Dave Bittner
You're listening to the Cyberwire Network.
Liz Stokes
Powered by N2K. This episode is brought to you by Dutch Bros. Big smiles, rocking tunes and epic drinks. Dutch Bros. is all about you. Choose from a variety of customizable handcrafted beverages like our Rebel Energy drinks, coffees, teas and more. Download the Dutch Bros app for a free medium drink, plus find your nearest shop, order ahead and start earning rewards. Offer valid for new app users only. Free Medium Drink Reward upon registration. 14-day expiration; terms apply. See Dutchbros.com.
Dave Bittner
Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.

Russian hackers attack Ukraine's registers. NotLockbit is a new ransomware strain targeting macOS and Windows. Sophos discloses three critical vulnerabilities in its firewall product. The BadBox botnet infects over 190,000 Android devices. BeyondTrust patches two critical vulnerabilities. Hackers stole $2.2 billion from cryptocurrency platforms in 2024. Officials dismantle a live sports streaming piracy ring. Rockwell Automation patches critical vulnerabilities in a device used in industrial systems. A new report from Dragos highlights ransomware groups targeting industrial sectors. A Ukrainian national is sentenced to 60 months in prison for distributing the Raccoon Infostealer malware. We bid a fond farewell to our colleague Rick Howard, who's retiring after years of inspiring leadership, wisdom and camaraderie. And the LockBit gang teases what's yet to come.

It's Friday, December 20th, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing.

Happy Friday, and thanks for joining us here today. Ukraine has experienced one of the largest cyber attacks on its state registers, suspected to be carried out by Russian hackers linked to the GRU, such as the Sandworm group.
The attack disrupted access to over 60 state databases containing critical information like biometric data, business records and property ownership. Ukrainian authorities, including the Ministry of Justice, temporarily suspended access while investigating. Pro-Russian group XakNet claimed responsibility, stating it had stolen and deleted data from the registers, including backups. Officials confirmed backups exist and data will be restored, though the process may take weeks. The attack caused nationwide disruptions affecting government services, business operations and e-government apps. Ukraine views this attack as part of Russia's broader cyber warfare, potentially prosecuting it as a war crime.

A new ransomware strain, NotLockbit, poses a significant threat with advanced cross-platform capabilities targeting both macOS and Windows. Written in Go, it employs sophisticated tactics including targeted file encryption, data exfiltration and self-deletion mechanisms to complicate recovery. NotLockbit closely mirrors the behavior and tactics of the infamous LockBit ransomware, leveraging similar encryption techniques and extortion strategies while expanding its capabilities to target both macOS and Windows systems. NotLockbit encrypts sensitive data files using AES and RSA and exfiltrates stolen data to attacker-controlled cloud storage for double-extortion purposes. It deletes original files, renames encrypted ones, and modifies desktop wallpapers to display ransom notes. On macOS, it uses system commands to enhance its attack. The ransomware is highly evasive, leveraging obfuscation to bypass detection. Variants suggest tailored attacks or ongoing development. Organizations should adopt proactive defenses including backups, endpoint protection and user education, as NotLockbit's emergence highlights the escalating sophistication of ransomware threats.
Sophos has disclosed three critical vulnerabilities in its firewall product, allowing potential remote code execution. The first involves a pre-authentication SQL injection in the email protection feature, exploitable under specific conditions. The second relates to reused SSH passphrases during high-availability setup, risking privileged account exposure. The third enables authenticated users to execute arbitrary code via the user portal. Sophos has issued automatic hotfixes and manual updates, urging organizations to apply them promptly and follow mitigation measures to safeguard their networks.

The BadBox botnet has infected over 190,000 Android devices, primarily Yandex 4K QLED smart TVs and Hisense T963 smartphones, according to BitSight. Originating from a supply chain compromise, BadBox malware comes pre-installed on low-cost devices including TVs and smartphones, and enables activities like residential proxying, ad fraud and remote code installation. Daily communication with the botnet involves over 160,000 unique IPs, mostly from Russia, China and Brazil. BitSight urges caution in choosing trusted device manufacturers to mitigate these risks.

