
Brett Conlan
From the CISO series, it's cybersecurity headlines.
Rich Strofolino
DNA firm holding highly sensitive data vanishes without warning. 1, 2, 3, 4, 5, 6 tops the list of the most popular passwords again. And Strela Stealer malware reappears with stolen emails. These are some of the stories that my colleagues and I have selected from this past week's cybersecurity headlines. And now we're ready for some insight, some opinion and most definitely some expertise from our returning guest, Brett Conlan, the CISO over at American Century Investments. Brett, it's your fourth time on the show. Thank you so much for being here. I gotta ask before we jump into the news, how was your week in cybersecurity?
Brett Conlan
Yeah, thank you for having me. It's always great to be on the show. I'm excited about everything we're about to talk about. This might be one of the most interesting weeks that I've been able to be a part of. So great week so far. I'm getting to go to the foxhole here after this where a group of CISOs and I get together and talk about what's going on. And then also I think we have a first-time listener in Kelly Gifford. So she's a fellow Swiftie and she's super excited about being part of this.
Rich Strofolino
Well, glad to have some new folks along. I hope you enjoy the show. And Brett's on so we're going to have a great time. Another reason we're going to have a great time is because of our sponsor for today. That's ThreatLocker Zero Trust Endpoint Protection Platform. Remember to join us on YouTube Live. To do so, go to cisoseries.com, hit the events dropdown, look for the Cybersecurity Headlines Week in Review image. You got to join us live because that way you can get in and contribute in our chat. It's on YouTube. It's on LinkedIn too. If you find the stream on LinkedIn, you're more than welcome to do comments there. We will see them, bring them up and do our best to address them during the show. We've just got about 20 minutes, so let's get started. Before we do, just a quick disclaimer that Brett's opinions are his own and not necessarily those of his employer. Just keep that in mind and we'll jump right into the news. First up here, good old 1, 2, 3, 4, 5, 6 tops the list of the most popular passwords again. NordPass, makers of the password manager and sister company of NordVPN, announced its list of the 200 most common passwords. They drew up their list from a 2.5 terabyte database of passwords and showed that people are still really bad at choosing hard-to-crack passwords. The list contains variations of that numeric sequence and the old QWERTY theme, as well as single-word passwords like password and secret, things you might have heard in the movie Hackers, all of which can be cracked in less than a second. The company says there really hasn't been any improvement over the last six years. So, Brett, why have people not improved their password hygiene despite all the warnings? Maybe many have, but certainly we see that this is still extraordinarily common and we know it only takes one bad password to kind of spoil the bunch here. I'm curious what's missing that would help people practice better cyber hygiene here?
Brett Conlan
Yeah, I, you know, I want to be surprised, but I'm not. Right. The reason people haven't improved their password hygiene despite repeated warnings, it boils down to a few things, right? Convenience over security. Strong passwords are hard to remember, so people default to easy, common passwords out of habit. There's a lack of awareness. They don't fully understand the risks. It's hard to make it concrete to them. And how breaches can lead to account takeovers and identity theft. There's a limited adoption of better tools. Password managers, multifactor, they're not universal and it leaves a lot of people with weak passwords. Corporate responsibility. Many companies still don't enforce the strong password policies and it's making it easier for employees to slip into bad habits. So if we're going to improve, we need better education, we need to make it more accessible tools that allow us to create those passwords and then enforce the policies on the corporate level to make strong passwords easier to use and more convenient to everyone. So if we get a mix of that better technology adoption, more awareness campaigns, and then stronger enforcement, I think it's going to make good security habits more convenient and accessible.
Rich Strofolino
Yeah, we've seen, I think, some of the recent changes from NIST in terms of their password recommendations. Obviously, if you're using 1, 2, 3, 4, 5, 6, you don't probably know who NIST is. But seeing that in terms of making it easier to adopt stronger passwords in the workplace at least those are the kind of small steps we need. And ultimately, I know a lot of people argue that, hey, passkeys are coming into vogue now. They're becoming readily available on most major platforms now. And the key to better password hygiene is to not have passwords anymore. Does that hold water for you, Brett?
Brett Conlan
It does. I mean, I think you have to have a strategy to get there, but that's something we're definitely looking at. And how can we go passwordless? I have to go change my password now because Kevin just gave it away to everybody on the YouTube channel. But he's right. I mean, you know, I just was hoping he wouldn't share my password with.
Rich Strofolino
Everybody, but, yeah, Kevin, be cool. Come on, we're all friends here.
