LockBit claims to have hit the Federal Reserve. CDK Global negotiates with BlackSuit to unlock car dealerships across the U.S. Treasury proposes a rule to restrict tech investments in China. An LA school district confirms a Snowflake related data breach. Rafel RAT hits outdated Android devices. The UK’s largest plutonium stockpiler pleads guilty to criminal charges of inadequate cybersecurity. Clearview AI settles privacy violations in a deal that could exceed fifty million dollars. North Korean hackers target aerospace and defense firms. Rick Howard previews CSOP Live. Our guest is Christie Terrill, CISO at Bishop Fox, discussing how organizations can best leverage offensive security tactics. Bug hunting gets a little too real.
Our 2024 N2K CyberWire Audience Survey is underway, make your voice heard and get in the running for a $100 Amazon gift card. Remember to leave us a 5-star rating and review in your favorite podcast app.
Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
Guest Christie Terrill, CISO at Bishop Fox, joins to discuss how organizations can leverage offensive security tactics not just as strategies to prevent cyber incidents, but as a critical component of a cyberattack recovery process.
Rick Howard sits down with Dave to share a preview of what’s to come at our upcoming CSOP Live event this Thursday, going beyond the headlines with our panel of Hash Table experts for an insightful discussion on emerging industry trends, recent threats and events, and the evolving role of executives in our field.
Selected Reading
LockBit claims the hack of the US Federal Reserve (securityaffairs)
Why are threat actors faking data breaches? (Help Net Security)
CDK Global outage caused by BlackSuit ransomware attack (bleepingcomputer)
US proposes rules to stop Americans from investing in Chinese technology with military uses (AP News)
Los Angeles Unified confirms student data stolen in Snowflake account hack (bleepingcomputer)
Ratel RAT targets outdated Android phones in ransomware attacks (bleepingcomputer)
Sellafield Pleads Guilty to Historic Cybersecurity Offenses (Infosecurity Magazine)
Sellafield nuclear waste site pleads guilty to IT security breaches (Financial Times)
Facial Recognition Startup Clearview AI Settles Privacy Suit (SecurityWeek)
New North Korean Hackers Attack Aerospace and Defense Companies (cybersecuritynews)
Spatial Computing Hack (Ryan Pickren)
Share your feedback.
We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.
Want to hear your company in the show?
You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Learn more about your ad choices. Visit megaphone.fm/adchoices
[Music] You're listening to the Cyberwire Network, powered by N2K. [Music] The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now, employees, apps, and networks are everywhere. This means poor visibility, security gaps, and added risk. That's why CloudFlare created the first-ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business. [Music] [Music] Blockbit claims to have hit the Federal Reserve. CDK Global negotiates with black suit to unlock car dealerships across the U.S. Treasury proposes a rule to restrict tech investments in China. An L.A. school district confirms a snowflake-related data breach. Rafael Rat hits outdated Android devices. The U.K.'s largest plutonium stockpiler pleads guilty to criminal charges of inadequate cybersecurity. Clearview AI settles privacy violations in a deal that could exceed $50 million. North Korean hackers target aerospace and defense firms. Rick Howard previews CSOP Live. Our guest is Kristi Terrell, Chief Information Security Officer at Bishop Fox, discussing how organizations can best leverage offensive security tactics. And bug hunting gets a little too real. [Music] It's Monday, June 24th, 2024. I'm Dave Bitner and this is your Cyberwire Intel Briefing. [Music] Happy Monday and thank you for joining us. It is great, as always, to have you here with us. The Lockbit ransomware group claims to have breached the U.S. Federal Reserve, stealing 33 terabytes of sensitive data, including Americans' banking information. They added the Federal Reserve to their Tor data leak site and threatened to release the data on June 25th. No sample data has been published yet. Lockbit's announcement detailed the Federal Reserve's role in managing money distribution across 12 banking districts in cities like New York, Chicago, and San Francisco. They mocked the negotiator handling the situation, calling them a clinical idiot, demanding a replacement within 48 hours. Experts are skeptical, suspecting the announcement may be a ploy for attention given the Federal Reserve's high-profile status. If true, a breach of this magnitude could, of course, have significant consequences. The Federal Reserve has yet to comment, and, of course, there's a good chance that this is nothing more than bluster and bravado from the Lockbit gang. HelpNet security commented on the recent string of threat actors making false claims. Hackers sell fake data primarily for financial gain, similar to peddling fake jewelry. Other motives include gaining notoriety, creating distractions, damaging reputations, manipulating stock prices, and uncovering security processes. For example, in March of this year, a Russian hacking group falsely claimed to hack epic games to gain visibility. Similarly, false breach claims like the one against Sony in September of last year can harm reputations despite being untrue. Hackers can use tools like chat GPT to generate convincing fake