CyberWire Daily - Ransomware and social engineering trends. Expired certificate addressed. Ransomware groups target schools. Cyber updates in the hybrid war.

Episode Date: May 11, 2023

A ransomware report highlights targeting and classification. Phishing remains a major threat. Cisco addresses an expired certificate issue. LockBit and Medusa hit school districts with ransomware. US and Canadian cyber units wrap up a hunt-forward mission in Latvia. Ben Yelin on NYPD surveillance. Our CyberWire producer Liz Irvin interviews Damien Lewke, a graduate student at MIT. And an unknown threat actor is collecting against both Russia and Ukraine. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/91

Selected reading.
GRIT Ransomware Report: April 2023 (GuidePoint Security)
DNSFilter State of Internet Security - Q1 2023 (DNSFilter)
Identify vEdge Certificate Expired on May 9th 2023 (Cisco)
The State of Ransomware Attacks in Education 2023: Trends and Solutions (Veriti)
US Cyber Command 'Hunts Forward' in Latvia (Voice of America)
US cyber team unearths malware during 'hunt-forward' mission in Latvia (C4ISRNET)
Uncovering RedStinger - Undetected APT cyber operations in Eastern Europe since 2020 (Malwarebytes)
Bad magic: new APT found in the area of Russo-Ukrainian conflict (Kaspersky)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. A ransomware report highlights targeting and classification. Phishing remains a major threat. Cisco addresses an expired certificate issue. LockBit and Medusa hit school districts with ransomware.
Starting point is 00:02:15 U.S. and Canadian cyber units wrap up a hunt-forward mission in Latvia. Ben Yelin on NYPD surveillance. Our CyberWire producer Liz Irvin interviews Damien Lewke, a graduate student at MIT, and an unknown threat actor is collecting against both Russia and Ukraine. I'm Dave Bittner with your CyberWire Intel briefing for Thursday, May 11th, 2023. The United States is number one in ransomware attacks. GuidePoint Security today released their GRIT ransomware report for April 2023. While the total number of organizations affected dropped 22% from March to April,
Starting point is 00:03:19 the U.S. maintains its place atop the leaderboard when it comes to being victimized by ransomware. The U.S. had 179 victims, whereas the runner-up, the United Kingdom, came in with a distant 18. The most widespread ransomware threats to the U.S. have been LockBit, BianLian, and ALPHV. Manufacturing was by far the most targeted industry, followed by healthcare and technology. Looking at the gangs themselves, LockBit's numbers continued to grow this month. ALPHV nearly doubled the number of its victims in the past month, and the researchers say April marked the most impactful month for BianLian, which increased its victim count from 27 in March to 45 in April. As the weather warms up, going out for a day of fishing may become more common. Cyber criminals think so too,
Starting point is 00:04:13 as phishing attacks remain at the top of the list in DNSFilter's State of Internet Security First Quarter 2023 report. The report showed a 61% increase in traffic leading to websites containing threats between October 2022 and March 2023 and named malware as the second threat behind phishing, with new domains in third. Employees should remain vigilant in vetting emails they receive by not clicking on suspicious links and checking with their IT department when they receive enticing emails or opportunities from outside organizations. Cisco released an informational post that describes how to identify a vEdge that has an expired certificate affecting control plane connections, which eventually impacts data plane connections, resulting in loss of service.
Starting point is 00:05:05 The expired certificate could result in loss of service if improperly handled or not handled fast enough. Cisco specifically tells users experiencing loss of connection to not reload their device as this could lead to a complete loss of service. Cisco writes, reloading the device causes the graceful restart timers to reset and the router will not be able to reconnect to the fabric. Keeping the router up will help ensure graceful restart does not occur, which will help to keep the data plane sessions up and traffic will be able to pass while control connections are down. However, simply not restarting your device might not be enough
Starting point is 00:05:45 to stave off loss of service, The Register explained. And bear in mind, even if you don't manually restart or update your equipment, there are timers in the devices that will, by default, start a reload that will trigger disruption as a result of the now-dead cert. Cisco has begun rolling out software updates. The company has so far released 12 software patches to various versions of the vEdge software, The Register writes. Based on the documentation, the patch likely amounts to certificate replacement. Unfortunately, it doesn't appear that the update will do much good for devices that have already been rendered inoperable by the expired certs.
