CyberWire Daily - The claim heard ‘round the world.
Episode Date: June 24, 2024

LockBit claims to have hit the Federal Reserve. CDK Global negotiates with BlackSuit to unlock car dealerships across the U.S. Treasury proposes a rule to restrict tech investments in China. An LA school district confirms a Snowflake-related data breach. Rafel RAT hits outdated Android devices. The UK's largest plutonium stockpiler pleads guilty to criminal charges of inadequate cybersecurity. Clearview AI settles privacy violations in a deal that could exceed fifty million dollars. North Korean hackers target aerospace and defense firms. Rick Howard previews CSOP Live. Our guest is Christie Terrill, CISO at Bishop Fox, discussing how organizations can best leverage offensive security tactics. Bug hunting gets a little too real.

Our 2024 N2K CyberWire Audience Survey is underway; make your voice heard and get in the running for a $100 Amazon gift card. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Guest Christie Terrill, CISO at Bishop Fox, joins to discuss how organizations can leverage offensive security tactics not just as strategies to prevent cyber incidents, but as a critical component of a cyberattack recovery process. Rick Howard sits down with Dave to share a preview of what's to come at our upcoming CSOP Live event this Thursday, going beyond the headlines with our panel of Hash Table experts for an insightful discussion on emerging industry trends, recent threats and events, and the evolving role of executives in our field.

Selected Reading
LockBit claims the hack of the US Federal Reserve (securityaffairs)
Why are threat actors faking data breaches? (Help Net Security)
CDK Global outage caused by BlackSuit ransomware attack (bleepingcomputer)
US proposes rules to stop Americans from investing in Chinese technology with military uses (AP News)
Los Angeles Unified confirms student data stolen in Snowflake account hack (bleepingcomputer)
Ratel RAT targets outdated Android phones in ransomware attacks (bleepingcomputer)
Sellafield Pleads Guilty to Historic Cybersecurity Offenses (Infosecurity Magazine)
Sellafield nuclear waste site pleads guilty to IT security breaches (Financial Times)
Facial Recognition Startup Clearview AI Settles Privacy Suit (SecurityWeek)
New North Korean Hackers Attack Aerospace and Defense Companies (cybersecuritynews)
Spatial Computing Hack (Ryan Pickren)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyber Wire Network, powered by N2K. of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me.
I have to say, Delete.me is a game changer. Within days of signing up, they started removing my
personal information from hundreds of data brokers. I finally have peace of mind knowing
my data privacy is protected. Delete.me's team does all the work for you with detailed reports
so you know exactly what's been done. Take control of your data and keep your private life Thank you. JoinDeleteMe.com slash N2K and use promo code N2K at checkout.
The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout.
That's JoinDeleteMe.com slash N2K, code N2K.
LockBit claims to have hit the Federal Reserve.
CDK Global negotiates with BlackSuit to unlock car dealerships across the U.S.
Treasury proposes a rule to restrict tech investments in China.
An L.A. school district confirms a snowflake-related data breach.
Rafel RAT hits outdated Android devices.
The U.K.'s largest plutonium stockpiler pleads guilty to criminal charges of inadequate cybersecurity.
Clearview AI settles privacy violations in a deal that could exceed $50 million.
North Korean hackers target aerospace and defense firms.
Rick Howard previews CSOP Live.
Our guest is Christie Terrill,
Chief Information Security Officer at Bishop Fox,
discussing how organizations can best leverage
offensive security tactics.
And bug hunting gets a little too real.
It's Monday, June 24th, 2024.
I'm Dave Bittner,
and this is your CyberWire Intel briefing.
Happy Monday, and thank you for joining us. It is great, as always, to have you here with us.
The LockBit ransomware group claims to have breached the U.S. Federal Reserve, stealing 33 terabytes of sensitive data, including Americans' banking information.
They added the Federal Reserve to their Tor data leak site and threatened to release the data on June 25. No sample data has been published yet. LockBit's announcement detailed the Federal
Reserve's role in managing money distribution
across 12 banking districts in cities like New York, Chicago, and San Francisco.
They mocked the negotiator handling the situation, calling them a clinical idiot,
demanding a replacement within 48 hours.