data. Organizations can combat fake breaches by monitoring the dark web, analyzing leaked data sets, preparing their workforce, keeping communication teams ready, deploying canary tokens, and using integrated security models like SASE to detect and block breaches in real time. Card dealerships across North America were thrown into chaos after CDK Global suffered a massive IT outage caused by the black suit ransomware gang. This disruption forced dealerships to revert dependent paper for operations, impacting sales, inventory, and customer service. Major dealership groups like Penske Automotive and Sonic Automotive reported significant disruptions and implemented manual workarounds. The black suit ransomware gang is behind the attack according to anonymous sources. CDK Global is negotiating with the gang to obtain a decryptor and prevent data leaks. The attack forced CDK to shut down its IT systems twice to contain the damage. Black suit, which emerged in May 2023, is believed to be a rebrand of the royal ransomware operation. The FBI and SISA have linked them to over 350 attacks and $275 million in ransom demands since September of 2022. CDK also warned of threat actors posing as its agents to gain unauthorized access. The Treasury Department proposed a rule to restrict and monitor U.S. investments in China for AI, computer chips, and quantum computing based on President Biden's August 2023 executive order. This aims to prevent countries of concern including China, Hong Kong, and Macau from enhancing their military and cyber capabilities with U.S. funds. The rule requires U.S. citizens and residents to report transactions in these areas and prohibits funding AI systems for military applications in China. President Biden also imposed tariffs on Chinese electric vehicles, highlighting political efforts to counter China. Treasury seeks public comments on the proposal until August 4th with a final rule expected afterward. Despite rising tensions, officials assert no intent to decouple from China. The Los Angeles Unified School District confirmed a data breach after threat actors accessed its snowflake account, stealing student and employee information. Snowflake is a cloud database platform used globally. Hackers began selling data from several companies, including the Los Angeles Unified School District, on hacker forums. A joint investigation by Snowflake, Mandiant, and CrowdStrike revealed that the threat actor, UNC 5537, exploited stolen credentials from organizations who weren't using multi-factor authentication, downloaded their data and attempted extortion. On June 18th, the hacker Spider listed LAUSD data for $150,000. Another hacker, Satanic, had earlier sold different LAUSD data. LAUSD is working with the FBI and SISA to investigate. Students, teachers, and staff should stay vigilant against potential phishing attacks using this leaked data. The open source Android malware Rafel Rat is being widely used by cyber criminals to attack outdated devices, often deploying a ransomware module demanding payment via Telegram. Researchers at Checkpoint detected over 120 campaigns using Rafel Rat, including those by known threat actors like APT C35, originating from Iran and Pakistan. High-profile organizations in the government and military sectors, mainly in the US, China, and Indonesia, are among the targets. Most victims run Android versions 11 or older, which are no longer receiving security updates. Rafel Rat spreads through fake apps mimicking popular brands and requests risky permissions during installation. It supports various commands, including ransomware and device lock. To defend against these attacks, users should avoid dubious APK downloads, avoid clicking on suspicious URLs, and use Play Protect. Sellafield Limited, the organization that manages the world's largest plutonium stockpile, has pleaded guilty to all charges related to cybersecurity failings from 2019 to 2023. The UK's Office for Nuclear Regulation confirmed the plea and stated there was no evidence of exploitation or hacking. A sentencing hearing is sent for August 8. The charges involve not adequately protecting sensitive IT network information, though public safety was reportedly not compromised. Despite past media claims of Russian and Chinese hacker intrusions dating back to 2015, Sellafield asserts these issues only emerged when external staff accessed its servers and reported vulnerabilities. Sellafield's cybersecurity is now described as robust by its lawyers. Clearview AI settled an Illinois lawsuit alleging privacy violations from its photo database in a deal potentially exceeding $50 million. The settlement offers plaintiffs a share of the company's future value with $20 million allocated for attorney fees. Preliminary approval was granted by Judge Sharon Johnson Coleman. The lawsuit, consolidating cases nationwide, claimed Clearview violated privacy by scraping photos from the Internet. Clearview previously settled a 2022 Illinois case stopping sales to private entities, but allowing work with law enforcement. Clearview denies liability in the current settlement. The agreement facilitated by mediator Wayne Anderson acknowledges Clearview's lack of funds for a larger payout. Privacy advocates criticize the deal for not stopping Clearview's practices. A campaign will notify eligible US plaintiffs with data in Clearview's database from July 2017 onward. Researchers from CyberArmor have uncovered a sophisticated malware campaign, NICKI, likely linked to North Korean hackers targeting