CyberWire Daily - Phishing threats unleashed.
Episode Date: February 13, 2024

Attackers lock up Azure accounts with MFA. Bank of America alerts customers to a third-party data breach. Malicious cyber activity targets elections worldwide. CISA highlights a vulnerability in Roundcube Webmail. Lawmakers introduce a bipartisan bill to enhance healthcare cybersecurity. Siemens and Schneider Electric address multiple industrial vulnerabilities. Perception in tech gender parity still has a ways to go. Dave Bittner speaks with guests Andrew Scott, Associate Director of China Operations at CISA, and Brett Leatherman, Section Chief for Cyber at the FBI, about Chinese threat actor Volt Typhoon. And the scourge of online obituary spam.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Guests Andrew Scott, Associate Director of China Operations at CISA, and Brett Leatherman, Section Chief at FBI, discussing the PRC/Volt Typhoon advisory and living off the land guidance. Read the press release on "U.S. and International Partners Publish Cybersecurity Advisory on People's Republic of China State-Sponsored Hacking of U.S. Critical Infrastructure."

Selected Reading
Ongoing campaign compromises senior execs' Azure accounts, locks them using MFA (Ars Technica)
Bank of America warns customers of data breach after vendor hack (BleepingComputer)
Global Malicious Activity Targeting Elections is Skyrocketing (Security Affairs)
CISA Warns Of Active Attacks on Roundcube Webmail XSS Vulnerability (CISA)
Bipartisan Senate Bill Requires HHS to Bolster Cyber Efforts (Gov Info Security)
ICS Patch Tuesday: Siemens Addresses 270 Vulnerabilities (SecurityWeek)
Four in five men in tech say women are treated equally, as women criticise 'invisible challenges' (Euronews)
The rise of obituary spam (The Verge)

Share your feedback.
We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Attackers lock up Azure accounts with MFA. Bank of America alerts customers to a third-party data breach.
Malicious cyber activity targets elections worldwide.
CISA highlights a vulnerability in RoundCube webmail.
Lawmakers introduce a bipartisan bill to enhance healthcare security.
Siemens and Schneider Electric address multiple industrial vulnerabilities.
Perception in tech gender parity still has a long way to go.
Dave Bittner speaks with guest Andrew Scott, Associate Director of China Operations at CISA,
and Brett Leatherman, Section Chief for Cyber at the FBI,
about Chinese threat actor Volt Typhoon, and the scourge of online obituary spam.
Today is February 13th, 2024.
I'm not Dave Bittner, but Trey Hester.
senior executives, aiming to steal data and financial assets.
Security firm Proofpoint discovered the attackers use sophisticated phishing techniques
to compromise Azure environments, affecting a broad spectrum of roles globally.
Once they gain access, attackers secure accounts with multi-factor authentication to hinder
password changes or access review by victims.
Post-compromise actions include data exfiltration, internal and external phishing for lateral
movement, financial fraud attempts, and creating mailbox rules to hide malicious activities. The attackers use proxies to match their IPs' geographical location with
their targets' and employ compromised domains and data hosting services to obfuscate their operations.
Indicators of compromise involve specific user agents and domains, with some proxy services
tracing back to Russia and Nigeria, though no specific threat actor has been identified by Proofpoint.
Organizations are advised to monitor user agents and source domains for signs of compromise
and employ security defenses against both initial and post-compromise activities.
Bank of America has alerted its customers to a data breach at Infosys McCamish Systems,
a service provider, exposing
personal information like names, social security numbers, and financial details of potentially
57,000 individuals. The breach, attributed to a cybersecurity event in November 2023,
led to unauthorized access to IMS systems but did not compromise Bank of America's own systems.
The LockBit ransomware gang claimed responsibility
for encrypting over 2,000 IMS systems during the breach. This incident is part of a larger
trend of cyberattacks by LockBit, which has targeted numerous organizations worldwide since
2019. Additionally, financial information of Bank of America customers was also exposed in a
separate breach of the MOVEit Transfer platform by the Clop cybercrime gang in May of 2023.