BeyondTrust's Privileged Remote Access and Remote Support solutions have two critical vulnerabilities posing significant security risks. The first, with a CVSS score of 9.8, enables unauthenticated command injection, while the second allows privilege escalation for attackers with administrative access. Both have been actively exploited, with one now in CISA's Known Exploited Vulnerabilities catalog. BeyondTrust has released urgent patches and worked with third-party experts to investigate and address the breach. Organizations should remediate immediately to avoid further exploitation.

Hackers stole $2.2 billion from cryptocurrency platforms in 2024, with 61% of the funds attributed to North Korean attackers, according to Chainalysis.
The number of incidents rose from 282 in 2023 to 303 in 2024, a 21% year-on-year increase. Notably, the intensity of attacks dropped after a June summit between Vladimir Putin and Kim Jong Un, reducing North Korean thefts by 54%. However, attacks overall have grown more frequent, with larger exploits above $100 million and smaller hacks around $10,000 increasing. Chainalysis urges rigorous employee vetting, improved key hygiene, and stronger industry-law enforcement collaboration to combat these threats.

The Alliance for Creativity and Entertainment has dismantled one of the largest live sports streaming piracy rings, Marquee Streams, based in Vietnam, with over 821 million visits in 2023. Targeting US and Canadian audiences, the operation streamed sports events from major US leagues and global competitions, affecting ACE members. ACE seized 138 domains associated with the ring, issuing a warning to piracy operators worldwide. The takedown highlights the unique threat piracy poses to live sports broadcasts.

Rockwell Automation has patched critical vulnerabilities in its Allen-Bradley PowerMonitor 1000, a device used for energy control in industrial systems. The flaws allow attackers to take over devices, execute remote code, or launch denial-of-service attacks. Exploitation requires no authentication and could disrupt production by halting power monitoring or compromising networks. A firmware update addresses these issues. Researchers urge immediate updates to protect Internet-exposed devices and prevent industrial system breaches.

Dragos' third-quarter 2024 industrial ransomware analysis identified 23 ransomware groups targeting industrial sectors, including new and rebranded entities like APT73, linked to LockBit remnants. Key attacks include CDK Global paying $25 million to BlackSuit, and Halliburton losing $35 million to RansomHub. Groups increasingly exploit VPN vulnerabilities, bypass MFA, and target virtual environments like VMware ESXi.
The use of initial access brokers in ransomware-as-a-service models has grown, enabling scalable operations. Tactics such as living off the land, advanced persistence, and custom malware highlight evolving threats.

Ukrainian national Mark Sokolovsky was sentenced to 60 months in prison for his role in distributing the Raccoon Infostealer malware. Operating under a malware-as-a-service model, Sokolovsky charged $200 per month in cryptocurrency for access to the malware, enabling threat actors to steal credentials, financial data, and personal information via phishing campaigns. The stolen data fueled financial fraud and was sold on criminal forums. After dismantling Raccoon's infrastructure in 2022, the FBI recovered over 50 million stolen credentials. Sokolovsky will also pay $910,000 in restitution.

Elsewhere, Romanian national Daniel Christian Hulea, age 30, was sentenced to 20 years in prison for his role in NetWalker ransomware attacks targeting health care, education, law enforcement and government sectors. Operating under a ransomware-as-a-service model, Hulea extorted victims during the COVID-19 pandemic, collecting $21.5 million in Bitcoin and using proceeds for luxury investments. U.S. and Romanian authorities collaborated to arrest and extradite Hulea in 2023. This case underscores the DOJ's commitment to combating ransomware, emphasizing the need for strong cybersecurity defenses.

Coming up after the break: a fond farewell to our colleague Rick Howard, and the LockBit gang teases what's yet to come. Stay with us.

And now a word from our sponsor, KnowBe4. It's all connected, and we're not talking conspiracy theories. When it comes to infosec tools, effective integrations can make or break your security stack. The same should be true for security awareness training.
KnowBe4, provider of the world's largest library of security awareness training, provides a way to integrate your existing security stack tools to help you strengthen your organization's security culture. KnowBe4's SecurityCoach uses standard APIs to quickly and easily integrate with your existing security products from vendors like Microsoft, CrowdStrike and Cisco. 35 vendor integrations and counting. SecurityCoach analyzes your security stack alerts to identify events related to any risky security behavior from your users. Use this information to set up real-time coaching campaigns targeting risky users based on those events from your network, endpoint, identity or web security vendors. Then coach your users at the moment the risky behavior occurs, with contextual security tips delivered via Microsoft Teams, Slack or email. Learn more at knowbe4.com/SecurityCoach. That's knowbe4.com/SecurityCoach, and we thank KnowBe4 for sponsoring our show.

