CyberWire Daily - Peach Sandstorm cyberespionage. Criminal attacks against a Colombian telco and two major US casino firms. A thief in the browser. And the Greater Manchester Police are on a virtual manhunt.

Episode Date: September 15, 2023

"Peach Sandstorm" is an Iranian cyberespionage campaign. A cyberattack against a telecom provider affects government and corporate online operations in Colombia. Python NodeStealer takes browser credentials. Caesars Entertainment files its 8-K. Some MGM Entertainment systems remain down. Betsy Carmelite from Booz Allen talking about how to leverage cyber psychology. Ron Reiter of Sentra outlines the threats for connected cars. And a third-party incident exposes personal data of the Manchester police.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/177

Selected reading.
Peach Sandstorm password spray campaigns enable intelligence collection at high-value targets (Microsoft)
Hackers Backed by Iran Caught in Apparent Global Spy Campaign (The Messenger)
BNamericas - Colombia cyberattack hits government, corpor... (BNamericas.com)
Colombia's judicial branch thrown offline in major cyber attack (Colombia Reports)
Casino giant Caesars Entertainment reports cyberattack; MGM Resorts says some systems still down (AP News)
Casino Operators Caesars and MGM Still Reeling From Cyber Attacks (Kiplinger.com)
Groups linked to Las Vegas cyber attacks are prolific criminal hacking gangs (CyberScoop)
MGM still responding to wide-ranging cyberattack as rumors run rampant (Record)
Ransomware in the casinos. (CyberWire)
MGM Resorts shuts down some systems. (CyberWire)
Manchester police officers' data stolen following ransomware attack on supplier (Record)
Contractor Data Breach Impacts 8k Greater Manchester Police Officers (Hackread)
A Second Major British Police Force Suffers a Cyberattack in Less Than a Month (SecurityWeek)
Who is behind the latest wave of UK ransomware attacks? (the Guardian)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Peach Sandstorm is an Iranian cyber espionage campaign. A cyber attack against a telecom provider affects government and corporate online operations in Colombia. Python NodeStealer takes browser credentials. Caesars Entertainment files its 8-K. Meanwhile, some MGM Entertainment systems remain down.
Starting point is 00:02:20 Betsy Carmelite from Booz Allen talks about how to leverage cyber psychology. Ron Reiter of Sentra outlines the threats for connected cars. And a third-party incident exposes personal data of the Manchester police. I'm Dave Bittner with your CyberWire Intel briefing for Friday, September 15th, 2023. Microsoft warns that the Iranian state-sponsored actor Peach Sandstorm, which Microsoft formerly tracked as Holmium, has been launching password-spraying campaigns against thousands of organizations since February 2023, with a particular focus on the satellite, defense, and pharmaceutical sectors.
Starting point is 00:03:23 The goal of the campaign appears to be espionage. In a small number of cases, the threat actor succeeded in breaching organizations and exfiltrating data. Microsoft says the capabilities observed in this campaign are concerning, as Microsoft saw Peach Sandstorm use legitimate credentials gleaned from password spray attacks to authenticate to target systems, persist in targets' environments, and deploy a range of tools to carry out additional activity. Peach Sandstorm also created new Azure subscriptions and leveraged the access these subscriptions provided to conduct additional attacks in other organizations' environments. We note, of course, in disclosure that Microsoft is a CyberWire partner.
Starting point is 00:04:09 An incident broadly characterized as a cyberattack that began Tuesday hit Colombian telco IFX Networks and has affected the company's customers. According to statements by Colombia's ICT ministry, these include some 760 companies in Latin America, as well as at least 20 Colombian government agencies. The agencies include the health ministry, the health regulator, and the Superior Council of the Judiciary. Colombia's cybersecurity unit, PMU Cyber, has established a command post to cope with the emergency. The judiciary seems to have been particularly hard hit, and many courts will suspend operations until September 20th. Colombia Reports says that early indications are that IFX Networks was the target of a ransomware
Starting point is 00:04:59 attack, obviously criminal and presumably financially motivated. Netskope describes a campaign that's using Python scripts to steal Facebook business account credentials, along with all available cookies and credentials stored by the browser. The malware is a new version of NodeStealer, distributed via Facebook Messenger. Netskope says, The new NodeStealer variant we detected was hosted on the Facebook CDN and was sent to victims as an attachment in Facebook messages. Images of defective products were used as bait to convince owners or admins of Facebook business pages to download the malware payload. Unlike previous NodeStealer campaigns, this one uses a batch file instead of an executable as the initial payload.
