.
It's leisure, Trey. Leisure. Thank you.
Be sure to check out the T-Minus Space Daily podcast on the N2K Space Network or wherever you get your podcasts.
A recent NCSC advisory highlights the threat posed by the SVR, also known as APT29, as they adapt tactics for initial cloud access, targeting sectors from aviation to the military. Using techniques like brute forcing and exploiting dormant accounts for initial access, the SVR has moved beyond traditional on-premise network attacks. The use of residential proxies helps them stay undetected, posing significant challenges to cybersecurity risk management. Effective mitigations remain multi-factor authentication and identity and device enrollment policies. This evolution underscores the need for robust security measures against sophisticated threats, especially as organizations increasingly rely on third-party cloud-based infrastructure.
The U.S. Department of Energy has announced new cybersecurity baselines for electric distribution systems and distributed energy sources like solar and wind. Developed in partnership with the National Association of Regulatory Utility Commissioners, the initiative aims to protect America's energy infrastructure against growing cyber threats. By providing uniform cybersecurity standards, the DOE seeks to prevent a fragmented approach to cybersecurity across states, enhancing the resilience of the nation's electric systems. The effort underscores a collaborative push towards safeguarding critical energy infrastructure against major risks, with further work planned in 2024 to develop implementation strategies and adoption guidelines for nationwide standardization.
In an update to our earlier coverage about the LoanDepot data breach, the company has now confirmed that nearly 17 million customers were impacted by the ransomware attack. The breach exposed sensitive personal information, including Social Security numbers, names, dates of birth, and financial details. This incident marks a significant escalation in cyber risks to the financial industry, with LoanDepot joining the ranks of companies like Fidelity National Financial, which also have suffered major cyber attacks recently. The full impact of this breach on LoanDepot's financial health remains to be seen.

In a recent breach notification filed with the Maine Attorney General, U-Haul confirms a data breach impacting 67,000 customers in the U.S. and Canada, compromising names, birthdates, and driver's license numbers. The breach occurred throughout the second half of 2023 and was initially discovered in December of 2023. Affected customers have been notified. The breach, due to unauthorized access with legitimate credentials, led to enhanced security measures and free credit monitoring for affected individuals.
Friend of the show David DeWalt, also the managing director of NightDragon and former CEO of both FireEye and McAfee, just published the analysis and some optimistic predictions for the cybersecurity startup market in 2024. David reports that in 2023, cybersecurity investments fell by 40% amidst a broader 35% decrease in global venture capital. Despite this downturn, customer demand continues to grow. CISOs report increased budgets for 2024, with IT investment expected to rise by 8%. Seed rounds, making up 42% of the funding, highlight a sustained interest in early-stage innovation. And significant raises, such as Hill Security's $4.6 million, reflect confidence in startups tackling emerging risks like AI and quantum. The shift to more sustainable investment and business models is the key, and David predicts a strong 2024 across mergers, AI, and early-stage companies.
And this is a UK-heavy briefing today. The UK's National Cyber Security Centre announced they are launching a Cyber Governance Training Pack for boards to enhance cyber risk management skills and knowledge. This initiative emphasizes boards' vital role in cybersecurity governance, offering practical guidance to leverage technology benefits and mitigate threats like cybercrime and ransomware. It also complements another initiative, a proposed cyber governance code of practice by the Department of Science, Technology, and Innovation, aiming to educate boards on risk management without needing to be tech experts.
Coming up after the break, N2K President Simone Petrella talks with Elastic CISO Mandy Andress about the CISO role and the intersection of cybersecurity, law, and organizational strategy.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies, like Atlassian and Quora, have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for a thousand dollars off.

And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
N2K President Simone Petrella sat with Elastic CISO Mandy Andress to talk about the CISO role in the intersection of cybersecurity, law, and organizational strategy. Here's Simone.

Today we have Mandy Andress from Elastic, CISO at Elastic here. Mandy, I wanted to start by asking you, I noticed that you have a law background as well. Besides wanting to know how you decided to come into the practice of law after being in cybersecurity, I'm curious, you know, in light of all these breaches, we saw editorially that the Biden administration was reporting to be preparing an executive order that was going to try and really stay foreign governments' ability to access personal data on Americans, especially ones that could potentially jeopardize national security. And in light of just the massive breach that occurred recently across all of these domains, is there anything you can comment on from a policy perspective on the implications of something like that if that executive order were to go into effect?

I mean, at the end of the day, the United States, whether through executive order or other actions, we need to take action in cyber deterrence measures, whatever that looks like for whatever is being targeted at that time. A lot of discussion, it's critical to the country, critical to national security, and we're just continuing to see that more and more. As an aside as to why I got into law, I became very, very fascinated being in security, watching to try and see how older laws were being applied in modern day with current technology and the challenges and interesting scenarios that created that just sent me to law school because I like to learn new things.

