CyberWire Daily - Tapped and trapped.
Episode Date: October 7, 2024

Chinese hackers breach U.S. telecom wiretap systems. A third-party debt collection provider exposes sensitive information of Comcast customers. Homeland Security's cybercrime division chronicles their success. Google removes Kaspersky antivirus from the Play Store. Ukrainian hackers take down Russian TV and radio channels. A crypto-thief pleads guilty to wire fraud and money laundering. A pig-butchering victim gets his money back. On our Industry Voices segment, Jeff Reed, Chief Product Officer at Vectra AI, joins us to talk about how modern attackers don't hack in, they log in. AI knows - the truth is out there.

CyberWire Guest
On our Industry Voices segment, Jeff Reed, Chief Product Officer at Vectra AI, joins us to talk about how modern attackers don't hack in, they log in.

Selected Reading
Chinese hackers breached US court wiretap systems, WSJ reports (Reuters)
Comcast says customer data stolen in ransomware attack on debt collection agency (TechCrunch)
Cyber Cops Stopped 500 Ransomware Hacks Since 2021, DHS Says (Bloomberg)
Google removes Kaspersky's antivirus software from Play Store (Bleeping Computer)
Ukraine Claims Cyberattack Blocked Russian State TV Online on Putin's Birthday (Bloomberg)
Crypto Hacker Pleads Guilty for Stealing Over $37 Million in Cryptocurrency (Cyber Security News)
A victim of a crypto 'pig butchering' scam just got his $140,000 back (NPR)
How chatbots can win over crackpots (Fast Company)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Chinese hackers breach U.S. telecom wiretap systems.
A third-party debt collection provider exposes sensitive information of Comcast customers.
Homeland Security's Cybercrime Division chronicles their success.
Google removes Kaspersky antivirus from the Play Store.
Ukrainian hackers take down Russian TV and radio channels. A crypto thief pleads guilty to wire fraud and money laundering.
A pig butchering victim gets his money back.
On our Industry Voices segment,
Jeff Reed, Chief Product Officer at Vectra AI,
joins us to talk about how modern attackers don't hack in, they log in.
And AI knows the truth is out there.
It's Monday, October 7th, 2024.
I'm Dave Bittner. Thanks for joining us here today.

Chinese hackers reportedly breached the networks of major U.S. telecom companies, including Verizon, AT&T, and Lumen Technologies, according to the Wall Street Journal. The hackers accessed systems used for court-authorized wiretaps, potentially maintaining access for months. They also tapped into other Internet traffic. U.S. investigators believe the Chinese group Salt Typhoon was behind the attack, aiming to gather intelligence. This incident follows earlier disruptions of a different Chinese hacking group, Flax Typhoon. China's foreign ministry denied involvement, calling the allegations a false narrative and accusing the U.S. of framing China. The ministry further claimed that the U.S. is obstructing global cybersecurity cooperation. While Lumen declined to comment, Verizon and AT&T did not immediately respond. Beijing previously refuted claims of using hackers for espionage, asserting that the Volt Typhoon campaign was staged by an international ransomware group.
Comcast has disclosed that over 230,000 customers had their personal data stolen during a ransomware attack on Financial Business and Consumer Services, FBCS, a third-party debt collection provider. The breach occurred in February and was initially downplayed by FBCS, which later revealed in July that customer data had been compromised. Hackers accessed names, addresses, social security numbers, birthdates, and Comcast account details of subscribers from around 2021. The ransomware attack targeted FBCS's systems, encrypting data and stealing information. FBCS confirmed over 4 million individuals were affected, including clients of other organizations, such as CF Medical and Truist Bank. Sensitive data, including medical and financial information, was compromised in the attack. The incident has not yet been claimed by any ransomware group.

