CyberWire Daily - Russian hackers hide in Ukraine telecoms for months.
Episode Date: January 4, 2024

Sandworm was in Kyivstar's networks for months. Museums face online outages. Emsisoft suggests a ransomware payment ban. An ambulance service suffers a data breach. Mandiant's social media gets hacked. GXC Team's latest offerings in the C2C underground market. 23andMe blames their breach on password reuse. Lawyers are using outdated encryption. On today's Threat Vector segment, David Moulton chats with Garrett Boyd, senior consultant at Palo Alto Networks Unit 42, about the importance of internal training and mentorship in cybersecurity. And in Russia, holiday cheers turn to political jeers.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today's Threat Vector segment with David Moulton features Garrett Boyd, a senior consultant at Unit 42 by Palo Alto Networks with a background as a Marine and professor, who discusses the importance of internal training and mentorship in cybersecurity. He provides insights into how training prepares professionals for industry challenges and how mentorship fosters professional growth and innovation. Garrett emphasizes the need for a mentorship culture in organizations and the responsibility of both mentors and mentees in this dynamic. The episode highlights the transformative impact of mentorship through personal experiences and concludes with an invitation for listeners to share their stories and a reminder to stay vigilant in the digital world.

Threat Vector
To learn what is top of mind each month from the experts at Unit 42, sign up for their Threat Intel Bulletin.

Selected Reading
Compromised accounts and C2C markets. Cyberespionage and state-directed hacktivism. (CyberWire)
Exclusive: Russian hackers were inside Ukraine telecoms giant for months (Reuters)
Hackers linked to Russian spy agency claim cyberattack on Ukrainian cell network (Reuters)
Museum World Hit by Cyberattack on Widely Used Software (The New York Times)
The State of Ransomware in the U.S.: Report and Statistics 2023 (Emsisoft)
Nearly 1 million affected by ambulance service data breach (The Record)
Mandiant's account on X hacked to push cryptocurrency scam (Bleeping Computer)
Cybercriminals Implemented Artificial Intelligence (AI) For Invoice Fraud (Resecurity)
23andMe tells victims it's their fault that their data was breached (TechCrunch+)
The Curious Case of MD5 (katelynsills)
Firmware prank causes LED curtain in Russia to display 'Slava Ukraini' — police arrest apartment owner (The Record)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Sandworm was in Kyivstar's network for months.
Museums face online outages.
Emsisoft suggests a ransomware payment ban.
An ambulance service suffers a data breach.
Mandiant's social media gets hacked.
GXC Team's latest offering in the C2C underground market.
23andMe blames their breach on password reuse.
Lawyers are using outdated encryption.
On today's Threat Vector segment,
David Moulton chats with Garrett Boyd,
senior consultant at Palo Alto Networks Unit 42,
about the importance of internal training and mentorship in cybersecurity.
And in Russia, holiday cheers turn to political jeers.
It's Thursday, January 4th, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing.
We begin today with reports that Russia's Sandworm was in Kyivstar's networks for at least seven months.
Ilya Vityuk, who leads Ukraine's SBU cybersecurity department, has told Reuters that the Sandworm element of Russia's GRU had gained access to telecom provider Kyivstar's networks at least as long ago as May of 2023.
Sandworm probably began its attempts against Kyivstar as early as March of that year.
Its goal was collection, mostly of data on individual users of Kyivstar's services, followed in the last stages of the operation by destruction of data and disruption of services.
A nominally hacktivist group, Solntsepek, has claimed credit for the attack, but they're almost surely a GRU front.
The effects of the attack on Kyivstar were severe and widespread,
but mostly affected civilian users as opposed to military operations.
The Ukrainian military doesn't make much tactical use of civilian telecoms.
Vityuk sees the attack as a warning.
He said, this attack is a big message, a big warning, not only to Ukraine, but for the whole Western world to understand that no one is actually untouchable.
Kyivstar is a large, wealthy, private company, a subsidiary of the Netherlands-based multinational VEON, and it was by no means a soft target.
Several prestigious museums have faced outages in displaying their collections online due to a cyber attack on Gallery Systems,
a key service provider aiding hundreds of cultural institutions
with digital displays and document management.
