
CyberWire Daily

When updates attack.

CrowdStrike releases a postmortem. LoanDepot puts a multimillion dollar price tag on their ransomware incident. RHADAMANTHYS info stealer targets Israelis. Zola ransomware is an advanced evolution of the Proton family. Firefox fixes several high-severity vulnerabilities. Researchers at Certitude uncover a vulnerability in Microsoft 365’s anti-phishing measures. Threat actors exploit legitimate anti-virus software for malicious purposes. Samsung’s new bug bounty program offers rewards up to a million dollars. Guest Adam Marré, CISO at Arctic Wolf, joining us to share his observations on the ground at Black Hat USA 2024. Ransomware gangs turn the screws and keep up with the times.

Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.


CyberWire Guest

Guest Adam Marré, CISO at Arctic Wolf, joining us to share his observations as our man on the street from Black Hat USA 2024.


Selected Reading

CrowdStrike Publishes Technical Root Cause Analysis of Faulty Falcon Update (Cyber Security News)

Ransomware Attack Cost LoanDepot $27 Million (SecurityWeek)

RHADAMANTHYS Stealer Weaponizing RAR Archive To Steal Login Credentials (Cyber Security News)

New Zola Ransomware Using Multiple Tools to Disable Windows Defender (GB Hackers)

Firefox Patches Multiple High Severity Vulnerabilities (Cyber Security News)

Exploring Anti-Phishing Measures in Microsoft 365 (Certitude Blog)

Hackers Hijack Anti-Virus Software Using SbaProxy Hacking Tool (Cyber Security News)

Samsung to pay $1,000,000 for RCEs on Galaxy’s secure vault (Bleeping Computer)

Turning the screws: The pressure tactics of ransomware gangs (Sophos News)


Share your feedback.

We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.


Want to hear your company in the show?

You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Duration: 26m
Broadcast on: 07 Aug 2024
Audio Format: mp3


You're listening to the CyberWire Network, powered by N2K.

- This episode is brought to you by Shopify, whether you're selling a little, or a lot. Shopify helps you do your thing, however you cha-ching. From the "launch your online shop" stage, all the way to the "we just hit a million orders" stage. No matter what stage you're in, Shopify's there to help you grow. Sign up for a $1 per month trial period at Shopify.com/specialoffer, all lowercase. That's Shopify.com/specialoffer.

- Identity architects and engineers, simplify your identity management with Strata. Securely integrate non-standard apps with any IDP, apply modern MFA, and ensure seamless failover during outages. Strata helps you avoid app refactoring and reduces legacy tech debt, making your identity systems more robust and efficient. Strata does it better and at a better price. Experience stress-free identity management and join industry leaders in transforming their identity architecture with Strata. Visit strata.io/cyberwire, share your identity challenge, and get a free set of AirPods Pro. Revolutionize your identity infrastructure now. Visit strata.io/cyberwire, and our thanks to Strata for being a long-time friend and supporter of this podcast.

CrowdStrike releases a post-mortem. LoanDepot puts a multi-million dollar price tag on their ransomware incident. Rhadamanthys info-stealer targets Israelis. Zola ransomware is an advanced evolution of the Proton family. Firefox fixes several high severity vulnerabilities. Researchers at Certitude uncover a vulnerability in Microsoft 365's anti-phishing measures. Threat actors exploit legitimate antivirus software for malicious purposes. Samsung's new bug bounty program offers rewards up to a million dollars. Our guest is Adam Marré, CISO at Arctic Wolf, joining us to share his observations on the ground at Black Hat USA 2024. And ransomware gangs turn the screws and keep up with the times.

It's Wednesday, August 7th, 2024. I'm Dave Bittner and this is your CyberWire Intel Briefing.

Thanks for joining us here today. As always, it is great to have you with us.

CrowdStrike has released a detailed analysis of the Falcon sensor update issue that occurred on July 19th, causing system crashes for millions of Windows users. The problems stemmed from a mismatch between the expected input fields for the sensor's content interpreter and those provided by a new template type introduced in February. Specifically, the IPC template type required 21 input fields, but the sensor only supplied 20, a discrepancy missed during development due to the use of wildcard matching criteria. The issue was triggered when a non-wildcard criterion was deployed, causing an out-of-bounds memory read and resulting in crashes. CrowdStrike's report outlines several mitigations, including implementing compile-time validation, adding runtime checks, expanding testing, correcting logic errors and introducing staged deployments. They're also providing customers with control over updates. As of July 29th, 99% of affected Windows systems were back online, with a hotfix expected by August 9th. Two independent reviews of the Falcon sensor code have been commissioned by CrowdStrike.

