CyberWire Daily - Ukraine’s fight to restore critical data.

Episode Date: December 20, 2024

Russian hackers attack Ukraine’s state registers. NotLockBit is a new ransomware strain targeting macOS and Windows. Sophos discloses three critical vulnerabilities in its Firewall product. The BadBox botnet infects over 190,000 Android devices. BeyondTrust patches two critical vulnerabilities. Hackers stole $2.2 billion from cryptocurrency platforms in 2024. Officials dismantle a live sports streaming piracy ring. Rockwell Automation patches critical vulnerabilities in a device used for energy control in industrial systems. A new report from Dragos highlights ransomware groups targeting industrial sectors. A Ukrainian national is sentenced to 60 months in prison for distributing the Raccoon Infostealer malware. We bid a fond farewell to our colleague Rick Howard, who’s retiring after years of inspiring leadership, wisdom, and camaraderie. The LockBit gang teases what’s yet to come.

CyberWire Guest
Today’s guest segment is bittersweet as we bid farewell to our beloved Rick Howard, who’s retiring after years of inspiring leadership, wisdom, and camaraderie. Join us in celebrating his incredible journey, sharing heartfelt memories, and letting him know just how deeply he’ll be missed by all of us here at N2K.
Selected Reading
Ukraine’s state registers hit with one of Russia’s largest cyberattacks, officials say (The Record)
NotLockBit - Previously Unknown Ransomware Attack Windows & macOS (GB Hackers)
Critical Sophos Firewall Vulnerabilities Let Attackers Execute Remote Code (Cyber Security News)
Botnet of 190,000 BadBox-Infected Android Devices Discovered (SecurityWeek)
BeyondTrust Security Incident — Command Injection and Escalation Weaknesses (CVE-2024-12356, CVE-2024-12686) (SOCRadar)
Crypto-Hackers Steal $2.2bn as North Koreans Dominate (Infosecurity Magazine)
Massive live sports piracy ring with 812 million yearly visits taken offline (Bleeping Computer)
Rockwell PowerMonitor Vulnerabilities Allow Remote Hacking of Industrial Systems (SecurityWeek)
Ransomware Attackers Target Industries with Low Downtime Tolerance (Infosecurity Magazine)
Ukrainian Raccoon Infostealer Operator Sentenced to Prison in US (SecurityWeek)
NetWalker Ransomware Operator Sentenced For Hacking Hundreds Of Organizations (Cyber Security News)
LockBit Admins Tease a New Ransomware Version (Infosecurity Magazine)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Russian hackers attack Ukraine's state registers. NotLockBit is a new ransomware strain targeting macOS and Windows. Sophos discloses three critical vulnerabilities in its firewall product. The BadBox botnet infects over 190,000 Android devices.
Starting point is 00:02:19 BeyondTrust patches two critical vulnerabilities. Hackers stole $2.2 billion from cryptocurrency platforms in 2024. Officials dismantle a live sports streaming piracy ring. Rockwell Automation patches critical vulnerabilities in a device used for energy control in industrial systems. A new report from Dragos highlights ransomware groups targeting industrial sectors. A Ukrainian national is sentenced to 60 months in prison for distributing the Raccoon InfoStealer malware. We bid a fond farewell to our colleague Rick Howard,
Starting point is 00:02:52 who's retiring after years of inspiring leadership, wisdom, and camaraderie. And the LockBit gang teases what's yet to come. It's Friday, December 20th, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Happy Friday and thanks for joining us here today. Ukraine has experienced one of the largest cyber attacks on its state registers, suspected to be carried out by Russian hackers linked to the GRU, such as the Sandworm Group. The attack disrupted access to over 60 state databases containing critical information like biometric data, business records, and property ownership. Ukrainian authorities, including the Ministry of Justice, temporarily