Starting point is 00:06:27 Cisco recommends customers with bricked gateways contact Cisco for assistance. Cisco has also released step-by-step processes to remedy the issue and correctly install the update, along with remarks for customers who have reloaded their devices prior to reading the post. In a report released today by Veriti, it was confirmed that two school districts, the Uniondale Union Free School District in New York State and the Pinelands Schools in New Jersey, fell victim to the Medusa and LockBit gangs and saw their data posted on leak sites by the respective groups. The Medusa ransomware group has been in action since June 2021.
Starting point is 00:07:11 The gang performs double extortion attacks, or attacks that both steal and encrypt sensitive data against their targets, which have included school districts. LockBit, a pervasive ransomware threat active since 2019, also performs double extortion attacks. The volume of its attacks is expected to increase over time. The Voice of America reports that a U.S.-Canadian Hunt Forward mission in Latvia has completed its three-month engagement. Latvia has been a strong supporter of Ukraine and, as such, has come under Russian cyber attacks. The Hunt Forward team focused on threats to Latvian infrastructure. C4ISRNET quotes Baiba Kaškina, general manager of CERT.LV, as saying,
Starting point is 00:07:53 With our trusted allies, the US and Canada, we are able to deter cyber threat actors and strengthen our mutual resilience. Malwarebytes reports on a cyber espionage group it's calling RedStinger. The group has been quietly active for at least three years, and Malwarebytes identifies it with the operation Kaspersky has been tracking as Bad Magic. Malwarebytes says that RedStinger has pursued targets
Starting point is 00:08:20 on both sides of Russia's war against Ukraine and that the victimology renders attribution complex and unclear. Indeed, there is no credible attribution whatsoever, at least not yet. Malwarebytes writes that it's clear that the principal motive of the attack was surveillance and data gathering. There were many layers of protection implemented, an extensive tool set at work, and evidence of the targeting of specific entities. But RedStinger has been at it for a while and in all probability will eventually betray itself through coding or tradecraft. A lot of people will be watching.
Starting point is 00:09:09 Coming up after the break, Ben Yelin looks at NYPD surveillance. Our CyberWire producer Liz Irvin interviews Damien Lewke, a graduate student from MIT. Stay with us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. Thank you. so 27,001. They also centralize key workflows like policies, access reviews, and reporting,
Starting point is 00:10:14 and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect
Starting point is 00:11:06 your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. It seems like just yesterday we were all at the RSA conference where our producer Liz Irvin was on the show floor conducting interviews. She files this report with her conversation with Damien Lewke, a graduate student at MIT. My name is Damien Lewke. I'm currently a graduate student at MIT. Before MIT, I worked at CrowdStrike and then at Palo Alto Networks across product marketing, solutions architecture, and sales engineering. And then when I graduate, I'm going to be a product manager at Arctic Wolf. So first things first, how are you liking your RSA experience
Starting point is 00:11:56 so far? I've loved it. RSA is always kind of like a back-to-school reunion, right? Having been in the industry for about eight years, it's really cool getting a chance to connect with some old friends. But it's really interesting to see some of the new and interesting problems that people are solving. There's always kind of a buzzword of the conference. So everything from SIM to EDR to XDR to now some of the use cases around AI and machine learning, natural language processing. So it's cool. It's amazing to see how dynamic it is, especially post-pandemic, just to see the fact that, say, the conference is back to its original vibrancy
Starting point is 00:12:31 and enthusiasm and dynamism. It's amazing to be back, in short, short answer long. So how do you think this year has compared the last couple of years that you've been here, especially with COVID and everything? Have you seen much of a difference? Comparing this year to a few of the other years, in terms of the scale and number of companies out on, say, the expo floor,
Starting point is 00:12:53 it's certainly increased. I feel it gets a bit bigger and busier. Again, more people solving interesting problems. I'd say what's been interesting to see from a sessions perspective is how the focus has shifted. I think it used to be a lot of buzzwords and vendor pitches. You see a lot more sessions around public-private partnership, a lot of examples of government organizations and international government organizations collaborating with folks in industry and working together to solve big problems. So I'd say in terms of comparison, every year is unique. You know, RSA conference is kind of like a mansion. Every room is unique, but there's room for everybody. I would say in terms of vibrancy and dynamism, it's never been
Starting point is 00:13:39 better. Yeah. So you mentioned down on the floor. Have you seen anything down on the floor that's really piqued your interest in new tech or anything like that? Oh, yeah, of course. So, I mean, XDR, of course. It's interesting to see that that has gone from kind of a niche idea or a couple of vendors talking about it to something pretty ubiquitous. In terms of really interesting, I've seen some pretty fascinating stuff around SOC automation and augmentation. So folks looking at natural language processing assisting cyber defenders. Also some really cool examples of new mobile application security techniques. I mean, it's amazing. We use smart devices all the time.
