CyberWire Daily - Scattered Spider hacker snagged in Spain.
Episode Date: June 17, 2024

Spanish authorities snag a top Scattered Spider hacker. HC3 issues an alert about PHP. WIRED chats with ShinyHunters about the breach affecting Snowflake customers. Meta delays LLM training over European privacy concerns. D-Link urges customers to upgrade routers against a factory installed backdoor. A new Linux malware uses emojis for command and control. Vermont’s Governor vetoes a groundbreaking privacy bill. California fines Blackbaud millions over a 2020 data breach. Guest Patrick Joyce, Proofpoint's Global Resident CISO, sharing some key challenges, expectations and priorities of chief information security officers (CISOs) worldwide. N2K’s CSO Rick Howard for a preview of his latest CSO Perspectives podcast episode on The Current State of XDR: A Rick-the-Toolman episode. Be sure to change those virtual locks.

Our 2024 N2K CyberWire Audience Survey is underway, make your voice heard and get in the running for a $100 Amazon gift card. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Guest Patrick Joyce, Proofpoint's Global Resident CISO, sharing some key challenges, expectations and priorities of chief information security officers (CISOs) worldwide. You can learn more from their 2024 Voice of the CISO report.

CSO Perspectives
Dave is joined by N2K’s CSO Rick Howard for a preview of his latest CSO Perspectives podcast episode on The Current State of XDR: A Rick-the-Toolman episode. You can find the accompanying essay here. If you are not an N2K CyberWire Pro subscriber, you can catch the first half of the episode as a preview here.
Selected Reading
Alleged Scattered Spider ringleader taken down in Spain after law enforcement crackdown (ITPro)
US HC3 issues alert on critical PHP vulnerability impacting healthcare sector (Industrial Cyber)
Hackers Detail How They Allegedly Stole Ticketmaster Data From Snowflake (WIRED)
Meta Pauses European GenAI Development Over Privacy Concerns (Infosecurity Magazine)
Hidden Backdoor in D-Link Routers Let Attacker Login as Admin (GB Hackers)
New Linux malware is controlled through emojis sent from Discord (Bleeping Computer)
Vermont governor rejects state’s tough data privacy bill (The Record)
Blackbaud must pay $6.75 million, improve security after lying about scope of 2020 hack (The Record)
Former IT employee gets 2.5 years for wiping 180 virtual servers (Bleeping Computer)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Spanish authorities snag a top Scattered Spider hacker. HC3 issues an alert about PHP. WIRED chats with ShinyHunters about the breach affecting Snowflake customers. Meta delays LLM training over European privacy concerns.
D-Link urges customers to upgrade routers
against a factory-installed backdoor.
A new Linux malware uses emojis for command and control.
Vermont's governor vetoes a groundbreaking privacy bill.
California fines Blackbaud millions over a 2020 data breach.
Our guest is Patrick Joyce, Proofpoint's global resident CISO,
sharing some key challenges, expectations, and priorities of CISOs worldwide.
Our own CSO Rick Howard joins us for a preview of his latest CSO Perspectives podcast,
The Current State of XDR, a Rick the Toolman episode.
And be sure to change those virtual locks.
It's Monday, June 17th, 2024. I'm Dave Bittner, and this is your Cyber Wire Intel Briefing.
Spanish authorities, with assistance from the FBI, have arrested 22-year-old Tyler Buchanan,
a key figure in the Scattered Spider hacking group,
notorious for attacking organizations like MGM Resorts, Twilio, and Apple.
Buchanan was apprehended in Palma de Mallorca while attempting to fly to Italy.
He controlled $27 million in Bitcoin at the time.
This marks the second major arrest of a Scattered Spider member in 2024,
following Michael Noah Urban's earlier capture.
Despite these successes, experts warn that the group's decentralized nature
means they are likely to continue their activities with new leaders ready to step in.
The Health Sector Cybersecurity Coordination Center, HC3,
of the U.S. Department of Health and Human Services,
has issued an alert about a critical vulnerability in PHP affecting healthcare systems. This remote code execution flaw impacts PHP versions on Windows from version 5 through 8.3.8.