Bloomberg reports that the U.S. Department of Homeland Security's Cybercrime Division, Homeland Security Investigations, or HSI, has disrupted over 500 ransomware attacks and seized billions in cryptocurrency since 2021. HSI's proactive approach involves monitoring internet traffic for malicious activity, unpatched software vulnerabilities, and ransomware tactics. By analyzing this data, they can often detect and prevent attacks before they occur. Between October 2023 and September 2024, HSI stopped 150 ransomware plots, preventing 537 intrusions since the operation's start. HSI's efforts, which differ from the U.S. Cybersecurity and Infrastructure Security Agency's operations, have led to $4.3 billion in cryptocurrency seizures, including $180 million last year. The agency works closely with its 235 field offices to alert potential targets, including U.S. agencies and healthcare organizations, about imminent threats. However, building criminal cases remains a challenge, especially when attacks are thwarted before occurring.
The official Kaspersky antivirus app for Android
has been removed from the Google Play Store
following recent U.S. government sanctions.
Google disabled Kaspersky's developer accounts
and removed its apps due to restrictions imposed by the U.S. Department of Commerce's Bureau of Industry and Security.
Kaspersky is investigating the removal and exploring alternative solutions to allow users to download and update their software.
The move comes after a U.S. ban on Kaspersky products over national security concerns,
with allegations that the Russian government could exploit the software.
The U.S. banned Kaspersky sales starting July 2024,
and subsequent updates for the software ceased by late September.
Ukrainian hackers took down online broadcasts of at least 20 Russian state TV and radio channels,
including Rossiya 24, coinciding with President Putin's 72nd birthday.
The hack affected major broadcasters like Rossiya 1, Rossiya 24, and radio stations such as Vesti FM and Mayak.
Russia's VGTRK media holding called the attack unprecedented. Kremlin spokesman Dmitry Peskov said efforts were underway to address the breach. A pro-Ukrainian hacker group, sudo rm -RF, claimed responsibility for the attack.

Evan Frederick Light, a 21-year-old from Lebanon, Indiana, has pleaded guilty to conspiracy charges of wire fraud and money laundering related to a cyber intrusion that stole over $37 million in cryptocurrency.
In February 2022, Light targeted an investment company in Sioux Falls, South Dakota, exploiting server vulnerabilities to access the personal data of
nearly 600 clients. Using a legitimate client's identity, he stole cryptocurrency from multiple
victims and laundered the funds through mixing services and gambling websites to hide his tracks.
U.S. Attorney Allison Ramsdell and FBI Special Agent Alvin Winston emphasized the seriousness of cyber threats
and the commitment to holding cyber criminals accountable.
Light remains in custody awaiting sentencing,
with a pre-sentence investigation underway.
Alexei Madan, age 69,
received a $140,000 check from Massachusetts officials after losing his
life savings in a crypto scam. He was among several victims targeted by Spirebit, a fraudulent
operation that lured Russian-speaking seniors with fake investment ads on social media,
using Elon Musk's image to promote false promises of high returns.
Spirebit used stock photos for its executives and fake business addresses.
After NPR's investigation exposed the scam,
Massachusetts authorities sued Spirebit and froze its assets on Binance, the cryptocurrency trading platform.
The state seized $269,000 from Spirebit's crypto wallets,
distributing most of it to four victims.
This case is part of a growing online scam trend known as pig butchering,
where scammers build trust before stealing large sums.
The FBI reported over $5.6 billion in crypto scams last year.
Another victim, Naum Lansman, lost $340,000 but has yet to receive restitution.
Coming up after the break, my conversation with Jeff Reed from Vectra AI.
We're talking about how modern attackers don't hack in, they log in.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires
done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
Jeff Reed is Chief Product Officer at Vectra AI.
And on today's sponsored Industry Voices segment,
we discuss how modern attackers don't hack in,
they log in.
Really over the past decade, there's been an increasing move away from vulns or malicious payloads as the initial intrusion into an organization, and it's happening more and more through phishing, through social engineering, etc. And I think a lot of groups, like Scattered Spider, that were in the news a lot earlier this year are particularly known and particularly good at this idea around social engineering as a way to get credentials from individuals and then use that.
