Archive.fm

CyberWire Daily

CrowdStrike and Microsoft battle blue screens across the globe.

Mitigation continues on the global CrowdStrike outage. UK police arrest a suspected member of Scattered Spider. A scathing report from DHS says CISA ignored a directive to cut ties with a faulty contractor. Huntress finds SocGholish distributing AsyncRAT. Ransomware takes down the largest trial court in the U.S. A US regulator finds many major banks inadequately manage cyber risk. CISA adds three critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. Australian police forces combat SMS phishing attacks.  Our guest Chris Grove, Director of Cybersecurity Strategy at Nozomi Networks, shares insights on the challenges of protecting the upcoming Summer Olympics. Rick Howard looks at Cyber Threat Intelligence. Appreciating the value of internships. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

The 2024 Summer Olympics start later this week in Paris. Our guest Chris Grove, Director of Cybersecurity Strategy at Nozomi Networks, discusses how, in addition to consumer issues, the actual events, games and facilities at the Olympics could be at risk of an attack.

This week on CSO Perspectives

This week on N2K Pro’s CSO Perspectives podcast, host and N2K CSO Rick Howard focuses on “The current state of Cyber Threat Intelligence.” Hear a bit about it from Rick and Dave. You can find the full episode here if you are an N2K Pro subscriber, otherwise check out an extended sample here.

Selected Reading

Special Report: IT Disruptions Continue as CrowdStrike Sees Crisis Receding (Metacurity)

Suspected Scattered Spider Member Arrested in UK (SecurityWeek)

DHS watchdog rebukes CISA and law enforcement training center for failing to protect data (The Record)

SocGholish malware used to spread AsyncRAT malware (Security Affairs)

California Officials Say Largest Trial Court in US Victim of Ransomware Attack (SecurityWeek)

Finance: Secret Bank Ratings Show US Regulator’s Concern on Handling Risk (Bloomberg)

U.S. CISA adds Adobe Commerce and Magento, SolarWinds Serv-U, and VMware vCenter Server bugs to its Known Exploited Vulnerabilities catalog (Security Affairs)

Australian police seize devices used to send over 318 million phishing texts - Security - Telco/ISP (iTnews)

Internships can be a gold mine for cybersecurity hiring (CSO Online)

Share your feedback.

We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show?

You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Duration: 35m
Broadcast on: 22 Jul 2024
Audio Format: mp3


You're listening to the CyberWire Network, powered by N2K.

We get it. This interruption isn't what you actually want to be listening to right now. But at Credit Karma, we've learned that a little disruption can be a good thing, especially when it comes to the slow, outdated, and totally complicated financial system. We started shaking things up by offering free access to your credit scores, then we expanded into more areas of personal finance, and now we've added new tools and personalized features to make it easier to optimize your money and grow it faster. Download Intuit Credit Karma today and get everything you need to outsmart the system.

When it comes to ensuring your company has top-notch security practices, things can get complicated fast. Vanta automates compliance for SOC 2, ISO 27001, HIPAA, and more, saving you time and money. With Vanta, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center. Over 7,000 global companies like Atlassian, Flow Health, and Quora use Vanta to manage risk and prove security in real time. Our listeners can claim a special offer of $1,000 off Vanta at vanta.com/cyber. That's v-a-n-t-a.com/cyber for $1,000 off Vanta.

Mitigation continues on the global CrowdStrike outage. UK police arrest a suspected member of Scattered Spider. A scathing report from DHS says CISA ignored a directive to cut ties with a faulty contractor. Huntress finds SocGholish distributing AsyncRAT. Ransomware takes down the largest trial court in the U.S. A U.S. regulator finds many major banks inadequately manage cyber risk. CISA adds three critical vulnerabilities to its Known Exploited Vulnerabilities catalog. Australian police forces combat SMS phishing attacks. Our guest is Chris Grove, director of cybersecurity strategy at Nozomi Networks, with a look at the challenges of protecting the upcoming Summer Olympics.
Rick Howard looks at cyber threat intelligence. And appreciating the value of internships.