Starting point is 00:03:58 suspended access while investigating. Pro-Russian group XakNet claimed responsibility, stating it had stolen and deleted data from the registers, including backups. Officials confirmed backups exist and data will be restored, though the process may take weeks. The attack caused nationwide disruptions affecting government services, business operations, and e-government apps. Ukraine views this attack as part of Russia's broader cyber warfare,
Starting point is 00:04:30 potentially prosecuting it as a war crime. A new ransomware strain, NotLockBit, poses a significant threat with advanced cross-platform capabilities targeting both macOS and Windows. Written in Go, it employs sophisticated tactics, including targeted file encryption, data exfiltration, and self-deletion mechanisms to complicate recovery. NotLockBit closely mirrors the behavior and tactics of the infamous LockBit ransomware, leveraging similar encryption techniques and extortion strategies while expanding its capabilities to target both macOS and Windows systems. NotLockBit encrypts sensitive data files using AES and RSA protocols and exfiltrates
Starting point is 00:05:17 stolen data to attacker-controlled cloud storage for double extortion purposes. It deletes original files, renames encrypted ones, and modifies desktop wallpapers to display ransom notes. On macOS, it uses system commands to enhance its attack. The ransomware is highly evasive, leveraging obfuscation to bypass detection. Variants suggest tailored attacks or ongoing development. Organizations should adopt proactive defenses, including backups, endpoint protection, and user education, as NotLockBit's emergence highlights the escalating sophistication of ransomware threats. Sophos has disclosed three critical vulnerabilities in its firewall product, allowing potential remote code execution. The first involves a pre-authentication SQL injection in the email protection feature, exploitable under specific conditions.
Starting point is 00:06:17 The second relates to reused SSH passphrases during high availability setup, risking privileged account exposure. The third enables authenticated users to execute arbitrary code via the user portal. Sophos has issued automatic hotfixes and manual updates, urging organizations to apply them promptly and follow mitigation measures to safeguard their networks. The BadBox botnet has infected over 190,000 Android devices, primarily Yandex 4K QLED smart TVs and Hisense T963 smartphones, according to BitSight. Originating from a supply chain compromise, BadBox malware comes pre-installed on low-cost devices, including TVs and smartphones, and enables activities like residential proxying,
Starting point is 00:07:12 ad fraud, and remote code installation. Daily communication with the botnet involves over 160,000 unique IPs, mostly from Russia, China, and Brazil. BitSight urges caution in choosing trusted device manufacturers to mitigate these risks. BeyondTrust's Privileged Remote Access and Remote Support solutions have two critical vulnerabilities, posing significant security risks. The first, with a CVSS score of 9.8, enables unauthenticated command injection, while the second allows privilege escalation for attackers with administrative access. Both have been actively exploited, with one now in CISA's Known Exploited Vulnerabilities catalog. BeyondTrust has released urgent patches and worked with third-party experts to investigate and address the breach.
