CyberWire Daily - Midnight Blizzard brings the storm.

Episode Date: January 22, 2024

Russian state hackers breach Microsoft. LockBit claims Subway restaurants hack. A Swedish datacenter is hit with ransomware. VMware patches a vulnerability targeted by Chinese espionage groups. Sentinel Labs warns of North Korean APT's focus on cybersecurity pros. FTC orders another data broker to restrict location data. US Feds release security guidance for water and wastewater sectors. Senators question the DOJ on facial recognition technology. Ukraine's Monobank gets DDoSed. N2K's CSO Rick Howard joins us to share some insight into what he and the Hash Table are cooking up for the upcoming season of his CSO Perspectives podcast. The passing of a Time Lord.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

N2K's CSO Rick Howard joins us to share some insight into what he and the Hash Table are cooking up for the upcoming season of his CSO Perspectives podcast launching next month.
Selected Reading

Microsoft: Russian Hackers Had Access to Executives' Emails (GovInfo Security)
LockBit ransomware gang claims the attack on the sandwich chain Subway (Security Affairs)
Ransomware hits cloud service Tietoevry; numerous Swedish customers affected (The Record)
Chinese Espionage Group UNC3886 Found Exploiting CVE-2023-34048 Since Late 2021 (Mandiant)
North Korea's ScarCruft APT group targets infosec pros (CSO Online)
FTC Order Will Ban InMarket from Selling Precise Consumer Location Data (Federal Trade Commission)
US Gov Publishes Cybersecurity Guidance for Water and Wastewater Utilities (SecurityWeek)
Ukraine's Monobank hit with massive DDoS attack (Silicon Republic)
Senators ask DOJ to investigate whether facial recognition tech violates Civil Rights Act (The Record)
RIP, Internet's Time Lord (On My Om)
Network Time Protocol (NTP) attack (noun) (Word Notes podcast)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Russian state hackers breach Microsoft. LockBit claims Subway restaurants. A Swedish data center is hit with ransomware. VMware patches a vulnerability targeted by Chinese espionage groups.
Starting point is 00:02:13 Sentinel Labs warns of North Korean APT's focus on cybersecurity pros. The FTC orders another data broker to restrict location data. U.S. feds release security guidance for water and wastewater sectors, and senators question the DOJ on facial recognition technology, Ukraine's Monobank gets DDoSed, and N2K's CSO Rick Howard joins us
Starting point is 00:02:37 to share some insights into what he and the Hash Table are cooking up for the upcoming season of his CSO Perspectives podcast. And the passing of a Time Lord. It's Monday, January 22nd, 2024. I'm Dave Bittner, and this is your CyberWire Intel briefing. Thank you for joining us. It is great to have you with us here today. We begin with news that Russian state hackers, identified as Midnight Blizzard, also known as Nobelium or APT29, infiltrated the email accounts of Microsoft's senior executives and staff within its
Starting point is 00:03:33 cybersecurity and legal departments. The breach, disclosed by Microsoft in a regulatory filing with the SEC, occurred for approximately six weeks, with the company detecting the intrusion on January 12 and severing access by January 13. The attack was initiated via a password-spraying technique on a non-production account and enabled access to a limited portion of corporate emails, primarily targeting information about Midnight Blizzard itself. Microsoft says there was no evidence of the hackers reaching customer data, production systems, source code, or AI systems. The extent of data accessed and the implications of the breach are still under investigation. We note for disclosure that Microsoft is a CyberWire partner.
Starting point is 00:04:23 The LockBit ransomware gang has claimed responsibility for hacking Subway, the leading multinational fast food franchise. Announcing this on their Tor data leak site, LockBit threatened to release the stolen data, compromising hundreds of gigabytes, this coming February 2nd. The compromised data reportedly includes sensitive financial information such as employee salaries, franchise royalty and commission payments, and restaurant turnovers. LockBit accuses Subway of ignoring the breach and warns of selling the data to competitors if Subway fails to secure it. Cloud hosting service provider Tietoevry disclosed that its Swedish data center experienced what it's calling a partial ransomware attack, impacting numerous clients and leading to store closures nationwide.
