CyberWire Daily - Ransomware is just a prescription for chaos.
Episode Date: April 30, 2024
UnitedHealth’s CEO testimony before Congress reveals details of the massive data breach. Major US mobile carriers are hit with hefty fines for sharing customer data. Muddling Meerkat manipulates DNS. A report from Sophos says ransomware payments skyrocketed this past year. The DOE addresses risks and benefits of AI. LightSpy malware targets macOS. A crucial Kansas City weather and traffic system is disabled by a cyberattack. A Canadian pharmacy chain shuts down temporarily following a cyberattack. Guest Kayla Williams, CISO from Devo, joins us to share CISO insights into the pressure of their roles they feel mounting on them and gives us a look into their plans for RSAC 2024. Pay attention - that AWS meter may be running. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
Selected Reading
Change Healthcare hackers broke in using stolen credentials — and no MFA, says UHG CEO (TechCrunch)
FCC Fines Carriers $200m For Selling User Location Data (Infosecurity Magazine)
Muddling Meerkat hackers manipulate DNS using China’s Great Firewall (Bleeping Computer)
Ransom Payments Surge by 500% to an Average of $2m (Infosecurity Magazine)
US DOE rolls out initial assessment report on AI benefits and risks for critical energy infrastructure (Industrial Cyber)
LightSpy malware has made a comeback, and this time it's coming after your macOS devices (ITPro)
Kansas City system providing roadside weather, traffic info taken down by cyberattack (The Record)
London Drugs pharmacy chain closes stores after cyberattack (Bleeping Computer)
An Empty S3 Bucket Can Make Your AWS Bills Explode (GB Hackers)
How an empty S3 bucket can make your AWS bill explode (Medium)
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me.
I have to say, Delete.me is a game changer. Within days of signing up, they started removing my
personal information from hundreds of data brokers. I finally have peace of mind knowing
my data privacy is protected. Delete.me's team does all the work for you with detailed reports
so you know exactly what's been done. Take control of your data and keep your private life Thank you. JoinDeleteMe.com slash N2K and use promo code N2K at checkout.
The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout.
That's JoinDeleteMe.com slash N2K, code N2K. Thank you. change shuts down temporarily following a cyber attack. Our guest, Kayla Williams,
Chief Information Security Officer from Devo, joins us to share CISO insights into the pressure
of their roles they feel mounting on them and gives us a look into their plans for RSAC 2024.
And pay attention, that AWS meter may be running.
It's Tuesday, April 30th, 2024.
I'm Dave Bittner,
and this is your CyberWire Intel briefing.
UnitedHealth CEO Andrew Witty provided a detailed account of the February ransom attack on its subsidiary Change Healthcare during a House subcommittee hearing.
Witty explained that the attack began when hackers used stolen credentials to access an unprotected Citrix portal used by Change Healthcare for remote employee access to their
internal network.
Critically, this portal did not have multi-factor authentication enabled, a security lapse that
facilitated the unauthorized access.
Once inside the system, the hackers utilized sophisticated techniques to move laterally
across the network and extracted data over the following days. The situation escalated nine days
after the initial breach on February 21st when the hackers deployed ransomware. In response, UnitedHealth was forced to shut down
its network to contain the breach. The cyberattack had severe financial repercussions, costing
UnitedHealth over $870 million in the first quarter alone, despite the company's substantial
revenue of nearly $100 billion during the same period. UnitedHealth confirmed that it had paid a ransom
to the attackers known as RansomHub
to prevent further distribution of the stolen data.
RansomHub, which is the second gang
to claim responsibility for this attack,
had already begun posting portions of the data
on the dark web, escalating the threat
of wider data misuse.
This incident has brought to light significant security shortcomings
in the healthcare industry's use of critical IT infrastructure
and will likely prompt further investigation into why necessary security measures,
such as multi-factor authentication, were not in place.
The FCC fined four major U.S. mobile carriers, Sprint, T-Mobile, AT&T, and Verizon,
a total of nearly $200 million for selling customer location data without consent.
According to the Communications Act, carriers must protect customer information
and obtain explicit consent before sharing it.
