CyberWire Daily - New cybersecurity bill aims to untangle federal regulations.
Episode Date: May 31, 2024

Draft legislation looks to streamline federal cybersecurity regulations. Clarity.fm exposed personal information of business leaders and celebrities. Researchers find European politicians' personal info for sale on the dark web. The BBC's pension scheme suffers a breach. OpenAI disrupts covert influence operations making use of their platform. Hackers brick over 600,000 routers. Cracked copies of Microsoft Office deliver a malware mix. A senator calls for accountability in the Change Healthcare ransomware attack. On our Industry Voices segment, we hear from SpyCloud's Chip Witt on navigating the threat of digital identity exposure. Florida man becomes Moscow's fake-news puppet.

Our 2024 N2K CyberWire Audience Survey is underway; make your voice heard and get in the running for a $100 Amazon gift card. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
On our Industry Voices segment, we hear from Chip Witt, SpyCloud's SVP, Product Management, discussing navigating the threat of digital identity exposure. To learn more, check out SpyCloud's Annual Identity Exposure Report 2024.

Selected Reading
Senate chairman wants new White House-led panel to streamline federal cyber rules (The Record)
Data Leak Exposes Business Leaders and Top Celebrity Data (Hackread)
Information of Hundreds of European Politicians Found on Dark Web (SecurityWeek)
BBC Pension Scheme Breached, Exposing Employee Data (Infosecurity Magazine)
OpenAI accuses Russia, China, Iran, and Israel of misusing its GenAI tools for covert Ops (CSO Online)
Mystery malware destroys 600,000 routers from a single ISP during 72-hour span (Ars Technica)
Pirated Microsoft Office delivers malware cocktail on systems (Bleeping Computer)
UnitedHealth leaders 'should be held responsible' for installing inexperienced CISO, senator says (The Record)
Once a Sheriff's Deputy in Florida, Now a Source of Disinformation From Russia (The New York Times)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me.
I have to say, Delete.me is a game changer. Within days of signing up, they started removing my
personal information from hundreds of data brokers. I finally have peace of mind knowing
my data privacy is protected. Delete.me's team does all the work for you with detailed reports
so you know exactly what's been done. Take control of your data and keep your private life
JoinDeleteMe.com/N2K and use promo code N2K at checkout.
The only way to get 20% off is to go to JoinDeleteMe.com/N2K and enter code N2K at checkout.
That's JoinDeleteMe.com/N2K, code N2K.
Researchers find European politicians' personal info for sale on the dark web.
The BBC's pension scheme suffers a breach.
OpenAI disrupts covert influence operations making use of their platform.
Hackers brick over 600,000 routers.
Cracked copies of Microsoft Office deliver a malware mix.
A senator calls for accountability in the Change Healthcare ransomware attack.
On our Industry Voices segment, we hear from SpyCloud's Chip Witt on navigating the threat of digital identity exposure. And a Florida man becomes Moscow's fake news puppet.
It's Friday, May 31st, 2024.
I'm Dave Bittner, and thank you for joining us.
It is great to have you here with us.
Senator Gary Peters, a Democrat from Michigan, is proposing a bill to create an interagency committee to streamline federal cybersecurity regulations.
The Office of the National Cyber Director would lead this effort,
aiming to reduce compliance burdens for industries.
This committee would identify and resolve conflicting cybersecurity requirements within a year and ensure regulatory updates are aligned.
The draft legislation mandates a pilot program for at
least three regulatory agencies to work with the committee on harmonizing rules.
The bill also would grant ONCD more authority in setting and coordinating cybersecurity regulations,
which has support from industry and some experts who see a need for centralized oversight.
The proposal follows recent cybersecurity regulations from CISA and the SEC,
highlighting the need for regulatory harmonization.
Key challenges include managing jurisdictional conflicts
among various congressional committees overseeing cybersecurity.
However, Senator Peters has a history of successfully passing cybersecurity legislation,
and the bill has bipartisan appeal.
If passed, the legislation would bolster ONCD's efforts to streamline cybersecurity rules,
ensuring better coordination across federal agencies.