Brett Conlan
Yeah, Kevin, let me get off this before you share with everybody.
Rich Strofolino
All right, our next story here. Secure by design hits six month mark. Progress being made. Secure by Design includes a pledge from software companies to the Biden administration and their own customers that they would adopt seven key digital security practices within a year. Jack Cable, a senior technical advisor at CISA and holder of a very authoritative name, says 248 companies signed the pledge and most are taking it seriously. He says he's seeing significant impact across the Internet ecosystem and that progress has exceeded expectations. He points out things like Microsoft's expansion of multifactor authentication, Google's improvements to secure code development, and Fortinet's new requirement that customers receive automatic security updates as examples of things working. So, Brett, I'm curious, what are your thoughts with this secure by design program?
Brett Conlan
Okay, so I'm gonna start with the positive. We have 248 companies that have signed the pledge. That's a positive sign, and it's showing that organizations are taking this seriously and driving meaningful change in the industry. Especially when you look at some of those companies, right? So you have Google, you have Microsoft, you have Amazon, you have some pretty large companies that I think can really set the bar and help other companies follow suit. And it's especially important as cyber threats continue to evolve and that digital ecosystem grows more complex. So when I see companies like Microsoft, Google and Fortinet lead the way with concrete actions like expanding MFA or improving secure development, it sets a high standard for others to follow. Specifically, secure code development minimizes the vulnerabilities that can be exploited by the attackers. Then I really like the automatic security updates to ensure that customers receive the patches for the vulnerabilities and they don't have to take action. This completely reduces the window of opportunity for attackers. And we'll talk a little bit about that later on, I think, when we talk about the zero day article. And from my experience, one of the biggest challenges with the secure design is ensuring that development teams have the resources, the tools, and the training they need to implement the practices effectively. There's still that pressure to ship products quickly. And when you have that pressure, you can lead to security being deprioritized. And the long term benefits, such as fewer breaches, reduced risk and greater customer trust far outweigh that short term trade off. But the company needs to see that and then the developers need to understand that. So it's a critical shift. It can ultimately help create a safer and more resilient digital world. I like the effort and I like where it's going. I really like that the large companies are going after it. 
I'm excited to see where this goes in the next couple of years.
Rich Strofolino
All right, well, next, right here. DNA firm holding highly sensitive data vanishes without warning. Atlas Biomed is a company based in London, England and offers to provide insights into people's genetic makeup and predispositions to certain illnesses. Certainly not the first company to offer similar services, but one that was out there. It recently ceased operations without telling its customers what has happened to the highly sensitive data they shared with it. All activity, including social media, has ceased and its London office stands empty. None of these are reassuring signs. The company also has links to Russia. It used to have eight official positions, although according to the BBC, four of its officers have resigned and the two apparently remaining officers are listed at the same address in Moscow, as is a Russian billionaire who is described as a now resigned director. So Brett, the story contains all the components of a, I don't know, a Michael Crichton novel or an action movie. But behind all of this is the fact that people's most personal of PII, either actual DNA has gone missing. Obviously the news cycle will quickly move on. But what are your thoughts about the dangers this disappearance might pose?
Brett Conlan
So I hope the news cycle doesn't move on too quickly from this. This company which supposedly offered insights into customers' genetic predispositions shut down, didn't inform their users about what happened to their DNA. So this loss of data can lead to several consequences, right? Genetical discrimination, insurance premiums, employment opportunities, healthcare access based on whatever the genetic traits are. And then you also are increasing the risk of identity theft. DNA isn't typically used for fraud, but it is permanent, it's unique and it's a form of PII that could be exploited. The company's links to Russia raise questions. Potential misuse of the data by foreign governments, biosurveillance, military purposes, the individuals whose data has been lost. This breach could extend beyond personal privacy. I think the incident when I read that and I thought it was one of the wildest stories that I had read in a long time. It underscores the broader issue. Right. We're increasingly relying on genetic testing for health insights. We have people that are actively sending information over to really, they don't know where it's going. And so we have to ensure that there's robust safeguards are in place, there's stronger data protection laws, greater transparency for companies and more secure ways to handle that data are essential to protect people from both the immediate and future risks. Because I only see this type of data being passed increasing as people, you know, focus on their health and longevity and they send this information over.
