
Cybersecurity Today: From Data Theft to Total Destruction

In today's episode, we cover the latest shifts in cybercrime as hackers move from data theft to complete system destruction, impacting businesses on a massive scale. We discuss Palo Alto...
Jim Love
Hackers shift from data theft to total destruction. Veeam patches a critical vulnerability in its service provider console. The Privacy Commissioner of Saskatchewan recommends an increase in credit monitoring to 10 years. Russia sentences a cybercriminal leader to life in prison, and Europeans take down another major cybercrime network. This is Cybersecurity Today. I'm your host, Jim Love.

As more and more companies have developed effective backup strategies, cybercriminals are evolving their attacks, moving beyond traditional ransomware attacks to focus on highly destructive campaigns that render systems inoperable. According to a recent report from Palo Alto Networks, these attacks go beyond stealing or encrypting data. They aim to cripple businesses entirely by corrupting systems and halting operations. Unlike traditional ransomware, which holds data hostage for payment, these newer tactics involve wiping data, corrupting virtual machines, and deploying malware designed to destroy key operational systems. Sam Rubin of Palo Alto's Unit 42 explains that attackers are now targeting large software vendors and service providers, knowing they can disrupt hundreds of connected businesses through a single breach. One of the groups known to have made this pivot is Scattered Spider, the group behind the MGM and Caesars attacks. One example involved hackers forcing the company to disconnect over 100 customers for weeks to ensure safety, even if they weren't directly compromised. In another case, a company lost millions of dollars daily from a complete shutdown and quickly paid a ransom to stop the bleeding. These attacks often leverage sophisticated entry points, including phishing, exploiting unpatched software vulnerabilities, and social engineering. The differences lie in their intent and execution.
Rather than merely demanding money for restored access, they aim to cause such severe operational disruption that the victim faces immense financial and reputational pressure to simply pay up. Rubin noted that this approach demands more preparation from the attackers. They must research a company's dependencies, understand its vendors, and exploit vulnerabilities across a broader ecosystem. While these tactics require greater effort and cost, the payoff can be massive due to the high stakes involved. Palo Alto warns that such attacks are likely to increase, especially as hackers adopt generative AI tools to uncover new vulnerabilities. While companies need to have strategies to deal with these attacks, they also have to be cognizant of the risks they have from suppliers and software-as-a-service vendors.

Veeam, a company that provides backup and recovery as a service, has issued security updates that address two vulnerabilities in its Service Provider Console (VSPC), including a critical remote code execution, or RCE, flaw rated 9.9 out of 10 in severity. The RCE vulnerability, identified as CVE-2024-2448, could allow attackers to execute arbitrary code from the VSPC Management Agent machine. A second flaw, CVE-2024-42449, could enable attackers to steal NTLM hashes and delete files on affected servers. These vulnerabilities impact VSPC versions 8.1.0.21377 and earlier, including builds 7 and 8. While these flaws require the management agent to be authorized on the server, Veeam urges service providers using supported versions to update immediately. Unsupported versions are also likely vulnerable and should be upgraded to the latest release. Veeam's products are widely used by over 550,000 customers worldwide, including 74% of the Global 2,000 and 82% of Fortune 500 companies. The company has had a number of critical software vulnerabilities over the last year and has been targeted with a number of recent ransomware campaigns.
Maybe a wise thing to check to make sure you've got this one up to date.

A ransomware attack on Inmar Strategies in Saskatchewan, a subsidiary of a firm called Sencora, exposed the sensitive personal information of 7,293 people in Saskatchewan. Compromised information includes health records, medication details and personal identifiers, according to a report by the Saskatchewan Information and Privacy Commissioner, Ronald J. Kruzynski. The breach, discovered in February, prompted Sencora to notify affected individuals by May and implement measures like system segmentation to prevent future attacks. The company also offered two years of free credit monitoring. Kruzynski recommends, though, extending it to 10 years, warning that stolen data can be exploited long after a breach. Previously, Kruzynski had been asking for five years, but he's decided since then, at least in this case, that that amount of time was insufficient.