Starting point is 00:08:07 Organizations should remediate immediately to avoid further exploitation. Hackers stole $2.2 billion from cryptocurrency platforms in 2024, with 61% of the funds attributed to North Korean attackers, according to Chainalysis. The number of incidents rose from 282 in 2023 to 303 in 2024, a 21% year-on-year increase. Notably, the intensity of attacks dropped after a June summit between Vladimir Putin and Kim Jong-un, reducing North Korean thefts by 54%. However, attacks overall have grown more frequent, with larger exploits above $100 million and smaller hacks around $10,000 increasing. Chainalysis urges rigorous employee vetting, improved key hygiene, and stronger industry-law enforcement collaboration
Starting point is 00:09:06 to combat these threats. The Alliance for Creativity and Entertainment, ACE, has dismantled one of the largest live sports streaming piracy rings, Markky Streams, based in Vietnam, with over 821 million visits in 2023. Targeting U.S. and Canadian audiences, the operation streamed sports events from major U.S. leagues and global competitions, affecting ACE members. ACE seized 138 domains associated with the ring, issuing a warning to piracy operators worldwide. The takedown highlights the unique threat piracy poses to live sports broadcasts. Rockwell Automation has patched critical vulnerabilities in its Allen-Bradley PowerMonitor 1000,
Starting point is 00:09:57 a device used for energy control in industrial systems. The flaws allow attackers to take over devices, execute remote code, or launch denial of service attacks. Exploitation requires no authentication and could disrupt production by halting power monitoring or compromising networks. A firmware update addresses these issues. Researchers urge immediate updates to protect Internet-exposed devices and prevent industrial system breaches. Dragos' third-quarter 2024 industrial ransomware analysis identified 23 ransomware groups targeting industrial sectors, including new and rebranded entities like APT73 linked to LockBit remnants. Key attacks include CDK Global paying $25 million to BlackSuit and Halliburton losing $35 million to RansomHub. Groups increasingly exploit VPN
Starting point is 00:10:57 vulnerabilities, bypass MFA, and target virtual environments like VMware ESXi. The use of initial access brokers in ransomware-as-a-service models has grown, enabling scalable operations. Tactics such as living off the land, advanced persistence, and custom malware highlight evolving threats. Ukrainian national Mark Sokolovsky was sentenced to 60 months in prison for his role in distributing the Raccoon InfoStealer malware. Operating under a malware-as-a-service model, Sokolovsky charged $200 per month in cryptocurrency for access to the malware, enabling threat actors to steal credentials, financial data, and personal information via phishing campaigns. The stolen data fueled financial fraud and was sold on criminal forums. After dismantling Raccoon's infrastructure in 2022, the FBI recovered over 50 million stolen credentials. Sokolovsky will also pay $910,000 in restitution.
Starting point is 00:12:07 Elsewhere, Romanian national Daniel Christian Hulea, age 30, was sentenced to 20 years in prison for his role in NetWalker ransomware attacks, targeting healthcare, education, law enforcement, and government sectors. Operating under a ransomware-as-a-service model, Hulea extorted victims during the COVID-19 pandemic, collecting $21.5 million in Bitcoin and using proceeds for luxury investments. U.S. and Romanian authorities collaborated to arrest and extradite Hulea in 2023. This case underscores the commitment to combating ransomware, with the DOJ emphasizing the need for strong cybersecurity defenses. Coming up after the break, a fond farewell to our colleague Rick Howard and the LockBit gang teases what's yet to come. Stay with us.
Starting point is 00:13:25 Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
Starting point is 00:13:49 across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Starting point is 00:14:31 And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. We have a special segment for you today.
Starting point is 00:15:17 Break out your Kleenex as we share a fond farewell to N2K's CSO and our CSO Perspectives host, Rick Howard. My name is Liz Stokes, and while I'm not tucked away in the fabled depths of the CyberWire's secret sanctum sanctorum, rumored to be somewhere underwater along the Patapsco River near the Baltimore Harbor, I am here reaching out to you, our listeners, to join us for our heartfelt farewell. Today we say goodbye to a dear friend and one of the true legends here at N2K CyberWire, Rick Howard, who's finally ready to swap out his endless collection of hats for an adventure called
