Archive.fm

CyberWire Daily

Conspiracy theories in politics.


Duration:
27m
Broadcast on:
15 Jul 2024
Audio Format:
mp3

The assassination attempt on former President Trump sparks online disinformation. AT&T pays to have stolen data deleted. Rite Aid recovers from ransomware. A hacktivist group claims to have breached Disney’s Slack. Checkmarx researchers uncover Python packages exfiltrating user data. HardBit ransomware gets upgraded with enhanced obfuscation. Threat actors can weaponize proof-of-concept (PoC) exploits in as little as 22 minutes. Google may be in the market for Wiz. Rick Howard previews his analysis of the MITRE ATT&CK framework. Blockchain sleuths follow the money. 

Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.


This Week on CSO Perspectives

Dave chats with Rick Howard, the CSO, Chief Analyst, and Senior Fellow at N2K Cyber, about his latest episode of CSO Perspectives, which focuses on the current state of MITRE ATT&CK. If you are an N2K Pro subscriber, you can find this installment of CSO Perspectives here. The accompanying essay is available here. If you're not a subscriber and want to check out a sample of the discussion Rick has with his Hash Table members about MITRE ATT&CK, you can find it here.


Selected Reading

Conspiracy theories spread swiftly in hours after Trump rally shooting (The Washington Post)

AT&T Paid a Hacker $370,000 to Delete Stolen Phone Records (WIRED)

Pharmacy Giant Rite Aid Hit By Ransomware (Infosecurity Magazine)

Disney's Internal Slack Breached? NullBulge Leaks 1.1 TiB of Data (HackRead)

Malicious Python packages found exfiltrating user data to Telegram bot (Computing)

HardBit ransomware version 4.0 supports new obfuscation techniques (Security Affairs)

Hackers use PoC exploits in attacks 22 minutes after release (Bleeping Computer)

Google is reportedly planning its biggest startup acquisition ever (The Verge)

Automotive SaaS provider CDK paid $25 million ransom to hackers (BeyondMachines.net)


Share your feedback.

We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. 


Want to hear your company in the show?

You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Learn more about your ad choices. Visit megaphone.fm/adchoices

You're listening to the CyberWire Network, powered by N2K.

What's 2FA security on Kraken? Let's say I'm captaining my soccer team, and we're up by a goal against, I don't know, so does Springs FC. Do we relax? No way. Time to create an extra line of defense and protect that lead. That's like 2FA on Kraken, a surefire way to keep what you already have safe and sound. Go to kraken.com and see what crypto can be. Not investment advice. Crypto trading involves risk of loss. Cryptocurrency services are provided to U.S. and U.S. territory customers by Payward Interactive Inc. (PWI), DBA Kraken. View PWI's disclosures at kraken.com/legal/disclosures.

When it comes to ensuring your company has top-notch security practices, things can get complicated fast. Vanta automates compliance for SOC 2, ISO 27001, HIPAA and more, saving you time and money. With Vanta, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center. Over 7,000 global companies, like Atlassian, Flo Health and Quora, use Vanta to manage risk and prove security in real time. Our listeners can claim a special offer of $1,000 off Vanta at vanta.com/cyber. That's v-a-n-t-a.com/cyber for $1,000 off Vanta.

The assassination attempt on former President Trump sparks online disinformation, AT&T pays to have stolen data deleted, Rite Aid recovers from ransomware, a hacktivist group claims to have breached Disney's Slack, Checkmarx researchers uncover Python packages exfiltrating user data, HardBit ransomware gets upgraded with enhanced obfuscation, threat actors can weaponize proof-of-concept exploits in as little as 22 minutes, Google may be in the market for Wiz, Rick Howard previews his analysis of the MITRE ATT&CK framework, and blockchain sleuths follow the money. It's Monday, July 15, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Happy Monday, and thank you for joining us here today.
The shooting of former President Donald Trump at his campaign rally on Saturday quickly turned into a hotbed for conspiracy theories, flooding social media with unverified claims. Despite law enforcement efforts to clarify the situation, the political environment amplified these false narratives. Investigators identified the shooter and confirmed some details, but conspiracies flourished. Left-leaning accounts suggested a false flag operation by Trump's supporters, while some far-right voices accused President Biden of orchestrating the attack. Megan Squire from the Southern Poverty Law Center highlighted how such incidents are often exploited for political agendas. Right-wing influencers and politicians like Representative Mike Collins insinuated high-level conspiracies, adding fuel to the misinformation fire. Social media posts from various accounts propagated claims of a deep-state plot or fabricated scenes. These narratives found fertile ground in a divided political landscape where consensus on basic facts is increasingly rare. Online bots amplified the noise. Experts like Graham Brookie of the Atlantic Council urged caution, emphasizing the prevalence of false information during rapidly developing events. Despite these warnings, far-right channels continued to buzz with conspiracy theories and extreme rhetoric, including calls for civil war and blaming various groups like Antifa and the Deep State. Social media platforms struggled to manage the spread of misinformation, and tech executives like Elon Musk speculated publicly, contributing to the confusion. Influential accounts pushed unfounded claims about the Secret Service's role and internal security policies, further muddling the public discourse. Amid this chaos, misinformation experts stressed the importance of verifying information before sharing it online.
The rapid spread of false narratives in the wake of Trump's shooting underscored the challenges of maintaining accurate public information in a polarized and digitally driven society.

