CyberWire Daily - Updates on Russia’s hybrid war. Transparent Tribe is back, with cyberespionage. A Trojanized version of Super Mario is out, and law enforcement seizes BreachForum’s domain.
Episode Date: June 26, 2023

Russian ISPs blocked Google News as tension with the Wagner Group mounted Friday. Ukrainian hacktivist auxiliaries break into Russian radio broadcasts. New EU sanctions are directed against Russian IT firms. Transparent Tribe resurfaces against Indian military and academic targets. Unauthorized access is the leading cause of data breaches for the fifth year in a row. Trojanized Super Mario Brothers game spreads SupremeBot malware. Today, guests discuss the cybersecurity skills gap. Paul Rebasti of Lockheed Martin shares what they are doing to fill the cybersecurity skills gap. Jenny Brinkley joins us from AWS re:Inforce to discuss opportunities from the cybersecurity skills gap. And law enforcement agencies seize BreachForums' web domain.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/121

Selected reading.
Ukraine at D+487: After the march on Moscow. (CyberWire)
Ukraine at D+486: The march on Moscow is over. (CyberWire)
Ukraine at D+485: “We are dying for the Russian people.” (CyberWire)
U.S. spies learned in mid-June Prigozhin was planning armed action in Russia (Washington Post)
Google News Blocked in Russia as Feud With Mercenary Leader Intensifies (New York Times)
Air War: Pro-Ukraine Hackers Increasingly Breaking Into Russian Broadcasts With Anti-Kremlin Messages (RadioFreeEurope/RadioLiberty)
Fresh EU sanctions hit Russian IT firms (Computing)
Pakistan based hackers target Indian Army, education sector in new cyber attack (Telangana Today)
Pakistan-based hackers target Indian Army, education sector in new cyber attack (PGURUS)
‘Transparent Tribe’ comes out of hiding (Pune Times Mirror)
2023 ForgeRock Identity Breach Report (ForgeRock)
Trojanized Super Mario Game Installer Spreads SupremeBot Malware (Cyble)
Trojanized Super Mario game used to install Windows malware (BleepingComputer)
FBI seizes BreachForums after arresting its owner Pompompurin in March (BleepingComputer)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout. That's joindeleteme.com/n2k, code n2k.
Russian ISPs blocked Google News as tension with the Wagner Group mounted.
Ukrainian hacktivist auxiliaries break into Russian radio broadcasts.
New EU sanctions are directed against Russian IT firms.
Transparent Tribe resurfaces against Indian military and academic targets.
Unauthorized access continues to be the leading cause of data breaches.
A Trojanized Super Mario Brothers game spreads malware.
Rick Howard speaks with Director of Amazon Security Jenny Brinkley.
Paul Rebasti of Lockheed Martin describes the CodeQuest competition.
And law enforcement agencies seize the web domain of BreachForums.
I'm Dave Bittner with your CyberWire Intel briefing for Monday, June 26th, 2023.
Internet observatory NetBlocks found that five Russian ISPs blocked Google News on Friday as tensions between the Wagner Group and the Ministry of Defense rose during the run-up to the Wagnerites' abortive march on Moscow.
Google News has been blocked before, the New York Times observes,
most prominently in March of 2022,
when Roskomnadzor announced an interdict of the service
after Google blocked some online content that spread disinformation
in support of Russia's war against Ukraine.
The Wagner Group's march on Moscow may have been abandoned yesterday, but internal tensions remain high.
Expect information operations to remain prominent in coming days,
and see the coverage on thecyberwire.com for daily updates on the hybrid war in Ukraine.
Radio Free Europe/Radio Liberty reports that Ukrainian operators have increasingly hacked into Russian radio broadcasts to insert pro-Ukrainian messages.
When the current wave began in early June,
the message was that Russia had declared full mobilization and martial law
in response to a large-scale invasion of Russia.
Outrageous as they were, the messages gained enough traction to draw an official denial from Kremlin spokesman Dmitry Peskov.
Computing reports that the 11th round of European Union sanctions enacted against Russia will hit that country's IT sector particularly hard. The European Council
singled out companies holding a license from the FSB, authorizing them to work at the Russian
security level of state secret, as well as companies holding a weapons and military equipment
license from Russia's Ministry of Industry and Trade. It's not just their work on conventional
military systems that puts them on
the EU's list. The Council has also assessed that information warfare constitutes a key means by
which Russia implements its war of aggression against Ukraine and commits gross violations
of international law and the principles of the Charter of the United Nations.
