CyberWire Daily - Major crackdown on international cybersecurity.
Episode Date: November 29, 2023

A major ransomware gang is taken down in an international sweep. CISA and the WaterISAC respond to the Aliquippa cyberattack. Attacks against infrastructure operators hit business systems. Qlik Sense ...installations are hit with Cactus ransomware. Researchers discover a Google Workspace vulnerability. A hacktivist auxiliary compromises a Russian media site. In an exclusive interview, Eric Goldstein, Executive Assistant Director at CISA, describes their new Secure by Design Alerts program launching today. Tim Starks from the Washington Post shares some insights on the latest legislation dealing with section 702 surveillance. And security teams need not polish up that resumé after a breach.

CyberWire Guest
We have 2 guests today. First, Dave recently spoke with Eric Goldstein, Executive Assistant Director at CISA, about their new Secure by Design Alerts program that launched today. And, Tim Starks from the Washington Post's Cybersecurity 202 stopped by to share some insight into some of the latest trending cybersecurity headlines.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/226

Selected Reading
Police dismantle ransomware group behind attacks in 71 countries (Bleeping Computer)
Ransomware group dismantled in Ukraine in a major international operation supported by Eurojust and Europol (Eurojust)
Water and Wastewater Cybersecurity (CISA)
(TLP:CLEAR) Water Utility Control System Cyber Incident Advisory: ICS/SCADA Incident at Municipal Water Authority of Aliquippa (Water ISAC)
Iran hits Pennsylvania water utility. (CyberWire)
North Texas water utility serving 2 million hit with cyberattack (The Record)
DAIXIN TEAM GROUP CLAIMED THE HACK OF NORTH TEXAS MUNICIPAL WATER DISTRICT (Security Affairs)
Slovenian power company hit by ransomware (Help Net Security)
Qlik Sense Exploited in Cactus Ransomware Campaign (Arctic Wolf)
Qlik Sense Enterprise for Windows - New Security Patches Available Now (Qlik)
DeleFriend: Severe design flaw in Domain Wide Delegation could leave Google Workspace vulnerable for takeover (Hunters)
Researchers Claim Design Flaw in Google Workspace Puts Organizations at Risk (Dark Reading)
Use IAM securely (Google)

Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
A major ransomware gang is taken down in an international sweep.
CISA and the Water ISAC respond to the Aliquippa cyber attack.
Attacks against infrastructure operators hit business systems.
Qlik Sense installations are hit with Cactus ransomware.
Researchers discover a Google Workspace vulnerability.
A hacktivist auxiliary compromises a Russian media site. In an exclusive interview, Eric Goldstein,
Executive Assistant Director at CISA,
describes their new Secure by Design alerts program launching today.
Tim Starks from the Washington Post
shares insights on the latest legislation
dealing with Section 702 surveillance.
And security teams need not polish up that resume after a breach.
It's November 29th, 2023. I'm Dave Bittner, and this is your CyberWire Intel Briefing. In a major international cybersecurity crackdown, law enforcement from seven countries, with the support of Eurojust and Europol, targeted a sophisticated criminal network
responsible for ransomware attacks
on over 1,800 victims across 71 countries,
as reported by Bleeping Computer.
The operation culminated in the arrest
of the network's ringleader,
the detention of four suspects in Ukraine,
searches at 30 locations,
and the seizure of over 100 digital equipment tools.
The criminals, playing varied roles within the network, executed their attacks through multiple
methods. These included brute force attacks, SQL injection techniques, use of stolen credentials,
and phishing emails with malicious attachments to infiltrate IT networks. Once inside, they employed malware
such as TrickBot and post-exploitation frameworks like Cobalt Strike or PowerShell Empire to stay
undetected and further penetrate the systems. Often undetected for months, the attackers
eventually deployed various types of ransomware, including LockerGoga, Megacortex, Hive, or Dharma,
and then demanded ransoms in Bitcoin for decryption keys. This collaborative operation
involving law enforcement agencies from France, Germany, the Netherlands, Norway, Switzerland,
Ukraine, and the United States signifies a significant stride in the global fight against cybercrime.
