Transcript
Dave Bittner (0:02)
You're listening to the CyberWire Network.
Liz Stokes (0:04)
Powered by N2K. This episode is brought to you by Dutch Bros. Big smiles, rocking tunes and epic drinks. Dutch Bros is all about you. Choose from a variety of customizable handcrafted beverages like our Rebel energy drinks, coffees, teas and more. Download the Dutch Bros app for a free medium drink, plus find your nearest shop, order ahead and start earning rewards. Offer valid for new app users only. Free medium drink reward upon registration. 14-day expiration; terms apply. See dutchbros.com.
Dave Bittner (0:42)
Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.

Russian hackers attack Ukraine's registers. NotLockBit is a new ransomware strain targeting macOS and Windows. Sophos discloses three critical vulnerabilities in its firewall product. The BadBox botnet infects over 190,000 Android devices. BeyondTrust patches two critical vulnerabilities. Hackers stole $2.2 billion from cryptocurrency platforms in 2024. Officials dismantle a live sports streaming piracy ring. Rockwell Automation patches critical vulnerabilities in a device used in industrial systems. A new report from Dragos highlights ransomware groups targeting industrial sectors. A Ukrainian national is sentenced to 60 months in prison for distributing the Raccoon infostealer malware. We bid a fond farewell to our colleague Rick Howard, who's retiring after years of inspiring leadership, wisdom and camaraderie. And the LockBit gang teases what's yet to come.

It's Friday, December 20th, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing.

Happy Friday, and thanks for joining us here today. Ukraine has experienced one of the largest cyberattacks on its state registers, suspected to be carried out by Russian hackers linked to the GRU, such as the Sandworm group. The attack disrupted access to over 60 state databases containing critical information like biometric data, business records and property ownership. Ukrainian authorities, including the Ministry of Justice, temporarily suspended access while investigating. Pro-Russian group XakNet claimed responsibility, stating it had stolen and deleted data from the registers, including backups. Officials confirmed backups exist and data will be restored, though the process may take weeks. The attack caused nationwide disruptions affecting government services, business operations and e-government apps. Ukraine views this attack as part of Russia's broader cyber warfare, potentially prosecuting it as a war crime.

A new ransomware strain, NotLockBit, poses a significant threat with advanced cross-platform capabilities targeting both macOS and Windows. Written in Go, it employs sophisticated tactics including targeted file encryption, data exfiltration and self-deletion mechanisms to complicate recovery. NotLockBit closely mirrors the behavior and tactics of the infamous LockBit ransomware, leveraging similar encryption techniques and extortion strategies while expanding its capabilities to target both macOS and Windows systems. NotLockBit encrypts sensitive data files using AES and RSA protocols and exfiltrates stolen data to attacker-controlled cloud storage for double extortion purposes. It deletes original files, renames encrypted ones, and modifies desktop wallpapers to display ransom notes on macOS. It uses system commands to enhance its attack. The ransomware is highly evasive, leveraging obfuscation to bypass detection. Variants suggest tailored attacks or ongoing development. Organizations should adopt proactive defenses including backups, endpoint protection and user education, as NotLockBit's emergence highlights the escalating sophistication of ransomware threats.

Sophos has disclosed three critical vulnerabilities in its firewall product, allowing potential remote code execution. The first involves a pre-authentication SQL injection in the email protection feature, exploitable under specific conditions. The second relates to reused SSH passphrases during high availability setup, risking privileged account exposure. The third enables authenticated users to execute arbitrary code via the user portal. Sophos has issued automatic hotfixes and manual updates, urging organizations to apply them promptly and follow mitigation measures to safeguard their networks.

The BadBox botnet has infected over 190,000 Android devices, primarily Yandex 4K QLED smart TVs and Hisense T963 smartphones, according to BitSight. Originating from a supply chain compromise, BadBox malware comes pre-installed on low-cost devices including TVs and smartphones, and enables activities like residential proxying, ad fraud and remote code installation. Daily communication with the botnet involves over 160,000 unique IPs, mostly from Russia, China and Brazil. BitSight urges caution in choosing trusted device manufacturers to mitigate these risks.

BeyondTrust's Privileged Remote Access and Remote Support solutions have two critical vulnerabilities posing significant security risks. The first, with a CVSS score of 9.8, enables unauthenticated command injection, while the second allows privilege escalation for attackers with administrative access. Both have been actively exploited, with one now in CISA's Known Exploited Vulnerabilities catalog. BeyondTrust has released urgent patches and worked with third-party experts to investigate and address the breach. Organizations should remediate immediately to avoid further exploitation.

