CyberWire Daily - Precautions, preparations, and resilience against cybercrime and hacktivism.
Episode Date: November 6, 2023

A precautionary shutdown at a major US mortgage lender. Call centers as targets. A push to decouple data and identity. The cyber front in the Hamas-Israeli war. Hacktivism and state-sponsored cyberattacks against Israel. The instructive case of TASS and managing influence operations. Deepen Desai from Zscaler talking about the TOITOIN Trojan. Our guest is Joe Nocera of PwC, sharing their latest Global Digital Trust Insights survey and the impact of the SEC's new cybersecurity disclosure rules. And cybercrime on the side of Ukraine (or at least, cybercrime against Russia).

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/212

Selected reading.
Mortgage Giant Mr. Cooper Shuts Down Systems Following Cyberattack (SecurityWeek)
TransUnion Report Shows Fraud Attacks on Financial Industry Call Centers Rising (TransUnion)
A Bold New Plan to Make Cloud Computing More Secure (IEEE Spectrum)
The Cyberwarfare Front of the Israel-Gaza War (The National Interest)
Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors (Unit 42)
GhostSec offers Ransomware-as-a-Service Possibly Used to Target Israel (Uptycs)
Kremlin Sacks TASS Chief for Wagner Mutiny Coverage (The Moscow Times)
Russia's 2nd-Largest Insurer Rosgosstrakh Hacked; 400GB of Data Sold Online (Hackread)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today, get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
A precautionary shutdown at a major U.S. mortgage lender,
call centers as targets, a push to decouple data and identity, the cyber front in the Hamas-Israeli war,
hacktivism and state-sponsored cyber attacks against Israel, the instructive case of TASS and managing influence operations.
Deepen Desai from Zscaler talks about the Toitoin Trojan.
Our guest is Joe Nocera from PwC,
sharing their latest global digital insights survey and the impact of the SEC's new cybersecurity disclosure rules.
And cybercrime on the side of Ukraine,
or at least cybercrime against Russia.
I'm Dave Bittner with your CyberWire Intel briefing for Monday, November 6, 2023.
Mortgage lender Mr. Cooper, which was previously known as Nationstar Mortgage LLC, the largest mortgage lending company in the U.S., sustained a cyber attack last week that brought down its IT systems.
BleepingComputer reports that the incident affected the company's online payment portal.
The company itself said,
Customers trying to make payments will not incur fees or any negative impacts
as we work to fix this issue.
The company further disclosed,
On October 31st, Mr. Cooper became the target of a cybersecurity incident
and took immediate steps to lock down our systems
in order to keep your data safe.
Our systems remain locked down
and we are working on a resolution as quickly as possible.
It wasn't immediately clear
whether any customer data had been compromised.
The company added,
we are actively investigating this event
to determine if any data has been compromised.
If customers are impacted,
they will be notified and provided with identity protection services.
A report from TransUnion looks at fraud attacks targeting call centers in the financial industry,
finding that more than half of respondents say that fraud attacks on call centers are on the rise
based on growth from 2021 to 2022, with financial industry
respondents noting an even more acute increase, with a full 90% of respondents indicating at
least some observable growth in attacks. The company calls these attacks omni-channel fraud.
Lance Hood, senior director of omni-channel authentication at TransUnion, stated,
Through the use of tactics such as spoofed phone numbers and social engineering, combined with personal information obtained from identity theft scams and data breaches, fraudsters have become more focused on call centers as a target to access and take over accounts.
More than ever, it's critically important for call centers to find effective and efficient ways to separate legitimate callers from potentially fraudulent, high-risk ones in a way that reduces friction for the customer.
An article by Bruce Schneier and Barath Raghavan in IEEE Spectrum outlines a new approach to cloud security called decoupling that could provide better privacy for data stored in the cloud.
Schneier and Raghavan explain,
the less someone knows, the less they can put you and your data at risk.
In security, this is called least privilege.
