Archive.fm

CyberWire Daily

Cyberattack calls for an early dismissal.

Thousands of education sector devices have been maliciously wiped after an attack on a UK MDM firm. A perceived design flaw in Microsoft Authenticator leaves users locked out of accounts. SharpRhino charges ahead to deploy ransomware. North Korea's Stressed Pungsan provides initial access points for malware distribution. Magniber ransomware targets home users and SMBs. Google patches an Android zero-day. A new Senate bill aims to treat ransomware as terrorism. Microsoft ties security to employee compensation. Guest Kim Kischel, Director of Cybersecurity Product Marketing at Microsoft, discusses how AI is impacting the unified security operations center. A victim of business email compromise gets some good news.

Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

Guest Kim Kischel, Director of Cybersecurity Product Marketing at Microsoft, discusses how AI is impacting the unified security operations center and how it's changing the way defenders defend.

Selected Reading

Over 13,000 phones wiped clean as cyberattack cripples Mobile Guardian (CSO Online)

Design Flaw Has Microsoft Authenticator Overwriting MFA Accounts, Locking Users Out (Slashdot)

Network Admins Beware! SharpRhino Ransomware Attacking Mimic as Angry IP Scanner (Cyber Security News)

North Korean Hackers Attacking Windows Users With Weaponized npm Files (Cyber Security News)

Surge in Magniber ransomware attacks impact home users worldwide (Bleeping Computer)

Google Patches Android Zero-Day Exploited in Targeted Attacks (SecurityWeek)

Intelligence bill would elevate ransomware to a terrorist threat (CyberScoop)

Microsoft is binding employee bonuses and promotions to security performance (TechSpot)

Police Recover Over $40m Headed to BEC Scammers (Infosecurity Magazine)

Share your feedback.

We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show?

You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Duration:
27m
Broadcast on:
06 Aug 2024
Audio Format:
mp3


- You're listening to the CyberWire Network, powered by N2K.

- My dad works in B2B marketing. He came by my school for career day and said he was a big ROAS man. Then he told everyone how much he loved calculating his return on ad spend. My friends are still laughing at me to this day.

- Not everyone gets B2B, but with LinkedIn, you'll be able to reach people who do. Get $100 credit on your next ad campaign. Go to linkedin.com/results to claim your credit. That's linkedin.com/results. Terms and conditions apply. LinkedIn, the place to be, to be.

- Identity architects and engineers, simplify your identity management with Strata. Securely integrate non-standard apps with any IDP, apply modern MFA, and ensure seamless failover during outages. Strata helps you avoid app refactoring and reduces legacy tech debt, making your identity systems more robust and efficient. Strata does it better and at a better price. Experience stress-free identity management and join industry leaders in transforming their identity architecture with Strata. Visit strata.io/cyberwire, share your identity challenge and get a free set of AirPods Pro. Revolutionize your identity infrastructure now. Visit strata.io/cyberwire. And our thanks to Strata for being a long-time friend and supporter of this podcast.

- Thousands of education sector devices have been maliciously wiped after an attack on a UK MDM firm. A perceived design flaw in Microsoft Authenticator leaves users locked out of accounts. SharpRhino charges ahead to deploy ransomware. North Korea's Stressed Pungsan provides initial access points for malware distribution. Magniber ransomware targets home users and SMBs. Google patches an Android zero-day. A new Senate bill aims to treat ransomware as terrorism. Microsoft ties security to employee compensation. Our guest is Kim Kischel, Director of Cybersecurity Product Marketing at Microsoft, discussing how AI is impacting the unified security operations center. And a victim of business email compromise gets some good news.

It's Tuesday, August 6th, 2024. I'm Dave Bittner and this is your CyberWire Intel Briefing.

Thank you for once again joining us here today. It is great to have you with us.

A massive cyber attack on Mobile Guardian, a UK-based mobile device management firm, has disrupted schools and businesses globally, affecting North America, Europe and Singapore. Thousands of iOS and ChromeOS devices were remotely wiped, causing data loss. The company is investigating and has temporarily halted services. The attack severely impacted Singapore's education sector, with about 13,000 students from 26 secondary schools unable to access applications on their iPads and Chromebooks. Singapore's Ministry of Education removed the Mobile Guardian app as a precaution and is working to restore device functionality. The attack underscores vulnerabilities in educational systems and the need for stronger cybersecurity measures, including multi-factor authentication and regular security audits, to protect critical infrastructure from sophisticated cyber threats.

