CyberWire Daily - Sentenced to hospital detention.

Episode Date: December 22, 2023

A Lapsus$ hacker is sentenced to hospital detention. Online ads and phishing drain crypto wallets. Cyberespionage continues. LockBit and ALPHV say they want to form a ransomware cartel. The 8220 gang's cryptojacking. DarkGate RAT's propagation. The evolution of Bandook. A prominent title insurance company takes systems offline. Rick Howard speaks with guests John Goodman & Amanda Satterwhite of Accenture Federal Services about the launch of a public sector Cybersecurity Center of Excellence. And Trump’s Dumps lead to BidenCash.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
N2K’s Rick Howard talks with guests John Goodman & Amanda Satterwhite of Accenture Federal Services about the launch of a public sector Cybersecurity Center of Excellence in conjunction with Google.

Selected Reading
The infamous GTA VI hacker has been convicted - and the story is simply absurd (IT Pro)
Crypto drainer steals $59 million from 63k people in Twitter ad push (Bleeping Computer)
Threat Actor 'UAC-0099' Continues to Target Ukraine (Deep Instinct)
‘Today FBI Got Him, Tomorrow They Will Get Me’: LockBit, BlackCat Unite to Form Cyber Cartel (The Cyber Express)
Imperva Detects Undocumented 8220 Gang Activities (Imperva)
BattleRoyal, DarkGate Cluster Spreads via Email and Fake Browser Updates (Proofpoint)
Bandook - A Persistent Threat That Keeps Evolving (Fortinet)
First American takes IT systems offline after cyberattack (Bleeping Computer)
BidenCash darkweb market gives 1.9 million credit cards for free (Bleeping Computer)
BidenCash (Searchlight Cyber)
Russia Seizes Ferum, Sky-Fraud, UAS, and Trump’s Dumps—and Signals More Takedowns to Come [Updated] (Flashpoint)

Share your feedback. We want to ensure that you are getting the most out of the podcast.
Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. A Lapsus$ hacker is sentenced to hospital detention. Online ads and phishing drain crypto wallets. Cyber espionage continues. LockBit and ALPHV say they want to form a ransomware cartel.
Starting point is 00:02:15 The 8220 gang's cryptojacking. DarkGate RAT's propagation. The evolution of Bandook. A prominent title insurance company takes systems offline. Rick Howard speaks with guests John Goodman and Amanda Satterwhite of Accenture Federal Services about the launch of a public sector cybersecurity center of excellence. And Trump's Dumps lead to BidenCash. It's Friday, December 22, 2023.
Starting point is 00:03:15 I'm Dave Bittner, and this is your CyberWire Intel Briefing. Arion Kurtaj, an 18-year-old hacker associated with the infamous Lapsus$ group, has been sentenced to an indefinite hospital order after a series of high-profile cyberattacks, including a significant leak from the highly anticipated Grand Theft Auto 6 game. Alongside a younger accomplice who remains unnamed due to legal protections for minors, Kurtaj faced a six-week trial at Southwark Crown Court, where their guilt was established. The Lapsus$ group, described as digital bandits in court, has been involved in various attacks targeting entities from the Brazilian Ministry of Health to major corporations like NVIDIA, Uber, and BT Group. These teens, mainly based in the UK and Brazil, have caused an estimated $10 million in damages through their coordinated cyber attacks,
Starting point is 00:04:02 which include attempts to extort a $4 million ransom from BT using exfiltrated data. Notably, Kurtaj continued his hacking spree even while under police custody, managing to compromise Rockstar Games and exfiltrate 90 clips and the source code of the unreleased Grand Theft Auto 6. He executed these attacks from a Travelodge hotel using a hotel TV, mobile phone, and Amazon Fire Stick. His brazen actions, including a threat to release the source code unless contacted within 24 hours, led to his arrest and eventual sentencing.
