CyberWire Daily - The reign of digital terror ends.
Episode Date: February 20, 2024

Operation Cronos leaves LockBit operations on borrowed time. An alleged leak reveals internal operations from the Chinese Ministry of Public Security. An Israeli airline thwarts communications hijacking attempts. The alleged Raccoon Infostealer operator has been extradited to the US. ConnectWise patches critical vulnerabilities. Schneider Electric confirms a Cactus ransomware attack. Alleged Maryland money launderers face indictments. Russian hackers target media outlets in Ukraine. Our guest is Tomislav Pericin, Chief Software Architect at ReversingLabs, on the rise of software supply chain attacks. And Tinder hopes to reel in the catfish.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Guest is Tomislav Pericin, ReversingLabs Chief Software Architect, talking about the rise of software supply chain attacks. Learn more in their 2024 State of Software Supply Chain Security Report.

Selected Reading
Police arrests LockBit ransomware members, release decryptor in global crackdown (BleepingComputer)
U.S. and U.K. Disrupt LockBit Ransomware Variant (US Justice Department)
Chinese Ministry Of Public Security Breach: Data On GitHub (The Cyber Express)
Massive "i-Soon" leak reveals Chinese firm's hacking tools, targets, including NATO (The Stack)
I-S00N Leaked Chinese foreign government infiltration intel on Github : r/cybersecurity (Reddit)
Israeli Aircraft Survive "Cyber-Hijacking" Attempts (Infosecurity Magazine)
Raccoon Infostealer operator extradited to the United States (Malwarebytes)
Critical ConnectWise ScreenConnect vulnerabilities fixed, patch ASAP! (Help Net Security)
Schneider Electric confirms data was stolen in Cactus ransomware attack (IT Pro)
Maryland Busts $9.5 Million #BEC Money Laundering Ring (CyberCrime & Doing Time)
Several Ukrainian media outlets attacked by Russian hackers (The Record)
Tinder Expands ID Checks Amid Rise in AI Scams, Dating Crimes (Bloomberg)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Operation Cronos leaves LockBit operations on borrowed time.
An alleged leak reveals internal operations from the Chinese Ministry of Public Security.
An Israeli airline thwarts communications hijacking attempts.
The alleged Raccoon Info Stealer operator has been extradited to the U.S.
ConnectWise patches critical vulnerabilities.
Schneider Electric confirms a cactus ransomware attack,
alleged Maryland money launderers face indictments, Russian hackers target media outlets in Ukraine.
Our guest is Tomislav Pericin, chief software architect at Reversing Labs on the rise of
software supply chain attacks, and Tinder hopes to reel in the catfish.
It's Tuesday, February 20th, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thank you for joining us here today. It is great to have you with us.
For the past four years, LockBit has been a scourge on the digital landscape, wreaking havoc across businesses, schools, medical facilities,
and governments all over the world. Employing its ransomware-as-a-service model, LockBit has
orchestrated a relentless campaign, infiltrating thousands of organizations and amassing substantial
profits in the process. From a children's hospital to aviation giant Boeing, the UK's Royal Mail, and even the popular sandwich chain Subway, LockBit's victims have spanned industries and continents.
has brought the group's nefarious activities to a screeching halt.
Spearheaded by the UK's National Crime Agency and supported by a coalition of international investigators,
Operation Cronos has dealt a crippling blow to LockBit's infrastructure,
effectively dismantling its operations from the inside out.
Graeme Biggar, Director General of the NCA,
declared LockBit effectively redundant following the operation's success.
Operation Cronos achieved unprecedented access,
seizing control of LockBit's systems, domains, and servers.
Moreover, the operation obtained crucial details about the group's members and affiliates,
striking at the heart of LockBit's operations.
It's hard to overstate the significance of Operation Cronos. LockBit is responsible for
a quarter of all ransomware attacks in the past year and has inflicted billions in losses upon
its victims. The operation marks one of the most substantial blows against a cybercrime group to
date, signaling a concerted effort by law enforcement to combat the growing threat of ransomware.