Infosys, the parent company of IMS, has yet to comment on the breach.
Security firm Resecurity reports a significant uptick in malicious cyber activities aimed at influencing sovereign elections globally.
2024 has seen an unprecedented number of voters participating in elections across 64 countries,
including a pivotal U.S. presidential election.
This cyberactivity, which has doubled since the previous analysis period,
targets nations worldwide, aiming to disrupt democratic processes
and manipulate public opinion through cyberespionage
and the dissemination of targeted propaganda.
Threat actors driven by profit, ideology, or under the
direction of nation-states seek to undermine the integrity of elections by exploiting leaked voter
data and personal information. Resecurity emphasizes the urgent need for robust identity
protection measures to safeguard the democratic process against evolving cyber threats and foreign
interference campaigns. CISA has alerted users to an actively exploited
cross-site scripting vulnerability in the Roundcube webmail, identified by Zscaler researcher
Niraj Shivtarkar, with a CVSS score of 6.1. This flaw threatens to expose sensitive data
via malicious links and plain-text emails. This issue, from September 15th of last year, affects
a widely used PHP-based IMAP email client compatible with various web servers and databases.
Over 132,000 Roundcube servers are publicly accessible online, raising concerns about
potential security risks. CISA has urged vendors to apply mitigations or discontinue using vulnerable versions to protect
against this security threat. U.S. lawmakers are introducing a bipartisan bill aimed at enhancing
cybersecurity in the healthcare sector amidst a surge of cyberattacks. The Strengthening
Cybersecurity in Healthcare Act, proposed by Senators Angus King and Marco Rubio, mandates
the Department of Health and Human Services to conduct biannual cybersecurity reviews and tests of its IT systems.
This requirement comes in response to the department's management of data
for 65 million Medicare patients and the record 734 breaches reported in 2023,
affecting over 135 million people.
The bill seeks to update HHS's cybersecurity strategy to address
evolving threats, requiring biannual reports to Congress on progress and plans.
Siemens and Schneider Electric have released 18 security advisories addressing a combined
total of 275 vulnerabilities for their industrial products. Siemens' advisories cover 270
vulnerabilities across various products,
including SCALANCE switches, the SINEC industrial network management solution,
and several others, with most issues rated as critical or high severity.
These flaws could lead to arbitrary code execution,
denial of service attacks, or information disclosure,
with updates available for most affected products.
Schneider Electric's three advisories detail five vulnerabilities in products like
EcoStruxure Control Expert and Harmony Relay NFC,
addressing issues such as unauthorized access to PLCs and authentication bypass.
Siemens is also implementing CVSS 4.0 severity ratings.
An article in Euronews outlines that despite 80% of men in the tech industry
believing in gender parity, women in tech challenge this perception, pointing out structural
challenges and biases that still exist. A survey by recruitment company Nigel Frank International
revealed that only a small fraction of men disagree with the notion that there is currently
gender equality in tech, contrasting sharply with women's experiences of sexism and inequality in the workplace.
The issue extends to venture funding, where women founders face significant hurdles
due to the male-dominated investor landscape.
Recommendations for improvement include hiring and properly compensating women,
calling out sexism, ensuring inclusive decision-making,
and increasing the presence of women in senior and investor roles to combat deep-rooted gender biases and foster equality
in the tech industry. Coming up after the break, Dave Bittner sits down with CISA's Andrew Scott
and the FBI's Brett Leatherman.
They share the latest joint advisory from their respective agencies on the People's Republic of China and Volt Typhoon and offer some living off the land guidance.
Stick around.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings
automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber
for $1,000 off.
And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to
bypass your company's defenses is by targeting your executives and their families at home.
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached. Protect
your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
The Chinese threat actor, Volt Typhoon, has been top of mind for cybersecurity professionals in the federal government,
with recent testimony from both FBI Director Christopher Wray and CISA Director Jen Easterly
highlighting the degree to which Volt Typhoon and China represent a capable and persistent threat.
