CyberWire Daily - Swatting on the rise.
Episode Date: January 9, 2024

Swatting is on the rise. LoanDepot, the Toronto Zoo and the World Council of Churches all confirm ransomware attacks. Iran-linked hackers target Albania. Sea Turtle focuses on espionage and information theft. Fake "security researchers" offer phony ransomware recovery services. Could AI make KYC EOL? Avast enhances Babuk decryption. Joe Carrigan looks at the human side of email security. And a group of midwives fail to deliver.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today, we are joined by Joe Carrigan from JHU ISI on the human elements that impact email security.

Selected Reading
Tanya Chutkan, the judge overseeing Trump's federal election interference case, appears to be victim of 'swatting'
Special counsel Jack Smith was targeted by attempted swatting on Christmas Day
LoanDepot Takes Systems Offline Following Ransomware Attack
Toronto Zoo hit by ransomware attack | Cybernews
Rhysida ransomware gang takes responsibility for attack on World Council of Churches
Wiper malware found in analysis of Iran-linked attacks on Albanian institutions
Turkish espionage campaigns in the Netherlands
"Security researcher" offers to delete data stolen by ransomware attackers
Gen AI could make KYC effectively useless | TechCrunch

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence.
© 2023 N2K Networks, Inc.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Swatting is on the rise. LoanDepot, the Toronto Zoo, and the World Council of Churches all confirm ransomware attacks. Iran-linked hackers target Albania. Sea Turtle focuses on espionage and information theft. Fake security researchers offer phony ransomware recovery services. Could AI make KYC EOL? Avast enhances Babuk decryption. Joe Carrigan looks at the human side of email security. And a group of midwives fail to deliver.

It's Tuesday, January 9th, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing.

NBC News reports that Special Counsel Jack Smith, leading the prosecution against former President Donald Trump in two federal cases, and Judge Tanya Chutkan, overseeing one of these cases, were targets of attempted swatting incidents at their residences. Swatting is a criminal harassment tactic involving false reporting of serious incidents to draw a heavy police response to a specific location. In Smith's case, a 911 call falsely claimed he had shot his wife, but deputy U.S. Marshals at his home confirmed it was a hoax. Chutkan experienced a similar situation, with police responding to a falsely reported shooting at her home. No arrests have been made in either case. Smith, who has been prosecuting Trump for alleged efforts to overturn the 2020 election results and mishandling classified documents at Mar-a-Lago, has faced numerous threats and intimidating communications, particularly after Trump's inflammatory posts about him. Chutkan has also encountered threats: a Texas woman was arrested for leaving a threatening voicemail for her. Trump has specifically targeted Chutkan on social media, leading to a gag order against him, later narrowed by an appeals court. The security concerns for judges and prosecutors have been escalating. The recent swatting incidents underscore the heightened security concerns surrounding high-profile legal cases involving political figures.
Following up on yesterday's story, mortgage lending firm LoanDepot confirmed a ransomware attack causing system disruptions and data encryption in a Form 8-K filing with the SEC. The Irvine-based company took immediate containment steps, initiated an investigation, and notified regulators and law enforcement. While they work to secure operations and assess impact, it's unclear if personal information was compromised.
Speaking of ransomware, the Toronto Zoo, Canada's largest zoo, experienced a ransomware attack on January 5th, affecting its systems and potentially visitor, member, and donor information. Immediate steps were taken to assess the impact, and the zoo remains open with animal care systems unaffected. The incident, reported to Toronto Police Services, is being addressed with assistance from the City of Toronto's Chief Information Security Office and external cybersecurity experts. This follows similar incidents in Toronto, including the public library system and SickKids Hospital.
The World Council of Churches, the WCC, representing numerous Christian denominations, was hit by a ransomware attack during the Christmas season. Responsibility for the attack was claimed by the Rhysida ransomware gang, targeting the Lutheran World Federation, a WCC member. The attack, which occurred on December 26th, resulted in a system shutdown, including the WCC's website. The ransom demanded is six bitcoins, about $280,000, with a seven-day deadline. The incident has been reported to Swiss police and is under investigation, with no specific details on the data breach or the number of affected individuals disclosed.

