Transcript
Dave Bittner (0:02)
You're listening to the CyberWire network, powered by N2K.

Hey everybody, Dave here. I want to talk about our sponsor, LegalZoom. You know, I started my first business back in the early 90s, and oh, what I would have done to have been able to have the services of an organization like LegalZoom back then. Just getting all of those business ducks in a row: all of that technical stuff, the legal stuff, the registrations of the business, the taxes, all of those things that you need to go through when you're starting a business, the hard stuff, the stuff that sucks up your time when you just want to get that business launched and out there. Well, LegalZoom has everything you need to launch, run and protect your business all in one place, and they save you from wasting hours making sense of all that legal stuff. Launch, run and protect your business. To make it official today at legalzoom.com, you can use promo code CYBER10 to get 10% off any LegalZoom business formation product, excluding subscriptions and renewals. That expires at the end of this year. Get everything you need from set-up to success at legalzoom.com and use promo code CYBER10. That's legalzoom.com and promo code CYBER10. LegalZoom provides access to independent attorneys and self-service tools. LegalZoom is not a law firm and does not provide legal advice, except where authorized through its subsidiary law firm, LZ Legal Services, LLC.

Pundits predict Trump will overhaul US cybersecurity policy. Experts examine escalating cybersecurity threats facing the US energy sector. Palo Alto Networks patches a pair of zero-days. Akira and SafePay ransomware groups claim dozens of new victims. A major pharmacy group is pressured to pay a $1.3 million ransomware installment. Threat actors are exploiting Spotify playlists and podcasts. An alleged Phobos ransomware admin has been extradited to the US. Rapper Razzlekhan gets 18 months in prison for her part in the Bitfinex cryptocurrency hack.
On today's Threat Vector, David Moulton speaks with Asaf Dahan, director of threat research at Palo Alto Networks' Cortex team, about the rising cyber threat from North Korea. And Swiss scammers send snail mail.

It's Tuesday, January 19th, 2024. I'm Dave Bittner, and this is your CyberWire intel briefing.

A second Trump administration is expected to overhaul U.S. cybersecurity policy, prioritizing business interests, aggressive offensive measures and deregulation over the Biden-era focus on corporate accountability, spyware restrictions and AI safeguards. In an article for Wired, Eric Geller writes that Trump is likely to dismantle Biden's regulatory efforts on critical infrastructure cybersecurity, citing industry burdens. Rules impacting rail, aviation and water systems could be scrapped or weakened, with a shift toward voluntary compliance and incentives. Efforts like CISA's disinformation campaigns and AI safety initiatives focused on societal harms may also end, reflecting Trump's emphasis on free speech and reduced regulation. Spyware policies are expected to favor market growth over human rights concerns, benefiting firms like NSO Group. AI regulations requiring transparency and safety measures may be repealed, favoring innovation over safeguards. Trump is poised to expand military cyber operations, emphasizing accountability for Chinese and Russian cyberattacks. Cyber Command could see enhanced roles, including potentially forming a separate military cyber branch. Policies blocking Chinese tech could also resurface. Initiatives pushing companies to design secure software and accept liability for vulnerabilities may stall, while slogans like "secure by design" may persist. New regulations are unlikely, reflecting the administration's alignment with corporate interests. CISA's cybersecurity incident reporting rules could be scaled back, exempting sectors or limiting required disclosures.
Ultimately, Trump's cybersecurity agenda may favor deregulation and military action while sidelining corporate accountability, spyware restrictions and emerging AI safety policies.

In an editorial for CyberScoop, Sachin Bansal, president of SecurityScorecard, and Brian Harrell, former assistant secretary for infrastructure protection at the Department of Homeland Security, say the US energy sector faces escalating cybersecurity threats as it integrates complex supply chains, clean energy technologies and digital systems. National Security Advisor Jake Sullivan recently highlighted the critical need for supply chain security, as vulnerabilities in software and third-party vendors present significant risks to vital infrastructure. A KPMG report revealed that third-party risk accounts for 45% of breaches in the sector, compared to a global average of 29%. The shift to greener, software-driven energy grids introduces additional risks, with renewable energy companies scoring lowest on cybersecurity metrics. Coupled with the potential for foreign exploitation, particularly by China, these factors underscore the urgency of a unified strategy. Efforts to enhance resilience include the Department of Energy's supply chain cybersecurity principles, supported by major firms like GE Vernova and Siemens. Regulators such as the Federal Energy Regulatory Commission are revising standards to address supply chain risks. Meanwhile, the White House is exploring cybersecurity ratings for infrastructure sectors. However, challenges remain. Attacks such as the Colonial Pipeline ransomware incident show how breaches in IT systems disrupt operations. Utilities struggle with the resources and expertise to counter growing threats, the authors say. A collective effort between government and industry is vital to secure every link in the supply chain.
By adopting consistent frameworks, measuring progress and fostering transparency, the energy sector can bolster cybersecurity resilience, safeguarding critical infrastructure and global stability.

Palo Alto Networks has patched two zero-day vulnerabilities exploited in Operation Lunar Peek. The first is a critical authentication bypass flaw allowing attackers to gain admin access via the PAN-OS management interface. The second is a privilege escalation issue enabling root access. These vulnerabilities targeted exposed firewall management interfaces and have been addressed in PAN-OS updates. CISA has added the flaws to its Known Exploited Vulnerabilities catalog, urging fixes by December 9 to mitigate risks.

