CyberWire Daily - Protecting American data.
Episode Date: February 28, 2024

President Biden is set to sign an executive order restricting overseas sharing by data brokers. US Federal agencies warn of exploited Ubiquiti EdgeRouters. A new ransomware operator claims to have hacked Epic Games. A cross-site scripting issue leaves millions of Wordpress sites vulnerable. The Rhysida ransomware group posts a multi-million dollar ransom demand on a Children’s Hospital in Chicago. Mandiant tracks Chinese threat actors targeting Ivanti VPNs. The former head of DHS weighs in on a federal cyber insurance backstop. Domain Registrars offer bulk name blocking for brands. Our guest, Magpie Graham, Principal Adversary Hunter Technical Director at Dragos, reviews the key findings of Dragos’ Cybersecurity Year in Review report. Cameo celebrities are taken out of context for political gains.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

Guest Magpie Graham, Principal Adversary Hunter Technical Director at Dragos, reviews the key findings of Dragos’ Cybersecurity Year in Review report. You can download a copy of the report here. To hear the full interview with Magpie, check out Control Loop.
Selected Reading

- Biden Executive Order Targets Bulk Data Transfers to China (GovInfo Security)
- FBI Alert: Russian Hackers Target Ubiquiti Routers for Data, Botnet Creation (HACKREAD)
- Fortnite game developer Epic Games allegedly hacked (Cyber Daily)
- LiteSpeed Cache Plugin XSS Flaw Exposes 4M+ Million Sites to Attack (Cyber Security News)
- Ransomware gang seeks $3.4 million after attacking children’s hospital (The Record)
- Chinese Cyberspies Use New Malware in Ivanti VPN Attacks (SecurityWeek)
- A Cyber Insurance Backstop (Schneier on Security)
- Cyberwar Podcast with Kate and Alex - Special Guest Michael Chertoff
- Registrars can now block all domains that resemble brand names (BleepingComputer)
- Cameo is being used for political propaganda — by tricking the stars involved (NPR)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today, get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout.
President Biden is set to sign an executive order restricting overseas sharing by data brokers.
U.S. federal agencies warn of exploited Ubiquiti edge routers.
A new ransomware operator claims to have hacked Epic Games.
A cross-site scripting issue leaves millions of WordPress sites vulnerable.
The Rhysida ransomware group posts a multi-million dollar ransom demand on a children's hospital in Chicago.
Mandiant tracks Chinese threat actors targeting Ivanti VPNs.
The former head of DHS weighs in on a federal cyber insurance backstop.
Domain registrars offer bulk name blocking for brands.
Our guest is Magpie Graham, principal adversary hunter and technical director at Dragos,
reviewing the key findings of Dragos' Cybersecurity Year in Review report.
And cameo celebrities are taken out of context for political gains.
It's Wednesday, February 28th, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing.
So President Joe Biden is set to sign an executive order to prevent the mass transfer of sensitive
personal data of Americans to countries like China, Russia, and Iran. Targeting data brokers,
the order mandates the Department of Justice to start a rulemaking process to restrict the
bulk sharing of data, including genomic, biometric, health, geolocation,
financial data, and personally identifiable information. Aimed at addressing national
security risks, the initiative emphasizes collaboration with industry stakeholders
to ensure the implementability of these rules while safeguarding national security interests.
The process, expected to extend over months or years,
will prohibit specific data broker transactions
and establish restricted data transaction categories
to protect critical security components.
Additionally, it directs key departments to review federal grants and contracts
to prevent sensitive health data from being transferred to the banned countries.
This order focuses on the transfer of data overseas without imposing new domestic data
handling standards. Previous administrations have highlighted concerns over foreign adversaries,
particularly China, acquiring Americans' data through hacking or commercial transactions, with potential uses ranging from identifying intelligence agents to training AI models.
The FBI, NSA, U.S. Cyber Command, and international partners have issued a cybersecurity advisory
warning about Russian state-sponsored actors exploiting Ubiquiti EdgeRouters for cyber attacks.
These actors, identified as APT28 or Fancy Bear, have targeted various sectors across
multiple countries since 2022, using compromised routers for operations like credential theft
and establishing malicious landing pages. They've exploited vulnerabilities,
including a patched zero-day,
to install tools enabling further attacks. The FBI has discovered indicators of compromise
and recommends remediating affected routers through hardware resets, firmware updates,
and enhanced security measures. Network owners are advised to update systems and
Outlook to protect against specific vulnerabilities exploited by these actors.
A report out of Australia says the Mogilevich gang,
a new player in the ransomware arena,
claims to have hacked Epic Games,
the studio famous for Fortnite, Unreal Tournament, and Gears of War.
Mogilevich alleges possession of 189 gigabytes of
data, including emails, passwords, payment information, and source code. The data is
advertised for sale on their Darknet site, with a hyperlink directing potential buyers to a contact
page. Despite setting a deadline for March 4th for Epic Games to respond or for someone to buy
the data, Mogilevich has not disclosed a ransom amount or provided evidence of the hack.
A critical stored cross-site scripting vulnerability has been found in the LiteSpeed
cache plugin for WordPress, affecting over 4 million WordPress sites. This flaw could let attackers
execute malicious scripts by failing to sanitize user input. The vulnerability puts unpatched sites
at risk of data theft and unauthorized access. Users are urged to update to version 5.7.0.1
or later for protection.
A ransomware attack by the Rhysida group on Chicago's Lurie Children's Hospital
has led to a $3.4 million ransom demand.
Lurie Children's Hospital is a major pediatric center in the Midwest.
The facility remains operational but has experienced disruptions,
including canceled appointments and surgeries.
The hospital is actively working on system recovery and advises patients to bring printed insurance cards and medication lists to appointments.
The Rhysida group, known for targeting healthcare institutions,
has listed the stolen data for sale for 60 Bitcoin.
The U.S. Department of Health and Human Services has previously issued
warnings about Rhysida's increasing focus on the healthcare sector.
Chinese cyber espionage group UNC5325 has exploited vulnerabilities in Ivanti Connect Secure VPN to deploy new malware for
persistence despite patches. These attacks, following initial zero-day exploits reported by Volexity,
involve sophisticated malware like LittleLamb.WoolTea and PitStop,
aimed at U.S. and Asia-Pacific region targets in defense, technology, and telecom.
Mandiant's analysis reveals UNC5325's deep understanding of Ivanti appliances,
using malware and modified tools to evade detection and persist through updates.
Despite their sophistication, Mandiant says the group's attempt to persist through a factory reset
failed due to encryption key changes.
This activity underscores the ongoing threat from Chinese actors
leveraging zero-day vulnerabilities against critical infrastructure.
In the wake of the devastating NotPetya cyberattack in 2017,
pharmaceutical giant Merck found itself in a protracted legal battle
over a $700 million insurance claim.
This case spotlighted a growing concern in the digital age.
Who bears the financial responsibility for massive state-sponsored cyber attacks?
Insurers contested Merck's claim,
arguing that the attack attributed to the Russian government
was a hostile or warlike act,
excluding it from standard property and casualty coverage.
This dispute underscored a critical gap in the cybersecurity insurance market,
the difficulty in covering losses from cyberattacks that have the scale and impact of military actions.
In a recent appearance on the Cyber War podcast,
former Department of Homeland Security Secretary Michael Chertoff proposed a
solution akin to the Terrorism Risk Insurance Act of 2002, which was created in response to the 9/11
attacks and provided a federal backstop for insurance claims related to terrorism. Chertoff's
suggestion was for the federal government to serve as a financial backstop for insurers in the event of catastrophic cyberattacks,
offering a layer of security to both insurers and policyholders against the unpredictable and potentially immense costs of such incidents.
The debate over a federal backstop highlights the need for clear criteria and definitions for what constitutes a cyber attack warranting government support.
This includes considerations around the attack's perpetrator,
motives, and the extent of damage caused.
The complexity of attributing cyber attacks to specific actors
and understanding their impacts complicates the establishment of such a framework.
Moreover, the proposal raises questions about moral hazard,
where companies might underinvest in cybersecurity measures
if they expect government bailouts for significant attacks.
This concern underscores the importance of tying any federal support
to stringent cybersecurity standards,
ensuring that only those who take reasonable precautions
to secure their networks can qualify for assistance.
Domain name registrars are now offering a service called
GlobalBlock, which enables businesses to block registration of domain names infringing on their
brand, including homoglyphs and variations. This service provides subscription-based protection
against domain squatting and phishing attacks.
For instance, it can prevent the registration of domains
that misuse or mimic brand names,
addressing issues like typosquatting and homograph attacks.
While the service could streamline brand protection
and reduce the need for manual domain registration,
it does raise concerns about free speech and domain hoarding. Critics, including the EFF, argue that such
automated blocking might suppress legitimate expression and discussion about brands, as domains
themselves can be a form of speech. The debate centers on finding a balance between protecting trademarks
and ensuring freedom of expression online.
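The lookalike-domain problem in the GlobalBlock story (homoglyphs, typosquats, and brand names embedded in longer phishing-style names) can also be checked from the defender's side by scanning a feed of new registrations. The Python below is an added example written for this page; it is not code from GlobalBlock, any registrar, or the CyberWire. The brand name, the confusables subset, and the list of "newly registered domains" are all constructed placeholders.

```python
import unicodedata

# Brand being protected (constructed for this example).
BRAND = "examplebank"

# Single characters commonly used as look-alikes. Illustrative subset only
# (assumption); a production tool would load the full Unicode confusables table.
CONFUSABLE_CHARS = {
    "\u0430": "a",  # Cyrillic а
    "\u0435": "e",  # Cyrillic е
    "\u043e": "o",  # Cyrillic о
    "\u0440": "p",  # Cyrillic р
    "\u0441": "c",  # Cyrillic с
    "\u0131": "i",  # dotless ı
    "0": "o",
    "1": "l",
    "3": "e",
    "5": "s",
}
# Two-character sequences that render like one letter in many fonts.
CONFUSABLE_PAIRS = {"rn": "m", "vv": "w"}


def registrable_label(domain):
    """Leftmost label of the domain, with punycode (xn--) decoded to Unicode.
    Assumes single-label names directly under a TLD, as in the sample feed."""
    label = domain.strip().lower().rstrip(".").split(".")[0]
    if label.startswith("xn--"):
        label = label.encode("ascii").decode("idna")
    return label


def skeleton(label):
    """Fold a label to the ASCII string a human would read it as."""
    text = unicodedata.normalize("NFKC", label).lower()
    text = "".join(CONFUSABLE_CHARS.get(ch, ch) for ch in text)
    for pair, single in CONFUSABLE_PAIRS.items():
        text = text.replace(pair, single)
    return text


def levenshtein(a, b):
    """Edit distance via the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain, brand=BRAND, max_distance=2):
    """Return how the domain resembles the brand, or None if it does not."""
    label = registrable_label(domain)
    folded = skeleton(label)
    if label == brand:
        return "exact"            # the brand's own registration
    if folded == brand:
        return "homoglyph"        # reads as the brand, spelled with look-alikes
    if brand in folded:
        return "brand-embedded"   # brand used inside a longer name
    if levenshtein(folded, brand) <= max_distance:
        return "typosquat"        # a keystroke or two away from the brand
    return None


def scan_registrations(domains, brand=BRAND):
    """Domains worth a brand-protection review, each with the reason."""
    hits = []
    for d in domains:
        verdict = classify_domain(d, brand)
        if verdict not in (None, "exact"):
            hits.append((d, verdict))
    return hits


# Constructed "newly registered domains" feed; none of these are real registrations.
NEW_REGISTRATIONS = [
    "examplebank.com",
    "ex\u0430mplebank.com",      # Cyrillic а
    "exarnplebank.com",          # rn for m
    "examp1ebank.com",           # digit 1 for l
    "examplebnak.com",           # transposition
    "examplebank-login.com",     # brand embedded in a phishing-style name
    "exampleshop.com",           # unrelated
    "secure-bank.com",           # generic, not close enough
]

if __name__ == "__main__":
    for domain, verdict in scan_registrations(NEW_REGISTRATIONS):
        print(f"{verdict:15s} {domain}")
```

The three verdicts line up with the cases the story names: "homoglyph" is the homograph attack, "typosquat" the keystroke-distance case, and "brand-embedded" the longer name that wraps a trademark. The edit-distance threshold of 2 catches transpositions but also widens the net for short brand names, so a real deployment would tune it per brand.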
Coming up after the break, my conversation with Magpie Graham, Principal Adversary Hunter
and Technical Director at Dragos. We're reviewing the key findings of Dragos' Cybersecurity Year in Review report.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings
automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Magpie Graham is Principal Adversary Hunter and Technical Director at Dragos,
and I recently had a conversation with him over on the Control Loop podcast
about Dragos' Cybersecurity Year in Review report.
Here's part of our conversation.
So this is something that we've been doing for, well, pretty much every year that Dragos has been around.
It's an opportunity really to be able to kind of summarize what we've seen over the last 12 months,
bring additional context to maybe some of the blog posts
that we've put out during that time
and share other insights that have maybe been in our private reporting,
but really is a great channel to be able to talk about
the things we've seen through service engagements
and talk a little bit about maybe where we're going
as OT security or cybersecurity in terms of maturity.
It's not new OT, but security in OT, cybersecurity in particular,
I think is something that's still very much a nascent thing for many organizations.
And this is a great way for us to be able to reinforce the messages
of what does need to be done, but also highlight success stories as well.
Well, let's dig into some of the details here because there is a lot to
cover. One of the things that caught my eye was this notion of assessing your external
infrastructure and the importance of that. Can you flesh that out for us?
Yeah, so I think one of the things where we've seen a lot of change, it's partially due to the pandemic, but I think it
comes from the moving
forward to kind of that digital transformation, which happened with OT and IT a long time
ago, but continues today, particularly with more cloud-connected devices, vendors baking
in that ability to manage things more remotely through their own service offerings, but also
the use of the kind of IoT devices there, particularly for
monitoring, but not necessarily exclusively one way in terms of their communications,
that provide that route into the OT environment. It used to be that you probably had to connect
to your IT network and pivot through to manage the OT assets, if that was even possible.
Certainly with folk working from home during the pandemic,
we saw a rise of more remote administration of those OT networks and in many cases, directly connecting to them.
Now, the controlling infrastructure, I guess,
the VPNs and firewalls that are there,
often badge differently,
but usually the same types of device that we see in the enterprise IT world.
And that's something where we saw a huge rise in the development of exploits for vulnerabilities in these devices
and then the subsequent exploitation of those kind of en masse.
So it does pose a larger risk to be able to directly get into that environment now more so than ever before.
And so that's why really being able to kind of take those hard-learned lessons from the enterprise IT side, penetration testing, good patching policy,
checking that those rules are really on the firewall,
deleting users that perhaps are no longer with the organization,
and also just maintaining that separation,
not necessarily from a network perspective,
but things like credentials.
Do you have the same credentials being used
in those two environments?
Maybe that's something you can change.
Additional layers of authentication
that perhaps weren't originally thought to be required
when accessing the OT environment internally,
but now that the external route is the way forward,
then that's something that, you know, maybe needs to be considered as well.
Well, you mentioned separation, and that reminds me of segmentation. That's something that the report highlights as well.
Yeah, I think one of the things that we, you know, stress quite frequently really is the SANS five critical controls,
and this is a great sort of way to really take stock of where you can make big impacts in the security of your network. And that
does include things like secure remote access, as we've just discussed, but that whole notion of
defensible architecture. Admittedly, a lot of OT environments have been around a long time;
to change those is, you know, difficult. But for any kind of new development or
where there is that opportunity to re-architect, thinking about different zones, the ability to
have those kind of different layers of security built into the different logical layers of where
the devices are, the notion of the zones and conduits to allow access to only certain devices
from certain areas of that network.
They can all be really, really useful tools
in terms of creating a more difficult environment
for an adversary to operate in.
And alongside that, I think the monitoring piece
is probably the piece that we're best known for,
but also the piece that is just not as developed
in OT SAP security as it needs to be.
I think we estimate less than 5% of OT networks are actually monitored globally.
You could never imagine that that would be the statistics for an enterprise IT network
that 5% is the only number or the only proportion
that would have any form of monitoring appliances within it.
So I think that's something that really needs to change.
One of the things that your report highlights
is the importance of monitoring outbound communications.
Can you go through that for us?
What are some of the details here?
I think one of the things that always surprises me,
even though I've been at Dragos for over two years now,
is the fact that there are external connections
from the ICS environment.
Most people that seem to, you know,
have worked in that area for a long time,
and I'm not necessarily talking, you know,
OT, SAP security,
those professionals are still quite,
you know, few in number.
But I'm talking about the folk
who are operating those devices day to day,
responsible for the, you know, the configuration and the correct running of those systems.
There is, I think, a misconception that there are air gaps or better segregation than there is,
and that there aren't those abilities or opportunities for external communications to leave that environment.
And that's not really true. We still see not just the ability for PLCs and historians and all manner of ICS equipment to be able to talk
out to the internet, generally, not even just via a channel to maybe the vendor that created the
device. But in about 20% of those engagements that we've had, we actually see directly externally facing ICS equipment.
So that's the HMI is directly addressable on the internet.
And this is something that I think we've seen,
you know, is kind of low hanging fruit
when you think about it from an attacker's perspective,
particularly with kind of hacktivist activity.
We've seen most recently, I guess,
the CyberAv3ngers compromising a number of devices,
you know, in support of obviously a cause that they stand behind.
But I think the impact was obviously far outside the Middle East in terms of the regions that were targeted.
And this does in some ways link to, I guess,
where those devices are in the world.
But particularly, I think, the ability to scan for a common host
that you have a working exploit against
or some vulnerability that you know you can exploit,
even if it is a baked-in password.
This has a huge impact when it comes to being able to push that message
to be able to show that maybe not everything is safe as you might think.
So in this case, it was the Unitronics Vision PLCs,
but our investigation showed that other UniStream series PLCs
were vulnerable as well.
And that's not just that one particular vendor.
I think this is something that is occasionally discovered,
but is more and more on the focus of that kind of research
that threat actors are doing.
And I think it's just something where actually
it can have that global impact.
It can hit the news cycle.
And particularly in the terms of,
or in the, I guess, the support of hacktivism,
when there's more of a message and ideology perhaps to push,
this is a great way to be able to do it,
as we probably saw with website defacements
in the 90s and early 2000s.
I think this is now, you feel like perhaps they're able to strike
at something a little bit more sensitive.
And here, we didn't see them necessarily go for a disruptive attack
or a destructive attack, but we would regard that as stage two.
Nevertheless, they're in the OT environment.
They have the capability to operate there.
So I think this is one of the cases where if you're conducting that kind of external
testing, you might be able to find those weaknesses.
But it is also thinking about the placement of those devices.
Sometimes it's better in terms of, I guess, usability, particularly with remote
connectivity. And a lot of sites don't necessarily have human staff working there. It might be that
someone visits every six months or 12 months. But that's where you need to focus your efforts in
terms of doing that additional monitoring, that additional locking down of those assets,
because it could be the weak link in the chain.
For the folks out there who are working day to day, those practitioners who are tasked with
protecting the organization and also getting the support from their leadership, what are the
take-homes from this report? What are the tips and words of wisdom for them?
Well, we chatted a little bit there about ransomware, and I think although this can feel like a problem that plagues networks day in, day out, in terms of the focus on industrial organizations and those that have the potential to impact OT networks, we did see that a quarter of those attacks all came from LockBit.
So in terms of kind of putting the focus into particular areas, I would say if you can protect your network from the TTPs of the LockBit group,
then you've already reduced the potential for, you know, that attack to affect your OT network
considerably. Then looking at the kind of next levels down, we've got BlackCat, or ALPHV, and
Black Basta, each accounting for a 9% themselves. So those top three groups already mean that you,
you know, you're fairly well protected from ransomware attacks if you can just, you know,
essentially run through those TTPs, use the MITRE ATT&CK framework, ensure that you have safeguards
in place for the way that they might operate.
One other thing that I think really is, you know,
is something that we don't necessarily see very often in the more IT-centric threat intelligence reporting,
but it's certainly something that Dragos has, you know,
really strives to try and, I guess,
correct and put out there with our customers
is the notion of vulnerabilities and what you can
do in terms of patching and how you can prioritize that patching or mitigation. So the statistics are
all there in the year in review, but I think we're seeing a continued trend that the bulletins that
are released by vendors are full of incorrect information. So this tends to be the prioritization methodology.
Is this high severity or is it low severity?
We often find that those are completely wrong.
We do find that there's missing versions
that are also vulnerable to something.
And this is something where we break down every bulletin
that comes out as well as doing our own research
to find these vulnerabilities,
but also release information that says,
well, this is maybe how you can mitigate if patching is something that you just can't do,
which is very much the case for OT networks,
not necessarily so difficult in an IT network.
But I think when you look at the prioritization process as well, we have a now, next, never methodology.
And only 3 percent of those vulnerabilities
in the last 12 months would we say that you need to, you know, you need to put a mitigation
or a patch in place right now. Those are the ones that are likely being exploited in the wild,
or they're so severe that the loss of visibility or the loss of control, you know, could have serious
effects that could lead to dangerous conditions within a plant.
68% of those, they can wait until their next patch cycle.
When you take that kit out of circulation
and you're doing the other maintenance on it,
that's the time when it would be reasonable
to make those changes, whether it's a patch
or another form of mitigation.
But almost a third, they're probably never going to be exploited.
They're so deep within the environment that it would be very difficult for an adversary to
use them in a real world context. Or they pose no threat at all. Yes, it's a vulnerability,
but to exploit it doesn't buy that threat actor anything. And I think that's something really
where you can help sort through what might seem an insurmountable problem
by having a way to prioritize exactly where you put your resources and your time,
because it's not a trivial process to go and apply these changes to your environment.
So this is a real great way of making you feel like you can, you know,
tick some boxes and feel like you've made a real impact in the security of your network.
That's Magpie Graham from Dragos.
You can hear the rest of our conversation on the Control Loop podcast.
You can find that on our website or wherever you find your podcasts.
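Magpie Graham's point about external connections leaving the ICS environment, and about HMIs being directly reachable from the internet, is something a defender can test for with nothing more than flow records from the OT boundary. The Python below is an added example written for this page, not Dragos code or anything from the Year in Review report. The OT zone, the approved vendor endpoint, and the flow lines are all constructed; the RFC 5737 documentation ranges stand in for arbitrary internet hosts, which is why "external" is tested as "not RFC 1918/loopback/link-local" rather than with ipaddress.is_global.

```python
import ipaddress
import re
from collections import Counter

# Constructed addressing plan for this example (assumption; substitute your own zones).
OT_ZONES = [ipaddress.ip_network("10.50.0.0/16")]          # PLCs, HMIs, historians
# Address space that is never "the internet": RFC 1918, loopback, link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]
# The one external endpoint the site has approved (constructed placeholder for a
# vendor remote-support service). Anything else leaving the OT zone is a finding.
APPROVED_EGRESS = {ipaddress.ip_address("198.51.100.10")}

FLOW_RE = re.compile(
    r"(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+"
    r"proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)\s+bytes=(?P<bytes>\d+)"
)


def parse_flow(line):
    """Parse one flow record; return None for lines that do not match the format."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["src"] = ipaddress.ip_address(rec["src"])
        rec["dst"] = ipaddress.ip_address(rec["dst"])
    except ValueError:
        return None
    rec["dport"] = int(rec["dport"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def in_ot_zone(addr):
    return any(addr in net for net in OT_ZONES)


def is_external(addr):
    # Explicit test rather than ipaddress.is_global: the documentation ranges used
    # as stand-in public addresses below are not "global" as far as Python knows.
    return not any(addr in net for net in INTERNAL_NETS)


def classify_flow(rec):
    src, dst = rec["src"], rec["dst"]
    if in_ot_zone(src) and is_external(dst):
        return "approved-vendor-egress" if dst in APPROVED_EGRESS else "unexpected-ot-egress"
    if is_external(src) and in_ot_zone(dst):
        return "internet-to-ot-inbound"     # an OT asset directly reachable from outside
    return None


def review_flows(lines):
    """Return (timestamp, src, dst, dport, verdict) for every flow that needs attention."""
    findings = []
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        verdict = classify_flow(rec)
        if verdict and verdict != "approved-vendor-egress":
            findings.append((rec["ts"], str(rec["src"]), str(rec["dst"]), rec["dport"], verdict))
    return findings


def summarize(findings):
    """Count findings by verdict, the number a site would track engagement to engagement."""
    return dict(Counter(f[4] for f in findings))


# Constructed flow records (not real traffic). 10.50.x.x is the OT zone, 10.20.x.x is
# enterprise IT, and 203.0.113.x / 192.0.2.x stand in for arbitrary internet hosts.
SAMPLE_FLOWS = [
    "2024-02-28T10:00:00Z src=10.50.1.21 dst=10.50.2.5 proto=tcp dport=502 bytes=640",       # HMI -> historian, Modbus, normal
    "2024-02-28T10:00:05Z src=10.50.1.21 dst=198.51.100.10 proto=tcp dport=443 bytes=9100",  # approved vendor support channel
    "2024-02-28T10:00:09Z src=10.50.3.40 dst=203.0.113.7 proto=tcp dport=443 bytes=2200",    # PLC talking to an unknown internet host
    "2024-02-28T10:00:12Z src=192.0.2.55 dst=10.50.1.21 proto=tcp dport=80 bytes=310",       # internet host reaching the HMI directly
    "2024-02-28T10:00:15Z src=10.20.4.8 dst=203.0.113.9 proto=tcp dport=443 bytes=5000",     # IT workstation egress, out of scope here
    "garbage line the collector emitted",                                                   # malformed, skipped
    "2024-02-28T10:00:20Z src=10.50.3.40 dst=203.0.113.53 proto=udp dport=53 bytes=80",      # PLC using a public DNS resolver
]

if __name__ == "__main__":
    for finding in review_flows(SAMPLE_FLOWS):
        print(*finding)
    print(summarize(review_flows(SAMPLE_FLOWS)))
```

The two verdicts the script raises map onto the two situations described in the interview: OT equipment talking out to the internet other than through the channel the site has sanctioned, and an internet source reaching an OT address directly, which is the "HMI directly addressable on the internet" case. Both are worth alerting on even when the traffic is small, because the finding is the reachability itself, not the volume.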
Thank you.
by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications,
securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach
can keep your company safe and compliant.
Breaking news happens anywhere, anytime.
Police have warned the protesters repeatedly, get back.
CBC News brings the story to you live.
Hundreds of wildfires are burning.
Be the first to know what's going on and what that means for you and for Canada.
This situation has changed very quickly.
Helping make sense of the world when it matters most.
Stay in the know.
Download the free CBC News app or visit cbcnews.ca.
And finally, our B-list celebrity desk tells us of a strange but ultimately predictable case of online misinformation. A TikTok video using paid cameo messages from celebrities like Dolph Lundgren and Lindsay Lohan
falsely claimed Hollywood stars supported overthrowing Moldova's pro-European
president, Maia Sandu. The celebrities, unaware of the video's political motive,
were tricked into participating, believing they were offering personal messages.
Cameo is a platform where ordinary folks can pay celebrities to record short greetings and
messages for family members and loved ones,
wishing them a happy birthday or congratulating them on a promotion or an anniversary.
Cameo, of course, condemns misuse and faces serious challenges in preventing its platform
from being exploited for deceptive purposes. Of course, clever editing of video clips to
achieve a specific outcome is nothing new.
Way back in season five of The Simpsons,
Smithers accidentally shared with Lisa Simpson a clip he had hastily assembled of Mr. Burns.
Hello, Smithers. You're quite good at turning me on.
Um, you probably should ignore that.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com. We're privileged that N2K and podcasts like the Cyber Wire are part of the daily intelligence routine of many of the most
influential leaders and operators in the public and private sector, as well as the critical
security teams supporting the Fortune 500 and many of the world's preeminent intelligence and
law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people.
We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester with original music by Elliot Peltzman.
Our executive producers are Jennifer Iben and Brandon Karp.
Our executive editor is Peter Kilby, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.