It's Monday, July 22nd, 2024. I'm Dave Bittner and this is your CyberWire Intel Briefing.

Happy Monday and thank you for joining us. It is great to have you here with us.

The CrowdStrike IT outage has had significant global repercussions, impacting approximately 8.5 million devices and causing widespread operational disruptions. In the U.S., the airline industry has been particularly affected, with more than 1,500 flights canceled for the third consecutive day. Delta Air Lines, based in Atlanta, has struggled the most, with Delta Chief Executive Ed Bastian reporting that the airline canceled over 3,500 flights. Bastian attributed the cancellations to the failure of a crew tracking tool, unable to process the high volume of changes triggered by the system outage. Delta has been offering waivers to affected customers in an effort to manage the fallout.

CrowdStrike CEO George Kurtz issued an apology for the outage, acknowledging the gravity and impact of the situation. He explained that the problem originated from a sensor configuration update released on July 19, which triggered a logic error leading to system crashes and blue screens of death on impacted devices. The specific update involved Channel File 291, which controls how Falcon evaluates named pipe execution on Windows systems. Named pipes are used for inter-process or inter-system communication in Windows. The update, intended to target malicious named pipes used in cyber attacks, inadvertently caused the operating system crash. CrowdStrike quickly identified and corrected the logic error, updating the content in Channel File 291 and halting further changes. Despite this, some experts criticized CrowdStrike for not following industry standard testing procedures, suggesting that the faulty update may have bypassed normal vetting processes.
To assist affected customers, CrowdStrike has published a remediation and guidance hub with detailed information on the faulty update and recovery steps. Microsoft also played a crucial role in addressing the issue, developing a custom WinPE recovery tool to automate the removal of the faulty update. The tool is available for download and requires specific technical configurations for use.

The incident has sparked a wave of malicious activities, with bad actors exploiting the turmoil to conduct phishing scams and other cyber attacks. CISA and the UK's NCSC have issued warnings about increased phishing activities related to the CrowdStrike outage. Australia's Home Affairs Minister Clare O'Neil also cautioned small businesses to be wary of scam attempts disguised as communications from CrowdStrike or Microsoft.

The broader implications of the outage have raised concerns about the fragility of the modern digital ecosystem and the concentration of power among key technology firms. Anne Neuberger, the Deputy National Security Advisor for Cyber and Emerging Technologies, emphasized the need for resilience in a globally interconnected economy. Sir Jeremy Fleming, the recently retired head of GCHQ, echoed these sentiments, highlighting the accelerated risks due to technological interconnectivity. Regulators and lawmakers are calling for greater scrutiny of major tech firms, particularly Microsoft, which has a near monopoly on office productivity systems. Lawmakers from the House Oversight, House Homeland Security and House Energy and Commerce Committees have requested briefings from Microsoft and CrowdStrike to understand the causes and impacts of the outage.

A recurring theme in the coverage of the incident, particularly in the broader tech press, is that many people had not heard of CrowdStrike before this event. It's a useful reminder of how cybersecurity firms often operate behind the scenes until a significant disruption brings them to public attention.
Law enforcement in the UK arrested a 17-year-old from Walsall suspected of being part of the Scattered Spider cybercrime group, also known as UNC3944 or 0ktapus. This arrest followed a joint operation by the UK National Crime Agency and the US FBI. The teenager is accused of targeting large organizations with ransomware and accessing their networks. He was arrested on suspicion of blackmail and Computer Misuse Act offenses, then released on bail. Evidence, including digital devices, was recovered for forensic examination. This arrest is part of a global investigation into the cybercrime group, which has targeted major companies like MGM Resorts. Scattered Spider has hacked numerous organizations, including Twilio, LastPass and DoorDash, often using social engineering tactics.