In addition to technical disruptions, Operation Cronos has led to arrests in multiple countries
and sanctions against alleged members of LockBit, further dismantling the group's network.
The global reach of LockBit underscores the collaborative nature
of the operation, with law enforcement agencies coordinating efforts across borders to bring the
perpetrators to justice. Despite the success of Operation Cronos, the threat of ransomware looms
large, with payments reaching record highs. Moreover, the possibility of LockBit's resurgence under a different guise remains a
concern. However, the operation sends a clear message to cybercriminals. Law enforcement will
not tolerate their malicious activities, and perpetrators will be held accountable for their
actions. The takedown of LockBit represents a significant milestone in the ongoing battle
against cybercrime. While challenges
persist, Operation Cronos demonstrates the effectiveness of international cooperation
and the determination of law enforcement to safeguard the digital ecosystem from malicious
actors. We are monitoring early reports of a significant data breach from the Chinese Ministry of Public Security that's been
discovered on GitHub. The breach, attributed to a contractor known as iSoon, includes sensitive
information that could potentially impact espionage operations. Leaked data involves spyware,
espionage operation details, and mentions of a Twitter monitoring platform. While the documents are
unverified, they raise questions about China's MPS security protocols. The leak's contents range
from complaints and financial issues to overseas infiltration discussions. This is a developing
story, so stay tuned for more details as they develop. Two El Al flights from Thailand to Israel
faced attempted communications hijackings over the Middle East, with no group claiming
responsibility. Suspicions point to Iranian-backed Houthis or a group from Somaliland. Pilots noticed
the irregularities and maintained their course, following protocol
to thwart the threats. El Al emphasized the pilots' training to handle such situations
and assured the public of flight safety. This incident underscores the importance of
cybersecurity in aviation, and the EU has been updating regulations to enforce industry-wide security standards.
Mark Sokolovsky, a Ukrainian national, has been extradited to the U.S. from the Netherlands,
facing charges related to fraud, money laundering, and identity theft.
He's accused of operating the Raccoon Info Stealer, a malware-as-a-service,
allowing criminals to steal data from victim
computers. Sokolovsky faces multiple charges and a potential maximum sentence of 20 years if
convicted. Raccoon Info Stealer targets credit card data, passwords, and cryptocurrency wallets
with over 50 million credentials stolen globally. The FBI urges potential victims to check their status on
raccoon.ic3.gov and report any harm caused by the malware to the FBI's Crime Complaint Center.
ConnectWise has addressed two critical vulnerabilities in their ScreenConnect
remote desktop software, which could lead to remote code execution or data compromise.
While there's no evidence of exploitation, immediate action is urged.
ScreenConnect is used by managed service providers and businesses for tech support,
but also has been exploited by scammers and ransomware groups.
The vulnerabilities involve authentication bypass and path traversal.
ConnectWise advises self-hosted or on-premise users update promptly.
Schneider Electric confirms a ransomware attack by the Cactus Group on January 17,
impacting its sustainability business division, including the Resource Advisor system.
The attack compromised one and a half terabytes
of data, which the Cactus Group threatens to publish if a ransom isn't paid. Schneider
Electric says they're working to contain the incident and inform affected customers.
The sustainability business unit is autonomously managed, and no other parts of Schneider Electric
are affected. The Cactus Group, active since March
2023, employs a ransomware-as-a-service model and has targeted over 100 victims exploiting VPN
appliances to gain access. Three indictments unveiled in Maryland reveal a complex network
of shell companies used to launder over $9.5 million
from 15 business email compromise cases nationwide.
The victims range from environmental trusts to K-12 school districts and private colleges.
The alleged perpetrators operated shell companies that lacked legitimate operations
or significant employees using various bank accounts for money laundering.
Multiple federal agencies collaborated on the investigation,
including DHS, the EPA, IRS, and DCIS.
