CyberWire Daily - Remapping privacy.
Episode Date: December 15, 2023
Google boosts Maps privacy, a court shields password disclosure, feds foil a massive scam operation, Iran-Israel cyber tensions escalate, Idaho National Labs reports a significant data breach, a security engineer's cybercrime confession. N2K's Rick Howard reports from the recent MITRE ATT&CK con, speaking with Blake Strom of Microsoft about 10 years of the MITRE ATT&CK Framework. And Brian Krebs' relentless investigation into the Target breach.
Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
Today, N2K's Rick Howard recently attended the MITRE ATT&CK Con. While there, Rick spoke with Blake Strom of Microsoft and they discussed 10 years of the MITRE ATT&CK Framework.
Selected Reading
Google is rolling out new protections for our location data (The Washington Post)
Four men indicted in $80 million 'pig butchering' scheme (CNBC)
Just In: Crypto Hacker Shakeeb Ahmed Admits to $12 Million Heist (BET US)
Suspects can refuse to provide phone passcodes to police, court rules (Ars Technica)
Gaza Cybergang | Unified Front Targeting Hamas Opposition (SentinelLabs)
Israeli CEO recruits Muslim hackers to fight Hamas in cyberwarfare (The Jerusalem Post)
Personal Information of 45,000 Individuals Stolen in Idaho National Laboratory Data Breach (SecurityWeek)
Ten Years Later, New Clues in the Target Breach (KrebsOnSecurity)
Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.
Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Google boosts maps privacy.
A court shields password disclosure,
feds foil a massive scam operation, Iran-Israel cyber tensions escalate,
Idaho National Labs reports a significant data breach,
a security engineer's cybercrime confession,
N2K's Rick Howard reports from the recent MITRE ATT&CK con,
speaking with Blake Strom from Microsoft about 10 years of the MITRE ATT&CK framework, and Brian Krebs' relentless investigation into the Target breach.
It's Friday, December 15th, 2023.
I'm Dave Bittner, and this is your CyberWire Intel Briefing. Google is enhancing privacy protection for users' location data in its Maps Timeline feature.
Currently, timeline data is stored on both users' devices and Google's servers.
However, Google plans to shift this, ensuring location history remains only on user-owned hardware.
Additionally, the default storage
duration for this data will be reduced from 18 months to 3 months. This move is part of Google's
effort to secure location data against potential legal access, such as geofence warrants used by
law enforcement. If users opt for cloud backup, their data will be encrypted, making it inaccessible even to Google.
This update aims to protect sensitive information, especially in contexts like visits to medical facilities,
which Google pledged to delete swiftly but has been inconsistent in doing so.
Users have some existing control over their location histories, like the ability to enable or edit
them. The upcoming changes also include a feature for managing activities related to sensitive
locations, enhancing users' control over their data. Privacy advocates welcome these changes,
though some remain cautious about Google's commitment to privacy. Google asserts its
ongoing efforts to provide users with more control over
their data, emphasizing their intentions to improve privacy measures continuously. These
changes, expected to roll out over the next year, represent a significant step in enhancing user
privacy in digital spaces. Federal prosecutors disrupted a major pig butchering scam,
arresting two and indicting four Californians for laundering over $80 million from victims.
The scam, named after a Chinese phrase, involves building rapport with victims through cold messaging
and tricking them into sending money to fake investment platforms.
The scammers show falsified profits,
persuading victims to invest in crypto or other assets
before disappearing with the funds.
The accused used shell companies and various banks,
including Bank of America and JPMorgan Chase,
to funnel profits to accounts in the U.S., Hong Kong, and the Bahamas
linked to money laundering and the Tether stablecoin.
This case represents a significant enforcement action
against a scam that costs U.S. citizens
hundreds of millions annually.
Shakeeb Ahmed, a 34-year-old senior security engineer,
pleaded guilty to high-profile cybercrimes,
including a $12 million theft from Nirvana Finance
and another decentralized exchange.
