CyberWire Daily - The NTLM bug that sees and steals.
Episode Date: December 6, 2024

Researchers uncover a critical Windows zero-day. An alleged Ukrainian cyberattack targets one of Russia's largest banks. Russian group BlueAlpha exploits Cloudflare services. Microsoft flags Chinese hacking group Storm-0227 for targeting critical infrastructure and U.S. government agencies. SonicWall patches high-severity vulnerabilities in its secure access gateway. Atrium Health reports a data breach affecting over half a million individuals. Rockwell Automation discloses four critical vulnerabilities in its Arena software. U.S. authorities arrest an alleged member of the Scattered Spider gang. Our guest is Hugh Thompson, RSAC program committee chair, discussing the 2025 Innovation Sandbox Contest and its new investment component. C3PO gets caught in the crypto mines.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Joining Dave today is Hugh Thompson, RSAC program committee chair, discussing the 2025 Innovation Sandbox Contest and its new investment component. Read more details in the press release.

Selected Reading
New Windows 7 To 11 Warning As Zero-Day With No Official Fix Confirmed (Forbes)
Russian users report Gazprombank outages amid alleged Ukrainian cyberattack (The Record)
BlueAlpha Russian hackers caught abusing CloudFlare services (SC Media)
U.S. org suffered four month intrusion by Chinese hackers (Bleeping Computer)
Microsoft: Another Chinese cyberspy crew targeting US critical orgs 'as of yesterday' (The Register)
SonicWall Patches 6 Vulnerabilities in Secure Access Gateway (SecurityWeek)
Mitel MiCollab zero-day and PoC exploit unveiled (Help Net Security)
Atrium Health Data Breach Impacts 585,000 People (SecurityWeek)
Rockwell Automation Vulnerabilities Let Attackers Execute Remote Code (Cyber Security News)
US arrests Scattered Spider suspect linked to telecom hacks (Bleeping Computer)
Nebraska Man pleads guilty to $3.5 million cryptojacking scheme (Bleeping Computer)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Researchers uncover a critical Windows zero-day.
An alleged Ukrainian cyber attack targets one of Russia's largest banks.
Russian group BlueAlpha exploits Cloudflare services.
Microsoft flags Chinese hacking group Storm-0227 for targeting critical infrastructure and U.S. government agencies.
SonicWall patches high-severity vulnerabilities in its secure access gateway.
Atrium Health reports a data breach affecting over half a million individuals.
Rockwell Automation discloses four critical vulnerabilities in its Arena software.
U.S. authorities arrest an alleged member of the Scattered Spider gang.
Our guest is Hugh Thompson, RSAC Program Committee Chair, discussing the 2025 Innovation Sandbox and its new investment component. I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Thanks for joining us here today, and happy Friday. It is great as always to have you with us.
Researchers at Acros Security have identified a critical zero-day vulnerability affecting all Windows versions from 7 through 11 and Windows Server 2008 R2 onwards. The flaw, tied to the Windows NT LAN Manager authentication protocol, enables attackers
to steal credentials simply by having users view a malicious file in Windows Explorer.
Actions as mundane as opening a shared folder, a USB disk, or even viewing the Downloads folder
can trigger exploitation. Microsoft is developing a patch but has not yet
released an official fix or CVE allocation. Meanwhile, Acros Security has issued a temporary
micropatch through its 0patch platform to protect users, including those running unsupported
Windows versions. Users are advised to apply this micropatch immediately to mitigate risks until Microsoft
issues a permanent solution. With full technical details withheld to limit exploitation,
this remains a significant and evolving security threat.
Gazprombank, one of Russia's largest
private banks, faced reported service outages following an alleged Ukrainian cyberattack.
Ukraine's military intelligence agency claimed responsibility for a DDoS attack,
disrupting online and mobile banking services for Russian users.
While Gazprombank's website is operational,
users continue to report app issues.
The bank denied linking the disruptions to the attack.
This follows recent U.S. sanctions targeting Gazprombank,
a key channel for Russia's oil and gas payments.
Ukrainian cyberattacks on Russian financial institutions are frequent,
but their actual impact remains unclear.