Experts are skeptical, suspecting the announcement may be a ploy for attention given the Federal Reserve's high-profile status.
If true, a breach of this magnitude could, of course, have significant consequences.
The Federal Reserve has yet to comment, and of course there's a good chance that this is nothing more than bluster and bravado from the LockBit gang.
HelpNet Security commented on the recent string of threat actors making false claims.
Hackers sell fake data primarily for financial gain, similar to peddling fake jewelry.
Other motives include gaining notoriety, creating distractions, damaging reputations,
manipulating stock prices, and uncovering security processes.
For example, in March of this year,
a Russian hacking group falsely claimed to hack Epic Games to gain visibility.
Similarly, false breach claims like the one against Sony in September of last year can harm reputations despite being untrue.
Hackers can use tools like ChatGPT to generate convincing fake data.
Organizations can combat fake breaches by monitoring the dark web, analyzing leaked datasets, preparing their workforce, keeping communication teams ready, deploying canary tokens, and using integrated security models like SASE to detect and block breaches in real time.
Car dealerships across North America were thrown into chaos after CDK Global suffered a massive IT outage
caused by the BlackSuit ransomware gang.
This disruption forced dealerships to revert to pen and paper for operations
impacting sales, inventory, and customer service.
Major dealership groups like Penske Automotive and Sonic Automotive
reported significant disruptions and implemented manual workarounds.
The BlackSuit ransomware gang is behind the attack, according to anonymous sources.
CDK Global is negotiating with the gang to obtain a decryptor and prevent data leaks.
The attack forced CDK to shut down its IT systems twice to contain the damage.
BlackSuit, which emerged in May 2023,
is believed to be a rebrand of the Royal ransomware operation. The FBI and CISA have linked them to over 350 attacks
and $275 million in ransom demands since September of
2022. CDK also warned of threat actors posing as its agents to gain unauthorized access.
The Treasury Department proposed a rule to restrict and monitor U.S. investments in China
for AI, computer chips, and Computing, based on President Biden's
August 2023 executive order. This aims to prevent countries of concern, including China, Hong Kong,
and Macau, from enhancing their military and cyber capabilities with U.S. funds. The rule requires
U.S. citizens and residents to report transactions in these areas and prohibits funding AI systems for military applications in China.
President Biden also imposed tariffs on Chinese electric vehicles, highlighting political efforts to counter China.
Treasury seeks public comments on the proposal until August 4, with a final rule expected afterward. Despite rising tensions, officials assert no intent to decouple from China.
The Los Angeles Unified School District confirmed a data breach after threat actors accessed its Snowflake account, stealing student and employee information. Snowflake is a cloud database platform used globally.
Hackers began selling data from several companies,
including the Los Angeles Unified School District, on hacker forums.
A joint investigation by Snowflake, Mandiant, and CrowdStrike
revealed that the threat actor, UNC5537,
exploited stolen credentials from organizations
who weren't using multi-factor
authentication, downloaded their data, and attempted extortion. On June 18th, the hacker
Spider listed LAUSD data for $150,000. Another hacker, Satanic, had earlier sold different LAUSD data. LAUSD is working with the FBI and CISA to investigate.
Students, teachers, and staff should stay vigilant
against potential phishing attacks using this leaked data.
The open-source Android malware Rafel RAT is being widely used by cybercriminals to attack outdated devices, often deploying a ransomware module demanding payment via Telegram. Researchers at Check Point detected over 120 campaigns using Rafel RAT, including those by known threat actors like APT-C-35, originating from Iran and Pakistan.
High-profile organizations in the government and military sectors, mainly in the U.S., China, and Indonesia, are among the targets. Most victims run Android versions 11 or older, which are no longer receiving security updates. Rafel RAT spreads through fake apps mimicking
popular brands and requests risky permissions during installation. It supports various commands, including ransomware and device lock.
To defend against these attacks, users should avoid dubious APK downloads,
avoid clicking on suspicious URLs, and use Play Protect.
Sellafield Limited, the organization that manages the world's largest plutonium stockpile, has pleaded guilty to all charges related to cybersecurity failings from 2019 to 2023.
The UK's Office for Nuclear Regulation confirmed the plea and stated there was no evidence of exploitation or hacking.