LoanDepot reported nearly $27 million in costs from a ransomware attack disclosed in January. The breach potentially compromised personal details of over 16 million individuals, including Social Security and financial account numbers. Expenses include investigation, remediation, customer notifications, identity protection, legal fees and litigation settlements. A $25 million accrual was recorded for class action litigation related to the incident. The ALPHV/BlackCat ransomware group claimed responsibility.

A new cyber campaign has emerged targeting Israeli users, showcasing the Rhadamanthys information stealer, a sophisticated malware developed by Russian-speaking cyber criminals. Offered as malware-as-a-service, Rhadamanthys is adept at data exfiltration, employing an intricate infection chain. The attack uses social engineering tactics, sending Hebrew phishing emails impersonating notifications from Calcalist and Mako. These emails exploit urgency and fear by falsely alleging copyright infringement, prompting users to act quickly. The emails include a locked RAR archive containing a suspicious executable named copyrightinfringingimages.exe in Hebrew. Once executed, Rhadamanthys employs anti-analysis tactics to avoid detection and injects code into legitimate Windows processes, persisting through registry modifications. It steals credentials, browsing history, cryptocurrency info and system details, communicating with its C2 server over HTTPS. The malware also acts as a downloader for additional payloads.

Zola ransomware is the latest evolution of the Proton family, first appearing in March of 2023. Discovered by Acronis researchers, Zola uses advanced techniques to disable Windows Defender and employs various hacking tools for privilege escalation, network reconnaissance and credential theft. It distinguishes itself with features like a single mutex to prevent simultaneous execution, administrative rights verification and a Persian-language-based kill switch. Zola's preparation includes generating victim IDs, modifying registry values, disabling recovery options and killing 137 processes and 79 services to remove security measures. The ransomware employs the ChaCha20 algorithm for encryption and uses Crypto++ for cryptographic functions, while falsely claiming AES and ECC encryption in ransom notes. An anti-forensics measure fills the disk with uninitialized data to hinder recovery and forensic analysis. Zola is available in x86 and x64 versions, targeting a wide range of systems and retaining much of Proton's core functionality. Future variants are expected to continue this pattern of rebranding.

Mozilla has released Firefox 129, addressing several high severity vulnerabilities to enhance browser security. The update fixes critical issues like out-of-bounds memory access and graphics handling, which could lead to memory corruption and sandbox escapes. Other vulnerabilities include obscuring full-screen notification dialogs, incomplete WebAssembly exception handling and use-after-free in JavaScript and IndexedDB. These flaws pose risks of spoofing, unauthorized data access and memory corruption. Mozilla advises users to update Firefox immediately to ensure a safer browsing experience.

Researchers at Certitude recently uncovered a vulnerability in Microsoft 365's anti-phishing measures. They discovered a way to bypass the First Contact Safety Tip, a feature that alerts Outlook users when they receive an email from an unfamiliar sender. This alert is inserted into the email's HTML body, but attackers can manipulate its appearance using CSS. By changing the background and font colors to white, the warning becomes invisible to the user. The team at Certitude demonstrated how attackers could further exploit this vulnerability by spoofing the icons that indicate encrypted and signed emails. By altering the HTML code and using Unicode characters to prevent Outlook from recognizing email addresses, they made phishing attempts appear legitimate. Despite Certitude's proof of concept and advisories submitted through the Microsoft researcher portal, Microsoft chose not to address the issue.

Researchers at LevelBlue Labs have identified a new tactic used by threat actors to exploit legitimate antivirus software for malicious purposes. The attack uses a tool called SbaProxy, which disguises itself as a legitimate antivirus component to establish proxy connections via a command and control server. SbaProxy is distributed in various formats, such as DLLs, EXEs, and PowerShell scripts, and can easily evade detection due to its legitimate appearance and valid certificates. The attackers modify antivirus binaries like those from Malwarebytes and Bitdefender, maintaining their benign appearance. Malicious binaries signed with valid certificates bypass security checks, making detection challenging. LevelBlue Labs discovered that these binaries execute XOR-encrypted shellcode and establish C2 communication by hijacking antivirus functions. The lab developed detection methods, including Suricata IDS signatures, to identify this threat, with indicators of compromise available.