The FCC found that these carriers continued to sell sensitive location data
to third parties through aggregators,
even after realizing that safeguards were inadequate.
This practice persisted despite the carriers being aware of unauthorized access incidents,
including a case where a Missouri sheriff used such data
to track individuals without their consent.
The investigation and fines are part of broader efforts to hold carriers accountable for data privacy violations.
The threat group Muddling Meerkat, linked to Chinese state-sponsored actors,
has been manipulating DNS systems globally since October 2019, with increased activity in September of
2023. This group notably alters MX records via China's Great Firewall, introducing fake DNS
responses, a new tactic for China's internet censorship system. Discovered by Infoblox,
the exact intentions of Muddling Meerkat remain unclear,
but the operations reflect a high level of sophistication in DNS manipulation.
This activity involves creating DNS noise and possibly mapping network vulnerabilities to prepare for future attacks,
showing advanced capabilities in testing and disrupting global DNS infrastructures.
According to Sophos' The State of Ransomware 2024 report, average ransom payments skyrocketed by 500% over the past year, reaching $2 million per incident, up from $400,000 the previous year.
Despite a slight decrease in the frequency of ransomware attacks,
from 66% of organizations affected in 2023 to 59% in 2024, ransom demands have become
significantly steeper, with 63% exceeding $1 million and 30% surpassing $5 million.
Although fewer organizations are being targeted, those hit
face more severe financial demands. Additionally, recovery from ransomware attacks has become
costlier and more prolonged, with average recovery expenses rising to $2.7 million
and fewer companies recovering within a week compared to the previous year.
The U.S. Department of Energy released a report assessing the potential benefits and risks of artificial intelligence in critical energy infrastructure.
As the Sector Risk Management Agency for the U.S. energy sector,
the DOE highlights AI's potential to significantly enhance security, reliability, and resilience across the sector. However, it also identifies the need for updated risk-aware best practices
for AI's safe and secure deployment. The report details 10 AI applications and four risk categories,
including unintentional failures and adversarial attacks. The DOE plans ongoing engagement with energy sector stakeholders
to refine AI strategies and ensure resilient and secure energy systems.
This effort aligns with broader federal initiatives to manage AI risks
and leverage its advantages responsibly.
The resurgence of LightSpy malware
now targeting macOS devices
has raised alarms in the cybersecurity community.
Originally known in 2020 for infecting iOS devices,
the new variant specifically compromises
Apple's desktop operating system.
Discrepancies between BlackBerry's initial findings
and Huntress's subsequent report highlight
this shift. Huntress has confirmed that the malware's binaries are compiled for the x86-64
architecture, typical for macOS, not the ARM architecture used in iPhones. This variant
exhibits more sophisticated operational security and advanced malware capabilities compared to its iOS counterpart.
Security enhancements by Apple, including lockdown mode and tighter data access controls, aim to mitigate these risks.
Huntress has also provided detection tools and indicators of compromise to help businesses protect against this evolving threat.
Last week, the Kansas City Scout System, a crucial bi-state traffic and weather management tool operated by the Departments of Transportation in Missouri and Kansas, was disabled by a cyber
attack. This outage occurred during a weekend of severe storms, posing significant risks as the
system displays real-time weather and traffic updates
on highway signs and through its app and website.
Following the attack,
all systems, including traffic cameras and message boards,
were shut down as a protective measure by the IT team.
Restoration efforts are underway,
but there is no specified timeline for when services will resume.
The disruption has raised concerns about the inability to communicate urgent weather
warnings to drivers, complicating safety measures during a critical time.
London Drugs, a Canadian pharmacy chain, has temporarily closed all its stores across
Western Canada following a cybersecurity incident detected on April 28th.
The company has enlisted external cybersecurity experts
to help contain the breach and conduct a forensic investigation.
Although there is currently no evidence that customer or employee data was compromised,
the company has taken extensive measures to secure its network and data.
London Drugs has not yet notified authorities,
as personal and health information appears to be unaffected.
However, they have stated that they will inform impacted individuals and privacy commissioners
if the ongoing investigation reveals any compromised personal information.
