CyberWire Daily - The usual suspects are up to their usual tricks.
Episode Date: March 13, 2024
ODNI's Annual Threat Assessment highlights the usual suspects. The White House meets with UnitedHealth Group's CEO. A convicted LockBit operator gets four years in prison. The Clop ransomware group leaks data from major universities. EquiLend discloses a data breach. Fortinet announces critical and high-severity vulnerabilities. GhostRace exploits speculative race conditions in popular CPUs. Incognito Market pulls the rug and extorts its users. Patch Tuesday notes. On the Learning Layer, Sam Meisenberg talks with Joe Carrigan from Johns Hopkins University Information Security Institute, and co-host of the Hacking Humans podcast. They explore Joe's journey on the road to taking his CISSP test. And, I do not authorize Facebook, Meta or any of its subsidiaries to use this podcast. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
Join us as a Learning Layer special series kicks off. Over the next several weekly episodes of the Learning Layer, host Sam Meisenberg talks with Joe Carrigan from Johns Hopkins University Information Security Institute, and co-host of the Hacking Humans podcast. On this episode, they explore Joe's journey as he embarks on the road to taking his CISSP test after fourteen years in the cyber industry, and why he decided to get it now. Learn more about ISC2's Certified Information Systems Security Professional (CISSP) certification, and explore our online certification courses, practice tests, and labs that ensure that you're ready for exam day.
Selected Reading
ODNI's 2024 Threat Assessment: China, Russia, North Korea pose major cyber threats amid global instability (Industrial Cyber)
White House meets with UnitedHealth CEO over hack (Reuters)
LockBit ransomware affiliate gets four years in jail, to pay $860k (BleepingComputer)
Stanford University ransomware attack impacts 27K (SC Media)
EquiLend Employee Data Breached After January Ransomware Attack (HACKread)
Fortinet reports two critical and three high severity issues, plan to patch (beyondmachines)
Major CPU, Software Vendors Impacted by New GhostRace Attack (SecurityWeek)
Incognito Market: The not-so-secure dark web drug marketplace (Graham Cluley)
Microsoft Patch Tuesday – Major Flaws In Office, Exchange And SQL Server (Cyber Security News)
New Facebook photo rule hoax spreads (Malwarebytes)
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
ODNI's annual threat assessment highlights the usual suspects.
The White House meets with UnitedHealth Group's CEO.
A convicted LockBit operator gets four years in prison.
The Clop ransomware group leaks data from major universities.
EquiLend discloses a data breach.
Fortinet announces critical and high-severity vulnerabilities.
GhostRace exploits speculative race conditions in popular CPUs.
The incognito market pulls the rug
and extorts its users.
We got some Patch Tuesday notes.
On our learning layer,
Sam Meisenberg talks with Joe Carrigan
from Johns Hopkins University
Information Security Institute
and co-host of the Hacking Humans podcast.
They explore Joe's journey
on the road to taking his CISSP test.
And I do not authorize Facebook, Meta, or any of its subsidiaries to use this podcast.
It's Wednesday, March 13th, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thank you all for joining us here today.
It is great to have you with us.
The Office of the Director of National Intelligence's
2024 Annual Threat Assessment
reveals an escalating cyber threat landscape,
with China identified as the top persistent cyber adversary to the U.S.,
targeting government, private sector, and critical infrastructure.
ODNI says Russia continues as a significant global cyber threat, focusing on Ukrainian conflict-related cyber operations. North Korea is expected to ramp up illicit activities,
including cyber theft, to support its weapons of mass destruction program.
The U.S. faces challenges from strategic competition among major powers,
transnational threats, and regional conflicts,
with organized cybercriminals refining ransomware attacks against critical services
and exploiting weak defenses worldwide, especially in low-income countries.
The proliferation and sophistication of ransomware attacks are fueled
by inexpensive, anonymizing online infrastructure, making them more accessible to newcomers.