Starting point is 00:04:42 Judge Patricia Lees deemed Kurtaj unfit for a traditional trial due to his autism, but recognized him as a high risk to the public due to his advanced hacking skills and determination to continue cybercrime activities. As a result, Kurtaj will reside in a secure hospital until a mental health tribunal assesses him fit for release. This sentence reflects the court's understanding of both his mental health needs and the serious threat his capabilities pose. Google and Twitter ads are being used to promote phishing sites featuring a cryptocurrency drainer named MS Drainer, which has already stolen $59 million from over 63,000 victims in nine months. Researchers at Scam Sniffer identified over 10,000 phishing websites utilizing MS Drainer,
Starting point is 00:05:34 with notable spikes in activity throughout 2023. The drainer deceives users into approving malicious contracts on seemingly legitimate websites, allowing attackers to transfer funds from victims' wallets. Ads on Google and X (Twitter), including those from verified accounts possibly compromised by malware, have significantly contributed to the spread and success of these phishing campaigns. Users are advised to exercise extreme caution with cryptocurrency-related ads and thoroughly vet new platforms. Deep Instinct reports ongoing cyber espionage by UAC-0099 against Ukraine, exploiting a WinRAR vulnerability typically through bogus court documents. This actor uses simple but effective tactics involving PowerShell and VBS files,
Starting point is 00:06:27 with newer WinRAR versions being immune. While suggestive of Russian involvement, no formal attribution is given. Concurrently, the Cloud Atlas group is targeting Russian entities with phishing campaigns, exploiting a known Microsoft Office vulnerability. Both campaigns exemplify persistent cyber espionage activities in the region, with state direction suspected but not confirmed. After the FBI-led takedown of the ALPHV/BlackCat dump site, the Cyber Express reports that ALPHV and LockBit are discussing forming a cartel
Starting point is 00:07:05 as a strategy for criminal survival and resistance against law enforcement. Citing the need for unity in the face of international law enforcement collaboration, they propose banding together. However, it's uncertain whether this will make them stronger or just a bigger target. Meanwhile, the global community and law enforcement continue their pursuit of these cybercriminals. Researchers at Imperva have identified the 8220 Gang, a cybercriminal group from China, exploiting a vulnerability in Oracle WebLogic Server to install cryptojacking malware. By combining this with using compromised credentials,
Starting point is 00:07:45 they execute code and deploy malware. The 8220 Gang employs gadget chains to load XML files and execute OS commands. They're primarily targeting healthcare, telecommunications, and financial services in the U.S., South Africa, Spain, Colombia, and Mexico. Proofpoint is monitoring a malware operator known as BattleRoyal, which notably began exploiting a Windows SmartScreen vulnerability before Microsoft disclosed it.
Starting point is 00:08:15 The initial campaign, detected on October 2nd of 2023, utilized multiple traffic delivery systems, specifically 404 TDS and Keitaro TDS. Despite variations in the attack chain, .URL files exploiting the SmartScreen flaw were a consistent element in all campaigns by this actor. Fortinet has identified a new variant of the Bandook remote access Trojan, emerging in October and spreading through shortened URLs in PDF files. Despite a large number of commands for C2 communication
Starting point is 00:08:52 with the malware, its actual payload performs fewer tasks. This discrepancy is due to multiple commands being used for single actions, some calling functions in other modules and others solely responding to the server. First American Financial Corporation, a major U.S. title insurance company, took some systems offline to manage a cyber attack. The incident led to their official website being taken down, with the company working to resume normal operations. This incident follows a May 2019 breach,
Starting point is 00:09:26 which exposed the personal and financial data of many individuals due to a vulnerability in their EaglePro application. The California-based company, with a history dating back to 1889, recently paid a $1 million penalty for the 2019 breach, underlining the serious implications of cybersecurity lapses in handling sensitive data. Coming up after the break, Rick Howard speaks with guests John Goodman and Amanda Satterwhite of Accenture Federal Services about the launch of a public sector cybersecurity center of excellence.
Starting point is 00:10:08 Stay with us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist.
