CyberWire Daily - Operation Magnus strikes back.

Episode Date: October 28, 2024

Operation Magnus disrupts notorious infostealers. Pennsylvania officials debunk election disinformation attributed to Russia. TeamTNT targets Docker daemons. Delta sues CrowdStrike. NVIDIA released a critical GPU Display Driver update. Fog and Akira ransomware exploit SonicWall VPNs. A researcher demonstrates downgrade attacks against Windows systems. Qilin ransomware grows more evasive and disruptive. Pwn2Own Ireland awards over $1 million for more than 70 zero-day vulnerabilities. Our guest is Grant Geyer, Chief Strategy Officer at Claroty, talking about safeguarding our nation's critical food infrastructure. At long last, it's legal to fix your McFlurry.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Our guest is Grant Geyer, Chief Strategy Officer at Claroty, talking about safeguarding our nation's critical food infrastructure. The FBI recently held an Agriculture Threats Symposium in Nebraska, spotlighting growing concerns over the security of the nation's critical food infrastructure amid rising threats. As cyberattacks and bioterrorism increasingly target agriculture, the event highlighted urgent calls for stronger safety measures to protect the food supply chain.

Selected Reading
Operation Magnus Disrupted Redline and Meta Infostealer Malware (Cyber Security News)
Pennsylvania officials rebut false voter fraud claims from home and abroad (CyberScoop)
TeamTNT Exploits 16 Million IPs in Malware Attack on Docker Clusters (Hackread)
Delta sues CrowdStrike for $500 million in damages caused by massive airline cancelations (The Independent)
NVIDIA GPU Vulnerabilities Allow Attackers To Execute Remote Code on Windows & Linux (Cyber Security News)
Fog ransomware targets SonicWall VPNs to breach corporate networks (Bleeping Computer)
New Windows Driver Signature bypass allows kernel rootkit installs (Bleeping Computer)
Updated Qilin Ransomware Escalates Encryption and Evasion (BankInfo Security)
Researchers Discover Over 70 Zero-Day Bugs at Pwn2Own Ireland (Infosecurity Magazine)
It Is Now Legal to Hack McFlurry Machines (and Medical Devices) to Fix Them (404 Media)
DisMis: Explore our 3-part series on election propaganda. (N2K)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Operation Magnus disrupts notorious infostealers. Pennsylvania officials debunk election disinformation attributed to Russia. TeamTNT targets Docker daemons. Delta sues CrowdStrike.
Starting point is 00:02:14 NVIDIA releases a critical GPU display driver update. Fog and Akira ransomware exploit SonicWall VPNs. A researcher demonstrates downgrade attacks against Windows systems. Qilin ransomware grows more evasive and disruptive. Pwn2Own Ireland awards over $1 million for more than 70 zero-day vulnerabilities. Our guest is Grant Geyer, Chief Strategy Officer at Claroty, talking about safeguarding our nation's critical food infrastructure. And speaking of food, at long last, it's legal to fix your McFlurry.
Starting point is 00:03:03 It's Monday, October 28th, 2024. I'm Dave Bittner. Thanks for joining us here today. In a landmark operation, the Dutch National Police, the FBI, and international partners dismantled the infrastructure behind the Redline and Meta infostealer malware. This campaign, called Operation Magnus, targeted two notorious malware strains that had been stealing sensitive data like passwords and credit card information worldwide. Redline, an affordable malware tool, has been extensively used to steal data like passwords, cryptocurrency wallets, and authentication cookies, while Meta, an upgraded version launched in 2022, was designed to expand upon Redline's
Starting point is 00:04:07 capabilities. Through this seizure, law enforcement now holds vast amounts of data tied to the malware's users, including account credentials, IP addresses, and activity timestamps, making future arrests and prosecutions likely. Authorities also gained access to crucial back-end systems such as source code, license servers, and Telegram bots, suggesting a unified infrastructure between Redline and Meta. Speculation has arisen that both malware strains could share the same creators, with further information expected to be disclosed on the Operation Magnus website. The operation, verified by Europol and the UK's NCA,
Starting point is 00:04:53 disrupts the activities of those behind these tools and sends a warning to cybercriminals. Their identities and actions are no longer hidden. With support from agencies like NCIS, DOJ, and law enforcement in Portugal and Belgium, Operation Magnus exemplifies the strength of international cooperation in fighting cybercrime, underscoring the law enforcement community's commitment to countering threats from information-stealing malware. In Pennsylvania, a video falsely depicting ballot destruction
Starting point is 00:05:27 circulated on social media, leading officials to warn it was a disinformation effort attributed to Russian actors. The video, posted on X (formerly Twitter) and other platforms, showed an individual allegedly destroying ballots for Donald Trump while preserving those for Kamala Harris. But the Bucks County Board of Elections quickly dismissed it as fake, pointing out inconsistencies in the material shown. Federal agencies, including the FBI, identified the video as part of Moscow's attempts to question U.S. election integrity and stir division. Disinformation researcher Darren Linvill linked the video to Storm-1516, a Russian group known for similar tactics.