Institutions like the Museum of Fine Arts Boston,
Rubin Museum of Art, and Crystal Bridges Museum of American Art
reported disruptions following the incident, first detected on December 28th,
when Gallery Systems found its software encrypted and inoperative.
Immediate isolation and investigation measures were taken,
including engaging cybersecurity experts and notifying law enforcement.
While some systems have been restored, others remain down,
affecting access to critical internal documents like donor names,
loan agreements, and artwork storage details.
The attack highlights the growing threat to cultural organizations,
with recent similar incidents at the British Library, Metropolitan Opera,
and Philadelphia Orchestra,
often due to ransomware groups.
Museums hosting their databases independently, like the Metropolitan Museum of Art and the Whitney Museum,
reported no impact.
In 2023, the U.S. was heavily targeted by ransomware attacks,
with over 2,200 known incidents affecting hospitals,
schools, governments, and private companies. A report by Emsisoft Malware Lab presents a dire
view of the situation, suggesting that despite various countermeasures, ransomware remains a
prevalent threat, causing not only economic damage but also potentially endangering lives, particularly in
healthcare settings. Indeed, the number of ransomware attacks on critical institutions
like hospital systems and educational institutions has significantly increased over the past three
years. The authors argue that the only effective solution to the ransomware crisis is to completely ban the
payment of ransoms. They contend that ransomware is a profit-driven crime, and making it unprofitable
will lead to a drastic reduction in attacks. Security experts like Kevin Beaumont and Alan
Liska support this view, acknowledging that while a ban on ransom payments might lead to a short-term
increase in attacks, it's the only viable long-term solution. The report also notes the
evolving nature of ransomware attacks, with threat actors employing more aggressive tactics and
demanding increasingly higher ransoms. It underscores the fact that these are not mere
disruptions but constitute a crisis with significant and far-reaching consequences.
The report calls for urgent and decisive action to combat ransomware.
It suggests that a ban on ransom payments,
coupled with improved cybersecurity practices and international cooperation,
is crucial to stemming the tide of this damaging and dangerous cybercrime wave.
Transformative Healthcare, a Massachusetts-based company, reported a data breach affecting nearly
912,000 people. The breach, linked to Fallon Ambulance Services, which it acquired in 2018,
was detected in April 2023, with unauthorized activity dating back to
February. Compromised data includes names, addresses, social security numbers, medical
details, and employment-related information. The company has offered two years of free identity
protection to victims and is under investigation by federal law enforcement and a national consumer rights law firm.
The ambulance company had been shut down before the breach occurred,
but the parent company had a legal obligation to retain copies of the records that were subsequently stolen.
Cybersecurity firm Mandiant had its X (formerly Twitter) account hijacked
and used to impersonate the Phantom crypto wallet,
spreading a cryptocurrency scam.
The attacker promoted a fake site
offering free Phantom tokens,
leading users to install a fraudulent Phantom wallet
aimed at draining their cryptocurrency.
The real Phantom wallet has since warned users
and disabled interaction with the scam site.
The threat actor briefly used the account to troll Mandiant before the company regained control and
began restoration efforts. Resecurity has identified a cybercriminal group, GXC Team,
known for creating tools aiding online banking theft and social engineering.
Recently, they started selling an AI-powered tool for generating fake invoices to execute business email compromise attacks,
replacing legitimate banking details in business transactions. This tool adds to their repertoire
of fraudulent platforms, including phishing kits and payment data checkers.
Genetic testing company 23andMe has attracted criticism for its response to a major data breach the company sustained in December,
TechCrunch reports. The hackers gained initial access by brute-forcing the accounts of 14,000
customers, then gaining access to the data of 6.9 million users who had opted in to the service's
DNA relatives feature. 23andMe's response to the breach has been widely perceived as victim-blaming.
The company stated in an email to customers who are suing the company that, quote,
users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe.
Therefore, the incident was not a result of 23andMe's alleged failure to maintain reasonable security measures.
