CyberWire Daily - The rebirth of Russia's cyber warfare.
Episode Date: April 17, 2024

A Russian hacker group boldly targets critical infrastructure. The Change Healthcare ransomware attack is projected to cost over a billion dollars. Three hundred bucks is the going rate for a SIM swap. PuTTY potentially reveals private keys. Cisco Talos reports a surge in brute-force attacks. Ivanti updates its MDM product. Omni Hotels & Resorts confirm a data breach. Financially motivated hackers target businesses in Latin America with steganography. A prolific cryptojacker faces decades in prison. On our Learning Layer segment, host Sam Meisenberg and Joe Carrigan continue their discussion of Joe's ISC2 CISSP certification journey. The ransomware equivalent of a Saturday night special.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
On our Learning Layer segment, host Sam Meisenberg and Joe Carrigan continue their discussion of Joe's ISC2 CISSP certification journey using N2K's comprehensive CISSP training course, CISSP practice test, and CISSP practice labs. Sam and Joe discuss content and study strategies for Domain 2, Asset Security.

Resources: Domain 2, Asset Security
Identify and securely provision information assets, establish handling requirements, manage the data lifecycle, and apply data security controls to comply with applicable laws.
2.1 Identify and classify information and assets
2.2 Establish information and asset handling requirements
2.3 Provision resources securely
2.4 Manage data lifecycle
2.5 Ensure appropriate asset retention (e.g., End-of-Life (EOL), End-of-Support (EOS))
2.6 Determine data security controls and compliance requirements

Are you studying for the CISSP exam, considering taking the test soon, or did you have an unsuccessful exam experience? Here are some CISSP exam pitfalls to avoid so that you're confident and successful on exam day.

Selected Reading
Hackers Linked to Russia's Military Claim Credit for Sabotaging US Water Utilities (WIRED)
T-Mobile, Verizon workers get texts offering $300 for SIM swaps (Bleeping Computer)
PuTTY SSH client flaw allows recovery of cryptographic private keys (Bleeping Computer)
Large-scale brute-force activity targeting VPNs, SSH services with commonly used login credentials (Talos Intelligence)
Ivanti Patches Two Critical Avalanche Flaws in Major Update (Infosecurity Magazine)
Omni Hotels confirms data compromise in apparent ransomware attack (SC Media)
Steganography Campaign Targets Global Enterprises (GovInfo Security)
Nebraska man allegedly defrauded cloud providers of millions via cryptojacking (The Record)
Ransomware attack has cost UnitedHealth $872 million; total expected to surpass $1 billion (The Record)
'Junk gun' ransomware: Peashooters can still pack a punch (Sophos News)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.

...of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private. JoinDeleteMe.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout. That's JoinDeleteMe.com slash N2K, code N2K.

A Russian hacker group boldly targets critical infrastructure.
The Change Healthcare ransomware attack is projected to cost over a billion dollars.
300 bucks is the going rate for a SIM swap.
PuTTY potentially reveals private keys.
Cisco Talos reports a surge in brute force attacks.
Ivanti updates its MDM product.
Omni Hotels and Resorts confirm a data breach.
Financially motivated hackers target businesses in Latin America with steganography.
A prolific cryptojacker faces decades in prison. On our Learning Layer segment, host Sam Meisenberg and Joe Carrigan continue their discussion of Joe's ISC2 CISSP certification journey.
And the ransomware equivalent of a Saturday night special.
It's Wednesday, April 17th, 2024.
I'm Dave Bittner, and it's great to have you here with us.

For the past decade, Russia's Sandworm, a military cyber unit, has been notorious for its disruptive cyber attacks worldwide. Recently, a related hacker group, the Cyber Army of Russia, or Cyber Army of Russia Reborn, has escalated these digital assaults, targeting critical infrastructure in the U.S., Poland, and France. This group has claimed responsibility for hacking water utilities and a hydroelectric dam, aiming to sabotage through the manipulation of control systems. Their actions, documented in social media videos, have resulted in tangible disruptions, such as an overflowed water tank in Texas. Cybersecurity firm Mandiant links this group to Sandworm, suggesting either a shared identity or a collaboration between the two. Unlike Sandworm's indirect strategies, the Cyber Army of Russia Reborn directly targets foreign networks, marking a bold shift in operational tactics. Their attacks, characterized by a mix of technical knowledge and reckless tampering, have raised concerns over potential catastrophic outcomes. While Sandworm appears to have transitioned towards espionage supporting Russia's military efforts in Ukraine, the Cyber Army of Russia Reborn continues its disruptive operations. This shift hints at a possible evolution in cyber warfare tactics, with implications for global cybersecurity and the risks of unanticipated severe incidents stemming from less restrained cyber activism. Wired's Andy Greenberg has the complete story, and we'll have a link in the show notes.

