CyberWire Daily - The hot pursuit of Volt Typhoon.

Episode Date: March 18, 2024

Volt Typhoon retains the attention of US investigators. The IMF reports a cyber breach. Fujitsu finds malware on internal systems. Securonix researchers describe DEEP#GOSU targeting South Korea. Subsea cable breaks leave West and Central Africa offline. Health care groups oppose enhanced cyber security regulations. A Pennsylvania school district grapples with a ransomware attack. AT&T denies a data leak. Our guest Kevin Magee of Microsoft Canada shares his experiments with board reporting. And Apex Legends eSports competitors get some unexpected upgrades.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Our guest today is Kevin Magee of Microsoft Canada, sharing his experiments using N2K's CSO Rick Howard's forecasting methodology from his Cybersecurity First Principles book regarding board reporting.

Selected Reading
US is still chasing down pieces of Chinese hacking operation, NSA official says (The Record)
IMF Investigates Serious Cybersecurity Breach (Infosecurity Magazine)
Tech giant Fujitsu says it was hacked, warns of data breach (TechCrunch)
Analysis of New DEEP#GOSU Attack Campaign Likely Associated with North Korean Kimsuky Targeting Victims with Stealthy Malware (Securonix)
Ghana says repairs on subsea cables could take five weeks (Reuters)
Health care groups resist cybersecurity rules in wake of landmark breach (CyberScoop)
Pennsylvania's Scranton School District dealing with ransomware attack (The Record)
AT&T says leaked data of 70 million people is not from its systems (BleepingComputer)
The Aviation and Aerospace Sectors Face Skyrocketing Cyber Threats (Security Affairs)
Massive 'Apex Legends' Hack Disrupts NA Finals, Raises Serious Security Concerns (Forbes)

Share your feedback.
We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.  Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Volt Typhoon retains the attention of U.S. investigators. The IMF reports a cyber breach. Fujitsu finds malware on internal systems. Securonix researchers describe DEEP#GOSU targeting South Korea.
Starting point is 00:02:16 Subsea cable breaks leave West and Central Africa offline. Healthcare groups oppose enhanced cybersecurity regulations. A Pennsylvania school district grapples with a ransomware attack. AT&T denies a data leak. Our guest is Kevin Magee of Microsoft Canada, sharing his experiments with board reporting. And Apex Legends esports competitors get some unexpected upgrades. It's Monday, March 18th, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Happy Monday. It is great to have you here with us. The United States is currently facing a sophisticated and extensive espionage campaign orchestrated by Volt Typhoon, a Chinese hacking group. Rob Joyce, the outgoing director of the National Security Agency's Cybersecurity Directorate,
Starting point is 00:03:28 shared insights during a roundtable with reporters, emphasizing the ongoing efforts to fully comprehend and neutralize the threats posed by this campaign. Despite nearly a year passing since the initial disclosure of Volt Typhoon's activities by Western intelligence, the U.S. government, according to Joyce, is still in the process of identifying all affected entities and eradicating the hackers' footholds within compromised systems. The operation's complexity is further highlighted by the hackers' method of operation, which includes the use of legitimate credentials to avoid detection and the abstention from introducing additional malware into the systems they infiltrate. Interestingly, Joyce revealed for the first time that artificial intelligence played a role in
Starting point is 00:04:16 uncovering some of the breaches attributed to Volt Typhoon, marking a pivotal moment in the use of AI for cybersecurity purposes. However, he also noted that there have been no instances of the hacking group utilizing AI for their ends. Instead, their approach relies heavily on conducting bulk scans to identify and exploit known vulnerabilities across networks. The seriousness of this espionage effort was underscored by recent warnings from top U.S. cybersecurity officials regarding the potential for Chinese hackers to compromise critical U.S. networks, especially in the event of a conflict with Beijing. This vulnerability stems from long-standing security issues within the infrastructure's underlying technology,
Starting point is 00:05:03 largely due to a historical emphasis on feature development and market speed over robust security measures. Joyce expressed hope that the Chinese government would exercise caution in the wake of widespread national anger over previous espionage activities, including the discovery of a high-altitude balloon campaign last year. He warned that any direct attacks on U.S. water and transportation systems by state-backed hackers would only exacerbate public outrage. As Joyce prepares for retirement at the end of the month,
Starting point is 00:05:37 he will be succeeded by Dave Luber, a veteran of U.S. Cyber Command and current deputy chief of the Cybersecurity Directorate, who brings extensive experience to the role at a critical time for national cybersecurity efforts. The International Monetary Fund is addressing a cybersecurity incident that compromised 11 of its internal email accounts, detected on February 16. With the help of external cybersecurity experts, the IMF took remedial actions and re-secured the affected accounts, finding no evidence of further breaches. This event underscores the IMF's potential vulnerability to cyber espionage,
