CyberWire Daily - Social engineering as a blunt instrument–almost like swatting without the middleman.

Episode Date: October 27, 2023

Eastern European gangs overcome their reservations about working with anglophone criminals. Mirth Connect is vulnerable to a critical flaw. A look at a mercenary spyware strain. “PepsiCo” as phish...bait. Ben Yelin explains the FCC’s renewed interest in Net Neutrality. Our guest is Wade Baker from the Cyentia Institute with insights on measuring risk. And Europol thinks police should take a good look at quantum computing and law enforcement. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/206

Selected reading.
Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction (Microsoft Security)
MGM Resorts hackers 'one of the most dangerous financial criminal groups’ (Record)
Critical Mirth Connect Vulnerability Could Expose Sensitive Healthcare Data (SecurityWeek)
Examining Predator Mercenary Spyware (HYAS)
Fresh Phish: The Case of the PepsiCo Procurement Ploy (INKY)
U.S. Tries New Tack on Russian Disinformation: Pre-Empting It (New York Times)
ESET APT Activity Report Q2–Q3 2023 (We Live Security)
Russian hackers claim takedown of WA’s Transperth transport agency with DDoS attack (Cyber Daily)
The Second Quantum Revolution: The impact of quantum computing and quantum technologies on law enforcement (Europol Innovation Lab)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Eastern European gangs overcome their reservations about working with Anglophone criminals. Mirth Connect is vulnerable to a critical flaw. A look at a mercenary spyware strain.
Starting point is 00:02:11 PepsiCo as phish bait. Ben Yelin explains the FCC's renewed interest in net neutrality. Our guest is Wade Baker from the Cyentia Institute with insights on measuring risk. And Europol thinks police should take a good look at quantum computing and law enforcement. I'm Dave Bittner with your CyberWire Intel briefing for Friday, October 27th, 2023. Microsoft describes Octo Tempest, a financially motivated threat actor that uses social engineering to compromise organizations around the world. Microsoft researchers write, in mid-2023,
Starting point is 00:03:12 Octo Tempest became an affiliate of ALPHV BlackCat, a human-operated ransomware-as-a-service operation, and initial victims were extorted for data theft with no ransomware deployment using the ALPHV Collections leak site. This is notable in that historically, Eastern European ransomware groups refused to do business with native English-speaking criminals. By June 2023, Octo Tempest started deploying ALPHV BlackCat ransomware payloads, both Windows and Linux versions, to victims, and lately has focused their deployments primarily on VMware ESXi servers. Octo Tempest progressively broadened the scope of industries targeted for extortion, including natural resources, gaming, hospitality, consumer products, retail, managed service providers, manufacturing, law, technology, and financial services. Among the gang's victims, the Record points out, was MGM Resorts.
Starting point is 00:04:12 At the time of that attack, the group was being called Scattered Spider, 0ktapus, or UNC3944. One of the more repellent features of Octo Tempest's activity is its willingness to make direct personal threats of violence to bully victims into giving up their credentials. A sample threat reads as follows: If we don't get your login in the next 20 minutes, we're sending a shooter to your house. Your wife is going to get shot if you don't fold it. Let me know, we'll send shooters to both, lol.
Starting point is 00:04:44 It's even worse in print than it is read aloud, and there's a lot more than this. It's not just the leet speak, the LOLs when referring to shootings. These aren't just misled kids. The Octo Tempest crooks are suffering from a bad case of internet disinhibition. Security Week reports that Mirth Connect,
Starting point is 00:05:06 an open-source data integration platform developed by NextGen Healthcare, is vulnerable to a flaw that could allow attackers to bypass protections for a critical severity remote code execution flaw that was patched in August. Researchers at Horizon3.ai discovered the new flaw, noting that it was fixed in version 4.4.1 of Mirth Connect. The researchers state, we urge all users of Mirth Connect, especially instances that are internet-facing, to prioritize updating. Researchers at HYAS Labs have published an analysis of the Predator spyware developed by Cytrox. The researchers note that Sekoia earlier this month found evidence suggesting that the spyware may have been used by the Madagascar government. One of the recurrent concerns about spyware products or lawful intercept tools, as they're also called, is the perennial temptation to abuse by governments they represent. Inky is tracking a phishing campaign that's impersonating PepsiCo to deliver
Starting point is 00:06:13 malware. Inky says, as usual, it all starts with a phishing email. In this case, the phishers are impersonating the PepsiCo brand, pretending to be potential clients. They're claiming to need what the recipient sells, and they're asking them to submit a quote for PepsiCo to review. What the would-be victim doesn't know is that attached to the email is a malicious disk image disguised as an RFQ. That is, a request for quote. The U.S. State Department is attempting to pre-bunk Russian disinformation campaigns, the New York Times reports, operating from the premise that disinformation is easier to discredit
Starting point is 00:06:52 and refute before it begins to spread through amplification in legitimate and semi-legitimate channels. The effort works by identifying disinformation operations in their earliest phases and by exposing the fronts and agents of influence before they can begin repeating their themes. Pre-bunking is part refutation, that is, addressing the false claims on their merits, and part transparency, identifying the fronts and trolls as such before they gain traction. ESET's APT Activity Report for the second and third quarter of 2023 matches unpatched vulnerabilities with government-sponsored offensive cyber operations. Unsurprisingly, Russian cyber activity retains its focus on Ukraine.