Rich Strofolino
Yeah. And it's very interesting because a lot of the privacy conversations, this kind of stuff is kind of out of bounds for a lot of that. I know Illinois has a very strong or fairly strong biometric privacy law, which I believe this would cover. But even still, I mean, like, you know, if you're out of there, you're out of luck. That is certainly not a standard in any sense, at least so far. So, yeah, definitely just a very, very singular set of circumstances leading into that. Maxtronic, of course in the chat says to add up to a Hollywood thriller, it ends up at a DNA cloning startup. We don't know where this ends, quite honestly. You know, funny to think about, but not funny for the people that had that happen to them. Because just, I mean like I remember what 23andMe, right, was going through some financial troubles and stuff like that. And like the idea of a company like that just being acquired by a company that you didn't have a relationship, I could see that as being problematic. Right. If they had your information, let alone, you know, close the doors overnight and you have no recourse to get any of that, any of that information deleted or anything like that.
Brett Conlan
So it's just gone.
Rich Strofolino
Yeah. So we will keep an eye out if there's any more update on that and we will have an update, if available, on Cybersecurity Headlines. Before we move on to our next story, we have to spend a few moments and thank our sponsor for today, ThreatLocker. Do zero day exploits and supply chain attacks keep you up at night? Worry no more. You can harden your security with ThreatLocker. ThreatLocker helps you take a proactive default deny approach to cybersecurity and provides a full audit of every action allowed or blocked for risk management and compliance. Onboarding and operation are fully supported by their US-based support team. To learn more about how ThreatLocker can help keep your organization running efficiently and protected from ransomware, visit threatlocker.com. That's T-H-R-E-A-T-L-O-C-K-E-R.com.
Brett Conlan
All right.
Rich Strofolino
A surge in zero day vulnerability exploits is the new normal according to Five Eyes. Brett, you had alluded to this article, so let's dig into the details here. This warning comes from the Five Eyes Intelligence alliance, which if you haven't been keeping score, that's the US, UK, Australia, Canada and New Zealand, stating that contrary to previous years in which malicious cyber actors were exploiting older software vulnerabilities, the tide has turned to zero days, with Citrix's networking product NetScaler being the most widely used. The report also mentions a critical vulnerability impacting Cisco routers, another in Fortinet VPN equipment, and one affecting the MOVEit file transfer tool, very famously exploited by the Clop ransomware gang along with everyone else. A link to the report published by CISA is available in the show notes of this episode if you want to check that out. Highly recommend you do. But Brett, pretty straightforward story here bringing zero days into sharp focus and kind of making these maybe like the default now to look for. I'm curious, what are your recommendations for other CISOs in relation to this announcement? You're going to be talking about this tonight?
Brett Conlan
We absolutely will. The growing exploitation of the zero days is a wake-up call for us, right? The advisory from the Five Eyes. As it pointed out, attackers are now targeting the freshly discovered flaws. I know, I think the article said it was within days of a patch being released. We've seen zero days where within hours they've started to try to exploit it. So we definitely are looking at strategies of how we can better approach those zero days. I think the key to mitigating this risk lies in the speed and the automation you need to accelerate your patch management process where possible. And you need to automate that deployment to reduce the window of exposure. So if I'm telling my CISOs tonight at the foxhole, I'll be talking about them, they need to act swiftly. Right? We need to prioritize patch management, automate the updates where possible. Zero days are often weaponized as soon as they're disclosed. We're going to monitor threat intel closely for any indicators of new exploits and invest in advanced detection tools to catch any signs of the attack. And then you have to embrace the security by design principles with vendors and within your own development process to reduce the future vulnerabilities. So ensure your incident response plan is tailored for it. You should have a zero day playbook at this point and then test your team's readiness with regular exercises. I have a secret strategy because we actually have a guy on our team named Mike who's actually Kelly's husband that we talked about earlier and we call him zero day. He has a knack for finding any of these vulnerabilities, but not in the way that I want him to. Right. So we have to like protect ourselves from him and. But that's my defense and strategy. But for others, I would say adopt a multilayered defense strategy. Don't rely just on the perimeter of security and make sure you have that zero day playbook. 
I think that this is going to make a big difference and AI is only accelerating this. Right. The ability to exploit these things is.
Rich Strofolino
Now that's interesting to finish on. AI is obviously it's, it's far more. Not even efficient, but like we're never going to find all the zero days that are out there. It's better to be able to respond quickly to them. Does have you seen any possibility of using AI to maybe more proactively look for those on your, like, you know, to find them more on the, you know, before they hit the curve. You know, find zero days that haven't been discovered using those tools? Or is that way too far out? Or is that not never going to have the hit rate you need to ever be able to really supplement kind of the prevention or the response piece?