A sentencing hearing is set for August 8th.
The charges involve not adequately protecting
sensitive IT network information,
though public safety was reportedly not compromised.
Despite past media claims
of Russian and Chinese hacker intrusions
dating back to 2015,
Sellafield asserts these issues only emerged
when external staff accessed its servers and reported vulnerabilities.
Sellafield's cybersecurity is now described as robust by its lawyers.
Clearview AI settled an Illinois lawsuit alleging privacy violations from its photo database in a deal potentially exceeding $50 million.
The settlement offers plaintiffs a share of the company's future value,
with $20 million allocated for attorney fees.
Preliminary approval was granted by Judge Sharon Johnson Coleman.
The lawsuit, consolidating cases nationwide,
claimed Clearview violated privacy by scraping photos from the internet.
Clearview previously settled a 2022 Illinois case,
stopping sales to private entities but allowing work with law enforcement.
Clearview denies liability in the current settlement.
The agreement, facilitated by mediator Wayne Anderson,
acknowledges Clearview's lack of funds for a larger payout. Privacy advocates criticize the deal for not stopping Clearview's practices. A campaign will notify eligible U.S. plaintiffs with data in Clearview's database from July 2017 onward.
Researchers from Cyber Armor have uncovered a sophisticated malware campaign, NICKI, likely linked to North Korean hackers targeting aerospace and defense firms.
This campaign uses job description lures to deliver a multi-stage attack,
installing a powerful backdoor that provides remote access and data exfiltration capabilities.
Indicators point to the Kimsuky group as the culprit.
The backdoor employs advanced obfuscation techniques to evade detection.
Coming up after the break, Rick Howard previews CSOP Live,
and our guest is Christie Terrill, Chief Information Security Officer at Bishop Fox,
discussing how organizations can best leverage offensive security tactics. Stay with us.
Do you know the status
of your compliance controls right now?
Like, right now.
We know that real-time visibility
is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families
24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Christie Terrill is CISO at Bishop Fox.
I recently caught up with her to discuss how organizations can best leverage offensive security tactics.
Offensive security, which can be whittled down to more simple things like penetration testing, red teaming,
those types of activities. Generally, people think of it as more proactive. We're going to do these things periodically, X number of times per year upon request. And it's all to find issues,
preferably before external parties and preferably before the bad guys find them. But what we're seeing is,
as things have sped up and we do more frequent releases of apps and environments change,
that these same types of activities are both needed more frequently and when there is some
type of attack or incident or breach,
it can actually complement how a company can respond to that.
Well, before we get into the recovery process component here,
can we talk about the frequency?
I mean, how can an organization, as you say, in kind of this increased cadence,
how do they dial in how often they should be doing these things?
Well, the minimum bar has been for a long time
and I think still is annual testing, right?
It's something that customers often require
of the other B2B relationships.
And it's something that's in lots of policies and frameworks.
But because things are changing so frequently, there is much more of a need to have results more frequently.
And so the type of testing actually has to change.
It can't just be a single point in time, comprehensive, deep dive, analyze all the source code, look at it kind of clean slate.
You can't do that every month, every quarter, even every week, right?
So I think the type of testing services
or testing activities you could do for yourselves internally
needs to be more looking at incremental changes,
looking at data fees you could even get from the outside,
looking at things from like emerging threats,
just more comprehensive,
but also looking at things that are smaller, chewable bites at once.
And how does this fit into a compliance regime here? You mentioned that lots of folks are
obligated to do something on an annual basis. Does this supplement that?
Yes. I mean, it's actually, it won't, I would say it might not help you with some of the compliance requirements because they're always a little behind the times and they still may have those kind of just do something annually, do something upon major release.
some activities yourselves, you can still create and issue those types of reports that then at least say, you know, what was found at, on what date and that you're fixing those things, right?
Because let's just say you were doing testing that was once a quarter and your obligation is only
annual. There's various ways you could do that for compliance, right? You can give them their
most recent quarterly assessment. You could, you know, if something that's kind of an always-on test, you could just get a
point-in-time report.
So there's various ways.
I mean, we've dealt with this with our customers because we've been definitely thinking about
that.
