CyberWire Daily - Ransomware as a public health crisis.
Episode Date: November 12, 2024

At the U.N. Anne Neuberger frames ransomware as a growing public health crisis. Amazon confirms a MOVEit-related data breach. SAP provides patches and mitigations for a variety of flaws. Researchers identify North Korean hackers embedding malware in macOS applications. Form I-9 Compliance reports a data breach impacting over 193,000 individuals. Hot Topic confirms a breach affecting over 54 million customers. Halliburton reports a $35 million ransomware event. Ymir ransomware follows in the footsteps of RustyStealer. Threat actors prepare for a second Trump presidency. A Venezuelan man gets 25 years for romance scam kidnappings. Our guest is Tim Starks from CyberScoop sharing what he's hearing from Washington insiders as they prepare for the next Trump administration. The Secret Service wonders if warrants are really required.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Our guest is Tim Starks from CyberScoop sharing what he's hearing from Washington insiders as they prepare for the next Trump administration.
Selected Reading
White House Slams Russia Over Ransomware's Healthcare Hits (BankInfo Security)
Amazon employee data stolen by hacker, company confirms (Silicon Republic)
SAP Patches High-Severity Vulnerability in Web Dispatcher (SecurityWeek)
North Korean-linked hackers were caught experimenting with new macOS malware (CyberScoop)
Form I-9 Compliance Data Breach Impacts Over 190,000 People (SecurityWeek)
Hot Topic Data Breach: A Massive Leak Exposes Millions of Customer Records (SOCRadar)
Energy Giant Halliburton Reveals $35m Ransomware Loss (Infosecurity Magazine)
New Ymir ransomware partners with RustyStealer in attacks (Bleeping Computer)
How Global Threat Actors May Respond to a Second Trump Term (GovInfo Security)
Man Gets 25 Years for Online Dating Hostage Scams Targeting Americans (Hackread)
'FYI. A Warrant Isn't Needed': Secret Service Says You Agreed To Be Tracked With Location Data (404 Media)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to joindeleteme.com slash N2K and enter code N2K at checkout. That's joindeleteme.com slash N2K, code N2K.
At the UN, Anne Neuberger frames ransomware as a growing public health crisis.
Amazon confirms a MOVEit-related data breach.
SAP provides patches and mitigations for a variety of flaws.
Researchers identify North Korean hackers embedding malware in macOS applications.
Hot Topic confirms a data breach affecting over 54 million customers.
Halliburton reports a $35 million ransomware event.
Ymir ransomware follows in the footsteps of RustyStealer.
A Venezuelan man gets 25 years for romance scam kidnappings.
Our guest is Tim Starks from CyberScoop, sharing what he's hearing from Washington insiders as they prepare for the next Trump
administration. And the Secret Service wonders if warrants are really required.
It's Tuesday, November 12th, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Thank you for joining us here today. It is great to have you with us.
Ransomware is emerging as a public health crisis, not just a cybersecurity issue, according to a Biden administration official's remarks at the United Nations Security Council. Anne Neuberger, Deputy National Security Advisor, highlighted the increasing danger ransomware poses, especially to healthcare systems, and called out Russia for allegedly sheltering cybercriminals behind ransomware attacks. In a joint statement, 54 UN member states urged collective action to bolster cybersecurity and protect critical infrastructure, particularly in healthcare and emergency services. Neuberger pointed to major attacks by ransomware groups like BlackCat and LockBit, which accounted for over 30% of global healthcare ransomware incidents in recent years, including attacks on hospitals in Croatia and France. The FBI recorded 249 ransomware attacks on U.S. healthcare in 2023 alone, severely disrupting patient care and delaying medical procedures. The U.S. has responded with a multi-pronged strategy: strengthening American cyber defenses, treating ransomware as a national security threat, and using diplomacy to disrupt safe havens for cybercriminals. The Counter Ransomware Initiative, involving dozens of nations, has made headway, with 41 countries pledging not to pay ransoms. However, Russian President Vladimir Putin's regime allegedly uses ransomware groups as deniable assets, allowing attacks as long as they avoid Russian interests. As the international community steps up efforts, the uncertain future of U.S. leadership in combating ransomware may impact the global fight against this escalating cybercrime.

Amazon confirmed a data breach exposing employee names, work contact information, and office locations, which appeared on a crime forum. The source of the breach was identified as MOVEit, the cloud data management tool, through a vendor managing Amazon's property data. Amazon stated its own systems are secure and emphasized that no sensitive employee data, such as Social Security numbers or financial information, was exposed. The vendor has reportedly resolved the vulnerability, tied to an older zero-day in MOVEit Transfer software.