And so essentially, instead of having to find a vuln or have someone download a piece of malware, they're basically using legitimate credentials to log in and using that as that kind of initial entry point into an organization.
So that's been something we've seen a lot of, and it's been, I'd say, an increasing trend over time.
But there have been some of these groups that are particularly excellent at that form of attack.
And what about organizations who put things in place like multi-factor authentication or endpoint detection?
I mean, is that a false sense of security or to what degree does it help?
I mean, it absolutely helps. You should 100% have
multi-factor within your organization.
One of the breaches that we helped stop,
they had basically gotten into a call center
and were able to convince the call center
to basically reset and basically bypass MFA
in order to have to get some crucial work done.
So that's what makes some of these attackers,
what they're really known for is the fact
they're able to prey on human beings,
natural tendencies to want to be helpful and nice
and use that against them
in order to get into an organization.
So I think those types of things are absolutely necessary
and should be widely used,
but they're also insufficient in light of these types of attacks.
So what do you recommend then?
What additional things should folks have in place here?
Yeah, so I think, look, part of this is,
I think, an increasing view on how you're looking
at identity threat detection and response.
So understanding how do we track, understand where there may be attacker behavior within the identity infrastructure of an organization.
And that can be how there are
suspicious sign-ons.
I want to be careful here because
someone's kind of lived
through the UEBA
trend
about a decade ago
where,
if someone's logging in from a new
place, that's bad. And the problem
I think that has been historically around user behavior
is the fact that users do different things all the time.
And so I think it was historically really noisy
and just flooded SOC teams with a bunch of false positives
that really didn't allow them to get to the truth.
And so I think what you've seen now is more sophisticated approaches
to identity threat detection that take advantage of not just anomalous behavior,
but understanding what are the behaviors typical of this type of persona based on what
their peers do?
What are observed privileges from individuals, not just what's granted within the identity
infrastructure policy apparatus?
Or certain behaviors. So I've just changed the rule in Exchange around what happens to sent emails, things that are very specific to attacker behavior, and honing in on those issues, not just, hey, so-and-so's never logged in from Portugal before, so this must be bad.
Right, right. I want to touch on AI. I mean, you at Vectra, you have AI in your name there,
and certainly we're at this place now where I think it's fair to say that AI has really
captured people's imagination. Can we touch on the good and the bad sides of AI when it comes to this sort of protection?
Absolutely.
So let's start with the good. I mean, what sort of things are you all bringing to bear here to help with this fight?
What Vectra has realized over the last decade or so is that AI is useful, but when it's paired with deep knowledge of security and what attacker behaviors do.
And so our foundational approach is steeped in security research, so understanding what are bad actors doing, what are the techniques that they're using, how are those evolving, and then partnering the security research team with our data scientist team to then try to figure out, hey, if we know this is a typical behavior that we're seeing in attacks, what are the AI approaches that we can take to identifying those behaviors in these large, complex companies with very low false positive rates and zero false negatives.
And so that's our foundational approach.
And what we've learned, I think one of the interesting things is there is no kind of
magic one AI technique solves all.
It's actually very specific to the type of data, the kind of environmental factors that that data lives
in, in order to be able to kind of bring clarity out of all of this signal. And so that's been,
I think, the core thing that we've also realized is we use dozens of techniques to help us get to which one is going to provide the best outcome in terms of delivering clarity for our customers.
So that's been really kind of the real aha that we've had.
And the nice thing is we took that approach and we initially applied it to the network side of the place.
And so how can we identify C2s, reconnaissance activities, etc.? But that same kind of foundational element is also super valuable, and an example, for the identity space, and it's also really valuable in terms of how do we do a better job of noise reduction, prioritization, triage?
So what we found is there's some really excellent ways.
And I talked a little bit about things like observed privilege
has been one of the key things that's helped us in the identity space
really resolve and reduce noise.
And that's kind of one of our patented capabilities that we have here at Vectra.