The Department of Homeland Security's Inspector General released a scathing report on Wednesday, criticizing the Cybersecurity and Infrastructure Security Agency and the Federal Law Enforcement Training Centers, FLETC, for failing to protect sensitive data. Both agencies ignored a direct order from DHS leadership to cease working with a high-risk contractor. The Inspector General's audit revealed urgent cybersecurity issues at CISA and FLETC. Despite a directive to stop using the contractor due to poor cybersecurity practices, both agencies continued their engagement without mitigating the risks. The contractor was not named in the report, but DHS's internal investigation highlighted significant security deficiencies in its operations. The report stated that by not mitigating the control deficiencies, CISA and FLETC potentially exposed sensitive, personally identifiable information and law enforcement training data to compromise. This included the names, Social Security numbers, dates of birth, genders, ranks, and titles of just under 38,000 DHS and federal law enforcement officers.
Additionally, the contractor's software contained training materials on disarming active shooters and countering seaport terrorism.

Researchers at Huntress have observed the JavaScript downloader malware SocGholish, also known as "FakeUpdates," being used to deliver the remote access Trojan AsyncRAT, and the legitimate open-source project BOINC, that's Berkeley Open Infrastructure Network Computing Client. BOINC is a volunteer computing platform maintained by the University of California for large-scale distributed computing. The SocGholish attack chain involves a malicious JavaScript file that downloads further stages, ultimately deploying a "fileless AsyncRAT variant" and a malicious BOINC installation. The compromised BOINC installation connects to fake servers to collect data and execute tasks, acting as a command and control server. Huntress reported the misuse to BOINC administrators, who have been aware of the issue since June of this year. The report includes indicators of compromise and YARA and Sigma rules.

A ransomware attack has shut down the computer system of the Superior Court of Los Angeles County, the largest trial court in the US. The attack began early Friday and is unrelated to the recent CrowdStrike software update issue. The court disabled its computer network and kept it down through the weekend. Preliminary investigations show no evidence of compromised user data. The court serves 10 million residents, with 1.2 million cases filed and 2,200 jury trials conducted in 2022.

A U.S. regulator, the Office of the Comptroller of the Currency, has found that half of the major banks it oversees are inadequately managing risks such as cyber attacks and employee errors. Bloomberg reported that 11 of the 22 large banks under OCC supervision have insufficient or weak operational risk management. About one-third of these banks received poor ratings for overall management.
This comes amid rising concerns following last year's bank failures and a major global computing systems outage. The OCC's operational risk assessments contribute to CAMELS ratings, which influence regulatory scrutiny and capital requirements. Acting Comptroller Michael Hsu has emphasized the need for effective risk management. In May 2023, Hsu testified before Congress about the importance of proactive supervisory actions and risk mitigation from third-party vendors using new technologies.

CISA has identified and added three critical vulnerabilities to its Known Exploited Vulnerabilities catalog. First, there's a severe vulnerability with a CVSS score of 9.8 affecting Adobe Commerce and Magento Open Source. This flaw involves an improper restriction of XML external entity reference, which can lead to arbitrary code execution. Next is a high severity directory traversal vulnerability in SolarWinds Serv-U, scoring 7.5 on the CVSS scale. Discovered by Hussein Daher, this vulnerability allows attackers to read sensitive files on the host machine. Following the disclosure and the publication of proof-of-concept exploit code, threat intelligence firm GreyNoise observed active exploitation attempts. And finally, there's an information disclosure vulnerability in VMware vCenter Server with a CVSS score of 6.5. This issue arises from improper file permissions, enabling malicious actors with non-administrative access to obtain sensitive information. CISA has ordered federal agencies to remediate these vulnerabilities by August 7 to protect their networks.

Australian police forces have seized 29 SIM boxes and thousands of SIM cards in raids across several states to combat SMS phishing attacks. In New South Wales, 26 SIM boxes capable of sending large volumes of text messages were found, having sent over 318 million messages in recent months, scamming victims out of millions.
In Victoria, three SIM boxes were seized, potentially capable of sending hundreds of thousands of malicious messages daily. Six arrests were made, with charges laid.

Coming up after the break, Chris Grove, director of cybersecurity strategy at Nozomi Networks, shares insights on the challenges of protecting the upcoming Summer Olympics. And Rick Howard looks at cyber threat intelligence. Stay with us.