The decoupling principle applies that idea to cloud services
by making sure systems know as little as possible while doing their jobs.
It states that we gain security and privacy by separating private data that today is unnecessarily
concentrated. They continue, to ensure that cloud services do not learn more than they should,
and that a breach of one does not pose a fundamental threat to our data, we need two
types of decoupling.
The first is organizational decoupling,
dividing private information among organizations such that no one knows the totality of what is going on.
The second is functional decoupling,
splitting information among layers of software.
Identifiers used to authenticate users, for example, should be kept separate from identifiers used to connect their devices to the network.
The approach advocated is similar to the idea of a software-defined perimeter, in which resources are restricted based on identities.
You may have heard something about this in our podcast by Rick the Toolman Howard.
The National Interest yesterday published an assessment of cyber operations to date in the war between Hamas and Israel.
Israel shut down internet connectivity in Gaza
during the first weeks of the war
and tightened the shutdown over the weekend.
And Israel has sustained a variety of hacktivist assaults.
Most of these have achieved, at most, nuisance-level effects.
The most prominent were the successful hacktivist intrusion into the Red Alert civil defense missile warning system on October 8th and the October 12th hack of smart billboards in Tel Aviv to display pro-Hamas messages.
Israeli defenses seem to have been largely successful in blunting state-directed attacks.
Whatever the effectiveness of Israeli cyber defenses, some state-sponsored threat actors have intervened on the side of Hamas.
Much of this activity is Iranian, some of it Russian.
Palo Alto Networks' Unit 42 this morning reported that an Iranian threat group, Agonizing Serpens, which other researchers call Agrius, Black Shadow, Pink Sandstorm, or DEV-0022, is conducting a two-phase campaign against Israeli universities and research organizations.
The first stage is data theft,
with the data subsequently used to dox the victims. Unit 42 sees this as fundamentally an influence operation
as opposed to traditional espionage.
The information stolen is both personal and proprietary,
and doxing is central to the operation.
Its goal is to sow fear or inflict reputational damage.
The second stage is a wiper attack,
which the researchers characterize as a scorched-earth
approach that renders affected endpoints unusable. The attackers gain access through vulnerable web
servers, through which they deploy web shells.
Unit 42 describes three tools used in the wiper phase as novel, not previously seen: MultiLayer, which covers the attacker's tracks; MultiList, which inventories files on the affected system; and MultiWipe, the wiper proper.
Uptycs reports that one hacktivist group, GhostSec, formerly an Anonymous affiliate, may be turning its attention to Israel.
Uptycs says, previously dedicated to tracking and disrupting ISIS-related online propaganda, they notably collaborate more closely with law enforcement and intelligence agencies than their predecessor, Anonymous.
Their recent activity against Israeli targets, however, suggests a shift in the group's interests and focus, especially since that activity is centered on its GhostLocker ransomware-as-a-service operation.
The evident profit motive suggests a new complexity to GhostSec's goals and objectives.
The chief of the major Russian news service TASS was replaced on July 5, a few days after the Wagner Group's abortive march on Moscow.
The Moscow Times reported that the removal
was indeed a sacking and not a retirement or voluntary resignation. The paper quotes an
unnamed Russian government official on the change in leadership at TASS, stating,
TASS covered all this, that is, the Wagnerite mutiny, in too much detail and promptly. Some
kind of insanity has happened to them.
They have forgotten that their main task is not to report the news. It's to create an ideologically
correct narrative for the Kremlin.
The official added an assessment that TASS now understood its role and that it would be properly aligned in the future, stating, the neutrality of TASS is of no use to anyone right now.
It's wartime and presidential elections are looming. The chief must win on record.
Under the new director general, TASS will be more aggressive and provocative.
While cyber criminals have worked for Russia in the hybrid war, either as privateers or co-opted contractors, they've been much less in evidence on the Ukrainian side.
Hackread reports, however, a departure from this pattern.