Starting point is 00:05:13 The Finland-based tech company stated the attack was confined to a segment of the data center, primarily affecting services for some Swedish customers. This includes Primula, a major payroll and HR firm used by most Swedish universities and over 30 government authorities, disrupting personal leave and expense submissions. While January salaries have been processed, future remediation plans remain unclear. No confirmation was given regarding the theft of sensitive data. Mandiant and VMware Product Security discovered that UNC3886, an advanced espionage group with links to China, has been exploiting a VMware vulnerability since late 2021, although it was only publicly reported and patched in October of 2023.
Starting point is 00:06:06 This group, known for targeting technologies without endpoint detection and response systems, has a history of using zero-day vulnerabilities for undetected operations. The exploitation was traced back to vCenter system crash logs, which revealed the vmdird service crashing just before the deployment of attacker backdoors. Analysts linked these crashes to an out-of-bounds write vulnerability in vCenter's DCE RPC protocol, allowing unauthenticated remote command execution. The core dumps, typically preserved indefinitely, were found removed in most cases, indicating
Starting point is 00:06:44 deliberate action by the attackers to hide their tracks. VMware released patches for this vulnerability, and Mandiant advises users to update to the latest vCenter version to mitigate the risk. Cybersecurity researchers and threat analysts are increasingly targeted by nation-state advanced persistent threat actors, such as North Korea's ScarCruft group. These actors employ various tactics, like creating fake social media profiles and GitHub accounts, to lure security professionals into downloading malware. A recent report from Sentinel Labs highlights ScarCruft's persistent campaign targeting experts in North Korean affairs, including those from South Korea's academic sector and a news organization.
Starting point is 00:07:31 They use malware disguised as threat research reports as decoys, which Sentinel Labs says is a new strategy. This malware is believed to be in the testing phase and includes shellcode variants and LNK files named after intelligence and news topics targeting those interested in North Korean cybersecurity developments. The goal is to gather non-public threat intelligence and improve their attack techniques.
Starting point is 00:07:59 Sentinel Labs warns that cybersecurity professionals should remain vigilant, as these sophisticated social engineering and phishing campaigns could target a wide range of professionals in the industry. Data aggregator InMarket Media has agreed to stop selling precise location data following charges from the Federal Trade Commission of not adequately informing consumers or obtaining their consent for collecting and using their location data for advertising.
Starting point is 00:08:27 Under the proposed order, InMarket is also barred from categorizing or targeting consumers based on sensitive location data. This action by the FTC, its second in the last few weeks, addresses InMarket's practices of collecting location data from sources including its apps and third-party apps using its SDK. The proposed order requires InMarket to delete or de-identify previously collected data, provide opt-out mechanisms, notify consumers about FTC action, limit data collection without informed consent, and establish a privacy program and data retention schedule. The U.S. government released new guidance to enhance cyber resilience and incident response in the water and wastewater sector, the WWS, addressing threats from financially and politically motivated actors.
