CyberWire Daily - Taking aim at cybercrime.
Episode Date: November 26, 2024
Smashing cybercrime syndicates. CyberVolk goes global. Tech troubles mostly resolved. A malware web weaved by Salt Typhoon targets global sectors. Love at first exploit. Ransomware attack on Blue Yonder brews trouble. Google faces a UK court battle. Lateral moves and lost data. I sit down with Clémence Poirier, Senior Cyberdefense Researcher at the Center for Security Studies (CSS) at ETH Zurich | Space Cybersecurity, to discuss cybersecurity attacks in space. And finally, a cybersecurity sales pitch goes rogue. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
Today’s guest, Clémence Poirier, Senior Cyberdefense Researcher at the Center for Security Studies (CSS) at ETH Zurich, recently spoke with T-Minus Space Daily podcast host Maria Varmazis about cybersecurity attacks in space. Read the case study: Hacking the Cosmos: Cyber operations against the space sector. A case study from the war in Ukraine.
Selected Reading
Bangkok busts SMS Blaster sending 1 million scam texts from a van (Bleeping Computer)
Police bust two Chinese syndicates (Bangkok Post)
'CyberVolk' hacktivists use ransomware in support of Russian interests (The Record)
Microsoft says massive Outlook and Teams outage is mostly resolved (CNN)
British hospital group declares ‘major incident’ following cyberattack (The Record)
NHS declares major cyber incident for third time this year (The Register)
Game of Emperor: Unveiling Long Term Earth Estries Cyber Intrusions (Trend Micro)
RomCom exploits Firefox and Windows zero days in the wild
Starbucks, Grocery Stores Hit by Blue Yonder Ransomware Attack (SecurityWeek)
Google hit with £7B claim over search engine dominance (The Register)
CISA Details Red Team Assessment including TTPs & network defense (GB Hackers)
DOJ: Man hacked networks to pitch cybersecurity services (Bleeping Computer)
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Smashing cybercrime syndicates.
CyberVolk goes global.
Tech troubles mostly resolved.
A malware web weaved by Salt Typhoon targets global sectors.
Love at first exploit.
Ransomware attack on Blue Yonder proves trouble.
Google faces a UK court battle.
Lateral moves and lost data.
And I sit down with Clémence Poirier, Senior Cyberdefense Researcher at the Center for Security Studies at ETH Zurich,
to discuss cybersecurity attacks in space.
And finally, a cybersecurity sales pitch goes rogue.
Today is November 26th, 2024.
I'm Maria Varmazis, host of the T-Minus Space Daily podcast, in for Dave Bittner.
And this is your CyberWire Intel briefing. Thai authorities dismantled two sophisticated Chinese-operated cybercrime syndicates responsible for extensive fraudulent activities. The first syndicate utilized over
10,000 phone numbers with Bangkok's 02 area code to execute more than 700 million scam calls within
three days, promoting fraudulent investment schemes. Investigations revealed connections
to three companies linked to Chinese nationals, leading to arrest warrants for 24 suspects,
including nine foreigners and 15 Thais, with 10 individuals apprehended. Concurrently,
police arrested a 35-year-old Chinese national operating an SMS blaster from a van in Bangkok's Sukhumvit area.
Over a three-day period, the device transmitted nearly 1 million phishing messages,
each capable of sending 100,000 texts per hour within a three-kilometer radius.
The fraudulent messages impersonated the Advanced
Info Service and urged recipients to redeem expiring points via a provided link, which then
led to a phishing site designed to harvest credit card information for unauthorized transactions
abroad. CyberVolk, a hacktivist group with possible Indian origins, has been active since at least March 2024,
targeting state and public entities and nations opposing Russian interests.
Initially known as Gloriamist India, the group rebranded to CyberVolk and has claimed
responsibility for compromising critical infrastructure in Japan, France, and the UK.
Unlike typical hacktivist groups that primarily conduct distributed denial
of service attacks, or DDoS attacks, CyberVolk employs ransomware and information-stealing
malware. Their ransomware, derived from leaked source code of the pro-Russia group AzzaSec,
demands $1,000 in cryptocurrency, with victims instructed to pay within five hours.