Starting point is 00:05:48 It can be easy to forget that stuff stored in the browser, even cookies, can be valuable. We turn now to the recent attacks on Las Vegas casinos. As expected, Caesars Entertainment filed its 8-K with the SEC yesterday at roughly noon Eastern time. The company said that its customer-facing operations, including physical properties and online and mobile gaming applications, were unaffected. But customer-facing operations don't extend to all customer data. In particular, Caesars' loyalty program database was compromised. The information acquired by an unauthorized actor includes driver's license numbers and social security numbers for a significant number of members in the database. The company is continuing to investigate, but so far has found no signs that members' credentials, bank account information, or pay card data were exposed. Despite that preliminary
Starting point is 00:06:45 finding, Caesars is extending credit monitoring and identity theft protection to affected customers, whom it will be notifying over the coming weeks. Caesars said, We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result. This has been widely interpreted as an acknowledgement that the company negotiated a ransom payment with the criminals who took its data. The Wall Street Journal put the amount of ransom paid at $15 million, half the $30 million the attackers demanded. In addition to hardening its own systems, the company said it had taken steps to ensure that the specific outsourced IT support vendor involved in this matter
Starting point is 00:07:29 has implemented corrective measures to protect against future attacks that could pose a threat to their systems. Caesars said it had incurred some expenses due to the attack and might incur others as investigation and remediation proceed. It also acknowledged the difficulty of predicting the incident's effect on guest behavior. Nonetheless, they said, we currently do not expect that the incident will have material effect on the company's financial condition and results of operations. So, Caesars has made its assessment of materiality and decided that, for now at least,
Starting point is 00:08:08 the incident is unlikely to have a material impact. The other casino operator under attack this month is MGM Entertainment. Cyber criminals appear to have stolen six terabytes of data from MGM Resorts and Caesars Entertainment, Reuters reports. Scattered Spider, an Anglophone affiliate of ALPHV, has been talking up its attack against MGM Resorts in particular. Members of the group have been boasting in their Telegram channels that their original plan was to rig slot machines and use money mules to drain them, but when that didn't work out, they fell back on traditional social engineering to gain access to the company's systems in a ransomware operation. The Financial Times writes that the spiders evaded detection from the company's security team by using common remote login software and access to MGM's
Starting point is 00:08:56 corporate VPN to impersonate an employee's digital footprint. They ran their malware remotely and claimed to have penetrated the system within five hours of starting the attack and evaded detection for eight days. A principal key to the gang's social engineering success is its members' native proficiency in English and good idiomatic control, which rendered their approach more plausible than the usual "hello, dear one" phishing emails so many non-native speaking gangs use. The AP reports that some MGM Entertainment systems remain unavailable in the aftermath of the attack. According to Bleeping Computer, there was more to the attack than data theft. The attackers claim they also encrypted more than 100 ESXi hypervisors. A statement by ALPHV, also known as BlackCat, said,
Starting point is 00:09:47 After waiting a day, we successfully launched ransomware attacks against more than 100 ESXi hypervisors in their environment on September 11, after trying to get in touch but failing. This was after they brought in external firms for assistance in containing the incident. Bleeping Computer also cites researchers at Mandiant who see a possible overlap between Scattered Spider and the Lapsus group. In addition to overlapping tactics, there's an unusual demographic similarity that circumstantially suggests a connection. Both groups are largely composed of English-speaking teenagers and young adults
Starting point is 00:10:25 who are likely breaking their parents' hearts. And finally, someone is really after the police in the UK. A ransomware attack against a third-party vendor has led to the theft of personal data belonging to Manchester police officers, Bleeping Computer reports. Greater Manchester Police Assistant Chief Constable Colin McFarlane said in a statement, We are aware of a ransomware attack affecting a third-party supplier of various UK organizations, including GMP, which holds some information on those employed by GMP. At this stage, it's not believed this data includes financial information. The Record notes that the UK's National Crime Agency is, unsurprisingly, assisting in the investigation. To the NCA and the Greater Manchester Police, we wish you good hunting and some quick collars.
Starting point is 00:11:31 Coming up after the break, Betsy Carmelite from Booz Allen speaks about how to leverage cyber psychology. Ron Reiter of Sentra outlines the threats for connected cars. Stay with us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings
Starting point is 00:12:14 automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection
Starting point is 00:13:10 platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. We've grown accustomed to the reality that our connected mobile devices are continuously gathering and sharing all sorts of information about us. And many of us put in a serious effort to minimize that data gathering. But there's another truly mobile device that often gets overlooked. Our cars.