And in a reminder that the effects of ransomware can extend beyond the event itself, New York Attorney General Letitia James reached an agreement with the Refuah Health Center following a ransomware attack in May 2021 that compromised sensitive patient data. The attack, perpetrated by the Lorenz ransomware group, was facilitated by outdated and unsecured administrator credentials. Refuah failed to maintain appropriate cybersecurity controls, leading to extensive data breaches, including personal and health information of over 260,000 individuals. The New York AG identified multiple violations of the HIPAA Security Rule and New York General Business Law, including insufficient policies, failure to conduct risk analysis, and inadequate incident response measures. As part of the agreement, Refuah will invest $1.2 million in cybersecurity improvements and pay $450,000 in penalties and costs. They are also required to notify affected individuals and enhance their security and incident response policies.
Turning to international news, a group of Iran-linked hackers known as Homeland Justice used a wiper malware named NoJustice in a series of cyberattacks targeting Albanian organizations in December. These attacks hit the Albanian parliament, telecom companies One Albania and Eagle Mobile, and Air Albania. NoJustice, identified by ClearSky researchers, crashes the Windows OS, preventing rebooting, and a PowerShell script spreads the wiper across networks. The malware had a valid digital signature and required admin privileges. The attacks may have been in retaliation for Albania sheltering the Iranian opposition group MEK. The full extent of the damage is unclear, but Homeland Justice's operations pose a threat to other countries and are likely state-sponsored.

Researchers at Hunt & Hackett describe Sea Turtle, believed to be a Turkey-based advanced persistent threat group that focuses on espionage and information theft targeting public and private entities. From 2017 to 2019, it was primarily known for DNS hacking, but has more recently changed tactics to better evade detection. Microsoft and the Greek national CERT have highlighted its intelligence-gathering activities aligned with Turkish interests. The group targets organizations in Europe and the Middle East, especially governmental bodies, Kurdish groups, NGOs, telecommunication entities, ISPs, IT service providers, and media organizations. Their modus operandi includes intercepting internet traffic to gain unauthorized access to networks and using reverse shell mechanisms for data extraction.
Organizations hit by ransomware face uncertainty about whether cybercriminals will actually decrypt and delete their stolen data, even after paying the ransom. Help Net Security reports that imposters posing as security researchers are offering to hack into the ransomware group's servers to delete the exfiltrated data for a fee. Arctic Wolf researchers encountered this scam in two cases involving victims of Royal and Akira ransomware. The imposters, using aliases like Ethical Side Group and X Anonymous, approached victims via online chat, provided proof of access to data, warned of future attack risks, specified the stolen data amount, and demanded less than five bitcoins, around $220,000. It's unclear if these follow-on extortions are connected to the ransomware groups or are independent actions. In both cases, this additional extortion attempt was unsuccessful.
KYC, know-your-customer processes, essential for financial institutions, banks, and fintech startups, are at risk due to generative AI advancements. These processes often use ID images or selfies for customer identity verification. A report from TechCrunch examines how posts on platforms like X, formerly Twitter, and Reddit demonstrate how attackers could manipulate selfies using generative AI tools to create convincing deepfaked ID images and potentially bypass KYC checks. Although there's no evidence of generative AI being used against actual KYC systems yet, the ease of creating deepfaked images is concerning. The growing threat extends to bypassing liveness checks, which are designed to ensure a real person is present during verification. These checks are vulnerable to advanced generative AI tools capable of simulating real-time actions like head turns. As generative AI technology improves, even human reviewers might struggle to distinguish between real and deepfaked images and videos, potentially rendering this type of KYC ineffective as a security measure.
A tip of the virtual hat to Avast, who in cooperation with Cisco Talos and Dutch police have released an updated version of the Avast Babuk decryption tool, capable of restoring files encrypted by the Babuk ransomware variant called Tortilla. Well done.

Coming up after the break, Joe Carrigan looks at the human side of email security. Stay with us.
And joining me once again is Joe Carrigan. He is from the Johns Hopkins University Information Security Institute and also my co-host over on the Hacking Humans podcast. Hey, Joe.

Hi, Dave.

So before we took our break for the holidays, this article came to my attention. It's from the folks over at HackRead. This one's written by Owais Sultan. And it was about the human elements that impact email security. And this is something right up our alley over on Hacking Humans. And I thought it was something we could target here today. What's some of the information here you think is worth sharing?

Well, I'm going to say, it's not really said in this article, but I'm going to say it again, Dave. I love saying it so much. Email's terrible.

Fair enough.

It's the only system that we have as internet users where anybody can just put anything they want into your inbox.
If I wanted to host a web server, I don't necessarily have to accept information from people. I could just host static web pages and never take anything more from somebody other than a request for that page. That's it. Email is not like that. Email, by definition, I have to have some kind of service on a computer somewhere that then gets that information directly in front of me. And that's really the problem, because "me" can be anybody, and now is essentially anybody. And that's kind of where this article goes.
It starts off with an interesting fact that around 82% of all breaches that occur in business environments are from some employee taking some action based on email, clicking on a link or installing software that's attached to an email. It points out that this is because of something called action bias, which is part of the human psyche that is, oh, I've got this very important email, I have to take care of it right now. It's part of what I call the fight-or-flight part. We've had people who talk about the raptor brain versus the thinky brain. The raptor brain is very, and I can't remember the lady's name. We talked about that, but I really liked it. It's really smart, because our reptilian brain does the processing very quickly, and our thinking brain does processing very, very slowly. I wish I could remember her name, but she's probably sitting there listening right now going, ha ha, that's my work he's talking about. Anyway, it's those kinds of things that we need to engage, the thinking part of things. We need to get people to think about what they're doing and not just respond to things. It's not just like that Far Side: stimulus, response, stimulus, response. Don't you ever think? It's, you know, yes, this is a stimulus coming in, but try to think about it. Try to be mindful of what you're doing. And we can train people for this. That's one of the other points in this article, is that you can train people not to respond to these kinds of perceived threats or perceived requirements for action right away.