The ransomware attack on Change Healthcare, owned by UnitedHealth Group, has reportedly, so far, incurred $872 million in losses. The February incident led to hundreds of systems being taken offline, prompting criticism from the White House and Congress. Despite first-quarter earnings of $7.8 billion, UnitedHealth Group faced significant direct costs and revenue losses due to the attack. The company estimates up to $1.15 billion in direct costs and additional losses of between $350 and $450 million for the year. Restoration efforts have brought some services back, with the pharmacy claim platform at 80% functionality. Meanwhile, the ransomware gang behind the attack, ALPHV, or BlackCat, has seen internal conflicts and data leaks, with over 4 terabytes of sensitive data, including patient information, being leaked. UnitedHealth Group is working with authorities amidst ongoing extortion threats and data leaks, but faces scrutiny over its handling of the situation and the impact on the healthcare industry.

Criminals are targeting T-Mobile and Verizon employees with text messages, offering $300 for assistance in conducting SIM swaps. This campaign aims at current and former employees capable of accessing the necessary systems. Screenshots reveal offers from different numbers, with claims of obtaining contact info from employee directories. While initially thought to be solely targeting T-Mobile workers, Verizon employees have also reported receiving similar texts. T-Mobile confirmed they are investigating these solicitations for illegal activity but denied any system breach. The surge in SIM swap attacks, where criminals hijack phone numbers to access victims' personal and financial information, prompted the FBI to issue warnings and the Federal Communications Commission to introduce new rules for secure authentication and customer notifications for SIM changes or port-out requests.

A vulnerability in PuTTY, the free and open-source terminal emulator, serial console, and network file transfer application, exposes a method for attackers to potentially recover the private key from 60 cryptographic signatures. This flaw arises from a deterministic nonce generation process intended to compensate for inadequate cryptographic randomness in some Windows versions. The issue could allow unauthorized SSH server access or enable attackers to sign commits fraudulently, posing a risk of supply chain attacks. The exploit requires acquiring signatures from server logins or signed Git commits. Users are advised to update their tools and replace potentially compromised keys.
Cisco Talos reports a surge in brute force attacks globally targeting VPNs, web application interfaces, and SSH services since March 18th of this year. Originating from Tor exit nodes and various anonymizing services, these attacks aim at various services, including Cisco Secure Firewall VPN, Check Point, Fortinet, SonicWall, and others. The indiscriminate attempts use both generic and organization-specific usernames, potentially leading to unauthorized access, account lockouts, or denial of service. The threat, intensifying over time, leverages multiple proxy services, prompting Cisco to update its block list in response to the changing source IPs.
Ivanti has updated its Avalanche mobile device management product, addressing 27 vulnerabilities, including two critical bugs with a 9.8 CVSS score that could enable remote code execution by unauthenticated attackers. The critical flaws are heap overflow issues. Although there are no reports of these vulnerabilities being exploited, their severity underscores the importance of the patch, especially given Avalanche's role in managing extensive device deployments in large organizations. The update also rectifies 25 other vulnerabilities, mainly path traversal and out-of-bounds read issues.
Omni Hotels and Resorts confirmed a data breach following the Good Friday cyber attack on March 29th, with customer names, email and mailing addresses, and some loyalty program information compromised. Payment and financial details, along with social security numbers, were not affected. The attack's timing during a busy holiday period is indicative of ransomware gangs targeting hospitality for their capacity to pay significant ransoms due to potential revenue losses. The Daixin Team, a ransomware group previously focused on healthcare, claimed responsibility and initially demanded a $3.5 million ransom, later reduced to $2 million, though it's unclear if Omni paid.
Security researchers from Positive Technologies have identified over 300 attacks by financially motivated hackers targeting businesses in Latin America, employing steganography to embed malicious code in digital images. The group behind these attacks, known as TA558, has expanded its focus from the hospitality industry in Spanish- and Portuguese-speaking countries to various industries in Russia, Romania, and Turkey. TA558 uses a range of malware tools, including Agent Tesla and Formbook. One documented attack involves exploiting a Microsoft Office vulnerability to execute a PowerShell script hidden in a JPEG image, leading to the installation of Agent Tesla malware.
Charles Parks III, a 45-year-old from Nebraska, is set to appear in federal court in Omaha, charged with operating a cryptojacking scheme that cost cloud computing providers millions. Arrested on April 13, Parks faces wire fraud, money laundering, and unlawful monetary transaction charges. From January through August 2021, he allegedly used cloud services under the guise of his corporate entities to mine over $970,000 in cryptocurrency, costing two major providers $3.5 million in resources. Parks reportedly manipulated account setups and benefits, continuing operations even after suspensions for non-payment and fraud. The proceeds were laundered through exchanges, an NFT marketplace, online payment services, and banks, ultimately funding extravagant purchases. He risks up to 20 years in prison for wire fraud and 10 years for unlawful monetary transactions.
Coming up after the break on our Learning Layer segment, Sam Meisenberg and Joe Carrigan continue their discussion of Joe's CISSP certification journey. Stay with us.
Transat presents a couple trying to beat the winter blues.
We could try hot yoga.
Too sweaty.
We could go skating.
Too icy.
We could book a vacation.
Like somewhere hot.
Yeah, with pools.
And a spa.
And endless snacks.
Yes!
Yes!
Yes!
With savings of up to 40% on Transat South packages, it's easy to say, so long to winter.
Visit Transat.com or contact your Marlin travel professional for details.
Conditions apply. Air Transat. Travel moves us.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time
checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows
like policies, access reviews, and reporting, and helps you get security questionnaires done
five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
On our Learning Layer segment, host Sam Meisenberg is joined by my Hacking Humans co-host, Joe Carrigan, continuing their discussion of Joe's CISSP certification journey.

