CyberWire Daily - Social engineering as a blunt instrument–almost like swatting without the middleman.
Episode Date: October 27, 2023

Eastern European gangs overcome their reservations about working with anglophone criminals. Mirth Connect is vulnerable to a critical flaw. A look at a mercenary spyware strain. "PepsiCo" as phish bait. Ben Yelin explains the FCC's renewed interest in Net Neutrality. Our guest is Wade Baker from the Cyentia Institute with insights on measuring risk. And Europol thinks police should take a good look at quantum computing and law enforcement.

For links to all of today's stories, check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/206

Selected reading.
Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction (Microsoft Security)
MGM Resorts hackers 'one of the most dangerous financial criminal groups' (Record)
Critical Mirth Connect Vulnerability Could Expose Sensitive Healthcare Data (SecurityWeek)
Examining Predator Mercenary Spyware (HYAS)
Fresh Phish: The Case of the PepsiCo Procurement Ploy (INKY)
U.S. Tries New Tack on Russian Disinformation: Pre-Empting It (New York Times)
ESET APT Activity Report Q2–Q3 2023 (We Live Security)
Russian hackers claim takedown of WA's Transperth transport agency with DDoS attack (Cyber Daily)
The Second Quantum Revolution: The impact of quantum computing and quantum technologies on law enforcement (Europol Innovation Lab)

Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today, get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Eastern European gangs overcome their reservations
about working with Anglophone criminals.
Mirth Connect is vulnerable to a critical flaw.
A look at a mercenary spyware strain.
PepsiCo as phish bait.
Ben Yelin explains the FCC's renewed interest in net neutrality.
Our guest is Wade Baker from the Cyentia Institute with insights on measuring risk.
And Europol thinks police should take a good look at
quantum computing and law enforcement. I'm Dave Bittner with your CyberWire
Intel briefing for Friday, October 27th, 2023.
Microsoft describes Octo Tempest, a financially motivated threat actor that uses social engineering to compromise organizations around the world.
Microsoft researchers write, in mid-2023, Octo Tempest became an affiliate of ALPHV BlackCat, a human-operated ransomware-as-a-service operation, and initial victims were extorted for data theft with no ransomware deployment using ALPHV Collections leak site.
This is notable in that historically, Eastern European ransomware groups refused to do business with native English-speaking criminals.
By June 2023, Octo Tempest started deploying ALPHV BlackCat ransomware payloads, both Windows and Linux versions, to victims, and lately has focused their deployments primarily on VMware ESXi servers. Octo Tempest progressively broadened
the scope of industries targeted for extortion, including natural resources, gaming, hospitality,
consumer products, retail, managed service providers, manufacturing, law, technology,
and financial services. Among the gang's victims, the Record points out, was MGM Resorts.
At the time of that attack, the group was being called Scattered Spider, 0ktapus, or UNC3944.
One of the more repellent features of Octo Tempest's activity is its willingness to make direct personal threats of violence
to bully victims into giving up their credentials.
A sample threat reads as follows:
"If we don't get your login in the next 20 minutes, we're sending a shooter to your house."
"Your wife is going to get shot if you don't fold it."
"Let me know, we'll send shooters to both, lol."
It's even worse in print than it is read aloud,
and there's a lot more than this.
It's not just the leet speak,
the LOLs when referring to shootings.
These aren't just misled kids.
The Octo Tempest crooks are suffering from a bad case of internet disinhibition.
SecurityWeek reports that Mirth Connect,
an open-source data integration platform developed by NextGen Healthcare, is vulnerable to a flaw
that could allow attackers to bypass protections for a critical-severity remote code execution
flaw that was patched in August. Researchers at Horizon3.ai discovered the new flaw, noting that it was fixed in version 4.4.1
of Mirth Connect. The researchers state, we urge all users of Mirth Connect, especially instances
that are internet-facing, to prioritize updating.
Researchers at HYAS Labs have published an analysis of the Predator spyware developed by Cytrox.
The researchers note that Sekoia earlier this month found evidence suggesting that the spyware may have been used by the Madagascar government.
One of the recurrent concerns about spyware products or lawful intercept tools, as they're also called, is the perennial temptation to abuse by governments
they represent. Inky is tracking a phishing campaign that's impersonating PepsiCo to deliver
malware. Inky says, as usual, it all starts with a phishing email. In this case, the phishers are
impersonating the PepsiCo brand, pretending to be potential clients. They're claiming to need what the recipient sells,
and they're asking them to submit a quote for PepsiCo to review.
