CyberWire Daily - Need a Lyft? Not if Anonymous Sudan has anything to say about it. Closing time, open all the doors and let KillNet into the world.
Episode Date: June 5, 2023

Anonymous Sudan responds to remarks from the US Secretary of State by targeting Lyft and American hospitals. NSA releases an advisory on North Korean spearphishing campaigns. The US government's Moonlighter satellite will test cybersecurity in orbit. "Operation Triangulation" offers an occasion for Russia to move closer to IT independence. The SEC drops cases over improper access to Adjudication Memoranda. Executives and board members are easy targets for threat actors trolling for sensitive information. Rick Howard targets Zero Trust. The FBI's Deputy Assistant Director for Cyber Cynthia Kaiser shares trends from the IC3 Annual Report. And KillNet seems to say it's disbanding…or is it?

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/107

Selected reading.
U.S. Measures in Response to the Crisis in Sudan (US Department of State)
U.S., ROK Agencies Alert: DPRK Cyber Actors Impersonating Targets to Collect Intelligence (US National Security Agency)
North Korea Using Social Engineering to Enable Hacking of Think Tanks, Academia, and Media (Joint Cybersecurity Advisory)
CISA Adds One Known Exploited Vulnerability to Catalog (Cybersecurity and Infrastructure Security Agency)
CVE-2023-34362 Detail (National Institute of Standards and Technology)
Zero-Day Vulnerability in MOVEit Transfer Exploited for Data Theft (Mandiant)
SpaceX launch sends upgraded solar arrays to International Space Station (Spaceflight Now)
Moonlighter Fact Sheet (The Aerospace Corporation)
Uncle Sam wants DEF CON hackers to pwn this Moonlighter satellite in space (The Register)
Russia wants 2 million phones with home-grown Aurora OS for use by officials (The Record)
Russia accuses U.S. of hacking thousands of iPhones (Axios)
Operation Triangulation: iOS devices targeted with previously unknown malware (Kaspersky)
Operation Triangulation: Mysterious attack on iPhones (ComputerBild)
Killnet hacktivists say they're disbanding (Cybernews)
Second Commission Statement Relating to Certain Administrative Adjudications (US Securities and Exchange Commission)
Ponemon: Understanding the Serious Risks to Executives' Personal Cybersecurity & Digital Lives (BlackCloak)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Anonymous Sudan responds to remarks from the U.S. Secretary of State
by targeting Lyft and American hospitals.
NSA releases an advisory on North Korean spear phishing.
The U.S. government's Moonlighter satellite will test cybersecurity in orbit.
Operation Triangulation offers an occasion for Russia to move closer to IT independence.
The SEC drops cases over improper access to adjudication memoranda.
Executives and board members are easy targets for threat actors trolling for sensitive information.
Rick Howard targets zero trust.
The FBI's Deputy Assistant Director for Cyber, Cynthia Kaiser, shares trends from the IC3 annual report.
And Killnet seems to say it's disbanding. Or is it?
I'm Dave Bittner with your CyberWire Intel briefing for Monday, June 5th, 2023.
Anonymous Sudan began targeting U.S. organizations on Saturday in a new distributed denial-of-service campaign after the hacktivists took offense at comments made by U.S. Secretary of State Antony Blinken
regarding possible U.S. involvement in Sudan. The hacktivist group posted a thread on its
Telegram page today. Targets included U.S. rideshare company Lyft and five U.S. health care organizations;
the group has reportedly taken a break from the attacks, saying it is satisfied with its results.
It's unclear if more attacks are to occur,
but Anonymous Sudan seems dedicated to pursuing nuisance-level attacks on countries that displease them.
The U.S. National Security Agency stated in a press release that it
has partnered with five U.S. and Republic of Korea agencies to release a cybersecurity advisory.
In the advisory, the agencies note that North Korea's primary intelligence agency,
the Reconnaissance General Bureau, is responsible for spear phishing campaigns.
The statement named the threat actors associated
with these attacks as Kimsuky, Thallium, APT43, Velvet Chollima, and Black Banshee. In many cases,
the threat actors will pretend to be real journalists to build rapport with their targets.
Typically, the actors will then ask questions regarding current events and U.S. expert opinion on North Korean affairs.