aerospace and defense firms. This campaign uses job description lures to deliver a multi-stage attack, installing a powerful back door that provides remote access and data exfiltration capabilities. Indicators point to the Kim Suki group as the culprit. The back door employs advanced obfuscation techniques to evade detection. Coming up after the break, Rick Howard previews CSOP live, and our guest is Kristi Terrell, Chief Information Security Officer at Bishop Fox, discussing how organizations can best leverage offensive security tactics. Stay with us. ♪♪ ♪♪ When it comes to ensuring your company has top-notch security practices, things can get complicated fast. Vanta automates compliance for SOC 2, ISO 27001, HIPAA, and more, saving you time and money. With Vanta, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center. Over 7,000 global companies like Atlassian, Flow Health, and Quora use Vanta to manage risk and prove security in real time. Our listeners can claim a special offer of $1,000 off Vanta at Vanta.com/Cyber. That's V-A-N-T-A.com/Cyber for $1,000 off Vanta. ♪♪ Most of our listeners who deal with legacy privileged access management products know they tend to be expensive, difficult to deploy, and hard to use. Keeper security is the answer. Keeper's Zero Trust solution delivers password, secrets, and connection management in one easy-to-use platform. It's fast to deploy, agentless, clientless, and has no implementation fees. Plus, Keeper is FedRAMP authorized. That's why we trust Keeper to prevent breaches and gain full control over privileged users. Visit keeper.io/cyberwire to schedule a quick demo. That's keeper.io/cyberwire. And thanks to Keeper security for supporting our podcast. ♪♪ Christy Terrell is CISO at Bishop Fox. I recently caught up with her to discuss how organizations can best leverage offensive security tactics. Offensive security, which can be whittled down to more simple things like penetration testing, red teaming, those types of activities. Generally, people think of it as more proactive. You know, we're going to do these things periodically. X number of times per year upon requests. And it's all to find issues, you know, preferably before external parties and preferably before the bad guys find them. But what we're seeing is, you know, as things have sped up, and we do more frequent releases of apps and environments change, that these same types of activities are both needed more frequently. And when there is some type of attack or incident or breach, it can actually complement how a company can respond to that. Hmm. Well, before we get into the recovery process component here, can we talk about the frequency? I mean, how can an organization, as you say, in kind of this increased cadence, how do they dial in how often they should be doing these things? Well, the minimum bar has been for a long time, and I think still is annual testing, right? Something that customers often require of the B2B relationships, and it's something that's in lots of policies and frameworks. But because things are changing so frequently, there is much more of a need to have results more frequently. And so the type of testing actually has to change. It can't just be a single point in time, comprehensive, deep dive, analyze all the source code, you know, look at it kind of clean slate. You can't do that every month, every quarter, even every week, right? So I think the type of testing services or testing activities you could do for yourselves internally needs to be more looking at incremental changes, looking at data fees you could even get from the outside, looking at things from like emerging threats, just more comprehensive, but also looking at things at smaller chewable bites at once. >> And how does this fit into a compliance regime here? You mentioned that lots of folks are obligated to do something on an annual basis. Does this supplement that? >> Yes, I mean, it's actually, it won't, I would say it might not help you with some of the compliance requirements because they're always a little behind the times, and they still may have those kind of just do something annually, do something upon major release. But what you can do is whether you're working, you know, with a third party of that third party validation or doing some activities yourselves, you can still create an issue of those types of reports that then at least say, you know, what was found on what date and that you're fixing those things, right? Because let's just say you were doing testing that was once a quarter, and your obligation is only annual. There's various ways you could do that for compliance, right? You can give them the most recent quarterly assessment you could, you know, if someone's kind of an always on test, you could just get a point in time report. So there's various ways when we've dealt with this with our customers because we've been definitely thinking about that. But there's various ways that you could still provide the assurance for compliance purposes that you're doing the activities that they want while actually being ahead of the curve and doing things, you know, even more frequently and faster. >> And I suspect, wouldn't it be so that if you were doing these more frequently, when it comes time for that annual review, that it may help make that less of a heavy lift and maybe have there be fewer surprises? >> Absolutely. And typically for compliance purposes, what you do annually and what is usually provided by a third party that has a report and letter of assessment