Brett Conlan
I haven't seen it yet. I'm sure that will come at some point. Right. I mean they can, if they can mirror it and try to look at what their tools are looking at. I would actually want to see that from the vendor side. Vendors actually use that to find their own zero days and then get that back to us and find the patching of that. So that would be an interesting concept. I think there are definitely. We're seeing vendors put AI in more towards the patch management side and how they can use that to patch easier and quicker. But, but you know, time will tell on that.
Rich Strofolino
CCL had a question in the chat. What are some steps to handle zero days? I think that's going to go beyond the scope of what we can talk about here. But CCL, I love that, we're going to save that and I want to use that for like a Super Cyber Friday or something like that because I think that would be a really interesting conversation. So thank you for the inspiration on there. Here's one of my favorite stories of the week, though, coming up next here. Amazon leaker claims to be an ethical hacker. He It's a move, right? I applaud. So here's the details. Last week, 2.8 million lines of Amazon employee data were posted on a dark web forum by someone who claimed to have obtained the information on dozens of companies through the MOVEit file transfer exploit. They weren't clear if they used the exploit or they obtained them from sources that had, but it's related to that. Researchers at Rock Hudson verify, or excuse me, at Hudson Rock verified this data, including from organizations like Lenovo, Delta, HSBC, and Charles Schwab. This includes names, organizational roles, contact information, department assignments, a lot of stuff that you could use for social engineering. The perpetrator claimed to be an ethical hacker, not obtaining the data with fake credentials and only scraping what was publicly available. Their goal was to raise awareness of the need to encrypt PII data at these organizations and not to hide behind blaming third parties for leaked data. Although I should note, they also said that they would leak more data, which I think we already got the point. You don't need to leak data. But anyway, Brett, does this sit well with you? Do the actions of an ethical hacker actually taking and releasing data represent a heroic warning here? Or do they reveal or even instigate greater dangers here?
Brett Conlan
I have serious concerns about the actions of the individual behind the leak. Right. It's not ethical hacking. And while it's true that your poor security practices or unencrypted data, poor vendor management are real issues, the way this person is going about raising awareness is dangerous and irresponsible. And what they're doing, again, is not ethical hacking. Ethical hackers work with organizations, they find vulnerabilities, they report them, and they help fix them without putting anyone at risk. In contrast, if we look at what's going on here, they're leaking sensitive data, and I don't think the intentions are good. They're exposing millions to new threats, including the social engineering and identity theft. The larger issue here is that by bypassing legal and ethical boundaries, they set a dangerous precedent. If people begin taking matters into their own hands, it could lead to more chaos in the cybersecurity world, which we all know that we don't need. These flaws should have been, should be addressed, but they need to be reported through the right channels, whether that's through responsible disclosure to security teams or CERTs. It's not by releasing the data into the wild. So I read this article a couple times. I mean, I can't believe they're claiming to be an ethical hacker. It's definitely someone who's done bad. And then they're just trying to almost justify their actions by stating, hey, by the way, I'm a good guy.
Rich Strofolino
It almost is like they realize like law enforcement or something is sniffing around and they're like, no, no, no, for real, I wasn't trying to make any money off this. I mean, this to me reminds me of like you discovered like a fire code violation. So your response is I should set the building on fire to show how bad it is. Like that. It doesn't. Yeah, you're not helping the situation here. I think it's a very different. You know, I was thinking of the other kind of ethical hacking story that we covered recently, which was the when the city of Columbus got hit with ransomware and a security researcher was kind of putting to light that, hey, actually this information that you said was encrypted and corrupted is actually publicly available. That's very different because like, to me that, that felt very different because they were, you know, they were shedding light on, hey, you know, people maybe aren't being forthright to the extent of this attack. You know, you can, you can debate whether they did it in the most responsible way, but at least there was a. Seemed like a motivation there. This just seemed like I did this for the lulz and now I'm, I'm going ethical. Sure, why not?
Brett Conlan
And oh, by the way, there's more to come.
Rich Strofolino
Yeah, that is the smoking gun for sure. All right, and our last story for today. Strela Stealer malware reappears in Spain, Germany and the Ukraine. A group known as Hive0145 has been infecting targets with Strela Stealer malware delivered through phishing emails disguised as legitimate invoice notifications. What's worthy of note in this situation is that according to researchers at IBM X-Force, whereas the group initially relied on fake invoices and receipts sent from fabricated accounts, they've recently begun to weaponize stolen emails from real identities in the financial technology, manufacturing, media, e-commerce and other sectors. And it's believed by the researchers that Hive0145 is the tool's sole operator. So Brett, what struck me here is weaponizing stolen emails, you know, not, it's, it's. You can't spot the phishing email if they're real ones, kind of speaks to, I don't know, something much more dangerous and may show that, you know, the greater dangers that threat actors who penetrate networks are able to pull these kind of schemes. I'm curious, what are your thoughts?