Starting point is 00:14:24 I think a lot of folks think about mobile application security as MDM, but it's so much more than that. So looking at a few folks out there on the back end of the South Hall, I thought that was really fascinating. So the theme this year is stronger together for RSA. Do you think stronger together is a good theme in general? I think so. Fundamentally, cybersecurity is a team sport and we are stronger together to use an old systems engineering adage. The whole is truly greater than the sum of its parts. And, you know, there are folks in government talking about the fact that there's a technology ecosystem where folks do have a place. And cybersecurity is a somewhat Byzantine industry, right? A lot of folks solving very specific problems.
Starting point is 00:15:12 But at the same time, you know, coming together and working not just as an industry, but looking at government partnerships, looking at partnerships with academia, and synthesizing kind of those three legs of the cybersecurity stool and being stronger together, I think is great. I'd say in terms of just the vibe, I know that's not a very technical term, but the vibe here is very jovial and dynamic and people seem very open and engaging,
Starting point is 00:15:38 which is really inspiring and exciting to see. I don't want to say it's been acrimonious in the past, but I certainly would say there's just a better feeling of, I'd almost say like cautious optimism today, which is amazing to see in here. I'm sure you've heard the acronym for Chief Information Security Officer, correct? How do you pronounce that? CISO. CISO. Okay. All right. Fantastic. Although it should be CISO. CISO? CISO. CISO. Okay. CISO. I learned something today. It's a CISO. There you go. All right. Change of minds, I guess.
Starting point is 00:16:13 All right. Thank you so much for the interview. Thank you. Appreciate it. That's CyberWire producer Liz Irvin speaking with Damien Lewke. And joining me once again is Ben Yelin. He is from the University of Maryland Center for Health and Homeland Security and also my co-host on the Caveat podcast. Ben, welcome back. Good to be with you, Dave. So the NYPD, which I guess is probably our nation's largest police department. I believe so.
Starting point is 00:16:55 I would imagine so, yeah. They recently had a little event where they were highlighting some of the new initiatives that they have. And one of them caught my eye. They have the ability to, they have a gun, Ben. They have a gun that they can launch a sticky GPS tracker at your car. Does this feel like a James Bond tool here? MacGyver or maybe just Austin Powers? I was going to say Inspector Gadget, but those are fine. But the utility of this is that it is supposed to cut down on high-speed
Starting point is 00:17:35 pursuits, which I think is a good thing. I know lots of police forces have been trying to dial that down because they're potentially dangerous to everyone involved, but more importantly than that, pedestrians or innocent bystanders. They also came out and said that they would love people in areas of the city where they're having trouble with vehicle thefts to purchase themselves an Apple AirPod tracker and put that in their vehicle. In fact, the NYPD is giving away 500 of these so that it's easier for folks to track their vehicles if they have been stolen. What do we think of all these initiatives, Ben? Are there any problems here? There are some problems. I think, you know, we should acknowledge that the New York Police Department has a very difficult job. There has been
Starting point is 00:18:26 an uptick in crime over the past several years, although I know crime has, actually violent crime has gone down for one or two consecutive years. But there are certainly some serious problems to solve. High-speed car chases are extremely dangerous to those involved, to law enforcement, and to pedestrians.