More than 600,000 individuals have had their personal information exposed in a data breach involving SL Data Services, another background check company. The breach included sensitive records such as full names, addresses, email addresses, employment details, social media accounts, criminal records, and property ownership reports stored in unprotected PDF files totaling over 713 gigabytes. The vulnerability was discovered by cybersecurity researcher Jeremiah Fowler, who reported that the database lacked encryption and password protection. It remained publicly accessible for a week before SL Data Services secured the information. The data raised concerns about potential access by malicious actors, though no evidence has yet emerged of exploitation. Like the larger National Public Data breach affecting 2.9 billion people, this breach poses risks of social engineering attacks. Victims may not be aware that they were even affected, as background checks are often conducted without their direct involvement.
While no Social Security numbers or payment information were included, experts warn that the breadth of exposed data could still enable scams and identity theft.

Russia has sentenced Stanislav Moiseyev, leader of the Hydra dark web market, to life in prison for his role in running the world's largest illicit online marketplace. Moiseyev was also fined 4 million rubles. His 15 accomplices received sentences ranging from 8 to 23 years in penal colonies and fines totaling 16 million rubles. The group was convicted of producing and selling nearly a ton of drugs across Russia and Belarus. Hydra Market, active until 2022, was a major hub for drug sales, money laundering and cybercrime services, serving 17 million users and generating $1.35 billion annually. German and US authorities dismantled its servers in a joint operation, seizing 51 million in cryptocurrency. The platform's Bitcoin bank mixer further obscured transactions, complicating law enforcement efforts. This case is part of an unusual crackdown by Russian authorities on cybercriminals. While Russia typically avoids prosecuting hackers targeting foreign entities, it has taken action in select cases. For example, the REvil ransomware group was shut down after its 2021 Colonial Pipeline attack disrupted U.S. fuel supplies. The sentencing of Moiseyev and arrests of other cybercriminals have led to a lot of speculation as to why Russia appears to be changing its approach to cybercrime. One theory has been that President Joe Biden has specifically intervened, requesting that Russia take action, something Russia has denied. Another is that these groups may not have been paying their tax to the Russian authorities. Whatever the reasoning, this marks a potential shift in Russia's handling of high-profile cybercrime operations, and it's worth seeing how this develops.
An international law enforcement operation has dismantled Matrix, an encrypted messaging platform used by at least 8,000 criminal accounts to coordinate illegal activities. The operation, codenamed Operation Passion Flower, involved Europol, Eurojust and authorities from multiple European countries, including France, the Netherlands and Germany. Police discovered Matrix while investigating the phone of a suspect involved in the 2021 shooting of journalist Peter R. De Vries. Over three months, authorities intercepted 2.3 million messages sent through the platform, which provided encrypted messaging, video calls and anonymous browsing, as well as transaction tracking. Users would pay up to $1,700 for customized Google Pixel devices and subscriptions to the service. Simultaneous raids across four countries resulted in the shutdown of 40 servers, the arrests of five suspects, including a 52-year-old Lithuanian believed to be the platform's operator, and the seizure of 970 encrypted phones, €645,000 in cash and cryptocurrency, and four vehicles. Matrix has been marketed under several names, including Matrix and Total Sec. Authorities warn Matrix users that their communications may be exposed. However, those who use the service for privacy rather than illegal activities can request exemptions from investigations. The takedown follows similar operations against platforms like EncroChat and Sky ECC, which have led to thousands of arrests for crimes including drug trafficking and money laundering. This follows on our story on Monday, where we noted another European takedown of a digital piracy service that was also funding money laundering and cybercrime. Score another one for the good guys.