Starting point is 00:16:06 retirement. This is our chance to look back and share just how much Rick has meant to all of us over the years. So sit back, relax, and join us in celebrating this incredible man and all the laughter, stories, and memories he's given us. We'll start off with an introduction. My name is Rick Howard, and officially, I have three titles. Chief Security Officer, Chief Analyst, and Senior Fellow at the Cyber Wire. Unofficially, I'm an amateur geek, professional kibitzer, and a general purpose security wonk. Now that we all know who he is, we're here to celebrate a milestone, a bittersweet one at that. Our friend and colleague Rick Howard is hanging up his cybersecurity cape and stepping
Starting point is 00:16:52 into a well-deserved retirement. It's hard to imagine the Cyber Wire without Rick, but if there's one thing we know for sure, it's that his legacy will live on in everything we do. Rick, you've been the heart and soul of this team, guiding us with your wisdom, your wit, and of course, your endless Marvel references. We've shared some unforgettable moments and had plenty of laughs along the way. Like you trying to break it down
Starting point is 00:17:19 for some of us less techie folks. If I were to put all the authentication methods as rest stops on a hundred mile road between the two great cities of, oh my God, this is not secure at all, to Nirvana, we've solved security, the user ID password pair rest stop would be just a mile out of OMG, just slightly better than having no credentials at all. The email verification rest stop would be about 25 miles out on this journey. Or this one, where you so graciously add some sports humor to this
Starting point is 00:17:51 teachable moment. I'm going to try my hand at a sports metaphor, so bear with me. This past summer, the coach at my local high school football team, the mighty West Springfield Spartans, put a call out to the local fans. He needed volunteers to film his opponent's teams in the upcoming season. I enlisted with a cackle of tech dads to film one of the competitors. By tech dads, I mean we all came from the tech sector and didn't necessarily know anything specific about the sport of football. And yes, I realized that cackle is normally reserved for a group of hyenas, but I thought it was appropriate for this group of wisecracking dads. Anyway, we attended a South County Stallions game
Starting point is 00:18:31 and filmed the plays we thought were pertinent. Later, we got a slightly miffed email from the coach wondering where the rest of the film was. It turns out that he wanted both sides of the game filmed, the Stallions' offense and defense, whereas our cackle thought the important stuff was just the Stallions' offense. It might have had something to do with the amount of beer consumed, but I'm going to plead the fifth on that one. And at this point, you should be asking yourself, what exactly does Rick's cackle adventure have to do with XDR? Well, sports and InfoSec are similar in at least one respect. Collecting all the data available, as opposed to collecting the most obvious data or the easiest, will improve your chances of defeating the
Starting point is 00:19:10 adversary. It wasn't just the laughs, though. Rick had a unique way of weaving his love for superheroes and other nerdy classics into anything we were working on, whether it was Iron Man or Benedict Cumberbatch and his favorite movie, The Imitation Game. Rick, you somehow made Marvel relevant to cybersecurity. I mean, who else could do that? In the Marvel Studios classic Avengers, Infinity War, released in 2018, Iron Man, played by Robert Downey Jr., Star-Lord, played by Chris Pratt,
Starting point is 00:19:44 and Doctor Strange, played by Benedict Cumberbatch, discuss the plan to defeat Thanos. Doctor Strange uses the Time Stone to move forward in time to view all of the potential outcomes of the upcoming battle. By doing this, he becomes the first superhero to use a Monte Carlo simulation in film. I've been binge-watching Marvel's Agents of S.H.I.E.L.D. over at Disney Plus for the last month or so. I have to say, if you're a Marvel fan or a science fiction fan or even just a super spy fan, this little TV show that ran on ABC from 2013 to 2020 is really quite good. Created by Joss Whedon of Buffy the Vampire Slayer, Firefly, and The Avengers fame, the production values are really quite high for a TV show created almost 10 years ago.
Starting point is 00:20:30 And it's the perfect mindless entertainment I've been craving during the pandemic. My clip this week comes from the 2014 movie The Imitation Game. Have you seen it, Dave? No, I'm not familiar with that one. Oh, this is one of my all-time favorites. It's directed by Morten Tyldum, and he's probably most famous to our audience for the Netflix TV series Tom Clancy's Jack Ryan. The movie stars Benedict Cumberbatch, most famous for the excellent BBC TV series Sherlock, and the six-year and six-movie run in the Marvel Cinematic Universe playing Doctor Strange.
Starting point is 00:21:08 Yeah, that's probably where I knew him best. Yeah, that's where he gets his most fame from, I guess. Right. But in this scene, he's playing one of my all-time computer science heroes, the inspirational Alan Turing. And, of course, the list goes on and on and on. But beyond the humor and pop culture, Rick was a constant source of knowledge.