Russia's second-largest insurer, Rosgosstrakh, has apparently sustained a significant data breach.
Someone with the hacker name Apathy has offered the stolen data for sale on BreachForums. The asking price is $50,000, payable in Bitcoin or Monero.
Hackread summarizes the data that appear to be on offer, stating,
The compromised data includes full access to the investment and life insurance department records dating back to 2010.
The breach, which has put approximately 3 million bank statements at risk,
has also compromised data on 730,000 individuals, with approximately 80,000 individuals' Russian social security numbers
and 45,000 individuals' complete bank routing information now in jeopardy.
The breach also includes access to all life insurance policies and contracts,
as well as associated attachments,
such as passports and scanned documents of public officials or their immediate relatives. The attack seems to be
criminally motivated with no obvious admixture of political or military purpose. The compromised
data do seem to include relatively full information on three Russian GRU agents, but that's hardly enough to qualify the hack as a wartime coup.
Insofar, however, as the cyber attack inconveniences and embarrasses a major Russian enterprise, objectively, it works in the interests of Ukraine.
Coming up after the break, Deepen Desai from Zscaler talks about the Toitoin Trojan.
Our guest is Joe Nocera from PwC, sharing their latest Global Digital Trust Insights survey
and the impact of the SEC's new cybersecurity disclosure rules.
Stay with us.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Joe Nocera is a principal in PwC's cybersecurity practice. PwC recently published
their Global Digital Trust Insights Survey, and I reached out to Joe Nocera for insights on that,
as well as how the SEC's new cybersecurity disclosure rules will impact companies as they prepare for compliance.
One of the interesting things that caught our eye was only about one third of the organizations that responded said that they were consistently performing the eight leading cyber practices that we kind of laid out in the report. And that was a
little bit surprising. We thought that we'd see a little bit more of an uptick there. I think the
other thing that was a key takeaway was cloud-related threats was one of the top priorities
that organizations were most concerned about. That came up time and time again.
And then lastly, you know, 79% of the organizations that we surveyed had a plan to increase their cyber budget in 2024. And so those were,
I think, some of the key takeaways. You mentioned being a little surprised that
folks weren't perhaps up to the level that you expected them to be. Were there any other
surprises in the results here? You know, I'd say an insight. I don't know if it was a surprise given what was happening in the media,
but concerns around AI and responsible use of AI and potential regulation in AI kind of jumped off
the page at us a little bit. That was a top concern. And as I said, I don't know that I
was surprised given the media coverage that we were seeing around that topic in the spring when we designed the survey. Maybe the other thing is the number of large
breaches, and we classified large breaches as breaches that were a million dollars or more,
increased significantly. It went up from, I believe, let me pull the exact data here,
it went up from essentially about 26% of the respondents had experienced what we would have classified as a large breach, and it
went up to 36% of the respondents experienced a breach of a million dollars or more.
And so that was quite a bit of an increase over prior years.
I know one thing you and your colleagues have an eye on is the increased scrutiny from the
SEC when it comes to cybersecurity disclosure.
Any insights there to share with us? Sure. So I think there's no question that
that's going to be a major enforcement priority for the SEC. And so they issued a proposed rule
about 18 months ago, and then they finalized that rule back in July. And then it goes into effect
in the late December, early January timeframe,
depending on when your annual reports need to be filed and when you potentially would
have an incident.
The rule itself really clarifies some of the existing guidance that the SEC always felt like was the law of the land as it related to the need to file an 8-K disclosure if you have a material cyber incident.
What the proposed rule and final rule tried to do was be more prescriptive in what needed to be included in that 8-K.
