
CyberWire Daily

LockBit picks a brawl with banks.

LockBit drops files that may or may not be from the Federal Reserve. Progress Software patches additional flaws in MOVEit file transfer software. A popular polyfill open source library has been compromised. DHS starts staffing up its AI Corps. Legislation has been introduced to evaluate the manual operations of critical infrastructure during cyber attacks. Researchers discover a new e-skimmer targeting CMS platforms. A breach at Neiman Marcus affects nearly 65,000 people. South African health services grapple with ransomware amidst a monkeypox outbreak. Medusa is back. On the Learning Layer, Sam and Joe discuss the CISSP's CAT format and how to walk into test day with confidence. The VA works to clear the backlog caused by the ransomware attack on Change Healthcare.

Our 2024 N2K CyberWire Audience Survey is underway: make your voice heard and get in the running for a $100 Amazon gift card. Remember to leave us a 5-star rating and review in your favorite podcast app.

Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

On our Learning Layer segment, host Sam Meisenberg and Joe Carrigan continue their discussion of Joe's ISC2 CISSP certification journey using N2K's comprehensive CISSP training course, which includes a simulated Computer Adaptive Test (CAT) final exam.

Sam and Joe discuss the CISSP's CAT format and how to walk into test day with confidence. Good luck Joe!

Selected Reading

Lockbit Leaks Files for Evolve Bank & Trust in Its Alleged 'Federal Reserve' Data Dump (Metacurity)

Progress Software warns of new vulnerabilities in MOVEit Transfer and MOVEit Gateway (Cyber Daily)

Polyfill supply chain attack hits 100K+ sites (Sansec)

Exclusive: DHS hires first 10 AI Corps members (Axios)

US House bill seeks to assess manual operations of critical infrastructure during cyber attacks (Industrial Cyber)

Caesar Cipher Skimmer targets popular CMS used by e-stores (Security Affairs)

Neiman Marcus confirms breach. Is the customer data already for sale? (Malwarebytes)

South Africa's national health lab hit with ransomware attack amid mpox outbreak (The Record)

New Medusa malware variants target Android users in seven countries (Bleeping Computer)

After Crippling Ransomware Attack, VA Is Still Dealing with Fallout, Trying to Pay Providers (Military.com)

Share your feedback.

We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show?

You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Duration: 28m
Broadcast on: 26 Jun 2024
Audio Format: mp3


[MUSIC] You're listening to the CyberWire Network, powered by N2K.

[MUSIC] Identity architects and engineers, simplify your identity management with Strata. Securely integrate non-standard apps with any IDP, apply modern MFA, and ensure seamless failover during outages. Strata helps you avoid app refactoring and reduces legacy tech debt, making your identity systems more robust and efficient. Strata does it better and at a better price. Experience stress-free identity management and join industry leaders in transforming their identity architecture with Strata. Visit strata.io/cyberwire, share your identity challenge, and get a free set of AirPods Pro. Revolutionize your identity infrastructure now. Visit strata.io/cyberwire, and our thanks to Strata for being a longtime friend and supporter of this podcast.

[MUSIC] LockBit drops files that may or may not be from the Federal Reserve. Progress Software patches additional flaws in MOVEit file transfer software. A popular polyfill open source library has been compromised. DHS starts staffing up its AI Corps. Legislation has been introduced to evaluate the manual operations of critical infrastructure during cyber attacks. Researchers discover a new e-skimmer targeting CMS platforms. A breach at Neiman Marcus affects nearly 65,000 people. South African health services grapple with ransomware amidst a monkeypox outbreak. Medusa is back. On the Learning Layer, Sam and Joe discuss the CISSP's CAT format and how to walk into test day with confidence. And the VA works to clear the backlog caused by the ransomware attack on Change Healthcare.

[MUSIC] It's Wednesday, June 26, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing.

[MUSIC] Thank you for joining us here today, as always. It's great to have you with us.

