CyberWire Daily - The United Kingdom's catastrophic ransomware attack.

Episode Date: December 13, 2023

The UK faces a looming threat of a catastrophic ransomware attack. The Senate confirms a new National Cyber Director. The rivalry between malware groups BatLoader and FakeBat. BazarCall phishing attack and its unusual use of Google Forms. A serious vulnerability threatens K-12 student data. Spider-Man game developer Insomniac Games becomes the latest ransomware victim. Today’s guest is Tim Starks from the Washington Post’s Cybersecurity 202 with China’s influence operations in Taiwan, along with a look back at 2023. We'll touch on Microsoft's Patch Tuesday and why outdated password policies are still a problem.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today’s guest is Tim Starks from the Washington Post’s Cybersecurity 202. Tim and Dave discuss China’s influence operations in Taiwan, along with a look back at 2023.

Selected Reading
UK at high risk of ‘catastrophic ransomware attack’, report says (The Guardian)
Roll Call Vote 118th Congress - 1st Session (United States Senate)
How Does Access Impact Risk? (IST)
API and App Security: Q3 2023 Snapshot (ThreatX)
The Kids Aren’t Alright: Vulnerabilities in Edulog Portal Revealed K-12 Student Location Data (Tenable)
Press and pressure: Ransomware gangs and the media (Sophos)
BazarCall Attack Leverages Google Forms to Increase Perceived Credibility (Abnormal)
Two Competing, Russian-Speaking Cybercrime Groups Attack Employees from 23 Companies in the Manufacturing, Software, Legal, Retail, and Healthcare Sectors Using Malicious Google Ads (eSentire)
Spider-Man 2 developer Insomniac Games hit by Rhysida ransomware attack (Cyber Daily)
Microsoft Patch Tuesday December 2023 (SANS)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. The UK faces a looming threat of catastrophic ransomware. The Senate confirms a new national cyber director. The rivalry between malware groups BatLoader and FakeBat. BazarCall phishing attack and its unusual use of Google Forms.
Starting point is 00:02:15 A serious vulnerability threatens K-12 student data. The Spider-Man game developer Insomniac Games becomes the latest ransomware victim. Today's guest is Tim Starks from the Washington Post's Cybersecurity 202, with China's influence operations in Taiwan, along with a look back at 2023. We'll touch on Microsoft's Patch Tuesday and why outdated password policies are still a problem. It's Wednesday, December 13th, 2023. I'm Dave Bittner, and this is your CyberWire. We begin today with news from The Guardian that the UK government is reportedly at high risk of a catastrophic ransomware attack due to insufficient planning and investment, as warned by a parliamentary committee. The Joint Committee on National Security Strategy highlighted the UK's vulnerability to a major cyber attack
Starting point is 00:03:29 on its critical national infrastructure, which includes essential assets like energy, water, transportation, health, and telecommunications. Recent examples of such attacks include the NHS incident last year, where patient data was compromised, and the 2020 Redcar and Cleveland Council ransomware attack, which led to weeks of system lockdown and costly damages. The government, particularly the Home Office and former Home Secretary Suella Braverman, have been criticized for not prioritizing ransomware as a policy issue,
Starting point is 00:04:08 focusing instead on issues like illegal migration. The report stressed that the UK's CNI is dependent on private third-party IT systems, making it more susceptible to cyberattacks. Future attacks could threaten physical security or human life, for instance, by sabotaging CNI operations or hijacking cyber-physical systems like shipping vessels. The NHS is noted as particularly at risk due to outdated IT infrastructure and insufficient capacity for even basic upgrades. Harjinder Singh Lallie from the University of Warwick pointed out the potential for wide-ranging impacts on the NHS, including disruptions to appointments, medical records, and staff payment systems. He suggested more frequent updates to operating systems and hardware to reduce costs and disruption.
