CyberWire Daily - Silicon Valley Bank as phishbait. An “attack superhighway.” Unauthorized software in the workplace. YoroTrooper, a new cyberespionage threat actor. Hacktivists game, too. How crime pays.
Episode Date: March 14, 2023
Expect phishing, BEC scams, and other social engineering to use Silicon Valley Bank lures. An "attack superhighway." Unauthorized software in the workplace. A new cyberespionage group emerges. Squad up (but not IRL). Ben Yelin unpacks the FBI director's recent admission of purchasing location data. Ann Johnson from Afternoon Cyber Tea speaks with Jason Barnett from HCA Healthcare about cyber resilience. And, not that you'd consider a life of crime, but what are the gangs paying cyber criminals, nowadays?
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/49
Selected reading.
SVB's collapse and the potential for fraud. (CyberWire)
State-of-the-Internet: malicious DNS traffic. (CyberWire)
Unauthorized software in the workplace. (CyberWire)
Talos uncovers espionage campaigns targeting CIS countries, including embassies and EU health care agency (Cisco Talos Blog)
STALKER 2 game developer hacked by Russian hacktivists, data stolen (BleepingComputer)
GSC Game World suffers Stalker 2 leak after latest cyber attack (GamesIndustry.biz)
Threat Groups Offer $240k Salary to Tech Jobseekers (Security Intelligence)
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Expect phishing, BEC scams, and other social engineering to use Silicon Valley Bank lures.
An "attack superhighway."
Unauthorized software in the workplace.
A new cyber espionage group emerges.
Squad up, but not in real life.
Ben Yelin unpacks the FBI director's recent admission of purchasing location data.
Ann Johnson from Afternoon Cyber Tea speaks with Jason Barnett from HCA Healthcare
about cyber resilience. And not that you'd consider a life of crime, but what are the
gangs paying cyber criminals nowadays? From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, March 14th, 2023.
Security experts are warning that cyber criminals are gearing up to take advantage of the disruption surrounding the collapse and shutdown of Silicon Valley Bank.
Johannes Ullrich from the SANS Institute is tracking a spike in newly registered SVB-related domains.
It's not clear how many of these domains were created by scammers,
but Ullrich expects to see business email compromise attacks
taking advantage of the situation for at least three reasons.
First, it involves a lot of money.
Second, urgency.
Many companies and individuals employed by companies have questions about how to pay urgent bills. Will my employer be able to make payroll?
Is there anything I need
to do right now? And third, uncertainty. For many, it isn't clear how to communicate with SVB,
what website to use, or what emails to expect, or where they might come from. Times are unsettled,
the failure has spread into surprising corners of the tech economy, and people are worried. The crooks know that.
Akamai Technologies this morning released its state-of-the-internet report titled
Attack Superhighway, Analyzing Malicious Traffic in DNS, detailing the global spread of malware.
Researchers report that about 10 to 16 percent of organizations have shown potential signs of a breach last year.
Key findings of the Akamai report include that 26 percent of affected devices have attempted to reach out to known initial access brokers' C2 domains, including Emotet-related domains.
Attackers are also reported to be using the QSnatch botnet to abuse network-attached storage devices,
with 36% of affected devices linked to QSnatch-affiliated C2 domains.
Targeting by threat actors of home networks seeks out computers, cell phones, and IoT devices,
as mobile malware and IoT botnets have been significantly observed.
Devo Technology this morning released a study they commissioned from Wakefield Research.
It details unauthorized use by security professionals of artificial intelligence tools.
The study found that IT security professionals are increasingly dissatisfied with their company's
adoption of automation in security operations centers. 96% of IT security pros admit to knowing
that someone in their organization is using external unauthorized AI tools, with a surprising
80% admitting to the use of those tools themselves. These pros report the use of these unauthorized AI tools
because 96% report dissatisfaction
with their organization's implementation
of automation in the SOC.
42% of respondents expressed a concern
over a limited scalability and flexibility
currently within their organization's implemented solutions,
while 39% reference financial issues such as high costs.