The vulnerability allows attackers to execute arbitrary code
when PHP is configured for CGI interaction, posing significant risks to servers.
Discovered on May 7th of this year, the flaw stems from an old argument injection bug.
Researchers recommend updating PHP to the latest version
or applying a mod_rewrite rule for unsupported versions. Despite recent detection, exploitation
attempts are already occurring. HC3 emphasizes the need for robust cybersecurity measures,
training, and utilizing resources like CISA's Cyber Hygiene Vulnerability Scanning Services.
In a piece for Wired, Kim Zetter describes how hackers, including the ShinyHunters group,
breached Ticketmaster and other Snowflake customers by first compromising EPAM Systems,
a Belarusian-founded contractor. Wired spoke with an individual claiming to be a member of ShinyHunters through a text chat.
In the breach, about 165 accounts were affected, including Ticketmaster and Santander,
with stolen data involving millions of sensitive records.
The vulnerability stemmed from an EPAM employee's infected computer,
allowing hackers to access credentials stored in a project management tool.
Despite EPAM's denial, evidence suggests hackers used these credentials
due to the lack of multi-factor authentication on Snowflake accounts.
Snowflake is now working to mandate MFA for all users.
Meta has delayed training its large language models using public content from
Facebook and Instagram due to privacy concerns raised by the Irish Data Protection Commission.
The DPC's request follows concerns over using public posts and comments. Meta expressed
disappointment, calling it a setback for AI innovation in Europe but affirmed compliance with European
laws. The pause affects the launch of Meta AI in Europe. Meta plans to collaborate with the DPC
and the UK's Information Commissioner's Office to address these privacy concerns.
Regulators welcome the delay, emphasizing the importance of safeguarding privacy rights in AI development.
A critical vulnerability in several D-Link routers allows unauthenticated attackers to gain
administrative access. With a CVSS score of 8.8, this issue stems from a factory testing backdoor.
Attackers can enable Telnet and obtain admin credentials. D-Link has released
firmware updates. Users should promptly update to secure their devices. A newly discovered Linux
malware, DISGOMOJI, that's disco with a G, uses emojis to execute commands on infected devices targeting Indian government agencies.
Found by Volexity and linked to Pakistan-based UTA0137,
the malware is part of a successful cyber espionage campaign.
DISGOMOJI stands out for using Discord and emojis as its command and control platform,
potentially bypassing text-based
security filters. It executes commands, takes screenshots, steals files, and deploys additional
payloads. The malware targets a custom Linux distribution used by Indian agencies but can
affect other Linux systems. It maintains persistence via cron jobs and spreads laterally,
stealing data and credentials. Vermont Governor Phil Scott vetoed a consumer privacy bill that
would have allowed individuals to sue companies for data privacy violations. The legislature may
override the veto with a two-thirds vote. If passed, Vermont would join a few other states with
strong data privacy rights. Scott cited the private right of action as risky and burdensome
for businesses. The bill also includes a kids' code for online privacy for minors.
Attorney General Charity Clark criticized the veto, highlighting the bill's extensive
development process. Scott urged
adopting Connecticut's privacy model, which privacy advocates find weak. Bill sponsor Monique Priestley
criticized the veto and tech industry's influence, while the Chamber of Progress, a progressive tech
industry coalition, defended the veto, citing constitutional concerns. Software firm Blackbaud will pay a $6.75
million fine and improve data security and breach notification practices after a May 2020 hack,
per California Attorney General Rob Bonta. The company, serving over 45,000 organizations,
misled consumers about the breach's impact,
initially denying there was access to personal data.
However, Blackbaud knew by August 2020 that sensitive data,
including social security and bank account numbers, were compromised.
The complaint from California noted poor security practices, allowing the hackers prolonged access. The settlement,
consistent with agreements in other states, requires Blackbaud to enhance security measures,
delete unnecessary data, and improve breach response protocols.
The FTC also mandated comprehensive security improvements.
Coming up after the break, my conversation with Patrick Joyce, global resident CISO at Proofpoint.