In the meantime, customers with urgent pharmacy needs
are advised to contact alternative local pharmacies.
Coming up after the break, Kayla Williams, CISO from Devo,
joins us to share insights into the pressure of the CISO role.
Stay with us.
Transat presents a couple trying to beat the winter blues.
We could try hot yoga.
Too sweaty. We could go skating. Too icy. We
could book a vacation, like somewhere hot. Yeah, with pools and a spa and endless snacks. Yes, yes, yes.
With savings of up to 40 on Transat South packages, it's easy to say so long to winter.
Visit Transat.com or contact your Marlin travel professional for details. Conditions apply.
Air Transat. Travel moves us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and helps you get security questionnaires done five times faster
with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the executive protection platform secures their personal devices, home networks, and connected lives?
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover
they've already been breached. Protect your executives and their families 24-7, 365,
with Black Cloak. Learn more at blackcloak.io.
Kayla Williams is Chief Information Security Officer from Devo.
I recently spoke with her about the pressure of the CISO role and what can be done about it.
Devo has been laser focused on stopping cybersecurity burnout and enabling CISOs and their teams to tackle the biggest hurdles in our industry. We published this Modern CISO,
an essential guide for CISO success
back, I think this past Tuesday,
which was really, really exciting.
We've been in this game
for quite a number of years now.
And speaking from my own personal experience,
burnouts and the feeling of
just constantly fighting fires is why we felt it was important for CISOs and their teams to understand that they're not alone and that this isn't normal to feel this way.
Well, let's dig into some of the information that you've gathered here.
I mean, some of this is quite striking.
Yeah, it is.
You know, we surveyed 200 CISOs at enterprise-sized organizations. So that being said, that's like $500 million or more in revenue. And 32% of the CISOs surveyed think about leaving their that we've seen filed against CISOs of some very large, well-known organizations.
And to that point, you all gathered information on what CISOs are doing to kind of protect themselves.
Yeah, some of them are obtaining indemnification agreements with their organizations.
And that's about 52% of our respondents.
So more than half have started to look in that direction and to ask the organizations how they can be protected more.
And furthermore, 47% of our respondents ask their organizations to actually provide personal liability insurance and other cyber liability policies.
And that's a striking number as well.
Yeah.
Well, let's go beyond some of the numbers here
and talk about this e-book that you all put out.
This is titled The Modern CISO, An Essential Guide for CISO Success.
You really are focusing on this notion of burnout here
and the stresses that CISOs experience.
What are you hoping that people
take away from the book? That this is not normal and that it is okay to feel the way that you're
feeling, but there are mechanisms in place to help you. And that, you know, we're partnering
with a company called Cybermindz. Again, this is our third year partnering with them. They're a
not-for-profit organization. They're focused on delivering cyber-informed mental resilience services to help boost team morale.
And I've actually been through parts of the program, and it really helps to calm your body.
So we're not just sitting here pointing out all the things that are going wrong or could possibly go wrong.
We're actually giving strategies and suggestions on how you can make it better for yourself and your team. So we really hope that that's taken away.
That's a really interesting insight. I mean, I think for a lot of folks, it's,
I'll maybe I'm exaggerating some, but I think you can have this kind of a superhero mindset where
there's the pressure that everyone's depending on you. And it's hard to have mental and emotional
downtime.
Absolutely. And I think it's actually
heightened more since COVID, where there is a blurred line between work and home. They tend
to be the same place nowadays, especially in the security industry, where you don't need to be
in the office every day. And it becomes almost a fiduciary responsibility to always be on,
at least with the people I've spoken to.
We're always on online and checking out alerts and paying attention to the industry news, trying to be on top of everything so that we can protect our organizations because we do feel that responsibility.
Is part of this getting that message up to the powers that be at an organization, at the board level, the management
level, to let them know that this is a serious issue?
Yes, without a doubt. There is a big
disconnect that we found between the leaders at the top of the organization and the boots on ground.