SideCopy, a subdivision of the Pakistan-aligned threat actor Transparent Tribe, is targeting the Indian Army and India's education sector.
Researchers at Seqrite said in their report on the activity, "there are three infection chains with themes utilized: DRDO's Invitation Proforma, which is part of its defense procurement procedure, a honey trap lure, and also the Indian military with selection of officers for foreign assignments theme."
The ongoing campaign came to light after a senior DRDO scientist was arrested for leaking sensitive information to Pakistani agents who honey-trapped him.
ForgeRock's 2023 Identity Breach Report was released on June 22, and it shows that at least
1.5 billion user records were exposed in 2022. 53% of all breaches that occurred in 2022 were
from third-party organizations and cost on average $9.4 million per breach.
Unauthorized access, responsible for 49% of the data breaches, was determined to be the leading
cause of breaches for the fifth consecutive year. Ransomware, however, at 34% is on the rise.
ForgeRock blames companies' misconfiguration of cloud services, firewalls, and human error as the main factors contributing to the breaches.
The healthcare industry seems to have been the most heavily affected in 2022,
showing a 12% increase from 2021's attacks,
with education and financial services in second and third place, respectively.
ForgeRock says this mirrors the headlines
regarding data breaches. One sector the report calls out is insurance. They say, despite being
a highly regulated part of the financial services sector, the insurance industry is increasingly
being targeted by cybercriminals. They exploit the vast amounts of PII stored in outdated systems, the lack of user training, and the slow adoption of strong authentication.
In 2022, while attacks on the financial services sector decreased by 28.6% compared to the previous year, nearly half of all breaches at 47% affected the insurance industry.
ForgeRock also found that generative AI was a leading factor in allowing threat actors to create higher-quality phishing schemes
and other forms of social engineering like malicious voice and video impressions.
To counter this rise in data breaches,
ForgeRock recommends that along with implementing passwordless authentication
and implementing a zero-trust framework, companies should leverage AI and intelligent decisioning for all identities
across the identity lifecycle. Ultimately, as the use of generative AI in malicious attacks grows,
the ability of a customer or employee to detect such attacks shrinks. Using AI as a defensive measure for pattern recognition and incident response
may offer some promise in protecting accounts.
A Trojanized version of the Super Mario game installer is being used to deliver an XMR crypto miner, the SupremeBot mining client, and the Umbral stealer, according to researchers at Cyble. The researchers explain,
threat actors use game installers to spread various malware because games have a wide user
base, and users generally trust game installers as legitimate software. The social engineering
tactics that threat actors use exploit users' trust
and entice them to download and run malicious game installers.
The large file size and the game's complexity provide threat actors opportunities to hide malware within them.
The researchers add,
This incident highlights another reason threat actors utilize game installers as a delivery mechanism.
The powerful hardware commonly associated with gaming provides valuable computing power for mining cryptocurrencies.
So, you might say it's just cryptojacking, but that can mean game over for your device's resources, like being snuffled up by a bunch of Koopa Troopas.
And finally, here's one more story with a gamer reference.
Three months after apprehending alleged BreachForums impresario Pompompurin, whose real name is Conor Fitzpatrick, on a range of cybercrime charges, U.S. authorities have seized the illicit service's web domain. As is customary in such
takedowns, the domain now displays a banner saying that the site is under new management,
specifically the FBI, the Office of Inspector General at the Department of Health and Human
Services, and the Department of Justice, acting under a warrant issued by the U.S. District Court
for the Eastern District of Virginia.
The action against BreachForums was both interagency and international.
The Bureau shares credit for the operation with the U.S. Secret Service,
Homeland Security Investigations, the New York Police Department,
the U.S. Postal Inspection Service, the Dutch National Police,
the Australian Federal Police, the UK National Crime Agency, and Police Scotland.
Bleeping Computer points out that the Bureau did a bit of visual crowing.
The image of Pompompurin, a golden retriever from the Hello Kitty universe that graced the site, now sports a pair of handcuffs.