Starting point is 00:06:18 especially from state-sponsored actors interested in its financial dealings with 190 member countries. Meanwhile, global tech firm Fujitsu has announced it fell victim to a cyber attack with malware found on several internal systems, potentially leading to the unauthorized access and theft of personal and customer information. The company has disconnected affected systems and is probing the breach's extent and potential information leakage. Fujitsu, with significant government and private sector clientele, has reported the incident to Japan's Personal Information Protection Commission. The specifics of the stolen data, including whose data was affected,
Starting point is 00:07:01 remain unclear. This incident comes amid scrutiny over Fujitsu's role in the UK post office scandal involving wrongful convictions of postal workers that were later tied to bugs in its software. The company's response and further regulatory notifications are pending. The Securonix threat research team identified a complex multi-stage cyber attack campaign likely linked to the North Korean Kimsuky group targeting South Korean entities. The operation, named DEEP#GOSU, incorporates new and reused code alongside traditional tactics, techniques, and procedures. It employs a sophisticated script-based attack chain using PowerShell and VBScript to infiltrate systems quietly, allowing attackers to monitor
Starting point is 00:07:52 user activities such as clipboard and keystroke logging. The attackers utilize a remote-access Trojan for complete control over compromised systems, ensuring persistent surveillance and data collection. Communication with command and control servers was stealthily conducted through legitimate services like Dropbox and Google Docs, making detection more challenging. The initial malware infiltration likely occurred through malicious email attachments disguised as legitimate files. Repairs on cut subsea cables, which have disrupted internet and telecommunications across West and Central Africa, are expected to take at least five weeks, according to Ghana's communications regulator. The damage to the cables has severely impacted various services, including banking, mobile phone operations,
Starting point is 00:08:46 money transfer agencies, and stock exchanges. The National Communications Authority of Ghana, after meeting with subsea cable landing service providers Africa Coast to Europe, MainOne, South Atlantic 3, and the West Africa Cable System, as well as mobile network operators, reported that the location of the damage has been identified. Preparations are underway to send repair vessels to the sites. MainOne suggests that the breakage may have been caused by seismic activity on the seabed. In the wake of the recent cyberattack on Change Healthcare, discussions have intensified in Washington about implementing cybersecurity regulations in the healthcare sector. This move faces opposition from hospital and healthcare groups who argue against mandatory requirements, citing substantial investments in cybersecurity and the unfairness of penalizing hospitals for third-party breaches.
Starting point is 00:09:47 Senator Ron Wyden advocates for immediate actions, including fines for negligent CEOs, to enhance cybersecurity standards. The Biden administration is exploring mandatory cybersecurity rules and proposing a $1.3 billion budget to support hospital cybersecurity efforts, possibly including financial penalties for noncompliance. The attack itself underscores the systemic risk large healthcare companies pose and the urgent need for improved digital security measures, despite the industry's resistance and the complexities of enforcing new standards. The Scranton School District in Pennsylvania is addressing a ransomware attack that's caused significant technology outages, affecting about 10,000 students across 15 schools. The district is collaborating with third-party forensic specialists to investigate the attack's
Starting point is 00:10:44 source, assess its impact, and restore system functionality. The attack has led to disruptions in computer systems and services, making some files inaccessible and slowing down certain functions due to heightened security measures. This incident forced students to revert to traditional paper and pencil for assignments. It marks at least the 21st confirmed ransomware attack on a K-12 school district so far in 2024. AT&T has denied that a data leak affecting 71 million individuals came from its systems, despite claims by a hacker on a cybercrime forum that it was stolen in a 2021 breach. Bleeping Computer confirmed the accuracy of some data entries,
Starting point is 00:11:31 which include sensitive information such as social security numbers and addresses. The data was initially offered for sale by a threat actor named ShinyHunters on the RaidForums data theft site. Despite AT&T's denials of a breach, another hacker, MajorNelson, later released the data for free, claiming it to be the same as what ShinyHunters attempted to sell. While the source of the data remains unconfirmed, cybersecurity researchers have verified some of the information as accurate. AT&T customers from before and through 2021 are advised to be vigilant for potential phishing and SIM swapping attacks.