These unauthorized tools are reportedly appealing to respondents
because of better user interfaces, more specializations, and more efficiency.
Researchers at Cisco Talos have identified a new threat actor
and a new cluster of activity in Eastern Europe and the former Soviet Union.
They're calling the group YoroTrooper, and while it appears to be a Russophone group, Cisco Talos thinks the evidence is too ambiguous for clear attribution.
They may speak Russian, and there are snippets of the Cyrillic alphabet in some of their implants,
but this simply shows linguistic familiarity and doesn't necessarily mean that they're either based in Russia or are Russian nationals. Some of the targets are also Russian speakers,
and the victimology, for the most part, consists of countries in the Commonwealth of Independent
States, those former Soviet republics that remain on speaking terms with Russia.
Attribution remains unclear, but the group will bear watching,
especially while fighting continues in Ukraine.
Bleeping Computer reports that the Ukrainian game developer GSC Game World,
whose Stalker 2: Heart of Chornobyl has been widely anticipated,
has come under cyber attack by Russian hacktivists who claim to have stolen game-specific material,
storylines, images, and so on, which they threaten to release unless their demands are met.
The hacktivists on the VK channel write that they want GSC to change its attitude towards players from Belarus
and Russia, lift the ban on a player who's been booted from the game's Discord channel,
and permit Russian localization for Stalker 2. In short, they're saying don't ruin people's
enjoyment of the game due to politics. And of course, by politics they mean Russia's invasion of Ukraine, and a first-person
shooter in real life shouldn't interfere with, well, a first-person shooter. The publication
Games Industry reports that GSC Game World is hanging tough. GSC states, we've been enduring
constant cyber attacks for more than a year now. We've faced blackmail, acts of aggression, hacks,
attempts to hurt players and fans, and efforts to damage the development process or the reputation of our company.
We are a Ukrainian company, and like most Ukrainians, we have experienced many things that are much more terrifying.
Destroyed houses, ruined lives, and the deaths of our loved ones.
Attempts to blackmail or intimidate us are completely futile.
This may be a case of actual spontaneous hacktivism.
Sure, it's patriotic in the Russian sense of the term,
but this particular crew may be freelancers who want their games
as opposed to semi-disciplined auxiliaries of the intelligence and security organs.
And finally, how well does crime pay nowadays?
Not that you're in that particular job market, but it's worth keeping an eye on.
IBM Security Intelligence takes a quick look at the cyber underworld
and finds that the criminal labor market resembles the legitimate
labor market in a number of respects. A criminal career can be well compensated, with some gangs
offering around $240,000 a year to applicants looking for a career, betraying trust, exploiting
their fellow human beings, preying on the innocent and gullible, and so on. To get hired, you have to pass certain screens.
Test assignments account for the majority of the hiring decision,
your CV and portfolio for just over a third,
and finally, the interview itself.
Benefits often include flexible hours,
the possibility of remote work,
paid sick leave,
and our favorite, a welcoming work environment.
We hesitate to think of what might count in this context
as a welcoming work environment,
maybe snacks and games in the office.
We'd imagine there'd be a lot of potluck meals,
maybe everybody signs a birthday card, stuff like that.
Foosball and Aeron chairs seem so dot-com boomerish. At any rate,
we'll pass. Thanks.
Coming up after the break, Ben Yelin unpacks the FBI director's recent admission of purchasing location data.
Ann Johnson from Afternoon Cyber Tea speaks with Jason Barnett from HCA Healthcare about cyber resilience.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this. More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals
to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive
protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already been breached. Protect your executives
and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
Ann Johnson is a senior executive at Microsoft and host of the Afternoon Cyber Tea podcast.
In a recent episode, she spoke with Jason Barnett
from HCA Healthcare about cyber resilience.
Here's an excerpt from that conversation.
On today's episode of Afternoon Cyber Tea,
I'm going to have a really important conversation
about cybersecurity in the healthcare industry
with Chief Security Officer of HCA Healthcare, Jason Barnett.