The Russian FSB-backed hacking group BlueAlpha is exploiting Cloudflare's secure
tunneling service to enhance its phishing malware attacks, particularly targeting Ukraine.
Researchers from Recorded Future's Insikt Group revealed that BlueAlpha uses Cloudflare Tunnels
to hide staging servers and establish secure connections between victims' devices
and malware command and control servers. This method, part of its GammaDrop infrastructure,
complicates detection and blocking efforts. BlueAlpha, an offshoot of Kremlin-controlled
Center 18, exemplifies the growing trend among threat actors leveraging legitimate services like Cloudflare Tunnels for malicious campaigns.
China-based threat actors reportedly breached a major U.S. organization with operations in China,
persisting in its networks from April through August of this year, likely for intelligence gathering.
Symantec researchers found compromised Exchange servers suggesting
email and data exfiltration. Although the attack's entry point remains unclear, attackers used
PowerShell to query Active Directory and employed Kerberoasting for credential access.
They escalated activity in June using renamed FileZilla components for data transfer and deploying
persistence tools such as malicious DLLs and registry manipulation. Attackers leveraged
living-off-the-land tactics with tools like PsExec, PowerShell, and WMI, typical of Chinese
hacker strategies. The same organization was targeted by China's Daggerfly group in 2023,
but attribution to specific actors remains inconclusive. Symantec highlighted the
methodical role assignments across compromised machines to maintain persistence and gather
intelligence.
Microsoft has flagged Chinese government-linked hacking group Storm-0227 for targeting critical infrastructure organizations and U.S. government agencies.
Active since January, the group shares similarities with Silk Typhoon, also known as Hafnium, and TAG-100.
Over the past year, Storm-0227 has focused on sectors including defense, aviation, telecommunications, legal
services, and government agencies. The group typically gains access through vulnerabilities
in public-facing applications or spear-phishing emails delivering SparkRAT, an open-source remote
administration tool. Notably, they use off-the-shelf malware rather than custom tools, blending in to normal network activity to evade detection. Once inside, Storm-0227 steals credentials to access cloud
applications like Microsoft 365, exfiltrating emails and sensitive files to gather contextual
intelligence. Their operations align with China's broader espionage goals,
targeting U.S. interests and critical sectors.
Microsoft warns the group's persistence and focus on espionage
make them a long-term threat.
SonicWall has patched several high-severity vulnerabilities
in its SMA 100 SSL VPN secure access gateway,
including remote code execution flaws. The most critical are buffer overflow bugs
in the web management interface
and Apache web server library,
each with a CVSS score of 8.1.
Other issues include a heap-based overflow,
path traversal, and authentication bypass.
Users are urged to update their firmware promptly to prevent potential exploitation.
A zero-day vulnerability
in the Mitel MiCollab suite allows attackers to read sensitive files, according to watchTowr
researcher Sonny Macdonald. The flaw, exploitable only by authenticated users,
was chained in a proof of concept
with an authentication bypass patched in October.
The zero-day, still awaiting a patch,
could expose critical files.
Mitel plans to release a fix soon.
Atrium Health has reported a data breach
affecting over 585,000 individuals to the U.S. Department of Health and Human Services.
The breach appears linked to tracking technologies used on its patient portals between 2015 and 2019,
which may have transmitted user data to third-party vendors like Google and Meta.
Exposed information could include names, emails,
phone numbers, and treatment details, though no financial or social security data was compromised.
Atrium emphasized no misuse has been detected. This follows another incident in April involving
compromised employee email accounts containing sensitive data.
Rockwell Automation has disclosed four critical
vulnerabilities in its Arena software, potentially enabling attackers to execute remote code.
The vulnerabilities include a use-after-free flaw, out-of-bounds write, uninitialized variable,
and out-of-bounds read, each rated high severity at 8.5. Exploiting these flaws
requires a legitimate user to execute a malicious DOE file, potentially leading to arbitrary code
execution or operational disruption. Users should upgrade to the latest version immediately.
U.S. authorities have arrested 19-year-old Remington Ogletree, a member of the Scattered
Spider cybercrime gang, for breaching a U.S. financial institution and two telecommunications
firms. Ogletree allegedly used text and voice phishing to steal employee credentials,
impersonating IT support to pressure victims into visiting phishing sites.