Hackers stole $2.2 billion from cryptocurrency platforms in 2024, with 61% of the funds attributed to North Korean attackers, according to Chainalysis. The number of incidents rose from 282 in 2023 to 303 in 2024, a 21% year-on-year increase. Notably, the intensity of attacks dropped after a June summit between Vladimir Putin and Kim Jong Un, reducing North Korean thefts by 54%. However, attacks overall have grown more frequent, with larger exploits above $100 million and smaller hacks around $10,000 increasing. Chainalysis urges rigorous employee vetting, improved key hygiene, and stronger industry and law enforcement collaboration to combat these threats.

The Alliance for Creativity and Entertainment has dismantled one of the largest live sports streaming piracy rings, Marquee Streams, based in Vietnam, with over 821 million visits in 2023. Targeting US and Canadian audiences, the operation streamed sports events from major US leagues and global competitions, affecting ACE members. ACE seized 138 domains associated with the ring, issuing a warning to piracy operators worldwide. The takedown highlights the unique threat piracy poses to live sports broadcasts.

Rockwell Automation has patched critical vulnerabilities in its Allen-Bradley PowerMonitor 1000, a device used for energy control in industrial systems. The flaws allow attackers to take over devices, execute remote code, or launch denial of service attacks. Exploitation requires no authentication and could disrupt production by halting power monitoring or compromising networks. A firmware update addresses these issues. Researchers urge immediate updates to protect Internet-exposed devices and prevent industrial system breaches.

Dragos' third quarter 2024 industrial ransomware analysis identified 23 ransomware groups targeting industrial sectors, including new and rebranded entities like APT73, linked to LockBit remnants. Key attacks include CDK Global paying $25 million to BlackSuit, and Halliburton losing $35 million to RansomHub. Groups increasingly exploit VPN vulnerabilities, bypass MFA, and target virtual environments like VMware ESXi. The use of initial access brokers in ransomware-as-a-service models has grown, enabling scalable operations. Tactics such as living off the land, advanced persistence, and custom malware highlight evolving threats.

Ukrainian national Mark Sokolovsky was sentenced to 60 months in prison for his role in distributing the Raccoon Infostealer malware. Operating under a malware-as-a-service model, Sokolovsky charged $200 per month in cryptocurrency for access to the malware, enabling threat actors to steal credentials, financial data, and personal information via phishing campaigns. The stolen data fueled financial fraud and was sold on criminal forums. After dismantling Raccoon's infrastructure in 2022, the FBI recovered over 50 million stolen credentials. Sokolovsky will also pay $910,000 in restitution.

Elsewhere, Romanian national Daniel Christian Hulea, age 30, was sentenced to 20 years in prison for his role in NetWalker ransomware attacks targeting health care, education, law enforcement and government sectors. Operating under a ransomware-as-a-service model, Hulea extorted victims during the COVID-19 pandemic, collecting $21.5 million in Bitcoin and using proceeds for luxury investments. U.S. and Romanian authorities collaborated to arrest and extradite Hulea in 2023. This case underscores the commitment to combating ransomware with the DOJ, emphasizing the need for strong cybersecurity defenses.

Coming up, after a fond farewell to our colleague Rick Howard, the LockBit gang teases what's yet to come. Stay with us.

And now a word from our sponsor, KnowBe4. It's all connected, and we're not talking conspiracy theories. When it comes to infosec tools, effective integrations can make or break your security stack. The same should be true for security awareness training. KnowBe4, provider of the world's largest library of security awareness training, provides a way to integrate your existing security stack tools to help you strengthen your organization's security culture. KnowBe4's SecurityCoach uses standard APIs to quickly and easily integrate with your existing security products from vendors like Microsoft, CrowdStrike and Cisco. 35 vendor integrations and counting. SecurityCoach analyzes your security stack alerts to identify events related to any risky security behavior from your users. Use this information to set up real-time coaching campaigns targeting risky users based on those events from your network, endpoint, identity or web security vendors. Then coach your users at the moment the risky behavior occurs, with contextual security tips delivered via Microsoft Teams, Slack or email. Learn more at knowbe4.com/securitycoach. That's knowbe4.com/securitycoach, and we thank KnowBe4 for sponsoring our show.

The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now employees, apps and networks are everywhere. This means poor visibility, security gaps and added risk. That's why Cloudflare created the first ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business.

We have a special segment for you today. Break out your Kleenex as we share a fond farewell to N2K's CSO and our CSO Perspectives host, Rick Howard.