Starting point is 00:18:42 So to the extent that you can cut down on those high-speed chases by using this gun that shoots out a GPS device that attaches to a car, I think that would be a valuable tool for the NYPD to use. I don't see any major constitutional problems with this type of tactic,
Starting point is 00:19:04 largely because if you reasonably believe that somebody is going to be involved in a car chase, that they're not responding to the siren or the police lights that they're not going to pull over, then that's a pretty good probable cause for you to deploy this tool. Granted, it's extrajudicial. It's not like you're calling up the magistrate judge and saying, hey, can I fire this gun at a moving vehicle? But I do think it could be a useful tool as long as it's not abused. Of course, there's always the potential to abuse it. We've seen that happen with some of these surveillance tools in the past. I've met more of a problem with urging people and suggesting that people put Apple AirTags inside their vehicles.
Starting point is 00:19:49 This sounds like a good idea. I mean, it's sort of like how police departments have been encouraging people to use Amazon Ring devices on their homes and have been giving them out at various events. But those AirTags could be used against people and could certainly violate those people's civil liberties in a number of circumstances. So if the New York Police Department is keeping a record of which vehicles have AirTags, let's say you're suspected of some type of petty crime, nonviolent crime, law enforcement already has the ability to track you down. What if you're just delinquent on parking tickets? What if the New York City Police Department has an interest in your political activities or your religious activities? Once they've encouraged you to install that AirTag, that subjects you to a novel form of surveillance, real-time vehicle tracking, which I think can be problematic. Now, it is voluntary,
Starting point is 00:20:44 but I think people should know that if they're going to be involved in this crime-fighting effort, that they're potentially creating a risk for themselves by putting such a device in their vehicle. I think there's obviously justification for cutting down on these high-speed chases to make it easier for police to recover stolen vehicles, but there's certainly, all this doesn't come without risk. Yeah. Would the police have to or have the opportunity to go to Apple, say, for some of this tracking data if they needed it or wanted it?
Starting point is 00:21:17 So yes, they definitely have the opportunity to do it. Apple might be one of the few companies that might fight back against this type of request, given that Apple prides itself on digital privacy. Yeah. You'd really have a hard time suppressing this type of evidence in court because a person, at least theoretically, would have installed the device in their own vehicles. So certainly you lose that expectation of privacy in your movement.
Starting point is 00:21:44 And I think Apple, even if it resisted a response to a subpoena, they can't really do anything if the government ends up getting a warrant for it, and I think it would be pretty easy to obtain a warrant in the right circumstances. So I don't think that's going to be a major help to individuals. It is advantageous for privacy that it's Apple, since they're one of the few companies that fights these requests regularly. But I don't think it's going to be the type of situation where Apple saves you from this type of law enforcement surveillance.
Starting point is 00:22:18 Interesting. Yeah. I kept wondering if some clever entrepreneur is going to come out with some special kind of car wax that is extra slippery. I mean, they already have robot dogs. So we're talking about a department that, I mean, it's almost comedic at this point. The New York City Police Department has every conceivable surveillance tool. Many of them, there have been documented cases of abuse.
Starting point is 00:22:42 So, you know, I, proper oversight of this department is certainly in order. Oh, they're embracing technology. Yeah, we'll put it that way. That's what they say in their press conferences. Right, right. All right, well, it's interesting stuff to keep an eye on for sure. As always, Ben Yelin, thanks so much for joining us. Thank you. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide.
Starting point is 00:23:27 ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com.
Starting point is 00:24:14 Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence
Starting point is 00:24:38 and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester with original music by Elliott Peltzman. The show was written by John Petrik.
Starting point is 00:25:03 Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