SAP released eight new and two updated security notes in its November 2024 updates, with a high-priority focus on a cross-site scripting vulnerability in Web Dispatcher, scoring 8.8 in severity. This flaw, exploitable by unauthenticated attackers, could allow full system compromise through cross-site scripting and SSRF attacks. SAP advises users to update or mitigate by disabling the admin UI. Another high-priority update addresses an issue in Product Design Cost Estimating, preventing unauthorized data access. SAP urges immediate patching to protect systems.
Researchers at Jamf have identified North Korean hackers embedding malware in macOS applications developed using an open-source SDK,
particularly targeting cryptocurrency sectors.
This malware, discovered on VirusTotal, was initially undetected due to heavy code obfuscation,
especially in apps built with Google's Flutter framework.
Jamf found three malware versions written in Golang, Python, and Flutter
with techniques and infrastructure closely resembling North Korea's Lazarus Group.
The malware exploited Apple's notarization process, bypassing security checks, and was
hidden within a cloned version of the Minesweeper game. Although the malware triggered a URL request to a malicious domain,
the domain returned a 404 error by the time of analysis. This same domain was previously
associated with a North Korean campaign targeting blockchain engineers, reinforcing the attribution
to North Korea's financially motivated cyber activities.

Form I-9 Compliance, a company that handles employee eligibility verification, reported a significant data breach impacting over 193,000
individuals, up from their initial estimate of 27,000. The breach, detected in April but dating
back to February, exposed sensitive data, including names and social security numbers.
Impacted individuals are being offered free identity theft protection and credit monitoring.
It remains uncertain if ransomware was involved, and no group has claimed responsibility for the attack.
Hot Topic suffered a significant data breach affecting over 54 million customers, exposing sensitive information like emails, phone numbers, addresses, and weakly encrypted credit card data. The breach includes data from affiliated brands BoxLunch and Torrid,
and spans from 2011 through October of this year. Initially posted for ransom on a dark
web forum, the data was later offered for sale at a reduced price. Researchers believe the breach
originated from malware that compromised credentials for Hot Topic's third-party cloud services,
granting attackers access to sensitive data. The threat actor, using aliases, promoted the breach across
multiple forums, targeting a wide audience of potential buyers.
Halliburton, a major energy services company, reported a $35 million cost due to an August
ransomware attack, revealing the financial toll of cyber threats. The breach caused disruptions, limiting
access to some business systems, and led to lost revenue, impacting earnings by two cents per share.
Although Halliburton's quarterly revenue reached $5.7 billion, the incident underscores the
financial risks of ransomware. Halliburton activated a cybersecurity response involving external
advisors and law enforcement, but further details about stolen data or ransom payments remain unclear.

Researchers at Kaspersky say a new ransomware family, Ymir, has emerged, targeting systems previously compromised by the RustyStealer malware. Initially documented in 2021, RustyStealer is a credential harvesting tool that enables hackers to infiltrate systems using tools like Windows Remote Management and PowerShell for lateral movement. Once access is established, Ymir ransomware is deployed, executing entirely from memory to evade detection. It uses the ChaCha20 encryption algorithm, appending random extensions to encrypted files and creating ransom notes in PDF format. Ymir also modifies the Windows registry to display extortion demands on startup. Although Ymir hints at data exfiltration, it lacks a confirmed data leak site. With RustyStealer serving as an access broker, Ymir could soon pose a widespread threat. Researchers note Ymir's in-memory execution and use of unusual tools as notable elements.
In a report from GovInfo Security, cyber security experts
warn that threat actors are preparing for potential shifts under a second Trump presidency,
with Russia expected to intensify hacktivism and cyber attacks against pro-Western regions,
particularly in the Balkans and Moldova. Experts anticipate AI-powered disinformation campaigns across Europe,
with Moscow aiming to destabilize governments aligning with the EU.
In the Middle East, Iran may escalate attacks on Western infrastructure,
while regional groups ramp up DDoS efforts against Israel's allies.
A renewed Trump administration might alter federal cyber policy, impacting NATO
alliances and possibly leaving vulnerabilities in ransomware prevention efforts developed under
President Biden. Additionally, China and North Korea are expected to increase attacks. China
could target critical infrastructure, similar to the Salt Typhoon campaign, while North Korea
focuses on cryptocurrency theft to fund cyber capabilities. Experts stress the importance of
robust defenses, with CISA playing a critical role in safeguarding government and guiding
private sector cybersecurity to combat evolving threats during this transitional period.
Divi Jose Rodriguez Delgado, a Venezuelan known as Sebastian, was sentenced to 25 years for luring U.S. citizens via online dating platforms
into hostage situations in the Dominican Republic.
Between July 5th and July 30th of 2022, Delgado kidnapped three victims,
coercing them into vehicles where accomplices joined to hold them at knife point. Victims were
forced to call family and friends, pleading for ransom payments directed to Delgado's online
accounts, such as Cash App. Hostages were robbed and released only after payments were received.