The SafePay cybercrime operation, a new ransomware group deploying LockBit-based malware, has claimed 22 victims as of November of this year, according to Huntress. The group exploits Remote Desktop Protocol access to encrypt files and exfiltrate data. SafePay's ransomware is derived from a well-documented LockBit variant and incorporates tactics from other groups like ALPHV/BlackCat, including UAC bypasses and living-off-the-land binaries for privilege escalation. Huntress identified vulnerabilities in SafePay's Tor site, enabling deeper insights into its operations. SafePay employs tools like WinRAR for archiving stolen data and FileZilla for file transfers, often uninstalling them afterward to cover their tracks. The ransomware includes a Cyrillic-language-based kill switch to avoid attacks in Commonwealth of Independent States countries.

Meanwhile, the Akira ransomware group leaked data from 32 new victims in a single day last week, according to Cyberint. Active since March of 2023, Akira operates as a ransomware-as-a-service and has impacted over 350 organizations globally, earning an estimated $42 million targeting business services, critical infrastructure and other sectors.
Akira primarily focuses on US-based organizations, but also attacks entities in Canada, Europe and beyond. Cyberint reports that most victims were directly added to Akira's leaks section on its Tor site, bypassing the usual news section. This aggressive activity, which aligns with trends of escalating ransomware operations, mirrors similar mass victim disclosures by groups like LockBit. Akira's rapid growth and record-breaking victim counts indicate its expanding influence in the global cybercrime ecosystem.

The Embargo ransomware group is pressuring American Associated Pharmacies to pay a second $1.3 million installment of an alleged $2.6 million ransomware deal after already receiving the first payment. The group, which claims to have stolen one and a half terabytes of data, has threatened to leak the information by midweek if the payment isn't made. Embargo accuses AAP of prioritizing system restoration over customer data protection. Embargo's tactics include double extortion, a common strategy among ransomware gangs, researchers note. Embargo targets various sectors worldwide and has increasingly targeted health care, including Georgia's Memorial Hospital and Manor. Embargo, which surfaced this year, denies political affiliations, focusing instead on opportunistic attacks. Experts warn of potential class action suits and growing risks without stronger privacy laws to deter such cybercrime.

Threat actors are exploiting Spotify playlists and podcasts to promote pirated software, game cheats, spam links and dubious websites, leveraging Spotify's strong reputation and SEO presence to boost visibility. Using targeted keywords and links in titles and descriptions, scammers direct users to malware-laden sites or fake surveys. Some playlists, like one advertising a Sony Vegas Pro crack, and spammy podcasts use synthesized speech to lure users into clicking links, leading to ad-heavy or malicious sites.
These tactics extend to promoting game cheats and pirated ebooks. Cybercriminals often exploit third-party podcast distribution services to bypass platform safeguards. Spotify has removed some flagged content and emphasized its rules against malicious practices, but the challenge of combating such spam campaigns persists.

Russian national Evgenii Ptitsyn, age 42, has been extradited to the US to face charges related to administering the Phobos ransomware, according to the Department of Justice. Accused of running a ransomware-as-a-service scheme since 2020, Ptitsyn allegedly developed and sold Phobos ransomware to affiliates who targeted over 1,000 victims worldwide, including schools and hospitals, extorting over $16 million. Affiliates used stolen credentials to encrypt and exfiltrate data, pressuring victims to pay ransom. Ptitsyn faces up to 120 years in prison if convicted.

Heather "Razzlekhan" Morgan, a self-proclaimed rapper and entrepreneur, was sentenced to 18 months in prison for assisting her husband, Ilya Lichtenstein, in laundering Bitcoin stolen during the infamous 2016 Bitfinex cryptocurrency hack. Lichtenstein, who received a five-year sentence, stole over 119,000 Bitcoin, worth $71 million then and now valued at $10.8 billion. Morgan, aware of the funds' illicit origins since 2020, helped conceal them through financial accounts, virtual currency exchanges and mixers like Bitcoin Fog. Prosecutors recommended leniency, citing her clean record and limited personal gain.

Coming up after the break, on today's Threat Vector, David Moulton speaks with Asaf Dahan about the rising cyber threat from North Korea. Stay with us.

And now a word from our sponsor, KnowBe4. It's all connected, and we're not talking conspiracy theories. When it comes to infosec tools, effective integrations can make or break your security stack. The same should be true for security awareness training.
KnowBe4, provider of the world's largest library of security awareness training, provides a way to integrate your existing security stack tools to help you strengthen your organization's security culture. KnowBe4's SecurityCoach uses standard APIs to quickly and easily integrate with your existing security products from vendors like Microsoft, CrowdStrike and Cisco. 35 vendor integrations and counting. SecurityCoach analyzes your security stack alerts to identify events related to any risky security behavior from your users. Use this information to set up real-time coaching campaigns targeting risky users based on those events from your network, endpoint, identity or web security vendors. Then coach your users at the moment the risky behavior occurs, with contextual security tips delivered via Microsoft Teams, Slack or email. Learn more at knowbe4.com/securitycoach. That's knowbe4.com/securitycoach, and we thank KnowBe4 for sponsoring our show.

Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the thing: Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.

On today's segment from the Threat Vector podcast, host David Moulton speaks with Asaf Dahan, director of threat research at Palo Alto Networks' Cortex team. They're discussing the rising cyber threat from North Korea.