What the would-be victim doesn't know is that attached to the email
is a malicious disk image disguised as an RFQ.
That is, a request for quote.
The U.S. State Department is attempting to pre-bunk Russian disinformation campaigns,
the New York Times reports, operating from the premise that disinformation is easier to discredit
and refute before it begins to spread through amplification in legitimate and semi-legitimate
channels. The effort works by identifying disinformation operations in their earliest
phases and by exposing the fronts and agents of influence before they can begin repeating their themes.
Pre-bunking is part refutation, that is, addressing the false claims on their merits,
and part transparency, identifying the fronts and trolls as such before they gain traction.
ESET's APT Activity Report for the second and third quarter of 2023
matches unpatched vulnerabilities with government-sponsored offensive cyber operations.
Unsurprisingly, Russian cyber activity retains its focus on Ukraine.
The main Russian APT groups ESET tracks are Sandworm, Turla, Sednit, and Gamaredon. ESET says that the
greatest of these from the Ukrainian perspective is Gamaredon, which significantly enhanced its
data collecting capabilities by redeveloping existing tools and deploying new ones.
The others aren't to be dismissed either. The French security agency ANSSI warned yesterday that Fancy Bear, APT28 or Sednit, whichever name you prefer, has succeeded in penetrating sensitive networks in France.
The targeting is commonplace for an espionage campaign. Fancy Bear has been interested in government agencies, businesses, universities, research institutes, and think tanks.
Cyber Daily reports that NoName057(16), specialists in nuisance-level DDoS attacks,
has put Australia on notice, NoName says, for its Russophobic contributions to Ukraine's war effort.
The hacktivist auxiliary said it had hit sites belonging to Adelaide Bank's
net bank portal, the Transperth Transport Agency, the Administrative Appeals Tribunal's online
portal, and the Northern Territory Department of Infrastructure Planning and Logistics.
The hacktivists' communique deplored Australia's decision to send a military aid package worth $12 million to Ukraine. The only
effect the shipment will have, NoName said, will be to give the Russians more material to capture.
And besides, it amounts to theft from the Australian taxpayers. NoName says,
we are going to Australia for destroying portals of critical infrastructure.
It's an overstatement.
Only the Transperth website sustained periodic and annoying disruption.
The other three targets rode out the attack without much difficulty.
And finally, Europol is urging its colleagues in law enforcement to think hard about the implications of quantum computing.
Europol's Innovation Lab has published a report titled
The Second Quantum Revolution, in which it outlines the potential implications of the
new technology for law enforcement. Greater computational power promises new cryptographic
challenges and new sensing opportunities. The report represents preparatory work. It urges
agencies to stay aware of developments in the new field,
and it summarizes its recommendations under five headings: observe quantum trends,
build up knowledge and start experimenting, foster research and development projects,
assess the impact of quantum technologies on fundamental rights, and review your organization's
transition plans.
That is, of course, transition to the post-quantum future.
And trust us, it's not going to look like the quantum realm from Ant-Man.
Coming up after the break, Ben Yelin explains the FCC's renewed interest in net neutrality. Our guest is Wade Baker from the Cyentia Institute with insights on measuring risk.
Stick around.
Do you know the status of your compliance controls right now?
Like, right now?
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
More than 8,000 companies like Atlassian and Quora have
continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation
to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key
workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning
digital executive protection platform
secures their personal devices,
home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk.
In fact, over one-third of new members
discover they've already been breached.
Protect your executives and their
families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
Wade Baker is co-founder of the Cyentia Institute and also a professor in the College of Business at Virginia Tech.
Cyentia Institute recently published the latest edition of their Information Risk Insights Study, or IRIS reports, focusing on threat event analysis.
I checked in with Wade Baker for the details.
And I've done a lot of studies in the information security space going back years and have always wanted to demonstrate how to quantify cyber losses.
And I just haven't had the data to do it in the past. So I'm probably best known for starting and working on Verizon's data breach investigations report for a long time.
And we had phenomenal information about how incidents occur and who's behind them and how assets are impacted and how organizations respond.
But we never had, what are the losses? You know, how do those events impact organizations
long after the forensic investigation is gone? So the IRIS series, Information Risk Insights Study, is all about
what is the probability of an event and how much do those events cost and showing that you actually
can come up with historically proven numbers on those kinds of things and you don't have to make
it all guesswork. Well, let's dig into some of the findings from this year's
version. What are some of the things that stood out to you? So there are quite a few things,
and some of them are, I hate to say obvious because that sounds negative, but we get the
opportunity to add data to some things that maybe we believe.