Starting point is 00:12:21 Coming up after the break, Kevin Magee from Microsoft Canada joins me to discuss his methodology regarding board reporting. Stay with us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies, like Atlassian and Quora, have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
Starting point is 00:13:13 across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over
Starting point is 00:14:18 one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. It is my pleasure to welcome back to the show Kevin Magee. He is the Chief Security Officer at Microsoft Canada. Kevin, welcome back. You know, you and I have something in common, which is that we both very much enjoyed my colleague Rick Howard's book on cybersecurity first principles.
Starting point is 00:14:56 But you've really had some kind of on-the-ground interaction with some of the things that you've taken away from the book here recently. What's going on? Yeah, thanks for having me back, Dave. And I'd love to talk about Rick's book. I definitely want to be Rick when I grow up. So it was fascinating for him to really put together his sort of an entire career's worth of learnings and lessons into one book.
Starting point is 00:15:21 And it's something I've either recommended or bought for a number of the folks where I sit on boards and whatnot. It's a book that you can hand to not only a technical person, but a business person. And I'm getting no financial compensation for pitching. I just really think you did a great job. But one of the areas where I spend a lot of time is speaking with boards. And I sit on a number of boards.
Starting point is 00:15:43 I'm an Institute of Corporate Directors for Canada, a certified public director. And I made a comment from a stage a little while ago at a conference that I should really do CISO therapy sessions. If you've been savaged by your board, I can help you maybe look at how to do better reporting or answer their questions. And I had
Starting point is 00:15:59 11 people send me an email that they'd like to work with me on that. So what I've been doing is looking at what are some of the best resources. And one was Rick's book to say, here are the first principles of security. How can we develop a common vocabulary and an understanding of what a security program works? And one of the things I guess lessons learned the last little while is that's what's been missing. We have that in accounting. We know what an asset is. We know what a liability is. We lack that, and that lack of common understanding, frameworks, and vocabulary
Starting point is 00:16:32 is so fundamental to everything that we build on top of it, but we often jump well past the first principles into a deeper discussion without establishing those norms first. And so what is the best process here? I mean, is this a matter of sitting down with your board and having a kind of a mutual learning lesson? One thing that would be, how do we start with the fundamentals of understanding? As a director, you have a duty to become financially literate. We don't have an understanding of what that means in cyber. So one of the things that I use Rick's book and a couple other foundational documents to say, sort of, here are the things that a director, you know, really should read and should understand
Starting point is 00:17:13 as part of the onboarding process. You should understand fundamentally what zero trust means. You should understand some of these concepts from a relatively high level, but be able to have an interaction and a discussion about them. That's what I was sort of like the first principles approach that Rick uses. Now, some of the advanced discussions are how do we discuss things like risk? And I think one of the things that Rick does a great job is to say, hey, what's the material impact and what's the probability? And instead of giving me 90, you know, 100 pages of data, you know, can we have that discussion? Is this a 50 to 70 million dollar problem? And what does the probability look like? And Rick's book gives lots of tools that are very high level
Starting point is 00:17:55 that can be implemented to sort of drive those discussions out without a great deal of, you know, math or work involved as well, too. So I think it's one of those sort of foundational books that I really think are important to develop a good board reporting discussion. To what degree, in your experience, are board members who don't have a strong background in cyber, are they willing, eager, and able to take this on? I think a few years ago, you saw all the articles about boards need to make cyber risk a board-level discussion. I think we're past that. I think they know they have to.