Starting point is 00:14:02 Ron Reiter is co-founder and CTO at data security firm Sentra. There are basically two different challenges that connected cars have to deal with in terms of cybersecurity. So we've touched both of them. So the first one is the privacy aspect, right? So there are petabytes of information collected every day from these connected cars. Information like, where are you right now? Who is in the car? How awake are you? Where are you looking? What are you saying? It's basically the most intimate parts of your life that are being recorded and uploaded to
Starting point is 00:14:41 the cloud for many different purposes, whether it's for training models for connected cars so they can eventually provide the capability of autonomous driving, whether it's for security aspects, whether it's for functionality-wise, right? You want to have some sort of safety mechanism on the road and you have to maybe know how fast you're driving or who's driving fast near you. So there's many different reasons that data needs to be collected. But I think the core issue that needs to be addressed is the privacy aspect. Because if people would have access to this type of information on other people, it's definitely
Starting point is 00:15:22 the most intimate type of information that one can collect in a person. So I think that's the first challenge that we have to address and face and understand, you know, to understand how the data is being protected, how privacy is being preserved. When is the data deleted? What happens if, you know, a user is concerned about where his data is going? Which third-party vendors are using it? So that's one big aspect. And as again, you said you've touched the second aspect, which is the security aspect.
Starting point is 00:15:54 So obviously, the most frightening, I would say, scenario would be to have some hacker control your car and drive you into a cliff without you noticing. That's really like the nightmare. Unfortunately, I would have to say that I'm pretty sure it would eventually happen. There is virtually no way to actually avoid such a terrible scenario because the shift to connect the cars to the internet is so strong. The software of these machines are so complicated that it's virtually impossible to avoid, in 100% of the cases, a cybersecurity breach that would severely impact or be fatal to a person. So I think both are very important to protect and they require different technologies and practices, but that's definitely the two major challenges. And where do we stand right now when it comes to a regulatory regime? I mean, do the manufacturers have a responsibility to allow buyers to opt out of these things?
Starting point is 00:17:19 So, first of all, there's GDPR, CCPA, and all the data privacy, data regulation frameworks that already exist today. And they're also effectively basically guaranteeing that the user will also be protected under the connected car scenario. The user cannot have its data collected without proper consent, without the ability to delete the data, without the understanding of who else is getting the data from him. If a third-party vendor also gets the data from the data collector, the customer must also know which vendors are accepting the data. So in that sense, I think the data privacy frameworks are pretty much adequate in terms of controlling that aspect. So I would say, I think today, in today's world, we are covered. I would say I'm not into the
Starting point is 00:18:13 details in terms of how Tesla operates, for example, but it is possible that in order to have a Tesla, it would be virtually impossible to drive a Tesla without consenting to data collection. So, and it's, it makes sense. Again, I'm not sure I'm not, I haven't read all the details of the terms of service of a Tesla car, but you know, it very much is possible that the only way to avoid in the future, the connected car experience is to not have a connected car. I think that's probably where we're going because a lot of the features that cars will eventually have actually would require being connected to the cloud. It just makes the developers of cars much,
Starting point is 00:18:58 it makes the work for them easier, right? If they require some sort of internet connectivity so they can offload some of the work to the cloud. So I think that's kind of inevitable. Today, it's not the case. Today, a car is very much self-sustaining. But as time goes on, I think as connectivity kind of becomes abundant and trivial,
Starting point is 00:19:22 I think it will be more and more a requirement to be connected to the cloud and to collect data if you would actually want to use the features of the connected car. We could see a resurgence in interest in '67 Chevys, right? Yeah, definitely. What are your recommendations then? I mean, for folks who are interested in these features, but also mindful of their privacy and safety,
Starting point is 00:19:50 how should they be coming at this? Is this a matter of going through all the menus in the car, reading the user manual, that sort of stuff? Yeah, I would say at the end of the day, there's probably no way to escape having both the data being collected and fully utilizing all the different features of the car. I would say some maybe aspects would allow a driver to disallow the use of his data
Starting point is 00:20:23 being passed for advertising purposes. So he might go through all the menu and find some options that would restrict the data collection or what the company can do with it. But at the end of the day, once you buy a car from a specific vendor, I would say the vendor would almost always, by default, require the data collection to their own cloud. Because I think data is king, right? The more data that the manufacturers collect,
Starting point is 00:20:54 the more the value of the company becomes. It goes up and up because it now has data that it collected from the car. So it can research and they can develop new technologies using this data and test it. So I think it's something that the manufacturers, car manufacturers would never give up on. They would never make it an optional feature. That's Ron Re more to this conversation.
Starting point is 00:21:34 If you want to hear more, head on over to the CyberWire Pro and sign up for Interview Selects, where you'll get access to this and many more extended interviews. And joining me once again is Betsy Carmelite. She is a principal at Booz Allen Hamilton for Cyber Defense Operations. Betsy, it's my pleasure to welcome you back. You know, in a previous segment, you mentioned something called cyber psychology, and I thought that deserved a little deeper dive here today. What exactly are we talking about here?