Hassan Zavareei, one of the lawyers representing victims of the breach, told TechCrunch,
23andMe knew or should have known that many consumers use recycled passwords, and thus that 23andMe should have implemented some of the many
safeguards available to protect against credential stuffing, especially considering that 23andMe
stores personally identifiable information, health information, and genetic information on its platform. And a quick program
note, we discussed the 23andMe breach on this week's Hacking Humans podcast. You can find that
wherever you get your podcasts or on our website, thecyberwire.com. Software engineer Kate Sills
has written an interesting blog post outlining how the International Criminal Court and the broader
American legal and forensics community continue to use the outdated MD5 hashing algorithm,
despite long-standing warnings against its use due to security vulnerabilities.
In law, cryptographic hashing is crucial for verifying the identity and integrity of documents,
but MD5's flaws can be exploited to create different documents with the same hash, undermining these protections.
Kate Sills makes the case that the persistence in using MD5 is due to a combination of
misunderstanding its flaws, inertia within the legal community, and a lack of awareness of better alternatives like SHA-3.
The post argues for an urgent shift to more secure hashing methods and a cultural change
within the legal sector to embrace regular technological updates for maintaining the
integrity and trustworthiness of legal processes. Tip of the hat to Metacurity's Cynthia Brumfield
for sharing this story on Mastodon.
Coming up after the break, on today's Threat Vector segment, David Moulton chats with Garrett
Boyd, Senior Consultant at Palo Alto Networks Unit 42, about the importance of internal training and mentorship in cybersecurity.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, [...] been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
Welcome to Threat Vector, a podcast where Unit 42 shares unique threat intelligence insights,
new threat actor TTPs, and real-world case studies. Unit 42 has a global team of threat
intelligence experts, incident responders, and proactive security consultants dedicated
to safeguarding our digital world. I'm your host, David Moulton,
Director of Thought Leadership for
Unit 42. In today's episode, I'm going to talk with Garrett Boyd about the importance of internal training and mentorship in cybersecurity.
Garrett is a senior consultant at Unit 42.
Garrett's security career stretches back more than a decade; he is a former Marine and professor, someone who has a long history of service.
In our conversation, we'll discuss the role internal training plays in preparing cybersecurity professionals and the importance
of mentorship. Garrett will talk about how organizations can build cultures that encourage
everyone to participate and how to use those relationships to advance careers.
Let's get right into it. Garrett, what role does internal training play in preparing cybersecurity professionals for the challenges they'll face in our industry?
Our industry is something that's ever-changing.
And so the requirement for internal training allows for this idea of getting the baseline from zero to at least knowledgeable. So that way,
every single person is a proactive member of the team. Without it, it's a race to try and put
letters together, squares to squares, circles to circles. How does mentorship within an organization
contribute to the professional growth and development of individuals pursuing a cybersecurity career? I think that mentorship, and when we're talking about mentorship, we're talking about a
dedicated relationship. It's not just the supervisor-supervisee relationship. We're
talking about true mentorship where someone is challenging individuals and the individual is
working to meet, rise to the challenge. That kind of professional growth is something that we really want every organization to have.
Because without that, you have drones that are not innovating.
They're not thinking about the next step or the next threat in our case.
And so we see things like SolarWinds or the Exchange vulnerabilities that happened over the last couple of years.
And if people aren't challenged to meet those threats and challenged to find ways to defend against them and to recognize them,
then we just have people that are there just waiting for an event to happen and they do the bare minimum.
That challenge, that mentorship allows them to think beyond
that initial triage and to think beyond and see the threats that are coming or the patterns
that are associated.
How can organizations create a culture that encourages both experienced and junior cybersecurity
professionals to participate in those mentorship programs that you talk about?
Organizations, just this has to be, that mentorship has to be something that is prevalent and almost a requirement. It can't be something that, oh, we'll get to it in the future. We have to be able to look for it and
process it. And just this, again, I mentioned challenge in the last question, but
if it's not part of that normal everyday culture, then the junior employees who are new to the
career, new to the industry, really don't have the wherewithal to know what's going on. And so
the experienced individuals are the ones with the knowledge. They're the
keeper of the keys. It's their responsibility to share that knowledge or we end up in a
just continual cycle that there's not enough professionals out there.