And then in other cases, data overturns maybe what we believe.
But just an example, we do a lot about how industry and size of organizations impact
the probability of different types of loss events and how much those events are.
So what's probably not surprising is if you are a really large organization,
you are much, much, much, much, much more likely to have a security incident
than a really small organization.
You have a bigger attack surface, you have brand recognition
and maybe targeted attacks, all of those kinds of things.
So, you know, that's one of those that's maybe not so incredibly obvious, or sorry, is pretty
obvious. And then, you know, I think we have some other things that may be less so, you know,
what is the cost of a typical security incident? I think there's, you ask anybody, lots of different opinions on that.
We found that the median loss is about $260,000.
And I get lots of different reactions when I say that.
Some think that's, whoa, that's ridiculously low.
How can that possibly be?
Others think that's high.
But we're talking about all types of security incidents here.
The 95th percentile loss is much larger.
That's $52 million.
And I kind of think maybe that's part of the misconception
is people think about the really big stuff
that we hear about the headlines
and forget about the sort of daily things that stack up,
but don't cost a huge amount.
Yeah.
One of the challenges that I find for myself
personally is taking those numbers and making them meaningful. There are all these numbers
thrown around, but how do I align that with my own organization and how I should go about
evaluating my own risk? 100%. And I think that's a huge challenge because we hear of all of these
reports of incidents occurring and some terrible thing happens to another organization and the
obvious question is, hey, could that happen to us? And if so, what would that be like?
And we try to tackle a few of those things in the report. One of the things that we do is we can measure losses objectively and say, hey, this was a $100 million loss. And what is the probability that any given organization experiences a $100 million loss? Okay, you can answer that.
We can also make that a little bit more relevant by looking at it as a proportion of revenue, you know, and asking the question, you know, what is the likelihood that a small organization
will have a loss that equals 1%, 10%, you know, 100% of their revenue versus a large
organization?
And that is something that I think was a really important point in the
latest IRIS, is that smaller organizations are very disproportionately impacted by security
events. In other words, it might be smaller amounts from a just straight dollars perspective,
but as a proportion of their revenue, even menial events can be a quarter or much higher
of their revenue. And that hurts a lot when you're a small company and margins are slim.
As you gather your data here, are there any myths that you want to dispel here? I think about
sometimes, I think folks call them zombie facts. They know, they're dead, but they keep on living, and we can't seem to shed them.
Any things like that in your findings?
There is one in particular that comes to mind as a myth, and I'm not going to name names here,
but there is a study that is very often cited that gives a straight dollar per record as a means of quantifying losses around
an event. So if you have, you know, it's $150 per record or $180 per record, and then you take the
number of records that were compromised in an event, you multiply it by $150 and voila, you
know, that's how much the event costs. And we do some picking apart of that because it is just
dead wrong. There is no such thing as a linear dollar per record loss. The data time and time
again shows this. And there are much, much better, more accurate ways of estimating losses given
something like the amount of data that was compromised, rather than just multiplying by,
you know, a single amount. And that's a myth that we have tried, you know, some say a little bit
too hard in these reports to dispel, but it still sticks around. What do you hope people take away
from this report in terms of actionable items? I am hoping that, one, people will say that,
hey, we can quantify risk and therefore better manage it.
There's been a long-time argument over whether that's possible.
And I think if you read the IRIS and look at what we've done,
we've proven that you can actually do that.
And then second, I hope that people look at some
of this analysis and say, hey, I think we could benefit from this. I would like to have this to
aid my decisions on, you know, are we over at risk? What should we do about it? Which threats
are more relevant to my organization? And those kinds of things, because I really do think the time is far past in the management
of cybersecurity that we take a more measured and risk-oriented approach.
We always preach that, but very few people get beyond sort of the high, medium, low type
buckets applied to risk and realize that we can do this and the outcomes are going to be
better. That's Wade Baker from the Cyentia Institute. The report is IRIS, Threat Event Analysis.
And joining me once again is Ben Yelin.
He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the Caveat podcast.
Ben, welcome back.
Good to be with you, Dave.