The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now employees, apps and networks are everywhere. This means poor visibility, security gaps and added risk. That's why Cloudflare created the first-ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business.

We have a special segment for you today. Break out your Kleenex as we share a fond farewell to N2K's CSO and our CSO Perspectives host, Rick Howard.
Liz Stokes
My name is Liz Stokes, and while I'm not tucked away in the fabled depths of the CyberWire's secret sanctum sanctorum, rumored to be somewhere underwater along the Patapsco River near the Baltimore Harbor, I am here reaching out to you, our listeners, to join us for our heartfelt farewell. Today we say goodbye to a dear friend and one of the true legends here at N2K CyberWire, Rick Howard, who's finally ready to swap out his endless collection of hats for an adventure called retirement. This is our chance to look back and share just how much Rick has meant to all of us over the years. So sit back, relax and join us in celebrating this incredible man and all the laughter, stories and memories he's given us. We'll start off with an introduction.
Rick Howard
My name is Rick Howard, and officially I have three titles: Chief Security Officer, Chief Analyst, and Senior Fellow at the CyberWire. Unofficially, I'm an amateur geek, professional kibitzer, and general-purpose security wonk.
Liz Stokes
Now that we all know who he is, we're here to celebrate a milestone, a bittersweet one at that. Our friend and colleague Rick Howard is hanging up his cybersecurity cape and stepping into a well-deserved retirement. It's hard to imagine the CyberWire without Rick, but if there's one thing we know for sure, it's that his legacy will live on in everything we do. Rick, you've been the heart and soul of this team, guiding us with your wisdom, your wit, and of course your endless Marvel references. We've shared some unforgettable moments and had plenty of laughs along the way. Like you trying to break it down for some of us less techy folks.
Rick Howard
If I were to put all the authentication methods as rest stops on a hundred-mile road between the two great cities of "Oh my God, this is not secure at all" and "Nirvana, we've solved security," the user ID and password pair rest stop would be just a mile out of OMG, just slightly better than having no credentials at all. The email verification rest stop would be about 25 miles out on this journey.
Liz Stokes
Or this one where you so graciously add some sports humor to this teachable moment.
Rick Howard
I'm going to try my hand at a sports metaphor, so bear with me. This past summer, the coach at my local high school football team, the mighty West Springfield Spartans, put a call out to the local fans. He needed volunteers to film his opponents' teams in the upcoming season. I enlisted with a cackle of tech dads to film one of the competitors. By tech dads, I mean we all came from the tech sector and didn't necessarily know anything specific about the sport of football. And yes, I realize that cackle is normally reserved for a group of hyenas, but I thought it was appropriate for this group of wisecracking dads. Anyway, we attended a South County Stallions game and filmed the plays we thought were pertinent. Later, we got a slightly miffed email from the coach wondering where the rest of the film was. It turns out that he wanted both sides of the game filmed, the Stallions' offense and defense, whereas our cackle thought the important stuff was just the Stallions' offense. It might have had something to do with the amount of beer consumed, but I'm going to plead the Fifth on that one. And at this point you should be asking yourself, what exactly does Rick's cackle adventure have to do with XDR? Well, sports and infosec are similar in at least one respect. Collecting all the data available, as opposed to collecting the most obvious data or the easiest, will improve your chances of defeating the adversary.
