CyberWire Daily - The cost of peeking at U.S. traffic.
Episode Date: December 17, 2024

The Biden administration takes its first step to retaliate against China for the Salt Typhoon cyberattack. The Feds release a draft National Cyber Incident Response Plan. Telecom Namibia suffers a cyberattack. The Australian Information Commissioner has reached a $50 million settlement with Meta over the Cambridge Analytica scandal. CISA releases its 2024 year in review. LastPass hackers nab an additional five million dollars. Texas Tech University notifies over 1.4 million individuals of a ransomware attack. Researchers discover a new DarkGate RAT attack vector using vishing. A fraudster gets 69 months in prison. On our Threat Vector segment, David Moulton speaks with Nir Zuk, Founder and CTO of Palo Alto Networks, about predictions for 2025. Surveillance tweaks our brains in unexpected ways.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

Threat Vector Segment

On our Threat Vector segment, we preview this week’s episode where host David Moulton talks with Nir Zuk, Founder and CTO of Palo Alto Networks. They talk about Palo Alto Networks' predictions for 2025, focusing on the shift to unified data security platforms and the growing importance of AI in cybersecurity. You can catch new episodes of Threat Vector every Thursday here and on your favorite podcast app.
Selected Reading
Biden Administration Takes First Step to Retaliate Against China Over Hack (The New York Times)
US Unveils New National Cyber Incident Response Plan (Infosecurity Magazine)
Telecom Namibia Cyberattack: 400,000 Files Leaked (The Cyber Express)
Landmark settlement of $50m from Meta for Australian users impacted by Cambridge Analytica incident (OAIC)
CISA Warns of New Windows Vulnerability Used in Hacker Attacks (CyberInsider)
CISA 2024 Year in Review (CISA)
LastPass threat actor steals $5.4M from victims just a week before Xmas (Cointelegraph)
Texas Tech University Data Breach Impacts 1.4 Million People (SecurityWeek)
Microsoft Teams Vishing Spreads DarkGate RAT (Dark Reading)
Man Accused of SQL Injection Hacking Gets 69-Month Prison Sentence (SecurityWeek)
The psychological implications of Big Brother’s gaze (SCIMEX)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k.
The Biden administration takes its first step to retaliate against China for the Salt Typhoon cyber attack.
The feds release a draft national cyber incident response plan.
Telecom Namibia suffers a cyber attack.
The Australian Information Commissioner has reached a $50 million settlement with Meta over the Cambridge Analytica scandal.
CISA releases its 2024 year in review.
LastPass hackers nab an additional $5 million. Texas Tech University notifies over 1.4 million individuals of a
ransomware attack. Researchers discover a new DarkGate rat attack vector using vishing. A
fraudster gets 69 months in prison. On our Threat Vector segment, David Moulton speaks with Nir Zuk,
founder and CTO of Palo Alto Networks,
about predictions for 2025.
And surveillance tweaks our brains
in unexpected ways.
It's Tuesday, December 17th, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Thanks for joining us here today. It is great to have you with us.
The Biden administration has taken its first step to retaliate against China for the Salt Typhoon cyber attack by banning China Telecom's remaining U.S. operations, citing national security risks.
This follows a broader Chinese hack that infiltrated U.S. telecommunications networks,
compromising sensitive data and exposing U.S. surveillance targets.
While largely symbolic, the Commerce Department's move addresses China Telecom's ability to peer in on traffic,
an issue left unresolved since the FCC revoked its phone licenses in 2021.
However, officials admit the action may not deter China's advanced cyber operations, such as Volt Typhoon, which planted malicious code in critical
infrastructure. Incoming Trump officials, including Mike Waltz, advocate for offensive cyber responses
to impose higher costs on China and prevent further escalation. Meanwhile, China's penetration remains
unresolved, with hackers gaining access to wiretap targets and potentially voice calls.
The Biden administration created a task force to tackle the breach, meeting daily with telecom
executives, but its delayed public response reflects concerns over embarrassment and exposing ongoing investigations.
Biden reportedly addressed the issue with President Xi Jinping in November,
though specifics remain unclear.
The U.S. government has released a draft National Cyber Incident Response Plan,
updating the 2016 version to address evolving cyber threats, policies, and capabilities.