Samsung has launched the Important Scenario Vulnerability Program, ISVP, a new bug bounty initiative for its mobile devices, offering rewards of up to $1 million for critical vulnerabilities. The program focuses on issues like arbitrary code execution, device unlocking, data extraction, and bypassing protections. Device unlocks with full data extraction can earn $400,000. The program aims to improve security by incentivizing reports of significant vulnerabilities. Samsung says they've paid over $800,000 in 2023, and they aim to surpass previous records with ISVP. Since 2017, Samsung has awarded nearly $5 million in bug bounties.

Coming up after the break, Adam Marré from Arctic Wolf joins us to share his observations from Black Hat USA. Stay with us.

- Enterprises today are using hundreds of SaaS apps. Are you reaping their productivity and innovation benefits? Or are you lost in the sprawl? Enter Savvy Security. They help you surface every SaaS app, identity and risk so you can shine a light on shadow IT and risky identities. Savvy monitors your entire SaaS attack surface to help you efficiently eliminate toxic risk combinations and prevent attacks. So go on, get savvy about SaaS and harness the productivity benefits. Fuel innovation while closing security gaps. Visit savvy.security to learn more.

- The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now employees, apps and networks are everywhere. This means poor visibility, security gaps and added risk. That's why Cloudflare created the first ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business.

- It is always my pleasure to welcome back to the show Adam Marré. He is Chief Information Security Officer at Arctic Wolf. And today he is joining us live from the Black Hat Conference in beautiful, warm Las Vegas. Adam, thanks for taking the time for us today.

- Yes, coming to you live from the blast furnace here in Vegas. It is 111 degrees, or will be today. So it's great to be here.

- Yeah, well, thanks for joining us. And before we begin, for folks who aren't familiar with Black Hat or have never had the privilege of going to attend that conference, can you kind of compare and contrast it to some of the other shows? I mean, how is it different from the RSA Conference and what is it about it that makes it worth your time?

- Yeah, it's a great question. Well, we lovingly refer to this time in Vegas as hacker summer camp, because combined with Vegas BSides and DEF CON, it's really a conference where people talk a lot more in depth about the technology, about different vulnerabilities, how they can be exploited, and things really of that nature, which is a little bit different than RSA, which has come to be a little bit more of a vendor or business conference, which is also great and has its own strengths. But it's really fun to come here, especially for us practitioners, to talk about things in security operations centers, pen testers, hackers, all of that, and to get together. And there's even a lot of hands-on classes that happen in the various conferences, so people can up-level their skills and get a chance to see some really interesting cutting edge things.

- What's your sense of the overall spirit of folks as they're coming into this conference here? Are people in a good mood, or what's your take?

- Well, the feeling is always exciting when you come here, because a lot like summer camp, you get to see colleagues you haven't seen in a long time and catch up with people. I saw a gentleman I haven't seen in two and a half years, and we got to catch up for a minute. So there's all of that. So there's generally a lot of excitement in that way. But also this year, there's so many things happening, especially right now, right before and during this conference, that there is a high level of excitement. And I think people are looking forward to a lot of the talks to talk about things like election security and AI and all of that. I'm sure we'll get into that, but that's what the vibe is for me around; it feels very exciting here.

- You know, one of the challenges that folks face with a conference like this is time management. There's always, you know, so much you want to see, but only so much time. How do you approach that? How do you prioritize the things that you're going to be able to spend your time on?

- Yeah, it's a really great question, especially for security leaders and executives trying to balance, you know, meeting with customers, meeting with various vendors, the media, but then also being at the conference and attending the sessions and some of the closed door sessions that they have in association with the conference. So it's always a balancing act. I like to get the pass where I also get the digital version so I can watch some of the shows or some of the talks that I might miss later. And then really just have to prioritize what's most important to me at the time. Sometimes it's more important to be out there, you know, talking with various vendors and potential and current customers. And sometimes it's more important to really sit down and digest and get as much as I can out of the conference live as possible. So it really depends on the year and it depends on the person and what your focus is.

- What are the hot topics that you're seeing heading into this year's Black Hat? I mean, is AI still at the top of everybody's list?