But there's various ways that you could still provide the assurance for compliance purposes
that you're doing the activities that they want while actually being ahead of the curve
and doing things, you know things even more frequently and faster.
And I suspect, wouldn't it be so that if you were doing these more frequently,
when it comes time for that annual review, that it may help make that less of a heavy lift and
maybe have there be fewer surprises? Absolutely. And typically for compliance purposes,
that what you do annually and what is usually provided by a third
party that has a report and letter of assessment that goes with it is often what you're going to
have to provide to your third parties and your own customers, right? And so, I mean, just from a,
you know, point of pride perspective, you don't want to have a lot of things on that report.
You prefer as an organization to identify and fix those earlier.
Yeah, that's a really interesting point. Well, let's talk about the recovery process component of this. I mean,
how does it play into that? Right. So, you know, my own experience and also that at Bishop Fox,
just to be clear, is that we don't do the immediate triage of incident. We don't do
immediate incident response. So that's kind of not the perspective I have. It's just not the services that we provide.
But we often get engaged with our clients when they are in those follow-on days and weeks after
an incident. And that's where we see how these services can be of help. So I just want to make
that caveat clear. Typically, when we're
working with a customer, they've already been a previous customer of ours. They're not coming to
us because they have a breach, right? We already have a relationship with them. We already have
paperwork with them. So that's another kind of benefit of how we get to have a seat at the table
to what they're going through. But let me use an analogy. Let's say you have, and I live in New
York City, so this analogy is at least very apt for myself. Let's say you live in an apartment
building and there is a fire in a single apartment. It's obviously the immediate need for the fire
department is to come out and put that fire out, right? You don't want that fire to spread. You
don't want anyone to get harmed. There's imminent, time-sensitive things that have to happen. Immediately, you cannot wait and decide which fire department to call
and go through analysis. You just have to get that issue fixed. So let's say that gets fixed
immediately. Fire is out. But often, there's then a question of, well, is the apartment
building safe for residents to come back in? You know,
what was the cause of that fire? Was it because of a gas leak that could have, you know, could be an
issue for the whole building? Was it a single incident? Was it, you know, was it isolated?
So then there's actual work to be done of kind of going through methodically through the building,
apartment by apartment, perhaps, to really check that the
building is truly safe and secure before you can say everyone can move back in, right? So if you
take that analogy, there's actually more work to be done in those kind of that gray area of you've
triaged the actual immediate incident, but there's a lot more work you now have to do to make sure that that same incident won't happen again.
That's Christie Terrill, Chief Information Security Officer at Bishop Fox.
It is always a treat for me to welcome back to the show my N2K CyberWire colleague, Rick Howard.
He is our chief security officer, also our chief analyst.
Rick, welcome back.
Hey, Dave.
So you and I usually talk about CSO Perspectives, your very popular podcast here on the show.
But this week, we've got something that's related but a little different.
What's coming up here, Rick?
Yeah, this is one of my favorite things we get to do.
It's called CSO Perspectives Live.
It's a webinar, about an hour long.
All right.
And you know, Dave, you do the news every day, and it comes fast and furious.
There's so many things that happen, right? It's tough to get your hands around what's going on. So what this show does is it takes three, well, two experts and me. I is going to have the most impact, you know, from the last 90 days. And we can spend, you know, some time discussing the ramifications of it. So it's really fun to do
and I love we get the opportunity to do it. Can you give us a little preview here? Who do you
have lined up to be your experts? Yeah, these are two really old friends of mine. Dawn Cappelli,
she's the head of the OT-CERT for Dragos. She's an original OG
member of the Hash Table crew. And she's going to come in and talk about Volt Typhoon and the
Russian hacktivist attacks on water utilities and give us some details there. That's going to be
interesting. Yeah, I've had the pleasure of interviewing her a handful of times, and it's
always time well spent. She's amazing, right?
Really one of the smart people in the industry.
And then right alongside her is Helen Patton, another old friend, another original Hash Table member.
She's the cybersecurity executive advisor at Cisco.
But, you know, I mention her all the time.
She's working with me with the Cybersecurity Canon Project.
She's on the board there.
