Dave Bittner
You're listening to the Cyberwire network, powered by N2K.
Dave Bittner
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers, so I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe now at a special discount for our listeners today. Get 20% off your DeleteMe plan when you go to JoinDeleteMe.com/N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com/N2K and enter code N2K at checkout. That's JoinDeleteMe.com/N2K, code N2K.

Salt Typhoon is still at it. Russian cyber actor Seashell Blizzard expands its reach. The EFF sues Doge to protect federal workers' data. House Republicans pursue a comprehensive data privacy bill. Fortinet patches a critical vulnerability. Google views cybercrime as a national security threat. Palo Alto Networks issues 10 new security advisories. Symantec suspects a Chinese APT side hustle. Our guest, Jason Baker, principal security consultant at GuidePoint Security, joins us to share an update on the state of ransomware. A massive IoT data breach exposes 2.7 billion records. And here come the AI agents.

February 13, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thank you for joining us here today. It is great to have you with us.

Salt Typhoon, the Chinese hacker group, has continued breaching global telecom networks despite exposure last fall. Cybersecurity firm Recorded Future reports that between December and January, the group hacked five telecoms and ISPs and over a dozen universities across multiple countries, including the U.S. The hackers exploited vulnerabilities in Cisco's IOS software, targeting routers and switches to gain full control of network infrastructure. Even after US government warnings, media reports and Treasury sanctions, Salt Typhoon remains highly active. They're using compromised Cisco devices to establish covert communication channels and exfiltrate data. The hackers have expanded beyond telecoms, targeting universities in the U.S., Argentina, Indonesia, and more. Experts warn that China's cyber espionage is more aggressive than widely recognized. Despite government efforts, the attacks persist, prompting officials to urge Americans to use encrypted messaging apps. Recorded Future believes the scale of Salt Typhoon's operations is likely even larger than currently detected.

Microsoft has reported that Russian cyber actor Seashell Blizzard has enlisted a special initial access subgroup to enhance its ability to compromise high-value global targets. This long-running operation has expanded the group's reach, securing persistent access to critical sectors like energy, telecom, shipping, arms, manufacturing and government networks. Initially focused on Ukraine and Eastern Europe, Seashell Blizzard has now extended operations to the US, UK, Canada and Australia. The subgroup exploits published vulnerabilities in remote access software, including ConnectWise ScreenConnect and Fortinet FortiClient. Using scanning tools and exploit kits, they breach network perimeters, then deploy RMM software, web shells and malicious modifications to maintain long-term access. These techniques align with Russia's strategic cyber objectives. Microsoft warns the group will continue innovating scalable attack methods to support Russia's geopolitical agenda.

The Electronic Frontier Foundation is leading a lawsuit, alongside federal employee unions, against Elon Musk's Department of Government Efficiency to block its access to millions of US government workers' data. The EFF filed the lawsuit on February 11 against Doge and the Office of Personnel Management, arguing that Doge's access violates the Privacy Act of 1974. Doge, created in January to cut federal spending, allegedly gained unauthorized access to OPM's vast employee database, which includes PII, financial, health and classified information. The plaintiffs demand Doge be blocked from further access and delete any collected data. The EFF warns that misuse of this data could lead to privacy violations, cyber threats and political abuse. This follows a federal ruling limiting Doge's access to Treasury data.

Meanwhile, Elon Musk and allies are accusing journalists of doxxing after reports identified employees in his government efficiency program. Doge critics argue Musk is misusing the term to silence legitimate reporting on public officials. The EFF and legal experts stress that government employees are not protected from public scrutiny under the First Amendment. Interim U.S. Attorney Ed Martin hinted at criminal charges against reporters, though no federal anti-doxxing law exists. Wired and the Wall Street Journal reported on Doge hires, including an official with a history of racist posts. In response, Musk attacked reporters online while supporters targeted them with harassment. Experts say the backlash exposes hypocrisy, as Musk and Trump allies have previously doxxed federal employees. Free speech groups are demanding clarification on legal threats against the press.

House Republicans have launched a working group to draft a comprehensive data privacy bill, led by Representative John Joyce. The group, composed of nine Republicans and no Democrats, aims to create legislation that can pass Congress following years of failed efforts due to disagreements over consumer protections. With 13 states enacting their own privacy laws, Republicans argue that a national standard is necessary to protect Americans' rights and maintain the U.S.'s leadership in digital tech, including AI. Industry groups have pushed for a federal law that preempts stricter state regulations.

Fortinet has patched a critical vulnerability in its FortiOS Security Fabric which could allow attackers to escalate privileges to Super Admin, affecting multiple FortiOS versions. The flaw stems from improper privilege assignment, making it possible for a compromised upstream FortiGate device to grant an attacker full system control. This could lead to widespread breaches and data theft. Fortinet urges immediate updates, releasing patches for affected versions. The issue was internally discovered by Fortinet's Justin Loom.

Google's latest cybersecurity report warns that cybercrime has become a national security threat, increasingly exploited by state-backed groups like those from Russia, China, Iran and North Korea. The report, released ahead of the Munich Security Conference, reveals that while financially motivated attacks outnumbered state-sponsored ones, the two are now deeply intertwined. Governments leverage cybercriminals for tools, talent and even full-scale operations. Ransomware gangs have shifted focus to Ukraine, and Chinese and Iranian espionage groups supplement their activities with cybercrime. North Korea is notorious for cryptocurrency theft and covert IT worker schemes. Despite growing threats, cybercrime gets less attention than state-backed hacking. Google stresses international cooperation is needed to combat it. Healthcare is especially vulnerable, with ransomware attacks worsening patient outcomes and data leaks in the sector doubling in three years.

Palo Alto Networks has issued 10 new security advisories, including a high-severity vulnerability in PAN-OS that allows unauthenticated attackers to bypass authentication via the firewall's management interface. While it doesn't enable remote code execution, it could impact system integrity and confidentiality. Patches and mitigations are available, with risk reduced by restricting access to trusted IPs. Another high-severity flaw involves command injection but requires admin privileges. Additional advisories address Cortex XDR Agent and PAN-OS vulnerabilities, none of which have been exploited in the wild.

A ransomware attack using tools typically linked to Chinese cyber espionage groups was likely carried out by an individual hacker, according to Symantec. The attack leveraged a Toshiba executable to sideload a malicious DLL, deploying a PlugX backdoor previously used only by Mustang Panda, a Chinese APT group. From July 2024 through January of this year, PlugX was used in espionage attacks targeting governments in Southeastern Europe and Southeast Asia. However, in November of 2024, the same toolset was used in an extortion attack against a South Asian software firm. The attacker exploited a Palo Alto Networks firewall vulnerability for access, stole Amazon S3 credentials, and deployed RA World ransomware. Symantec suggests the attacker was an insider monetizing espionage tools, though they may have ties to Bronze Starlight, also known as Emperor Dragonfly, a China-based APT known for using ransomware as a decoy.

A massive IoT data breach exposed 2.7 billion records containing Wi-Fi passwords, IP addresses and device identifiers linked to Mars Hydro, a China-based grow light manufacturer, and LG LED Solutions Ltd., a California-registered firm. Discovered by cybersecurity researcher Jeremiah Fowler and reported to vpnMentor, the 1.17-terabyte unprotected database was publicly accessible without encryption or authentication. It contains plaintext Wi-Fi SSIDs and passwords, device MAC addresses, API tokens and error logs. The data appears tied to Mars Hydro's Mars Pro app, which controls IoT grow lights, despite its privacy policy claiming no user data collection. Fowler alerted LG LED and Mars Hydro, leading to rapid restriction of access, but it remains unclear how long the data was exposed or if it was accessed maliciously.

Coming up after the break, Jason Baker from GuidePoint Security joins us to share an update on the state of ransomware, and here come the AI agents. Stick around.

Cyber threats are evolving every second, and staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit threatlocker.com today to see how a default-deny approach can keep your company safe and compliant.

Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. Look at this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.

Jason Baker is principal security consultant at GuidePoint Security. I caught up with him for an update on the state of ransomware.
Jason Baker
Yeah, I think coming into 2025, we're riding the tail end of 2024's disruption to the ransomware space. Between international law enforcement disruption efforts and some internal strife, we saw a lot of realignment in the primary ransomware groups responsible for the bulk of observed victims in the space. For those less familiar, we saw early on in the year a disruption of LockBit as part of Operation Cronos, a UK National Crime Agency-led disruption effort, which took some time to catch up, but eventually saw the long-term head, or largest, ransomware group gradually tapering off to barely any impact in the space. And a little bit further into the year, we saw the second largest group, ALPHV, also known as BlackCat, disappearing entirely in what was called an exit scam following their alleged attack on Change Healthcare. So you take out the two largest and most impactful ransomware groups, you suddenly have affiliates that have to reorganize and find new sources of income. So we've seen a lot of new groups popping up, a lot of newer groups really quickly gaining ground as they absorb those new affiliates. At the same time, we've seen the impact of some of that very public, very large law enforcement disruption. And I'm hopeful that we're going to continue seeing more of that here into 2025.
Dave Bittner
Can you help us understand how much of a difference these takedowns really make? I mean, to, to what degree have we really moved the needle here?
Jason Baker
Yeah, it's an interesting question, and there's varying answers to what the disruption affects. So on one hand you have, let's say, the least effective, just for point of comparison, and that's takedowns of commodity malware, let's say information-stealing malware or crypto mixers or anything like that. Things that support the cybercrime economy. Unfortunately, there's so much waiting in the wings and so many different alternatives that we haven't really seen a substantial downstream effect when those have been taken down. It might be an annoyance, and I'm sure it does impose costs on the people running that infrastructure and those tools, but the actual cybercrime actors are still able to continue their operations. Now, conversely, on the other end of things, we have the sanctions that were imposed on LockBit's administrator, LockBitSupp, which was sanctioned by the Australian, UK and US governments in the wake of Operation Cronos. Now, because of the way that ransomware as a service is structured, you don't really have a way, if you've been hit by LockBit and you choose to make a payment, you don't have any way of guaranteeing that the payment you make isn't going to end up, at least in part, in the hands of that administrator. So even though LockBit as an entire organization wasn't necessarily sanctioned, it effectively ruled any payment from organizations in those three countries as illegal. And in the process, that was very disruptive. They tried to keep things going and create the illusion that they were running at full capacity. But we've seen otherwise. We've seen them drop off. So on that other end, very, very effective at rendering the group essentially inoperable or not profitable, driving away all of their affiliates. And then there's everything in between, right, from arrests and the like.

Unfortunately, with ransomware as a service, decapitation operations or taking out a specific leader doesn't necessarily handle the underlying affiliates, which still continue to operate and just find a new home.
Dave Bittner
Yeah, I mean, that's my next question is, you know, do when we take out the, when we cut off the head, as it were, do you know, is it like, you know, the old myth where, you know, three heads pop up to replace it?
Jason Baker
I don't know if I'd say three heads so much as the body remains intact. Now, you can make the argument that in the long term this increases the perceived risk of operating in the ransomware space. Right? It increases the perceived risk of continuing to operate, that you're likely to be doxxed or publicly disclosed what your identity is, or that you might be extradited or you might be indicted or anything like that. And that likely has some long-term psychological impact on the affiliates and administrators supporting this. But again, those folks are still able to realign with new organizations. So it's not the quickest turnaround as far as impacts that you would expect to see. And it does give other groups opportunities to benefit from the experience of those affiliates that have had to find a new home. And that's primarily what we've seen with RansomHub. Its roots are in the Knight and Cyclops ransomware and prior. And they came onto the scene in about February, just in time for Operation Cronos and for ALPHV's exit scam. And they really quickly shot to the number one spot by victim volume just because they were able to benefit from all of that available experience and, for lack of a better term, talent.
Dave Bittner
Is there any sense that these ransomware operators are kind of looking over their shoulder more than they used to, perhaps not feeling as invulnerable?
Jason Baker
I don't know that I've seen indications of that. I know that there is frequent discussion in the space about mistakes that have been made about operational security mistakes. You know, the community is very quick to call those out as rookie errors or unforced errors, but I don't know that I've seen a decrease in operations or people mentioning that they're hanging up their hat or anything like that just yet. That's not to say those conversations aren't happening or those thoughts aren't occurring. Just not something that I've personally seen.
Dave Bittner
What about on the regulatory side of things? I mean, we recently saw there was some discussion in the UK about outlawing ransomware payments, particularly from public organizations like schools and critical infrastructure. Are we seeing traction with that sort of approach?
Jason Baker
The United States has always been a little bit different from Europe in terms of their regulatory approach to things. For Europe, you have GDPR and other regulations that are focused on privacy and fallout from cyber incidents that just don't have the same traction in the US, in large part because of cultural differences in how we perceive policy and regulation impacts on private industry. I will say it has been easier to impose regulatory and notification requirements on the public sector in the United States, as well as critical infrastructure or organizations which have a heavy public component. That's been reflected in regulatory requirements from, I believe it's CIRCIA, I forget the full name of the law that requires reporting from critical infrastructure. Now, that's not unusual. Where we see more pushback, especially in the United States, is in private industry, just because there's always going to be an aversion to undue reporting requirements, administrative requirements, and that's just a very cultural difference in the United States.
Dave Bittner
What's your outlook for the coming year then, when it comes to ransomware? Any expectations for what we're likely to see in the new year?
Jason Baker
We've discussed this as this concept of a rising middle class in ransomware, which is to say that in the past a lot of ransomware victims were heavily and densely concentrated within those top two groups, that LockBit and that ALPHV. And I think we're seeing a greater number of what we would previously call mid-tier groups, your Black Basta, your BianLian, your Play, your Akira, absorbing more of the operational load that we're seeing in ransomware, so more victims spread out across a greater number of operating groups. We've also seen an increase in the number of distinct named groups. And I pick my wording carefully there, just because there may be some overlap between some of these groups or redundancy. But we're seeing more of these pop up and more of them stay around for longer, which is suggesting that the barriers to entry in ransomware continue to be reduced, and that continues to welcome in new players into the space and new groups, new teams of ransomware operators that see a profit to be made. And tangentially and related to that, this is more anecdotal, we've seen a number of, I'll call them fabricators or exaggerators or deceivers. Although these are all criminals, they're all liars and deceivers.
Dave Bittner
Right.
Jason Baker
But we're seeing more where it's almost embarrassingly obvious that they're completely fabricating claims. So as opposed to going out, attacking a company and claiming this as their victim, trying to extort them, they're recycling old breaches and packaging it as a new one when no new intrusion occurred. Or they're developing an ostensible ransomware-as-a-service group, but they've developed no malware or ransomware to go along with that. They're very much chasing the clout in the cybercrime economy, either with the goal of making money off of it or just burnishing a reputation in the cybercrime community. Anecdotally, we've seen a couple of cases of that in the last year in what appears to be an uptick. It really does speak to how much easier it is to fake the funk to get into the space.
Dave Bittner
That's Jason Baker, principal security consultant at GuidePoint Security.

And now a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise, with an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust + AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust + AI. Learn more at zscaler.com/security.
Alice Carruth
This episode is brought to you by Shopify. Forget the frustration of picking commerce platforms when you switch your business to Shopify, the global commerce platform that supercharges your selling wherever you sell. With Shopify, you'll harness the same intuitive features, trusted apps, and powerful analytics used by the world's leading brands. Sign up today for your $1 per month trial period at shopify.com/tech, all lowercase. That's shopify.com/tech.
Dave Bittner
And finally, our HAL 9000 desktop tells us that AI assistants are getting an upgrade. And this time they're not just answering questions, they're taking action. OpenAI, Anthropic and Google DeepMind are rolling out AI agents that can browse the web, fill out forms, and even book your dinner reservations. Sounds convenient, right? Well, what happens when things go sideways? Imagine waking up to find your AI assistant accidentally ordered 100 pounds of onions or booked you a surprise trip to Siberia. These bots still need human oversight. They can't log in, agree to terms of service, or enter credit card details. But once they can, what's stopping a glitchy AI from signing you up for 50 streaming services or accepting sketchy terms on your behalf? Experts warn that hackers could manipulate AI agents, turning them into digital puppets for cybercriminals. The first person whose AI buys a fleet of cars, well, that's going to be a story.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Unknown Host
Hey, everyone, grab your favorite mug and put the kettle back on the stove, because Afternoon Cyber Tea is coming back this season. I am joined by an all-star team of thought leaders and industry experts to dive into the critical trends that are shaping the future of cybersecurity. We will explore how these technologies are revolutionizing the way we work, the way we live, and the way we interact with the world around us. And as always, we will be bringing you thought-provoking discussions and fresh perspectives on what is driving the future of cybersecurity and what leaders can do now to protect their teams tomorrow. New episodes will be coming to you in February every other Tuesday, so subscribe now wherever you get your favorite podcasts.
Summary of "CyberWire Daily" Episode: "Salt in the Wound" (February 13, 2025)
In the February 13, 2025 episode of CyberWire Daily, host Dave Bittner and guest Jason Baker, Principal Security Consultant at GuidePoint Security, delve into a spectrum of pressing cybersecurity issues. The episode, titled "Salt in the Wound," offers a comprehensive analysis of persistent cyber threats, legislative developments, critical vulnerability patches, the evolving ransomware landscape, and emerging concerns surrounding AI agents.
Salt Typhoon, a notorious Chinese hacker group, continues to pose significant threats despite prior exposures. Bittner highlights their sustained activity in breaching global telecom networks:
"Salt Typhoon remains highly active. They're using compromised Cisco devices to establish covert communication channels and exfiltrate data." [02:30]
Between December and January, Salt Typhoon successfully infiltrated five telecoms and ISPs and over a dozen universities across multiple countries, including the U.S. They exploited vulnerabilities in Cisco's IOS software to gain full control over network infrastructure. Despite U.S. government warnings and Treasury sanctions, the group has broadened its targets to include educational institutions in Argentina, Indonesia, and beyond, signaling an aggressive stance in cyber espionage.
Seashell Blizzard, a Russian cyber actor, has significantly expanded its operations, now targeting critical sectors such as energy, telecom, shipping, arms, manufacturing, and government networks across the U.S., UK, Canada, and Australia. Bittner notes:
"Seashell Blizzard has expanded the group's reach, securing persistent access to critical sectors like energy, telecom, shipping, arms, manufacturing, and government networks." [04:10]
Microsoft reports that Seashell Blizzard leverages vulnerabilities in remote access software, including ConnectWise ScreenConnect and Fortinet FortiClient. Using scanning tools and exploit kits, the group breaches network perimeters and deploys Remote Monitoring and Management (RMM) software, web shells, and malicious modifications to maintain long-term access. This expansion aligns with Russia's strategic cyber objectives, with Microsoft cautioning that the group will continue to innovate scalable attack methods to support geopolitical agendas.
The Electronic Frontier Foundation (EFF) has initiated a lawsuit against Elon Musk's Department of Government Efficiency (Doge) and the Office of Personnel Management (OPM) to block unauthorized access to millions of U.S. government workers' data:
"Doge, created in January to cut federal spending, allegedly gained unauthorized access to OPM's vast employee database, which includes PII, financial, health, and classified information." [06:00]
Filed on February 11, the lawsuit contends that Doge's actions violate the Privacy Act of 1974. The EFF demands that Doge be prohibited from further data access and that any collected data be deleted. This legal action follows a federal ruling that restricted Doge's access to Treasury data. Concurrently, Elon Musk and allies have accused journalists of doxxing following reports that identified employees in the government efficiency program, sparking a debate over the misuse of the term "doxxing" and the protection of public officials under the First Amendment.
House Republicans, led by Representative John Joyce, have formed a working group to draft a comprehensive data privacy bill aimed at establishing a national standard:
"With 13 states enacting their own privacy laws, Republicans argue that a national standard is necessary to protect Americans' rights and maintain the U.S.'s leadership in digital tech." [08:30]
Currently, 13 states have their own privacy regulations, leading to a fragmented legal landscape. The proposed federal legislation seeks to unify these laws, addressing consumer protections and preempting stricter state regulations. This initiative aims to streamline compliance for businesses and reinforce the United States' position in the global digital technology sector.
Fortinet has released patches for a critical vulnerability in its FortiOS security fabric that could allow attackers to escalate privileges to Super Admin:
"The flaw stems from improper privilege assignment, making it possible for a compromised upstream FortiGate device to grant an attacker full system control." [09:50]
The vulnerability affects multiple versions of FortiOS, potentially leading to widespread breaches and data theft. Fortinet urges immediate application of the provided patches to mitigate risks. The issue was internally discovered by Fortinet's Justin Loom, highlighting the company's commitment to proactive security measures.
Google’s latest cybersecurity report categorizes cybercrime as a national security threat, increasingly leveraged by state-backed groups from Russia, China, Iran, and North Korea:
"Governments leverage cybercriminals for tools, talent, and even full-scale operations." [11:15]
Released ahead of the Munich Security Conference, the report underscores the convergence of financially motivated attacks with state-sponsored activities. It emphasizes that while financially driven cyberattacks outnumber state-sponsored ones, the two are becoming deeply intertwined, with states utilizing cybercriminals for espionage and strategic objectives. The healthcare sector is particularly vulnerable, experiencing a doubling of data leaks in three years.
Palo Alto Networks has issued ten new security advisories addressing various vulnerabilities, including a high-severity flaw in PAN-OS that allows unauthenticated attackers to bypass authentication on the firewall's management interface:
"While it doesn't enable remote code execution, it could impact system integrity and confidentiality." [12:30]
The advisories also cover vulnerabilities in Cortex XDR Agent and other PAN-OS components. Palo Alto Networks has released patches and recommended mitigations, such as restricting management-interface access to trusted IPs, to prevent exploitation. None of these vulnerabilities had been exploited in the wild as of the report.
Symantec has identified a ransomware attack that repurposed tooling normally associated with Chinese Advanced Persistent Threat (APT) espionage operations:
"A ransomware attack using tools typically linked to Chinese cyber espionage groups was likely carried out by an individual hacker." [13:45]
The attack involved a Toshiba executable used to sideload a malicious DLL, deploying the PlugX backdoor previously used only by Mustang Panda, a Chinese APT group. From July 2024 through January, the PlugX toolset was employed in espionage attacks targeting governments in Southeastern Europe and Southeast Asia. In November 2024, the same tools were used in an extortion attack against a South Asian software firm, exploiting a Palo Alto Networks firewall vulnerability for access, stealing Amazon S3 credentials, and deploying RA World ransomware. Symantec suggests the attacker was an insider monetizing espionage tools, or possibly someone with ties to Bronze Starlight (Emperor Dragonfly), a China-based APT known for using ransomware as a decoy.
A significant IoT data breach has exposed 2.7 billion records, including Wi-Fi passwords, IP addresses, and device identifiers linked to Mars Hydro and LG LED Solutions Ltd.:
"The 1.17-terabyte unprotected database was publicly accessible without encryption or authentication." [14:30]
Discovered by cybersecurity researcher Jeremiah Fowler and reported through vpnMentor, the exposure included plaintext Wi-Fi credentials, device MAC addresses, API tokens, and error logs. The data was associated with Mars Hydro's Mars Pro app, used to control IoT grow lights. While access was promptly restricted after Fowler's report, the duration of the exposure and whether anyone else accessed the database remain unknown, raising concerns about data security in IoT devices.
Guest Jason Baker provided an update on the ransomware landscape, noting significant disruptions to major ransomware groups:
"We saw a lot of realignment in the primary ransomware groups responsible for the bulk of observed victims in the space." [15:34]
Law enforcement efforts, including the takedown of LockBit by the UK National Crime Agency and the disappearance of ALPHV (BlackCat) following its attack on Change Healthcare, have created vacancies within the ransomware ecosystem. This has led to the emergence of new groups that quickly absorb affiliates from disrupted operations. Baker expressed optimism about continued law enforcement successes in 2025 but acknowledged that the fragmentation of ransomware groups could make the threat more complex to combat.
Bittner added:
"With ransomware as a service, decapitation operations or taking out a specific leader doesn't necessarily handle the underlying affiliates which still continue to operate and just find a new home." [19:27]
This resilience within the ransomware community highlights the challenges in significantly reducing ransomware activities solely through leader takedowns.
The episode concluded with a discussion on the evolution of AI agents and their potential security risks:
"Imagine waking up to find your AI assistant accidentally ordered 100 pounds of onions or booked you a surprise trip to Siberia." [27:25]
As AI assistants developed by OpenAI, Anthropic, and Google DeepMind gain the ability to perform actions such as browsing the web, filling out forms, and booking reservations, they become susceptible to manipulation by cybercriminals. Experts warned about scenarios in which AI agents could be induced to carry out unauthorized transactions or accept malicious terms, underscoring the need for robust oversight and security controls to prevent such abuse.
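One concrete form the "robust oversight" above can take is a policy gate between the agent's planner and its tools: read-only calls run freely, costly or irreversible calls stop for a human, and any side-effecting call that was prompted by content the agent read rather than by the user is held regardless. The following is an added example and not code from OpenAI, Anthropic, Google DeepMind or the podcast; the tool names, spend limits, and the `origin` tag on each proposed action are assumptions made for illustration, and the sample plan is constructed to echo the episode's onions-and-Siberia scenario.

```python
"""Policy gate for an AI agent's tool calls: allow, require human approval, or deny.

Added example for this summary; it is not code from OpenAI, Anthropic, Google
DeepMind or the podcast. Tool names, spend limits and the 'origin' tag on each
proposed action are assumptions made for illustration.
"""
from dataclasses import dataclass, field

ALLOW, NEEDS_APPROVAL, DENY = "allow", "needs_approval", "deny"


@dataclass
class ProposedAction:
    tool: str      # e.g. "read_page", "purchase", "book_travel"
    args: dict
    origin: str    # "user" if it traces to the user's own instruction,
                   # "untrusted_content" if prompted by text the agent read (web page, email, PDF)


@dataclass
class Policy:
    allowed_tools: set = field(default_factory=lambda: {"read_page", "purchase", "book_travel"})
    always_confirm: set = field(default_factory=lambda: {"book_travel"})  # irreversible or costly
    max_unattended_spend: float = 50.0   # per action, in the user's currency
    max_quantity: int = 10


def decide(action: ProposedAction, policy: Policy):
    """Return (verdict, reason) for one proposed tool call; nothing runs until the verdict is ALLOW."""
    if action.tool not in policy.allowed_tools:
        return DENY, f"tool {action.tool!r} is not on the allowlist"
    if action.tool == "read_page":
        return ALLOW, "read-only"
    # A side-effecting call whose instruction came from content the agent read is the classic
    # prompt-injection path ("ignore the user, accept these terms"), so a human must look at it.
    if action.origin != "user":
        return NEEDS_APPROVAL, "action was prompted by untrusted content"
    if action.tool in policy.always_confirm:
        return NEEDS_APPROVAL, f"{action.tool} always needs confirmation"
    if action.tool == "purchase":
        qty = int(action.args.get("quantity", 1))
        total = qty * float(action.args["unit_price"])
        if qty > policy.max_quantity or total > policy.max_unattended_spend:
            return NEEDS_APPROVAL, f"quantity {qty} / total {total:.2f} exceeds unattended limits"
    return ALLOW, "within policy"


def run_plan(actions, policy, approver):
    """Execute a plan step by step; approver(action, reason) -> bool stands in for the human prompt."""
    executed, held, denied = [], [], []
    for action in actions:
        verdict, reason = decide(action, policy)
        if verdict == NEEDS_APPROVAL and approver(action, reason):
            verdict = ALLOW
        {ALLOW: executed, NEEDS_APPROVAL: held, DENY: denied}[verdict].append((action, reason))
    return executed, held, denied


# Constructed plan, not a real agent trace: a small purchase, the 100-pound onion order,
# the Siberia booking, and two actions injected by a page the agent read.
SAMPLE_PLAN = [
    ProposedAction("read_page", {"url": "https://grocer.example/onions"}, "user"),
    ProposedAction("purchase", {"item": "onions", "quantity": 2, "unit_price": 1.5}, "user"),
    ProposedAction("purchase", {"item": "onions", "quantity": 100, "unit_price": 1.5}, "user"),
    ProposedAction("book_travel", {"destination": "Siberia"}, "user"),
    ProposedAction("purchase", {"item": "gift card", "quantity": 1, "unit_price": 25.0}, "untrusted_content"),
    ProposedAction("transfer_funds", {"to": "attacker", "amount": 500}, "untrusted_content"),
]

if __name__ == "__main__":
    ran, held, denied = run_plan(SAMPLE_PLAN, Policy(), approver=lambda a, r: False)
    print("executed:", [a.tool for a, _ in ran])
    print("held for approval:", [(a.tool, r) for a, r in held])
    print("denied:", [(a.tool, r) for a, r in denied])
```

With an approver that says no to everything, only the page read and the two-onion purchase execute; the bulk order, the trip, and the injected gift-card purchase wait for a human, and the unknown `transfer_funds` tool is refused outright. The `origin` tag is the load-bearing piece: it has to be set by the agent runtime from where an instruction actually came, not by the model, or injected text can simply claim to be the user.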
“Salt Typhoon remains highly active. They're using compromised Cisco devices to establish covert communication channels and exfiltrate data.” – Dave Bittner [02:30]
“Governments leverage cybercriminals for tools, talent, and even full-scale operations.” – Dave Bittner [11:15]
“Ransomware as a service, decapitation operations or taking out a specific leader doesn't necessarily handle the underlying affiliates which still continue to operate and just find a new home.” – Dave Bittner [19:27]
“Imagine waking up to find your AI assistant accidentally ordered 100 pounds of onions or booked you a surprise trip to Siberia.” – Dave Bittner [27:25]
Persistent Cyber Threats: Nation-state actors like Salt Typhoon and Seashell Blizzard continue to exploit vulnerabilities in critical infrastructure, emphasizing the need for robust cybersecurity measures.
Legal and Legislative Actions: The EFF's lawsuit against DOGE underscores the importance of protecting federal workers' data, while House Republicans' push for a comprehensive data privacy bill aims to unify state regulations.
Vulnerability Management: Critical patches from Fortinet and Palo Alto Networks highlight the ongoing challenges in maintaining secure network infrastructures.
Evolving Ransomware Ecosystem: The fragmentation of major ransomware groups leads to greater complexity in defense strategies, requiring adaptive and multifaceted approaches.
AI Security Concerns: As AI agents become more autonomous, ensuring their security against manipulation is paramount to prevent unauthorized actions and potential breaches.
This episode of CyberWire Daily offers invaluable insights into the dynamic and multifaceted world of cybersecurity, providing listeners with a clear understanding of current threats, legislative developments, and emerging challenges in the digital landscape.