CyberWire Daily

Playing doctor with cyberattacks.

Duration:
28m
Broadcast on:
25 Jul 2024
Audio Format:
mp3

A North Korean hacking group targets healthcare, energy and finance. Leaked Leidos documents surface on the dark web. A Middle Eastern financial institution suffered a record-breaking DDoS attack. The latest tally on the fallout from the CrowdStrike outage. A cybersecurity audit of HHS reveals significant cloud security gaps. Docker patches a critical vulnerability for the second time. Google announced enhanced protections for Chrome users. In our latest Threat Vector segment, David Moulton speaks with Sama Manchanda, a Consultant at Unit 42, to explore the evolving landscape of social engineering attacks. If you’re heading to Paris for the Summer Olympics, smile for the AI cameras.

Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.


CyberWire Guest

In this segment of Threat Vector, David Moulton, Director of Thought Leadership at Unit 42, engages with Sama Manchanda, a Consultant at Unit 42, to explore the evolving landscape of social engineering attacks, particularly focusing on vishing and smishing. 

As election season heats up, these threats are becoming more sophisticated, exploiting our reliance on mobile devices and psychological tactics. Sama provides expert insights into the latest trends, the psychological manipulations used in these attacks, and the specific challenges they pose to individuals and the democratic process. You can listen to Threat Vector every Thursday starting next week on the N2K CyberWire network. Check out the full episode with David and Sama here.


Selected Reading

Mandiant: North Korean Hackers Targeting Healthcare, Energy (BankInfo Security)

Data pilfered from Pentagon IT supplier Leidos (The Register)

DDoS Attack Lasted for 6 Days, Record created for the duration of the Cyberattack (Cyber Security News)

Threat Actor Distributes Python-Based Information Stealer Using a Fake Falcon Sensor Update Lure (CrowdStrike)

Fortune 500 stands to lose $5bn plus from CrowdStrike incident (Computer Weekly)

HHS audit finds serious gaps in cloud security at agency office (SC Media)

Docker re-fixes a critical authorization bypass vulnerability (CSO Online)

Google Boosts Chrome Protections Against Malicious Files (SecurityWeek)

At The 2024 Summer Olympics, AI Is Watching You (WIRED) 


Share your feedback.

We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. 


Want to hear your company in the show?

You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Learn more about your ad choices. Visit megaphone.fm/adchoices

You're listening to the CyberWire Network, powered by N2K.

What's 2FA security on Kraken? Let's say I'm captaining my soccer team, and we're up by a goal against, I don't know, so does Springs FC. Do we relax? No way. Time to create an extra line of defense and protect that lead. That's like 2FA on Kraken, a surefire way to keep what you already have safe and sound. Go to kraken.com and see what crypto can be. Not investment advice. Crypto trading involves risk of loss. Cryptocurrency services are provided to U.S. and U.S. territory customers by Payward Interactive Inc. (PWI), DBA Kraken. View PWI's disclosures at kraken.com/legal/disclosures.

When it comes to ensuring your company has top-notch security practices, things can get complicated fast. Vanta automates compliance for SOC 2, ISO 27001, HIPAA, and more, saving you time and money. With Vanta, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center. Over 7,000 global companies like Atlassian, Flo Health, and Quora use Vanta to manage risk and prove security in real time. Our listeners can claim a special offer of $1,000 off Vanta at vanta.com/cyber. That's V-A-N-T-A.com/cyber for $1,000 off Vanta.

A North Korean hacking group targets healthcare, energy, and finance. Leaked Leidos documents surface on the dark web. A Middle Eastern financial institution suffered a record-breaking DDoS attack. The latest tally on the fallout from the CrowdStrike outage. A cybersecurity audit of HHS reveals significant cloud security gaps. Docker patches a critical vulnerability for the second time. Google announced enhanced protections for Chrome users. In our latest Threat Vector segment, David Moulton speaks with Sama Manchanda, a consultant at Unit 42, to explore the evolving landscape of social engineering attacks. And if you're heading to Paris for the Summer Olympics, smile for the AI cameras.