Liz Stokes
It wasn't just the laughs, though. Rick had a unique way of weaving his love for superheroes and other nerdy classics into anything we were working on, whether it was Iron Man or Benedict Cumberbatch in his favorite movie, The Imitation Game. Rick, you somehow made Marvel relevant to cybersecurity. I mean, who else could do that?
Rick Howard
In the Marvel Studios classic Infinity War, released in 2018, Iron Man, played by Robert Downey Jr., Star-Lord, played by Chris Pratt, and Doctor Strange, played by Benedict Cumberbatch, discuss the plan to defeat Thanos. Dr. Strange uses the Time Stone to move forward in time to view all of the potential outcomes of the upcoming battle. By doing this, he becomes the first superhero to use a Monte Carlo simulation in film. I've been binge-watching Marvel's Agents of S.H.I.E.L.D. over at Disney+ for the last month or so. I have to say, if you're a Marvel fan or a science fiction fan, or even just a super spy fan, this little TV show that ran on ABC from 2013 to 2020 is really quite good. Created by Joss Whedon of Buffy the Vampire Slayer, Firefly and The Avengers fame, the production values are really quite high for a TV show created almost 10 years ago, and it's the perfect mindless entertainment I've been craving during the pandemic. My clip this week comes from the 2014 movie The Imitation Game. Have you seen it, Dave?
Dave Bittner
No, I'm not familiar with that one.
Rick Howard
Oh, this is one of my all-time favorites. It's directed by Morten Tyldum, and he's probably most famous to our audience for the Amazon TV series Tom Clancy's Jack Ryan. The movie stars Benedict Cumberbatch, most famous for the excellent BBC TV series Sherlock and the six-year, six-movie run in the Marvel Cinematic Universe playing Doctor Strange.
Dave Bittner
Yeah, that's probably where I know him best.
Rick Howard
Yeah, that's where he gets his most famedom, I guess, right? But in this scene he's playing one of my all-time computer science heroes, the inspirational Alan Turing.
Liz Stokes
And yeah, of course the list goes on and on and on. But beyond the humor and pop culture, Rick was a constant source of knowledge. Every day with him was a chance to learn something new. Whether it was the latest threat actor or the next big cybersecurity trend, Rick made sure we were always on our toes, always understanding the cybersecurity field in ways that just made sense.
Rick Howard
When we first started doing this podcast back in 2020, the intrusion kill chain prevention strategy was one of the first topics we covered. In 2022, we covered it again. And of course, when we published the first Principles book back in 2023, I dedicated chapter four to the idea. In the book and the podcast, I made the case about why these three research efforts should be considered collectively and not separately. They are three significant elements coming together. One is a strategy document, the Lockheed Martin paper. One is an operational construct for defensive action, the MITRE framework. And one is a methodology for cyber threat intelligence teams, the Diamond Model. You don't choose one model over the other. All of these models work in conjunction with each other. To be clear, though, there wasn't a lot of collaboration between the research groups. The Lockheed Martin people weren't saying, "Hey, we're doing the strategic piece. DoD, you work on the intelligence piece, and MITRE, you build an intelligence wiki." No, different parts of the infosec profession were all thinking along the same lines, working independently and coming to different conclusions.