The effectiveness of this international cooperation highlights the growing emphasis on tackling cyber threats that cross national boundaries.
The U.S. Cybersecurity and Infrastructure Security Agency
has identified Unitronics programmable logic controllers as the compromised systems
in the recent attack on the Municipal Water Authority of Aliquippa, Pennsylvania. CISA has issued urgent recommendations for water utilities using these PLCs.
These include changing default passwords, implementing multi-factor authentication for all remote access,
disconnecting PLCs from the open Internet and using a firewall
or VPN for necessary remote access, regularly backing up logic and configurations, changing
the default TCP port to avoid targeted cyber attacks, and updating PLC and HMI to the latest
versions. The Water Information Sharing and Analysis Center, the Water ISAC, also highlighted
the need for better operational security, especially when releasing information to the media,
as evidenced by an image released by the Water Authority that inadvertently revealed sensitive
system details. This incident emphasizes the critical need for enhanced cybersecurity measures in essential public utilities.
Ransomware attacks continue to target infrastructure operators,
with recent incidents focusing on utility business systems rather than control systems.
The North Texas Municipal Water District experienced a cyberattack impacting its business network,
as reported by The Record.
Alex Johnson, NTMWD's Director of
Communications, confirmed that while most of their business network has been restored,
their core water, wastewater, and solid waste services remain unaffected. However, their phone
system was compromised, and an investigation with third-party forensic specialists is underway
to determine the extent of any unauthorized activity and potential data impact.
Additionally, Security Affairs notes that the Daixin Team cybercriminal group
has claimed responsibility for the NTMWD attack,
alleging the theft of sensitive information, including board meeting minutes and personnel details.
In a separate incident, Slovenia's state-owned power generation company, HSE,
was hit by a ransomware attack affecting its communication and information infrastructure, according to HelpNet Security.
HSE's general director assured that control over power plants was maintained, safety was ensured,
and electricity trading continued, albeit with some limitations on transactions as a precaution.
These incidents highlight the evolving nature of cyber threats facing infrastructure sectors,
where attackers are increasingly targeting business systems,
but so far have not disrupted core operational functions.
Arctic Wolf has identified a ransomware campaign by Cactus that is exploiting vulnerabilities in publicly exposed installations of the Qlik Sense cloud analytics and business intelligence platform.
Qlik had previously issued patches for these vulnerabilities earlier in the year.
According to Arctic Wolf's researchers,
the campaign represents the first known instance where threat actors deploying Cactus ransomware
have utilized Qlik Sense vulnerabilities for initial access into systems. This development
highlights the importance of promptly applying security patches to protect against such exploits.
Researchers at Hunters Security have uncovered a design flaw in the domain-wide delegation feature of Google Workspace.
This flaw, termed DeleFriend, could potentially be exploited for privilege escalation and
unauthorized access to Workspace APIs without requiring super admin privileges.
The vulnerability opens the door for a range of unauthorized activities,
such as the theft of emails from Gmail, data exfiltration from Google Drive, and other illicit actions within Google Workspace APIs across all identities in the targeted domain.
Upon discovering this flaw, Hunters reported it to Google.
They are now collaborating with Google's security team
and products teams to develop effective mitigations.
However, a Google spokesperson has stated to Dark Reading
that the issue reported by Hunters
does not constitute an inherent security flaw
in Google's products.
Google emphasizes the importance of adhering
to best practices, such as ensuring all accounts have the minimum necessary privileges,
as a fundamental strategy to counter these sort of threats.
InformNapalm reports that hacktivists of Ukraine's cyber resistance have succeeded in
penetrating networks belonging to the Department of Information and Mass Communication at the Russian Defense Ministry.
They've made off with internal files that show how the department monitors international media coverage of Russia's war,
summarizes it for internal ministry consumption, and then selectively repurposes its take to support disinformation campaigns.