The actors will also masquerade as scholars, think tank advisors, and officials from the government in email correspondence.
Eventually, they will send a fake email pretending to be the target's email service provider,
requesting that they reset their password, threatening to
permanently delete their account if they fail to follow the instructions. NSA advises all potential
targets to consider the risks before clicking on links sent over email from unverified sources.
Additionally, they suggest training employees on spear phishing awareness.
CISA added the Progress MOVEit Transfer SQL injection vulnerability, CVE-2023-34362, to its Known Exploited Vulnerabilities catalog on June 2.
Mandiant reports that this vulnerability seems to have been used on May 27 by UNC4857, which it describes as a newly created threat cluster
with unknown motivations.
Industries in Canada, India, and the U.S.
have found themselves targets.
Mandiant's researchers add that the threat actors
have been seen deploying a newly discovered web shell
called LEMURLOOT, which is used for data theft.
Mandiant adds that it's unable to conclusively attribute this new activity to an established threat group,
but they list FIN11 and UNC2546 as groups of interest due to shared tactics, techniques, and procedures.
The researchers add that they have also noticed CLOP searching for partners that utilize SQL injection,
so it may be possible that the ransomware group is associated with this exploit.
The launch of the Moonlighter satellite, a government-funded satellite described as the world's first and only hacking sandbox in space,
was delayed from yesterday to today due to high winds, Spaceflight Now reports.
The launch was scheduled for liftoff from the Kennedy Space Center
aboard a SpaceX Falcon 9 on a resupply mission to the International Space Station.
Earlier Sunday, the outlet reports,
another Falcon 9 rocket saw a launch from the neighboring Cape Canaveral Space Force Station.
The Moonlighter was built by the Aerospace Corporation,
a federally funded research and development center in Southern California,
in partnership with the U.S. Space Systems Command and the Air Force Research Laboratory.
The satellite will support cybersecurity training and exercises in orbit,
with the software developed by those working in the info security
and aerospace engineering fields. The Record reports that in response to FSB claims that
Apple colluded with the U.S. National Security Agency to facilitate NSA access to Russian users'
iPhones, Russia is moving to equip officials with phones running Rostelecom's Aurora operating system.
Apple has denied working with NSA or any other intelligence service to compromise the security of the devices it sells.
The move toward greater self-sufficiency has a dual motivation.
The first concern is for security.
The second is concern to maintain a national IT capability in the face of international
sanctions levied in response to Russia's war against Ukraine. A campaign dubbed Operation
Triangulation by Kaspersky researchers, which they say they detected in iOS devices and may
presumably be the same campaign the FSB complained of, remains mysterious.
ComputerBild offers a rundown of how the campaign may have unfolded and notes some possible similarities to other operations using commercial spyware.
Citing chatter in the hacktivist auxiliary's VKontakte channel,
CyberNews reports that Killnet says it's disbanding.
The reasons are unclear, but the group's admin posted,
I do not intend to single out the rest.
No one deserves an acclaim and a comment.
Killnet has been completely disbanded.
The announcement came after resignations and expressions of dissatisfaction.
How seriously the announcement should be taken remains to be seen. In some ways,
the announcement looks more like a dasvidaniya to a disgruntled member than a dissolution.
The U.S. Securities and Exchange Commission on Friday announced that it was dropping a number of cases in which enforcement staff received improper access to restricted adjudication
memoranda. The SEC attributed the incident
to inadequate internal controls over sensitive information, saying that they deeply regret that
the agency's internal systems lacked sufficient safeguards surrounding access to adjudication
memoranda. They promise appropriate safeguards in the future. And finally, companies spend millions on cybersecurity to protect their
corporate infrastructure, but what are the cybersecurity mitigations in place to protect
the devices of the executives of the company when not at work? This is the question posed in a study
by BlackCloak in their report titled Understanding the Serious Risks to Executives' Personal Cybersecurity and Digital Lives.
Apparently, most companies don't protect the personal devices of their executives and board
members. 58% of companies polled didn't incorporate the risk of key executive members' personal
devices into their cybersecurity risk portfolio, and 62% of the companies had no dedicated services to respond to attacks on
the high-ranking members. So, executives, keep an extra close eye on your smartphones and tablets.