A leak at Clarity.fm exposed personal information of business leaders and celebrities to public access.
The platform connects entrepreneurs with industry experts for on-demand consultations.
Cybersecurity researcher Jeremiah Fowler found a non-password-protected database containing over 155,000 records and 121,000 member accounts. The exposed data included full names, phone numbers, email addresses, consultation content, and payment records. This breach raises significant
concerns about data security and the risks of targeted scams, phishing attacks, and blackmail.
Fowler secured the database and notified Clarity.fm, but it remains unclear how long the
data was exposed or if others accessed it. An intelligence study from security firm Proton,
in collaboration with Constella Intelligence, found the email addresses of hundreds of British,
French, and European Parliament politicians on dark web marketplaces.
Out of nearly 2,300 official government email addresses searched, 918 were leaked. British MPs were the most impacted, with 68% of their addresses found on the dark web. EU Parliament
members had a 44% exposure rate, while only 18% of French deputies and senators were affected.
These addresses, used on various third-party services
like Adobe, LinkedIn, and Dropbox,
were hacked and included 697 plain-text passwords.
The exposure risks not only the politicians,
but also the sensitive information they handle.
The BBC has confirmed a breach of its pension scheme,
exposing personal data of over 25,000 current and former employees.
Attackers copied files from a cloud storage device,
revealing names, national insurance numbers, dates of birth, and home addresses.
The BBC assured that no phone numbers, email addresses,
bank details, or passwords were compromised, and the pension scheme's website was not affected.
No evidence of ransomware was found. The BBC is working with specialist teams to secure the
source and monitor the situation. Impacted employees are advised to watch for unsolicited
communications and monitor their bank accounts for unusual activity,
as exposed data could lead to fraud or phishing attacks.
A report from OpenAI revealed that its generative AI tools were used by actors from China, Russia, Iran, and Israel
to create and post propaganda on social media.
Over the past three months, OpenAI disrupted five covert influence operations
aiming to manipulate public opinion on various geopolitical and socioeconomic issues.
These campaigns produced fake comments, articles, and translated texts,
but did not significantly increase audience engagement.
Targets included issues like Russia's invasion of Ukraine,
Gaza conflicts, and U.S. and European politics.
OpenAI has enhanced its detection and analysis measures
to prevent misuse of its tools
and is sharing its findings to promote best practices among stakeholders.
Last October, subscribers of the ISP Windstream,
which serves residential customers in 18 states, reported that their ActionTec T3200 routers
suddenly stopped working, showing a steady red light and not responding to resets.
Users blamed Windstream for pushing updates that bricked the devices. The ISP sent
new routers to affected customers. Black Lotus Labs later revealed that the malware took out
over 600,000 routers, including those from Windstream, using Chalubo malware to permanently
overwrite firmware. The attack, named Pumpkin Eclipse, was deliberate and targeted a single
ISP's autonomous system number. The incident raised concerns about the impact on rural
communities and critical services. Researchers found no evidence of nation-state involvement
and advised standard cybersecurity measures to prevent future attacks. Researchers noted also that the attack was
deliberate, with the threat actor using common malware instead of custom-developed tools to
cover their tracks. Despite extensive analysis, the initial infection method remains unclear,
though weak credentials or exposed administrative panels are possible entry points.
Cybercriminals are distributing a mix of malware
through cracked Microsoft Office versions promoted on torrent sites. This malware includes remote
access trojans, cryptocurrency miners, downloaders, proxy tools, and anti-AV programs.
AhnLab Security Intelligence Center identified the campaign, warning about the risks of pirated software.
The attackers use lures like Microsoft Office and other popular programs.
The cracked Office installer looks legitimate but launches obfuscated .NET malware,
contacting Telegram or Mastodon to fetch additional components from Google Drive or GitHub. Malware strains installed include Orcus RAT, XMRig miner, 3Proxy, PureCryptor, and AntiAV with an updater module ensuring
persistence. Users should avoid pirated software to prevent such infections, but you already knew
that. Senator Ron Wyden, a Democrat from Oregon,
criticized UnitedHealth Group in a letter to regulators, calling for accountability from
the company's leaders following a ransomware attack on Change Healthcare. Wyden compared
the incident to the SolarWinds breach, blaming UHG's senior executives and board for poor decisions,
including appointing an unqualified chief information security officer, Stephen Martin, in June 2023.