And that discrepancy can actually be between the CISO and their own teams and what they're
enduring and the workload that they have. The monotony of being in a security
operations center, for example, and having hundreds or thousands of alerts firing where not all of
them are emergencies, some of them are false positives, or maybe even the vast majority,
depending on how you fine-tuned your alerts or not, takes a lot of work and it can be exhausting.
And feeling that you're not
focusing on the items that are the highest risk to your organization can also lead to your burnout.
Like you're not contributing to the end goal and the objectives of the company.
Well, we're coming up on the RSA conference here and you and your Devo colleagues are kind of
putting your money where your mouth is when it comes to your collaboration with Cybermindz and supporting this effort.
Can you share with us what you're up to there?
Yes, and I love this.
So Devo will be exhibiting at booth number 343.
And for every badge scan that we receive, Devo will donate $10 to Cybermindz to help support their mission.
You're also going to be presenting on this topic
along with your, I believe, one of your founders, right?
Actually, it's not one of our founders.
It's the Cybermindz founder and executive chairman,
Peter Coroneos.
And that's going to be on Tuesday, May 7th.
Yes, he's actually bringing the neuroscience
into our presentation.
So it's really fascinating.
It's things that I never thought I would be interested in,
but because it ties so closely into how I feel
and how my colleagues feel,
it's been a learning journey for myself.
And it's something that I highly appreciate
and learn from Peter every time I speak to him.
So I highly recommend coming and checking us out.
So folks should stay tuned in terms of the location
for that particular presentation.
Yes, please keep an eye out for our session
on the conference agenda.
We don't have a room known just yet,
but we are one of the earned speaker slots.
Well, it's such an important topic.
And I think, you know,
there's that old saying that knowledge is power.
And I think the more information you can get on this, the more tools you can have in your tool bag to be able to contend with these issues.
So you're going to be better off.
So tip of the hat to you and your colleagues there at Devo for taking this on head on.
Thank you.
We appreciate that.
It is a topic near and dear to my heart as well, as I mentioned.
So I am really looking forward to the session,
and I hope that all of your listeners can come and learn something as well.
That's Kayla Williams from Devo.
Cyber threats are evolving every second, ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company
safe and compliant.
And finally, Maciej Pocwierz, senior software engineer at Semantive,
experienced significant frustration when their AWS bill skyrocketed to over $1,300 due to a misunderstanding
involving the use of their S3 bucket. They set up a single bucket in the EU West 1 region for
a proof of concept, assuming it would remain within the free-tier limits. Instead, they found
nearly 100 million put requests had been made to their bucket in just one day,
most of these from misconfigured instances of a popular open-source tool
that had mistakenly used the same bucket name as a default.
He discovered that AWS charges for unauthorized requests,
which were unexpectedly flooding their bucket from third-party systems.
These charges were compounded by the fact that requests without a specified region
were defaulting to US East 1, resulting in additional redirection costs.
Out of curiosity and an attempt to understand the scale of the issue,
they temporarily allowed public writes to the bucket,
quickly amassing over 10 gigabytes of random data,
which underscored the potential for serious data leaks due to such misconfigurations.
They tried to mitigate the problem by reaching out to the maintainers of the open-source tool,
the AWS security team, and the owners of the data they accidentally collected.
However, responses were minimal or non-existent, adding to their frustration.
Although AWS eventually waived the hefty bill as an exception,
the ordeal highlighted critical lessons in cybersecurity and AWS usage,
including the importance of specifying regions in requests
and choosing unique bucket names to avoid similar costly mistakes.
This incident was a painful but enlightening experience
that exposed vulnerabilities in default configurations
and third-party interactions with cloud services.
One day you're in the cloud,
the next you're thunderstruck by a $1,300 bill.
You've been thunderstruck!
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com. N2K Strategic
Workforce Intelligence optimizes the value of your biggest investment, your people. We make
you smarter about your team while making your team smarter. Learn more at n2k.com. This episode
was produced by Liz Stokes. Our mixer is Trey Hester with original music by Elliot Peltzman. Our executive producers
are Jennifer Eiben
and Brandon Karpf.
Our executive editor
is Peter Kilpe
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.