The whereabouts of the laundered funds remains a key question.
Several defendants have been arrested, while others are fugitives.
Russian hackers targeted several prominent Ukrainian media outlets over the weekend,
spreading fake news about Russia destroying a unit of Ukrainian special forces in Avdiivka.
The fake news was swiftly removed, but it still circulated on social media.
Ukraine's state cybersecurity agency attributed the attack to a Russian threat actor, part of Russia's information warfare against Ukraine. These
kinds of attacks are common, aiming to spread disinformation. Notorious groups like Sandworm
have targeted Ukrainian media before, and of course these attacks intensified during Russia's invasion since 2022.
The goal is to destabilize Ukraine, spread propaganda, and undermine trust in authorities.
Coming up after the break, our guest, Tomislav Pericin,
chief software architect at Reversing Labs on the rise of software
supply chain attacks.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster
with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass
your company's defenses is by targeting your executives and their families at home? Black
Cloak's award-winning digital executive protection platform secures their personal devices, home ... Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
Tomislav Pericin is Chief Software Architect at Reversing Labs.
I recently caught up with him to talk about the rise of software supply chain attacks.
We've been following software supply chain attacks
for quite a long while now,
and we wanted to compile a report
which looks at the problem holistically.
So we looked at the data for the last couple of years.
Really, we started collecting this data,
compiling this data for the report
from the attack on SolarWinds.
Because that was one of the most prominent attacks in the software supply chain space.
And that kind of started to get everybody going and thinking about software supply chain attacks.
So we wanted to take a look at it from that point to today to see how the threat landscape was evolving.
Well, let's dig into some of the findings here. What are some of the things that really caught your attention?
Oh, absolutely. So, you know, when you look at software supply chain attacks from that point onward,
there is a significant increase year over year from software supply chain attacks, and they kind of end up varying.
You have many software supply chain attacks in the open source space, if you will,
so malicious packages circulating in the development environments,
while targeting developers and then targeting their build as well.
But there are also attacks on commercial software too,
like the attack which happened on SolarWinds, 3CX, and a few others in the meanwhile.
Granted, we do find a lot more malicious packages circulating in the open source than there are public events of attacks on commercial software.
And why is that? Is it just the accessibility of those open source projects?
Oh, absolutely. So open source communities are pretty welcoming. So you can easily create an account, be an anonymous
developer or an attacker, and just publish your malicious content there.
From that point, it's a matter of how you get
the parties to install your malicious piece of code, which is where we see a lot of
tactics evolving.
And so what are some of the specific threat actors here who are taking advantage of this?
Are there any names that you're tracking?
Oh, absolutely.
So, I mean, there are many people who are not really affiliated.
They're kind of low-skill attackers, if you will.
And they're just, you know, latching on to the trend.
But there are also nation-state actors as well.
So last year was actually the first year
we were able to attribute one such attack to a nation-state.
And specifically, it was interesting to us
because this nation-state actor was interested
in attacking both the open-source communities
and more specifically, parts of the community
which deal with cryptocurrency and also commercial vendors too.
So that kind of shows that nation state actors,
especially financially motivated ones,
are not really picky when it comes to the way they infect their targets.
What are some of the other things that drew your attention?
Well, there were many
what we like to call firsts
last year, just evolutions
of tactics, how
attacks are actually evolving.
So one of the things we mentioned in our
report, which was very interesting to me,
is that the last year was the first year
we saw our first, what we call
a dual-use type of a software supply chain attack.
And this was a malicious package published in an open source community,
which was targeting both the open source developers
as part of that code being included in their package.
But that package was also used for phishing campaigns at the same time.
So they had this idea of writing the malicious code once
and use it as many times as possible.
So in this particular case,
both for phishing and infecting the software packages.
That's really interesting.
What are you tracking in terms of things like login credentials
or encryption keys?
Is this part of what's going on as well?
Yeah, it's all related.