- Yes, it is, but it's interesting right now, the keynote that's going on, I'll be stepping into as soon as I'm done talking to you, is all about election security. Jen Easterly from CISA's here and talking about the security situation that everyone faces around the world, their elections around the world this year, not just this big one in the United States. And so I'm really interested to hear what the latest is on that, you know, according to our own research at Arctic Wolf, we know that so many municipalities and districts are woefully unprepared or feel like they're woefully unprepared for this. So that's something really interesting and it really does blend into the AI discussion because I'm looking forward to a lot of the talks about how, you know, white hat hackers and researchers are looking into making the LLMs that are so ubiquitous out there now that people are using those tools, using those to do things that, you know, maybe they weren't intended for and getting them to spit out information that maybe they shouldn't. I'm also interested to hear about, you know, spread of misinformation that these AI tools are using and that in conjunction with the elections. So, you know, election security is kind of going throughout the conference. And of course it wouldn't be a conference today without a major focus on AI. So as I said, I'm really interested in hearing the talks about that. And also, I think I see a surprising number of sessions this year on how AI is being used by teams to improve their cybersecurity and improve like their security operations and vulnerability management programs. So I'm interested to hear how, you know, some of the top level teams and organizations are using AI in that way.

- Yeah, it strikes me that, you know, being there, having been able to have those one-on-one or even group conversations with other people, being in the same room really gives you the opportunity to kind of cut through a lot of the hype that we see with technologies like AI and get to the ground truth of how this can really benefit your organization.

- Absolutely, and I do feel like there's a feeling of openness at Black Hat that, you know, maybe get at some of the other conferences and DEF CON and where, especially in those hallway conversations or, you know, pulling somebody into a room, you really get to talk with them about what's really going on with their teams, what's really going on with their organization. And another big thing I'm hearing, maybe not so much in, you know, the session titles and things like that, but people are talking about is resilience, and resilience in the face of any kind of tech outage or cybersecurity incident and really being able to get your organization back on its feet quickly. In fact, I was able to talk with Dmitri Alperovitch last night. He wrote a great book called World on the Brink about the rising threat of China. But one of the things I asked him was, you know, what can organizations do today? And the big thing he said was resilience, learn how to be able to recover quickly from any kind of outage, and that can really help you be set up, you know, to exist in this world with all the threats and all the things that we are facing as an organization. And I've heard that from a lot of people this week.

- Adam Marré is CISO at Arctic Wolf. He's joining us from the Black Hat Conference. Adam, thanks so much for taking the time for us.

- It's my pleasure. Thank you, Dave.

- Quick question. Do your end users always work on company-owned devices and IT-approved apps? If the answer is no, then my next question is, how do you keep company data safe on all those unmanaged apps and devices? 1Password has an answer to this question, Extended Access Management. 1Password Extended Access Management helps you secure every sign-in for every app on every device, because it solves the problem traditional IAM and MDM can't touch. Check it out at 1password.com/xam. That's 1password.com/xam.

- This episode is brought to you by Shopify, whether you're selling a little, or a lot. Shopify helps you do your thing, however you cha-ching. From the "launch your online shop" stage, all the way to the "we just hit a million orders" stage. No matter what stage you're in, Shopify's there to help you grow. Sign up for a $1 per month trial period at Shopify.com/specialoffer, all lowercase. That's Shopify.com/specialoffer.

And finally, updated research from Sophos shows that ransomware gangs are increasingly sophisticated in their tactics, adapting over time to exert more pressure on their victims. Initially, in 2021, tactics included threats to publish stolen data, contacting employees and alerting media outlets. These methods are still in use, but recent developments show that threat actors have become more creative and aggressive. They now exploit legitimate entities such as the media, legislation, and law enforcement to apply pressure on victims. This includes encouraging affected customers and employees to sue the victim organizations and using stolen data to highlight potential legal or regulatory violations. Ransomware groups such as ALPHV/BlackCat have even filed official complaints with regulatory bodies like the SEC, accusing victims of noncompliance. Other groups assess stolen data for evidence of wrongdoing to use as leverage. In some cases, ransomware operators publicly shame their victims or frame themselves as vigilantes, while targeting individuals with reputational damage by revealing personal or embarrassing information. Tactics also include leaking highly sensitive information such as medical records and private images to further intimidate victims. The evolution of these tactics reflects a broader willingness to exploit any means available to coerce payment and damage reputations. As ransomware groups grow more audacious, the threat landscape becomes more perilous, necessitating heightened vigilance and robust defenses from potential targets.

And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at N2K.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.