And more particularly, it put in a notice period, right? It said that there was a four-day
reporting window once you had determined a material breach had occurred. And so that's really,
really, I think a key aspect of the rule itself is that ticking clock. And a lot of the questions
that we get from clients are really around materiality. How do they think about whether
or not a breach is material? Because we see breaches happen every day. Sometimes it's an
individual user that gets hit
with ransomware. It is something that's very widespread. And how do they begin to put some
guardrails around the way they think about materiality? And what we've said there is
really, there's obviously the financial aspect. I think you very quickly can get your arms around
your financial materiality. Most of our clients already have a financial materiality threshold
that they use for financial reporting. And so you can look at your current breach costs and any other
expected costs that are likely to come from the breach, and you can land on a materiality
figure financially pretty quickly. Where it gets to be more tricky, in our view,
is on the intangible aspects of the breach. So think about the loss of
intellectual property. Think about the erosion of brand in the market, customer trust. How do you
begin to put some guardrails or some considerations around whether or not a specific breach is going
to impact your competitive positioning in the market to a
degree that a reasonable investor would want to know that information. There's a lot more gray
area there, and I think there's room for judgment. And many of our clients are asking for our help
in defining the framework by which they make those types of considerations. And I think the
other piece of this that's going to be equally important is the documentation that companies
preserve after a breach
that really allows them to show their math, if you will,
to really allow them to demonstrate their thinking and rationale for why they determined either something was material
or to the extent they determined that it was not material,
that it was supported by a framework that was approved and accepted by the company.
And so that's really on the 8-K side.
The other aspect of the rule itself is on the 10-K disclosure side.
That requires an annual disclosure of how the firm manages their cyber risk.
It includes a description of the management expertise that you have on board.
It includes any risk assessments that you do, any programmatic things that you do to manage the risk,
and then ultimately how that risk gets reported up to senior management and the board.
And so I think there's going to be increased scrutiny that what gets described in that 10-K filing is, one, adequate,
and then, two, accurately reflects the reality on the ground of the way you're managing your cybersecurity program every day.
Going back to the Global Digital Trust Insights report, what are the takeaways here?
What do you hope people take away from the report?
So we talked about it from the perspective of six things that we think clients should do.
First and foremost is we think every C-suite executive needs to learn
to speak a new language. And what we mean by that is the CISO needs to be prepared to talk in
business terms. And we need business leaders, whether it be the general counsel, the chief
compliance officer, the CFO, to learn a little bit more technical language and be comfortable
talking about cyber risk. The second thing that we encourage clients to do is to really
think about new ways of managing cyber risk, particularly looking at the ability to quantify their cyber risk. That's going to be very important.
Third is really understanding the regulatory guardrails and participating in industry organizations that are shaping the next round of regulation, because we know that this is going to be an area of topics.
You've got to get used to cyber being in the boardroom as a fourth priority. It's clear with the SEC guidance and,
frankly, just industry trends that the CISO is going to need a seat at the table at the boardroom.
We need the CISO to begin to think like a business owner, to think about how the company makes money
and grows their revenue and delights their customers and making sure that you do that
in a secure way that doesn't impact that customer experience or the ability to get new products to market.
And lastly, it's going to require creative thinking. As we think about new technologies
like generative AI, robotic process automation, augmented reality, blockchain, etc., each of those
is going to introduce new risk and new opportunities. And it's important for security
professionals to really embrace those
new technologies and to think creatively about the ways they can create value for the organization.
That's Joe Nocera from PwC.
It is always my pleasure to welcome back to the show Deepen Desai.
He is the Global CISO and Head of Security Research and Operations at Zscaler.
Deepen, it's great to have you back. You and your colleagues recently published some research on the Toitoin Trojan,
analyzing a new multi-stage attack targeting the Latin American region.
What can you share with us here today?
Thank you, Dave.
So, yes, Toitoin, interesting name, right?
The malware campaign that the team discovered over here signifies that we're in the time where
the attacks no longer start or end with
an executable or a final stage payload. There's multiple stages
involved. It starts from the stage one
downloader, which does some basic recon.
In this case, we saw the stage one was a simple downloader module
that attempts to evade things like sandboxing, security analysis,
and then it tries to establish some level of persistence.