Threat actors may be after more than just your playlists and grocery lists.
Coming up after the break, Rick Howard targets zero trust.
The FBI's Deputy Assistant Director for Cyber, Cynthia Kaiser,
shares trends from the IC3 annual report.
Stay with us.
And it is always my pleasure to welcome back to the show Rick Howard.
He is the CyberWire's Chief Security Officer.
I suppose I should say N2K's Chief Security Officer.
That's exactly right. Get it right, Dave. Get it right.
I'm just a half step behind.
Also, our Chief Analyst.
Rick, your podcast, CSO Perspectives, and the book that you just published spend a lot of time talking about cybersecurity first principles.
And one of the key strategies that you advocate for is zero trust.
Now, we're not talking about the vendor hype version of zero trust, about how their products are all zero trust capable and all that stuff.
Right.
But you're talking about the strategy and tactics that network defenders can use to actually implement the philosophy.
Right.
Now, you and I were talking on some of our Slack channels this week about how zero trust,
since its inception back in 2010 or so, has kind of been a bit of a moving target.
And I thought maybe this would be a good opportunity that we could chat about that.
Maybe you could help improve my understanding about that. Why is it a moving target?
Well, you're right, Dave. I fundamentally believe that for the right organization, zero trust is a highly
right, Dave. I fundamentally believe that for the right organization, zero trust is a highly
impactful strategy that will help you buy down the risk to your own organization. But when John
Kindervag wrote the original white paper back in 2010, we were mostly talking about limiting access to our employees and contractors based on a need to know, right?
But as the time slipped by and we got to around 2013 or so, when it started to become acceptable to allow our employees to use their personal devices to do work, you know, like tablets and laptops and phones. We started thinking about how to limit device access, too.
And then just this year, the U.S. National Cybersecurity Center of Excellence announced
its research on data classification processes.
A really boring name, by the way, but it's a great aspirational idea for being able to
apply the same kinds of internal zero-trust controls that you and I might use with our own internal digital infrastructure to data that leaves your organizations like, you know, email and files stored in public repositories, Dropbox and, you know, Amazon S3 plugins.
And then you and I just published a Cyber Wire X podcast on that very subject.
It's called What is Data-Centric Security and Why Should You Care?
Yeah.
But in 2020, we were all relearning what a supply chain attack was when the hackers behind APT discovered the Log4j vulnerability and the risk of open-source software,
we started to get serious about applying zero-trust rules
to commercial applications that we buy,
software that we build ourselves,
and open-source code libraries that are used by everybody.
And that is what you are talking about
in this week's episode of CSO Perspectives.
That's right.
It's called Zero Trust in an App-Centric World,
and we invited two guests, one from Okta and one from Cato, to join us here at the CyberWire Hash Table to discuss it.
All right. Well, look forward to that. Before I let you go, what is the phrase of the day over on your Word Notes podcast this week?
The phrase is SEO poisoning, and we're going to demonstrate how the attack activity is the Great Waldo in the InfoSec space. If you don't know what the Great Waldo is, you have to come and listen to the episode.
All right, fair enough. We'll check it out.
Rick Howard is the CyberWire and N2K's Chief Security Officer. Rick, thanks for joining us.
Thank you, sir.
It is my pleasure to welcome to the show Cynthia Kaiser. She is Deputy Assistant Director for Cyber at the FBI. Cynthia, welcome to the show.
Glad to be here.
So I want to touch with you today on the IC3 annual report, which you and your colleagues have recently put out. Before we dig into the report, for folks who might not be intimately aware, can you give us a little overview of the IC3 and the mission there?
Sure. So the FBI's Internet Crime Complaint Center, also known as IC3, it serves as a really convenient mechanism to report suspected
internet facilitated crime to the FBI. But it's also much more than that. Information gathered
from IC3 through the public reporting is analyzed and disseminated for investigative and intelligence
purposes for us to be able to conduct law enforcement actions or just for public awareness.
The site's also a fantastic resource to review recent consumer alerts, industry alerts, and
other relevant cybersecurity information. Well, let's dig into the annual report here
together. What are some of the things that caught your eye?
Every year, IC3 produces that annual report on trends that impact the public,
as well as just routinely providing the public reporting about the trends that we're seeing.