Yeah. And I asked the question because I did the same thing. I was in security for 10 years and I went back to law school and got a law degree. So I recognize the sort of desire in it. Have there been any particular areas that you have found that degree helpful as the laws have, you know, they have changed significantly over the 10 years. They move slowly. But what are some of the things that you're seeing is that starts to impact our industry on the cybersecurity side?
It largely gave me the language to communicate better with, whether it's regulators or counsel, and also interpretation. So we're only getting more and more regulations and frameworks, and oftentimes on the surface, what may appear to be conflicting requirements across regulations. But having that background can go through and read just the background of the regulation, what was intended and understand how that was translated into what we see today and then how it's being implemented in the guidelines and procedures that are coming out of that. And really being able to put all of that together and have translated into what does that mean for my organization and being able to communicate this regulation says you need to take X, Y, Z steps. And we recognize that doesn't make sense just literally as written in our environment, but we can go back and see, well, this is what was intended and this is how we can meet that intention of the regulation. And here's how we show that and explain that. And that's been a key skill that I really gained out of the law school experience.

In that vein, what are some recommendations that you would give to your colleagues that are serving as CISOs and organizations impacted by the new SEC disclosure rules? And is there anything that you would recommend they put in place, given some of the up for debate components or language that's been used in defining materiality and things like that?

I think the key thing to me is if you are not already best friends with your general counsel or chief legal officer, go do that right now. Build that relationship. You will be working hand in hand with them because ultimately as a CISO, we're managing risk and protecting an organization, but there's much broader business context that goes into what the SEC is looking for in the determination of materiality. That's not something that a CISO can do on its own and it's something that a broader organization needs to define for itself. So CISOs, general counsels, chief legal officers, working hand in hand are the ones that are working with the rest of senior leadership and boards to define what are those measures and what are the lines that we're drawing in materiality, pictures that we're drawing for our company to then continue to implement and follow the new SEC guidelines?
Great takeaway. And really a reminder that cybersecurity is truly a team sport and there is a paradigm shift that's kind of happening in the way that we think about CISOs' jobs or job roles and where they fit within the organization. You know, you've been in the industry for so long. What are some of the major areas you have seen evolve when it comes to just that approach to cybersecurity from an organizational standpoint? And are we improving? Are we getting better? Are we moving the needle in the right direction?

Definitely moving the needle in the right direction. The biggest change that I have seen is the recognition and acknowledgement that security is a core business risk and business issue. When I first started, it was very small, highly technical teams within IT. And now we've seen the evolution where CISOs are oftentimes reporting directly to the CEO and having input into business strategy and how does that impact and somehow either decrease or increase risks for the organization that we need to mitigate. So that's the biggest piece that I've seen. I've also just seen awareness grow. When I first came into internet security and websites and web hacking was a thing. And I was demonstrating to an internal auditor at a company that I was at. And they looked at me and was like, why would anyone do that? I was showing a SQL injection and how you just put all of this garbage into this field. And it was hard at that time for people to comprehend why would someone not use the website in the way that it was intended. And we've only seen that continue to grow and expand. And to where now, earlier and earlier in the cycle, look at it and go, okay, there's some really good things that we could do here. But there's also some things that are maybe not so good that could happen. And what do we do with that? How do we approach that? How do we try to head that off? So that's probably the second big change that I've seen.

That's N2K President Simone Petrella speaking with Elastic CISO Mandy Andress.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. [...] designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
With TD Direct Investing, new and existing clients could get 1% cash back.
Great! That's 1% closer to being part of the 1%!
Maybe, but definitely 100% closer to getting 1% cash back with TD Direct Investing.
Conditions apply.
Offer ends January 31st, 2025.
Visit td.com slash dioffer to learn more.
I was defeated, you are the one. Waterloo, I promise to love you forevermore.
And finally, there's a facial recognition battle going on at Waterloo, the University of Waterloo. An error showed up on a candy vending machine at the University of Waterloo. A student recognized the error, and soon a photo of the error was circulated around the university. M&M machines throughout the university have been altered by students covering up the tiny hole in the front that is thought to house the camera for facial recognition. Noting that the demographics of the university tend to be those in their late teens and early twenties, students question the violation of privacy and the use of the technology. They've taken it upon themselves to add their own sweets to the vending machines, as those on campus now have creatively covered the holes with gum and other sticky substances. The vending machine company claims no ownership of the demographic data collected, and M&M Mars has not responded to inquiries. It doesn't look like this battle of Waterloo will have a sweet ending for the candy machines, as students cleverly outsmart the facial recognition systems.
And that's The CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. This episode was produced by Liz Stokes. Our mixer is me with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karp. Our executive editor is Peter Kilpe. And I'm Trey Hester filling in for Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.

[...] Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.