I mean, when you talk about software supply chain attacks,
you tend to focus on the malicious aspect of it.
But a lot of software supply chain attacks
actually start by having credentials or access tokens leaked.
Because once that happens,
you have a very easy way
of penetrating the build environment.
Basically, you can do anything you want with the build
as soon as you have the keys to the kingdom, if you will.
Where do you suppose we're headed from here?
I mean, is there any sense that we're making progress here?
Or is this something that continues to grow?
There's a lot of positive movements, really,
in the software supply chain space.
There's a lot of vendors who are getting involved
to provide people with tooling
and capabilities to detect these types of things.
And even open source community itself,
OpenSSF is not only advocating,
but creating some of the solutions
that are meant to both protect the build environment,
to kind of track the prominence of builds,
to ensure everything is kind of signed,
not tampered with.
There's a lot of aspects of software supply chain security
which need to be secured.
And it really takes a village to get us there.
But attackers, they do like to innovate
and they kind of follow the path of least resistance.
I do feel like that this is an emerging threat factor
and that the sophistication of these actors
is relatively low at this time.
But as we kind of buff up our defenses, so will the attackers evolve their
tactics. So what are your recommendations then? How do folks best protect themselves here?
Interesting question. Well, depending on who you are, right? So if you are a software publisher
and you're trying to build a secure piece of code, which you should. You should leverage at least what the OpenSSF is making available today.
So tools and capability to scan your code for both known malicious packages.
They do have a GitHub repository open up relatively recently,
which kind of lists out all of the known incidents.
And they also have a bunch of tools when it comes to securing the provenance
and vulnerabilities and stuff like that.
So I would look at the program itself
and start to take chunks out of it.
There's good advice actually coming from the government.
There's this framework I really, really like
published recently.
It's called Enduring Software Security Framework, ESF.
There's a bunch of really good advice in there.
It's not realistic for everybody.
It's more like a guiding star.
But if you start attacking the problem, I think we're all going to be in a better spot
than we were yesterday.
Our thanks to Tomislav Pericin from Reversing Labs for joining us.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today
to see how a default-deny approach
can keep your company safe and compliant.
With TD Direct Investing,
new and existing clients could get 1% cash back.
Great! That's 1% closer to being part of the 1%.
Maybe, but definitely 100% closer to getting 1% cash back with TD Direct Investing.
Conditions apply. Offer ends January 31st, 2025.
Visit td.com slash dioffer to learn more.
And finally, our Lonely Hearts Club desk tells us that Tinder is introducing advanced ID verification in the U.S., U.K., Brazil, and Mexico to combat catfishing.
Users must upload a video selfie and a valid driver's license or passport.
Previously, only photos or video selfies were required for verification.
Tinder will cross-check uploaded IDs with selfies and profile photos,
verifying age from the ID.
Users reluctant to upload IDs can still verify with a selfie,
but get a camera icon, not a coveted checkmark. The system was tested in New Zealand and Australia,
and will roll out to the UK and Brazil in the spring, and the US and Mexico this summer.
So, Tinder hopes to cut down on catfishing.
Our guess is there will still be plenty of fishing for compliments.
Hopefully, the dating pool just got a whole lot cleaner
with no more casting doubts on your matches.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast,
where I contribute to a regular segment on Jason and Brian's show every week.
You can find Grumpy Old Geeks
where all the fine podcasts are listed.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
We're privileged that N2K and podcasts like the Cyber Wire
are part of the daily intelligence routine
of many of the most influential leaders and operators
in the public and private sector,
as well as the critical security teams
supporting the Fortune 500
and many of the world's preeminent intelligence
and law
enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest
investment, your people. We make you smarter about your team while making your team smarter.
Learn more at n2k.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester with
original music by Elliot Peltzman.
Our executive producers are Jennifer Iben and Brandon Karp.
Our executive editor is Peter Kilby, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Secure AI agents connect, prepare, and automate your data workflows, helping you gain
insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.