The information submitted to IC3 is in individual complaints,
and then it's combined with other data to come out with this report.
So just to kind of give you a little bit more background on the report itself. So in 2022, I think what
struck me is the IC3 received over 800,000 complaints, and that's actually a 5% decrease
from 2021. But the potential total loss has grown from just about $7 billion in 2021 to over $10 billion in 2022. So we saw less reporting, but much larger sums.
And to what do you attribute that shift?
In part, we've seen a big increase in investment fraud, and that includes cryptocurrency scams.
We also have seen just a larger amount of business email compromise,
the kind of tech support fraud that will happen when people just get a call from a call center
and it sounds legit and you're going to try to get yourself back online or give your password
information and all of a sudden you've lost money. So, you know, we did see growth in several areas, but I do think overall, some of what we also saw was a little
bit of a decrease in ransomware complaints overall. Now, I think it's too soon to tell
why exactly we saw that decrease. And we saw really a leveling off of the amount
from ransomware complaints. But overall, we have seen actors
trying to recalibrate given the better cyber hygiene that's going on across the nation,
given just industry and private sector options that are available now for being able to
counter ransomware. And we're continuing to monitor that to see if that's a downward trend, if it's
a leveling off trend, et cetera. But we also know, and we were able, it's kind of fun to see,
we have this reporting, we have the public reporting. And then we also see what's going
on in our operations. And I think Hive's a great example where we're able to match up the two to better understand what's going on with reporting overall.
So because of the access that we had during our Hive operation, we were able to see that only about 20% of victims from Hive were reporting to the FBI.
In terms of the reporting to the IC3, is that primarily consumers or is it businesses or a mix of both?
A mix of both.
So we see anything from individual Americans who are being targeted in individual scams, especially elder fraud scams, to large businesses.
This is where a lot of our private sector partners are going to put in a report when they've had a ransomware attack or their outside counsels or other entities that
are assisting them are helping us by submitting these reports, ensuring that we're able to keep
record of it, we're able to keep track of it and engage with them in an appropriate way.
Well, based on the information that you all
have gathered here, what are your recommendations for folks to better protect themselves?
You know, I think we encourage anyone who is victimized by a cyber attack or intrusion to
alert us of that as early as possible. The sooner we're made aware, the sooner we can respond,
assist, and mitigate damage to the victim and other potential victims. A good example of that is our financial fraud kill chain. Over 70% of reports that were made into IC3 in a certain
category, we were able to help recover those funds because the report happened early on in the
process. And that's over, I'm talking over 400 million recovered.
So it's a huge amount.
So we're able to assist further.
So I think that early reporting is the best thing we can do.
But backing up before something happens.
Some of the best practices we recommend
are backing up data,
system images and configurations,
testing backups
and making sure those backups
are not connected, they're
offline, using multi-factor authentication, updating and patching systems, making sure
security solutions are up to date, and then overall reviewing and exercising an incident
response plan, including ensuring that you have the FBI point of contact who you're going to call.
They're not just kind of an unknown number, but you know
that person, you have that person in your cell phone, and we're happy to facilitate that. It's
great to call us ahead of time so that we're able to be a part of that. Yeah, I mean, that's a
message we've shared, I think, multiple times here, that if you're a CISO out there, it's in
your best interest to make that introduction to your local FBI field office.
Exactly. And I think as a CISO, you want options. You want to know all the people you can call. You want to know who you're going to call for incident response. You want to know
who you're going to call for legal advice, including the FBI, and that is really important.
Cynthia Kaiser is Deputy Assistant Director for Cyber with the FBI.
Cynthia, thank you so much for joining us.
Thank you.
on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com. Your feedback helps us ensure we're delivering the
information and insights that help keep you a step ahead in the rapidly changing world of
cybersecurity. We're privileged that N2K and podcasts like The Cyber Wire
are part of the daily intelligence routine
of many of the most influential leaders and operators
in the public and private sector,
as well as the critical security teams
supporting the Fortune 500
and many of the world's preeminent intelligence
and law enforcement agencies.
Hester, with original music by Elliott Peltzman. The show was written by Rachel Gelfand. Our
executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back
here tomorrow.