CISA is soliciting public feedback until January 15th of 2025. The NCIRP outlines a flexible
framework for federal, state, and local government coordination with private sector organizations
during significant cyber incidents categorized as level two or higher
in severity. It focuses on four key areas of response. Asset response, led by CISA,
providing technical assistance to mitigate vulnerabilities and reduce cascading effects.
Threat response, managed by the DOJ and FBI, focusing on investigations, evidence collection, and threat disruption,
intelligence response, led by the Office of the Director of National Intelligence
to build awareness and share threat intelligence, and affected entity response,
ensuring operational continuity with the federal government playing a limited role for private
entities. CISA emphasizes the plan is not a
step-by-step guide but a flexible structure for collaboration. Additional planning documents and
regular updates will be developed to address emerging needs. Telecom Namibia suffered a
cyber attack on December 11th of this year, resulting in the leak of over 400,000 customer
files. The ransom group Hunters International exfiltrated 626 gigabytes of data, including
personal identification, addresses, and banking details, later leaking the information when ransom
demands went unmet. Telecom Namibia's CEO Stanley Shanapinda assured the public of efforts to
contain the breach and strengthen cybersecurity. The Communications Regulatory Authority of Namibia
and NAM-CSIRT are assisting in mitigating the attack's impact.
The Australian Information Commissioner has reached a $50 million settlement with Meta Platforms
over privacy breaches related to the Cambridge Analytica scandal.
The settlement follows court-ordered mediation stemming from civil penalty proceedings that began in 2020.
The scheme will offer two tiers of compensation, a base payment for general concerns
and a higher tier for individuals who prove specific loss or damage.
An independent third-party administrator will oversee the program, expected to begin in the second quarter of 2025.
CISA has issued a warning about an actively exploited Windows kernel-mode driver vulnerability
that enables privilege escalation to system level.
Initially disclosed by Microsoft in June 2024 with a CVSS score of 7.8, the flaw requires low
privileges and no user interaction, making it highly exploitable. CISA has mandated remediation for federal agencies by January 6, 2025.
Organizations are urged to apply Microsoft's June patch or use mitigations like system isolation, firewalls, endpoint detection tools, and enforcing least privilege to reduce risk.
Additionally, CISA released its 2024 Year in Review, highlighting key accomplishments in advancing cybersecurity, protecting critical infrastructure, and addressing emerging threats.
Throughout the year, CISA focused on building resilience through partnerships, innovation, and proactive measures.
Areas of specific interest include election security, cyber threat mitigation, global partnerships, workforce development, and emergency communications. CISA underscored its commitment to collaboration, innovation,
and accountability, positioning itself as a leader in securing critical systems that underpin the
nation's economy and daily life. The 2024 report reflects CISA's ongoing mission to safeguard the United States
against evolving cyber and infrastructure threats.
Hackers linked to the 2022 LastPass breach have stolen an additional $5.36 million from 40 victims,
pushing total crypto losses to $ million. The attackers accessed users' encrypted
vault backups, exploiting private keys and seed phrases stored before 2023. Blockchain sleuth
ZachXBT traced the stolen funds, swapped for Ether and sent to exchanges. Security experts urge affected users to transfer assets immediately.
The theft comes amid a spike in scams during the holiday season, dubbed hacker season,
with warnings to avoid free Wi-Fi, sharing 2FA codes, and festive scams. Non-crypto funds have
also been targeted, with $250 million stolen in May.
Cybersecurity advocates stress vigilance as hackers aim to exploit the seasonal uptick in online activity and spending.
Texas Tech University is notifying over 1.4 million individuals of a ransomware attack that targeted its Health Sciences Center and Health Sciences Center El Paso.
The attackers accessed the network from September 17th to 29th,
exfiltrating personal and sensitive data, including names, social security numbers,
driver's license details, health insurance, medical records, and financial account information.
The Interlock ransomware group claimed responsibility,
alleging theft of 2.5 terabytes of data,
including medical research and SQL databases.
Texas Tech also reported prior threats.
In July, the Meow Ransomware Group
offered SQL databases and website vulnerabilities for sale.
The university has filed breach reports with the U.S. Department of Health and Human Services
and is offering free credit monitoring to affected individuals.
Researchers at Trend Micro discovered a new DarkGate RAT attack vector using vishing, voice phishing,
via Microsoft Teams calls to gain remote access to a victim's device.
Initially, the attacker attempted to install Microsoft Remote Support,
but when that failed, they manipulated the victim into downloading AnyDesk.