Coming up after the break, Rick Howard speaks with Director of Amazon Security Jenny Brinkley. Paul Rebasti of Lockheed Martin describes the CodeQuest competition. Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI. Now that's a new way
to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already been breached. Protect your executives
and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Paul Rebasti is Program Director for Cyber and Intelligence within Lockheed Martin's Rotary and Mission Systems. He's also executive sponsor within Lockheed Martin of an event called CodeQuest, which gathers high school students for competitive coding challenges.
2023 was our 11th annual CodeQuest.
It's actually a worldwide event.
We have more than 19 sites that participate worldwide.
I am the exec sponsor for the Hanover, Maryland site.
Across the world, though, we have over 1,500 students that participate.
And basically, it's a competition, right?
So it's a high school level competition where teams of two to three, and we try to really push for and get a
fair amount of schools across the areas that are participating. We max it out as two teams per
school just so we can ensure that we're getting good representation
across. And basically, it's a three-hour competition. They work through somewhere in
the neighborhood of 20 to 30, depending on how quickly they can get through some of these
challenging problems that are put together through and by sort of Lockheed engineers
that are working day-to-day problems. And it allows the students and a sponsor, usually a teacher sponsor from either a teacher of an
individual class or sometimes the moderator of a club. The students go off and participate
in a couple-hour session. And then in addition, we actually give those moderators slash teachers some additional tool sets and opportunities to work with Lockheed to further enrich what they're teaching their students.
So it's great.
It's certainly a competition.
We certainly have winners, hand out prizes, trophies for all.
But in reality, in my mind, the real benefit is not the winning. It's the participation by the broad number of, within the Hanover site,
had a number of new teams that had never participated before. And that's exciting,
right? Because you're exposing it to folks who may not have had that level of understanding of,
hey, what would it mean to be in this type of job 10 years from now?
And my understanding is that this is a bit of a family affair for you, that your
daughter is participating as well? Yeah, so that was really sort of the way things worked out.
I'm pretty proud of this. So my daughter, she's a junior now at Fallston High School, which is
in Harford County in Maryland. She took AP Computer Science as a freshman. Actually, my son took AP Computer Science this year as a freshman, my son, Finn. To me, those,
as I told them, good class to take. Even if it's not something you may go into, it's going to be
a foundational course that you really want to understand. And so Addie took that freshman year.
And then she has a lot of interest, but this past year, her junior year,
she said, you know what? There's really no outlet for our school here in terms of just classwork,
but really a club environment to work on this. So she's founded Girls Who Code within the high school. And this is the first year they've done it.
The teacher who is the computer science lead
for the high school is a personal friend of mine,
Jen Canatella.
And Jen is the sponsor for it.
Addie and Jen worked together
and got the charter taken care of.
And they're 12 to 15 strong now.
And despite the name,
they have both boys and girls who participate in it,
majority girls, but both boys and girls participating in the club.
And they then, this past year, as I mentioned, there were some new teams.
Two of those new teams that participate in Code Quest this year
came from Fallston High School.
So it was certainly the first participants we've had in the 11 years,
and it was also the first participants out of a Harford County high school.
So that expansion and growth that, you know, I talked about and it's important to me sort of came full circle.
And, you know, my daughter got involved and was something I certainly was pretty proud of as that team and those teams participated.
Yeah, that's terrific.
So what does Lockheed Martin get out of their participation here? Is there a pipeline for potential employees?
Yeah, so we, in general, I think this is a really, really critical and important
focus for Lockheed. There's, of of course a pipeline. And we do many things above
just CodeQuest. There's another competition called CyberQuest. We do a number of other
things that really focus on that outreach into the community to build those pipelines. So out of the
CodeQuest and CyberQuest, that's usually where we pull our internships. So we have both high
school internships, and then we have college internships as well. And those high school
internships come from those events, right? We identify folks who have an interest in those
events. And we've had in the past few years, again, just within the Hanover site, one site,
you know, 15 to 20 interns every year. And a number of those interns, you know, we've been doing it for a few years.
As I said, I've been, I think I mentioned I've been doing it for five years as the exec sponsor.
And a number of those interns have now turned into full-time employees.
So we had a great story where one of those, Beth turned, Beth was an internship.
Beth Mosing was an intern, had an internship with us. She then
became a full-time employee. And this past year, I mean, she does such a good job.