Wyden argued that the CEO and board should be responsible for cybersecurity failures,
including the lack of multi-factor authentication on a remote access server.
The attack severely impacted patients and providers,
with many left without medications and some providers forced to close or take loans.
Wyden urged the FTC and SEC to investigate UHG's cybersecurity lapses and hold senior officials accountable, citing similar enforcement actions against other companies. The FTC acknowledged receiving the letter but declined to comment, and the SEC did not respond.
Coming up after the break, on our Industry Voices segment, my conversation with SpyCloud's Chip Witt.
We're discussing navigating the threat
of digital identity exposure.
Stay with us.
Transat presents a couple trying to beat the winter blues.
We could try hot yoga.
Too sweaty.
We could go skating.
Too icy.
We could book a vacation.
Like somewhere hot.
Yeah, with pools.
And a spa.
And endless snacks.
Yes!
Yes!
Yes!
With savings of up to 40% on Transat South packages, it's easy to say, so long to winter.
Visit Transat.com or contact your Marlin travel professional for details.
Conditions apply. Air Transat. Travel moves us.
Do you know the status of your compliance controls right now? Like, right now? We know
that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time
checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows
like policies, access reviews, and reporting, and helps you get security questionnaires done
five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com/cyber. That's vanta.com/cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Chip Witt is SpyCloud's Senior Vice President for Product Management.
For our sponsored Industry Voices segment,
I caught up with him to discuss navigating the threat of digital identity exposure.
Traditionally, people think about credentials as kind of a mainstay around account
takeover prevention, that sort of thing.
But our concept of digital identity is a little bit beyond that.
It includes things like
authenticated session tokens,
API keys, webhooks, passkeys,
and of course,
a lot of personally identifying information
that users have on their machines
or have in their interactions with the
applications that they use. So it's a lot of stuff going on behind the scenes that I suppose most
people don't think about day to day. Exactly. And it actually, it comes down to the fact that it's
not about traditional credentials. It's about access, right? So the way users access applications is buried in a lot of different things. And one of
the key pieces of this is identity is useful to criminals in a lot of different ways. To get
access to stuff, certainly, but also to create synthetic identities to hide under the radar of
other sorts of systems that detect and know your customer, know your employee in enterprises,
and allow them to look and feel, taste, smell just like a real user.
Can you give us a little bit of a sense for where we find ourselves right now when it comes to
digital identity and people's efforts to protect it?
You know, it's kind of interesting as just looking at the stats from our recent identity exposure report is that you have a lot of users, over 60% are still reusing passwords.
That's a fundamental thing that kind of goes back to the old credential set.
So people aren't learning the lesson. Some of the most prevalent breaches and cyber crimes that have been committed out there,
most of them start with some sense of credential or access that the user has let get out in the open.
Passwords and password reuse is a big part of that.
The other thing is the prevalence of malware.
Info-stealing malware is a new toolkit that criminals are leveraging to get access to a broader set of information
that completes
that full identity story that we were just describing. And that's tremendously dangerous.
If we look at InfoStealers, there are 52 InfoStealing malware families that were active,
and four are entirely new families. AtomicStealer, Mystic, Excella, and Latita all are gathering information about the user and are infecting and oftentimes doing their business and then uninstalling themselves, escaping detection with EDR, XDR, and other sorts of tools.
And we have evidence of that because one of the things that SpyCloud does is we recover the data that's actually in use and being actively traded by criminals.
And this means that it has escaped the standard protections.
It's in criminals' hands and it's in active use.
And that tells an interesting story.
Well, help me understand that.
I mean, does that mean that you all are seeing the data that is out there that the bad guys are trying to sell?