As multi-factor authentication becomes more prevalent, users increasingly rely on apps like Microsoft Authenticator to secure their accounts. CSO Online highlights what they describe as a significant design flaw that causes users to be locked out of their accounts. The problem arises when users add a new account via QR code scan, a common setup method, leading to Microsoft Authenticator overwriting accounts that share the same username. This occurs because the app fails to append the issuer's name to the username, unlike other authenticator apps such as Google Authenticator. This oversight means that users frequently encounter issues when accessing their accounts, often blaming the company issuing the authentication rather than recognizing the flaw within Microsoft Authenticator. This misunderstanding results in wasted help desk resources as companies attempt to resolve an issue beyond their control. Experts have noted that this issue has persisted since the app's release in 2016, despite the availability of workarounds such as using alternative authentication apps or manually entering codes. The problem highlights a significant gap in Microsoft's design approach. Critics argue that Microsoft's decision not to align with industry standards, which would prevent such overriding issues, reflects a lack of consideration for user experience. The situation highlights the importance of designing software with both security and usability in mind.

Ransomware-as-a-service group Hunters International has developed SharpRhino, a new C# malware used as an initial infection vector and persistent remote access Trojan. Delivered via a typosquatting domain mimicking Angry IP Scanner, SharpRhino increases privileges and moves laterally to deploy ransomware. Hunters International emerged in October 2023 and ranks among the top 10 ransomware actors. Strongly linked to the defunct Hive group, it uses a Rust-based encryptor to lock files with the .locked extension after exfiltration. SharpRhino disguises itself as a legitimate network tool using a valid code certificate. It communicates with a Cloudflare serverless architecture endpoint, the command and control infrastructure, using obfuscated C# code and fileless malware tactics.

GuardDog Software identified two malicious packages in PyPI and npm linked to a North Korean-aligned threat actor cluster known as Stressed Pungsan, aligning with Microsoft's Moonstone Sleet. These packages serve as initial access points for malware distribution, facilitating data exfiltration, credential theft and lateral movement within targeted environments. On July 7th of this year, an npm user named nagasiren978 uploaded files which downloaded malware from a North Korean command and control server, using malicious batch scripts and DLLs to target Windows systems. These packages employed a pre-install script to download and execute a DLL using the rundll32 utility and then self-destruct to avoid detection. Analysis revealed these packages impersonated legitimate ones by mimicking their names. The downloaded DLL appeared benign, suggesting it might be an incomplete version or part of testing, indicating possible experimentation by the threat actors.

The Magniber ransomware campaign is aggressively targeting home users worldwide, encrypting devices and demanding ransoms starting at a thousand dollars. Magniber, which began in 2017 as a successor to the Cerber ransomware, has used various methods over the years, including exploiting Windows zero-days, fake updates and trojanized software cracks. This ransomware mainly targets individual users and small businesses who unwittingly download and execute malicious software. Recent spikes in Magniber activity have been noted since July 30th, with victims reporting infections after using software cracks or key generators. Once activated, Magniber encrypts files and leaves a ransom note with a URL to a Tor site for payment. Currently there's no free decryptor for Magniber's latest versions. Users are advised against using illegal software cracks as they pose significant security risks, but you already knew that.

Google announced its August 2024 security patches for Android, addressing over 40 vulnerabilities including a zero-day flaw. This high-severity kernel vulnerability, potentially exploited in targeted attacks, can lead to remote code execution with system privileges. Discovered by Google's Clément Lecigne, it involves a use-after-free condition. Other patched vulnerabilities affect the framework, system, Arm, Imagination Technologies, MediaTek and Qualcomm components, including one critical Qualcomm flaw allowing a permanent denial of service condition. These updates aim to enhance Android security against privilege escalation, information disclosure and denial of service attacks.

A new proposal from the Senate Intelligence Committee aims to combat ransomware by treating it like terrorism. Sponsored by Mark Warner, Democrat from Virginia, the bill seeks to name and shame ransomware gangs as hostile foreign cyber actors and designate countries that harbor them as state sponsors of ransomware, allowing sanctions similar to those for terrorism. This would be the first US law directly linking ransomware to terrorism. The bill is intended to elevate ransomware to a national intelligence priority, empowering US agencies to act more aggressively against threats. However, experts question its effectiveness, noting that ransomware groups and their state sponsors are often already under sanctions and questioning if new ones would have any real impact. Critics argue the bill might be more symbolic than practical, signaling Washington's commitment to addressing ransomware attacks.