Once connected, the attacker loaded suspicious files, including DarkGate,
which enabled remote control, executed commands, and established a connection to a C2 server.
The multi-stage attack began with phishing emails, followed by a fake Teams call posing as external tech support.
DarkGate, a sophisticated malware active since 2017, allows remote access, keylogging, cryptocurrency mining, and system data theft.
To mitigate such attacks, organizations should train employees on social engineering tactics,
verify third-party support claims, whitelist approved remote tools,
enable MFA, and block unvetted applications.
The U.S. Justice Department sentenced Vitaly Antonenko, age 32, to 69 months in prison for hacking, credit card theft, and money laundering.
Arrested in 2019 at JFK Airport returning from Ukraine, Antonenko was found with hundreds of thousands of stolen payment card numbers.
He belonged to a cybercrime group that exploited SQL injection vulnerabilities to steal data from organizations like a hospitality business
and a research institution. The stolen data was sold on cybercrime marketplaces,
and proceeds were laundered through cryptocurrency and cash transactions.
Coming up after the break on our Threat Vector segment, David Moulton speaks with Nir Zuk,
founder and CTO of Palo Alto Networks, about predictions for 2025.
And surveillance tweaks our brains in unexpected ways. Stay with us.
Do you know the status of your compliance controls right now? Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta
brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Next up, we've got our bi-weekly Threat Vector segment
giving you a preview of this week's podcast episode.
David Moulton speaks with Palo Alto Networks' founder and CTO Nir Zuk
about Palo Alto Networks' predictions for 2025. Here's their conversation.
Here's a quick preview of this week's Threat Vector. Tune into the full show on Thursday,
and don't forget to subscribe so you never miss a single episode. Let's get into it.
Personally, I think that quantum computing is one of Silicon Valley's biggest hoaxes.
It's going to turn out to be a really, really expensive hoax,
where any physicist that is not working on quantum computing
believes that it's not going to happen,
and only those that work on quantum computing and will benefit from quantum computing think it's going to happen.
Welcome to Threat Vector, the Palo Alto Networks podcast where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends.
I'm your host, David Moulton, Director of Thought Leadership for Unit 42.
Today I'm speaking with Nir Zuk,
Founder and Chief Technology Officer at Palo Alto Networks.
Nir's journey began at the age of 16 when he developed some of the earliest computer viruses
on his Dragon 64 computer.
His passion for technology and innovation is evident. After serving in the military,
he worked at Check Point, Netscreen Technologies, and then, in 2005,
Nir founded Palo Alto Networks with a vision to revolutionize network security.
Today, we're going to talk about Palo Alto Networks' 2025 predictions.
These seven predictions cover a wide range of topics, and you can read them all on our website.
For today, Nir and I are focusing on three.
First, in 2025, organizations will shift toward unified data security platforms that integrate code development, cloud monitoring, and SOCs for seamless AI-driven threat analysis.
The consolidation will enhance visibility, streamline operations, and dramatically reduce detection and response times,
positioning organizations to better combat advanced threats. Second, established organizations with
massive datasets will lead AI-driven innovations, drawing on their data volume for continuous improvement.
Partnerships between incumbents and agile newcomers will drive collaborative breakthroughs. Finally, we'll talk about quantum attacks.
While they're not imminent, harvest now, decrypt later tactics by nation-states will target sensitive data.
Organizations should act now by adopting quantum-resistant technologies
and preparing with new cryptology standards to safeguard their systems as quantum capabilities evolve.
Here's our conversation.
Our first was a prediction about how the landscape will transform and the adoption of a unified
data security platform that integrates code development, cloud environments, and SOCs.
So how do you think that the unified data platform will revolutionize cyber infrastructure in 2025?
Sure.
So it's very clear that it needs to happen.
And the reason it needs to happen is because cybersecurity is becoming more and more data-based,
meaning more and more cybersecurity functions
need a lot of data in order to do what they do
versus the past where we were just running signatures
or some basic rules on whatever it was,
traffic files and so on.
And now that more and more cybersecurity functions need a lot of data,
what we're observing is that there is a superset of that data
that is, of course, shared across all of them.
Meaning, if you look at what the SOC, the Security Operations Center, needs in terms of data to perform its tasks of detecting and responding to attacks very quickly,
that data contains pretty much everything
that all the other cybersecurity functions need.
And when I say other functions, I mean things like IoT and OT security,
detection based on DNS,
cloud security, and quite a few other functions.