And then you can sort of correlate that with
someone who may or may not know that they've been victimized? Exactly right. So, we are actively
looking for information in the underground, infiltrating circles to gather that information
up and understand what the criminals are actively using in terms of threat. So we see an increase in shared cookies
for session hijacking.
A huge, huge uptick in that in the last year, year and a half.
And they're using InfoStealing malware
as a way to gain access to that
because InfoStealing malware, if you don't know,
it installs on the machine
and it is capable of pulling down
everything that that machine has,
including example files and things of that nature, credentials, autofills from the browser, cookies, both session cookies and authenticated device or trusted device cookies for bypassing MFA, all this wealth of information.
And it can be captured in moments from that info-stealing malware. And then that info-stealing malware disappears. Enterprises don't know or individuals don't know that they've been attacked. And then that information is packaged up by criminals and bought and sold, traded. Some of it's actively used into the ecosystem to perpetrate other sorts of crime, like targeted ATO attacks.
I mentioned synthetic identity, so basically formulating identities to commit fraud.
And my favorite, ransomware.
There is a direct linkage to info-stealing malware and ransomware attacks that can follow.
Do you have a sense for how widespread this is? I mean, how many people are being hit with this? A lot. We actually have, in just 2023 alone, we captured 43.7 billion
distinct digital identity assets. We have over 580 billion recaptured data assets in our repositories.
You can see that that's a pretty big number
year over year and in total in what we have.
And the thing is that we actually see
that the average user,
average digital identity,
appears in as many as nine breaches
and is associated with, on average,
15 different breach records, which are independent
records containing data, credentials, PII, other information, one in four of which contained
information about the network or physical location of the user, which is tremendously scary when you
start to think about that. There's also a one in five chance that the user has already been the
victim of an info-stealing malware infection. And the average digital identity includes four unique exposed usernames and emails,
and each has a two out of three chance of being accompanied by a password. So that information is
pretty prevalent, pretty useful from a standpoint of understanding the scope of the problem.
And how do you rank the severity of the different
types of information? I mean, if someone has my username and password for my password manager,
that is a whole different kettle of fish than if they have some, I don't know, my browser
fingerprinted or something like that. We actually look at the data in a lot of different ways.
The criticality of the information really is bifurcated on where it was sourced from.
So you think about traditional ATO, it's primarily looking at third-party breaches,
information that you entered data into a website, that website was compromised,
that information was pilfered and then is used for perpetrating credential stuffing attacks, password spraying things.
That information is largely
commoditized. And it's the business of threat intel. So if you think about threat intelligence
solution providers who are looking at indicators of compromise, that's usually the narrow window
that they're focused on. Our focus most recently, while we still continue to focus on that
information, we're looking at active malware information because that's more timely. It's
usually a very narrow window, say seven to 10 days of when that information is captured to when
criminals are actively trying to put it to use in some fashion. And so that's the high priority
information that organizations need to understand to invalidate sessions that are likely to be hijacked by virtue of cookies,
change passwords more broadly. InfoStealing malware, because it's capturing information
from the browser, for instance, it knows all the cloud applications that that user visited
and the credentials that were used to access those systems. And in many cases, some of those
systems don't match the systems organizations even know their users are using.
So it's the shadow IT problem, where your exposure is.
And that's where that lateral movement, getting access to information they shouldn't have, gets deeper and deeper by virtue of information that's stolen through info-stealing malware.
Where do you suppose we're headed with this?
I mean, when you look at the trend lines that you all are tracking, where are we going?
Well, I mean, the thing that is always true is criminals adapt.
They adapt very quickly.
Quicker than we often do on the defensive side.
And that's, you know, SpyCloud exists to prevent criminals from profiting off the data that they steal.
We want to make the internet a safer place.
So, we try to stay ahead.
And part of that is tracking what criminals are actively using, what they're asking about,
what they're talking about in their closed circles, what they're actively trading.
Because that is the stuff that is going to be used by those criminals tomorrow to attack
you, right?
A lot of threat intelligence is focused on yesterday
and preventing that from attacking you today.
And so you need to stay ahead.