Starting point is 00:05:00 Most ransomware groups targeting the UK are believed to be based in Russia, with North Korean and Iranian groups also posing threats. The UK's support for Ukraine in the current conflict has heightened its risk of being targeted. Margaret Beckett, the chair of the Joint Committee, remarked on the UK's status as a highly cyber-attacked nation and criticized the government's inadequate response. The government, however, claims to be well-prepared, citing a £2.6 billion investment in cybersecurity and the implementation of minimum standards through the NCSC's Cyber Essentials Scheme. Meanwhile, on this side of the pond, the U.S. Senate yesterday confirmed Harry Coker Jr. as National Cyber Director in the White House Office of the National Cyber Director, where he will serve as the principal advisor to the president on cybersecurity policy and strategy. its creation in 2021. Coker is a retired senior executive at the Central Intelligence Agency and a career naval officer. He most recently served as executive director of the National Security Agency. The first national cyber director was Chris Inglis, who held the position from 2021
Starting point is 00:06:19 until February of this year. The Institute for Security and Technology convened a working group that released a study on the risks associated with increasing access to AI foundation models. The researchers found that greater access escalates the risk of malicious use, such as fraud, crimes, social and democratic disruption, and critical infrastructure interference. This access also raises concerns about compliance failures, removing human oversight, and capability overhang, where models develop unforeseen capabilities. On the positive side, wider access to these AI models can spur faster innovation and allow for more extensive stress testing, red teaming, and vulnerability identification by a broader range of developers and users.
Starting point is 00:07:10 A number of companies have sent us news of their latest reports and research. ThreatX released a report highlighting that most API attacks involve programmatic access, such as automated interactions aiming to scrape data or exploit vulnerabilities. The report emphasizes the importance of robust anti-bot solutions and improved user authentication and validation mechanisms to counter these threats. Tenable researchers found vulnerabilities in the Edulog parent portal used in 7,500 K-12 school districts for tracking students' routes. These flaws, now patched, could have allowed someone with a free account to access API endpoints, potentially revealing sensitive information like student names, bus routes, parent contact details,
Starting point is 00:07:59 GPS data, and even encrypted passwords for school district integrations. Sophos has analyzed how ransomware gangs interact with the media, observing their increasing professionalism in press and reputational management. This includes issuing press releases, creating sophisticated graphics, and recruiting English-speaking writers. These gangs recognize the newsworthiness of their actions and use media attention to enhance their credibility and pressure victims. Sophos advises the media to avoid engaging with threat actors unless it serves the public interest or provides useful intelligence for defenders. Abnormal Security has identified a BazarCall phishing attack that cleverly uses
Starting point is 00:08:48 Google Forms to appear legitimate. The scam involves sending an email about a pending subscription charge and providing a fake customer support number. When a victim calls, they're tricked into installing malware. In this instance, the attacker creates a fake invoice using Google Forms, entering the victim's email address to ensure they receive a copy of the form, which is disguised as a Norton antivirus payment confirmation. The use of Google Forms allows the email to be sent from a legitimate address, increasing the likelihood of it bypassing security filters. eSentire researchers are monitoring two rival Russian-speaking malware-as-a-service groups, BatLoader and FakeBat. FakeBat, likely a former client of
Starting point is 00:09:35 BatLoader, has started its own similar operation. These groups deceive employees by creating Google ads and websites that mimic legitimate software sites, tricking them into downloading malware loaders disguised as business software. Both BatLoader and FakeBat are focused on infecting corporate employees with various malware types as per their customers' choices. BatLoader's attacks have resulted in companies being infected with Royal ransomware, the Gozi banking trojan, credential stealers, and remote access trojans. Ransomware group Rhysida claims to have attacked video game developer Insomniac Games, posting limited data as proof.
Starting point is 00:10:18 This data includes a screenshot and character art from Insomniac's upcoming Wolverine game, passport scans of employees, and personal documents belonging to Yuri Lowenthal, the voice actor for Insomniac's popular Spider-Man games. The leak also features internal emails and confidential documents. Rhysida is threatening to release the full dataset in seven days and is auctioning it off starting at 50 bitcoins, just over 2 million US dollars. Sony, the owner of Insomniac Games, acknowledges the incident and is investigating, but believes no other divisions are affected. Microsoft's latest Patch Tuesday was relatively light, featuring a total of 35 vulnerabilities.