One phishing campaign targeted 149 employees of the financial institution,
luring them with fake HR updates and benefits modifications.
Between October 2023 and May 2024,
Ogletree allegedly exploited telecom systems to send over 8.6 million phishing texts,
many aimed at stealing cryptocurrency.
Evidence seized from Ogletree's iPhone included phishing messages, credential harvesting sites,
and screenshots of cryptocurrency wallets. The Scattered Spider gang, known for targeting companies with weaker security, has also been linked to high-profile attacks on MGM Resorts,
Caesars, and Reddit. This fluid English-speaking group uses phishing, social engineering,
and SIM swapping to infiltrate corporate systems, complicating law enforcement's efforts to track
Coming up after the break, my conversation with Hugh Thompson from RSAC.
We're discussing the 2025 Innovation Sandbox Contest.
And C3PO gets caught in the crypto mines.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation
to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Hugh Thompson is Program Committee Chair for the RSA Conference.
I recently caught up with him to discuss the 2025 Innovation Sandbox Contest and its new investment component.
So, Hugh, today we are talking about some exciting changes that are going into effect for the 2025 Innovation Sandbox Contest at RSA
Conference this coming year. I have to say at the outset that the Innovation Sandbox has always been
a favorite event for me and many of my CyberWire colleagues here. I think it really captures a lot
of the energy of the conference itself. And you all have some really exciting news for this next coming show.
Dave, so first, thanks so much for having me on.
And we're super excited about Innovation Sandbox.
You know, I've always viewed it as a celebration of innovation in cyber.
And cyber is so dependent on innovation.
Bad guys are changing all the time.
We need to innovate.
Innovation Sandbox, I think, is the ultimate representation of that.
This is our 20th year of doing Innovation Sandbox,
which is just hard for me to fathom. And we do have some exciting additions
this year. So one of the things that we've announced is for every one of the top 10 finalists
in Innovation Sandbox, we are providing $5 million in very founder-friendly financing for these folks, and I couldn't be more excited about it.
to capitalize on all the interest that they get as part of being in Innovation Sandbox and the
opportunities that come out of it. Well, let's dig into some of the details here. I mean,
that is a big number. You know, we hear people joke about it's an honor to just be nominated,
but in this case, to make it into the top 10, there's quite potential here for a big financial boost.
I think so. And for a long time now, it's fascinating to watch once those top 10 are
announced. Typically, companies change their entire website, right? It's sort of the focal
point of their site, the fact that they got in the top 10. And they deserve that.
We've got an independent panel of judges that weed through a lot of applicants. And so getting
into the top 10 is extremely difficult. But one of the things that we found is as soon as you
become a part of that top 10 cohort, you're then inundated with opportunities.
There's companies, chief security officers, folks that now want to know more about you,
maybe do proof of concepts. And necessarily for many of these companies, it means how do they deploy more resources at their companies to go
and seize these opportunities of these proof of concepts, of these trials. And we think we have a
way to give them a cash infusion immediately that doesn't set a valuation on the company,
waits till their next professional financing to actually convert into an equity position. So it's better financing than they
could get on the public market, and they can use it right away to grow their business,
to stimulate innovation, and to grow their companies.
You all have emphasized that this funding comes from Crosspoint Capital Partners,
and this is a simple agreement for future equity, which spells out the word safe.
Safe, that's right.
I guess, is this an obligation as well? I mean, in order to be accepted as being in the top 10, is it a requirement that you take this funding?
It is. It is.
It's a condition of the contest.
And this safe note that you're talking about, I'll go into a little bit of details on it because I think it's important.
It's something called an uncapped safe, which basically means that it doesn't set a value for the company. It waits till the company has effectively continued to grow, probably fueled by some of this $5 million investment. And then it converts into equity at the next
professional round of financing. And so we think that this is a mechanism for entrepreneurs
to really accelerate their roadmap, to bring to bear resources, to grow their companies. And I can tell you, there's never been a more important time
for us to get not only innovative companies out there in the spotlight,
but also help those companies grow.
The bad guys are working overtime.
And we think that innovation that comes from these startups
is going to be absolutely essential to cyber defense.