Starting point is 00:06:14 This network aims to influence American political discourse through staged videos and misinformation campaigns. Additionally, domestic disinformation surfaced as Pennsylvania officials debunked unfounded claims of voter fraud involving nuns. As Pennsylvania remains a crucial swing state, it's expected to be a major target for foreign and domestic influence campaigns leading up to the election. Cybersecurity researchers at Aqua Nautilus have identified a new hacking campaign by the notorious group Adept Libra, also known as TeamTNT, which exploits exposed Docker daemons to deploy Sliver malware, crypto miners, and other malicious tools.
Starting point is 00:07:00 TeamTNT hijacks resources for cryptocurrency mining by compromising Docker Hub accounts. Using a tool dubbed Docker Gatling Gun, TeamTNT scans millions of IPs for Docker daemon vulnerabilities on specific ports. Once accessed, they execute a malicious script that sets up further attacks, often searching for credentials and scanning networks. To evade detection, they disguise processes under familiar names and rely on Sliver malware for stealth. This attack underscores TeamTNT's evolving tactics and the importance of robust cybersecurity, especially for organizations using Docker or cloud-native environments. Delta Air Lines has filed a lawsuit against cybersecurity firm CrowdStrike,
Starting point is 00:07:52 blaming its software for the July outage that led to 7,000 flight cancellations and $380 million in losses. Delta alleges that a faulty CrowdStrike update bypassed its disabled auto-update feature, affecting its systems and triggering widespread disruptions. Despite CrowdStrike CEO George Kurtz's apology, Delta accuses the company of neglecting proper testing, claiming it prioritized profits over reliability. CrowdStrike disputes Delta's claims, labeling them as misinformation and arguing that the airline's outdated IT infrastructure slowed its recovery compared to other airlines affected by the outage. CrowdStrike maintains that its liability should be capped at $10 million
Starting point is 00:08:40 and accuses Delta of misrepresenting the incident to deflect from its own IT shortcomings. NVIDIA released a critical security update last week for its GPU display driver to address vulnerabilities allowing remote code execution, privilege escalation, and other risks on Windows and Linux. Users should update immediately to mitigate these high-severity vulnerabilities, which could lead to data tampering, denial of service, and information disclosure. Key vulnerabilities pose significant security risks and affect both OS platforms. The Fog and Akira ransomware groups are increasingly breaching corporate networks through unpatched SonicWall VPN vulnerabilities, specifically exploiting a critical flaw in SonicOS. Despite a patch issued in August of this year, attacks continue as many endpoints remain unpatched.
Starting point is 00:09:46 Arctic Wolf reports that Akira and Fog have conducted at least 30 intrusions using SonicWall VPNs, with Akira responsible for 75% of cases. The two groups appear to share infrastructure, indicating an ongoing unofficial collaboration. Attacks rapidly escalate from intrusion to encryption, sometimes within two hours, often bypassing security by using VPN/VPS services to hide IP addresses. Most targeted organizations lacked multi-factor authentication and ran the vulnerable VPN on default ports. The ransomware groups primarily encrypted virtual machines and recent data, leaving older files untouched. Approximately 168,000 SonicWall endpoints remain exposed, and Black Basta may also be exploiting the same flaw in recent attacks. A vulnerability in Windows allows attackers to downgrade security-critical components,
Starting point is 00:10:52 bypassing protections like driver signature enforcement to install rootkits on fully patched systems. SafeBreach researcher Alon Leviev demonstrated how attackers with admin access could exploit the Windows update process to reintroduce outdated vulnerable software. This approach, termed ItsNotASecurityBoundary, bypasses kernel security enhancements, allowing for rollback attacks that compromise even the latest Windows 11 versions. Using Leviev's tool Windows Downdate, attackers can re-enable vulnerabilities and components like ci.dll, critical for enforcing DSE, thereby facilitating rootkit deployment and disabling security checks. Additionally, attackers can disable virtualization-based security protections by modifying registry keys, exposing secure kernel elements to attack. Microsoft acknowledged the
Starting point is 00:11:47 risk and plans mitigations, but views admin access as outside traditional security boundaries. Until a fix is ready, Leviev urges security teams to monitor for downgrade attacks, which remain a significant threat. The Qilin ransomware group, also known as Agenda, has released a new variant, Qilin.B, enhancing its capabilities to evade detection and disrupt defenses. The ransomware, deployed in high-profile attacks like the July incident against the UK's NHS provider Synnovis, uses advanced encryption methods tailored for different
Starting point is 00:12:26 system architectures, making decryption virtually impossible without private keys. Written in Rust, the ransomware's structure resists reverse engineering, making it hard to analyze. Qilin.B aggressively disrupts backup systems, especially targeting Windows Volume Shadow Copy, while disabling security and virtualization tools from vendors like Sophos, Acronis, and Veeam. It initiates by gaining administrative privileges, clearing event logs, and deleting itself to minimize forensic traces. Encrypted files are marked with a unique extension linked to a company ID, with ransom instructions provided in a Tor-accessible note, making recovery without insider knowledge unfeasible.