This Thursday, July 25, 2024, I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today. It is great to have you with us.

A report from Mandiant reveals that the North Korean hacking group Andariel, previously known for attacks on government and critical infrastructure, is now targeting the healthcare, energy, and financial sectors. This group, linked to the DPRK's Reconnaissance General Bureau, has been sanctioned by the U.S. Treasury. Known for sophisticated cyber operations, Andariel employs advanced tools to evade detection and maximize impact. Mandiant, part of Google, tracks Andariel's espionage efforts, including targeting nuclear facilities and defense systems. Now designated as APT45, Andariel has expanded to financially motivated operations, including ransomware. Since at least 2009, Andariel has operated under various code names and is linked to the infamous Lazarus Group. North Korea uses these cyber attacks to fund weapons development and boost its economy. The group's activities have broadened since a suspected COVID-19 outbreak in North Korea, now encompassing the healthcare sector. Mandiant warns that Andariel can swiftly shift its focus to new targets.

After a recent security breach, internal documents from Leidos Holdings, an IT services provider for the Department of Defense and other U.S. agencies, have surfaced on the dark web. The breach traces back to a 2022 cyber attack on Diligent Corporation, a governance software provider used by Leidos. Despite the attack occurring two years ago, Leidos only became aware of the circulating documents recently. Following this revelation, Leidos issued all necessary breach notifications. Most of the leaked information pertains to internal corporate matters, such as employee reviews and complaints, rather than any militarily sensitive data. This incident has drawn attention to Leidos, one of the defense industry's largest IT service providers, after its merger with Lockheed Martin's Information Systems and Global Solutions back in 2016. Headquartered in Reston, Virginia, Leidos employs about 47,000 people and reported $15.4 billion in revenue in 2023.

A Middle Eastern financial institution suffered a record-breaking six-day DDoS attack by the hacktivist group SN_BlackMeta. This prolonged assault, consisting of 10 waves and totaling 100 hours of attack time, demonstrates the growing sophistication of DDoS. The attack peaked at 14.7 million malicious requests per second, significantly disrupting the institution's web services. Radware's web DDoS protection services helped mitigate the impact, blocking over 1.25 trillion malicious requests. SN_BlackMeta, known for ideologically driven attacks, announced the assault on Telegram. Their tactics include targeting critical infrastructure and leveraging public support through transparency.

CrowdStrike warns organizations about a fake recovery manual for Windows devices impacted by a Falcon platform update outage, which spreads Daolpu information-stealing malware. Attackers used phishing emails with a malicious Word attachment mimicking Microsoft's support bulletin. When enabled, the attachment's macros download a DLL file, decoded by Windows CertUtil, allowing Daolpu to infiltrate browser-stored credentials and cookies. CrowdStrike provided a YARA rule and indicators of compromise. BleepingComputer suggests Daolpu may originate from Vietnam.

According to cloud monitoring, modeling, and insurance services provider Parametrix, the July 19 Microsoft CrowdStrike outage resulted in a direct financial loss of approximately $5.4 billion for Fortune 500 companies, with an average loss of $44 million per organization, rising to $150 million for the most affected, such as airlines. Parametrix reported that only 10 to 20 percent of these losses are covered by cyber insurance. The healthcare sector faced the largest loss at $1.94 billion, followed by banking at $1.15 billion. The incident impacted a quarter of Fortune 500 companies, including all six major airlines and 43 percent of retailers. Observers say this highlights the need for better risk diversification and management in the face of systemic cyber events.