Jason has spent more than 20 years in the technology field with a primary focus on security operations, threat detection, and response.
As the Chief Security Officer of HCA Healthcare, Jason leads a team and programs for cybersecurity, privacy, identity engagement, business risk solutions, and physical security.
Welcome to Afternoon Cyber Tea, Jason. I'm thrilled to have you on the program today.
Likewise, Ann. I'm very happy to be here. Thank you for having me today.
So starting at the industry level, Jason, I would love to get your point of view on some of the challenges leaders in healthcare are facing when it comes to cyber.
What's unique about the challenges? Have they mostly stayed the same over the past few years, or are they evolving?
They're absolutely evolving, and the impact is increasing as well.
I mentioned earlier, as our adversaries mature and evolve, their reach has gotten broader.
And as a result, more areas of the business are impacted.
So no longer are the days that somebody clicks on something and
it affects the local PC that a user is operating on. Today, if somebody clicks on the wrong thing,
you can have an operational incident across an entire enterprise, affecting all of your
applications, affecting all lines of business, and you find yourself in a position of having
to reassemble that. So I think that's consistent from industry to industry
in terms of what the impacts are. Oftentimes, healthcare is reputed as being behind the
technology curve or the immature industries on the technology curve. To whatever degree that's
a correct statement, regardless of what side of that argument you fall on, healthcare is becoming more dependent on technology, both in terms of how care is delivered.
Technology is used in how decisions are made.
Technology is used more heavily in processing payments and claims.
It's touching every aspect of the healthcare business.
So, as I mentioned, as the adversary has evolved, their impact has expanded.
It's forced us to expand as a security team.
But at the same time, understand each component of our business so that we can have a good conversation.
I'd love to paint a picture of HCA for our audience. HCA is a leading health network. And as I mentioned, you have 180 hospitals,
you have 1,200 plus care sites in 20 states in the U.S. as well as in the U.K. And you have more
than 260,000 employees or associates who are all focused on your commitment to delivering health
and also to improving human life. This size, this scale, the complexity is simply astounding.
There aren't a lot of organizations that are at this scale.
So how do you start and how do you lead a security program and how do you focus at such scale?
That's a big question.
I believe that no security program can be successful if it's enclosed unto itself. No security group by itself
can effectively secure an organization. Rather, what they accomplish is because of the partnerships
that they've effectively built across the company. Our organization has several hundred people in it,
but even on their best days, they can't accomplish what they're able to accomplish without the partnerships that they've built across the company.
My security program, our security organization here, is not a part of the IT organization, but we have an amazing working partnership with that organization.
And I can give you an easy example of how that
partnership has paid off. In the early years, most of our threat and vulnerability management work
was all due to poor hygiene of systems, systems maintenance, systems management, poor change
management. As we've worked with our IT organization, as they have had goals to grow and improve uptimes, manage availability,
attend to asset management, and how all of those things that at one point were a lower priority improve the overall security posture of the company.
That's Ann Johnson from Afternoon Cyber Tea
along with her guest Jason Barnett from HCA Healthcare.
The Afternoon Cyber Tea podcast is part of the CyberWire network.
You can find it wherever you find your podcasts.
And joining me once again is Ben Yelin.
He is from the University of Maryland Center for Health and Homeland Security
and also my co-host over on the Caveat podcast.
Ben, welcome back.
Good to be with you, Dave.
This article from Wired caught my eye.
It's an article written by Dell Cameron,
and it's titled,
The FBI Just Admitted It Bought U.S. Location Data.
What's going on here, Ben?
There was a Senate hearing recently
in which the head of the Federal Bureau of Investigation,
Christopher Wray, testified.
And he was asked directly by U.S. Senator Ron Wyden,
who is a digital privacy
advocate, whether the FBI has purchased U.S. phone geolocation information and other U.S.
location information from private companies. And Mr. Wray gave kind of a Bill Clinton-esque
answer, and I'll try to explain that in a moment.