The difference between coming straight through the firewall and using a VPN can be found at layer three of the TCP/IP stack, the network layer. With a VPN, the client establishes a secure tunnel, an encrypted path at layer three, to the VPN server on the inside of the perimeter. Think of coming straight through the firewall as akin to walking through the front door of your office building. As you badge in with the card reader and work your way through the security checkpoint, everybody can see what you're doing. With a VPN, though, it's like you're in a Star Trek TV show. You walk into a transporter room on the outside of the firewall and pop out on the inside of the firewall, completely bypassing any security.
Liz Stokes
Rick, you're not just an incredible colleague, you're an amazing person. Your passion for cybersecurity is infectious and your commitment to this field has inspired so many. We've been lucky to have you and we know the entire cybersecurity community feels the same way. You will be missed not just for your expertise, but for your kindness, your humor, and the way you make us all feel a part of something bigger.
Rick Howard
One of the things I like about the cybersecurity field is that this profession is more than just a business bringing money in. You actually have a mission that is trying to prevent bad things from happening to good people. That's why I hope people remember that we gave that a shot. I may have been successful, may not have, but we certainly were trying, and I hope people remember that.
Liz Stokes
From everyone here at N2K Networks, we just want to say thank you Rick. Thank you for the laughs, the lessons and the countless memories. Enjoy your retirement. You've earned it. We'll miss you more than words can say, but some of us would at least like to try.
Dave Bittner
I really don't know what to say other than I'm really going to miss my first-day N2K buddy. It's definitely going to be a lot less exciting without Rick Howard's booming voice coming through walls, doors, podcast speakers, everywhere.
Liz Stokes
Well, Rick, you know what they say. Old CSOs, they never die. They only fade away. But you will never fade away. You are always in our hearts. Best of luck. We'll miss you and can't wait to run into you back on the baseball field of Moneyball. This is Alice Carruth wishing Rick Howard
Dave Bittner
a very happy retirement. I'm sure you're gonna find something to keep you occupied with your time.
Liz Stokes
Now you've got a lot of it back.
Dave Bittner
Boy.
Liz Stokes
Rick Howard, I am going to miss you very, very much. I know you'll still be around because I always need book recommendations. And don't worry, you're not gonna be too far. Who am I going to go have lunch and talk all Star Trek things with in the future? I'm gonna miss you so much. And I promise you, I am going to go watch Serenity and Firefly. Just wanted to pop in really quick.
Dave Bittner
And say it's been an honor working with you.
Liz Stokes
One of my favorite, favorite memories of my professional career, honestly, is brainstorming CSO perspectives in its infancy with you and slowly watching you turn that show from just an idea into something truly special. I've absolutely loved working with you.
Dave Bittner
And hey, Rick, this is Peter.
Rick Howard
I just wanted to let you know.
Dave Bittner
I'm incredibly grateful for all the things that you've brought to our little company. It's been a joy working with you. You brought a lot of value to what we do and made this place a happier place to work. Wishing you well on your retirement. Hope you keep in touch. Take care.
Liz Stokes
Hey, Rick, this is Tim. We're going to miss you. Good luck with retirement. Hey, Rick, it's Maria Varmazes here. I wish you all the best in your retirement.
Dave Bittner
Thank you so much for all your
Liz Stokes
years of guidance and your cranky insights on the world of infosec.
Rick Howard
Hey, Rick, it's Ethan.
Liz Stokes
It was a pleasure working with you designing those courses. Have a great retirement.
Rick Howard
Look forward to hearing all about it, man. Wish you the best on your future endeavors, whatever that may be. I know you're going into retirement, so just kick back and enjoy, man.
Dave Bittner
Rick, what can I say that hasn't already been said? You were one of the first people that I interviewed when you were still at Palo Alto Networks and I was just starting my job here at the CyberWire. And how thrilling it's been that you joined our team and we've been able to do so many amazing things together. I'm going to miss you, man. But I wish you the best in all of your future endeavors.
Liz Stokes
Hey, Rick, it's Bennett. I wish I could say that it's been a pleasure and an honor working with you. Oh, wait, I can. It has been, really, truly. It's been an honor working with you and learning from you, and the content that you've created over these years working with us as a team will
Dave Bittner
live on for many years.
Liz Stokes
Hey, Rick, it's Emily. Happy retirement. It's been wonderful working with you for these last two years and getting to see you in your element.
Dave Bittner
Let me know if you ever want to head over to Silverado for lunch.
Liz Stokes
Anytime. But enjoy the retirement and lots of things.
Dave Bittner
This is Brandon Karpf, and Rick, thank you so much for teaching us that the first principle of cybersecurity is
Liz Stokes
we must reduce the probability of material
Rick Howard
impact due to a cyber event in
Dave Bittner
the next two to three years.
Liz Stokes
I am very excited for your retirement.
Dave Bittner
Mostly because I'm just tired of fixing your math mistakes.
Liz Stokes
Thank you, Rick Howard, for everything. You've made an indelible mark on all of us, and we will carry your legacy forward. Wishing you all the best in your next chapter.
Dave Bittner
I want to personally thank Rick for always being so welcoming when I was brand new to the cybersecurity industry. I've learned a lot from Rick and wish him nothing but the best in all of his future endeavors. You're going to be missed, my friend. Best wishes.