That's our show for today. You can find links to reports and other details in our show notes at technewsday.com. We welcome your comments, tips and the occasional bit of constructive criticism at editorial@technewsday.ca. I'm your host, Jim Love. Thanks for listening.
Cybersecurity Today: Episode Summary – "Hackers Move From Data Theft To Complete Destruction"
Host: Jim Love
Release Date: December 4, 2024
Podcast: Cybersecurity Today
Episode Title: Hackers Move From Data Theft To Complete Destruction
In this episode of Cybersecurity Today, host Jim Love delves into the evolving landscape of cyber threats faced by businesses today. Emphasizing the shift from traditional data theft to more destructive cyberattacks, Love provides listeners with an in-depth analysis of recent cybersecurity incidents, vulnerabilities, and international law enforcement actions against cybercriminals.
Jim Love opens the discussion by highlighting a significant trend: cybercriminals are moving beyond mere data theft and ransomware to executing highly destructive attacks aimed at crippling entire business operations.
“[Cybercriminals] are evolving their attacks, moving beyond traditional ransomware attacks to focus on highly destructive campaigns that render systems inoperable,”
— Jim Love [00:30]
A recent Palo Alto Networks report underscores this shift, revealing that modern attacks not only encrypt or steal data but also aim to corrupt systems and halt business operations completely. Unlike traditional ransomware that holds data hostage for ransom, these new tactics involve wiping data, corrupting virtual machines, and deploying malware designed to destroy key operational systems.
Sam Rubin, from Palo Alto’s Unit 42, elaborates on this evolution:
“Attackers are now targeting large software vendors and service providers, knowing they can disrupt hundreds of connected businesses through a single breach.”
— Sam Rubin [03:15]
One notorious group exemplifying this shift is Scattered Spider, responsible for the high-profile MGM and Caesars attacks. These incidents forced companies to disconnect over 100 customers for weeks, ensuring system safety even if direct compromises weren’t evident. In another scenario, a company's complete shutdown led to millions in daily losses, compelling them to pay a ransom to resume operations.
The strategic intent behind these attacks is to inflict such severe operational disruption that victims face immense financial and reputational pressures, pushing them to comply with ransom demands swiftly.
Rubin adds:
“This approach demands more preparation from the attackers. They must research a company's dependencies, understand its vendors, and exploit vulnerabilities across a broader ecosystem.”
— Sam Rubin [05:50]
The adoption of generative AI tools by hackers is anticipated to further exacerbate this threat landscape by enabling the discovery of new vulnerabilities more efficiently.
Transitioning to recent software vulnerabilities, Love discusses Veeam, a prominent backup and recovery service provider, which has patched two critical vulnerabilities in its service provider console.
“Veeam patches a critical vulnerability in its service provider console,”
— Jim Love [07:20]
The first vulnerability, identified as CVE-2024-2448, is a Remote Code Execution (RCE) flaw rated 9.9 out of 10 in severity. This flaw allows attackers to execute arbitrary code from the VSPC Management Agent machine. The second, CVE-2024-42449, enables attackers to steal NTLM hashes and delete files on affected servers.
These vulnerabilities affect VSPC versions 8.1.0.21377 and earlier, including builds 7 and 8. Veeam emphasizes the urgency for service providers to update immediately, especially those using supported versions. Unsupported versions are also at risk and should be upgraded to the latest release.
“Maybe a wise thing to check to make sure you've got this one up to date.”
— Jim Love [09:00]
With over 550,000 customers worldwide, including 74% of global Fortune 500 companies, the impact of these vulnerabilities is substantial. Veeam has faced multiple critical software vulnerabilities and recent ransomware campaigns, highlighting the importance of stringent security measures.
The episode shifts focus to a significant data breach incident involving Inmar Strategies, a subsidiary of Sencora, which exposed the sensitive personal information of 7,293 individuals in Saskatchewan.
“A ransomware attack on Inmar Strategies in Saskatchewan exposed the sensitive personal information of 7,293 people,”
— Jim Love [09:45]
The compromised data included health records, medication details, and personal identifiers. Following the breach discovered in February, Sencora notified affected individuals by May and implemented system segmentation to bolster security against future attacks. Initially, the company offered two years of free credit monitoring to the victims.
Ronald J. Kruzynski, the Privacy Commissioner of Saskatchewan, recommends extending this credit monitoring period:
“Stolen data can be exploited long after a breach. We are recommending an increase in credit monitoring to 10 years,”
— Ronald J. Kruzynski [11:15]
Previously advocating for a five-year monitoring period, Kruzynski now deems even that duration insufficient, emphasizing the prolonged risks associated with stolen personal data.