Starting point is 00:10:46 Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Starting point is 00:11:40 Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. Accenture is a global professional services firm that provides consulting, technology, and outsourcing services to clients in various industries. I got to sit down with two of its leaders that service the U.S. federal government,
Starting point is 00:12:28 Amanda Satterwhite, the lead for Federal Cyber Growth Strategy, and the CEO of the federal business, John Goodman. We got to talking about these relatively new organizational constructs called Centers of Excellence, or COEs, that have been around for 30 years or so and probably originated from the manufacturing sector. But the tech world started adopting similar ideas that came from that world, like running lean teams and Kanban boards and technical debt. And Accenture has built two COEs to help the U.S. federal government, one for cybersecurity and one for artificial intelligence.
Starting point is 00:13:04 I started out by asking John to explain just what a center of excellence does in the general case. Well, a center of excellence brings together the relevant experts and professionals who are focused on solving problems in a particular area and seeks to focus attention, insight, resources to solve problems. In this case, in cyber, what we are doing is bringing together our professional services experts with Google Mandiant's threat intelligence capabilities and experts to directly solve one of the most challenging issues facing our clients in the federal government today. A center of excellence is a way to organize experts to
Starting point is 00:13:54 ensure that we're focused on solving the most significant important problems. So Amanda, Accenture Federal Services has launched this new Cybersecurity Center of Excellence. This is a service directed at the federal government. Why does the federal government need a cybersecurity center of excellence? By expanding the alliance between these two organizations, we bring best of breed technologies from both Mandiant, so their tech intelligence platform, as well as Google's, the cloud AI power security tools. And then you overlay that with the Accenture Federal's human-centered cyber capabilities that have always been focused towards federal mission. You wrap that together, and now you're bringing kind
Starting point is 00:14:38 of the ultimate cybersecurity services to help our federal agencies not only detect threats a lot faster, but also to be able to respond to those types of threats a lot quicker. How is that different from how we've been doing it? We've been doing cybersecurity for 30 years. What does the Cyber Center of Excellence bring to the table? So one thing that is different about it is we're bringing proven technology that's used in the commercial world, and we're tailoring it for mission, and we're right-fitting it for mission. And we found that our government clients absolutely are interested in using some consumer-grade technologies, but they need the expertise from Accenture Federal to be able to tailor it and to be able to position it and integrate it for mission use. So, John, I think that's right, because most people, when you think about big government like U.S. government, you think lots of resources to throw at this, but in reality, most of the U.S. government,
Starting point is 00:15:40 they run like small startups, right? They don't really have the expertise to do all the things that we're talking about here. Honestly, I think every large organization in the United States, if not the world, faces multiple threats from cybersecurity, whether it's ransomware, which we've seen numerous examples in the commercial sector, or direct attacks by state and non-state actors for purposes of everything
Starting point is 00:16:08 from intelligence gathering to accessing intellectual property to more pernicious types of attacks. So I don't think the federal government is alone in that respect by any means. And access to top skilled cyber resources is also a challenge faced in both the private sector and in the public sector. So in this area and in others, organizations are reaching out for access to work with partners who are very focused in those areas and can bring them skills that they would have trouble using on a full-time basis. So in this case, what we're doing is bringing together the Accenture and Google Mandiant combined capability because none of us can do alone what both of us can do together. So Amanda, you guys launched the Federal Generative AI Center of Excellence earlier this year.