Despite occasional operational pauses by cybercriminal groups due to law enforcement
actions, their activities often resume or evolve. Without cooperation from countries providing safe havens for cybercriminals
like Russia, mitigation efforts are limited. The report also highlights China's cyber espionage,
the threat of aggressive cyber operations against the U.S., and surveillance and censorship
practices. It underscores Russia's foreign policy use of cyber disruptions and Iran's increasing cyber aggression, posing a threat to the U.S. and allied security.
Iran's potential influence operations targeting the U.S. elections are noted.
North Korea's cyber program is characterized as sophisticated and versatile, focusing on espionage, cybercrime, and strategic objectives.
In response, CISA has outlined a 2024 plan to address these threats, particularly from China, through enhanced
cybersecurity and collaboration efforts. Yesterday, White House officials met with
UnitedHealth Group's CEO and industry representatives to address the cyber attack
on UnitedHealth's tech unit Change Healthcare that disrupted U.S. healthcare operations.
This gathering marked the first coordinated effort between healthcare providers and insurers
post-hack. The cyber attack, attributed to the BlackCat ransomware group,
significantly impacted the healthcare system, affecting the
processing of medical claims and payments. Health insurers have since implemented alternative
payment processes to assist healthcare providers. Change Healthcare, which is crucial for processing
about half of U.S. medical claims, serves numerous healthcare entities. U.S. officials have urged
UnitedHealth to expedite payments
to affected providers, highlighting the extensive reach and impact of the cyber attack on the
healthcare sector. Mikhail Vasiliev, a Russian-Canadian involved in the LockBit ransomware
operation, has been sentenced to four years in prison by an Ontario court.
Arrested in November 2022 and pleading guilty to eight charges in February 2024,
Vasiliev played a crucial role in numerous high-profile cyberattacks,
demanding ransoms totaling over $100 million.
His activities, particularly targeting Canadian businesses,
led to significant disruptions between 2021 and 2022.
Despite his lawyers' claims of pandemic-driven criminality, Justice Michelle Fuerst labeled Vasiliev a cyber-terrorist driven by greed.
He's been ordered to pay $860,000 in restitution and faces potential extradition to the U.S. for further charges.
Meanwhile, despite law enforcement efforts to disrupt LockBit, including arrests and a $15 million reward for information, the gang attempts to recover, using new infrastructure to resume
attacks, although their activity level may be overstated, according to recent analysis.
The Clop ransomware group leaked personal and financial information stolen from Stanford Medicine,
University of Maryland Baltimore, and the University of California.
The breach occurred through vulnerabilities in the Accellion file transfer appliance,
a tool used by these institutions to share and store sensitive
information. Stanford Medicine reported that stolen data included social security numbers
and financial details. UMB acknowledged a breach involving personally identifiable information,
while the University of California recognized a broader cyber attack impacting several entities.
Similar incidents also affected the University of Colorado and the University of Miami.
Although internal networks remain secure,
the compromised Accellion servers led to significant data exposure.
The Clop ransomware group, potentially linked with the FIN11 cybercrime group,
aims to pressure victims into paying ransoms to prevent
data leaks. This series of attacks underscores ongoing security challenges and the necessity
for robust cybersecurity measures against ransomware threats. Financial technology firm
EquiLend has disclosed a data breach due to a ransomware attack in January attributed to the LockBit group.
This incident compromised personal information of EquiLend employees, including names, birthdates,
social security numbers, and payroll details. Although there is no evidence of misuse,
affected individuals are offered two years of free credit monitoring and identity protection.
The attack led to temporary service disruptions,
but the full extent and whether a ransom was paid remain undisclosed.
LockBit's leak site currently does not list EquiLend,
suggesting possible negotiations.
Fortinet has announced vulnerabilities in its products,
with two classified as critical and others as high-severity, prompting an advisory from CISA.
The vulnerabilities impact FortiClient EMS, FortiManager, FortiOS, and FortiProxy,
allowing command execution on admin workstations through malicious log entries and enabling code execution on FortiOS and FortiProxy via the captive portal due to security flaws.
Fortinet recommends updating to the latest software versions to address these issues.
Additionally, high severity issues affect multiple Fortinet services, particularly related to SSL VPN features.