Welcome back to another Learning Layer segment. We are continuing our conversation with Joe Carrigan as he gets ready for his CISSP.
So Joe, you're in it. I'm in it now, yes.
You are. Now's the time that tries men's souls. Indeed. Very trying.
Say it right. So catch us up. What are you doing? Where are you at? Where are you at in your studies?
So I'm running behind. We're coming up on a holiday and it's crazy in my house right now.
Just haven't had the time to sit down and commit to this.
But, you know, that's going to have to change.
Asset security is, you know, I've got the understanding.
I'd like to take the test to see how I do
because this is one of the areas in the diagnostic test
I didn't do very well in.
I was kind of shocked by that,
not doing very well in asset security.
So I'm looking forward
actually to taking that test to see how I
do. Now, at the same time,
I don't want to lose the information
I've got from domain one.
So I'm taking, using the tool
with the question pool
to, you know,
every other day or so, I've been taking a test
on domain one.
Okay.
Just make a 20-question test and see how well I do.
And I'm doing okay in those.
I'm coming in around, you know,
I'm getting what I would consider to be a passing grade.
I'd like to get better grades, you know, better scores.
But what I like about this tool is that if I miss a question,
I can look at the question,
understand why I got the question wrong.
There's a little blurb underneath that tells you
what the right answer was and why,
which is of paramount importance.
But there also are links to the material.
So you can go right to the video to see
where that was covered in the lessons.
Right, right.
So two quick comments about that.
First, what Joe was referring to
is something called our question bank tool.
And basically, it helps get really granular on very specific areas that you need to study.
So for example, you can create a custom quiz of any length.
Sounds like Joe's using it to create 20 question quizzes.
But if you only have five minutes, you can do a three-minute question or a five-minute quiz.
I'm sorry, a five-question quiz.
But the point is you can also select the domain you want to study in
and the subdomain and even some subdomains under that.
It gets very granular if you want to do deep dives.
And that leads me to my second comment, Joe,
which is about your results.
It's actually normal to see a little bit of volatility within the QBank
because it is so specific, right?
It is so granular.
So I wouldn't, you know, freak out of one quiz.
You get a 90 and the next time you get a 70.
Right.
Like that just helps you pinpoint exactly what you need to study.
Excellent.
That's good to know.
So sounds like you have the QBank down
and you have a good routine for domain one.
Can you talk a little bit more about like specifically
what you're doing for domain two and what that looks like?
The same process I did for domain one,
which is where I've gone through and I've taken the notes
and I have my own, you know, I have a Google Doc file
where I'm fortunate enough that I have two monitors.
So I keep the Google Doc file on one monitor
and I keep the video on the other monitor
and I'm watching the video and typing the notes in as I'm watching the videos. Great.
Keeping notes. When it comes time for the actual class lecture, I am using the printout of the
class notes that N2K provides as a PDF. I've printed some of those out. This time for domain two,
I did something I didn't do for domain one,
which was I went and read the book.
And I actually spent a lot of time in the book
and I read actually the readings for domain one as well.
I kind of skimmed through those as well.
That took a little bit of time.
So I'm doing a deeper dive on domain two,
which is why the time commitment
is a little bit greater, I think.
Sure, makes sense. And by the way, I do love what you're doing because you're basically getting,
because from the textbook to the video library that you're going through, and then also like
the longer lecture style, it is a lot of repeated information, but it's not like it's redundant or
it's exactly the same,
but it's, you're getting the same information in different modalities.
It's reinforcement.
It's reinforcement. That's exactly right. And specifically within different modalities,
to wonk out for a second, learning science shows that's really good for knowledge retention.
Yeah, good.
What you're doing, you know, might be natural to you. It makes sense. But, you know, for maybe
some people haven't studied in a while or haven't flexed that muscle. that's kind of what you have to do. You have to immerse yourself in
the content in a lot of different ways. Yeah. And that's what I'm trying to do this time.
Well, at least with domain two. Domain one, I wasn't all that concerned because I did
fairly well in the diagnostics. But I did go back and review some of the major points.
I'm curious, is there anything in like domain two in your studies that just kind
of stand out to you being difficult or hard to wrap your head around? Any questions about the
content that you might have? Nothing stands out as like difficult to get my head around. Everything
makes sense. It's all very logical. So Joe, since you don't have any content questions for me,
I have a content question for you.
Pop quiz.
You ready?
Okay.
What's the difference between a data owner and a data custodian?
A data owner is the person who is actually the person that owns the data.
This is usually someone pretty high up in the food chain,
usually like some higher level management.
The data custodian is the one who's responsible
for maintaining the appropriate access,
the appropriate authentication,
and what's the other?
CIA.
Hold on just a minute.
Give me a second.
So...
Okay, here it is.
The data custodian is the one who is responsible
for maintaining all the CIA stuff around the,
you know, that it's only accessible to people who should have access,
that the data is correct.
Confidentiality.
You know,
that they're the people where the rubber meets the road.
Yes,
that's right.
That's right.
The,
the confidentiality,
integrity,
and availability and the authorization and authentication you're talking about,
that would really be wrapped up in the C,
the access control.
Yep.
So, all right, look, I believed you
when you said you know your stuff in Domain 2
and you didn't have any questions,
but I just had to verify.
Trust but verify, right?
Sure.
That's probably something in Domain 2,
the two.
Yep.
Pretty meta.
Well, Joe, good luck with the studies.
Seems like you're on the right path.
You're doing the good work.
And again, you will get to Domain 3 when you get to Domain 3,
but like you said, you just got to make the time and carve out the time.
Yeah, I've got to do that this week.
Awesome. We'll hold you accountable because next time we talk, we'll do a deep dive into Domain 3.
Excellent.
That's my N2K CyberWire colleague, Sam Meisenberg, and my Hacking Humans co-host, Joe Carrigan.