His admission reveals his use of sophisticated methods,
exploiting vulnerabilities in smart contracts of Solana-based exchanges,
including a $3.6 million attack on Nirvana Finance using a flash loan.
Ahmed employed advanced laundering techniques
involving token swap transactions, transfers across blockchain networks, conversions into Monero, and
use of international exchanges and mixers. He faces serious consequences, including forfeiting $12.3
million and paying $5 million in restitution.
Ahmed's conviction, a first involving a smart contract attack,
is a significant legal milestone in addressing crimes in decentralized finance.
Scheduled for sentencing on March 13th, he could face up to five years in prison.
The Utah Supreme Court unanimously ruled that suspects have a Fifth Amendment right
to refuse providing phone passcodes to police, a principle affirmed in the Alfonso Valdez case.
Valdez, arrested for kidnapping and assault, didn't give his passcode during the investigation.
The state's use of his refusal as trial evidence led to his conviction, which was
later overturned on appeal. This ruling underscores the complexity of applying the Fifth Amendment in
digital evidence cases, with potential implications for the U.S. Supreme Court. Legal experts note the
current lower court confusion regarding digital evidence and the Fifth Amendment, suggesting this case might
be reviewed by the U.S. Supreme Court for clarity. In the ongoing conflict involving Israel,
Iranian cyber groups have intensified their operations. The group known as OilRig,
also identified by various names such as APT34, Lyceum, Crambus, and Siamese Kitten, has been particularly active.
According to ESET's analysis, since 2022, OilRig has launched a series of attacks against Israeli
targets using four new downloaders, SampleCheck5000, ODAgent, OilCheck, and OilBooster.
These tools, while somewhat basic and detectable, have proven to be effective.
One notable tactic in these attacks is the use of legitimate cloud services for command and
control purposes. OilRig's primary focus is on cyber espionage, gathering information rather
than engaging in theft or sabotage. Israeli law prohibits private companies from attacking international cyber systems,
but according to the Jerusalem Post, one Israeli company, Sytaka, believes it's found a way to hit
back at Israel's enemies in cyberspace without running afoul of the law: engage international
partners, the Jerusalem Post writes. Closer to home, Idaho National
Laboratory is notifying 45,000 individuals, including current and former employees, retirees,
postdocs, graduate fellows, interns, as well as their dependents and spouses, of a data breach
involving stolen personal information. The breach, identified on November 20,
affected the Oracle human capital management software used for HR applications.
Compromised data includes names, birthdates, social security numbers,
salary details, and banking information, all current as of June 1, 2023.
Those affected will receive a letter from Experian and INL
offering no-cost identity protection and credit monitoring services.
The hacktivist group SiegedSec claimed responsibility for the breach,
with INL investigating alongside the DOE, FBI, and CISA.
Impacted individuals are advised to be vigilant
against identity theft and phishing
attempts. Coming up after the break, our own Rick Howard speaks with Blake Strom from Microsoft
about 10 years of the MITRE ATT&CK framework. Stay with us.
Do you know the status of your compliance controls right now?
Like, right now?
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection
across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already been breached. Protect your executives
and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Back in October, the MITRE Corporation hosted the ATT&CK CON 4.0 conference at their company headquarters in McLean, Virginia. And one of the coolest things they did on the 10th anniversary
since they invented the MITRE ATT&CK framework
was to bring back the original researcher analysts who came up with the idea in the first place.
On the panel was Jen Miller-Osborn, who just recently stepped down as Palo Alto Networks' Deputy Intelligence Director for Unit 42,
Brad Crawford, the Vice President of Product at Phylum,
Eric Schiessle, the head global security architect at Sony,
and Blake Strom, the principal security researcher manager at Microsoft.
I got to sit down with Blake after the panel and started out by asking him
if he thought the MITRE ATT&CK framework was the de facto standard
for how cyber threat intelligence teams convey and represent
adversary playbook
intelligence.
So we definitely had antibodies when it comes to standards and people calling it a standard.
So we'll just call it a framework and a knowledge base.