A cybersecurity audit of the Department of Health and Human Services Office of the Secretary revealed significant cloud security gaps, exposing sensitive data to potential cyber attacks. Conducted in mid-2022 by the HHS Office of the Inspector General and Breakpoint Labs, the audit included penetration testing and phishing simulations. It found that over 30 percent of HHS systems were cloud-based, with vulnerabilities like lack of multi-factor authentication and poor access controls. Twelve specific security gaps were identified, with the most critical involving network access. Despite some positive outcomes from phishing simulations, the audit highlighted severe risks to HHS's cloud systems, emphasizing the need for improved security measures. This report, publicly released this week, comes amid increasing cyber threats to healthcare and government systems, prompting initiatives to bolster defenses.

As a side note, it's puzzling that the audit report on HHS's cloud security, conducted in mid-2022, has taken two years to be released. In the rapidly evolving field of cybersecurity, such a delay undermines the relevance of the findings and recommendations. Cyber threats and vulnerabilities can change drastically in just months, making it critical for audit results to be timely to ensure effective remediation and adaptation to current risks.

Docker has urged users to patch a critical vulnerability affecting certain Docker Engine versions, allowing privilege escalation via specially crafted API requests. Discovered in 2018 and initially fixed in Docker Engine version 18.09.1, the patch was not included in later versions, leading to a regression. This flaw allows attackers to bypass authorization plugins and execute unauthorized commands. Although the exploitability is low, Docker recommends updating to the latest version or restricting API access if updating isn't possible.

Google has announced enhanced protections for Chrome users against malicious file downloads. Since last year, Chrome has provided AI-powered warnings for potentially harmful files, featuring distinct icons, colors, and text to help users make informed decisions. These warnings have reduced the number of bypassed alerts and increased user compliance. Google now performs automatic deep scans on suspicious files for users in Enhanced Protection mode, which has proven effective in detecting new malware. For password-protected encrypted archives, Enhanced Protection users are prompted to send the file and password to Safe Browsing, while Standard Protection users receive a password prompt and metadata check. All uploaded data is deleted shortly after scanning to ensure privacy.

Coming up after the break on the Threat Vector segment, David Moulton speaks with Sama Manchanda, consultant at Unit 42, to explore the evolving landscape of social engineering attacks. Stay with us.

And now, a word from our sponsor, KnowBe4. Where would InfoSec professionals be without users making security mistakes? Working less than 60 hours per week, maybe, actually having a weekend every so often. While user behavior can be a challenge, they can also be an InfoSec professional's greatest asset once properly equipped. Users want to do the right thing, but often lack the knowledge to do so. That's one of the reasons KnowBe4 developed Security Coach, a real-time security coaching tool that takes alerts from your existing security stack and sends immediate coaching to users who've taken risky actions. Existing security tools will likely block a user from visiting a high-risk website, for example, but the user might not understand why. Security Coach analyzes these alerts and provides users with relevant security tips via email or Slack, coaching them on why the action they just took was risky. Users learn from their mistakes and strengthen your organization's security culture with Security Coach. Learn more at knowbe4.com/securitycoach. That's knowbe4.com/securitycoach. And we thank KnowBe4 for sponsoring our show.

The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now employees, apps, and networks are everywhere. This means poor visibility, security gaps, and added risk. That's why Cloudflare created the first-ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business.

[music]

David Moulton is host of the Threat Vector podcast right here on the N2K CyberWire network. In this segment from their most recent episode, David speaks with Sama Manchanda, a consultant at Unit 42. They explore the evolving landscape of social engineering attacks.

There are three main parts to a phishing attack. There's the bait, the hook, and the catch. The bait being the preparation, the juicy bait that someone falls for. With the hook, the attacker has got the information that they need to get the attention of the user and then get them to do something, and this is the catch part, whether it's performing an action, clicking the link, something like that. Once the user has actually clicked and fallen for the hook, that's when the actual attack happens. The bait, the hook, the catch.