You need to understand what the criminals are doing
and how they're adapting.
And that's, I think, the game, right?
Is to stay ahead of them by virtue of understanding
what they're using and shore up those defenses
where you need to.
Right now, we're seeing a lot of, like I said,
a lot of the session hijacking piece
is a huge piece of what we're seeing out there
being actively traded, actively used.
We're also beginning to see conversations around passkeys,
and that's going to become the direction of the future
as people move away from passwords.
There are still exposures.
There's still ways.
It's still tied to
an identity, and it's an identity focus. And we need to move away from a device-centric view of
the credential world and focus more on identity because identity spreads over a lot of different
resources, and the criminal knows this, and that's what they're leveraging.
So what are your recommendations here? I mean, for somebody who is beginning this journey
and wants to get a handle on their digital identity risk
and what they can do to better protect it,
where should they begin?
They need to be monitoring what's going on
with their credentials and their username,
email address, domains,
and understand what the criminal is using.
And that requires using expertise that
is outside of the organization very often. And so that's what SpyCloud offers is the ability for you
to understand and contextualize what the criminal understands about you and your identity so that
you have that information in hand and can remediate it. The other piece of this is doing it manually
is difficult, if not impossible. So you have to have a very clear signal to then force or feed
into automation. And automation is basically understanding where you're exposed and
automatically pushing yourself down a remediation path for those users that have those
exposures so that the criminal doesn't have a leg up. When they go to use it, you should already
have addressed that and closed that door. That's Chip Witt from SpyCloud. Be sure to
check out SpyCloud's annual Identity Exposure Report. Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution
trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you
total control, stopping unauthorized applications, securing sensitive data, and ensuring your
organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default
deny approach can keep your company safe
and compliant.
And finally, the New York Times shares the strange case of John Mark Dougan, a former deputy sheriff in Palm Beach County, Florida. About 12 years ago, Dougan allegedly began a run of deceptive
endeavors by emailing voters, posing as a county commissioner to oppose the sheriff's re-election.
He later posed online as a Russian tech worker to leak confidential information
and created a fictional New York City heir named Jessica to trick an advisor into revealing improper conduct.
These early exploits set the stage for Dougan's current role in Russia's disinformation campaigns.
Now 51 years old, Dougan resides in Moscow under political asylum,
orchestrating a complex network of over 160 fake news websites.
Using commercially available AI tools,
he fills these sites with tens of thousands of articles
interspersed with bespoke fabrications attributed to Russian intelligence.
Despite Dougan's denials, digital trails and confirmations from a friend
suggest he is behind these sites.
This marks a significant escalation from his troubled life in the U.S.,
which included accusations of excessive force and sexual harassment,
leading to costly lawsuits and his eventual flight from 21 felony charges.
Dougan's activities include impersonating
an FBI agent in a call to Stephen Brill of NewsGuard, a company tracking his fake news sites.
This led to an FBI investigation tracing the call to Russia. Researchers and officials believe
Dougan's disinformation network, largely focused on Russian narratives
about the Ukraine war, is poised to interfere in upcoming elections worldwide, targeting diverse
audiences to destabilize democratic systems. John Mark Dougan's evolution from local trickster to a
key player in Kremlin-backed disinformation illustrates the escalating threat of fake news and cyber
deception. His actions underscore the importance of robust cybersecurity measures and vigilance
against disinformation. It would seem that Dougan went from chasing crooks in Palm Beach
to chasing cliques in Moscow.
And that's the CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday and my conversation with Amit Malik,
Director of Threat Research at Uptycs.
We're discussing their work, New Threat Detected: Inside Our Discovery of the Log4J Campaign and Its XMRig Malware.
That's Research Saturday. Check it out.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead
in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes
and 500 to many of the world's preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com. This episode was
produced by Liz Stokes. Our mixer is Trey Hester with original music and sound design by Elliot
Peltzman. Our executive producer is
Jennifer Iben. Our executive editor is Brandon Karp. Simone Petrella is our president. Peter
Kilby is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here
next week.
only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform
comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable
impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain
insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.