...with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And finally, a junk gun, often referred to pejoratively as a Saturday night special, is a term used to describe cheaply made low-caliber handguns
that are considered to be of poor quality and reliability.
Back in the 70s, they were the go-to weapon of choice for, say, holding up a liquor store.
Or so I've been told.
In the digital arms race of the 21st century, Sophos X-Ops has uncovered the cyber equivalent of junk guns proliferating across underground forums. Dubbed junk gun ransomware, this trend features rudimentary, low-cost ransomware tools sold mostly on a one-time purchase basis, diverging from the traditional ransomware-as-a-service model. This development democratizes cybercriminal capabilities, offering entry-level attackers the means to execute ransomware campaigns without substantial initial investment or technical skill. Through their investigation, the researchers discovered 19 varieties of such ransomware, indicating a shift towards enabling lower-skilled threat actors to partake in cyber extortion activities. These tools, available across several forums from June 2023 through February of this year, range in sophistication and cost, highlighting an emerging market catering to cybercriminals targeting smaller, less-protected entities. The allure of junk gun ransomware lies in its accessibility and potential profitability for individuals targeting small businesses and personal devices. These weapons are cheap, hard to trace, and provide a low barrier of entry for illicit activities, mirroring the advantages once held by physical junk guns.
I must admit I've sometimes pondered the potential of a criminal business model of nuisance ransomware,
low-level, low-sophistication, low-cost-to-the-victim activities that provide steady cash flow for the criminal owner-operator,
but which also flies under the radar of law enforcement who have much bigger fish to fry.
And when I say pondered, I mean purely as a hypothetical, of course.
A thought exercise.
Stay in school, friends.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people.
We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester with original music by Elliot Peltzman.
Our executive producers are Jennifer Iben and Brandon Karp.
Our executive editor is Peter Kilby, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.

...With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.