He said that the agency has done so in the past as part of a pilot program for national security.
But to his knowledge, it is not something that the FBI currently does.
They go through, in his words, a court-approved process. Now, whether that means that they are obtaining warrants to get this location-based information
or some other judicial process,
like an administrative subpoena, that's unclear.
But I guess what Chris Wray was saying here
in the parlance of Bill Clinton was,
it depends on what the meaning of is is.
Yeah.
Because it's unclear whether the Bureau
is still collecting this data.
The reason that this is relevant is
that there was a 2018 U.S. Supreme Court decision, Carpenter v. United States, which held that
the government needed to obtain a warrant if it was to collect location data. So historical cell
site location information. There's a question as to whether that Supreme Court decision extends to data that is purchased from private companies.
Because in that case, it's not the government compelling companies to hand over data under some sort of legal penalty.
It is simply giving certain private entities money so that they can have access to that data.
And now we know for the first time,
it's no longer just a rumor, that the FBI has at least done that in the past. So I think that's
what was particularly eye-opening about this hearing. Yeah, it reminds me of, I've had friends
with security clearances, you know, I remember when the Snowden revelations came out and,
you know, you and I and everyone else were reading about things in the New York Times,
right. And our friends with security clearances were not allowed to read those things in the New
York Times because technically they were still classified. Right. Right. So it's like one of
those weird workarounds that it seems nonsensical, but here we are. Yeah, I mean, I think that's a pretty good metaphor
for what's going on here.
I think the question is,
are senators and members of Congress
going to use their powers to try and get more information
about the extent of this practice?
From whom were they purchasing the data?
Was this just for a national security pilot program
or has this been done more
broadly? And then beyond the FBI, which other federal agencies are similarly purchasing
privately held location data? Because there have been allegations that agencies from the
Department of Homeland Security to the Department of Treasury have been engaged in this practice.
So I think there might be bipartisan support in Congress to
look into this question a little more fully. And now they have the ammunition since Director Wray
has admitted under oath that this is something that the FBI has done in the past. A
policy attorney at Demand Progress, a nonprofit focused on these issues, national security and
privacy reform, says that the FBI
needs to be more forthcoming. The public needs to know who gave the go-ahead for this purchase,
why, and what other agencies have done or are trying to do the same.
In terms of future congressional action, there have been bills introduced, I think,
in every session of Congress going back a decade or so to prohibit this type of
data purchasing, but that legislation has thus far not succeeded. So I think it would start with an
investigation, and then over the long term, if this is something that Congress really finds
objectionable, they can ban this practice. And I think that's something that we would have to look
out for in the future. Is law enforcement saying, why tie our hands with this sort of thing?
I mean, if this information is being gathered and the local burger joint down the street can buy location data for marketing purposes, why can't we use it for law enforcement?
I guess part of the response would be that the burger joint down the street doesn't have people with guns.
Right.
The burger joint can't lock you up, hamburger notwithstanding.
Right, right.
I mean, I do think it's a reasonable point for these federal agencies to make is that this is data that is available on the open market.
It's not like they are going on the dark web to steal this data somewhere. I mean,
if you have money, you can have it. And so why, as a federal agency, can we not purchase
this data? I think the reason would be that, just as you say, they are a government with guns and
enforcement power and the ability to lock people up. And so the
consequences of them obtaining this data is much more severe than any private company. And that's
where Congress could really step in and say, it's not advantageous from a policy perspective to
allow federal agencies to have this authority. Yeah. All right. Well, again, the article is
from Wired, written by Dell Cameron.
It's titled, The FBI Just Admitted It Bought U.S. Location Data.
Ben Yelin, thanks for joining us.
Thank you.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company
safe and compliant. And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The CyberWire podcast is a production of N2K Networks,
proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
This episode was produced by Liz Irvin and senior producer Jennifer Eiben.
Our mixer is Tré Hester with original music by Elliott Peltzman.
The show was written by John Petrik.
Our executive editor is Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.