Our own CSO Rick Howard joins us for a preview of his latest CSO Perspectives podcast, The
Current State of XDR, a Rick the Toolman episode.
Stay with us.
Patrick Joyce is Global Resident CISO at Proofpoint,
and I recently caught up with him for insights on some of the key challenges,
expectations, and priorities of chief information security officers worldwide.
You know, we've done this now for three to four years.
I think it's four.
And it's interesting.
When you look at the history of it, we've tried
to keep consistent in our questions, always adding a few things, but really trying to get the
perspective of practicing operational CISOs in their career, in the space that they work,
in the things they think about or are concerned about, really just kind of gauge where they are. And we've grown
the size of that audience or the size of that pool of participants over the years.
And it's getting to be pretty meaningful. When you look at 1,600 practicing CISOs across the globe,
you start to get a bigger feeling for where people really are at with regard to the threat environment
and everything else.
Well, let's go through the report together here.
I mean, what are some of the things that really caught your attention?
Well, I guess it caught my attention, and that's a little bit surprising.
You know, one of the things that was interesting is, not surprising, is human error is still
probably the number one vulnerability area that concerns CISOs.
What that means is people making mistakes, people maybe clicking on things they shouldn't click on,
taking information they shouldn't take, those sorts of things.
Some is intentional, some is unintentional.
But the whole aspect of the human error and human interaction being the leading cause of a lot of
cyber vulnerabilities is not new, but it's still number one in terms of people's concern.
Like 74% of the survey this year indicated they had that concern. So with that, one of the things
that did surprise me was that, you know, CISOs obviously fear cyber attacks.
They feel more prepared is probably the way to put it.
They have a growing confidence in the security measures that they've taken, and they feel better about where they are.
It doesn't mean that the attacks are going to go away.
What it means is they feel like they're in a better position to deal with them.
And that was probably the thing that jumped out at me as the most interesting in the report.
Where do we stand in terms of attitudes toward things like ransomware?
Oh, still ransomware and malware.
I mean, you have to put the two together because the malware causes the ransomware.
Still is the top concern for CISOs. Because when you think about it,
they want to be able to take proactive measures
to protect their environments.
And they can take all kinds of proactive measures.
But in the end, if an attack is successful
from a malware standpoint,
if a bad actor is able to gain control of a system
or access or credentials, et cetera,
then they're kind of off to the races
and they have less control over those things.
And now they have to mitigate that risk
or mitigate that actual situation,
perhaps recover from an outage,
perhaps recover from data loss.
So it's still way up there in terms of the concern
because it can shut down enterprises,
it can shut down organizations
and have significant impact on financials and operations and people for that matter. You know, I'd be
remiss to not ask you about the hot topic these days, which of course is AI. How are CISOs reacting
to this new reality here? Well, you know, we actually wrote this in a report earlier this year.
It really is a double-edged sword.
It promises to be a great benefit.
I mean, organizations like Proofpoint
have been using AI for years in our algorithms,
in our products to detect and prevent attacks
in malicious activity.
I think what you're referring to is generative AI or the ability of
individuals to interact with AI. And I think that's probably one of the greatest concerns
CISOs have is that, you know, hey, this is going to allow the bad guys to operate more effectively.
I think somebody said it's going to turn the JV team into the varsity team or the college into the pros because it covers up a lot of sins.
So from a bad guy perspective, it's a concern because it makes them look better.
They can generate code faster.
They can do things more effectively, no different than good guys can do with AI.
The good thing for Proofpoint is that we're able to leverage and continue to leverage AI
to prevent the bad things from happening. So when I say it's a double-edged sword, it really is.
It's not going away. I mean, it's the buzzword of 2023, 2024. And it's going to become,
it's becoming common lexicon, no different than cloud and mobile were a few years ago.
What about the CISOs' relationship
with the other leaders in an organization? You know, when they have to go in and make their
case to the board, did this year's report have any insights on where that's headed and how that's
going? Yeah, I think relationship-wise across the C-suite is still strong. And CISOs are being treated more like they're members of that leadership team.