An investigation launched in August 2022 by Dominican authorities traced a kidnapping
vehicle back to Delgado, resulting in his arrest on September 14th. Police found serrated knives
in the vehicle, linking him to the crimes. This case underscores the dangers of online dating
scams, with Delgado exploiting romance to trap and extort his victims.
Coming up after the break, Tim Starks from CyberScoop joins us to discuss what he's hearing from Washington insiders as they prepare for the next Trump administration.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now?
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7,
365, with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Tim Starks. He is senior reporter at CyberScoop. Tim, welcome back.
Mighty Dave Bittner.
Good to see you. The pleasure is mine, sir. As you and I record this, it is just a few days after the big U.S. presidential election here. And of course,
Donald Trump was victorious in his effort to be the next president of the United States.
You are my man on the ground when it comes to having the inside track in Washington, D.C.
What are you hearing?
How are folks in cyber anticipating a second Trump term?
Well, they've been anticipating the possibility of this for a while, and so have I.
I've written at least a couple stories about what we might expect out of the Trump administration.
One was a little more focused on the kind of personnel that he might be looking to hire,
and another was focused, you know, it was around the time of the Republican National Convention and examining what few tea leaves we could read from the platform.
But there are tea leaves to be read, and there are people who have insight on what's going
on.
And one thing to keep in mind when we're talking about Donald Trump is he is ideologically
unpredictable.
You might think, oh, he's talking about cutting the size of government, and he is, but does
that mean he'll necessarily cut the cybersecurity budget?
Those are some of the questions that people have. I'm happy to talk about where I think
philosophically some things will land. Yeah. Well, I don't think it's controversial or unusual to say
that in his last term, a lot of things were chaotic in the Trump White House. I've spoken to folks in the
intelligence community about the challenges that they faced interacting with the Trump White House
and just trying to do their day-to-day jobs of keeping the U.S. safe and looking out for our
allies as well. I'd love to hear your opinion of how do you think things are going to repeat what we had
the last time and may we see some change? Yeah, I mean, I think we'll see more chaos,
to be honest. I mean, I think that's an across-the-board prediction that we're
seeing from a lot of people for good reason. A lot of the people who might have been putting
on the guardrails for Trump in the last administration, those people are probably
not going to be around this time.
Most of them have said they don't want him to be president.
So he's going to have to find new people, people who will probably be more compliant
with what he wants.
I think we can say safely that he has now a personal investment in Chinese hackers,
specifically, that he might not have had prior.
He's always been talking about China.
He's always been talking about that issue.
But now with the confirmed news accounts
of Chinese hackers trying to get into his phone,
we know he's animated by personal grievance at times.
And that means he might be looking to ramp that up.
At the same time, there's some conflicting personal grievances. He still probably has hard feelings toward CISA,
the Cybersecurity and Infrastructure Security Agency, over what happened at the end of his last term,
where the leader of that agency undermined some of his election security claims.
And so if you look at that combined with what has happened
with Project 2025,
whether you take that as gospel
for what the Trump administration
wants to do or not,
I think it's fair to say
it's a reflection of at least
some of the things
that the Trump administration believes.
And that is an area
where they basically have talked about
really undercutting CISA,
taking away its election security mission.
And I think you could see that
being an effect on CISA as an entity. At the same time,
I was talking to somebody who had served in both
administrations, and they had said
that's still a pretty small percentage of
CISA's budget. So what
CISA's role will be going forward
is a good question. Whether the regulation
they have pertaining to the cybersecurity incident notification law, CIRCIA,
whether that might get curtailed or rolled back.
That's a source of speculation from people I'm talking to.
There's a broader regulatory question we can get into.
That's what we just started there.
There's the question of what kind of new entities that they've been,
new things that have cropped up since they were around,
things like the Office of National Cyber Director.
That's something they haven't dealt with.
The AI executive order.
There's a whole host of things.
And then there's this sort of general approach to things that could be different.
How they handle these issues, cybersecurity enjoyed bipartisan support,
broad bipartisan support.
To what degree, these years later,
is that still the case?
I think it's always been a little overstated
that that's the case, personally.
That's my personal viewpoint.
I think that there's been partisan conflict
that you can point to on cyber going back a long way. But I do think it's fair to say it's been less political than some other
issues. I think if you look at the way CISA has been treated by Republicans versus Democrats,
there are some Republicans that are very still much in favor of CISA organizationally and what
role I think it is. But then you have senators like Senator Rand Paul, who simply refuses to
give it any new authorities because he's so hostile toward it. I think that there are some issues that are still bipartisan,
specifically between Trump and Biden, if we're looking at a continuation.
If you looked at the RNC platform, they did talk about wanting minimum standards for
cybersecurity for critical infrastructure sectors. That is something that this administration,
the Biden administration, has really, really pushed hard. Now, are there going to be degrees of difference? I think so.