Joining me today are experts from both the FBI and CISA. Andrew Scott
is Associate Director for China Operations at CISA, and Brett Leatherman is Acting Deputy
Assistant for FBI Cyber Operations. Brett, let me start with you. Can you give us some of the
backstory and current state of things when it comes to Volt Typhoon? So in December 2023 and January 2024,
the FBI conducted a technical operation pursuant to warrants issued out of U.S. District Court
under Rule 41 authorities. The warrants authorized the FBI to seize and remove malware associated
with the KV botnet from compromised small office home office routers,
often referred to as SOHO routers, located throughout the United States. SOHO devices
are typically used by private citizens or small businesses who have limited IT and security
resources. The KV botnet malware was unlikely to be identified and mitigated by these device owners. So the FBI
technical operation really leveraged commands native to the botnet itself to delete the malware
from the SOHO devices. It also prevented the device from being reinfected by stopping further
communications between those devices and the botnet's command and control infrastructure.
It's important to note that we didn't actually patch these devices or make persistent changes
to the devices themselves. What we did was we prevented the device from further communicating
with the actor's infrastructure. Those changes really are non-persistent, and really they can
be removed by the device
owner with a simple reboot of the device. That's why we went public with the Joint Cybersecurity
Advisory to help the public to understand exactly what the Volt Typhoon actors were using these
devices for and how they can better mitigate the threats to the U.S. in general by allowing these end-of-life devices to stay on
their networks. Andrew, can you give us some details from CISA's perspective of who we're
dealing with here? I mean, what should we know about Volt Typhoon, what they're up to, and who's
behind it? Sure, thanks for the question. So I would just build off of my colleague at FBI's answer
to wind the clock back a little less than a year to last spring, when many of our US
government partners and international partners released a cybersecurity advisory highlighting Volt Typhoon's use of living off the land techniques to hide on victim networks.
Subsequent to that advisory, over the course of the intervening months,
CISA then worked extensively with our industry partners to identify potential victims of Volt Typhoon activity,
which is, in our belief, PRC state-sponsored activity, and identify
and provide victim support to multiple entities across multiple sectors.
And as a result of our incident response activities, what we've determined is that those actors
have compromised the IT environments of multiple critical infrastructure organizations in the United States, primarily in communications, energy, transportation, really highlighting and emphasizing the concerns,
the risk, and issuing guidance that industry partners can use to help harden their networks
and improve their defenses. Can we go into some of the details here? What are the recommendations
that your organizations have put out there? So I think what we're seeing here is a use of what we call living off the land tradecraft.
What that means is that these actors are using native tools on the network
to sort of imitate basic user behavior.
And so what they're doing is compromising the identity and credentials for
just regular users on these networks to include administrators, and then using that access to
maintain access in the environment, which would allow them to do all kinds of malicious activity
if they chose to do so. So a couple of the pieces of guidance that we're really emphasizing,
prioritizing, patching your internet-facing systems and vulnerabilities
that are known to be exploited by the Chinese or other actors.
CISA offers the known exploited vulnerabilities database as a key service
that we offer to help folks figure out what to patch.
Implementing phishing-resistant multi-factor authentication
to ensure that your credentials can't be stolen
through just, you know, regular spear phishing techniques,
and really ensuring that logging is turned on
and that centralized logging is stored
so that if you're concerned about the kind of activity
that we're highlighting,
you have the ability to find it on your network
and determine how to take defensive measures.
Brett, how about from the FBI's perspective?
Yeah, I would just add a couple thoughts on that, covered by both the Joint Cybersecurity
Advisory as well as kind of our prior recommendations.
In addition to what Andrew said, we would recommend that organizations were able to build network and host baselines.
When an adversary like Volt Typhoon is trying to hide within the network, it's important to understand what those anomalies are to behavior on the network. Building a baseline, understanding how your network operates, is important because the adversary has a
vested interest in understanding how your network deviates as well and to staying within that.
I would also say that in the cyber defense world, we've often talked about, you know,
the importance of inventory in our hardware and not having hardware out there that we don't know
as network administrators. Those are points of vulnerability.