Starting point is 00:07:38 The main Russian APT groups ESET tracks are Sandworm, Turla, Sednit, and Gamaredon. ESET says that the greatest of these from the Ukrainian perspective is Gamaredon, which significantly enhanced its data collecting capabilities by redeveloping existing tools and deploying new ones. The others aren't to be dismissed either. The French security agency ANSSI warned yesterday that Fancy Bear, APT28 or Sednit, whichever name you prefer, has succeeded in penetrating sensitive networks in France. The targeting is commonplace for an espionage campaign. Fancy Bear has been interested in government agencies, businesses, universities, research institutes, and think tanks. Cyber Daily reports that NoName057(16), specialists in nuisance-level DDoS attacks, has put Australia on notice, NoName says, for its Russophobic contributions to Ukraine's war effort. The hacktivist auxiliary said it had hit sites belonging to Adelaide Bank's
Starting point is 00:08:46 net bank portal, the Transperth Transport Agency, the Administrative Appeals Tribunal's online portal, and the Northern Territory Department of Infrastructure Planning and Logistics. The hacktivists' communique deplored Australia's decision to send a military aid package worth $12 million to Ukraine. The only effect the shipment will have, NoName said, will be to give the Russians more material to capture. And besides, it amounts to theft from the Australian taxpayers. NoName says, we are going to Australia for destroying portals of critical infrastructure. It's an overstatement. Only the Transperth website sustained periodic and annoying disruption.
Starting point is 00:09:33 The other three targets rode out the attack without much difficulty. And finally, Europol is urging its colleagues and law enforcement to think hard about the implications of quantum computing. Europol's Innovation Lab has published a report titled The Second Quantum Revolution, in which it outlines the potential implications of the new technology for law enforcement. Greater computational power promises new cryptographic challenges and new sensing opportunities. The report represents preparatory work. It urges agencies to stay aware of developments in the new field, and it summarizes its recommendations under five headings. Observe quantum trends,
Starting point is 00:10:11 build up knowledge and start experimenting, foster research and development projects, assess the impact of quantum technologies on fundamental rights, and review your organization's transition plans. That is, of course, transition to the post-quantum future. And trust us, it's not going to look like the quantum realm from Ant-Man. Coming up after the break, Ben Yelin explains the FCC's renewed interest in net neutrality. Our guest is Wade Baker from the Cyentia Institute with insights on measuring risk. Stick around. Do you know the status of your compliance controls right now?
Starting point is 00:11:12 Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Starting point is 00:11:54 Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home. Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Starting point is 00:12:34 Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. Wade Baker is co-founder of the Cyentia Institute and also a professor in the College of Business at Virginia Tech. The Cyentia Institute recently published the latest edition of their Information Risk Insights Study, or IRIS, reports, focusing on threat event analysis.
Starting point is 00:13:17 I checked in with Wade Baker for the details. And I've done a lot of studies in the information security space going back years and have always wanted to demonstrate how to quantify cyber losses. And I just haven't had the data to do it in the past. So I'm probably best known for starting and working on Verizon's Data Breach Investigations Report for a long time. And we had phenomenal information about how incidents occur and who's behind them and how assets are impacted and how organizations respond. But we never had, what are the losses? You know, how do those events impact organizations long after the forensic investigation is gone? So the IRIS series, Information Risk Insights Study, is all about what is the probability of an event and how much do those events cost and showing that you actually can come up with historically proven numbers on those kinds of things and you don't have to make
Starting point is 00:14:20 it all guesswork. Well, let's dig into some of the findings from this year's version. What are some of the things that stood out to you? So there are quite a few things, and some of them are, I hate to say obvious because that sounds negative, but we get the opportunity to add data to some things that maybe we believe. And then in other cases, data overturns maybe what we believe. But just an example, we do a lot about how industry and size of organizations impact the probability of different types of loss events and how much those events are. So what's probably not surprising is if you are a really large organization,
Starting point is 00:15:12 you are much, much, much, much, much more likely to have a security incident than a really small organization. You have a bigger attack surface, you have brand recognition and maybe targeted attacks, all of those kinds of things. So, you know, that's one of those that's maybe not so incredibly obvious, or sorry, is pretty obvious. And then, you know, I think we have some other things that may be less so, you know, what is the cost of a typical security incident? I think there's, you ask anybody, lots of different opinions on that. We found that the median loss is about $260,000.