Starting point is 00:13:15 At the inaugural Pwn2Own Ireland event, a Vietnamese team from Viettel Cyber Security claimed the top prize, winning just over $200,000 for discovering exploits in multiple products, including TrueNAS storage, Lorex cameras, QNAP routers, and HP and Lexmark printers. The event, hosted by Trend Micro's Zero Day Initiative in Cork, awarded over $1 million for more than 70 zero-day vulnerabilities, with findings set to be disclosed to vendors for patching. End users will benefit from the competition's outcomes, as identified vulnerabilities lead to security enhancements in affected devices. The competition saw growing manufacturer participation, aiming to safeguard
Starting point is 00:14:03 their products against future cyber threats. Meta joined as a sponsor, though no workable exploits were found for WhatsApp in the new Messenger app category. The next Pwn2Own will take place in Tokyo in January 2025, focusing on vulnerabilities in automotive systems, including Tesla and electric vehicle chargers. Coming up after the break, Grant Geyer from Claroty talks about safeguarding our nation's critical food infrastructure. Stay with us. Do you know the status of your compliance controls right now? Like right now. We know that real-time visibility is critical for security,
Starting point is 00:15:07 but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist.
Starting point is 00:15:23 Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform
Starting point is 00:16:20 secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. The FBI recently held an Agriculture Threats Symposium in Nebraska, spotlighting growing concerns over the security of the nation's critical food infrastructure amid rising threats. For insights on that, I caught up with Grant Geyer, Chief Strategy Officer at Claroty,
Starting point is 00:17:13 to discuss safeguarding our nation's critical food infrastructure. We're so used to thinking about farm-to-table as an adage referring to fresh organic food when you walk into a restaurant. But when we think about farm-to-table in the context of critical infrastructure, the estate that it covers and the supply chain that needs to be working to make it all happen is astounding. It covers over 1.9 million farms, 700,000 restaurants, 220,000 food and beverage manufacturing, processing, storage, and distribution, over 62,000 supermarkets and grocery stores. And for that all to be working effectively, every cog in that wheel needs to run in ways that can help support their downstream supply chain and customers.