Following an apparent failure in negotiations, the LockBit ransomware gang published a trove of files it claims to have stolen from the U.S. Federal Reserve. This Russian-linked gang posted 21 links to files, including directories and archives from Evolve Bank and Trust. Recently, the feds accused Evolve Bancorp of unsafe banking practices. LockBit had threatened to release the data on June 25th if the ransom wasn't paid. They claimed to have 33 terabytes of sensitive banking information, and they criticized the U.S. central bank's negotiator. Cybersecurity experts doubt LockBit's claims, suggesting the gang seeks attention after Operation Cronos damaged its reputation. The release of Evolve's files supports this skepticism. This month, the Federal Reserve Board issued a cease-and-desist order to Evolve Bank and Trust for deficiencies in anti-money laundering, risk management, and consumer compliance. The Federal Reserve hasn't addressed LockBit's claims, but some data may have been collected during their investigations. Evolve, based in Memphis, Tennessee, serves individuals and small businesses in at least 17 states and reported $1.3 billion in assets in 2022. Known for partnerships with fintech platforms like Mastercard and Visa, Evolve is investigating the breach and cooperating with law enforcement. The bank plans to provide more information as it confirms the details.

Progress Software has issued a security alert about two new vulnerabilities in its MOVEit file transfer software. The first is a critical authentication bypass issue in MOVEit Gateway, and the second is a high-severity bypass flaw in MOVEit Transfer's SFTP service. Progress has released patches and advises immediate upgrades to the latest versions. Testing by Rapid7 confirmed the vulnerabilities in default configurations, highlighting risks if attackers know a username, after which the account can authenticate remotely, and the SFTP service is exposed. Over 1,000 public-facing MOVEit Transfer servers are mainly in the U.S., and hackers are already exploiting these vulnerabilities. Previous similar vulnerabilities have led to widespread exploitation, including by the Clop ransomware gang.

Polyfill software is a JavaScript library that enables old browsers to support modern web features by providing necessary code implementations. Researchers now say polyfill.js, a widely used open source library, has been compromised. Over 100,000 sites, including JSTOR, Intuit, and the World Economic Forum, embed polyfill.js using cdn.polyfill.io. In February, a Chinese company acquired the domain and GitHub account, subsequently injecting malware into mobile devices via these sites. Complaints on GitHub were quickly removed. The malware, decoded by Sansec, redirects mobile users to a fake sports betting site using a domain mimicking Google Analytics. It targets specific mobile devices at certain times, avoids admin users, and delays execution when web analytics are detected. The original author advises against using Polyfill, as modern browsers no longer need it. Trustworthy alternatives are available from Fastly and Cloudflare.

The Department of Homeland Security has hired its first 10 members for its new 50-person AI Corps, aiming to leverage artificial intelligence across its operations. The team will focus on areas such as countering fentanyl trafficking, combating online child sexual exploitation, and enhancing cybersecurity. DHS Secretary Alejandro Mayorkas highlighted the significant interest in this initiative, which aims to safely and responsibly deploy AI within the federal government. The initial hires come from diverse backgrounds, including government, big tech, startups, and research communities. Mayorkas noted the stiff competition for these roles, with over 3,000 applications facilitated by new flexible hiring practices for AI jobs.

Bipartisan legislation has been introduced in the U.S. House to create a public report for evaluating the manual operations of critical infrastructure during cyber attacks. The bill, led by Congressman Dan Crenshaw and Representative Seth Magaziner, aims to address rising cyber threats from nations like China, Russia, Iran, and North Korea. The Contingency Plan for Critical Infrastructure Act requires the Cybersecurity and Infrastructure Security Agency and FEMA to assess how critical infrastructure can transition to manual operation during cyber incidents and evaluate current response plans. This includes examining costs, challenges, and policy recommendations to ensure continuous operation. The bill underscores the need for private sector involvement in protecting vital systems such as water, energy, transportation, and communications.