CyberVolk's adaptability in using various ransomware families,
including Hexalocker and Parano,
underscores the dynamic nature of affiliations among hacktivist groups.
Yesterday, on November 25, 2024,
Microsoft 365 services, including Outlook and Teams,
experienced a significant outage affecting users globally.
Reports indicated difficulties accessing emails,
loading calendars, and opening applications like PowerPoint.
Microsoft acknowledged the issues,
attributing them to a recent change
impacting Exchange Online and Teams calendar functionalities.
By noon Eastern time,
the company reported resolving issues
in approximately 98% of affected environments,
though some recovery efforts faced delays. Microsoft, for its part, expressed understanding of the event's significant impact
on businesses and committed to providing relief as swiftly as possible. On November 26, 2024,
Wirral University Teaching Hospital NHS Trust in Northwest England declared a major incident due to a cyber attack affecting its
entire network, including Arrow Park, Clatterbridge, and Wirral Women and Children's Hospitals.
This breach led to the cancellation of all outpatient appointments and a directive for
the public to use emergency services only for genuine emergencies. This marks the third
significant cyber incident targeting NHS units this year,
following previous attacks that disrupted services and compromised patient data.
The trust has implemented business continuity processes and is collaborating with cybersecurity
experts to investigate and mitigate the breach. Trend Micro has published a report on a new
strain of malware used by the Chinese state-sponsored threat actor Earth Estries, also known as Salt Typhoon, to target Southeast Asian telecommunications companies.
The malware, dubbed GhostSpider, is a sophisticated multi-modular backdoor designed with several layers to load different modules based on specific purposes.
The backdoor is used alongside the Demodex rootkit for long-term
espionage operations. In addition to telecommunications companies, the group has
targeted entities in the technology, consulting, chemical, and transportation sectors, as well as
government agencies and NGOs. Trend Micro says the campaign compromised more than 20 organizations
across Afghanistan, Brazil, Eswatini, India, Indonesia,
Malaysia, Pakistan, the Philippines, South Africa, Taiwan, Thailand, the United States, and Vietnam.
The researchers note that most of the victims had been compromised for several years.
ESET warns that the RomCom threat actor exploited a critical zero-day affecting Mozilla products to install
malware. The vulnerability, CVE-2024-9680, was assigned a CVSS score of 9.8 and allows vulnerable
versions of Firefox, Thunderbird, and the Tor Browser to execute code in the restricted context
of the browser. RomCom chained this flaw with a Windows zero-day, CVE-2024-49039,
to deliver malware via malicious webpages with no user interaction required. Both vulnerabilities
have since been patched. A reminder that RomCom is a Russia-aligned threat actor that conducts
espionage alongside cybercrime operations. In an update to a story we are following this week,
on November 21st, 2024,
supply chain management software provider Blue Yonder
experienced a ransomware attack
that disrupted its managed services hosted environment.
This incident affected several major clients,
including Starbucks and UK supermarket chains,
Morrison's and Sainsbury's.
Starbucks faced challenges in paying baristas and managing employee schedules,
while Morrisons and Sainsbury's encountered disruptions in their supply chains.
Blue Yonder has engaged a cybersecurity firm to assist in investigating and restoring impacted services,
but has not yet provided a specific timeline for full recovery.
Google is facing a £7 billion, or $8.8 billion, class action lawsuit in the UK, alleging that the company abused its dominance in the
search engine market. The claim, led by consumer rights advocate Nikki Stopford, asserts that
Google's practices, such as requiring Android device manufacturers to pre-install Google Search
and Chrome, and paying Apple to make Google the default search engine on Safari, have stifled competition.
This lack of competition purportedly led to higher advertising costs, which were then passed on to consumers.
The UK's Competition Appeal Tribunal has allowed the case to proceed,
marking a significant legal challenge for Google in the UK.