They're expected to drive a lot of business activity and have a voice in business decisions,
especially when it comes to merger and acquisition and divestiture and other sorts of things.
The security expertise is crucial in those kind of decision makings across the business.
But the question that's always been there is what the report revealed this year was that
that board to CISO relationship has really improved. This year, 84% of the CISOs agreed
that their board members basically see eye to eye with them on cybersecurity issues. That's a huge jump. It was 62% last year and 59% the year
before. So 84% up from 62% in one year is a huge jump. You know, what's interesting, though, is
there's still lots of decisions and lots of positions on resource utilization. And I think
a lot of CISOs are struggling, and they continue to say they're struggling with being able to,
you know, get permission to backfill people who have left or being able to have the budgets that they need to effectively control their environment.
So just because the relationships are maybe better or they're perceived to be better, there's still resource constraints and concerns.
And that's true, of course, in any part of any business.
But when it comes down to being able to protect the entire enterprise,
those are challenges that CISOs have to deal with.
I'm curious what your sense is in the overall tone of the people responding to your questions here.
I mean, is there a sense of optimism out there?
I think there's cautious optimism, but there's still a lot of pressures on the CISO.
We said in the report that the pressures really are kind of unrelenting.
In this year's report, 53% of the CISOs admitted to burnout compared to 60% last year.
So that sounds better, but they still feel that they are facing excessive expectations in their role, changes in their role, and that's up
to 61%, up from 49% the year before. So the burnout percentage might be a little bit less
year over year, but the excessive expectations is high, the changing environment is high,
you throw on that the budget aspect and the headcount thing I just talked about,
you throw in the changing environment, you throw in AI,
and then on top of that, you throw in the regulatory, both current and anticipated regulatory demands on the role.
And it's a lot.
It's a lot for CISOs to carry.
You know, when I look at a report like this, one of the things that comes to mind is that if I'm out there and I'm a CISO,
I can read through a report like this and be reassured that I'm not alone, that there are other people out there who are feeling a lot of the same things that I'm feeling and facing some
of the same challenges that I'm facing. I'm curious, based on the information that you've
gathered here, are there any general takeaways or words of wisdom to share with CISOs?
Well, I think what CISOs would do,
to your point,
CISOs are not in competition with each other.
And they talk about this.
And there is a collective ecosystem
of support across CISOs.
And there is the ability to benchmark and share.
I know myself in my prior role as the CISO and CSO at Medtronic, I worked regularly with peers across multiple industries to share information.
And we encouraged our staffs to do that as well.
So the good news is there isn't a feeling of competition or "I have a secret." In contrast to that, it's actually the sharing of information, the ability to help others become better and keep bad things from
happening to them. So I think if you look at it from a broader support system for CISOs,
it's strong at a CISO to CISO level. And they feel that support. And I feel that when I talk to them on a regular basis.
There's no competition.
That's Patrick Joyce, Global Resident CISO at Proofpoint.
And it is always my pleasure to welcome back to the show Rick Howard.
He is N2K CyberWire's Chief Security Officer and also our Chief Analyst.
Rick, good to have you back.
Hey, Dave.
So the audience has spoken and they are excited to have CSO Perspectives back in their favorite podcast app after a long break.
So what do you got in store for us this week, Rick?
Yeah, it's like getting back in the saddle.
We're on episode two of this season, right?
I've forgotten how to do all those things.
Yeah.
This week, we're talking about a favorite topic of mine.
It's called, it's a new tool.
It's a relatively new cybersecurity tool called XDR.
Are you familiar with it, Dave?
Yeah, I mean, it was the, I want to say,
year before this most recent RSA conference, it was the hot phrase on everybody's lips, right?
Yeah, it stands for Extended Detection and Response.
And, you know, Gartner, two years ago, put it on just rising to the peak of inflated expectations because it was brand new.
Right.
And last year, they put it on the backside of that peak and they start to lose faith in technology because the vendor offerings don't really match what the hype was, right?
And what I'm saying is I don't want you to lose hype because I think this is going to be a big thing for everybody.
Do you know how it works?