While no attacks exploiting these vulnerabilities have been reported, Fortinet's advisory highlights
the necessity of timely security updates to prevent potential cybersecurity risks.
Researchers from IBM and VU Amsterdam have unveiled a new data leakage attack
named GhostRace,
affecting major CPU manufacturers
and various software.
GhostRace exploits speculative race conditions,
potentially allowing attackers
to access sensitive data
like passwords and encryption keys from memory.
This technique generally requires
physical or privileged machine access, making practical
exploitation challenging.
The attack leverages speculative execution alongside race conditions previously exploited
in CPU attacks to bypass synchronization primitives meant to prevent these sorts of conditions.
The researchers utilized a novel method called inter-process interrupt storming to disrupt a victim's process's execution, facilitating speculative concurrent use-after-free attacks, leading to significant data leakage in tests on the Linux kernel.
The vulnerability extends to all major hardware platforms and various software implementing similar synchronization
without protective serialization instructions.
Intel, AMD, ARM, and IBM have been informed,
with AMD advising that measures against Spectre-type attacks
could mitigate GhostRace risks.
The Xen hypervisor and Linux developers have acknowledged the issue, with Linux introducing an IPI rate-limiting feature, albeit with reservations about further action due to performance concerns.
The Incognito Market darknet marketplace has turned extortionist against its users, threatening to expose private messages,
transaction details, and crypto transaction IDs unless a ransom is paid.
The blackmail message boasts about the unreliability of their auto-encrypt feature and the non-deletion of messages, warning of a potential data dump including over 557,000 orders
and 862,000 crypto transaction IDs.
The market is demanding ransoms ranging from $100 to $20,000 based on the user's activity level,
promising to keep their information from law enforcement.
This revelation follows a significant exit scam that saw users lose access to their Bitcoin and Monero funds,
highlighting the inherent risks and lack of trust in darknet marketplaces.
Incognito Market has even published a list showing who has paid the ransom, possibly to coerce more into paying.
Microsoft's March 2024 Patch Tuesday addressed 59 vulnerabilities across its
product range, without any being zero-day or publicly disclosed beforehand. Two vulnerabilities
are rated as critical, affecting Windows Hyper-V with a denial-of-service and remote code execution
risk, and 57 are deemed important, spanning products like Skype, Microsoft
Components for Android, Windows, Office, Azure, .NET Framework, Visual Studio, SQL Server,
and Microsoft Dynamics.
This update also includes fixes for several Chromium issues.
Released ahead of the Pwn2Own competition, the patch volume is notably low for March.
Microsoft recommends updating all products to the latest versions to secure against potential exploitation of these vulnerabilities.
Coming up next on the Learning Layer, Sam Meisenberg talks with Joe Carrigan as he embarks on his CISSP test journey.
Stay with us.
Today kicks off a special series of Learning Layer segments. Our host, Sam Meisenberg, talks with Joe Carrigan from the Johns Hopkins University Information Security Institute
about Joe's journey taking his CISSP test.
Here's their conversation. Welcome back to the Learning Layer segment.
This is a special one because it's kicking off my conversation with Joe Carrigan,
and we're going to follow Joe as he gets ready for his CISSP exam.
Joe, you need no introduction.
Oh, okay.
Because the Cyber Wire listeners know you already.
But for those who might not listen to Hacking Humans,
why don't you just give us a quick overview of who you are and what you do?
So I am Joe Carrigan, and on Hacking Humans,
they say Joe Carrigan from the Information Security Institute
up at Johns Hopkins University.
I've been a security professional
almost exclusively in security
for about 14 years,
maybe 13 and a half, I don't know.
And it's been 14 years,
and why now for the CISSP?
That's a good question.
Why am I getting the CISSP now?
Well, normally when someone's been in the industry for 14 years,
they already have a CISSP, right?
If you've been doing this for more than five years
and you feel comfortable sitting for the test,
you should be doing this.
It definitely makes you more marketable.
But when I had been at Hopkins for a while,
I said, I think I want to go get a certification, a CISSP certification. I meet the
length qualifications. And the answer I got back was, we don't value certifications here.