Late last week, AT&T disclosed a significant data breach involving hackers stealing call records for tens of millions of customers. In an exclusive for Wired, Kim Zetter reports the company paid over $300,000 in Bitcoin to a hacker from the ShinyHunters group to delete the stolen data and provide proof of deletion. This payment was confirmed by blockchain tracking tools. A security researcher who goes by the name "Reddington" facilitated the negotiation between AT&T and the hackers. The breach involved unsecured Snowflake cloud storage accounts. The stolen AT&T data included call and text metadata but not content or names. Despite payment, some data may still be at risk. John Erin Binns, believed to be responsible for the breach, was arrested in Turkey for a previous hack on T-Mobile. The breach's delayed disclosure was due to national security concerns.

U.S. pharmacy chain Rite Aid recently fell victim to a ransomware attack by the RansomHub group, which claimed to have stolen 10 gigabytes of data, including personal information of customers such as names, addresses and birth dates. Rite Aid announced it has restored its systems with the help of third-party cybersecurity experts and is fully operational again. The company emphasized its commitment to safeguarding personal information and is finalizing its incident response investigation. RansomHub, emerging in February 2024 and including former ALPHV/BlackCat affiliates, has been involved in several high-profile attacks. It's known for its aggressive tactics, including a second extortion attempt on Change Healthcare. Rite Aid, the third-largest U.S. pharmacy chain, operates over 2,000 locations with revenues exceeding $24 billion.
Activist group NullBulge claims to have breached Disney, leaking 1.2 terabytes of internal Slack data. The leaked data supposedly includes messages, files, code and more, involving nearly 10,000 channels and sensitive information like unreleased projects and internal API links. NullBulge announced the breach on BreachForums and X (Twitter), highlighting their mission to protect artists' rights and ensure fair compensation. The breach is yet to be verified, but it follows recent cyber attacks on AT&T and Ticketmaster. NullBulge is rumored to be linked to the LockBit ransomware gang. Disney has faced criticism for not paying royalties to artists and writers, with notable figures like Neil Gaiman and Alan Dean Foster speaking out against the company.

Researchers at Checkmarx have discovered an Iraq-based operation using malware hosted on the Python repository PyPI to search for files on victims' devices and exfiltrate them to a Telegram bot. Malicious packages named in the research have been removed from PyPI. These packages contained malicious code in an __init__.py file that targeted files with .py, .php, .zip, .png and .jpg extensions, sending them to a Telegram bot. The bot, active since 2022, contains over 90,000 messages, mostly in Arabic, and is involved in various criminal activities like spam, login fraud and data theft. Researchers found the bot's operator maintaining several other bots for different nefarious activities. This attack highlights the persistent threat of supply chain attacks on PyPI, a popular target due to Python's widespread use. Users are advised to employ vulnerability scanners and threat intelligence before using third-party modules.

Researchers from Cybereason have identified a new version of HardBit ransomware featuring advanced obfuscation techniques to avoid detection. Version 4.0 includes a binary obfuscation enhancement with passphrase protection, complicating analysis.
The ransomware, available in both CLI and GUI formats, uses the Neshta virus for delivery and is a .NET binary obfuscated by a custom packer. HardBit ransomware, first seen in October 2022, does not employ double extortion but threatens further attacks if ransom demands are unmet. The ransomware deletes Volume Shadow Copy Service backups and alters boot configurations to prevent recovery. It disables Windows Defender antivirus features and ensures persistence by copying itself to the startup folder, mimicking the svchost.exe file. HardBit shares similarities with LockBit, possibly as a marketing tactic. The initial access method remains unconfirmed, but brute force of open RDP and SMB services is suspected. The attackers use tools like Mimikatz for credential theft and deploy HardBit via a zip file named 111.zip. Versions 3.0 and 4.0 also support a wiper mode.

According to Cloudflare's 2024 application security report, threat actors can weaponize proof-of-concept exploits as quickly as 22 minutes after they're made public. The report, covering May 2023 through March 2024, highlights a rise in scanning activity for disclosed CVEs, command injections, and attempts to use available PoCs. To combat this rapid exploitation, Cloudflare emphasizes using AI to develop quick detection rules, as human response alone is insufficient. The report also notes that 6.8% of daily internet traffic is DDoS attacks, up from 6% the previous year, with spikes reaching 12% during major attacks.