Brett Conlan
You're absolutely right. Weaponizing stolen emails is a particularly concerning aspect of this campaign. And what's alarming here is not just the malware itself, but the depth of access these attackers have gained. So they're using real compromised emails from trusted organizations, and then they can create highly convincing phishing attempts that are far more difficult for recipients to spot. So the method essentially turns the victim's own legitimate email infrastructure against them. So this really understood, you know, underscores the growing threat of attackers who penetrate the networks, they gain access to internal systems, and they can keep coming back to launch increasingly sophisticated attacks, and they can go unnoticed for longer. It highlights the importance of securing internal systems, specifically and especially email infrastructure, and to prevent attackers from turning the very tools we rely on for communication into weapons.
Rich Strofolino
It's. Yeah, I mean, it's just devious. As someone who loves a good web standard, every time something that makes me question, should we still use email? Always makes me sad, but it does. I don't know. I know threat actors will threat actor, and if everybody moves to Slack or, you know, whatever comms you use, the threat actors will be there and ready to exploit it. But man, this one, this one seems so devious because I just, I just think of the poor security awareness training of. No, no, this was a real invoice. I was expecting it. It came. This is the legit email. And to still fall prey to that is. That is some harsh, harsh stuff. Before we get out here, I just want to give a shout out to all of our commenters. I see some new names in here, including Toasty Pops and Justin Gold. I think some Simply Cyber folks popping into our chat. So always great to have you. Of course, we have some of our regulars like CCL, Maxtronic and Kevin Farrell in there as well. So always great when we have people helping to make the show better. Thank you everyone for showing up and helping make the show better. Sharing your thoughts in the chat. That is truly awesome. Brett, before we get out of here, was there any story in the lineup or in the news this week that was a thumbs up or an eye roller for you this week?
Brett Conlan
I think the DNA one was fascinating. I can't get over the fact that it just disappeared overnight. I think that's an eye opener, and I hope that people are paying attention to that. And I think that people need to be much more diligent about where they're sending their information.
Rich Strofolino
Yeah, we cover exit scams all the time in crypto or ransomware and stuff like that. DNA startup. That's a new exit scam for me. Always nice to have something new for the palate today here. Brett Conlon, the CISO at American Century Investments. Crushing it as always. Why we keep having you back. Always a pleasure. Where can people find you on cyberspace if they want to follow what you're up to?
Brett Conlan
Yeah, just go to Brett Conlon at LinkedIn. I'm there and happy to talk to everyone.
Rich Strofolino
Excellent, excellent. Well, thank you Brett, so much. It was an absolute pleasure. And thanks also to our sponsor for today, ThreatLocker Zero Trust Endpoint Protection Platform. And thanks once again to all of our audience. You know we can't always get every comment up on the screen. All of you were submitting all of your terrible passwords. I really appreciated that. Gave me some very terrible ideas for my own passwords. And thank you for just making the show fun. And I always get a smile on my face looking at the chat when we're doing this show here. Don't forget if you're joining us now, you should join us next Friday for Super Cyber Friday where our topic will be, seems relevant to a lot of what we're talking about, Hacking e-crime trends. An hour of critical thinking about staying on top of an ever evolving threat landscape. That's at 1pm and then 1pm Eastern and then we'll be followed by another episode of the Week in Review at 3:30 Eastern. Just head on over to the events page at cisoseries.com, get registered for both, subscribe to YouTube. We are all good. In the meantime, you get your daily news fix every day through Cybersecurity Headlines. Give us about six minutes, we'll get you all caught up. For myself, for Brett, for all of us here on the CISO Series team, I'm Rich Strofolino wishing you and yours to have a super sparkly day.
Brett Conlan
Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Cyber Security Headlines: Week in Review – Detailed Summary
Episode Title: Week in Review: Most Common Passwords, Secure-by-Design, DNA Firm Vanishes
Host: CISO Series
Release Date: November 15, 2024
Guest: Brett Conlan, CISO at American Century Investments
The episode opens with a discussion of the persistence of weak passwords. Rich Strofolino highlights NordPass's recent finding that the numeric sequence "123456" continues to top the list of the most common passwords. NordPass analyzed a 2.5 terabyte database of passwords and found that variations of simple sequences, QWERTY patterns, and single-word passwords like "password" and "secret" remain prevalent and can be cracked in less than a second.