Starting point is 00:09:19 The Water and Wastewater Sector Incident Response Guide, developed by CISA, the FBI, EPA, and other federal and WWS partners, provides comprehensive strategies for water utility owners and operators to prepare for, mitigate, and respond to cyber incidents. The guide emphasizes the sector's vulnerabilities to various cyber events like unauthorized access and ransomware, with potential widespread impacts on critical infrastructure. It outlines federal roles, resources, and responsibilities throughout the incident response lifecycle, offering guidelines for incident reporting, resources, services, and training. The guide encourages WWS organizations to build cybersecurity baselines, interact with local cyber communities, and share information on cyber attacks with federal partners. It also advises on strengthening incident response plans covering preparation, detection, analysis, containment, recovery, and post-incident review. While prioritizing water system operations, WWS utilities are urged to participate in collective response efforts and share lessons learned after incidents. A group of 18 senators,
Starting point is 00:10:35 led by Democrats Dick Durbin and Raphael Warnock, expressed concerns to the Department of Justice regarding the use and accuracy of facial recognition technology, particularly its frequent misidentification of black individuals. Highlighting an instance of a wrongful jailing due to this technology, the Senators questioned the DOJ's funding and oversight of such systems, suggesting potential violations of Title VI of the Civil Rights Act of 1964. They sought information on DOJ's measures to ensure compliance with civil rights laws and policies to track the deployment of facial recognition technology. This technology has also faced scrutiny from privacy advocates and the Federal Trade Commission
Starting point is 00:11:21 with recent cases like Rite Aid's settlement for misuse. The DOJ acknowledged receipt of the letter but did not comment further. Monobank, a prominent online bank in Ukraine, experienced a significant DDoS attack as confirmed by their CEO Oleh Gorokhovskyi. Despite the attack's scale, Monobank's services remain uninterrupted. This incident follows a similar DDoS attack on Ukraine's broadband and mobile services, previously targeting Kyivstar. The origin of the attack is unclear, but Ukraine has faced numerous cyberattacks targeting its critical infrastructure,
Starting point is 00:12:00 especially since the onset of the Russian invasion. Coming up after the break, our own Rick Howard joins us to share some insights into what he and the Hash Table are cooking up for the upcoming season of his CSO Perspectives podcast. Stick around. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Starting point is 00:13:00 Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Starting point is 00:13:43 And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. It is always my pleasure to welcome back to the show, Rick Howard. He is the CyberWire's chief security officer and also our chief analyst, but more important than any of that,
Starting point is 00:14:38 he's the host of the CSO Perspectives podcast right here on the CyberWire. Rick, how are you, my friend? Hey, Dave, how are you? A long time no talk, my friend. I know. I know. So, listen, I called you in today. I summoned you, as it were. And I always do what you tell me to do, Dave. I just want you to know that. I lit up the Rick Howard bat signal. And the reason is that when I am out and about, either on social media or just running into folks around here, one of the questions that I get quite often is, where do we stand with CSO Perspectives? You have a lot of fans with that show, and people want more. So they're wondering, where are we?
Starting point is 00:15:21 Has the show been on hiatus, or are you cooking up more episodes? Where do we stand? Well, you know, right before Christmas break, we brought all the interns in and locked them into the Sanctum Sanctorum and said, get busy on season 14, right? And so we've been working on all that and discussing various interesting topics with our crew that approaches the CyberWire hash table. These are our list of experts that come on and make sure that I'm not completely crazy with my ideas. And so that has been going back and forth. And so we have been working hard to get that first season out for the new year.
Starting point is 00:16:01 All right. And can you give us any sort of sneak preview here? What are some of the things you're considering for this season? One of the things I'm really excited about is we got the hash table members working on what is a generic, but maybe a standard slide for board reporting, right? And so what I'm talking about is it doesn't matter what vertical you're in or how big you are, but if you're going to report to the board about cybersecurity, what are the essential elements of information that we should be presenting to these leaders so they can help us make a better program?
Starting point is 00:16:38 And so the ideas are flying across the hash table, and so that's going to be a really interesting episode. Yeah, that's interesting. What else is on the table here? You and I talked last year, this idea of radically asymmetrical distribution of problems, right? And I was listening to a presentation by Malcolm Gladwell, who's one of my favorite podcasters, right? He came out to a cybersecurity conference and he said, you know, I don't want to be claimed that I'm a cyber expert because I'm not,
Starting point is 00:17:13 but it occurred to him that maybe cybersecurity should not be handled the same way for every organization, which is exactly what we all do, Dave, right? We say everybody implement NIST cybersecurity framework or the ISO standards or, you know, pick your thing that you like, and everybody do it the same way, basically. And what he suggested was that maybe it's not the same for everybody. It might be one set of problems for a Fortune 500, but a completely different set of problems for a startup like N2K. So, we're going to take a look at that and see if that's true.