Interesting story you and I talked about on this week's Caveat
about how the FCC, thanks to having an
additional member on their board, is able to make a move here with net neutrality. What's going on
here, Ben? So we finally have a Democratic majority on the FCC. The newest nominee from
President Biden was just confirmed recently by the Senate. Back in 2015, the Obama administration initiated a rulemaking process
that led to net neutrality. Basically, the idea here is reclassifying broadband as a telecommunications
service that allows the FCC to regulate internet service providers and make sure that they are not
throttling companies who want to use greater bandwidth.
So things like Netflix and other streaming services.
That's the point of maintaining that neutrality.
So this doesn't become kind of a fee-for-service jungle where the main providers, the Verizons,
the AT&Ts of the world, are auctioning off this broadband space to the highest bidder.
The Trump administration came in in 2017 under the leadership of Ajit Pai. They got their own
majority on the FCC, and they reversed Obama-era net neutrality rules. Basically, their rationalization
then is that this was a 1930s-style regulation on the open internet, that we should be fostering
an open marketplace to the extent possible, and that this won't lead to the sort of parade of
horribles that you would hear about in warnings in 2017, that we're going to lose our open internet,
that net neutrality is going to cut against all the principles that make the internet great.
In defense of Ajit Pai
and his majority, I mean, we really haven't seen those types of impacts over the past several years.
As far as we can tell, the internet is in pretty good shape. Streaming services work well without
the need for this kind of heavy-handed federal government regulation. But the Biden administration
is interested in reviving these Obama-era rules.
So they're going through the rulemaking process right now. They're on the notice of proposed
rulemaking stage. I'm sure industry is going to weigh in. The final rule will probably be
published sometime in January or February. And then I think we can expect a lot of lawsuits
that are challenging the statutory authority for the FCC to take this
action, and then possibly some constitutional issues as well. So certainly this is just the
beginning of the story, and we'll have to see what happens with both the rulemaking process and
the almost certain court cases that we're going to see. Yeah. You know, I think it's fair to say
one thing that industry hates is uncertainty. And with this swinging back and forth, you've got, you know, Obama puts this in
play. Trump takes it out of play. Biden puts it back into play. You know, it's easy to see,
perhaps if we get a Republican president, it goes back out of play. And how long can that go on?
Yeah, I mean, there are other areas of policy that go like this, where you just ping-pong based on presidential administrations.
The long-running one is something called the Mexico City policy, which is about prohibiting
any sort of foreign aid going to governments around the world that promote reproductive
health and abortion services. January 20th, every time there's a new administration,
when it's the Democrats,
they reverse the Mexico City policy.
When it's the Republicans, they reinstate it.
And I'm wondering if net neutrality
is going to be one of those principles
where the Democratic members of
the FCC are so committed to this principle.
They think that the regulation
that was instituted in
2015 under Obama was necessary not just to maintain a free internet, but also giving the FCC more
authority to protect national security on our broadband networks, implementing cybersecurity
standards. And then the Republican members see this as heavy-handed federal regulation
that actually plays no role in maintaining a free and open
internet. So yeah, I think we could see this kind of ping pong back and forth through presidential
administrations. And I know that's frustrating for the industry because as you said, they rely
on certainty. Yeah. This article points out that for sure we're probably going to see
lawsuits from industry once the rulemaking is done, that those lawsuits are
inevitable? I think they're absolutely inevitable. The legal challenges will come on day one when
this is published in the Federal Register. I think the companies have obviously a large stake
in net neutrality rules. I think there's certainly profit potential in a less regulated industry for companies like Verizon, AT&T, etc.
But yeah, I think there's no doubt that we're going to see litigation.
All right. Well, we'll keep an eye on it here.
Interesting move.
Ben Yelin, thanks for joining us.
Thank you.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
With TD Direct Investing, new and existing clients could get 1% cash back.
Great! That's 1% closer to being part of the 1%.
Maybe, but definitely 100% closer to getting 1% cash back with TD Direct Investing.
Conditions apply. Offer ends January 31st, 2025. Visit td.com slash dioffer to learn more.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday
and my conversation with Danny Adamitis from Lumen's Black Lotus Labs.
We're discussing No Rest for the Wicked: HiatusRAT Takes Little Time Off in a Return to Action.
That's Research Saturday. Check it out.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights
that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like The Cyber Wire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector,
as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law
enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest
investment, your people. We make you smarter about your team while making your team smarter.
Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben.
Our mixer is Trey Hester with original music by Elliot Peltzman.
The show was written by our editorial staff.
Our executive editor is Peter Kilpe and I'm Dave Bittner.
Thanks for listening. We'll see you back here next week.