We're comfortable with that.
Why has everybody accepted that?
You guys didn't think it was going to be that when it started.
So how did it become to be that?
I think it's because it was just the right mix of threat intel, red teaming, and defense. And so I mentioned Todd Wittbold in the panel.
So he was the guy that hired me. He was my department head when I was at MITRE for
a long time, but he had this saying about ATT&CK, that it was like the rug that brought the room
together, sort of like, you know, what's that movie?
Is it Lebowski? Yeah, the
Big Lebowski. Yeah, so he said it's
the rug that pulls the room together, or
ties the room together, and that's definitely
what it is. Before
ATT&CK,
you know, every vendor had their own way to describe
things, right? And they could be talking about the same
adversary, and
nobody would know.
Because we even have colorful names that were different.
And we still have that problem.
But the ATT&CK framework becomes the Rosetta Stone to fix all that.
You can tell me if I'm wrong.
No, you're definitely right.
Because if you read some of the reports, like the Intel reports back in the day,
you could get two different reports from two different Intel providers or vendors and they would describe the same,
even behavior in different ways.
There was no way to compare them
unless you really know the deep technical details
and how the actor is actually performing the act.
And so that's where the rubber hits the road for ATT&CK.
Well, take me back to those days, right?
Because the panel was talking about,
you know, the origin story.
I'm an old comic book nerd myself, right?
So I love origin story.
So what was happening before
you started working on this
that was the spark that said,
hey, we should do this other thing?
What was happening?
It was basically back to the CyberGames report. So what is the
readout that the Red team did?
Well, explain that. I don't know if everybody knows what that is.
The CyberGames was what?
Yeah, so the CyberGames was basically
the Red versus Blue
session that would happen as part
of the FMX project.
For the NSA? No, this is for
MITRE.
I'll go back a little bit.
So MITRE started this research project.
The premise was that, you know, the IOCs that people were typically using to detect malware and attackers weren't enough.
You needed to instrument the endpoint systems, instrument the network in a way that you're collecting like telemetry over time and then looking for the signal patterns that indicate an attack was happening.
And so that's what the FMX project was.
That set of sensors, the set of
analytics, the analytic data
getting into Splunk and then
churning on it to see if you can find the correct...
It's a red team, blue team exercise?
Yeah, so we exercise...
Did we not have those before that?
We did, but it's usually like the red team going in
and assessing your network and the blue team going, hey,
we caught you here, but we missed all this stuff.
Don't tell us what we're bad at.
Where this was much more supposed
to be a collaborative exercise because
the red and blue team both had the objective
to improve the system.
It's the origin of purple team.
Yes, it was. It was very much
a purple team. How about that? I didn't know that
until just now. That's really good.
Okay, so.
We didn't coin the term, but it was definitely like a purple team exercise.
And so trying to figure out like what is the commonalities across the threat actors so that we can emulate them successfully in this environment in a way that the blue team can show that their work is actually making a difference against specific threats.
It really was like the origin for ATT&CK.
That was the foundation.
So what was the games called again?
Cyber Game.
Cyber Game.
So, all right, we do the games.
We still don't have ATT&CK yet.
So what changed?
So we had lots of data on how threats operate
within like an enterprise network.
And Jen was going through that data
and then comparing it,
figuring out what the nuggets of details are
that are specific techniques,
comparing that to what Brad and Eric were doing.
And then we realized,
okay, so if we start with the ground level,
what are the individual actions
that attackers are going to take within a network?
Let's start there.
Let's start categorizing them.
Let's start binning them into, like,
what is the purpose for that technique?
Is it persistence?
Is it lateral movement?
Is it credential access?
And that started to build the framework
for the tactics that became, like, part of ATT&CK.
Did all that just kind of trip off your tongue back then?
Like, because before, you know, I was doing this,
I've been doing this for 30 years, right?
No one started talking about sequences of activity until, you know, the Lockheed Martin kill chain paper and the Department of Defense Diamond Model, the MITRE ATT&CK framework, right?