Starting point is 00:17:51 Interesting. Give me one more, one more tidbit here. Well, you know, I've been particularly interested in what the SEC did to SolarWinds, the company, and the CISO, Tim Brown, in conjunction with their new ruling about materiality. And I will tell you, I've been talking to a lot of CISOs about this. There is a big bag of confusion about what all that means to everybody, right? Right, right. And so, and just to give you a, for instance, you know, the SEC charged Tim Brown, who wasn't even the CISO at the time.
Starting point is 00:18:29 He was just the VP of security. The SEC charged him with fraud, okay, for not reporting the exact way, the way to describe the security posture of SolarWinds, right? And it just boggles my mind, Dave, that the SEC would reach past the board, reach past the two CEOs who were involved in all this during that time period, and grab the non-CISO and charge that guy, right? It's like, that doesn't make any sense. So, we're going to explore all that and see if we can figure out what it means going forward. I'm curious, you know, back in your days at Palo Alto Networks, when you were sitting in, you know, one of those seats, did you ever imagine that you'd see this sort of thing, something like the SEC coming after someone in your position?
Starting point is 00:19:18 It didn't occur to me because, you know, Dave, you and I have talked about this, right? The CISO is chief in name only. You know, he's not part of the, or he or she is not part of the senior leadership team normally. That's not true in every case, but normally it's not the case. Right. And the CISO is not part of the board, right? So they have no, there's no legal responsibility
Starting point is 00:19:42 assigned to the chief information security officer like you would get normally with a company's suite of officers, right? They're not in your errors and omissions policy. Yeah, it's not in part of that, right? Right. So, for most of us, in the best cases, we might have input to what is presented to the public in terms of materiality. But in the worst case, we're not even brought in the room, right? So that's why it's so, like I said, gobsmacked that the SEC reached in and grabbed Tim Brown for that charge. It's like, you've got to be kidding me.
Starting point is 00:20:17 So maybe I'm crazy, but we'll see what the rest of the hash table members say. But that's kind of where I'm leaning. All right. Well, we will stay tuned for that. And I know we don't have an exact timeline yet on when to expect the next season of CSO Perspectives, but I know the fans will be glad to hear that it is being worked on. There are some past seasons of CSO Perspectives that are publicly available. So do check that out if you're unfamiliar with it. That is on our website, thecyberwire.com. Until next time, Rick Howard, thanks so much for joining us. Thank you, sir.
Starting point is 00:21:04 Cyber threats are evolving every second, and staying ahead is more than just a challenge. Thank you. you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And finally, we note the passing of David Mills, an engineer and computer scientist who was creator of the Network Time Protocol, a fundamental element of networks and the Internet itself. In 1977, David Mills joined ComSat and became involved in the ARPANET, a precursor to the Internet. Recognizing the need for synchronized time across the network, Mills developed the Network Time Protocol, a system for timekeeping on the internet. His protocol differentiated reliable truechimers from misleading falsetickers, and by 1988, NTP could synchronize
Starting point is 00:22:39 clocks to within milliseconds. Mills was known for his eccentricity and expertise in various fields and nicknamed the internet's time lord by his peers. He passed away on January 17th at the age of 85. May his memory be a blessing to those who knew and loved him. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment on Jason and Brian's show every week.
Starting point is 00:23:19 You can find Grumpy Old Geeks where all the fine podcasts are listed. We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com. We're privileged that N2K and podcasts like the Cyber Wire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector,
Starting point is 00:23:40 as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music by Elliot Peltzman. Our executive producers are Jennifer Iben and Brandon Karp.
Starting point is 00:24:12 Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