Welcome to Threat Vector, the Palo Alto Networks podcast where we discuss pressing cybersecurity threats, cyber resilience, and uncover insights into the latest industry trends. I'm your host, David Moulton, Director of Thought Leadership for Unit 42. In today's episode, we'll discuss the evolving landscape of social engineering attacks, particularly focusing on vishing and smishing. As we approach the election season, the relevance of these threats has never been higher. We'll discuss how these techniques have adapted and grown more sophisticated over time, the psychological tactics behind them, and the specific challenges they pose to both individuals and the integrity of the democratic process. Joining us once again is Sama Manchanda, a seasoned expert in cybersecurity from Unit 42. Sama will shed light on the latest trends and provide insights into how to protect yourself and your organization from these insidious threats. Here's our conversation.

Sama Manchanda, welcome back to Threat Vector. It's been a while since you've joined us on the pod, and we're back today to talk about vishing, smishing, kind of an update to our original smish tales, especially as we're looking at the election season coming up.

Glad to be back, and thank you for having me back. Always excited to talk about social engineering, the phishing, vishing, smishing.

We're talking about elections and phishing and some of the dangers that are lurking on your phone. Maybe we start out with this idea of what is smishing and how does it differ from maybe traditional phishing or even vishing?

Yeah, so smishing in general is the SMS form or message form of phishing. We've talked about phishing before. Phishing really is a social engineering scam where an attacker usually convinces or deceives people into revealing some sensitive information or doing something that they weren't intending to do. Some can be installing malware. It could be getting them to enter credentials, all that kind of good stuff. But very similar to phishing, again, is smishing, where usually phishing we see on an email platform of some kind. Smishing is pretty similar, usually just comes in the form of a text message instead.

How do psychological tactics play into manipulating a recipient for a phishing attack?

That's one of the main reasons it's so successful, is, again, it preys upon the weaknesses of people. Most in general, there's a lot of common tactics that we see across the board. Things like scare tactics or creating a sense of urgency, honing in on a user's fear of something happening that isn't supposed to happen, like, "Oh, this is super urgent. Somebody needs something, and I don't want to get in trouble because of this." It could also be, again, just playing into someone not noticing something off or different because maybe they're in a rush. That's one of those things where smishing, I think, is particularly successful, where it's, again, you're on your phone, and like we mentioned earlier, it's a lot harder sometimes when you're on a phone to be thinking about, "Oh, maybe I should hover over this link," and really think about where it's going. On an email, it's much easier to do that. You're just like, "Oh, I'm in the middle of doing something," and this came up and I just was distracted. And I think, again, attackers, they're really good at their job also at the end of the day. This is what they're specialized in. So they've got a good handle on using people's weaknesses against them, and that's the entire premise of social engineering, is finding different things that people will fall for, and what ultimately is successful enough for them to get their foot in the door.

How do attackers leverage current events and misinformation to enhance the effectiveness of their attacks?

I think that's, again, that's one of the ways that they stay relevant. They use information that's going on to help them build credibility and come across as a legitimate source rather than just, again, trying to go straight for the information. Part of their bait is saying, like, for example, there's a hurricane that's coming in, right? And they can use that as like, "Oh, okay," like, whether as an attacker, they're spreading misinformation or they're trying to get the user to do something, like donate money or put their money somewhere type of thing. Using something that's like a current event, again, that just lowers people's guard. People are used to that. People are used to elected officials, people who are campaigning, using events like this to further their own goal. That is spreading information of some kind or influencing the voter in some way about maybe a person, a candidate, or about the process in general. Or also, it could also be, again, masquerading to get a donation. This is, again, a very popular time for campaigns to be soliciting donations and reaching out to all, you know, people from everywhere. So they're just not as maybe aware that, again, attackers are also doing the same thing, and they're just hoping that a person doesn't notice, essentially, that they're maybe putting their money somewhere where they're not supposed to be or they're sharing information with a source that they shouldn't be.

So looking ahead, what predictions do you have, or do you have any emerging trends that you foresee in the evolution of cyber threats targeting elections?