Starting point is 00:21:34 Every day with him was a chance to learn something new. Whether it was the latest threat actor or the next big cybersecurity trend, Rick made sure we were always on our toes, always understanding the cybersecurity field in ways that just made sense. When we first started doing this podcast back in 2020, the intrusion kill chain prevention strategy was one of the first topics we covered. In 2022, we covered it again. And of course, when we published the first principles book back in 2023,
Starting point is 00:22:06 Of course, when we published the first principles book back in 2023, I dedicated chapter four to the idea. In the book and the podcast, I made the case about why these three research efforts should be considered collectively and not separately. They are three significant elements coming together. One is a strategy document, the Lockheed Martin paper. One is an operational construct for defensive action, the MITRE framework, and one is a methodology for cyber threat intelligence teams, the Diamond Model. You don't choose one model over the other. All of these models work in conjunction with each other. To be clear, though, there wasn't a lot of collaboration between the research groups. The Lockheed Martin people weren't saying, hey, we're doing the strategic piece, DOD, you work on the intelligence piece, and MITRE, you build an intelligence wiki.
Starting point is 00:22:48 No, different parts of the InfoSec profession were all thinking along the same lines, working independently, and coming to different conclusions. The difference between coming straight through the firewall and using a VPN can be found at Layer 3 of the TCP/IP stack, the network layer. With a VPN, the client establishes a secure tunnel, an encrypted path at Layer 3 to the VPN server on the inside of the perimeter. Think of coming straight through the firewall as akin to walking through the front door of your office building. As you badge in with a card reader and work your way through the security checkpoint, everybody can see what you're doing. With a VPN, though, it's like you're in a Star Trek TV show. You walk into a transporter room on the outside of the firewall and pop out on the inside of the firewall,
Starting point is 00:23:33 completely bypassing any security. Rick, you're not just an incredible colleague. You're an amazing person. Your passion for cybersecurity is infectious, and your commitment to this field has inspired so many. We've been lucky to have you, and we know the entire cybersecurity community feels the same way. You will be missed, not just for your expertise,
Starting point is 00:23:59 but for your kindness, your humor, and the way you make us all feel a part of something bigger. One of the things I like about the cybersecurity field is this profession is more than just the business bringing money in. You actually have a mission that is trying to prevent bad things from happening to good people. That's why I hope I remember that we gave that a shot. I may have been successful, may not have, but we certainly were trying, and I hope people remember that. From everyone here at N2K Networks,
Starting point is 00:24:30 we just want to say thank you, Rick. Thank you for the laughs, the lessons, and the countless memories. Enjoy your retirement. You've earned it. We'll miss you more than words can say, but some of us would at least like to try. I really don't know what to say other than I'm really going to miss my first N2K buddy. It's definitely going to be a lot less exciting without Rick Howard's booming voice coming over through walls, doors, podcast speakers everywhere. Well, Rick, you know what they say. Old CSOs, they never die.
Starting point is 00:25:08 They only fade away. But you will never fade away. You are always in our hearts. Best of luck. We'll miss you. And can't wait to run into you back on the baseball field of Moneyball. This is Alice Carruth wishing Rick Howard
Starting point is 00:25:20 a very happy retirement. I'm sure you're going to find something to keep you occupied with your time. Now you've got a lot of it back. Rick Howard, I am going to miss you very, very much. I know you'll still be around because I always need book recommendations. And don't worry, you're not going to be too far. Who am I going to go have lunch and talk all Star Trek things with in the future? I'm going to miss you so much. And I promise you, I am going to go watch Serenity and Firefly.
Starting point is 00:25:48 Just wanted to pop in really quick and say, it's been an honor working with you. One of my favorite, favorite memories of my professional career, honestly, is brainstorming CSO perspectives in its infancy with you and slowly watching you turn that show from just an idea into something truly special. I've absolutely loved working with you and don't be a stranger.