that goes with it is often what you're going to have to provide to your third parties and your own customers, right? And so, I mean, just from a point of pride perspective, you don't want to have a lot of things on that report. You prefer as an organization to identify and fix those earlier. >> Yeah, that's a really interesting point. Well, let's talk about the recovery process component of this. I mean, how does it play into that? >> Right. So, you know, my own experience and also that the Bishop Fox just to be clear is that we don't do the immediate triage of incident. We don't do immediate incident response. So, that's kind of not the perspective I have. It's just not the services that we provide. But we often get engaged with our clients when they are in those following days and weeks after an incident. And that's where we see how these services can be of help. So, I just want to make that caveat clear. Typically, when we're working with a customer, they've already been a previous customer of ours. They're not coming to us because they have a breach, right? So, we have a relationship with them. We already have paperwork with them. So, that's another kind of benefit of how we get to have a seat at the table to what they're going through. But let me use an analogy. Let's say that I live in New York City. So, this analogy is at least very apt for myself. Let's say you live in an apartment building. And there is a fire in a single apartment. It's obviously the immediate need for the fire department is to come out and put that fire out, right? You don't want that fire to spread. You don't want anyone to get harmed. There's imminent time sensitive things that have to happen. Immediately, you cannot wait to decide which fire department to call and go through analysis. You just have to get that issue fixed. So, let's say that gets fixed immediately. Fire is out. But often, there's not a question of what is the apartment building safe for residents to come back in? What was the cause of that fire? Was it because of a gas leak? That could be an issue for the whole building. Was it a single incident? Was it isolated? So, then there's actual work to be done of going through methodically through the building, by apartment perhaps, to really check that the building is truly safe and secure before you can say everyone can move back in, right? So, if you take that analogy, there's actually more work to be done in those, kind of, that gray area of, you've triaged the actual immediate incident, but there's a lot more work you now have to do to make sure that that same incident won't happen again. That's Kristi Terrell, Chief Information Security Officer at Bishop Fox. ♪♪ It is always a treat for me to welcome back to the show. My N2K Cyberwire colleague Rick Howard, he is our Chief Security Officer, also our Chief Analyst. Rick, welcome back. Hey, Dave. So, you and I usually talk about CSO Perspectives. You're a very popular podcast here on the show, but this week we've got something that's related but a little different. What's coming up here, Rick? Yeah, this is one of my favorite things we get to do. It's called CSO Perspectives Live. It's a webinar about an hour long. All right, and you know Dave, you do the news every day, and it comes fast and furious. Yeah, there's so many things that happen, right? It's tough to get your hands around what's going on. So, what this show does is it takes three -- well, two experts in me. I was going to say three experts, but -- right? And they pick a topic that -- a news item that they think is going to have the most impact, you know, from the last 90 days. And we can spend, you know, some time discussing the ramifications of it. So, it's really fun to do, and I love we get the opportunity to do it. Can you give us a little preview here? Who do you have lined up to be your experts? Yeah, these are two really old friends of mine. Don Capelli, she's the head of the OT cert for Dragoz. She's an original OG member of the Hashtable crew. And she's going to come in and talk about Volt Typhoon and the Russian hacktivist attacks on water utilities and give us some details there. That's going to be interesting. Yeah, I've had the pleasure of interviewing her a fan full of times, and it's always time well spent. She's amazing, right? Yeah. Really one of the smart people in the industry. And then right alongside her is Helen Patton, another old friend, another original Hashtable member. She's the cybersecurity executive advisor at Cisco. But, you know, I mention her all the time. She's working with me with the cybersecurity canon project. She's on the board there. And she's bringing this topic that, man, I hadn't thought about this, but it was -- I just started hearing inklings of it at the last RSA conference. She calls it the changing role of security leadership. And what's been floating around is that maybe the CISO -- that CISO job has become too big for one person. And maybe it's split into a technical role in a business role. And she's going to talk about the ramifications of that. That's intriguing. I know. Yeah. Maybe I'm glad I'm at the end of my career. I don't know how to mess with all that. Well, before I let you go, you mentioned the cybersecurity canon project. And you were just recently out that way at one of the canon events, right? Can you give us a little summary of your trip out? I believe it was Colorado, wasn't it? Yeah, it was at the Rocky Mountain Information Assurance Conference. And we gave the Hall of Fame Awards the two winners