I think, you know, we're seeing this become more and more common. This is becoming a big topic every single election season, both in our general elections, our midterm elections, local elections, everything. And the fact that, you know, this is becoming more and more common and more and more prevalent, I don't think it's going to stop anytime soon. This is where we see things happening here in the US. We tend to see the same patterns in other countries as well. It's especially important to educate people that, again, to just be aware, knowing that these threats are out there, knowing that maybe everything that you see on the internet isn't always true and not taking everything at face value. I think those are lessons that go a long way. Being a little bit skeptical, maybe, but not too skeptical, is usually a good practice.

Sama, what's the most important lesson a listener should take away from our conversation today?

My big takeaway is, if you're not sure, don't click it.

Sama, thanks for coming back on Threat Vector today. As always, it's a pleasure to talk to you. Hopefully the tennis game continues to be fun over the summer, and I know our listeners are like me, really interested in this topic, and I'm grateful that an expert like you would share your insights and opinions on this super important topic.

Thank you so much for having me. It's always a pleasure chatting with you.

That's it for Threat Vector today. Thank you for joining, and stay tuned for more episodes. If you like what you heard, please subscribe wherever you listen to your podcasts, and leave us a review on Apple Podcasts or Spotify. Your reviews and feedback really do help us understand what you want to hear about. I want to thank our executive producer, Michael Heller. I edit the show, and Elliott Peltzman mixes the audio. We'll be back in two weeks. Until then, stay secure, stay vigilant. Goodbye for now.

Be sure to check out the Threat Vector podcast wherever you get your favorite podcasts.

And now a message from BlackCloak. What's the easiest way for threat actors to bypass your company's cyber defenses? Targeting your executives at home. That's because 87% of executives use personal devices to conduct business, often with zero security measures in place. Once execs leave your organization's secure network, they become easy targets for hijacking, credential theft, and reputational harm. Close the at-home security gap with BlackCloak Concierge Cybersecurity and Privacy. Award-winning 24/7/365 protection for executives and their families. Learn more at blackcloak.io.

And finally, Matthias Houllier is co-founder of Wintics, one of four French companies to win Olympic contracts to transform Paris' CCTV cameras into a high-tech monitoring tool for the Olympics. "With thousands of cameras, it's impossible for police officers to react to every camera," Houllier says. Wintics first made a splash in 2020 by helping Paris count cyclists with algorithms linked to 200 traffic cameras. Now they're stepping up to count people in crowds and alert operators when too many hit the deck. Houllier assures us there's no Big Brother decision-making happening here. "It's just anonymous shapes," he says. His team trained ministry officials on the software, which just raises alerts for the humans to check out. He argues it's a privacy-friendly alternative to facial recognition, saying, "We're not analyzing personal data, no faces, no license plates, no behavioral analytics."

Privacy activists, however, are not buying it. Noémie Levain, a staunch defender of civil liberties, is on a mission with 6,000 posters to warn Parisians about algorithmic surveillance. She contends that analyzing images of people inherently involves personal data, likening it to facial recognition technology. Levain fears these surveillance systems will linger long after the Olympians have left. She says, "This technology will reproduce the stereotypes of the police," arguing that it will amplify discriminatory practices. As Parisians brace for the Olympic invasion, many, like Levain, plan to escape to the south, dreading the post-Games surveillance city they'll return to. "The Olympics is an excuse," she asserts; the government, companies, and police are already thinking about after. It's the age-old tension between security and privacy, gold medal edition. For me, I'll be watching the Games on TV and hoping the river stays clean enough so they can run the triathlon.

And that's The CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com.

We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K's CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's pre-eminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at N2K.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

[MUSIC]

This September 18th and 19th in Denver, a tight community of leading experts is gathering to tackle the toughest cybersecurity challenges we face. This is a great opportunity to help you get to know what you're doing. Go forward slash cyberwire.

[MUSIC]