This demonstrates it's also important to have software inventories to understand what software is being used within our environment, especially those tools that can be used to live off the land
by the actors and either disable tools that we're not using or build appropriate safeguards in place
with those tools. And this also demonstrates the importance of retiring end-of-life devices.
As network cybersecurity professionals, we're taught to patch, patch, patch whenever vulnerabilities are exposed.
This demonstrates that end-of-life devices, there are no patches available.
And at that point, they become vulnerable to exploitation, and it's really important that we retire those devices and bring new devices into our environment, which are built with security as a baseline to them.
the FBI of going in to help secure these end-of-life devices. What sort of thing goes on
in terms of notifying the owners here, and what has the response been from industry so far?
Yeah, that's an important point. When we operate via Rule 41, we are conducting a law enforcement
operation, which requires, at the conclusion, notification to victims. And we want to do that. We partner with victims to help them build resiliency in their
networks. One thing that we are big advocates of here in the FBI is that cybersecurity is national
security. And this operation demonstrates that we all play a vital role in protecting our national interests,
whether you're a small business, medium business, or otherwise an individual or large business.
Your data, your information is important to the adversary and can have impact on the
national security, but also your systems are vulnerable and can have an impact as well.
So after this operation concluded, we conducted victim
notification to hundreds of endpoint victims who were compromised, in some cases directly,
and in some cases through the internet service providers that they were riding on top of,
and provided them with some context around what the operation was, who was utilizing their devices,
and how to better protect
those devices in the future. Andrew, I'm curious as we look forward here, I mean, Volt Typhoon
presumably coming out of China, I think we can assume that they are well-funded and will
probably be persistent. This won't be the last that we see of them. What sort of things should we look for moving forward
to help mitigate what could be the next wave of activity from this group?
Thanks for that.
I think what I'd offer is thinking about this not as waves of activity,
but persistent, ongoing action.
If you look back at what the Director of National Intelligence
highlighted in the
Unclassified Annual Threat Assessment
from 2023,
she talked about the fact
that the PRC sort of sees cyber
as a key means of achieving
its military objectives
in the event of a crisis
or conflict with the United States.
And so from CISA's perspective,
what we're deeply concerned about
is that we're seeing these actors
burrow into our critical infrastructure
to maintain access
in the event that they ultimately choose
to take more disruptive or destructive activity.
And so what that means is really
that this should be seen as a call to collective action for government, for industry partners in the cybersecurity field, and for critical infrastructure owners and operators.
And so I'd highlight a couple of things here.
The first, every victim of a cyber incident should report it to CISA and FBI every time.
Because as Brett just noted, cybersecurity is national security
and a threat to one could result in a threat to many.
The second is really encouraging
every critical infrastructure entity
to establish a relationship with their local CISA team
and enroll in the free services that we have,
like vulnerability scanning,
where we can help entities understand the risk that they have on their network
and repair the vulnerabilities that are being exploited
by Chinese actors.
The third I'd highlight is that every critical infrastructure entity, really outside of the
cyber dimension of this, doubling down on a commitment to resilience, expecting and
preparing for potential attacks in the future,
testing and exercising the continuity of their critical systems
to ensure that they can operate through disruption
and that they can recover rapidly.
But really, everything that I just highlighted is only achievable
if CEOs, boards, and every leader of a critical infrastructure organization
recognizes and treats cyber risk as core business risk and recognize that managing them is both a matter of good governance and national security.
Brett, anything to add to that idea?
Yeah, absolutely.
I think China represents the broadest, most active, and persistent cyber threat to the United States today.
And last week on The Hill, the FBI director tried to give everybody a sense of the scale of the Chinese cyber threat by indicating that if all FBI cyber agents and all our cyber intelligence analysts focused solely on China and not ransomware, Iran, Russia, or other cyber threats,
the Chinese hackers would still outnumber the FBI cyber personnel by at least 50 to 1.