She went out and presented at an industry event for us, even though she's relatively early career
and really did a great job and got lots of kudos from the event. So the fact that we can nurture and really sort of help have some focus
for folks that have an interest in this
and then lead them into,
obviously it's a benefit for us
if we've seen the good work
they've done throughout internships
for four or five years,
and all of a sudden now they're ready to come on
and join the workforce.
That's great for us.
Again, we have, there's, as I mentioned,
there's lots of openings
and we want to be able to fill those
with folks that we've mentored and know.
I mean, that's an added bonus for us, sir.
That's Paul Rebasti from Lockheed Martin.
In our continuing series of interviews Rick Howard gathered at the recent AWS re:Inforce conference,
Rick speaks with Director of Amazon Security, Jenny Brinkley.
The Cyber Wire is an Amazon Web Services media partner,
and in June 2023, Jen Eiben, the Cyber Wire senior producer, and I traveled to the magical world of
Disneyland in Anaheim, California to attend their AWS re:Inforce conference and talk with senior AWS
leaders about the latest developments in securing the Amazon cloud. I got to sit down with Jenny Brinkley, a director at Amazon Security.
Before coming to work for Amazon, she was the co-founder at a company called Harvest.ai
that used machine learning techniques for behavioral analytic services
that Amazon eventually acquired about seven years ago.
I started out by asking Jenny how she decided to create a startup around AI.
Yeah, where all my friends looked at me and said, how did you get into a security job?
So at the startup, I did everything but code. So coming up with how we would go to market,
how we should be building the service, working with customers on what their needs were for data
loss prevention at scale, and how to think about user behavioral analytics when this was the hot
topic on how it could be applied within their business related to cloud-based companies.
So talk to me about that because I always thought that was going to be the big win for machine learning,
that we would be able to take that kind of information,
throw it into some machine learning algorithm, and find bad guys.
But it hasn't really worked out that well, right?
It's cost. It's compute cost.
And so that's where you're starting to see this really interesting sweet spot where things are starting to evolve because those compute costs are starting to come down.
Because when you think about the ingestion of a massive corpus of data and all that data classification that needs to happen, that's where you see where the industry is headed, because the compute costs are coming down, the training models are getting more sophisticated, and you're getting better user interfaces
on how to train and use a model to have the right outcomes depending on what you're trying to solve
for whatever thing you're trying to work on.
So your big passionate topic is how do we solve, at least one of your big passionate topics,
is how do you solve the training gap that we've been talking about for a decade, right?
What's the current take?
What's the current situation?
Are we getting better?
Are we getting worse?
What's going on there?
So much opportunity, right?
Opportunity.
I love your positives.
Have to.
I mean, I am all about, you know,
I work in an industry where there's two sides to it.
You know, there's some people that like to work
in the fear, uncertainty, and doubt space. I like to be in the space where anything's possible. And that's how my brain
operates. I'm a deep optimist at the end of the day. I couldn't tell. Really? Does it not come
across as I speak? So what I love about what I get to do is, is experiment and try different ways to
bring people into security careers because it completely changed my life. Like in terms of, I've always cared about people. I've always cared about protecting people and
helping people, but I never really knew how to apply some of those skills. So if you can find
people that are mission centric, that care, have empathy, want to help and get them into these
types of security careers, it completely evolved the way that your life can change. I mean, these are multi-generational wealth type roles for some
people, bring people up above the poverty line. That's where I spend a lot of my time is the
diversification of trying to find people that can get into these types of jobs and get them to on
these paths for these jobs of the future. Well, that's the problem we've had for over a decade.
Not only are we not, can't find the people that do it,
and we can talk about why that is, right?
But then when we do find the people,
it's not diverse at all, right?
We don't find women and we don't find minorities.
And I'm hoping you're going to tell me there's,
we have a better, we're on a better path.
What are you going to tell me, Mrs. Optimism?
I love that.
I'll take Mrs. Optimism.
You know, it's about small acts. I was asked this morning about, you know, let's talk about diversity and security and what's happening.
And I think that a lot of people go out and make these big grand statements. We're going to invest
X amount of dollars to create X amount of programs. It's going to then, you know, turn X amount of
security engineers. But we're not really seeing that pipeline develop
the way that it probably could be developing.