And finally, after a rough year of takedowns and turmoil, the LockBit ransomware gang seems to be revving its engines for a big comeback with LockBit 4.0. Announced by the group's spokesperson, LockBitSupp, the new version promises wannabe cybercriminals a "pentester billionaire journey" complete with Lamborghinis and girls. The gang is clearly aiming to recapture its former glory after Operation Cronos in February 2024 dismantled much of their infrastructure and exposed 7,000 decryption keys. LockBit has a notorious past, evolving through various versions since 2019. But even with leaks and arrests, like Israeli developer Rostislav Panev, who allegedly pocketed $230,000, the group remains persistent. While LockBit 4.0 is set to debut in February 2025, researchers are already dissecting samples. Whether this relaunch makes LockBit a cybercriminal kingpin again or just a flash in the pan remains to be seen. Either way, buck.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Well, folks, it's that time of year. The N2K CyberWire team is getting ready to settle down into our long winter's nap. We'll be taking a publishing break starting on Tuesday, December 24 through Wednesday, January 1. Fret not. While we are out, we've got some fun surprises planned for you in your podcast feeds. If you've got some downtime or want to pop those AirPods in and not engage in any more family togetherness, head over to your favorite podcast app and check out our goodies. We'll emerge from our nap on January 2nd. See you there. Be sure to check out this weekend's Research Saturday and my conversation with Adam Khan, VP of Security Operations at Barracuda.
We're discussing their research on the evolving use of QR codes in phishing attacks. That's Research Saturday. Check it out. This episode was produced by Liz Stokes. Our mixer is Trey Hester, with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.
CyberWire Daily Podcast Summary
Episode Title: Ukraine’s Fight to Restore Critical Data
Host: N2K Networks (Dave Bittner)
Release Date: December 20, 2024
In this episode of CyberWire Daily, host Dave Bittner delves into a range of pressing cybersecurity issues, with a primary focus on a significant cyberattack against Ukraine’s state registers. The episode also covers emerging ransomware threats, critical vulnerabilities in major security products, notable cybercrimes, and a heartfelt farewell to a respected colleague, Rick Howard.
Timestamp: [02:30]
One of the episode's central discussions revolves around a massive cyberattack targeting Ukraine's state registers. This assault, attributed to Russian hackers linked to the notorious Sandworm group, disrupted access to over 60 state databases. These databases housed essential information, including biometric data, business records, and property ownership details.
Notable Quote:
“Ukraine views this attack as part of Russia's broader cyber warfare, potentially prosecuting it as a war crime.”
— Dave Bittner [05:15]
Timestamp: [06:10]
The podcast highlights the emergence of a new ransomware strain, NotLockbit, which poses a significant threat due to its advanced cross-platform capabilities targeting both macOS and Windows systems.
Notable Quote:
“NotLockbit's emergence highlights the escalating sophistication of ransomware threats.”
— Dave Bittner [07:45]
Timestamp: [09:00]
Sophos Firewall Vulnerabilities: Sophos disclosed three critical vulnerabilities in its firewall product that could allow remote code execution: a pre-authentication SQL injection in the email protection feature, exploitable under specific conditions; reused SSH passphrases during high-availability setup, risking privileged account exposure; and a flaw that lets authenticated users execute arbitrary code via the user portal.
Recommendation: Sophos has released automatic hotfixes and manual updates. Organizations are urged to apply these patches immediately and follow mitigation measures to secure their networks.
BeyondTrust Vulnerabilities: BeyondTrust’s Privileged Remote Access and Remote Support solutions have two critical vulnerabilities: one with a CVSS score of 9.8 that enables unauthenticated command injection, and a second that allows privilege escalation for attackers who already hold administrative access.
Impact: Both vulnerabilities are actively exploited, with one listed in CISA’s known exploited vulnerabilities catalog. BeyondTrust has issued urgent patches, and organizations must remediate these issues promptly.
Rockwell Automation Vulnerabilities: Rockwell Automation patched vulnerabilities in its Allen-Bradley PowerMonitor 1000 device, which is integral to energy control in industrial systems. These flaws, exploitable without authentication, could allow attackers to take over devices, execute remote code, or launch denial-of-service attacks.