Starting point is 00:11:08 This set comprises four critical, 30 important, and one moderate vulnerability. Additionally, the update includes five Chromium patches as part of Microsoft Edge. Prior to this release, only one of these vulnerabilities was publicly known. Notably, none of the vulnerabilities patched in this update were being actively exploited. Coming up after the break, my conversation with Tim Starks from The Washington Post's Cybersecurity 202. We're talking China's influence operations in Taiwan, along with a look back at 2023. Stick around. Do you know the status of your compliance controls right now?
Starting point is 00:12:08 Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
Starting point is 00:12:37 They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Starting point is 00:13:23 Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. It is always my pleasure to welcome back to the show Tim Starks. He is the author of the Cybersecurity 202 at The Washington Post. Tim, welcome back. Dave, sir.
Starting point is 00:14:08 I want to start off with highlighting a bit of a scoop that you and your colleagues at the 202 have here, reporting on research from Graphika. What do you have here today? Yeah, so Graphika is one of these organizations that does big research on influence operations, disinformation campaigns. And we obviously are preoccupied in the United States about our election and worrying about disinformation there. But they have found a disinformation campaign dating back to May of 2022 affecting the upcoming elections in Taiwan next month. Taiwan has been warning, the Taiwanese leaders have been warning that China is interfering in their elections. Graphika does not explicitly say that China is behind this.
Starting point is 00:14:54 They say we can't attribute who's behind it. However, if you look at the research, there are a lot of indicators that this is probably Chinese actors, whether it's the Chinese government or not, because they're in Chinese language, they're Chinese language memes and videos. Their fluency with the Taiwanese language is poor. And it just so happens that the campaign, it just seems to be accidentally sort of favoring the organization,
Starting point is 00:15:18 the political group that is well known for being closer to a pro-China position and criticizing the explicitly independence-minded political party there in Canada. So it looks like it fits into the pattern of things we've seen with China. And while most of it has been taken down, it's not entirely down.
Starting point is 00:15:36 So it's interesting that there's still some elements of it that are floating around out there. And is this a cautionary tale for us as we continue to roll downhill towards our own election season here? Yeah, I think so. I mean, what's interesting about China and election disinformation is that they've kind of dipped their toe in it before with us, but not like Russia did in 2016 or even subsequent elections. There were signs in the last major election in 2020 that China was getting more interested in this, and 2022. And this seems like they're full-fledged into it with Taiwan.
Starting point is 00:16:13 Now, Taiwan is of greater interest to them, perhaps, than the United States for many reasons. But if you combine this with the discussion that we've heard from U.S. officials that China is getting more brazen with its cyber attacks, not less, it seems like this would give them every... It could be potentially a bit of a test run for them, for the U.S. When it's come to Taiwan and the U.S. and there's been an overlap of disinformation, if you'll recall, when then House Speaker Nancy Pelosi visited not long after, they had a bunch of disinformation campaigns related in Taiwan to Pelosi and Taiwan. So there's a Venn diagram of overlap here and concern as far as the U.S. and Taiwan. Well, let's switch gears here as we're coming towards the end of the year. And this is for the two of us,
Starting point is 00:17:05 you and I, the last conversation we're going to have before the new year. Looking back on 2023, how does this year shape up for you when it comes to cybersecurity? Yeah, I've been doing this for a long time. I know you have too, Dave. There are a couple of things
Starting point is 00:17:22 that stand out to me about this year. I've written about this and others have written about it, but I feel like it's maybe been underappreciated that the MOVEit-based attack, a ransomware attack, is arguably the biggest cyber attack of all time. But I don't think we've heard people talk about it that much that way because it ultimately ended up affecting more than 2,000 organizations. If you look at the number of people who were affected by it, it's above 60 million. So the other thing that's interesting about that, of course,
Starting point is 00:17:47 is that it's attacking these kinds of organizations that get you into other organizations. We've seen a lot of attacks like that this year. So that seems like a wave of the future and a big landmark with one specific attack
Starting point is 00:17:59 and the wave of the future on the attack vector. It's interesting that MOVEit is, I guess the word that comes to mind for me is diffuse. And perhaps that's why it's not getting so much attention. Yeah, I think that's it. I mean, when you think of the very big attacks or big landmark kind of attacks,
Starting point is 00:18:16 it's like the Sony attack, for instance, right? It was one big organization that was affected. This is lots and lots of organizations affected. The other thing that's interesting about this, and this is a multi-year trend, I don't know about you, I didn't use MOVEit before the attack. I don't think I'd even heard of MOVEit before the attack. Same thing with SolarWinds. I didn't know much about SolarWinds. So there's kind of all these sort of players that are big players in the IT world who you could attack and really reap a lot of gains from if you're a cyber attacker. And they fit into that pattern as well.