Interesting. Well, I mean, let's talk about the
other side of the coin then. I mean, what sort of things are you seeing from the attackers
themselves making use of these newly available tools?
Yeah. So one I want to highlight that's kind of interesting is
that AI, and particularly generative AI tools,
represent a new attack surface.
And so one of the most interesting ones, we think, are the co-pilot style capabilities.
If you kind of looked at when Microsoft introduced co-pilot for M365,
the ability for that to do things
that you would not want that generative AI to do,
like return all the passwords that it's seen
over some period of time, et cetera,
was really alarming.
And it's interesting.
Within our team, we had initially a debate over,
hey, is this really that big of an attack surface? Because if you think about an attacker, there's other ways, PowerShell, etc., that they know how to do, that are fast. They were like, oh, they'll probably just use those tools if they get entrance into an organization. But then the other thing about these tools is their logging, their visibility is really poor,
and so it's actually
something that we feel now is
very much a concern
for customers in terms of
the ability for attackers to use
those generative AI tools to
obscure what they're doing
so that's kind of one bad. Another bad is obviously, and this has been talked about a fair amount, these tools are well designed to be able to add and aid in social engineering.
And so we're starting
to see the use of
voice and generative AI
voice to be able to trick folks into thinking it's a different individual on the other side of the line, image, etc.
And even just going out there and basically making it easier for them to do research on potential targets.
So those are absolutely areas that are part of the bad of this process.
What are your recommendations for folks who are interested in taking this journey?
They know they want to up their game here, but they're not sure how to get started,
not sure what's involved in the process.
What can you share with us there?
Yeah, so I think one would be, obviously map out what your current organization is doing
in the AI space.
And I think for both, to the point we just discussed,
where are you utilizing AI for good?
But also for some of these new attack vectors,
do you have coverage?
How are you protecting yourself in light of the fact that
these both represent a threat surface
and a way for new offensive techniques
to be able to be delivered and built more rapidly?
So I think one is just kind of having that overall landscape.
And then I think coming in specifically,
and as I mentioned,
to begin with,
I do feel like on the identity side in particular,
this is a really interesting area
where AI has allowed us
to up our game significantly
from where we were previously
in terms of being able to do threat detection
and response and identity-based threats. So I think that's a low-hanging fruit for a lot of organizations to be able to look at, you know, would an investment in that space help them dramatically improve their protection.
That's Jeff Reed, Chief Product Officer at Vectra AI.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total
control, stopping unauthorized applications, securing sensitive data, and ensuring your
organization runs smoothly and securely. Visit ThreatLocker.com today to see
how a default-deny approach can keep your company safe and compliant.
And finally, AI, often blamed for spreading conspiracy theories,
might be the perfect tool to fight them.
A recent study by MIT and Cornell found that ChatGPT-4 Turbo can actually help people rethink their beliefs in conspiracy theories.
Researchers had over 2,000 Americans explain
their favorite conspiracy theory and then engage in a conversation with the chatbot.
Shockingly, 20% of participants changed their minds after chatting with AI. Why did it work?
Well, the simple explanation seems to be that AI doesn't get emotional. It calmly presents facts
without making anyone feel dumb. People weren't defensive because there was no human ego involved,
just data. This approach gave participants the emotional space to process the information.
Plus, the chatbot nailed its facts with a 99.2% accuracy rate.
The potential here is huge.
What if AI could be the key to debunking misinformation on social media?
Wouldn't it be poetic if the same technology that spreads fake news could help take it down?
And that's the Cyber Wire.
We have links to all of today's stories in our show notes.
We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com. This episode was
produced by Liz Stokes. Our mixer is Trey Hester with original music and sound design by Elliot
Peltzman. Our executive producer is Jennifer
Iben. Our executive editor is
Brandon Karp. Simone Petrella is our
president. Peter Kilby is our publisher.
And I'm Dave Bittner.
Thanks for listening. We'll see you back here
tomorrow. Thank you.