To address recent criticism for security issues in its products, Microsoft is now linking security performance to employee reviews and compensation. An internal memo from Microsoft's Chief People Officer, Kathleen Hogan, outlines a new security core priority policy, emphasizing security over other considerations. Lack of focus on security may impact promotions, salary increases and bonuses. Employees are expected to integrate security into their work and demonstrate improvement in performance reviews, tracked through the company's Connect tool. This initiative extends to all roles, with executives having security deliverables tied to their reviews. The policy aims to solidify Microsoft's security-first mindset across its workforce, crucial for maintaining trust in its software and services around the world.

Coming up after the break, my conversation with Kim Kischel, Director of Cybersecurity Product Marketing at Microsoft. We're discussing how AI is impacting the unified security operations center. Stay with us.

- Enterprises today are using hundreds of SaaS apps. Are you reaping their productivity and innovation benefits, or are you lost in the sprawl? Enter Savvy Security. They help you surface every SaaS app, identity and risk so you can shine a light on shadow IT and risky identities. Savvy monitors your entire SaaS attack surface to help you efficiently eliminate toxic risk combinations and prevent attacks. So go on, get Savvy about SaaS and harness the productivity benefits. Fuel innovation while closing security gaps. Visit savvy.security to learn more.

- The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now, employees, apps and networks are everywhere. This means poor visibility, security gaps and added risk. That's why Cloudflare created the first-ever Connectivity Cloud. Visit cloudflare.com to protect your business everywhere you do business.

- Kim Kischel is Director of Cybersecurity Product Marketing at Microsoft. I recently caught up with her to discuss how AI is impacting the unified security operations center.

- I think AI, to start us off, is fundamentally changing the game for security as an industry, and I think that goes on both sides, the adversaries as well as the defenders on the other side. And with that comes a tremendous amount of opportunity. And the way I like to talk about it from the defender side is, AI is really, we're at the early stages, but it's really exciting what we're already starting to see, because it's really changing security on two fronts. It's one, how are we building AI into the solutions to drive effectiveness, to have this inherent better protection for security teams? And then secondly, how are we giving generative AI to security operations teams to uplevel their own skill set effectively?

- Can you give us some specific examples of where you think AI is best suited to amplify the capabilities of a security operations team?

- Yeah, absolutely. We've been for years talking about the security skills gap. That is only one example. I think the latest number is somewhere around 3.5 million unfilled jobs, but also most organizations will tell you that the security team, security operations team, can never be big enough. That's really where Gen AI can come in and really help. And a couple of examples: information is critical to responding to attacks effectively, to understand really the end-to-end impact of an attack. And often that means really hunting into the details of the signal and writing complex scripts to sometimes understand that data. And that's one great example where Gen AI can come in and use natural language to say, this is what I'm trying to do, and have Gen AI ultimately generate those scripts for you. And just turn them around in seconds, where that can take hours sometimes for even more seasoned security operations teams to write them.

- Do you understand a little bit of the hesitancy that some folks have here? I mean, there's certainly no shortage of hype when it comes to AI. And I imagine a lot of folks are careful about separating that hype from the reality.

- Absolutely. Gen AI, or AI in general, is a technology that we're going to have to prove out and actually showcase that it works. And one other example of, we just talked about, hey, what are the tools that we're helping upskill AI? But the other side that I mentioned earlier is really, well, how are we using AI to build better tools and to build better protection? And I think that's where we're really heading into the direction of what I would refer to as better autonomous protection. So ultimately, how can we use AI to respond more effectively to the sophistication of attacks that we're seeing? And that's really where a unified approach is so important. One, really unifying all of the security tools, and our research shows that organizations have somewhat close to 80 tools still that operate in silos. And unification is going to be key for AI to really work effectively. And one example that I love to give here, as I talked about autonomous protection for a second, is, in a unified approach, signals are correlated and shared by design, which is really that fundamental shift in communication of the tools between themselves, if you will. And where autonomous protection comes in is recognizing active attack patterns that aren't just specific to one asset type, right? Attackers don't think in silos. They don't just look at your endpoints. They try to move across the various asset types. And one great example here that we have from a recent customer that we saw is where the attacker had access to domain admin accounts. It was an attack that lasted over several waves for about three and a half hours, with a goal of ransoming, ultimately, encrypting the device. But it started from the identity. And here where AI came in was it recognized the patterns of the attack. And we were looking at an estate of about 4,000 devices all up. And what happened was that the unified approach to security here with this autonomous protection was able to save 99% and 99.6% of all devices. So it's a great example for how AI can be the difference between something that's maybe a little bit annoying, right? We had 0.4% of devices that you had to bring back into a healthy state and bring them back online, versus the entire company losing productivity and being encrypted.