Starting point is 00:18:31 The big epiphany for me was I was sitting in an audit committee meeting. We were discussing the current ratio. And I couldn't, for the life of me, remember what the current ratio was. It was clearly important, and this number mattered that the accountants were talking about.
Starting point is 00:18:48 But I had a duty to the organization to make a decision based on what we're discussing. But because I'm a type A and I didn't want to look like a fool in front of my peers, I didn't put my hand up at first and say that. And then it dawned on me, well, I don't want to look stupid that I didn't know what the current ratio was in front of my accountant peers. Do they feel the same way when we talk about cybersecurity about maybe they don't want to look like they're uninformed or whatnot? So I don't think it's that they don't want to have the conversation. I think it's often they just don't know how to have it or they don't have the vocabulary to have it. And I think that's why having that first principles discussion, going back as part of the board of education, is so fundamental to making sure that we have that to build on so that we can have a good discussion. We can, as governors, ask those
Starting point is 00:19:29 questions and fulfill our duties to the organization. It strikes me too that establishing an environment, you know, a safe environment where people feel like they can ask those questions and be rewarded for it. We often too forget that the only modality that a director has to do their job is by asking questions. So CISOs will often come and try and fill up the time with information and then are surprised when they get asked questions. Well, that's really the only way that a director can do their job is by asking those questions. So I often say to CISOs as part of my therapy session, it's your job to really help them understand, educate them.
Starting point is 00:20:13 And the better informed they are, the better questions they'll ask. So the quality of the questions the board are asking is really up to us as cybersecurity professionals. Are we doing our job in helping them understand and making the material we're providing them contextually relevant? If they're asking questions like, how many port scans did we get last month? That's completely irrelevant and doesn't help move forward
Starting point is 00:20:30 the security posture of the organization or understand enterprise risk. That's on us because we didn't really have a good discussion. We didn't make them feel comfortable asking those questions or whatnot. So if they're not learning from us, who are they learning from?
Starting point is 00:20:42 Or where are they developing these questions? So I think we need to take more responsibility as a profession to help them understand and recognize with some empathy that maybe this is an area that they're uncomfortable. And they're used to being in command of their environment and their subject matter. And maybe not so much in our area. And that's okay. Well, Kevin, I see that our time for this session is up. I want to thank you for joining us. Kevin Magee is the Chief Security Officer with Microsoft Canada.
Starting point is 00:21:15 Kevin, thanks so much for joining us. Great. Thanks, Dave. Thank you. with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. to you live. Hundreds of wildfires are burning. Be the first to know what's going on and what that means for you and for Canada. This situation has changed very quickly. Helping make sense of the world when it matters most. Stay in the know. Download the free CBC News app or visit cbcnews.ca. We close today with news that the North American finals of the Apex Legends esports competition faced a significant disruption when the competitive integrity of the game was compromised,
Starting point is 00:23:00 leading Respawn and EA to postpone the event. The disruption involved unauthorized access where professional players were given hacks like aimbots and wallhacks during the finals, leading to one player getting banned and raising concerns about the game's overall security. The extent of the breach remains unclear, with fears that it might signify a broader security issue affecting the entire player base. Rumors suggest a hacker known as Destroyer2009 executed the attack through a remote exploit, but this hasn't been confirmed. The incident has sparked widespread
Starting point is 00:23:39 concern over Apex Legends' anti-cheat system and has coincided with recent layoffs at Respawn, including developers from the Apex Legends team. As the community and players await further updates, caution is advised regarding game access. The providers of the game's anti-cheat mechanism have clarified that the incident does not involve a remote code execution from their end. I must admit, the extent of my knowledge when it comes to modern online gaming is quite limited, and part of me longs for the days when the toughest decision in gaming was which colored ghost to chase first. Yeah, I know. Get off my lawn. We'll see you next time. your biggest investment, your people. We make you smarter about your team while making your team smarter.
Starting point is 00:25:06 Learn more at n2k.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music by Elliot Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
Starting point is 00:25:23 We'll see you back here tomorrow. Thank you. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