Starting point is 00:17:05 Clearly, you guys think that there's something to this COE model. Is there going to be some sort of overlap between the two? Because we're all talking about both those things together. How are you guys handling that inside Accenture? Anything we do, you're going to see a convergence of security applied to name your next technology. And so it's no different in preparing your government clients to invest in AI securely and responsibly. And so whether it's preparing them with their data security strategies, helping them with technology vetting across the entire new AI ecosystem, or even building the next human in the loop and human capital and workforce
Starting point is 00:17:47 planning that allows us to align the best security experts along with those data scientists to help our federal clients really adopt and support strategies that support a better mission outcome. It's funny you say that because I was talking to a friend of mine, Steve Winterfeld. He's a regular here at the CyberWire. He said, you know, a year ago, there was no job description for prompt engineer. with large language models to be able to generate solutions suggests much faster than can be done by humans. And if you tie this in with the human resource shortage in cyber, any part of the cyber mission that can be addressed automatically through generative AI gives your cyber experts more time to focus on newer, more challenging issues. That was Amanda Satterwhite, the lead for Federal Cyber Growth Strategy,
Starting point is 00:18:50 and John Goodman, the CEO of the federal business at Accenture. Thank you. With TD Direct Investing, new and existing clients could get 1% cash back. Great! That's 1% closer to being part of the 1%! Maybe. But definitely 100%
Starting point is 00:20:04 closer to getting 1% cash back with TD Direct Investing. Conditions apply. Offer ends January 31st, 2025. Visit TD.com slash DI offer to learn more. And finally, the BidenCash criminal marketplace is giving away 1.9 million stolen credit cards for free as a marketing ploy, BleepingComputer reports. The cards include numbers, expiration dates, and CVVs. While the validity of the dataset is unconfirmed, BleepingComputer notes that given the platform's history of providing genuine data in previous releases, it seems improbable that the shop would risk tarnishing its reputation with a fake pack. BidenCash, despite its name and the smiling face of Joe Biden
Starting point is 00:20:59 it displays on its page, is not related to the U.S. president. According to Searchlight Cyber, the name is a jokey riff on a predecessor criminal market that called itself Trump's Dumps, which went offline after it was raided in early February 2022. As Flashpoint reported at the time, the illicit service was taken down by, of all people, Russian law enforcement authorities. January and early February of 2022 saw a false dawn of Russian gestures toward legality in cyberspace. Those gestures ended on February 24th when Russia invaded Ukraine. Since then, it's been all privateering all the time. Trump's Dumps had, of course, no more to do with Mr. Trump than BidenCash
Starting point is 00:21:46 does with Mr. Biden. BidenCash launched shortly after Trump's Dumps hit the law enforcement bumps. So not a Joe, nary even a Hunter, just sleazy carders shilling fools to some punter. And that's the CyberWire. For links to all of our stories, check out our show notes at thecyberwire.com. A program note, this is our last CyberWire Daily podcast for 2023. We'll be taking some time off for a long winter's nap, but we'll be back in your podcast feed with new episodes starting January 2nd. Over the break, we'll be running encore episodes of some of our favorite shows. Longtime listeners are familiar with the list of names we credit at the end of every program. This episode was produced by Liz Irvin, who works hard behind the scenes, making sure we all have the things we need to
Starting point is 00:22:45 bring you this show every day. Our mixer is Tré Hester, who masterfully and patiently makes sure that everyone who steps up to the mic sounds their very best and fills in for me as host when I'm unavailable. Our original music is by Elliott Peltzman, who's not just a brilliant composer and musician, but this year became leader of our sound and vision team, heading up N2K's audio and video efforts. Our editorial team are Tim Nodar and editor John Petrik, who gathers up the day's stories and makes sure we are providing expert analysis and aggregation. Our executive producers are Jennifer Eiben and Brandon Karpf.
Starting point is 00:23:23 Jennifer Eiben leads the day-to-day decision-making of who will appear on our shows and coordinates our guest appearances and network shows, making sure everyone has what they need and knows what to expect. Brandon Karpf leads our podcast team, collaborating on our overall vision and making sure each of us has what we need to do our jobs and do them well. Our executive editor is Peter Kilpe, our N2K CEO, responsible for the overall vision of our company and for making sure the business side of things runs in such a way that we can keep doing what we love.
Starting point is 00:23:58 There are countless other people, too many to name: our ad ops team, our sales teams, the folks writing and producing our N2K training materials and courses. Every one of them plays a part in bringing you the news and information you've come to count on from the CyberWire. And of course, thanks to you for listening and for helping spread the word about our little show. It's my heartfelt privilege to serve as your host to bring you the combined efforts of our amazing team every day. We wish you a Merry Christmas, happy holidays, and a restful time with family and friends full of love, joy, and fellowship.
Starting point is 00:24:33 I'm Dave Bittner. We'll see you back here next year. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