Well, in addition to the funding, you all have announced a new forum that you're calling the RSA Conference Founders Circle.
Tell us about that.
Yeah, I'm very excited about that.
applies not just to the top 10 from 2025, but the top 10 going all the way back 20 years
to the beginning of Innovation Sandbox. And many of those companies have continued to grow over
time. Think about it as a network where these companies can connect with each other, share resources, learn from each other. We want to be able to
foster collaboration among those companies that have gone through really the crucible of Innovation
Sandbox, made it into that top 10 cohort, allow them to learn from each other, allow them to help each other. And we're hoping
that this will be just a great network for those companies to be able to continue to grow in the
space. What's your advice for startups who have their sights set on the innovation sandbox here?
And any words of wisdom to improve their
chances of being selected? Oh my gosh, I've been doing this for a couple of decades now.
And I'd say the best advice is to really perfect how you tell the story of your company. It's so important. If you look at these judges who tend to be very
prominent folks from the cyber community, they are in the back of their head asking a couple
of key questions. Why is this company different from the many other cyber companies that I've seen? Now, what is it that they're
bringing that's new into the marketplace? Do they have the right people? Who are the folks
that are behind this company? And do they have a real way to get it out into the marketplace?
Telling your story succinctly in the three minutes that you have on that stage
is so essential. And also in the video that you submit as part of the application process. So if
there's one piece of advice, it's just nail your own story. Yeah. And I suppose, I mean, the proof is in the pudding here that
these companies have had a very high success rate. They have. They have. You know, some of them have
gone on to be absolute staples in cybersecurity. You had some of the early winners like Imperva, for example, that went on to do fantastic things.
Wiz was a top 10 finalist back in 2021.
Ironically, they just purchased a top 10 finalist from 2023, Dazz.
And you've got all of these great companies where a huge chapter in their story began at Innovation Sandbox.
And I can't wait to see the next chapter that starts to begin from the cohort that comes up in 2025.
That's Hugh Thompson, RSAC Program Committee Chair.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to
and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And finally, a gentleman named Charles O. Parks III,
or as he styled himself, CP3O,
kind of like the droid,
decided to take a creative approach to cloud computing.
Instead of paying for it,
he racked up $3.5 million in unpaid bills with two tech giants based in Washington,
believed to be Amazon and Microsoft.
What did he do with all that computing power?
He mined cryptocurrency, Ether, Litecoin, Monero, you name it, netting about $970,000.
From January to August 2021, Parks set up aliases like Multimillionaire LLC,
which is a little on the nose, to open multiple cloud accounts.
He convinced providers to give him premium services with deferred billing
and even managed to launch tens of thousands of mining instances.
That's a lot of fake money-making, literally and figuratively.
He didn't stop at mining.
Parks laundered his crypto through exchanges, an NFT marketplace, and bank accounts,
then spent his ill-gotten gains on first-class travel, a luxury Mercedes-Benz, and flashy jewelry.
Basically, he was living like a high roller, until the bill came due.
The Justice Department was not impressed.
They've charged Parks, who pleaded guilty to fraud. He faces up to 20 years in prison.
Prosecutors say this case highlights their commitment to cracking down on cybercriminals
using complex schemes. So, it would seem this self-styled C-3PO miscalculated the odds of dodging Microsoft's and Amazon's billing departments.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday and my conversation with Sean Kennedy,
Global Director of Trustwave SpiderLabs. The research we're discussing is titled Pronsis Loader, a JPHP-driven malware.
That's Research Saturday. Check it out. We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing
world of cybersecurity. If you like our show, please share a rating and review in your favorite
podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. We're privileged that N2K CyberWire
is part of the daily routine of the most influential leaders and operators in the
public and private sector, from the Fortune 500 to many of the world's preeminent intelligence
and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people.
We make you smarter about your teams
while making your team smarter.
Learn how at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester with original music
and sound design by Elliot Peltzman.
Our executive producer is Jennifer Eiben.
Our executive editor is Brandon Karpf.
Simone Petrella is our president. Peter Kilpe is our publisher. And I'm Dave Bittner.
Thanks for listening. We'll see you back here next week. Bye.