Starting point is 00:18:05 Well, can you give us some insights? I mean, for the cybersecurity professionals in our audience, what are some of the elements of this supply chain that will resonate with them? Well, look, there's been a number of notable attacks against the food and agriculture space over the past, you know, even over the past three years. As a result of the NotPetya worm, Mondelez and Maersk were impacted. Mondelez, as we may know, is the manufacturer of a lot of snack products,
Starting point is 00:18:37 including Oreos. Maersk is one of the world's largest shippers that helps ensure that containers can get from manufacturers to their destinations. There was a ransomware attack against Dole in 2021. JBS, which is one of four meat suppliers that I think produces over 75% of meat production in the United States, had a ransomware attack in 2023. And finally, Americold, which is one of the key cold distribution vendors that helps in cold
Starting point is 00:19:13 storage and cold distribution, which is incredibly important in food products such as raw meats or raw products, was hit with ransomware both in 2020 and 2023. So each of these have had non-trivial impacts to the supply chain, non-trivial impacts to lost production and lost revenue, and also to some customer frustration. Well, in terms of the food supply chain being prepared for these threats, where do you suppose they stand? Look, I think it's a situation where there's those that are incredibly well-prepared. And again, we at Claroty provide OT security capabilities to some of the largest food and beverage manufacturers in the world. And
Starting point is 00:20:01 they have very robust products. But those same companies that we speak with, companies in the supply chain, that the whole number of employees in the company may be only as big as the security team within the manufacturer. So a number of very small organizations that don't understand the cybersecurity challenges, don't have proper controls in place,
Starting point is 00:20:24 don't understand the specialized needs of OT security, and those represent risk. Looking at the other side of it, what are the opportunities here? Are there chances to increase the efficiency of this supply chain as global population changes and we need more food to eat? One of the amazing opportunities is that the more efficient and effective the supply chain operates, the lower the cost of food production, lower bills for groceries, and the more food that we can put on people's tables. why I think the U.S. Congress is trying to take up this issue in the recent draft legislation in the 2024 Farm Bill. There's four different sections, and they're trying to focus on
Starting point is 00:21:12 investment in cybersecurity protection for the food and agriculture industry, one of which is around a grant program to conduct research into risks of chemical, biological, cybersecurity, or bioterrorism attacks against the segment, and also another section around a center of excellence to help engage in research and education activities for the sector. So there's a lot going on, because I think Congress recognizes there's risks to the sector. As we talked about, not all of the practitioners are fully capable or knowledgeable on how to defend themselves. Can we talk about the global aspect of this here? I mean, you know, so much of our food comes from around the world. I suspect it's hard for us to keep track of all those suppliers, to have a close eye on what their cybersecurity posture is?
Starting point is 00:22:06 I think it's kind of imperative for each organization to have careful tracking of who their suppliers are, to have some degree of vendor management of their supply chain, tiering of vendors. I think the key word here is resilience. So that if one of your vendors or your supply chain fails, how do you ensure that you have a resilient program, especially given the fact that we have multiple kinetic conflicts going on in the world, cyber attacks that could disrupt supply chain? You know, having a strategy of resilience and really understanding who your key suppliers are helps ensure that you can de-risk the challenges in the case of a cyber attack. When you look at the folks that you work with, you and your colleagues at Claroty, when you're helping folks in the food supply chain, what does success look like? Are there common elements that organizations who are doing well, things that they have in common? Ultimately, the goal of every one of our customers is to make money, save money, and reduce risk.
Starting point is 00:23:20 And I think that when it comes to cybersecurity, the savvy customers recognize that you can't patch every vulnerability out there. There are simply too many of them, and especially in OT environments with obsolescent equipment, not everything is even patchable. Or if you can, you have to wait for an approved downtime window. So what we see the best-in-class organizations doing is the IT security team partners very closely with their peers in manufacturing, build strong relationships. It's not about cyber being the no team, but the how do we get it done, but get it done securely team. That's what we see. It's like everything.
Starting point is 00:23:53 It's not a technology problem. These are human problems and relationship problems that need to be overcome. Our thanks to Grant Geyer from Claroty for joining us. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing
Starting point is 00:24:36 sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And finally, good news for ice cream lovers and DIY repair fans. It's now legal to hack McDonald's McFlurry machines and certain other restaurant equipment, thanks to a new federal rule. Frustrated with ice cream machines constantly breaking down?
Starting point is 00:25:18 Well, McDonald's franchises can now legally bypass software locks to fix them without waiting for authorized repair professionals. The same goes for other commercial kitchen devices that might be hogging downtime due to pesky technical protection measures, or TPMs. This exemption, part of an updated Section 1201 of the Digital Millennium Copyright Act, also extends to medical devices, preventing manufacturers from monopolizing repair services. The Copyright Office was inspired by years of McFlurry malfunctions and persistent franchise workarounds. There is a catch. While bypassing locks is now legal, selling or sharing the necessary tools isn't, meaning most franchise owners won't
Starting point is 00:26:07 find it easy to repair machines independently. iFixit CEO Kyle Wiens calls it a mixed bag, emphasizing the need for Congress to fully legalize repair. While the door is technically open, many small businesses may still find it hard to step through without these specialized tools. Now, if we can just find a way to convince McDonald's to offer the McRib year-round, and the Shamrock Shake, and that Rick and Morty Szechuan sauce. I gotta go get some lunch. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Starting point is 00:26:57 Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment on Jason and Brian's show every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world
Starting point is 00:27:13 of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
Starting point is 00:27:27 We're privileged that N2K Cyber Wire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your team smarter. Learn how at n2k.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music and sound design by Elliott Peltzman.
Starting point is 00:27:59 Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
Starting point is 00:28:51 helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