Researchers at Sucuri discovered a new e-skimmer, the Caesar Cipher Skimmer, targeting e-stores using CMS platforms like WordPress, Magento, and OpenCart. This skimmer modifies the WooCommerce checkout PHP page to steal credit card data, using tactics such as mimicking Google Analytics and obfuscating code. The skimmer uses a Caesar cipher to conceal its payload by encoding the domain hosting the malicious code. Attackers register domains with slight misspellings to evade detection. The malware connects to a remote server via WebSocket, customizing responses for each infected site. Some scripts check for logged-in WordPress users. Researchers found Russian comments in older script versions.

Luxury retail chain Neiman Marcus has informed customers of a May cyber attack compromising a database with personal information. The breach affected just under 65,000 people, exposing names, contact details, dates of birth, and gift card numbers, excluding PINs. The attacker, Spider, offered the data for sale on BreachForums, including customer shopping records and employee data. The breach is linked to the Snowflake incident, which has affected multiple brands. The sale post has since disappeared from BreachForums.

South Africa's National Health Laboratory Service is grappling with a ransomware attack disrupting lab result dissemination amid an outbreak of monkeypox. The attack began Saturday, deleting system sections, including backups, and requiring extensive rebuilding. The NHLS, operating 265 labs nationwide, has shut down certain systems for repairs and enlisted external cybersecurity firms. Despite functional labs, automated report generation is disabled, forcing urgent results to be communicated manually. The attack, using an unidentified ransomware strain, did not compromise patient databases. South Africa's health sector, already strained by ransomware attacks, faces increased urgency due to the monkeypox outbreak, with three deaths and 16 confirmed cases. The government is under pressure to enhance cybersecurity, especially as global health care systems face similar ransomware threats.

The Medusa banking Trojan for Android, also known as TangleBot, has re-emerged after a year of relative inactivity, targeting countries including France, Italy, the US, and the UK. The latest campaigns use compact variants with fewer permissions and new features, like initiating transactions directly from compromised devices. Discovered by researchers at Cleafy, these campaigns involve 24 different operations using SMS phishing to distribute malware through fake apps. Medusa's updated versions now request fewer permissions, retain keylogging and SMS manipulation capabilities, and introduce commands for actions like screen overlay and screenshot capturing. Despite no presence on Google Play, the threat is growing as its distribution methods evolve.

Coming up after the break on our Learning Layer segment, Sam Meisenberg and Joe Carrigan continue their discussion of Joe's ISC2 CISSP certification journey. Stay with us.

[MUSIC] Enterprises today are using hundreds of SaaS apps. Are you reaping their productivity and innovation benefits, or are you lost in the sprawl? Enter Savvy Security. They help you surface every SaaS app, identity, and risk, so you can shine a light on shadow IT and risky identities. Savvy monitors your entire SaaS attack surface to help you efficiently eliminate toxic risk combinations and prevent attacks. So go on, get Savvy about SaaS and harness the productivity benefits, fuel innovation while closing security gaps. Visit savvy.security to learn more.

The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now, employees, apps, and networks are everywhere. This means poor visibility, security gaps, and added risk. That's why Cloudflare created the first-ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business.

[MUSIC] On today's Learning Layer segment, our host Sam Meisenberg is joined once again by my Hacking Humans co-host Joe Carrigan to continue their discussion of Joe's ISC2 CISSP certification journey. Today, they're discussing the CAT format and how to walk into test day with confidence.

[MUSIC] Welcome back to the Learning Layer segment. Today, we're continuing our conversation with Joe Carrigan as he gets ready for his CISSP. This is a special one because we keep saying, I think last time we said you're in the home stretch, Joe, but you're in the home stretch. This is real. This is right before you cross the finish line. That's right. This is where you're sprinting. Let's start with the elephant in the room. That's the CAT in the room, which is this test is going to be different than other tests that you've taken. On an adaptive test, you can't go backwards, because this actually makes sense. It needs to adapt to you in real time depending on if you get the question right or wrong. So it's scoring you in real time. Therefore, since you chose it and you moved on, you can't go back and change your answer. What does adaptive mean? What's happening behind the scenes?