Starting point is 00:15:51 And I get lots of different reactions when I say that. Some think that's, whoa, that's ridiculously low. How can that possibly be? Others think that's high. But we're talking about all types of security incidents here. The 95th percentile loss is much larger. That's $52 million. And I kind of think maybe that's part of the misconception
Starting point is 00:16:14 is people think about the really big stuff that we hear about the headlines and forget about the sort of daily things that stack up, but don't cost a huge amount. Yeah. One of the challenges that I find for myself personally is taking those numbers and making them meaningful. There are all these numbers thrown around, but how do I align that with my own organization and how I should go about
Starting point is 00:16:40 evaluating my own risk? 100%. And I think that's a huge challenge because we hear of all of these reports of incidents occurring and some terrible thing happens to another organization and the obvious question is, hey, could that happen to us? And if so, what would that be like? And we try to tackle a few of those things in the report. One of the things that we do is we can measure losses objectively and say, hey, this was a $100 million loss. And what is the probability that any given organization experiences a $100 million loss? Okay, you can answer that. We can also make that a little bit more relevant by looking at it as a proportion of revenue, you know, and asking the question, you know, what is the likelihood that a small organization will have a loss that equals 1%, 10%, you know, 100% of their revenue versus a large organization? And that is something that I think was a really important point in the
Starting point is 00:17:46 latest IRIS, is that smaller organizations are very disproportionately impacted by security events. In other words, it might be smaller amounts from a just straight dollars perspective, but as a proportion of their revenue, even menial events can be a quarter or much higher of their revenue. And that hurts a lot when you're a small company and margins are slim. As you gather your data here, are there any myths that you want to dispel here? I think about sometimes, I think folks call them zombie facts. They know they're dead, but they keep on living, and we can't seem to shed them. Any things like that in your findings? There is one in particular that comes to mind as a myth, and I'm not going to name names here,
Starting point is 00:18:37 but there is a study that is very often cited that gives a straight dollar per record as a means of quantifying losses around an event. So if you have, you know, it's $150 per record or $180 per record, and then you take the number of records that were compromised in an event, you multiply it by $150 and voila, you know, that's how much the event costs. And we do some picking apart of that because it is just dead wrong. There is no such thing as a linear dollar per record loss. The data time and time again shows this. And there are much, much better, more accurate ways of estimating losses given something like the amount of data that was compromised, rather than just multiplying by, you know, a single amount. And that's a myth that we have tried, you know, some say a little bit
Starting point is 00:19:32 too hard in these reports to dispel, but it still sticks around. What do you hope people take away from this report in terms of actionable items? I am hoping that, one, people will say that, hey, we can quantify risk and therefore better manage it. There's been a long-time argument over whether that's possible. And I think if you read the IRIS and look at what we've done, we've proven that you can actually do that. And then second, I hope that people look at some of this analysis and say, hey, I think we could benefit from this. I would like to have this to
Starting point is 00:20:15 aid my decisions on, you know, are we over at risk? What should we do about it? Which threats are more relevant to my organization? And those kinds of things, because I really do think the time is far past in the management of cybersecurity that we take a more measured and risk-oriented approach. We always preach that, but very few people get beyond sort of the high, medium, low type buckets applied to risk and realize that we can do this and the outcomes are going to be better. That's Wade Baker from the Cyentia Institute. The report is IRIS: Threat Event Analysis. And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the Caveat podcast.