That's the reason I love it is the way they go about their business. Yeah, well, I mean, give us the rundown here.
Well, before XDR, the way we tracked bad guys is we would collect log files in SIEM tools.
And, you know, analysts, SOC analysts would spend their lives, you know, sifting through all that
hay to find needles. And for 20 years, that was the way to do it.
XDR changed that process.
Instead of sending log files to a big SIEM database,
the XDR tool itself uses APIs to connect to the systems itself, right?
And then you're not just limited to the log files
the security tool spits out.
You can grab pretty much anything that you think
is useful, which that's kind of a minor change, right? And then people say, well, that's really
a technical nerdy detail, Rick. But here's the thing. It allows us now, because we are connecting
to APIs, you can send stuff back the other way, all right? So if you've decided that you do not
have the right security control for Wicked
Spider, you don't have to go through a manual process of going to every piece in the security
stack, all right, and implementing that control. You can do it right through the API. And the reason
I love this, okay, it goes to our first principle thinking here at the CyberWire. All right. This
will give us, it will make it a lot easier to automate
things in the future. So this whole show talks about the history of all that and why I think
it's so important. And it's a pretty decent show. Yeah. What's the transition been like? I mean,
you sort of alluded to it, how, you know, things either capture the imagination of folks or, dare I say, the marketing folks get their grips on it.
And so it becomes hard to separate the hype from the reality for folks who have adopted this.
Are they finding that it's been a good transition?
Well, that's why Gartner is racing down the backside of the peak towards the trough of disillusionment.
Yeah.
The big promise of XDR is that you can connect to any security device in your security stack, not just one vendor, but all the vendors.
But what's happened so far is most of the vendor offerings only work with their own product set, you know, like the big platform players,
right?
And so that's a little disillusioning.
It'll get better as we go forward.
But the big promise that we thought we were going to get was that when it was introduced
back in 2018, we thought we were just going to dump all that data into a big data lake,
you know, and run machine learning algorithms on it and find bad guys.
No, we're not finding bad guys.
We're finding anomalies, you know, more hay in the haystack,
but we haven't found new instances of, you know,
some wicked spider or something like that.
So it has a way to go before we get to that nirvana,
but it has all the promise and I expect it to come true. And Gartner says
five to 10 years before it reaches the peak of productivity as they lay it out.
Huh. Okay. Well, hopefully it won't be like, what is it? Fusion energy that's always 20 years old,
no matter when you ask. Or quantum or the singularities.
All the things that are going to solve all of our problems.
Any day now.
And flying cars, Dave.
Flying cars.
There you go.
There you go.
Oh, Rick, it's so hard not to be cynical.
All right.
Well, the show is CSO Perspectives, and you can find it right here on the N2K Cyber Wire
Network or wherever you get your favorite podcasts.
Rick Howard, thanks so much for joining us.
Thank you, sir.
And finally, Nagaraju Kandula, a former quality assurance employee at National Computer Systems in Singapore, was sentenced to over two years in prison for deleting 180 virtual servers after being fired.
In a vengeful spree, Kandula caused $678,000 in damages by using his still-active credentials. Fired for poor performance in November of 2022, he accessed NCS systems
multiple times, testing and ultimately executing a server wiping script in March of 2023.
His actions were traced back to him via his IP address
and Google search history on how to delete virtual servers.
Though no sensitive data was compromised,
the incident underscores the critical need for companies
to promptly revoke access for terminated employees.
NCS learned the hard way that neglecting this basic security step can lead to costly and
disruptive consequences. So remember, friends, always change the locks when someone leaves.
And that's the Cyber Wire. For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast,
where I contribute to a regular segment
on Jason and Brian's show every week.
You can find Grumpy Old Geeks
where all the fine podcasts are listed.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights that keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like the Cyber Wire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector,
as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and
law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest
investment, your people. We make you smarter about your teams while making your teams smarter.
Learn how at n2k.com. This episode was produced by Liz Stokes. Our mixer is Trey
Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer
Iben. Our executive editor is Brandon Karp. Simone Petrella is our president. Peter Kilby
is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.