The general tenor of the department's information operations is to represent the war as going well according to plan
and depict Russian forces as capable and effective.
Coming up after the break, my conversation with Eric Goldstein, Executive Assistant Director at CISA, describing their new Secure by Design Alerts program launching today.
Tim Starks from The Washington Post shares insights on the latest legislation dealing with Section 702 surveillance.
Stay with us. Do you know the status of your compliance controls right now?
Like right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
It is always my pleasure to welcome back to the show Eric Goldstein.
He is Executive Assistant Director for Cybersecurity at CISA.
Eric, welcome back.
Thanks, David. It's always good to be here.
So, exciting announcement today from you and your colleagues at CISA.
You are launching a new program.
This is called the Secure by Design Alerts Program.
Bring us up to date here.
What does this entail and why is CISA launching this program?
Thanks, Dave. As you and many of your listeners will recall, we at CISA, as well as partners across the community,
have been focused on this concept of Secure by design really for well over a year.
And the idea here is that we can most effectively reduce the prevalence of damaging intrusions, not only by steps taken by individual enterprises, but by designing technology in a way that is more secure by design and default. And of course, we released a major piece of guidance earlier in the fall
that was joint-sealed by 14 other countries.
But we also realized that sometimes, for some in the community,
this concept of secure by design can seem a bit abstract,
can seem a bit separated from the lived realities of organizations that are experiencing
breaches like damaging ransomware attacks far too frequently. And so our new Secure by Design
Alert product series is really focusing on how Secure by Design decisions actually lead to
specific harms for organizations, school districts, small businesses, water utilities
across the country. And so our first Secure by Design alert is focused on exposed web interfaces,
which we know are often targeted by adversaries. There have been recent examples where major
adversary campaigns have targeted exposed web interfaces on edge devices.
But we also know that it is a design decision about whether a web interface is exposed as a default. And that's a design decision where vendors can wipe out thousands of intrusions just by making a simple configuration change for how the product is deployed.
And we're going to keep doing these secure by design alerts to really call attention to how design decisions relate to real world
impacts and harms for organizations around the world. And how do you imagine folks out there
who are responsible for the security in their organizations implementing this?
You know, our goal is really to help organizations ask better questions of
their vendors. And so just using the example of our first Secure by Design alert, you know,
a lot of our guidance specific to this risk of exposed web interfaces have been to tell enterprises,
for goodness sakes, remove your web interface from the open internet, or if you have to expose it, make sure that it's
well-controlled. And that has caused just a surge of activity and churn for organizations large and
small around the world. We want organizations to do that work, but also to start asking,
hey, why is this configuration setting insecure to begin with? And start asking their vendors to make better, safer decisions in how their products are designed and the default configurations they come with.
And for vendors to take more accountability for the security outcomes of their customers to make design decisions that lead to more secure outcomes.
What do you say to folks out there who are going to say, oh, I see, you know, CISA is naming and shaming now.
Yeah, you know, our goal here isn't to name and shame
in part because the problem is so pervasive.
There is no vendor out there
that is doing a perfect job of secure by design.
Every vendor, and most acknowledge this,
have room to grow and room to mature.
And so our hope here is to help the community as a whole
focus on an equilibrium of responsibility
between enterprises and vendors
such that every vendor can take steps
to advance security across their customers.
What do you imagine the cadence being of these sorts of alerts?
I wish I could say that the cadence will be infrequent,
but we know that most of the intrusion campaigns and vulnerabilities that we see do have some
secure by design issue at their root. And so, you know, these certainly won't be a weekly cadence,
but we do expect to issue these periodically throughout the year as we see major vulnerabilities
or intrusion campaigns that could have been to some degree addressed through different decisions made by different
vendors. What's the best way for folks to keep up on these alerts to keep current?
As always, our website is cisa.gov. There is an easy way to sign up for email alerts on our
webpage. And of course, we also blast them out via all relevant social media platforms.
All right.
Well, Eric Goldstein is Executive Assistant Director
for Cybersecurity at CISA.