Google is considering a $23 billion acquisition of Wiz, a cloud cybersecurity startup, according to the Wall Street Journal. This potential purchase would be Google's largest ever, nearly double the amount spent on Motorola Mobility in 2012. Wiz, based in New York City, provides security tools and scanners for enterprises, enhancing cloud infrastructure security by normalizing layers across environments to identify and mitigate risks quickly.
Observers speculate this acquisition targets Microsoft, which has faced multiple high-profile security breaches recently. Google Cloud's Thomas Kurian is spearheading the acquisition, which aims to bolster Google's reputation as a secure cloud provider. This follows Google's previous security-focused acquisitions, including a $500 million cloud security startup in 2022, and the $5.4 billion purchase of Mandiant. However, the deal may face regulatory scrutiny under the Biden administration's antitrust actions.

Coming up after the break, Rick Howard previews his analysis of the MITRE ATT&CK framework. Stay with us.

And now, a word from our sponsor, KnowBe4. Where would InfoSec professionals be without users making security mistakes? Working less than 60 hours per week, maybe, actually having a weekend every so often. While user behavior can be a challenge, they can also be an InfoSec professional's greatest asset once properly equipped. Users want to do the right thing, but often lack the knowledge to do so. That's one of the reasons KnowBe4 developed Security Coach, a real-time security coaching tool that takes alerts from your existing security stack and sends immediate coaching to users who've taken risky actions. Existing security tools will likely block a user from visiting a high-risk website, for example, but the user might not understand why. Security Coach analyzes these alerts and provides users with relevant security tips via email or Slack, coaching them on why the action they just took was risky. If users learn from their mistakes and strengthen your organization's security culture with Security Coach, learn more at knowbe4.com/securitycoach. That's knowbe4.com/securitycoach, and we thank KnowBe4 for sponsoring our show.

The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now employees, apps, and networks are everywhere.
This means poor visibility, security gaps, and added risk. That's why Cloudflare created the first-ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business.

>> It is always my pleasure to welcome back to the show Rick Howard. He is N2K CyberWire's chief security officer, also our chief analyst and host of the CSO Perspectives podcast. Rick, welcome back.

>> Hey, Dave.

>> So in this upcoming episode of CSO Perspectives...

>> I know, right?

>> You are taking a look at the MITRE ATT&CK framework, and kind of where we stand with that. What can you share today, Rick?

>> Well, you know, Dave, I'm a gigantic fan of the MITRE ATT&CK framework. I've been singing its praises for almost a decade now, and much to my chagrin, it hasn't really caught on universally across the cybersecurity profession. And so I thought it was time to take a look at it, see what's going right with the MITRE ATT&CK framework and what are the obstacles that make it slow to adopt.

>> Well, for folks who aren't familiar with it, can you give us a little bit of the backstory here?

>> Yeah. There's a strategy for cybersecurity that was made famous by the famous Lockheed Martin research paper called Intrusion Kill Chain Prevention, right? And the idea there was, instead of just blocking technical things, like malware or viruses or exploit code, without any concern about what the adversary was trying to accomplish, the Lockheed Martin people said, you know, it makes sense that every adversary, regardless of their motivation, has to kind of go through a sequence of activity, okay? And it's like they have to recon your network for weaknesses, they find those weaknesses, they build software that takes advantage of those weaknesses, they deliver that to some victim zero, right? And then they do other things to find the stuff they came to destroy or to steal, like lateral movement, and then they exfiltrate it out through their command and control channel.
And that was a revelation back when that came out back in 2010. And then three years later, MITRE decided they were going to build this thing that we've affectionately called the MITRE ATT&CK framework. I call it a wiki, right? Where they're basically tracking all the tactics, techniques, and procedures for known adversary campaigns across the kill chain, right? And so I thought this was a brilliant idea, right? Instead of just blocking the latest malware, we're going to actually try to block Wicked Spider, try to prevent Wicked Spider from having a success, right? And so I thought that was an obvious thing to do. But it turns out it's really hard to do well and hard to deploy and pretty expensive.

>> Well, let's talk about that then. I mean, is that the primary set of things that are keeping it from having wider adoption? Is it one of those easier-said-than-done situations?

>> Yeah, yeah, it makes it sound easy when I say it fast like that. And there's also confusion in the industry, too, because the Lockheed Martin paper came out back in 2010. A year after that, the Department of Defense released the Diamond Model, which takes that idea and expands it to intelligence teams about how they can actually track adversaries across the kill chain. And then two years after that, MITRE came up with their framework. And for the people not paying attention, that looks like three separate models, right? And it turns out that they're not. They all go together, right? You need the Lockheed Martin paper for strategy. You need the Diamond Model from the Department of Defense for how do you run your intel team to do that. And then you need the MITRE ATT&CK framework to collect the actual intelligence, right? So I think that's one of the things: there's confusion in the cybersecurity profession about what all those things mean.