Well, basically, let's just pretend we're on question one. We're on question number one. If you get that question right, the engine, the CAT engine behind the scenes, is saying, "Oh, Joe got this question right, so I'm going to feed him a question that's slightly harder." You get that one wrong: "Oh, it's going to feed you a question that's slightly easier." That's what we mean by adaptive. So that's it. That's the whole thing. That's what's happening behind the scenes. If you were to open the hood of a CAT, how it basically works is it's trying to get you to a point where you get every other question wrong. So it's trying to get you, the average test taker, to basically where you're hovering or straddling something called a passing threshold. So basically what's happening is it's saying, at the end of this test, the minimum... how many questions, Joe, is the minimum on the test? 100. 100. Right. At question 100, is Joe completely above this passing threshold? And if you're above, you pass. If you're below at question 100, you fail. If you're straddling the line, what happens next, Joe? You get more questions. You get more questions. Up to how many? Up to 50 more. It can end at any point. It can be 101, it can be 102, 110, whatever. Now there's something unique about those questions from 101 to potentially 150 that's different from questions 1 to 100. Do you know the difference? I don't. There are no experimental questions. There are no experimental questions in 101 to 150. Okay. So what is an experimental question? I feel like I'm being used as a guinea pig here. You are. You actually are. What they do is they need to test out, you know, the validity of questions. So they give it to real test takers, and then they use that data. Say, is this a fair question? Are enough people getting it right? Not people getting it wrong? And then if it passes all the rounds of testing, it will show up on a future exam. Okay. The experimental question is unscored.

The thing is, you don't know which questions are experimental and which aren't. So you need to approach every question like it's the real deal. Okay, hold on. So in the first 100 questions, there are going to be some number of experimental questions. I'll tell you the number. Okay. What is it? Well, let me ask you, if you were a test maker, how many experimental questions would you put on the test? How many do you think is fair? Ten. That's what CompTIA does. About 10. About 10. This is ISC2. I bring up CompTIA to compare them to ISC2. CompTIA says 10. ISC2 says 25. 25? 25% of the questions are experimental. Wow is right. Yeah. So this is why people walk out of the test and they're like, what just happened? Right. They feel like they failed, even though they didn't. They feel floored. They feel confused. They're like, I didn't study that content. What happened? Right. Part of it is because they're throwing you experimental questions. And this is why it's so important not to spend too much time on one single question, because there's a 25% chance it actually doesn't matter. So I take 100 questions. Yes. 25 of them don't count. Correct. If I'm above the passing threshold with the 75 that do count. Correct. Test is over. Correct. When they feed you more questions from 101 to 150, they all count. It's all real. Okay. I think of it like overtime. Every question matters. Right. That could be the one question that puts you above or below. I like to tell people you should bank enough time to make sure you have more time towards the end of those questions. Okay. And you want to give yourself enough time in case you go to overtime, because all those questions are real. They impact your score so much. And you want to spend a lot of time on those questions since they're so important. What else do you want to know about the CAT? Maybe we should tell people what CAT stands for. Computer Adaptive Test. Yes. Yes.

And all it means is it's just adapting to you as a test taker, depending on whether you get a question right or wrong. Did we cover that? I don't know if we did. I can't remember. Now people know. Right. And also what you don't want to do: you don't want to look silly in front of your friends. You can't say CAT test or CAT exam. That's like an ATM machine. There you go. When are you taking your test? What day of the week? It's Monday. What time of the day? Three o'clock. Three thirty in the afternoon. Is it three or three thirty, Joe? It's three thirty. Okay. Three thirty to six thirty. Okay. I got the email today. Excellent. It might be a good idea to actually take your practice CAT on a Monday at three thirty. Okay. So you get used to, you know, like, are you hungry at that time? What is your body doing? You know, you can sort of, it's just a clever way to get you more ready for game day. I will eat lunch before I do this. Normally I don't eat lunch because I, you know, eat breakfast and then I don't get hungry again until like five o'clock. Yeah. Exactly. And you don't want to get hungry during the test, because then you're thinking about food and you're not thinking about the content. Right. Also about food: test day is not the time to experiment with that new Indian place that you're thinking about. Don't change your routine at all for exam day is what I would say. Okay. So just stick with what you normally would. Think of it as just another practice test. Yeah. That's how comfortable you want to be on exam day. Whether you love him or hate him, Tom Brady talks a lot about performing well on, you know, the biggest stage, the Super Bowl. And basically what he says is it's just another game. Right. It's not. Of course it's not, right? You can't trick yourself, but you have to trust all the reps you've put in.