It then progresses to a second stage payload
which attempts to perform certain known vulnerability exploits.
And this is where there's a loader module,
there's an injector module,
and then there is a privilege escalation module
where a combination of these three payloads,
the main goal over here is,
A, to achieve escalated privilege.
So if it's running as a user mode,
they're trying to get to the kernel mode.
That way they're able to do much more
like disabling endpoint security solutions,
monitoring solutions, deleting backups,
and things like that.
And then the final stage payload
after the previous stages successfully executed is the Toitoin Trojan, which is aimed at stealing sensitive information from the endpoints.
And they're targeting organizations and businesses in the Latin American region.
And there were certain things that we observed that further signified,
like one of the protection modules that they were specifically looking out.
So let me actually take a step back.
So once the attack is successful, the Toitoin Trojan gets installed. That Trojan will then transmit system information,
things like what kind of web browsers are installed on the system.
And then it will check for a very specific protection module.
It's called Topaz OFD.
For those of you that don't know, it's basically a security plugin.
And I was myself not aware of it until the team discovered this.
This is apparently mandated in the Latin American region for online banking.
And so this is where it's a Topaz OFD Warsaw core.exe file
that will be running on these systems.
The attacker is basically looking for that
and looking for what version of this security module
is installed on the system,
which further signifies that this malware is aimed
at businesses and consumers in Latin American region.
And ultimately, is this a banking trojan?
They're going after money here?
Yes.
So the goal over here is two things.
One is stealing information.
We only saw early recon stage, but the next level stage is where they will go after
banking, financial information, and an attempt to perform scams,
leveraging users' credentials.
And what are your recommendations here for folks to best protect themselves?
The way this specific malware attack starts
is with a phishing email.
It's an email with a link.
So the link actually points to Amazon EC2 instance,
so I'm not going to tell the users,
hey, look at the domain,
because domain may appear to be legitimate.
But this is where the organization needs to have
that full TLS inspection,
inspecting all the content that's landing
on your end user's laptop.
And then having inline phishing inspection.
Very, very important.
The final point over here that I've made before as well is
you need to have security awareness training,
which is built in these inline security controls.
So to elaborate on that, what we do,
and I do this for Zscaler employees as well,
when someone is about to make a mistake,
say they clicked on a link in this phishing email,
a page pops up that says you're about to visit a destination
that is not trusted.
That is, you should not be entering your credentials.
Do not download files from this destination.
Do not post your financial information like credit card.
And the user has to click a button
to then end up on the destination page.
This by itself provides that security awareness training
the time the user is about to make the mistake
rather than doing the training after the mistake happens.
Now, look, don't get me wrong.
The awareness training offline is also important.
But having investment in this in-line control makes it very, very powerful,
enabling your end users to do the right thing.
All right, well, interesting insights as always.
Deepen Desai from Zscaler, thank you so much for joining us.
Thank you.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
CBC News brings the story to you live.
Hundreds of wildfires are burning.
Be the first to know what's going on and what that means for you and for Canada.
This situation has changed very quickly.
Helping make sense of the world when it matters most.
Stay in the know.
Download the free CBC News app or visit cbcnews.com.
Your feedback helps us ensure we're
delivering the information and insights that help keep you a step ahead in the rapidly changing world
of cybersecurity. We're privileged that N2K and podcasts like The Cyber Wire
are part of the daily intelligence routine
of many of the most influential leaders and operators
in the public and private sector,
as well as the critical security teams
supporting the Fortune 500
and many of the world's preeminent intelligence
and law enforcement agencies.
N2K Strategic Workforce Intelligence
optimizes the value of your biggest investment,
your people.
We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Irvin and senior producer Jennifer Eiben.
Our mixer is Trey Hester with original music by Elliot Peltzman.
The show was written by our editorial staff.
Our executive editor is Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Thank you.
AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare,
and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps
tailored to your role.
Data is hard.
Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.