And I think that most, if not all, Americans at this point are tracking the persistent threat
that China poses in the realm of cyber espionage to us today. But what many Americans may not be
tracking quite as closely
is that they are pre-positioning, in some cases, its enormous hacking enterprise, again, 50 to 1,
to give themselves the ability to physically wreak havoc on our critical infrastructure
at a time of their choosing. And this demonstrates that the PRC is willing to compromise IT
environments, information technology environments, to
potentially target operational technology or OT environments within critical infrastructure
to deploy capabilities at a time of their choosing. So I think us remaining conscious
about that, continuing to partner across the U.S. government and in private sector,
will help us to best defend against those kind of attacks in the future.
So, Brett, when I talk to folks in the FBI, one of the things that comes up over and over again
is this idea of proactively starting a relationship with your local FBI field office,
but also being able to
communicate online, what are the best ways for folks to do that?
Yeah, appreciate that question, Dave. We recommend, number one, like you indicated,
that folks build a relationship with their local FBI field office. We have 56 field offices across
the United States, a forward-deployed workforce. And within every company's
area, there is an FBI office and there is a cyber task force there. And we encourage folks to build
a relationship in advance of a breach with that field office and to report any breach or anomaly
with that field office. We bring, along with our partners at CISA, tremendous intelligence to bear to victim
organizations, and we prioritize victim engagement, remediation, mitigation, along with our partners
at CISA on a regular basis. And if an organization suffers a breach, in addition to reaching out to
their local FBI field office, they're always welcome to provide information via IC3, the
Internet Crime Complaint Center, and they can reach that at www.ic3.gov.
Andrew, how do folks get in touch with CISA?
Sure, thanks for the question.
And I'd start by just noting, as Brett just said, CISA and FBI work very closely and jointly,
both here at the headquarters elements in Washington,
as well as out in the field.
For CISA, we similarly,
although not at the scale of FBI,
have regional personnel deployed around the country that provide
physical security and cybersecurity support and
assistance to critical infrastructure and
any other entity in the sector that is
interested or in need of support. So I would encourage, just as Brett noted, reporting through the FBI
field office, but also to CISA, where any anomalous cyber activity or incident can be reported 24-7 to report@cisa.gov or by our phone number at 1-888-282-0870.
All right. Well, Andrew Scott is Associate Director for China Operations at CISA,
and Brett Leatherman is Acting Deputy Assistant for FBI Cyber Operations.
Gentlemen, thank you so much for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
With TD Direct Investing, new and existing clients could get 1% cash back.
Great! That's 1% closer to being part of the 1%... Maybe, but definitely 100% closer to getting 1% cash back with TD Direct Investing.
Conditions apply. Offer ends January 31st, 2025. Visit td.com slash dioffer to learn more.
And finally, Mia Sato reports for The Verge about the ghoulish trend of online obituary spam.
In late December of 2023, Brian Vastag was shocked to find fake obituaries online claiming both he and his late
partner, Beth Mazur, had died. While Mazur did pass away on December 21st of 2023, Vastag was
very much alive, contrary to the misleading reports spread by several spammy websites.
These sites exploited Mazur's death for clicks, using SEO tactics to appear at the top of Google
search results.
The misinformation, suspected to be generated by AI tools, included over a dozen sites and YouTube videos, impacting Vastag and friends deeply. This case highlights the broader issue
of obituary scraping, where low-quality, often inaccurate obituaries are published at scale,
sometimes even affecting private individuals, not in the public eye.
Despite efforts to correct the record, platforms like Google struggle to manage the deluge of such
deceitful content, underscoring the challenges in combating digital misinformation and respecting
the deceased's legacy. So here's to looking forward to the day where we can write the
obituary for this kind of despicable online misinformation.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
This episode was produced by Liz Stokes. Our mixer is me with original music by Elliot Peltzman.
Our executive producers are Jennifer Iben and Brandon Karp. Our executive editor is Peter
Kilby. And I'm Trey Hester filling in for Dave Bittner. Thanks for listening. We'll see you back
here tomorrow.
practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo,
you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents
connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at
ai.domo.com. That's ai.domo.com.