Because what they're trying to do is short-circuit the thinking part of your brain.

Exactly. They're trying to take that part of you out of the equation and just use, essentially, your amygdala and your reptilian brain, which is actually a real part of your physiology.

What are some of the suggestions here for better coming at this?

First off,
they say create backups of all your data, which is a great idea, because one of the bad outcomes is ransomware, where they'd be able to destroy your data. So keep backups of the data.

Right.

And then another thing they say is access control. This is what I like to refer to in the industry, it's called the principle of least privilege.

Yeah.

And we've been talking about this over on Hacking Humans a lot, about people getting access to things and then never losing access to it.

Right. Right. Right. It just, that access remains.

Forever. Forever. Even sometimes after the employee is no longer with the company.

We just talked about that recently.

Right. Where that happens. It's an easy thing to overlook.

It is. It is. So have policies that limit access to things. And if somebody needs temporary access, make sure that access expires when they no longer need it. I know it's a hassle, but it's part of what has to happen.

Yeah. What about, like, security awareness training?
Security awareness training is an absolute must. Perry Carpenter, who is a host of 8th Layer Insights on the CyberWire Network and also a friend of our Hacking Humans show and this show, he talks about your security culture. And one of the things that he's been talking about recently is that you have a security culture whether you realize it or not, right? And you need to implement and think about that proactively. And putting a security culture in place and building that security culture is going to involve a security awareness program that helps your people think through these kinds of attack scenarios.
Yeah. I mean, over on Hacking Humans, we talk about this notion of being immunized against these sorts of attacks.

Inoculated.

Inoculated. Right, right. Even just the awareness of what to look out for can make a huge difference.

Yeah. I can't remember who did this study a while ago, but if you Google it, you'll find it. But there was a study where they took two groups of people and they told one group of people how the tobacco companies lied about the effects of tobacco, which we all now agree tobacco is bad for you, right?

Right.

You know, in the 70s, 1970s, that wasn't the case.

Yeah. We didn't all agree on that.

But the tobacco companies manipulated the media and scientific reporting and funded their own studies to find out, or to say, that, no, tobacco is fine for you.

Sure.

And then they exposed people to other things like, I think climate change was one of the things they talked about. And the people who had been exposed to the information about the tobacco companies were not as ready to disbelieve things. When they saw critical information, they wanted to know the source of it.

Oh, interesting.

And they were like, okay, well, who funded this study? They ask questions like that. So having just been exposed to, you know, not lies, data manipulation, having to understand how it works, they've started asking those questions.
Well, that works across the board for just about everything, right? So if you say, as a CEO of this company, I am never going to write you and say, you need to write a check to this person for $50,000 right now.

Right, I'm never gonna ask you to go buy gift cards.

I mean, that's a rudimentary one that we all giggle about, right? But it's something that every security awareness program should have in place.

Yeah.

Right? Nobody from this company is ever going to ask another person to go out and buy gift cards for this.

No.

For any reason.
A dear friend of mine who is the head of HR for a cybersecurity company was on her way to go buy the gift cards. And she happened upon the CEO. And that's what short-circuited the process.

Ah, amazing. It can happen to anybody. How fortuitous for her.

It can happen to anybody.

Absolutely.

Yeah, yeah. All right, well, it's an interesting read here. Again, this is from the folks at HackRead. It's titled "How Human Elements Impact Email Security." Joe Carrigan, thanks for joining us.
My pleasure, Dave. Thank you.
And finally, clients of Midwives of Windsor in Ontario experienced a rude awakening, finding out their sensitive personal and pregnancy-related data had been exposed due to a cyber breach in April 2023. This breach, only disclosed to clients months later, nine months later, included names, birthdates, addresses, emails, phone numbers, pregnancy details, treatment information, prescriptions, patient IDs, and health insurance data. Although there's no reported misuse of the data yet, the potential for phishing attacks or identity theft looms large. Midwives of Ontario has since secured the compromised email account and is investigating with third-party experts. As clients navigate this breach, one can't help but note the irony. Midwives, experts in delivering timely care, seem to have missed the mark in delivering timely information.
And that's The CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like The CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies.

by Liz Stokes. Our mixer is Trey Hester, with original music by Elliot Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe. I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.