>> In the intervening years, have there been updates, or has there been anything to keep this relevant?

>> Oh, yeah, yeah, yeah. I criticize.
But I love the thing, right? The MITRE folks have improved it immensely over the years. They update it about every year and a half or so, but they are completely understaffed. Okay, it's a very small intel team. So they don't update it in real time, which I would prefer to have happen, right? And they only cover nation-state activity, which is great, but there's a whole set of cybercrime campaigns out there that I would love to have that kind of intel for. And so I guess that the bottom line to all this is I would like somebody, some benefactor, to come out and say, let's give MITRE a bunch of money so they can get this fully functional, all right, so that everybody can adopt it.

>> So in terms of this week's episode of CSO Perspectives, how are you approaching the topic here?

>> Well, what we did was, we went out and got one of the original contributors to it, Frank Duff. He is now the chief innovation officer at a company called Tidal. But he was on the ground floor when they started trying to make it work back in 2013. So we get his perspective about how it all started. And then we talk to Amy Robertson. She's a chief intelligence engineer at MITRE and kind of the face for, the current face for MITRE ATT&CK, and she gives us the modern view of it. So it's a really interesting conversation with all three of us.

>> You know, looking back through your own career here, I mean, this came out when you were chief security officer at Palo Alto Networks, right?

>> Yes, it was.

>> How did you integrate this into the stuff that you did there? I mean, was it sort of a, was it a light bulb moment for you? Like, aha, here's the thing we've been waiting for, folks.

>> It really was for me. It was a eureka moment for me, but I have to admit, I struggled convincing the powers that be at Palo Alto Networks to understand what I was talking about. Underneath me at that job, I ran the public-facing intelligence team called Unit 42.
So we changed our whole schema for how do we track bad guys inside the Palo Alto Networks data to track adversaries across the kill chain using the MITRE ATT&CK framework, right? So, but you've heard me talking about this, Dave. What I really want from vendors, and what I tried to convince Palo Alto Networks to do, is I need a dashboard that says, you know, let's say Wicked Spider, they do 100 things in their attack sequence. If you see one of those things in your network, yeah, it might be Wicked Spider, but if you see 80 of the 100 in your network, that's Wicked Spider, right? And so, and you better make sure you have all the prevention controls in place to stop that guy from being successful.

>> Yeah. All right. Well, Rick Howard is N2K CyberWire's chief security officer, also our chief analyst and the host of CSO Perspectives, which you can find right here on the N2K CyberWire network and wherever you get your favorite podcasts. Rick, thanks so much for joining us.

>> Thank you, sir.

[MUSIC]

>> And now a message from Black Cloak. What's the easiest way for threat actors to bypass your company's cyber defenses? Targeting your executives at home. It's because 87% of executives use personal devices to conduct business, often with zero security measures in place. Once execs leave your organization's secure network, they become easy targets for hijacking, credential theft, and reputational harm. Close the at-home security gap with Black Cloak Concierge Cybersecurity and Privacy, award-winning 24/7, 365 protection for executives and their families. Learn more at blackcloak.io.

And finally, CDK Global, a top software provider for car dealerships in North America, reportedly forked out a hefty $25 million ransom in Bitcoin to resolve a massive cyber attack. The attack had disrupted operations at over 15,000 car dealerships across the US.
Blockchain sleuth ZachXBT revealed that the ransom, amounting to just over 387 Bitcoin, about $25 million, was paid on June 22, 2024, to a blockchain address controlled by the BlackSuit ransomware gang. CDK didn't handle the transaction directly, but enlisted a specialized firm to deal with the demands. Following the payment, CDK Global's services were swiftly restored, though the company kept mum about the details. Blockchain intelligence platform TRM Labs confirmed the transaction. They noted the funds were later moved to centralized exchanges. Curiously, CDK Global took a week after the payment to restart services, likely to beef up security and patch vulnerabilities. This incident stands as the largest ransomware payment of 2024, topping Change Healthcare's $22 million payout in March. CDK Global paid the ransom, but it was the blockchain sleuths who stole the show by following the money.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment on Jason and Brian's show every week. You can find Grumpy Old Geeks where all the fine podcasts are listed.

We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes, or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Trey Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

[MUSIC]

On September 18th and 19th in Denver, a tight community of leading experts is gathering to tackle the toughest cybersecurity challenges we face. It's happening at mWISE, the unique conference built by practitioners for practitioners. Brought to you by Mandiant, now part of Google Cloud, mWISE features one-to-one access with industry experts and fresh insights into the topics that matter most, right now, to frontline practitioners. Enter early and save at mwise.io/cyberwire. That's mwise.io/cyberwire.

[MUSIC]