CyberWire Daily - TeamViewer and APT29 go toe to toe.
Episode Date: June 28, 2024

TeamViewer tackles APT29 intrusion. Microsoft widens email breach alerts. Uncovering a malware epidemic. Google's distrust on Entrust. Safeguarding critical systems. FTC vs. MGM. Don't forget to back up your data. Polyfill's accidental exposé. Our guest is Caitlyn Shim, Director of AWS Cloud Governance, who recently joined N2K's Rick Howard at the AWS re:Inforce event. They discuss cloud governance, the growth and development of AWS, and diversity. And a telecom titan becomes a telecom terror.

Our 2024 N2K CyberWire Audience Survey is underway; make your voice heard and get in the running for a $100 Amazon gift card. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

Guest Caitlyn Shim, Director of AWS Cloud Governance, joined N2K's Rick Howard at the AWS re:Inforce event recently in Philadelphia, PA. They spoke about cloud governance, the growth and development of AWS, and diversity. Caitlyn was part of the Women of Amazon Security Panel at the event. You can read more about Caitlyn and her colleagues as they discuss their diverse paths into security and offer advice for those looking to enter the field here.
Selected Reading

TeamViewer investigating intrusion of corporate IT environment (The Record)
Microsoft reveals further emails compromised by Russian hack (Engadget)
Chicago Children's Hospital Says 791,000 Impacted by Ransomware Attack (SecurityWeek)
Unfurling Hemlock: New threat group uses cluster bomb campaign to distribute malware (Outpost24)
Google to block sites using Entrust certificates in bombshell move (The Stack)
US House Subcommittee examines critical infrastructure vulnerabilities, role of cyber insurance in resilience efforts (Industrial Cyber)
FTC Defends Investigation Into Cyberattack on MGM as Casino Giant Seeks to Block Probe (The National Law Journal)
This is why you need backups: A cyber attack on an Indonesian data center caused havoc for public services, and it's forcing a national rethink on data security (ITPro)
Polyfill.io, BootCDN, Bootcss, Staticfile attack traced to 1 operator (Bleeping Computer)
ISP Sends Malware to Thousands of Customers to Stop Using File-Sharing Services (Cybersecurity News)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.

...of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private. JoinDeleteMe.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout. That's JoinDeleteMe.com slash N2K, code N2K.

TeamViewer tackles APT29 intrusion. Microsoft widens email breach alerts. Uncovering a malware epidemic. Google's distrust on Entrust, safeguarding critical systems, FTC versus MGM. Don't forget to back up your data. Polyfill's accidental exposé. Our guest is Caitlyn Shim, director of AWS Cloud Governance, and she joins Rick Howard at the AWS re:Inforce event. They're discussing cloud governance, the growth and development of AWS, and diversity. And a telecom titan becomes a telecom terror.
Today is Friday, June 28th, 2024. This is not Dave Bittner, but Trey Hester filling in for Dave Bittner. And this is your CyberWire Intel briefing.
Remote access software provider TeamViewer is investigating a breach of its internal corporate IT environment, The Record reports. The company said in an update this morning, quote, current findings of the investigation point to an attack on Wednesday, June 26, tied to credentials of a standard employee account within our corporate IT environment. Based on continuous security monitoring, our teams identified suspicious behavior of this account and immediately put incident response measures into action. Together with our internal incident response support, we currently attribute this activity to a threat actor known as APT29, also known as Midnight Blizzard. Based on current findings of the investigation, the attack was contained within the corporate IT environment and there is no evidence that the threat actor gained access to our product environment or customer data. End quote.