And now, a word from our sponsor, KnowBe4. Where would infosec professionals be without users making security mistakes? Working less than 60 hours per week, maybe, actually having a weekend every so often. While user behavior can be a challenge, they can also be an infosec professional's greatest asset once properly equipped. Users want to do the right thing, but often lack the knowledge to do so. That's one of the reasons KnowBe4 developed SecurityCoach, a real-time security coaching tool that takes alerts from your existing security stack and sends immediate coaching to users who've taken risky actions. Existing security tools will likely block a user from visiting a high-risk website, for example, but the user might not understand why. SecurityCoach analyzes these alerts and provides users with relevant security tips via email or Slack, coaching them on why the action they just took was risky. Help users learn from their mistakes and strengthen your organization's security culture with SecurityCoach. Learn more at knowbe4.com/securitycoach. That's knowbe4.com/securitycoach. And we thank KnowBe4 for sponsoring our show.

The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now employees, apps and networks are everywhere. This means poor visibility, security gaps and added risk. That's why Cloudflare created the first-ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business.
Chris Grove is director of cybersecurity strategy at Nozomi Networks. I recently caught up with him for insights on the challenges of protecting the upcoming Summer Olympics.

To talk about the Olympics, this is a very exciting year. This can be a very big game. So 13 million tickets sold and somewhere between 11 and 15 million visitors and 181,000 people working. These are varying numbers out there. Showing up for a temporary event is very complex and very challenging from a cybersecurity perspective. That's what we're going to talk about today are some of these challenges and how the critical infrastructure comes into play and how we can manage that security for such a large amount of people and volume in a short period of time. That is where the challenge starts.

Yeah. I guess there are obvious things that folks think about, things like the tickets and protecting people's credit cards, all that consumer-facing kind of stuff. But we're talking about a lot of infrastructure as well.

Yeah, if you think about it, in order to run these Olympics, it's literally like building a smart city in a very short period of time. They have water, wastewater, power distribution, camera systems, locks, heating, air conditioning, all kinds of other building automation stuff, public transportation systems and digital signage, and the amount and the vast array of equipment needed is just not typical for something that most people would build in their day-to-day life for sure. It's very complex and very fast-moving and very large-scale.

Can you give us an idea of how a city will go about something like this? I mean, how much of this is integrated? How much of it is siloed? Is there a sort of a best practice to approaching something like this?

That's a "that depends" question. Every time they host the Olympics in a different place, there will be different answers, I believe.
But they do start many years in advance, and a lot of what they do is probably 80% is done before the actual Olympics happen, and the last 15 to 20% of everything from the labor involved is during the games itself. So they do spend a lot of time, it's not just pouring concrete, it's acquiring land and coming out, working with city planners to develop and ensure that the infrastructure is able to handle the demand. Not just from an electricity perspective, but water, wastewater, like I said, and being able to handle people in emergencies, there's other dimensions involved from hotel rooms. How does your airport, is it able to handle this volume? So they really start many years in advance, they work across sectors and try to ensure that all the pieces of the puzzle are basically in place to make sure that the games can be smooth.

What about the integrity of the games themselves? I mean, I'm thinking about things like timers, like scoreboards, you know, all of those things that are part of the actual athletic competition, there's a cybersecurity element to that as well. Yes?

Absolutely. The same problems that we face in regular enterprise, like somebody tweaked a switch somewhere and resulted in a webpage changing color or a light going on and off or a water system changing some consistency of a chemical, whatever it may be, could very well happen at an event like the Olympics. It's not unfathomable to think that somebody would try to do something like that based on some of the things that we've seen in the past happen at the Olympics. It's from a cyber perspective.

What about misinformation and disinformation, you know, sort of the public-facing information stream? I suppose kind of to your point, there are folks out there who would love to see things go wrong, would love to see perhaps some chaos injected into this, in that that's a, I guess it's a combination of a human factor and technical element as well.