I think there are going to be levels of this that Trump might be more comfortable with than Biden
in terms of how far they want to go or how far they don't want to go.
So there are areas where I think there is some bipartisanship.
I think that there's some, interestingly enough, one of the somewhat bipartisan elements of what might be going on with, say, the responsibilities of the Office of National Cyber Director is that, you know, Trump got rid of a White House role for cyber, the cyber czar.
The Biden administration had indicated behind the scenes that they did not really want this office.
And so there might be some weird sort of bipartisanship and a sort of negative direction toward one of the agencies that does this.
Now, that doesn't mean that this entity is the same as the entity that Trump had.
It's a different entity.
So there might be some ways in which he's more open to it.
But there's some innate resistance that I think might have to be overcome that already existed under Biden and could continue based on what we saw from Trump last time around toward that particular office.
Do you have any sense, for the folks that you've talked to, that given the type of chaos that we saw in the first Trump administration, they've been using this time to prepare for the possibility of President Trump's return, to be in a better place to handle that particular kind of chaos?
Yeah, maybe not on cyber specifically because everybody I've talked to has suggested that there are other priorities they have.
Let's take even an example of within specific agencies.
Within our world, the SEC's cybersecurity regulations are very, very controversial, very divisive.
But at the SEC, Trump is going to have different things he's going to be wanting to figure out, is what I've been told.
People are thinking about who's going to even lead the SEC.
There's also issues related to independence of agencies.
That's something that could actually enhance the chaos.
If you're talking about agencies that had had a sort of independent standing,
how much will Trump saying he wants to rein them in and put them under his control more directly,
how much more chaotic does that get?
I suppose you could see more cohesion in a roundabout sort of way if that's the case.
Going back to the thing you said about bipartisanship,
I'll say that I think
it's not necessarily the case that the executive
order that the
Biden administration is putting together,
the second executive order on cybersecurity,
is dead on arrival because it's
touching on things that
to some degree happened under the Trump
administration. There are some similar issues that they're touching
on there. It's not so much a matter of,
we're going to play some more regulations,
which we might run into some bipartisanship about.
It's about how we want to secure our government,
and some of those things could have carryover.
So in terms of how much chaos there is,
I think one of the things that another thing that someone told me,
same person I mentioned this before,
who worked in both administrations,
said the Biden administration was very top-down
in terms of how it managed things.
That led to some order, perhaps,
but also some stifling of things that might bubble up from beneath
and ideas that people might have.
So in some ways, that could have been a little more chaotic,
especially at the agency level,
because you're talking about a difference of approach
and how much chaos there is in that.
Whereas with the prior administration,
the sentiment was, here's our goals,
agencies, go figure it out.
And that may be less orderly,
but it also may, in a roundabout sort of way,
be less chaotic for the agencies
themselves because they're not coming up with ideas
and then having them shot down and then having to go back to the drawing
board. They're coming up with the ideas and they're being
trusted to come up with those things.
Alright, well, as we always say, time will tell. Tim Starks.
Time will in fact tell.
Tim Starks is Senior Reporter at CyberScoop.
Tim, thanks so much for joining us.
Yeah, thanks, Tim.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization
runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep
your company safe and compliant.
And finally, in a piece for 404 Media, Joseph Cox describes internal emails which reveal that Secret Service officials disagreed over whether using an online surveillance tool required a
warrant, sparking a legal and ethical debate within the agency. The app collects user location data from ordinary smartphone apps,
which is then sold to third parties like Babel Street.
Some Secret Service staff argued that agreeing to an app's terms of service
effectively waives user privacy,
while others questioned whether the practice violated the Fourth Amendment,
referencing the Carpenter v. U.S. Supreme Court ruling,
which requires a warrant for cell site data.
Babel Street claimed no warrant was necessary since data was opt-in and hashed,
supposedly keeping users anonymous,
though a demonstration showed the tool could track individuals based on unique identifiers.
Despite growing criticisms, including from Senator Ron Wyden,
the Secret Service maintained it followed applicable laws.
As the great musical philosopher Tom Waits said,
the large print giveth and the small print taketh away.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast,
where I contribute to a regular segment on Jason and Brian's show every week.
You can find Grumpy Old Geeks
where all the fine podcasts are listed.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights
that keep you a step ahead
in the rapidly changing world of cybersecurity.
If you like our show,
please share a rating and review
in your favorite podcast app.
Please also fill out the survey in the show notes
or send an email to cyberwire at n2k.com.
We're privileged that N2K Cyber Wire is part of the daily routine of the most influential leaders and operators in the public and private sector,
from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people.
We make you smarter about your teams while making your team smarter.
Learn how at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester with original music and sound design by Elliott Peltzman.
Our executive producer is Jennifer Eiben.
Our executive editor is Brandon Karpf.
Simone Petrella is our president.
Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.