The Health Information Sharing and Analysis Center issued a threat bulletin yesterday alerting the health sector to active cyber threats exploiting TeamViewer. The Record also notes that cybersecurity firm NCC Group notified its customers that it has been made aware of a significant compromise of its TeamViewer remote access and support platform by an APT group.
Microsoft is notifying additional customers whose email correspondence with Microsoft was accessed by the Russian threat actor Midnight Blizzard, according to Engadget. The number of those affected was not disclosed. Microsoft stated, quote, this week we are continuing notifications to customers who corresponded with Microsoft corporate email accounts that were exfiltrated by the Midnight Blizzard threat actor, and we are providing the customers the email correspondence that was accessed by this actor. This has increased detail for customers who have already been notified and also includes new notifications. End quote.
In a follow-up to a story we've followed over the past few months, SecurityWeek reports that the Ann and Robert H. Lurie Children's Hospital of Chicago is notifying 791,000 people that their personal and medical information was accessed during a January ransomware attack. The hospital said in a breach notification that it refused to pay the ransom, and the Rhysida ransomware group subsequently marked the stolen data dump as sold on its website. SecurityWeek says the breached information includes names, addresses, dates of birth, dates of service, driver's license numbers, Social Security numbers, email addresses, phone numbers, health claims information, medical condition or diagnosis, medical record number, medical treatment, and prescription information.

Outpost24 has published a report on a malware distribution campaign that's spreading hundreds of thousands of malware samples, infecting each victim with up to 10 of them at the same time. The campaign is run by a suspected criminal group based in Eastern Europe, which is likely providing the distribution operation as a service for numerous malware operators. The researchers believe the threat actor is paid per infection and is attempting to spread as much malware as possible to as many victims as possible. The malware is distributed via phishing emails and malware loaders. Once the file is executed on the machine, it unfurls by installing up to 10 strains of information-stealing malware.
Google has announced that Chrome will no longer trust digital certificates issued by Entrust, a major certificate authority. The decision follows multiple compliance violations by Entrust, which have eroded confidence in its competence and reliability. The move will impact numerous organizations, including major banks and corporations, starting November 1, 2024. Google recommends affected entities transition to a new CA. Despite Entrust's recent efforts to address these issues, the response has been deemed insufficient. The company is urged to demonstrate significant improvements to regain trust.

The U.S. Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection held a hearing to address vulnerabilities in critical infrastructure and the role of cyber insurance in enhancing resilience. Key witnesses emphasized the importance of cyber insurance in recovery and risk mitigation, highlighting its potential to support both private and federal responses to cyber threats. The discussion underscored the necessity of proactive planning, clearer coverage standards, and enhanced public-private collaboration to protect critical infrastructure from evolving cyber threats.

The Federal Trade Commission is pushing back against MGM Resorts International's efforts to block its investigation into a significant cyber attack that occurred last September. The breach compromised the personal information of 1.5 million guests and disrupted MGM's operations for over a week. MGM has been resisting the FTC's investigative demands, leading the FTC to seek a court order to enforce compliance. The FTC's stance underscores the importance of regulatory oversight in addressing cybersecurity breaches and ensuring accountability to protect consumer data.

A recent cyber attack on an Indonesian data center severely disrupted public services, including airport and immigration systems, and exposed significant shortcomings in data backup practices. With 98% of the government's data not backed up, the incident has prompted a national audit to improve cyber resilience and data security. Officials blame poor governance and budget constraints for the lack of backups. The breach highlights the critical need for robust backup strategies and proactive data protection to prevent similar disruptions in the future. Come on, people, back up the data.

Continuing our coverage of a story we are following this week, a large-scale supply chain attack on multiple content delivery networks, including Polyfill.io, BootCDN, BootCSS, and StaticFile, has been traced to a single operator. Researchers discovered exposed Cloudflare keys in a public GitHub repository, which linked the attack to a common entity. The breach affected tens of millions of websites, highlighting severe vulnerabilities in the supply chain. The attack is likely to have been ongoing since June of 2023.