Starting point is 00:21:17 Ben, welcome back. Good to be with you, Dave. Interesting story you and I talked about on this week's Caveat about how the FCC, thanks to having an additional member on their board, is able to make a move here with net neutrality. What's going on here, Ben? So we finally have a Democratic majority on the FCC. The newest nominee from President Biden was just confirmed recently by the Senate. Back in 2015, the Obama administration initiated a rulemaking process that led to net neutrality. Basically, the idea here is reclassifying broadband as a telecommunications
Starting point is 00:21:55 service that allows the FCC to regulate internet service providers and make sure that they are not throttling companies who want to use greater bandwidth. So things like Netflix and other streaming services. That's the point of maintaining that neutrality. So this doesn't become kind of a fee-for-service jungle where the main providers, the Verizons, the AT&Ts of the world, are auctioning off this broadband space to the highest bidder. The Trump administration came in in 2017 under the leadership of Ajit Pai. They got their own majority on the FCC, and they reversed Obama-era net neutrality rules. Basically, their rationalization
Starting point is 00:22:40 then is that this was a 1930s-style regulation on the open internet, that we should be fostering an open marketplace to the extent possible, and that this won't lead to the sort of parade of horribles that you would hear about in warnings in 2017, that we're going to lose our open internet, that net neutrality is going to cut against all the principles that make the internet great. In defense of Ajit Pai and his majority, I mean, we really haven't seen those types of impacts over the past several years. As far as we can tell, the internet is in pretty good shape. Streaming services work well without the need for this kind of heavy-handed federal government regulation. But the Biden administration
Starting point is 00:23:22 is interested in reviving these Obama-era rules. So they're going through the rulemaking process right now. They're on the notice of proposed rulemaking stage. I'm sure industry is going to weigh in. The final rule will probably be published sometime in January or February. And then I think we can expect a lot of lawsuits that are challenging the statutory authority for the FCC to take this action, and then possibly some constitutional issues as well. So certainly this is just the beginning of the story, and we'll have to see what happens with both the rulemaking process and the almost certain court cases that we're going to see. Yeah. You know, I think it's fair to say
Starting point is 00:24:02 one thing that industry hates is uncertainty. And with this swinging back and forth, you've got, you know, Obama puts this in play. Trump takes it out of play. Biden puts it back into play. You know, it's easy to see, perhaps if we get a Republican president, it goes back out of play. And how long can that go on? Yeah, I mean, there are other areas of policy that go like this, where you just ping-pong based on presidential administrations. The long-running one is something called the Mexico City policy, which is about prohibiting any sort of foreign aid going to governments around the world that promote reproductive health and abortion services. January 20th, every time there's a new administration, when it's the Democrats,
Starting point is 00:24:47 they reverse the Mexico City policy. When it's the Republicans, they reinstate it. And I'm wondering if net neutrality is going to be one of those principles where the Democrats or the Democratic members, the FCC are so committed to this principle. They think that the regulation that was instituted in
Starting point is 00:25:05 2015 under Obama was necessary not just to maintain a free internet, but also giving the FCC more authority to protect national security on our broadband networks, implementing cybersecurity standards. And then the Republican members see this as heavy-handed federal regulation that actually plays no role in maintaining a free and open internet. So yeah, I think we could see this kind of ping pong back and forth through presidential administrations. And I know that's frustrating for the industry because as you said, they rely on certainty. Yeah. This article points out that for sure we're probably going to see lawsuits from industry once the rulemaking is done, that those lawsuits are
Starting point is 00:25:47 inevitable? I think they're absolutely inevitable. The legal challenges will come on day one when this is published in the Federal Register. I think the companies have obviously a large stake in net neutrality rules. I think there's certainly profit potential in a less regulated industry for companies like Verizon, AT&T, etc. But yeah, I think there's no doubt that we're going to see litigation. All right. Well, we'll keep an eye on it here. Interesting move. Ben Yellen, thanks for joining us. Thank you. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
Starting point is 00:26:46 ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. With TD Direct Investing, new and existing clients could get 1% cash back. Great! That's 1% closer to being part of the 1%. Maybe, but definitely 100% closer to getting 1% cash back with TD Direct Investing. Conditions apply. Offer ends January 31st, 2025. Visit td.com slash dioffer to learn more. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Starting point is 00:27:56 Be sure to check out this weekend's Research Saturday and my conversation with Danny Adamitis from Lumen's Black Lotus Labs. We're discussing No Rest for the Wicked: HiatusRAT Takes Little Time Off in a Return to Action. That's Research Saturday. Check it out. We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com. Your feedback helps us ensure we're delivering the information and insights
Starting point is 00:28:23 that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like The Cyber Wire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Trey Hester with original music by Elliott Peltzman. The show was written by our editorial staff.
Starting point is 00:29:10 Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here next week. Thank you. guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