And if you treat every moment during practice in the regular season as those high-stress moments, then when the real thing happens at the highest stakes, it's just going to feel like another one of those practice tests. Cool. Just as we wrap up here, Joe, and you're getting ready for test day, what questions do you have? There's nothing I'm wondering about. I'm just, you know, the thing is that one of the big things that I'm going to need to do is to try to focus and relax when I go in there. Yeah. And like you said, I've put the work in. Mm-hmm. I should be able to go in there and pass this test. It shouldn't really be a problem. Mm-hmm. And I've got to go in with that mindset and get to the mental state. Exactly. So Joe, yep, I am a betting man. Okay. I'm putting all my money on you. I know you're going to do it. Next time we talk, you will be, well, you have to go through the credential process, but you will be one step closer to being a CISSP. Okay. So good luck. I hope so.

[MUSIC] That's Sam Meisenberg and Joe Carrigan. Good luck, Joe.

[MUSIC] Quick question. Do your end users always work on company-owned devices and IT-approved apps? If the answer is no, then my next question is, how do you keep company data safe on all those unmanaged apps and devices? 1Password has an answer to this question: Extended Access Management. 1Password Extended Access Management helps you secure every sign-in for every app on every device, because it solves the problem traditional IAM and MDM can't touch. Check it out at 1password.com/xam. That's 1password.com/xam.

[MUSIC] This episode is brought to you by Shopify. Forget the frustration of picking commerce platforms when you switch your business to Shopify, the global commerce platform that supercharges your selling, wherever you sell. With Shopify, you'll harness the same intuitive features, trusted apps, and powerful analytics used by the world's leading brands. Sign up today for your $1 per month trial period at shopify.com/tech. All lowercase, that's shopify.com/tech.

[MUSIC] And finally, four months after a devastating ransomware attack on Change Healthcare, which handles prescription processing and community provider payments for the Department of Veterans Affairs, efforts to clear the backlog of payments to pharmacies and medical providers are ongoing. The February 21st cyber attack disrupted services at hospitals and clinics, including those under the Defense Department and the VA. Despite immediate disconnection from the affected networks and thorough system checks, the VA faced a significant backlog of claims and invoices for services and prescriptions. The attack caused delays in pharmacy services for some veterans and greatly impacted the companies managing the VA's network of community and non-network providers. This disruption led to over 1 million delayed pharmacy prescriptions and 6 million delayed invoices handled by Optum Public Sector Solutions and TriWest Healthcare Alliance. During a press conference, VA officials shared that the backlog of pharmacy prescriptions should be cleared by August, with payments completed by October 1st. They also aim to restore claims processing payments by July and regularize direct VA provider payments by February. Despite these challenges, officials reassured that patient care remains unaffected. Some providers have struggled due to delayed payments, but VA Secretary Denis McDonough emphasized that the Department prioritized payments to non-network providers, ensuring continuity of care. While the breach exposed some VA data, the full extent remains unclear, as Change Healthcare has not provided detailed information. Cyber attacks on the U.S. health care industry have increased significantly, with the Department of Health and Human Services noting a 256 percent rise over the past five years. In response, the VA has enhanced its IT security measures and continuous training for employees to prevent future attacks. It's frustrating to see our military veterans, who have sacrificed so much, caught up in the middle of this cyber attack.

[MUSIC] And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com. This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.