Coming up after the break, we've got N2K's Rick Howard talking with guest Caitlyn Shim, AWS's Director of AWS Cloud Governance. Rick recently caught up with her at AWS's re:Inforce event. They spoke about cloud governance, the growth and development of AWS, and diversity. Stay with us.
Transat presents a couple trying to beat the winter blues.
We could try hot yoga.
Too sweaty. We could go skating.
Too icy.
We could book a vacation.
Like somewhere hot.
Yeah. With pools. And a spa. And endless snacks.
Yes! Yes! Yes!
With savings of up to 40% on Transat South packages, it's easy to say so long to winter. Visit Transat.com or contact your Marlin travel professional for details. Conditions apply.
Air Transat. Travel moves us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies, like Atlassian and Quora, have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one third of new members discover they've already been breached. Protect your executives and their families 24/7, 365, with Black Cloak. Learn more at blackcloak.io.
AWS is a media partner here at N2K CyberWire. In June of 2024, Brandon Karpf, our VP of Programming, Jen Eiben, our Executive Producer, and I traveled to the great city of Philadelphia to attend the 2024 AWS re:Inforce security conference. And I got to sit down with Caitlyn Shim, the GM of AWS Cloud Governance. Of course, one of the conference themes is trying to understand the impact of machine learning and generative AI in the cloud security space. Caitlyn was quick to point out that just because a new technology comes down the road that appears all shiny and new, it doesn't mean that InfoSec leaders need to change their strategies, their first principles. She calls it your Strong Security Governance Foundation.
I think over the course of my career, I've been honored to see a whole bunch of new technologies come up.
Yeah.
And so one thing we've learned from that experience is that it's really, really important to have a strong security and governance foundation. And if you have that foundation, it helps protect you for whatever may happen.
Gen AI is the one that we're very excited about and you're hearing a lot about this week, but there'll be something else tomorrow.
Gen AI will be old hat and we'll be really excited about something else next.
And that's really where you really want to make sure you have that fence and that perimeter around your environment to make sure that it's set up correct.
In some ways, like AI and ML for Amazon is a little old hat.
We've been working on, we've been working in this for over 25 years.
So.
I think it's what people forget.
You know, machine learning algorithms have been around for a long time.
Yes.
Right.
Exactly.
This got popular in the last couple of years.
Yeah.
Exactly.
And so learning how to be secure and well-governed with all of that is, we have a lot of experience to bring to the table with that.
So I just found out that you were one of the, almost one of the original employees around AWS in 2006, right? When it all started, right? That's when we launched AWS as a product, right? So you were there at the ground floor?
I was on the team that launched AWS CloudWatch, which was the, if my memory serves me right, something like the fifth AWS service it launched. So I won't call myself one of the originals. I won't compete with Peter DeSantis on launching EC2 or anything like that.
I would totally claim that.
But yeah, it's been fun watching AWS grow up over the years.
So tell me about that.
What's the difference between young AWS and modern AWS these days?
In some ways, a lot of things aren't different, right? Like security has been critical to Amazon since before AWS. Security is how we keep our customer trust. It's how we keep customers being willing to give us their credit card for amazon.com. AWS came from a lot of those lessons that we've learned as a company, even before AWS existed. I think the big thing has been scale, right? More and more customers have chosen AWS. They've moved their workloads to AWS, and they pick us because we offer a wide variety of services and we're the most secure cloud provider.
So your experience, and you're passionate about diversity in the workplace. You're a successful woman at AWS in a world dominated by mostly white guys, right? So you've seen it from the beginning. Can you give us a sense of what it's like these days working as a woman in a male-dominated world?
I can say that I've seen a number of women come up right now, and I'm in the cloud governance and identity team. And I have two other female peers at my level, which is amazing. And I think in the world where we see the importance of diversity of thought, AWS and Amazon are very encouraging of making sure that we do think that bring in many different perspectives, women, many different things that we look for, not just gender. And I lost the thread on your question, sorry.
Let me rephrase it then, right?
We've known about diversity inclusion issues in the cybersecurity space for a decade, let's say.
And we all, all of us tried to do things to make it better, right?
And it has gotten a little bit better.
But it hasn't been a resounding success in any way, I don't think, right?
Do you agree with that?
I've seen it get better, for sure.
Yeah.
But there's still work to do, for sure.
Is there anything you can point to that here's things that work and here's things that don't work?
That's a good question. Making sure that diverse perspectives are brought in is always super important. With our success of our products, it means that the people working on them need to reflect our customers, and every customer needs to be secure, not just people who look like one particular profile. And I think this also, the Amazon, there's a lot of systems at Amazon that I think really do help with that as well. Our whole working backwards process means that we start with the customer, what they need, write down the data for what they need, and make decisions not based on a PowerPoint presentation, but based on what we think is truly the best customer experience. Personally, for me, I found that to be super helpful to make sure my voice is heard. I can put the data down. We read it, we evaluate it, and we have a discussion about what's right for the customer, not just the loudest person in the room.
When I first started thinking about diversity inclusion issues, there were really two pieces, right? It was an awareness piece where we did a lot of, you guys should know that there's a problem that we need to try to fix. And then there was a second piece where we actually tried to do stuff to make it better. I know in the early days, we did a lot of awareness things and didn't do a lot of fixing kinds of things. Is that still the current situation?
I think it's a balance.
It's a balance.
Yeah. I mean, awareness alone, and I've seen some studies recently that awareness alone can
sometimes hurt, not help. So you need those mechanisms in place. You need to check.
You need to think about how are we making sure that we're not just catering our business
environment, our meetings, our processes around one type of personality. If someone's quieter,
how do we make sure that their voice is recognized? If someone doesn't speak very loudly,
how do we make sure that we're seeing their opinion, things like that?
Well, I've always said this is not a woman's problem.
It's a men's problem, right?
Men have to do what you're describing, right?
They have to see that there's this talented person in the corner who's kind of quiet and bring them out.
You know, they have to do that, right?
Or we're never going to get there.
Yeah, it's everyone, right? And I've been honored to work for a number of leaders who have been very, very explicit about recognizing when there's someone who has good ideas that may not be highlighted and they explicitly call them out.
And certainly when I was a junior in my career, I had a boss who either Slacked me or explicitly called me out like, Caitlyn, what do you think here?
Yeah, exactly. That's what we need, right? Yeah.
So at the conference, at the AWS re:Inforce conference, you're on a panel that discusses women's issues. Is there a main theme from that that you're going to tell everybody?
I think our biggest theme is encouraging women to focus on security. It is one of the industries, one of the ends of computer science, where we don't see as many women. And security touches every possible industry. There's not much you can do where you don't care about security and tech. And so it's really talking about how having, first of all, encouraging women to focus on security, think about security.
And what I really want the audience to take away is that it's a real advantage to you to focus on that and learn it,
because it's a transferable skill.
If you're in healthcare, if you're in cloud providing, if you end up working on devices,
everyone needs to care about security.
So it's not just a thing you could do.
It's a thing that might sustain you forever anywhere you might go.
So don't be afraid of it.
Exactly.
That's excellent.
I think that's a great place to leave us.
Well, thank you for coming in and telling us about this.
We really appreciate it.
Thank you.
That was Caitlyn Shim, the GM of AWS Cloud Governance.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And finally, we dive into a cyber scandal straight out of a dystopian thriller, but with a distinctly real-world twist. JTBC, a leading Korean news outlet, has blown the whistle on KT Corporation, one of South Korea's largest telecom providers, for deliberately infecting over 600,000 users with malware to deter them from using torrent services.