The Cybersecurity and Infrastructure Security Agency, or CISA, has released a comprehensive report detailing a Red Team assessment conducted on a critical infrastructure organization.
This assessment aimed to evaluate the organization's cybersecurity posture
by simulating real-world attack scenarios. And key findings from the report include initial access:
the red team gained access through spear phishing emails, highlighting the need for robust email
security measures. Privilege escalation: exploiting misconfigurations, the team escalated privileges,
underscoring the importance of proper system configurations. Lateral movement: the team
moved laterally across the network using compromised credentials,
emphasizing the necessity for strong access controls.
And data exfiltration: sensitive data was exfiltrated without detection,
indicating gaps in monitoring and data loss prevention strategies.
For its part, CISA recommends organizations implement multi-factor authentication, conduct regular security training,
and continuously monitor network activity to
mitigate such vulnerabilities. This report serves as a critical resource for organizations aiming
to strengthen their cybersecurity defenses. Today, our guest is Clémence Poirier,
Senior Cyber Defense Researcher at the Center for
Security Studies at ETH Zurich.
Clémence and I recently spoke about cybersecurity attacks in space.
Following the interview, get some tips on how not to convince prospective customers
that they should secure your services.
We'll be right back.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this,
more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews,
and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Welcome back.
Today, our guest is Clémence Poirier, Senior Cyber Defense Researcher at the Center for Security Studies at ETH Zurich.
Clémence and I recently spoke about cybersecurity attacks in space. And following the interview, get some tips on how not to convince prospective customers that they should secure your services.
When the war in Ukraine started, of course, the invasion actually started with a cyber attack
against a satellite, which is the now infamous Viasat hack. And prior to this,
there was very little interest from the space sector in cybersecurity issues. And it was a bit overlooked, whether it's from engineers or
the industry or public policies. So nobody really paid so much attention to that, and the threat was a bit overlooked as well. But when the
Viasat attack happened, it was a bit of something like the parallel war for the space industry in
some ways. It was really a wake-up call. So I decided back then to analyze this attack
and analyze what happened, but also what that meant for Ukrainian armed forces and
their ability to respond to the invasion, but also all the ripple effect that this attack created
across Europe and what it also meant for the European space sector. And after this first attack, I asked myself, okay, how many other attacks affected
space systems in this conflict? Because everyone saw how Starlink is used to conduct military
operations there, but also used by the civilian population and how it's a central aspect of
accessing connectivity there, but also how satellite images are used, how navigation,
so GPS, are used in the conflict. So I asked myself, naturally, there would be
probably a lot of operations against space systems. So I decided to look into that.
And so I crawled through hundreds and hundreds of Telegram channels, Twitter accounts, hacker forums, and a bit weird websites, to be honest, and try to see and map groups that
took sides in the conflict, because that's a big trend that happened in this war.
Hacktivist group popped up and took sides in the conflict. And I decided to check how they would talk about space,
how they would talk about attacking the satellites
or the space sectors or space companies.
And so I mapped hundreds of groups
and I found 124 cyber operations
that targeted the space sector in the context of the war.
So by groups that either took side in the conflict or claimed that the attack was related to the conflict directly.
And so that's the main finding of the report.
It's been really fascinating how much that Viasat attack really changed the conversation about space cybersecurity.
I think previously to that, there was a sense of, I'm not a military asset, I don't need to worry about it, or I'm in compliance with government security standards, so I'm fine, or nobody's targeting me.
This is not an issue.
The conversation has completely changed since then, and especially with commercial players, as you mentioned with Starlink, and obviously Viasat as well.
You know, there is a whole level of complexity that is there.
I'm so fascinated that you not only looked at the attack itself, but also what came after in those conversations.
Because that's been actually a huge question I've had in the last two plus years is for adversaries, for threat actors, how has the conversation changed for them?
What are they saying?
What did you see from those conversations on all sides of the conflict?
Is this a domain where people feel comfortable and what kind of attacks are they trying to leverage?
Are they all similar?
Are there a lot of different tactics being deployed?
I'm sorry, I have so many questions.
I'm so fascinated here.