And then the question is,
are we going to see 10 different data lakes,
each containing tons of data?
Or are we going to see one data lake
containing all the data?
And I just don't see a good reason for the former.
Not a single good reason and only good reasons why
everything will be in the same data lake.
It's of course cheaper.
It is much more environmental friendly
because you store once, you process once.
So you need less resources.
And more importantly, it works better.
Probably if you have all the data in one place,
our very smart engineers and data scientists
will be able to use some extra data that's in the data lake
to make IoT security better in ways that we didn't think about before.
So bringing all the data in one place just makes a whole lot of sense.
Running many different cybersecurity functions
off that data lake makes a lot of sense.
And that was our first prediction.
In 2025, we're going to see it start happening.
Can you talk about some of the potential risks
and benefits of centralizing cybersecurity
into a single platform?
So I often hear about concerns from customers
when we talk about those things.
And the main concern that they have is vendor lock-in.
And my answer to that is,
sorry, that's the way the world is.
Meaning you have one CRM solution in your organization.
So if you picked Salesforce.com,
you're kind of locked in with Salesforce.com
and switching from Salesforce.com to another vendor
as your main repository for all the data
is going to be very difficult.
And the same is true for your ERP
and other data-driven solutions that you have.
So there is going to be some vendor lock-in, of course.
We need to look at vendors that have partners
that use the same data lake for different functions.
And we need to make sure that that vendor lock-in
can be mitigated.
So that's probably the biggest risk that I'm hearing about
from customers, from their perspective.
I think that many other risks are
not as relevant.
For example, customers say,
hey, if I put everything in one place,
what if you get hacked?
And my answer is, number one,
it's much easier to guard one data lake
than 10 data lakes.
And number two,
there's a smaller chance of one data lake getting hacked
versus 10 data lakes.
So if you spread your data with replication across 10 different data lakes, you are at a higher risk.
There is the risk of, what if I work with one vendor and that vendor misses an attack that another vendor would have found?
The answer to that is usually, it's not about the vendor, it's about the data.
Meaning machine learning and other types of AI differ from each other, not by how good
your algorithms are, because these algorithms are all known.
They differ a little bit by how good your data models are, but that's only 10% of the
picture.
90% of the difference between different AI-based solutions is the actual data,
and it's really the quantity of the data.
So this idea that if I work with one vendor
versus if I work with five,
I might miss something,
it's actually the opposite.
If you work with one vendor
and you put all the data in one place
and you work off five times the amount of data,
you have a much better chance of detecting things
versus separating it into different data lakes.
Thanks for listening to this segment of the Threat Vector podcast.
If you want to hear the whole conversation, you can find the show in your podcast player.
Just search for Threat Vector by Palo Alto Networks.
Each week, I interview leaders from across our industry and from Palo Alto Networks to get their insights on cybersecurity, the threat landscape, and the constant changes we face.
See you there.
to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping
unauthorized applications, securing sensitive data, and ensuring your organization runs
smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company
safe and compliant.
And finally, a new study shows that being watched, even by lifeless CCTV cameras, turns us into hyper-vigilant gaze detectors,
as if we're all starring in our own episode of Big Brother.
Conducted by researchers at the University of Technology, Sydney,
and published in Neuroscience of Consciousness,
the study found that surveillance tweaks our brains in unexpected ways.
Participants under watchful eyes detected faces almost a second faster than their unobserved peers,
suggesting an involuntary boost to our built-in threat detection systems.
Lead researcher, Associate Professor Kiley Seymour,
explains this heightened face-spotting ability evolved for survival,
but surveillance may crank it up without us realizing. While participants shrugged off concerns about being
monitored, their brains had other plans. This hypersensitivity mimics patterns seen in social
anxiety and psychosis, raising questions about the mental health impact of our surveillance-heavy society.
So, the next time you catch yourself scanning for faces on a crowded street,
blame Big Brother, not paranoia. And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead
in the rapidly changing world of cybersecurity. If you like our show, please share a rating and
review in your favorite podcast app. Please also fill out the survey in the show notes or send an
email to cyberwire at n2k.com. We're privileged that N2K CyberWire is part of the daily routine
of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence
and law enforcement agencies. This episode was produced by Liz Stokes. Our mixer is Trey Hester
with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer
Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter
Kilby is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here
tomorrow. Thank you.