And so it's taking small little moments
and taking small steps like sponsorship,
developing opportunities for people to be,
and why am I blanking on the word
when someone is learning from another person?
Mentorship.
Well, apprenticeship.
Okay.
Which is a big thing that we do internally at Amazon
is we actually build apprenticeship programs
for individuals that want to get in security careers.
But a lot of it is just awareness.
People don't know that these jobs are available
or they think that it's too hard.
In fact, I had somebody today,
an AV person that was helping me mic up for a session
who after our session, we were talking
about education and awareness and job opportunities. I want to learn about pen testing. How do I do it?
So I think it's giving people just some ideas about what's possible, the different types of
roles that are available, the ways to get into the industry, removing those barriers and letting
people know what the opportunities really can look like. And that's where I get to spend a lot of my time.
My problem with all that is we've known about those things
and we've been doing those things
and it doesn't seem to be working.
It doesn't scale, okay?
We have individual successes, like you said, start small,
but we don't need 10 more people.
We need thousands of people.
So how do we address that kind of a thing?
I mean, I think it starts at the top of a company.
I think you're right.
And I think that it's about the prioritization of where security fits within someone's ecosystem,
how they invest, where they spend the time, how to ensure that you're doing the right things.
And I'm very lucky because of who I get to work for. I mean, Steve Schmidt, who's my boss,
has been my boss now for the past four years. He's chief security officer of Amazon now.
So when he talks about the investment of security
and where it should exist
and how it should be fundamental to everything we do,
he sets the tone.
So setting the tone, create that security first mindset.
We need every single company to set that tone.
Security matters.
We need to invest.
We need to find the right people.
We need to create these job opportunities and then putting programs in place that actually make a difference. I think
that's the issue. People don't know where to start or where to go. So if you have somebody at the top
saying security is our top priority, this is why, this is how, this is what we do, that's the
narrative that needs to change. I think one of the issues though is that we keep trying to solve the
problem that we've known about for over a decade the same way.
We insist that we need somebody with 17 years of experience and 25 certs.
And I've said many times today, and we want to pay them $1.50 an hour.
No wonder we have a shortage.
I'm wondering if we could raise that up.
Because in my experience, when we hire cybersecurity people, we never think about the team.
We really think about the individual. Like, we want you to go get another certification.
And it's not really improving the team that much. And if you make that individual a superstar or a
unicorn or whatever you want to call them, there's a really good chance that Amazon's going to pick
them off and bring them into your organization because they're so good now. I'm wondering if
we can think differently about this.
Train as the team for skills that you miss.
Kind of a money ball operation for your cybersecurity team.
And if you could do that,
then you can do what Billy Beane did in the Oakland A's, which is hire cheaper players who have no experience,
but you can train them on the two or three skills
that you have and turn them into a team player as opposed to looking for the superstars. I'm wondering what you think about
that. I kind of dig that idea. I will say that we have been changing the ways that we hire.
Like we don't go at it from a perspective of you need this degree, these certs. It's actually about
curiosity about how things work. That's true. Yeah. And how we've been writing our job descriptions
and how we go through and we interview people and how we're developing different ways
that we attract talent
and how we retain talent to stay.
But my goal isn't just to hire for Amazon.
My goal is to really figure out
how can we help every single individual
that wants to build on the cloud
and have a world-class security team
and how to build it right
and what kind of programs they can put in place.
And so some of the things that we're working through now
are how we start externalizing more of those internal programs.
That's The Cyber Wire's Rick Howard
speaking with Director of Amazon Security, Jenny Brinkley.
Cyber threats are evolving every second. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
Don't forget to check out
the Grumpy Old Geeks podcast,
where I contribute
to a regular segment
with Jason and Brian
on their show
for a lively discussion
every week.
You can find Grumpy Old Geeks
where all the fine podcasts
are listed.
We'd love to know
what you think of this podcast.
You can email us
at cyberwire@n2k.com.
Your feedback helps us ensure
we're delivering the information
and insights
that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like The Cyber Wire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector,
as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law
enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest
investment, your people. We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Trey Hester, with original music by Elliot Peltzman.
The show was written by the CyberWire's editorial team.
Our executive editor is Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
needs AI solutions that are not only ambitious, but also practical and adaptable. That's where
Domo's AI and data products platform comes in. With Domo, you can channel AI and data into
innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate
your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.