In May of 2020, WebHard, a Korean cloud service reliant on BitTorrent, started drowning in user complaints about bizarre system errors. As it turned out, KT Corporation had decided to moonlight as a digital vigilante. Their malware operation, straight from their data center south of Seoul, wreaked havoc. Users saw strange folders appearing, files vanishing, and in severe cases, entire PCs rendered useless.

The police traced the malware back to KT's data center and have charged 13 individuals, including KT employees and subcontractors, with violating South Korea's Protection of Communications Secrets Act and the Information and Communications Network Act. The investigation is ongoing, and more heads might roll as authorities dig deeper.

So next time your computer acts up, remember, it might not be a bug. It may just be your friendly neighborhood telecom company trying to teach you a lesson.
And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.

Be sure to check out Research Saturday tomorrow, where Dave sits down with Ismael Valenzuela, Vice President of Threat Research and Intelligence from the BlackBerry Threat Research and Intelligence team, to discuss their work on Transparent Tribe targeting the Indian government, defense, and aerospace sectors, and leveraging cross-platform programming languages. That's Research Saturday. Check it out.

We'd love to know what you think of this podcast. Your feedback ensures that we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. We're privileged that N2K Cyber Wire is part of a daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is me, with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher. And I'm Trey Hester, filling in for Dave Bittner. Thanks for listening. We'll see you back here next week.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.