Another alarming breach involves SL Data Services, a background check company, which exposed personal information of over 600,000 individuals. The breach included full names, addresses, email addresses, employment details, social media accounts, criminal records, and property ownership reports stored in unprotected PDF files totaling 713 gigabytes.
“More than 600,000 individuals have had their personal information exposed in a data breach involving SL Data Services,”
— Jim Love [13:00]
Jeremiah Fowler, a cybersecurity researcher, discovered the vulnerability, noting the lack of encryption and password protection on the database. The information was publicly accessible for a week before SL Data Services secured it. While there is no current evidence of exploitation, the breadth of exposed data heightens the risk of social engineering attacks, despite the absence of Social Security numbers or payment information.
Experts warn that even without direct involvement, the extensive data can facilitate scams and identity theft, as victims may remain unaware of their compromised status.
In a significant development, Russian authorities have sentenced Stanislav Moiseyev, the leader of the Hydra Dark Web market, to life imprisonment. Moiseyev was also fined 4 million rubles. His 15 accomplices received sentences ranging from 8 to 23 years in penal colonies and fines totaling 16 million rubles.
“Russia sentences a cyber criminal leader to life in prison,”
— Jim Love [15:00]
Hydra market, operational until 2022, was a major platform for drug sales, money laundering, and cybercrime services, serving 17 million users and generating approximately $1.35 billion annually. German and U.S. authorities collaborated to dismantle Hydra's servers, seizing 51 million in cryptocurrency. The platform's Bitcoin bank mixer complicated law enforcement efforts by obscuring transaction trails.
This crackdown marks a potential shift in Russia's approach to cybercrime, as the country traditionally refrains from prosecuting hackers targeting foreign entities. Speculation about the change includes one theory that President Joe Biden specifically intervened to request Russian action (which Russia has denied), and another that these groups had stopped paying their tax to the Russian authorities.
The sentencing of Moiseyev and other cybercriminals indicates a new stance by Russia in handling high-profile cybercrime operations, warranting close observation of future developments.
The episode highlights a large-scale international operation that successfully dismantled Matrix, an encrypted messaging platform utilized by at least 8,000 criminal accounts to coordinate illicit activities.
“An international law enforcement operation has dismantled Matrix, an encrypted messaging platform used by at least 8,000 criminal accounts,”
— Jim Love [17:00]
Operation Passion Flower, spearheaded by Europol, Eurojust, and authorities from France, the Netherlands, and Germany, targeted Matrix during the investigation of the 2021 shooting of journalist Peter R. De Vries. Over three months, authorities intercepted 2.3 million messages sent through Matrix, which offered features like encrypted messaging, video calls, and anonymous browsing. Users paid up to $1,700 for customized Google Pixel devices and service subscriptions.
The crackdown involved simultaneous raids across four countries, resulting in the shutdown of 40 servers and the arrest of five suspects, including a 52-year-old Lithuanian believed to be the platform’s operator. Authorities also seized 970 encrypted phones, €645,000 in cash and cryptocurrency, and four vehicles.
Matrix had been marketed under various names, including Matrix and Total Sec, and was comparable to platforms like EncroChat and Sky ECC, whose takedowns have previously led to thousands of arrests for crimes such as drug trafficking and money laundering.
Authorities caution Matrix users that their communications may now be exposed, though those using the service for legitimate privacy purposes can request exemptions from investigations.
“This marks another significant victory for law enforcement against cybercriminal networks,”
— Jim Love [18:30]
In "Hackers Move From Data Theft To Complete Destruction," Jim Love underscores the dynamic and escalating nature of cybersecurity threats. From the strategic shift of cybercriminals towards destructive attacks and the exploitation of critical software vulnerabilities to international efforts in dismantling major cybercrime networks, the episode provides a comprehensive overview of the current cybersecurity landscape.
Listeners are encouraged to stay vigilant, prioritize updating and securing their systems, and remain informed about the latest threats and protective measures to safeguard their businesses and personal information in an increasingly risky digital era.
“Stay ahead of the threats by understanding their evolution and implementing robust security strategies,”
— Jim Love [19:45]
For more detailed reports and insights, listeners can refer to the show notes available at technewsday.com.
This summary encapsulates the key discussions and insights from the December 4, 2024 episode of Cybersecurity Today, providing a comprehensive overview for those who haven't had the opportunity to listen.