So were you guys thinking in those terms when the games were going on?
Yeah, we were.
But if you look at the Lockheed Martin cyber kill chain, like the actions on objectives is very vague.
And that's basically where attack sort of like fits in squarely to fill in a lot of...
I don't like that.
That is exactly right.
I've always thought the kill chain paper from Lockheed Martin was more strategic idea with no details about how to do it operationally.
But you are absolutely right.
That MITRE sits right in those actions on the objectives phase that they didn't address.
I didn't know that.
What about the Diamond Model?
Was that part of it too?
Because the Lockheed Martin paper came out in 2010, Diamond Model came out in 2011,
but both teams were working on it in the same, you know, for five years, I guess.
Yeah, and I knew, like, I worked with some of the founders of the diamond model at the NSA when we were there together.
And there's been like a lot of controversy that I think is totally unfounded in the industry.
Like, what would you use, the diamond model or the attack framework of the cyber kill chain?
But they're all necessary components to understand threats. It helps give analysts a framework to attribute a particular threat actor, which is important
knowledge for some organizations like governments and sort of multinational companies to understand
sort of like who they're doing business with and how that might impact their cybersecurity.
That was Blake Strom, the Principal Security Research Manager at Microsoft.
You can hear more about how the three main papers, the Lockheed Martin kill chain
paper, the DOD's diamond model, and the MITRE ATT&CK framework are really the intrusion kill
chain defense triad in my book, Cybersecurity First Principles, and you can get your copy at
Amazon. And you can hear the full interview I had with Blake in the next season of CSO Perspectives
that will come out next year.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses
worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization
runs smoothly and securely. Visit ThreatLocker.com today
to see how a default-deny approach can keep your company safe and compliant.
And finally, in 2013, Krebs on Security reported on a major breach at U.S. retailer Target,
where over 40 million customer payment cards were compromised.
The malware used was linked to a cybercriminal using the handle Rescator.
A decade later, Brian Krebs has unearthed new clues pointing to Rescator's real-life identity.
Initially believed to be a Ukrainian hacker, further investigation linked Rescator to Pavel
Vrublevsky, a convicted Russian cybercriminal. Rescator's tactics involve selling stolen cards
from Target and Home Depot breaches exclusively on his online shops. Rescator's identity was further unraveled
through connections to the Russian cybercrime forum Black SEO and a Russian ISP, where key
figures in the cybercrime world were identified. One significant clue was an email address used by
Rescator linked to a ChronoPay employee who managed pirated music sales. This led to connections with other Russian cybercrime figures
and businesses involved in illicit activities,
including cryptocurrency exchange Suex,
sanctioned by the U.S. Treasury.
Mikhail "Mike" Shefel, a key figure at ChronoPay,
emerged as a potential associate of Rescator.
The investigation revealed intricate relationships
among Russian cybercriminals spanning various illegal enterprises.
Vrublevsky's continued involvement in fraudulent activities post-imprisonment and Shefel's
ventures into cryptocurrency highlight the ongoing challenges in tracking and prosecuting
cybercrime. The U.S. Secret Service remains interested in further information,
emphasizing the ongoing nature of the investigation into this complex web of digital crime.
Unmasking cybercriminals is like peeling an onion with infinite layers,
but it looks like Brian Krebs doesn't mind the tears.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to check out a special edition of this week's Research Saturday.
Threat Vector host David Moulton is bringing us an exclusive interview with Unit 42's Michael Sikorski to discuss the Russian APT Fighting
Ursa. That's Research Saturday. Check it out. We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com. We're privileged that N2K and podcasts like The Cyber
Wire are part of the daily intelligence routine of many of the most influential leaders and
Strategic workforce intelligence optimizes the value of your biggest investment, your people.
We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Ervin.
Our mixer is Trey Hester with original music by Elliot Peltzman.
Our executive producers are Jennifer Iben and Brandon Karp. Our executive editor is Peter Kilby and I'm Dave Bittner.
Thanks for listening. We'll see you back here next week.