We value research. Sure. Which, from a research university perspective, is a valid way of looking
at it. Makes sense. So I've actually done research
and been published a few times.
I worked on an authentication system
that was published in Financial Cryptography
back in 2016.
From that, I had a patent that came out of it
for a signal modulation methodology.
And I was published for a cybersecurity course
that we wrote and produced and filmed and edited for community college students.
Oh, cool.
And it's free and available to anybody if they want it.
It's a long-winded way of saying that I've done interesting stuff, but the problem is in the industry, what does that get you?
A bunch of theoretical things don't really help you if you're going to go in
and do something operational, right?
So,
it's just time,
I've just decided
it's time for me to go out
and get the certification.
I'm curious,
do you have any other certifications
under your belt
or is this your first one?
I do.
I have,
I have the CC certification.
Oh, the CC.
Certified in cybersecurity.
Yeah.
That is right now available for free.
You can get the course materials and a free exam voucher
from the ISC2 organization.
They'll give it to you.
Yep.
So, okay, that is a very different test than the CISSP.
So tell me why did you take the CC?
Because I wanted to see what it was like
and see what their training materials were like
as well. Because it was free, it was essentially risk-free, right? So I could do that. So I have a
testing experience event that helps me gauge what the testing experience for the CISSP is going to
be. So, and I do have to kind of rephrase my question and go back and clarify what I meant to our listeners.
I said that the CC is different than the CISSP.
It's a very different test.
What I think I meant,
you understood what I meant,
but I want to clarify.
Right.
It's not that the content is different,
because actually there's a lot of content overlap, right? There's a lot of overlap between the two, yeah.
Like, and of course, let's say the obvious thing,
they're both by ISC2.
Right.
So you have the same
question writers
sitting in the room
who write the exams,
the same people
who write the CC
versus the CISSP.
What I wanted to say
was that the difficulty
is very different.
So CC,
as you described,
a lot of discrete questions.
Do you know this
or don't you?
Right.
Right?
Right.
Versus CISSP,
you still need
all that content knowledge,
but they're going to ask you to apply that information. Right.
So how are you feeling? How are you feeling? Are you ready to take your content
understanding to the next level for CISSP? Yes, I'm ready to begin this and I'm anxious and
actually quite eager to get this on the road. Awesome. Well, Joe, we are looking forward to follow along with your journey.
Hopefully I can be helpful.
And I know that our conversations will be helpful to those people who are studying for the CISSP.
So we're looking forward to it. That is our Learning Layer host, Sam Meisenberg,
talking with Joe Carrigan,
my co-host on the Hacking Humans podcast.
And finally, here we go again.
Malwarebytes notes another round of that tired Facebook hoax,
claiming you can magically forbid Meta from using your photos and posts by copying and pasting some legal mumbo-jumbo.
It's like Groundhog Day on
social media, with this nonsense popping up more times than I can count since its first appearance
in 2012. Despite clear statements from Facebook and numerous debunkings from fact-checkers like
Snopes, people keep falling for it and spreading it around. Let's set the record straight once and for all.
Posting a declaration on your Facebook timeline
does absolutely nothing to change the terms you agreed to when you signed up.
Facebook doesn't own your content,
but yes, you give them permission to use it according to their terms,
which, by the way, you agreed to.
If you're that concerned about privacy,
maybe it's time to rethink your relationship with social media
instead of sharing a pointless post that achieves nothing but fueling more misinformation.
It's frustrating to see this hoax circulate time and time again,
especially when there are legitimate privacy concerns to be aware of.
Instead of doing a bit of research or questioning the efficacy of these viral solutions,
folks just hit the share button, perpetuating fear and confusion.
If you are tempted to share something like this, just in case, please don't.
It only keeps this endless cycle of misinformation going.
Let's be more critical of what we share
and stop these hoaxes from getting yet another undeserved round of attention.
And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing
at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people.
We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music by Elliot Peltzman. Our executive producers are Jennifer Eiben and
Brandon Karp. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.