What advice would you give to aspiring cybersecurity professionals who want to
make the most of internal training and mentorship opportunities to advance their careers? I firmly believe that it is the responsibility of those
that have knowledge to share knowledge. But on the flip side, it is the responsibility of those that
need leadership, that need more training, that need that mentorship to go and ask for it.
Garrett, when you think about the times that you've mentored someone, can you tell me what
you got out of those relationships?
The thing that I think I've ever gotten from my mentorship is how to communicate complex
issues in a way that is digestible by those who don't quite understand or have the same
education level as I do.
I can specifically think of an instance of just trying to explain
a kind of a complex case and being able to redirect it and present it in a way that they're
like, okay, cool, I understand. Think back on the times that somebody has mentored you.
Is there a moment that really stands out?
I was in the military years ago, and I remember getting promoted.
And one of the Marines I had at the time just being completely obstinate.
And after a little bit of a row with the individual,
I was pulled aside by probably one of my best friends now,
but at the time was my senior enlisted leader
and pulled me aside and he taught me,
hey, you praise in public and you punish it in private.
And while I wasn't punishing this individual,
I was definitely giving it a nice little chewing out time.
But if someone does something that's good,
you tell the world about it.
So that way they feel emboldened to be innovative and continue their good work.
That is the role of a mentor.
That's what he did for me.
What's the one thing you want our listeners to remember from this conversation?
No one else is responsible for you.
You're responsible for yourself.
If you want leadership, if you want mentorship, you should go and get it. Ask somebody,
talk to them. And if they say no, ask the next person. There are individuals like myself and
that want to share their information and they're more than willing to give their time. Unit 42 is
full of people like this. There's not, I can reach, I can think of like just looking at my
direct message list. All of them are individuals I've reached out to about something
and they've given me an hour of their time.
No one, for the most part, no one's going to say no
because we all remember being new.
So you are responsible for your knowledge.
Garrett, thanks for sharing some of your own experiences and the value you gained from mentorship, along with your insights on how mentorship and training fosters innovation
and prevents stagnation.
You've described mentorship as a dedicated, challenging relationship beyond the usual
supervisor-supervisee dynamic.
I would love to hear from our guests about how mentorship has accelerated their careers.
You can send me a note at threatvector at paloaltonetworks.com. We'll be back on the
CyberWire Daily in two weeks. In the meantime, stay secure, stay vigilant. Goodbye for now.
That's Palo Alto Networks' David Moulton and Garrett Boyd, senior consultant at Palo Alto Networks Unit 42.
[...] with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker
is a full suite of solutions designed to give you total control, stopping unauthorized applications,
securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And finally, our international hijinks desk reports that a holiday display in Novgorod,
Russia, was altered so that instead of spelling
out Happy New Year, it displayed Glory to Ukraine. Police confiscated the LED display and charged the
owners of the apartment with public actions aimed at discrediting the use of the armed forces of the
Russian Federation. The Record explains the wayward messaging as a firmware
exploit developed in Ukraine during December and subsequently distributed to users of the
decoration in Russia. The message was designed to switch at the stroke of midnight on New Year's
Eve. It's hard luck for the hapless consumer, who, after all, must now appear in court after doing nothing more subversive than setting up an apparently innocent holiday sign that switched from holiday cheer to geopolitical jeer.
And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
A quick reminder that as you are setting new goals to boost your brand across the industry,
we'd love to help you achieve those goals.
We've got some unique opportunities complete with special incentives for 2024.
So tell your marketing team to reach out.
Send us a message to sales at thecyberwire.com or visit our website so we can connect
about building a program to meet your goals.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
We're privileged that N2K and podcasts like The Cyber Wire
are part of the daily intelligence routine
of many of the most influential leaders and operators
in the public and private sector,
as well as the critical security teams supporting the Fortune 500
and many of the world's preeminent intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence optimizes the value
of your biggest investment, your people.
We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester with original music by Elliot Peltzman.
Our executive producers are Jennifer Iben and Brandon Karp.
Our executive editor is Peter Kilby and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
[...] uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps
tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.