Recommendation: Immediate firmware updates are essential to protect Internet-exposed devices and prevent breaches in industrial systems.
Timestamp: [12:20]
BadBox Botnet Overview: The BadBox botnet has infected over 190,000 Android devices, primarily Yandex 4K QLED smart TVs and Hisense T963 smartphones. Originating from a supply chain compromise, BadBox malware comes pre-installed on low-cost devices, facilitating activities such as residential proxying, ad fraud, and remote code installation.
Geographical Spread: Communication with the botnet involves over 160,000 unique IPs primarily from Russia, China, and Brazil.
Recommendation: Users and organizations should exercise caution when selecting device manufacturers and ensure devices are sourced from trusted brands to mitigate infection risks.
Timestamp: [14:10]
In 2024, hackers have stolen $2.2 billion from cryptocurrency platforms, with 61% of the funds traced back to North Korean attackers. The number of incidents has increased by 21% year-over-year, rising from 282 in 2023 to 303 in 2024.
Notable Quote:
“Chainalysis urges rigorous employee vetting, improved key hygiene, and stronger industry law enforcement collaboration to combat these threats.”
— Dave Bittner [14:45]
Timestamp: [16:00]
Sports Streaming Piracy Ring Dismantled: The Alliance for Creativity and Entertainment (ACE) has successfully dismantled one of the largest live sports streaming piracy rings, Marquee Streams, based in Vietnam. In 2023, Marquee Streams amassed 821 million visits, streaming major US leagues and global competitions, severely impacting ACE members.
Notable Quote:
“The takedown highlights the unique threat piracy poses to live sports broadcasts.”
— Dave Bittner [16:25]
Timestamp: [18:20]
Mark Sokolovsky Sentencing: Ukrainian national Mark Sokolovsky received a 60-month prison sentence for distributing the Raccoon Infostealer malware. Operating under a malware-as-a-service model, Sokolovsky charged $200/month in cryptocurrency, facilitating credential, financial data, and personal information theft via phishing campaigns. His operations resulted in over 50 million stolen credentials being recovered by the FBI in 2022.
Romanian National Sentencing: Romanian national Daniel Christian Hulea, age 30, was sentenced to 20 years in prison for his involvement in NetWalker ransomware attacks targeting sectors like healthcare, education, law enforcement, and government. Operating during the COVID-19 pandemic, Hulea extorted $21.5 million in Bitcoin, using the proceeds for luxury investments. His arrest and extradition in 2023 underscore the DOJ's commitment to combating ransomware threats.
Notable Quote:
“This case underscores the commitment to combating ransomware with the DOJ, emphasizing the need for strong cybersecurity defenses.”
— Dave Bittner [19:10]
Timestamp: [15:43]
A heartfelt segment is dedicated to bidding farewell to Rick Howard, N2K Networks' Chief Security Officer and a respected host of the CSO Perspectives series. Rick is retiring after years of inspiring leadership and camaraderie within the cybersecurity community.
Notable Quotes:
“You somehow made Marvel relevant to cybersecurity. I mean, who else could do that?”
— Liz Stokes [19:44]
“One of the things I like about the cybersecurity field is its mission to prevent bad things from happening to good people.”
— Rick Howard [24:17]
“You've made an indelible mark on all of us and will carry your legacy forward.”
— Liz Stokes [28:23]
Timestamp: [27:05]
Concluding the episode, Dave Bittner discusses the LockBit ransomware gang’s announcement of LockBit 4.0, slated for release in February 2025. Despite significant setbacks from Operation Cronos in February 2024, which dismantled much of their infrastructure and exposed 7,000 decryption keys, LockBit remains persistent.
Notable Quote:
“Whether this relaunch makes LockBit a cybercriminal kingpin again or just a flash in the pan remains to be seen.”
— Dave Bittner [28:12]
The episode wraps up with announcements about upcoming content and a reminder of the publishing schedule. Listeners are encouraged to explore additional resources and research segments available on the CyberWire platform.
Additional Information: For more details on today’s stories, visit thecyberwire.com/daily-briefing. Stay informed with comprehensive cybersecurity news and analysis from industry leaders.
Produced by: Liz Stokes
Mixer: Trey Hester
Music and Sound Design: Elliot Peltzman
Executive Producer: Jennifer Eiben
Executive Editor: Brandon Karpf
President: Simone Petrella
Publisher: Peter Kilpe
Disclaimer: This summary provides an overview of the key points discussed in the CyberWire Daily podcast episode and is intended for informational purposes only.