Starting point is 00:26:11 Hey Rick, this is Peter. I just wanted to let you know I'm incredibly grateful for all the things that you've brought to our little company. It's been a joy working with you. You brought a lot of value to what we do and made this place a happier place to work. Wishing you well on your retirement. I hope you keep in touch. Take care. Hey, Rick, this is Tim. We're going to miss you. Good luck with retirement. Hey, Rick, it's Maria Varmazis here. I wish you all the best in your retirement. Thank you so much for all your years of guidance and your cranky insights. Hey, Rick, it's Ethan.
Starting point is 00:26:47 It was a pleasure working with you, designing those courses. Have a great retirement. Look forward to hearing all about it. Thank you, man. Wish you the best on your future endeavors, whatever that may be. I know you're going into retirement, so just keep back and enjoy, man. Rick, what can I say that hasn't already been said? You were one of the first people that I interviewed when you were still at Palo Alto Networks and I was just starting
Starting point is 00:27:09 my job here at the Cyber Wire and how thrilling it's been that you joined our team and we've been able to do so many amazing things together. I'm going to miss you, man, but I wish you the best in all of your future endeavors. Hey, Rick, it's Bennett. I wish I could say that it's been a pleasure and an honor working with you. Oh, wait, I can. It has been. Really, truly, it's been an honor working with you and learning from you. And the content that you've created over these years working with us as a team will live on for many years. Hey, Rick, it's Emily. Happy retirement. It's been wonderful working with you for these last two years and getting to see you in your element. Let me know if you ever want to head
Starting point is 00:27:48 over to Silverado for lunch anytime. But enjoy the retirement. This is Brandon Karpf, and Rick, thank you so much for teaching us that the first principle of cybersecurity is we must reduce the probability of material impact due to a cyber event in the next
Starting point is 00:28:04 two to three years. I'm very excited for your retirement, mostly because I'm just tired of fixing your math mistakes. Thank you, Rick Howard, for everything. You've made an indelible mark on all of us and will carry your legacy forward. Wishing you all the best in your next chapter. I want to personally thank Rick for always being so welcoming when I was brand new to the cybersecurity industry. I've learned a lot from Rick and wish him nothing but the best in all of his future endeavors.
Starting point is 00:29:04 You're going to be missed, my friend. Best wishes. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe
Starting point is 00:29:54 and compliant. And finally, after a rough year of takedowns and turmoil, the LockBit ransomware gang seems to be revving its engines for a big comeback with LockBit 4.0. Announced by the group's spokesperson, LockBitSupp, the new version promises wannabe cybercriminals a pen-tester billionaire journey, complete with Lamborghinis and girls. The gang is clearly aiming to recapture its former glory after Operation Cronos in February 2024 dismantled much of their infrastructure and exposed 7,000 decryption keys. LockBit has a notorious past, evolving through various versions since 2019, but even with leaks and arrests, like Israeli developer Rostislav Panev,
Starting point is 00:30:57 who allegedly pocketed $230,000, the group remains persistent. While LockBit 4.0 is set to debut in February 2025, researchers are already dissecting samples. Whether this relaunch makes LockBit a cyber criminal kingpin again, or just a flash in the pan, remains to be seen. Either way, buckle up. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Well, folks, it's that time of year. The N2K CyberWire team is getting ready to settle down into our long winter's nap. We'll be taking a publishing break starting on Tuesday, December 24th through Wednesday, January 1st. Fret not, while we are out, we've got some fun surprises planned
Starting point is 00:32:03 for you in your podcast feeds. If you've got some downtime or want to pop those AirPods in and not engage in any more family togetherness, head over to your favorite podcast app and check out our goodies. We'll emerge from our nap on January 2nd. See you there. Be sure to check out this weekend's Research Saturday and my conversation with Adam Khan, VP of Security Operations at Barracuda. We're discussing their research, the evolving use of QR codes in phishing attacks.
Starting point is 00:32:34 That's Research Saturday. Check it out. This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf.
Starting point is 00:32:48 Simone Petrella is our president. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week. Thank you.