Notable Quote:
Brett Conlan [02:50]: "The reason people haven't improved their password hygiene despite repeated warnings boils down to convenience over security. Strong passwords are hard to remember, so people default to easy, common passwords out of habit."
Brett emphasizes that the lack of improvement over the past six years is concerning. He attributes this to factors such as:
Brett suggests that improving password hygiene requires a multifaceted approach:
The conversation shifts to the Secure-by-Design initiative, a pledge involving software companies committing to seven key digital security practices within a year. Jack Cable from CISA reports that 248 companies have signed the pledge, with significant progress observed in the adoption of better security measures.
Notable Quote:
Brett Conlan [05:44]: "Organizations signing the pledge, especially giants like Google and Microsoft, are driving meaningful change in the industry. Their actions set a high standard, such as expanding multifactor authentication and improving secure code development."
Brett applauds the commitment from major players, noting that their efforts:
However, Brett also points out challenges, primarily the pressure on development teams to ship products quickly, which can lead to deprioritizing security. He underscores the necessity for companies to balance speed with long-term security benefits, such as fewer breaches and increased customer trust.
A startling story covered in the episode involves Atlas Biomed, a London-based DNA firm that abruptly ceased operations, leaving customers' highly sensitive genetic data in jeopardy. The company's sudden disappearance raises serious concerns about data protection and potential misuse.
Notable Quote:
Brett Conlan [08:46]: "The loss of genetic data can lead to genetic discrimination, increased risk of identity theft, and potential misuse by foreign entities for biosurveillance or military purposes."
Brett elaborates on the dangers posed by the disappearance of such a company:
Brett stresses the need for robust safeguards, stronger data protection laws, and greater transparency from companies handling genetic information to prevent such incidents and protect individuals' privacy.
The episode addresses the alarming increase in zero-day vulnerability exploits, as reported by the Five Eyes Intelligence alliance (comprising the US, UK, Australia, Canada, and New Zealand). Unlike previous trends where older software vulnerabilities were exploited, attackers are now targeting freshly discovered zero days with unprecedented speed.
Notable Quote:
Brett Conlan [13:31]: "Mitigating the risk of zero days lies in the speed and automation of patch management. Automating deployment reduces the window of exposure and helps in swiftly addressing these vulnerabilities."
Key points discussed include:
Brett also touches on the potential role of AI in both identifying and managing zero-day vulnerabilities, though he notes that while AI has promise in patch management, its effectiveness in proactive zero-day discovery remains to be seen.
Another significant topic is the leak of 2.8 million lines of Amazon employee data on a dark web forum by an individual claiming to be an ethical hacker. The data, which includes sensitive information from various organizations, was purportedly obtained through the MOVEit file transfer exploit.
Notable Quote:
Brett Conlan [18:08]: "The actions of this individual are not ethical hacking. Ethical hackers work with organizations to report vulnerabilities without putting anyone at risk. Leaking sensitive data is irresponsible and dangerous."
Brett critiques the ethics of the perpetrator, emphasizing that true ethical hacking involves responsible disclosure and collaboration with organizations to fix vulnerabilities without exposing data. He warns that such actions:
Brett concludes that while the intent to raise awareness about data encryption is valid, the method employed is flawed and harmful, undermining trust and security efforts.
The final major story covers the resurgence of Strela Stealer malware, particularly in Spain, Germany, and Ukraine. The threat group Hive0145 is deploying the malware through highly deceptive phishing emails that mimic legitimate invoice notifications.
Notable Quote:
Brett Conlan [21:42]: "Weaponizing stolen emails is deeply concerning. It demonstrates that attackers are leveraging trusted email infrastructures to execute highly convincing phishing attacks, making them exceptionally difficult to detect."
Brett explains that Hive0145's strategy involves:
He underscores the critical need for:
Rich Strofolino adds that this form of phishing exploits the inherent trust in traditional email systems, highlighting the ongoing challenges in cybersecurity awareness and training.
Throughout the episode, Brett Conlan provides insightful analysis on each topic, emphasizing the importance of proactive security measures, robust policies, and ethical standards in safeguarding sensitive information. The discussions underscore the evolving threats in the cybersecurity landscape and the critical need for continuous adaptation and vigilance among organizations and individuals alike.
For more in-depth coverage of these stories and daily cybersecurity updates, listeners are encouraged to visit CISOseries.com.