Starting point is 00:18:46 Any thoughts as we come into the new year here? I know we're all reticent to read the tea leaves, as it were, and make predictions. But is it fair to say that 2024 is shaping up to be just as interesting, if not more so? Yeah, it feels like it'll almost be more interesting. I don't know if you remember coming into this year, there was a lot of talk about ransomware attacks being down the prior year, or at least not on the sort of steady rise they'd been on.
Starting point is 00:19:16 Well, now that's back to being the case that ransomware attacks are back on the increase. One thing I've learned from being a cyber reporter, even though it's my job to try to anticipate the threats and trends, it's an exciting and scary place to write about because as much as I think about what's next, it's never what I think it is. It's always something else that comes, like MOVEit being a perfect example. It's always hard to anticipate what the next thing is going to be. Nobody, you know, even though there were indicators in 2016 that there was going to be, that there
Starting point is 00:19:46 had been some vulnerabilities in voting machines and that there had been attacks on presidential campaigns, nobody saw anything like that coming before it happened in 2016. Not the scale of it, not the way it happened. It's one of those things where I think about it a lot and I have no
Starting point is 00:20:02 confidence in my ability to predict where hackers are going. Fair enough. I join you in that lack of confidence in our predictive abilities. Well, Tim Starks is the author of the Cybersecurity 202 at the Washington Post. Tim, thank you so much for joining us throughout this year. It has been a true pleasure for me
Starting point is 00:20:24 and I look forward to our future conversations. Yeah, man. I've loved doing it. Thanks for having me this year. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
Starting point is 00:21:32 And finally, a study by the Georgia Institute of Technology has uncovered that a significant number of popular websites are stuck in a password policy time warp, reminiscent of 1985. Their examination of over 20,000 websites revealed a concerning trend. 75% of these sites allow passwords shorter than the recommended eight characters, with some even accepting single-character passwords. Additionally, 40% of the sites limit password lengths to less than the advised 64 characters. Surprisingly, 72% permit the use of dictionary words, and 88% allow the users to choose passwords that have been previously breached. Alarmingly, a third of these websites don't support the use of special characters in passwords,
Starting point is 00:22:19 and nearly 40% accept 123456, the most popular and insecure password. The study also found that a significant portion of websites are still operating under the NIST 2004 password policy guidelines, with just under 17% following an even older recommendation from 1985. Stronger security standards are notably less common, with only a fraction of sites adhering to the more secure NIST 2004 Level 2 guidelines. Furthermore, the researchers' evaluation of website login policies revealed that nearly 2,000 domains dangerously transmit and store passwords in plain text. Around 3,200 websites disable copy-pasting for crucial fields, and numerous sites employ typo-tolerant password authentication,
Starting point is 00:23:15 increasing the vulnerability to various cyber attacks. User enumeration attacks are made easier by the nearly 6,000 websites that provide revealing error messages. Only a minority of sites implement login rate limiting to prevent brute force attacks. And worryingly, 570 websites were found to be sending plain text passwords via email, a potential breach of the EU's GDPR. The researchers suggest that modernizing web frameworks and standardizing password policies could drastically improve online security. They recommend outreach campaigns and updates to popular web software to address these widespread authentication issues, emphasizing that software improvements could significantly
Starting point is 00:23:57 reduce the number of vulnerable sites. In the digital security dance, it appears that while some are doing the cybersecurity shuffle, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin.
Starting point is 00:25:06 Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Starting point is 00:26:14 Learn more at ai.domo.com. That's ai.domo.com.