Mr. Goldstein, thank you so much for joining us.
Thanks to you, David.
Happy holidays. And it is always my pleasure to welcome back to the show Tim Starks.
He is the author of the Cybersecurity 202 at the Washington Post.
Tim, welcome back.
Thank you.
And by the way, it is my pleasure, Dave.
Well, it's likewise.
I think we have a mutual admiration society for each other.
I've been reading your coverage in the Post about some movements here with Section 702 and Senator Mark Warner, who I think it's fair to call a usual suspect when it comes to this sort of thing.
Bring us up to date here. What's the latest?
Yeah, even if he wasn't a usual suspect, and I think that's accurate, his committee is
the Intelligence Committee, and they're one of the two committees, well, four if you count
the House side, one of the two committees, Intelligence and Judiciary, that do deal with
this Section 702 spying power.
As we know, expiring at the end of this year. The administration has been making a big press on Congress to do something about this,
especially because they say they've been using these surveillance powers to go after cyber attacks and cyber attackers.
So Senator Warner, we've been waiting all year for someone to introduce legislation on the Section 702 thing,
knowing that it expires at the end of the year.
And as of Tuesday, that happened with Senator Warner.
We have seen a couple other proposals
floating around out there.
But Senator Warner is, I would say,
potentially the most important so far,
partially because of the jurisdiction
that his committee has,
partially because it has a co-sponsor
on the Republican side
who is his top committee member
on the Republican side.
That's Marco Rubio.
It also has a top Republican member on the Judiciary Committee. That's Lindsey Graham. So you're
talking about some important players here. You're talking about some coordination that's
happened with the administration and with the House Intelligence Committee leadership.
So it looks like perhaps the biggest so far. There had been another one from some very,
very, very skeptical members about how Section 702 has been used on the privacy side.
Senator Wyden and some other senators like that, as well as House members like that, including some very far-right members as well, in addition to the very liberal types,
that have been much more focused on reauthorizing it with warrant requirements for when they seek information on U.S. communications.
This one doesn't quite go that far, and naturally the civil liberty groups are not happy about it.
But this does seem like an important marker of where some of the sides are coming down.
And that way, at minimum, it's a very important proposal.
Yeah, Senator Warner strikes me as being practical, and I think that's what's happening
here. I mean, you're reporting, I believe you refer to this as trying to thread that needle.
Yeah, and it's a very difficult needle to thread. You know, this issue of the warrant requirement
is the biggest deal, with the side that is very, very, very upset about the way Section 702 has
been used. You know, the administration keeps saying, we've made improvements. These abuses you've seen, we're going to get rid of them.
We've taken these steps to make sure it doesn't happen. We're taking these steps to make sure it
doesn't happen. But the civil liberties types do not trust that. They say, we've heard that from
you before. We've heard that from you many past years. And we keep hearing about more abuses.
So if you're going to go in and get communications where you're querying American names or identifiers to get those communications, we need you to have a warrant for that.
The Warner proposal does not do that entirely.
It does say you can't go in there and query for evidence of crime.
That had been something of a concern because this was supposed to be an anti-terrorism law.
So people were like, wait, how much are we using this for?
What are we using this for that?
The issue, though, is that there aren't very many of those that have happened that we know about.
According to the FBI, anyway, that is a very, very tiny, minute number.
And that's where the civil liberty groups say, yeah, okay, thanks for taking care of that one little thing.
But that's not what we're really concerned about.
So we're on a bit of a time crunch here
with this expiring at the end of the year.
What are the odds that this will go through?
You know, I've been skeptical for a long time.
Once it started getting into the summertime
and we weren't having any proposals put forward,
I was like, that's kind of a bad sign.
It takes Congress a while to have hearings.
May have had hearings, don't get me wrong, but to have hearings on the legislation, to have markups, and we're just now in the last few weeks really starting to get a sense of where people are going to come down on this.
I am of the mind that probably the likeliest thing that happens would be an attempt to put a short-term extension through.