And she's bringing this topic that, man, I hadn't thought about this, but I just started hearing inklings of it at the last RSA conference. She calls it the changing role of security
leadership. And what's been floating around is that maybe that CISO job has become too big for
one person, and maybe it's split into a technical role
and a business role.
And she's going to talk about the ramifications of that.
That's intriguing.
I know.
Maybe I'm glad I'm at the end of my career.
I don't have to mess with all that.
Well, before I let you go, you mentioned the Cybersecurity Canon Project, and you were just recently out that way at one of the Canon events, right?
Can you give us a little summary of your trip out?
I believe it was Colorado, wasn't it?
Yeah, it was at the Rocky Mountain Information Assurance Conference,
and we gave the Hall of Fame Awards to the two winners this year,
Andy Greenberg for his book, Tracers in the Dark, and Dr. Eugene Spafford for his book,
Myths and Misconceptions. And I can't tell you what a fantastic job this is to be able to
get on stage with those two brilliant people. I mean, Dr. Spafford, you know, he's one of the
original cybersecurity founding fathers. Most of the things we think about now came from him, right?
And Andy Greenberg, you know, he is a world-class cybersecurity journalist,
been writing for Wired Magazine for almost a decade now.
He's got two books in the Hall of Fame right now.
And so, I mean, I just pinch myself sometimes they let me do stuff like this.
Isn't it great?
Yeah.
Well, I mean, that's the Cybersecurity Canon.
So for folks who are interested in checking that out,
just search the regular places for Cybersecurity Canon.
Yep, absolutely.
Ohio State University is a sponsor.
So just look up Canon.
That's one N.
And Ohio State University, you'll find it.
And there are book reviews for all the books
we've considered for the Hall of Fame.
So if you're looking to read a good book this year, don't read a bad one and take a look at the book
reviews first and make your choice. And then signing up for CSO Perspectives Live, is that
over on the CyberWire website? Yes, it is. Go ahead and do that. You'll find it on the website.
And it is, I make sure I got the date right, 27 June at 2 o'clock Eastern Standard Time.
All right.
Terrific.
Rick Howard is N2K CyberWire's Chief Security Officer and also our Chief Analyst.
Rick, thanks so much for joining us.
Thanks, Dave.
Thank you. worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep
your company safe and compliant.
And finally, imagine finding a bug that literally fills your room with bugs.
Well, that's exactly what happened with a new exploit that researcher Ryan Pickren discovered in visionOS Safari,
running on Apple's Vision Pro headset.
The bug allows a malicious website to bypass all warnings and fill your room with animated 3D objects like crawling spiders and screeching bats.
When Apple announced the Vision Pro, they touted its impressive privacy protections.
But while exploring the technology, Ryan Pickren found an overlooked loophole in an old 3D model
viewing standard. By using Apple's ARKit QuickLook, he could force Safari to spawn these objects
without any user interaction. The kicker? These objects persist even after closing Safari.
The exploit is simple.
Using JavaScript to auto-click a hidden link,
he could flood the victim's space with 3D models.
Imagine hundreds of spiders crawling around your room
with no easy way to get rid of them
except by physically tapping each one.
Ryan Pickren reported the bug to Apple,
and they assigned it a CVE and paid him a bug bounty.
The discovery highlights the need for a more nuanced approach
to vulnerability triaging in the era of spatial computing.
As we venture into hyper-realistic mixed reality,
our threat models must evolve to consider the deeply personal nature of these
devices. So, next time you find yourself donning the Vision Pro, beware of unexpected visitors.
While virtual reality is designed to be immersive, nobody wants their home turned into a digital
haunted house filled with virtual bugs and screeching bats. It's like an episode of Black
Mirror, but with more spiders. Happy bug hunting.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing
at thecyberwire.com. We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
We're privileged that N2K CyberWire is part of the daily routine of the
most influential leaders and operators in the public and private sector, from the Fortune 500
to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy
for companies to optimize your biggest investment, your people. We make you smarter about your teams
while making your teams smarter.
Learn how at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester with original music and sound design by Elliot Peltzman.
Our executive producer is Jennifer Iben.
Our executive editor is Brandon Karp.
Simone Petrella is our president.
Peter Kilpie is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.