- What are your recommendations for best practices for folks to get started with this? Or are there particular places or strategies that are best to start that integration process?

- Yeah, of course. So I think the first key to this is really look for that unified approach of your security solutions estate, which vendors, ultimately, can offer one broad, native breadth when it comes to extended detection and response, or XDR for short. But then within the same tool set, complement that with a SIEM solution that ultimately allows you to bring in any kind of security-relevant data from within your network. And breaking down those silos of how the tools work together is going to be the first fundamental step. And then secondly, it's really about how do you improve the communication between the various teams that you need to make security work in your organization? Here, one of my favorite examples is when you think about identity, the security operations team, they're going to be at the front line of detecting threats and detecting identity attacks, which are so prevalent today. But then that information needs to seamlessly flow to that identity admin team so they can really adjust the controls that define how does access work in my organization. And in many companies, we still see that as a starting point. A, unify your tool set. And B, create more seamless communication flows between the teams that you need to uplevel your defenses.

- You mentioned that we're still kind of in early days with this sort of thing. Do you have any sense for where this might be headed? What the future might look like for these sorts of tools?

- I mean, I can only speculate, of course, and speak a little bit to what I know that Microsoft is doing on that front. But I think, like I said, we're at the beginning of AI, but we're already seeing the significant impact that it's having. For Gen AI, it's really all about, to me, how do we reduce the mean time to respond, right, for security teams themselves? How do we enable them with AI-powered capabilities to ultimately understand attacks faster and respond more effectively? And I think, at the end of the day, that's what security operations teams care about. It's really bringing down that mean time to respond. And then secondly, I think unification is going to be the number one key for AI to get more and more effective and really drive towards that more autonomous protection, which is in no way to say we're going to be able to work with super skilled security operations teams, but it's just how do we help them? How do we help defenders with building capabilities that are smart enough to respond to some of the most sophisticated attacks?

- That's Kim Kischel, Director of Cybersecurity Product Marketing at Microsoft.

- And now a message from BlackCloak. What's the easiest way for threat actors to bypass your company's cyber defenses? Targeting your executives at home. That's because 87% of executives use personal devices to conduct business, often with zero security measures in place. Once execs leave your organization's secure network, they become easy targets for hijacking, credential theft, and reputational harm. Close the at-home security gap with BlackCloak concierge cybersecurity and privacy, award-winning 24/7/365 protection for executives and their families. Learn more at blackcloak.io.

- Whoa, landing an account this big totally changed my landscaping business. It's going to mean hiring more guys and more equipment and new trucks for the new guys to drive the new equipment in. I don't know if I'm ready.

- You can do this. And Ford Pro FinSimple can help. Our experts are ready to make growing pains less painful for your business with flexible financing solutions that meet the needs of your business today, when you need them. Get started at FordPro.com/financing.

- And finally, it's nice to be able to share good news from time to time. A Singaporean commodity firm narrowly escaped a significant loss when police intervened to recover nearly all of the $42.3 million taken in a business email compromise scam. Interpol reported that the firm mistakenly transferred the funds to a bank account on July 15th after receiving a fraudulent email that appeared to be from a legitimate supplier. The scam was discovered four days later when the actual supplier reported non-payment. The Singapore Police Force utilized Interpol's Global Rapid Intervention of Payments to track and withhold $39 million from the scammer's account. Authorities arrested seven individuals and recovered an additional $2 million. Interpol praised the swift cooperation between local law enforcement agencies in recovering the funds and identifying the perpetrators. BEC scams netted over $2.9 billion in 2023, underscoring the importance of such international collaboration.

And that's the CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben, our executive editor is Brandon Karpf. Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

- Quick question. Do your end users always work on company-owned devices and IT-approved apps? If the answer is no, then my next question is, how do you keep company data safe on all those unmanaged apps and devices? 1Password has an answer to this question: Extended Access Management. 1Password Extended Access Management helps you secure every sign-in for every app on every device, because it solves the problem traditional IAM and MDM can't touch. Check it out at 1Password.com/XAM. That's 1Password.com/XAM.