I don't know if that's even likely.
And then there are questions about whether it's even necessary. At least on the civil liberties side, they say, look,
there was an authorization they got for this kind of warrantless surveillance
back in April of last year. That'll hold through a year. So they might have a few more months,
depending on who you ask. I don't see anyone suddenly fixing everything on this in time, because one of the things we've left out here is that while the Senate Judiciary Committee seems to be pretty much simpatico with what's going on with this bill,
I say that a little speculatively just based on what I've heard about Senator Durbin, who's the chairman of that committee.
We obviously know where Senator Graham's coming down, but I think he's going to be amenable to this based on what I know. Congressman Jim Jordan,
who's the judiciary chairman on the House side, has very much been more talking about,
well, maybe the FBI shouldn't even be involved in 702. And he suggested that he likes that
Wyden bill I mentioned that has a warrant requirement for all of that communications,
for the American side. So his role in this, what the House might be able to do
in terms of exploring ways of attaching this to other legislation, that seems a little difficult.
I just don't see a resolution to this by the end of the year that will be neat. I could see a
potential short-term resolution, or I could see it dragging into next year. So might we see throughout
the beginning of next year what things look like with Section 702 having been sunset?
It really kind of depends.
I mean, you know, one of the things I've talked to about people who have been involved in this, you know, actual program is that they need what they call certainty.
if they're going to start planning ahead. So if we assume that what the groups say, that the short-term extension is not needed, that the authorization that the court put into place last year will last for a few months,
then maybe we won't see an immediate effect. We might start seeing some panic from the NSA and
the agencies that work on this about what they're going to do once they start trying to prepare for
the next batch of surveillance. That might be where we see some complications, but it might not
actually lead to the surveillance completely going away until a few months later.
All right. Well, as we like to say, time will tell. Tim Starks is the author of the Cybersecurity
202 at the Washington Post. Tim, thanks so much for joining us.
Hey, thank you, Dave.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. At Enterprise, we know you're constantly on the move.
Getting this.
Thanks, Mom.
Fixing that.
You reach a destination.
And then it's on to the next.
And when life is moving at the speed of, well, life,
Enterprise is right there with you,
around the corner and around the globe.
We'll keep you moving forward.
Enterprise.
For lives in drive.
And finally, according to a report from Trellix,
cybersecurity teams are now more likely to receive support from their boards than face job termination following a cyber attack.
This counters the long-standing fear among cybersecurity professionals of being
scapegoated and fired post-incident. Key findings from Trellix's The Mind of the CISO report,
which surveyed 500 chief information security officers, revealed that only 13% of companies
reduced staff or fired personnel within the first year after a major cybersecurity incident.
However, job cuts do occur over time, with 23% and 31% reporting staff reductions one to three years and over three years post-incident, respectively. In fact, companies are more
inclined to bolster their cybersecurity efforts immediately after an attack. 46% of CISOs reported increased budgets
for new tools and technology, 38% noted the creation of new jobs, and 44% added contracted
services to enhance cybersecurity measures. Still, the report highlights that job losses
still transpire as companies gain a clearer understanding of the breach's circumstances.
This ongoing risk, compounded by impending Securities and Exchange Commission regulations,
places CISOs under heightened liability concerns. The evolving landscape illustrates a shift towards
proactive support in the immediate aftermath of cyber incidents, yet underscores the lingering
challenges faced by cybersecurity leaders in the longer term.
And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing
at thecyberwire.com. We'd love to know what you
think of this podcast. You can email us at cyberwire at n2k.com. Your feedback helps us
ensure we're delivering the information and insights that help keep you a step ahead in
the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like
The Cyber Wire are part of the daily intelligence routine of many of the
most influential leaders and operators in the public and private sector, as well as the critical
security teams supporting the Fortune 500 and many of the world's preeminent intelligence and
law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest
investment, your people. We make you smarter about your team while making your team smarter. Thank you. Producer is Brandon Karp. Our executive editor is Peter Kilby. And I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. Thank you. and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.