Right.
And even a nation-state element, there's in some cases, for example, some of the... disinformation that we're seeing happening around these games in 2024 have to do with Russia being banned from these games and competing under a neutral flag. So it's not really in their best interest that these games are the best ones that have ever existed. So they have a nation-state reason for some disinformation. We also saw in 2020 disinformation campaigns around discrediting a bunch of the non-Russian athletes. There were other disinformation campaigns going many years back. And if you think even around 2008, when we first started to see some of the ticket scams, some of those were borderline disinformation in a way. They were advertising, you know, special sections that didn't exist or trying to sell things that just simply weren't true, Bitcoin pieces and things like that. So yes, it's definitely gotten more than it was in the past. And it's one of the several threats that are being faced. Then there's also the physical aspect of that. If somebody were to not just use disinformation to influence someone's opinion, but to cause a panic, and a public safety factor could come into play at that point.

Can we touch on public safety? I mean, it just seems like that is a huge responsibility for the folks who are running these games here. They've got all of these people from all around the world, both the athletes, the spectators, the judges and referees, the media, and you have to provide for the safety of all those people.

Yeah, that's definitely one of the biggest challenges of events like this is the public safety component. Of course, we like to think about interrupting the game, shutting the lights off or whatever. That's got a financial implication to it. But the public safety implication is really first and foremost, the main priority of all the planning.
Everyone needs to come and go home safe and alive and without injury; secondary is making sure that they're entertained with the games.

When a city goes through something like this, all of the construction, the planning, installing infrastructure for an event as big as the Olympics, when the games are over and everybody goes home, does the city end up with a lot of things having been upgraded? Is this a nice impetus for those sorts of things to happen?

In some cases, yes, in some cases, no. It depends on the country and everything. There are instances where there are stadiums lying dormant and costing that particular host country a lot of money. This is not specific to the Olympics. This has to do with anything of this magnitude, like World Cup, et cetera. Not every city needs something of that nature or that large. If they don't find a way to support it from an economic standpoint, it does become a burden. But in other cases, it's a great way to test and bring in cutting-edge technologies. Sometimes it may be high-capacity internet backbones that weren't there before, that now they've laid in, and things like that are definitely going to be used in the future. Some of the physical infrastructure, many times they will either tear it down and convert it back to its original use or donate it and use it for something moving forward. It's a mixed bag, I think, for the host cities after the infrastructure has been used.

Has there been any sense for folks like yourself who keep an eye on these things, or the line of work that you're in, any sense for how Paris is doing? Are they going to come in ready to go when it's time for the games to begin?

I cannot speak to anything to do specifically with their security posture or how they feel or what they're ready for.
I can speak to some of the things that I've seen publicly that is out there, and a lot of the partners that have been involved with the security preparations are looking at things that have happened in the past as a way to start and prepare for what they expect this time around. We are, the world is expecting everything that we've seen in the past, and then some new angles, probably, and some amplification of the volume, perhaps. Some of the attacks that came in in past Olympics were, at the time, they broke DDoS records for the most amount of traffic. We'll probably see things like that. New records broken in certain areas, not just on the field, but on the net as well. There's probably going to be a few things that maybe we haven't seen in the past. But I do think that everyone is prepared for that, and a lot of the leading brands are involved in making sure that they are safe for people and that they are successful.

That's Chris Grove, director of cybersecurity strategy at Nozomi Networks.

It is always my pleasure to welcome back to the show the CyberWire's chief security officer and chief analyst Rick Howard. Rick, welcome back.

Hey, Dave.

You know, Rick, there's that old joke, old, old, old joke about how...

That's totally appropriate for you and me, sir.

I didn't say you're an old joke or I'm an old joke, although the truth hurts sometimes.

Oh, yeah.

But there's that old joke about how military intelligence is an oxymoron, right? As an old army guy, I bet you've gotten more than your share of laughs about that phrase.

It's so true. It's so true.

But where are we with cyber intelligence? I know that's something that you're looking to cover here on your upcoming CSO Perspectives podcast.