this year. Andy Greenberg for his book Tracers in the Dark and Dr. Eugene Spafford for his book Myths and Misconceptions. And I can't tell you what a fantastic job this is to be able to get on stage with those two brilliant people. I mean, Dr. Spafford, you know, he's one of the original cybersecurity founding fathers. Most of the things we think about now came from him, right? And Andy Greenberg, you know, he is a world-class cybersecurity journalist. Been writing for Wired magazine for almost a decade now. He's got two books in the Hall of Fame right now. And so, I mean, I just pinch myself sometimes. They let me do stuff like this. That's great. Yeah. Well, I mean, that's the cybersecurity canon. So for folks who are interested in checking that out, just search the regular places for cybersecurity canon? Yeah, absolutely. Ohio State University is a sponsor. So just look up canon that's one in. And Ohio State University, you'll find it. And there are book reviews for all the books we've considered for the Hall of Fame. So if you're looking to read a good book this year, don't read a bad one. And take a look at the book reviews first and make your choice. And then signing up for CSO Perspectives Live. Is that over on the Cyberwire website? Yes, it is. Go ahead and do that. You'll find it on the website. And it is. I mean, sure, I got the date right. 27 June at two o'clock Eastern Standard Time. All right. Terrific. Rick Howard is N2K Cyberwire's chief security officer and also our chief analyst. Rick, thanks so much for joining us. Thanks, Dave. ♪♪ Elevate your enterprise identity solutions with Strata. Seamlessly connect legacy apps to any identity provider, apply MFA effortlessly, and maintain identity continuity without disruptions. Strata reduces tech debt, enhances security, and provides a robust, efficient identity management system. Feel secure and efficient managing your identity infrastructure. Strata helps you streamline operations and ensure continuous identity availability. Visit strata.io/cyberwire, share your identity challenge, and receive a free set of AirPods Pro. Take control of your identity management today. Visit strata.io/cyberwire. And our thanks to Strata for being a longtime friend and supporter of this podcast. ♪♪ This episode is brought to you by Shopify. Forget the frustration of picking commerce platforms when you switch your business to Shopify. The global commerce platform that supercharges your selling, wherever you sell. With Shopify, you'll harness the same intuitive features, trusted apps, and powerful analytics used by the world's leading brands. Sign up today for your $1 per month trial period at Shopify.com/tech. I'll lowercase. That's Shopify.com/tech. ♪♪ And finally, imagine finding a bug that literally fills your room with bugs. Well, that's exactly what happened with a new exploit researcher Ryan Pickren discovered in VisionOS Safari, running on Apple's Vision Pro headset. The bug allows a malicious website to bypass all warnings and fill your room with animated 3D objects, like crawling spiders and screeching bats. When Apple announced the Vision Pro, they touted its impressive privacy protections. But while exploring the technology, Ryan Pickren found an overlooked loophole in an old 3D model viewing standard. By using Apple's ARKit Quick Look, he could force Safari to spawn these objects without any user interaction. The kicker? These objects persist even after closing Safari. The exploit is simple. Using JavaScript to autoclick a hidden link, he could flood the victim's space with 3D models. Imagine hundreds of spiders crawling around your room with no easy way to get rid of them except by physically tapping each one. Ryan Pickren reported the bug to Apple, and they assigned it a CVE and paid him a bug bounty. The discovery highlights the need for a more nuanced approach to vulnerability triaging in the era of spatial computing. As we venture into hyper-realistic mixed reality, our threat models must evolve to consider the deeply personal nature of these devices. So, next time you find yourself donning the Vision Pro, beware of unexpected visitors. While virtual reality is designed to be immersive, nobody wants their home turned into a digital haunted house filled with virtual bugs and screeching bats. It's like an episode of Black Mirror, but with more spiders. Happy bug hunting! [Music] And that's the Cyberwire. For links to all of today's stories, check out our daily briefing at TheCyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K Cyberwire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's pre-eminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at N2K.com. This episode was produced by Liz Stokes, our mixer is Trey Hester, with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Ivan, our executive editor is Brandon Karp. Simone Petrela is our president, Peter Kiltby is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here, tomorrow. (music) (music) (music) (music) (music) (music) This September 18th and 19th in Denver, a tight community of leading experts is gathering to tackle the toughest cyber security challenges we face. It's happening at M-Wise, the unique conference built by practitioners for practitioners. Brought to you by Mandiant, now part of Google Cloud, M-Wise features one-to-one access with industry experts and fresh insights into the topics that matter most, right now, to frontline practitioners. Register early and save at M-Wise.io/Cyberwire. That's M-Wise.io/Cyberwire. (music)