What I first noticed is that those hacker groups
on their Telegram channels, hacker forums, Twitter accounts, they really see space
as a topic of fascination. So they really use space as a way to gather their communities and
their members and create online engagement. So they very often talk about space exploration
or whatever is in the news in space.
They sometimes share fun facts,
like the first time that coffee was brewed on the ISS
or this kind of things that you would not really expect
on a hacktivist group communication channel.
They're nerds at heart.
Exactly.
And that's very funny because you don't see that about other sectors of the economy.
But they also see space as an ultimate challenge and something that would bring a lot of media attention
if they succeed. That is something that is perceived as more difficult to hack.
So you see some groups that talk almost in a childish way, like, oh, should we, can we hack a satellite?
Should we hack a NASA satellite?
And so they discuss about whether that's feasible or not.
And they really see this as the final frontier for their cyber operations.
The notoriety. Yeah.
Yes, that's definitely how it's perceived.
But at the same time,
when you look at their operations against the space sector,
you also see that there are no groups that are specialized
or entirely dedicated at targeting the space sector.
So there's not one group that only targets the space sector.
All the cyber operations that I could find were random, almost, among bigger campaigns against specific countries.
So it's quite the opposite, in fact, where they actually do not know so much about space. A lot of them say, oh, it was our first attack against a satellite, or it was very
complex for us to understand how the network was operating, or how a satellite functions, or it was very hard to enter into the
network. And so they really acknowledge that difficulty. It also shows that maybe
cybersecurity is a bit different in space than on Earth. And it's also interesting
that Microsoft and OpenAI
also disclosed that
Russian hacker groups, Fancy Bear,
also use ChatGPT
to ask questions about
how satellite communication functions
and how to target them.
So they didn't specify
whether they could link it
to an actual operation.
But that also says that there's still a knowledge gap for threat actors
about how to enter into a space system.
So the space sector is not necessarily well protected,
but because the nature of the system is a bit different,
it also saves the sector a little bit.
You can find a link to the case study Clémence mentioned in our show notes.
suite of solutions designed to give you total control, stopping unauthorized applications,
securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And finally, in a bizarre mix of cybercrime and self-promotion,
Kansas City's Nicholas Kloster faces federal charges
for allegedly hacking multiple organizations
to pitch his cybersecurity services.
The Department of Justice alleges that Kloster breached a gym,
a nonprofit, and a former employer,
leaving behind a trail of audacity and damages.
At the gym, Kloster reportedly bypassed security cameras and routers to access systems.
He then emailed the owner,
offering his services to fix the vulnerabilities he exploited.
And not stopping there, he reduced his gym membership fee to $1,
deleted his profile, took a staff name tag,
all before flaunting the gym's compromised cameras on social media.
Career-limiting move.
Weeks later, he allegedly struck a nonprofit using a boot disk to bypass authentication,
install a VPN, and change account credentials.
The breach, by the way, forced the nonprofit to spend $5,000 on remediation and upgrades.
Kloster also reportedly used stolen credit card data from a former employer to buy hacking tools,
cementing his status as a rogue, and I quote here, entrepreneur.
While his alleged antics might sound like a movie plot,
Kloster, we should note, faces up to 15 years in prison. His tale is a very good reminder:
real cybersecurity pros don't exploit systems, they protect them. And that's the CyberWire.
For links to all of today's stories,
check out our daily briefing over at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures
we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like the show, please share a rating and review in your podcast app.
Also, please fill out the survey in the show notes or send an email to cyberwire at n2k.com.
We're privileged that N2K CyberWire is part of the daily routine of the most influential your teams while making your teams smarter. Learn how at n2k.com. This episode was produced by Liz
Stokes. Our mixer is Trey Hester with original music and sound design by Elliot Peltzman.
Our executive producer is Jennifer Iben. Our executive editor is Brandon Karp.
Simone Petrella is our president. Peter Kilpie is our publisher.
And I'm Maria Varmazis, in for Dave Bittner. Thanks for listening. We'll see you
tomorrow.