Yeah, we're taking a look at the current state of cyber threat intelligence because, you know, most people forget, you know, we do this stuff every day, that you kind of assume that that kind of thing has been around for a long time.
But really, for the commercial world, cyber threat intelligence wasn't the thing until Mandiant released their very famous APT1 paper back in 2013, something like that. You know, because, you know, the military have been doing cyber threat intelligence for about 10 years before that. They very famously chronicled the Chinese efforts at cyber espionage. They had cool code names for all that, like Titan Rain, but it didn't really catch on with the commercial world until Mandiant released that paper, and then all of a sudden everybody went, "Oh my goodness, this is a thing we should all be doing." And so I thought it was time, is now 15 years past that paper, 14 years, that we should take a look at how far we've come, and I ran into an old buddy of mine, John Hultquist. He is the chief intelligence guy at Google Mandiant, right? And he and I competed back in the day. I ran a commercial cyber intelligence group. He ran one. And so we compared notes about where it all started and where it is today.

Yeah, it's interesting to me that, you know, how quickly it spun up to become something that was productized and sold, and now folks can't do without it.

Yeah. And another little phase that too is how every security vendor has their own cyber intelligence team as a marketing arm, you know, they use it as an excuse to say, you know, we found the, you know, Wicked Spider operating over here and all the customers that use our product stopped them, you know, they use it for that kind of thing. So it's a really interesting way to use cyber threat intelligence.

Yeah. That is interesting. All right. Well, it is the CSO Perspectives podcast and the host is Rick Howard. Rick, thanks so much for joining us.

Thank you, sir.

And now a message from BlackCloak. What's the easiest way for threat actors to bypass your company's cyber defenses? Targeting your executives at home. That's because 87% of executives use personal devices to conduct business, often with zero security measures in place.
Once execs leave your organization's secure network, they become easy targets for hijacking, credential theft and reputational harm. Close the at-home security gap with BlackCloak concierge cybersecurity and privacy, award-winning and 24/7/365 protection for executives and their families. Learn more at blackcloak.io.

And finally, an article in CSO Online shares the story of Willem Westerhof, a physiotherapist and pie maker who embarked on a cyber internship in 2016. While still an intern, he discovered a critical vulnerability in solar panel technology, which had the potential of compromising the Netherlands' entire power grid. This breakthrough not only transformed his life, propelling him into global headlines and speaking at conferences, but also secured him a full-time role at ITsec, where he had interned. Westerhof's story exemplifies the transformative potential of internships.

According to ISC2's 2023 cybersecurity workforce report, 24% of new cyber professionals started as interns. Matthew Prager from CISA emphasizes internships as essential for expanding the talent pool and providing valuable work experience that education alone cannot offer. John Anthony Smith of Conversant Group highlights the importance of mentoring interns to mold them into skilled professionals, while Alexandria Kaison from the Information and Communications Technology Council stresses the need for internships to teach both technical and soft skills. Companies offering meaningful, project-based internships tend to secure more full-time hires, with paid internships attracting higher-quality candidates.

Willem Westerhof's journey from a diverse work background to a celebrated cybersecurity expert underscores the immense value of internships. For interns, these opportunities provide practical experience, essential skills, and a direct pathway into full-time employment, as seen with Westerhof's seamless transition to ITsec.
For employers, internships are a strategic investment, offering access to fresh talent, innovative perspectives, and the chance to cultivate and retain skilled professionals tailored to their specific needs. By fostering an environment where interns are mentored and engaged in meaningful projects, organizations not only enhance their workforce, but also contribute to closing the cybersecurity skills gap, ensuring a robust and secure digital future.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes, or send an email to cyberwire@n2k.com.

We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's pre-eminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at N2K.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

[music]

This September 18th and 19th in Denver, a tight community of leading experts is gathering to tackle the toughest cybersecurity challenges we face. It's happening at mWISE, the unique conference built by practitioners for practitioners.
Brought to you by Mandiant, now part of Google Cloud, mWISE features one-to-one access with industry experts and fresh insights into the topics that matter most, right now, to frontline practitioners. Register early and save at mwise.io/cyberwire, that's mwise.io/cyberwire.

[music]