Starting point is 00:22:21 So we're seeing research, and I'm going to quote or pull from Verizon's 2023 Data Breach Investigations Report, that shows that 82% of all breaches are caused by mistakes people make in the course of everyday work. So in other words, our behavior is the target, and it's often targeting that fight or flight response that we all kind of face when we're making decisions. So traditionally, cybersecurity has been focused on protecting systems and information. But as this data makes clear, it's not simply the networks that need protection, but the people using them. So also, again, by the numbers, just 10 percent of attacks are the result of vulnerabilities, while we're seeing the majority stem from credential harvesting, credential stealing, and from phishing. So is this a matter of kind of helping protect people against themselves, you know, their own human nature? There are a few ways that we can help people shift their mindset.
Starting point is 00:23:30 And rather than relying on security of the devices, let's protect our own thinking and how we understand the adversary. And there are a few ways that we recommend that we can begin to prioritize that mindset shift to the human being the target here, less the technology and the devices. Well, let's dig into that. What do you recommend? So first, understand the adversary. It's funny. I sent my daughter up the street today to play with a friend, and I always say, don't talk to strangers. One of my favorite phrases is, be aware of your surroundings and have that awareness, awareness, awareness. that into predictable ways that online attacks occur and how threat actors are trying to understand us, we can leverage cyber psychology and determine what are the predictable ways that we are being scammed online? What is our awareness in our workforce? Are they trying to
Starting point is 00:24:41 disable irrational and clear thinking? So what is the adversary trying to do to us? Verizon's research shows that human errors, again, remain at the top for vectors of malicious activity. They take advantage of how we work, our expectations at work. And paired with neuroscience research that suggests the human brain will always take the easiest path, we can begin to see why errors continue to lead as the reason for breaches. Understanding how to counter motives such as money, ideology, coercion, and ego can make an attack more difficult or not worth the investment. And cyber psychology potentially shows that focusing security efforts on the ease of entry point may have better return on investment for businesses. So that's one way we're looking at that, how to understand the adversary.
Starting point is 00:25:47 How do you suggest an organization come at this? I mean, is it appropriate for the cybersecurity people to be handling the cyber psychology? It strikes me that that may be a misalignment. Yeah, so that's a really good starting point for kind of the next two thoughts on how to proceed and counter this. So number one, companies should avoid the blame game. Invest in understanding the cyber psychology of our workforces. So if you take this statistic, the average employee uses 16 different applications in a day to get work done. That's creating fatigue. That's creating multiple transitions in a day
Starting point is 00:26:28 between or among platforms. The decisions that you have to make, and we've talked about this on previous podcasts, like cybersecurity analysts are faced with so many tasks, so much analysis. How much decision-making are they doing in the day to properly do their jobs. And these mental stressors are often the critical catalyst for missed red flags, careless errors.
Starting point is 00:26:57 So organizations can put the same amount of energy into figuring out why alerts are missed. What's going on in my workforce? How can I understand the psychology of my workforce? What decision-making processes occurred that led up to this point? And then after locating the root cause, prescribe corrective actions as opposed to pointing the fingers or punitive measures. And then organizations can really model good behavior. A significant number of attacks we see today are the result of stolen credentials, which means it's essential to crack down on the human side of cybersecurity. And organizations have been much too tactical, we believe, in the past
Starting point is 00:27:45 in how they think about defending against threats. So bringing in someone like a cyber psychologist can help teams with stepping back, think more broadly about understanding the adversary, seeing the forest through the trees. Secondly, organizations can narrow their scope and security teams can limit the attack paths. So one of the things that I know I've done with my team, like we talk about periodically, what sort of phishing campaigns are we specifically seeing and how are they
Starting point is 00:28:20 specifically targeting organizations? How is our information in LinkedIn? How can that be better locked down so as to not fully expose who we are, what we're doing, what we're working on? And that's all part of monitoring the open internet too. Look at the phishing lures and what adversaries could uncover to build a threat model and profile
Starting point is 00:28:46 against us as an organization or other organizations. A lot of those recommendations really come down to, while I'm not the security team, I can also model good behavior and spread that throughout the organization and not just put the reliance on all of the security teams as well. All right. Well, Betsy Carmelite is a principal at Booz Allen Hamilton for Cyber Defense Operations. Betsy, thanks for joining us. Thanks, Dave. Thank you. solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see
Starting point is 00:29:59 how a default deny approach can keep your company safe and compliant. And that's The CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Manuel Hepfer from iStory. He's sharing their research on cyber resilience. Check it out. We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of Thank you. team supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben.
Starting point is 00:31:23 Our mixer is Tré Hester with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here next week. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
