0:02

You're listening to the CyberWire Network, powered

0:04

by N2K. In

0:12

the complex world of enterprise identity,

0:14

securing legacy web apps at scale

0:16

can be daunting. Strata

0:18

Identity makes it simple. With

0:21

Strata, you can effortlessly integrate

0:23

non-standard apps with any identity

0:25

service, like MFA or SSO,

0:27

with zero coding and zero

0:30

hassle. Designed by identity

0:32

architects for identity architects, Strata

0:34

works with every vendor, standard

0:36

and app architecture. This

0:38

means your apps can now speak

0:41

modern protocols and integrate seamlessly

0:43

with your chosen identity services. From

0:46

securing on-prem web apps to migrating

0:48

away from outdated identity providers or

0:51

consolidating them, Strata helps

0:53

you keep your complex access policies

0:55

as you modernize your identity infrastructure

0:57

and get rid of technical debt.

1:00

Join leading organizations like 3M,

1:03

Dallas County and CIBC in

1:05

securing your apps with Strata.

1:08

Visit strata.io/cyberwire, share your

1:10

identity security priorities and

1:12

receive a complimentary pair

1:15

of AirPods Pro. Offer

1:17

valid for organizations with over 5,000 employees.

1:21

Connect today at

1:24

strata.io/cyberwire. Pi

1:40

Pi puts a temporary hold on operations.

1:43

OMB outlines federal AI governance.

1:45

Germany sounds the alarm on

1:48

Microsoft Exchange Server updates. Cisco

1:50

patches potential denial of service vulnerabilities.

1:53

The U.S. puts a big bounty

1:55

on black cat. Darkula and Tycoon

1:57

are sophisticated fishing as a server.

2:00

One, don't dilly dally on the

2:02

latest Chrome update on our thread

2:04

sector segments. Hosts: David Molson has

2:07

Guess Sam Reuben Vp and Global

2:09

Head of Operations that unit forty

2:11

two to discuss Sam's testimony to

2:13

the Us Congress on the multi

2:15

faceted landscape of Ran Somewhere attacks,

2:18

ai and automation and the need

2:20

for more cyber security. Education and

2:22

data brokers Reveal alleged visitors have

2:24

had a fire island. It's

2:33

Thursday, March twenty eighth, Twenty twenty four

2:36

times a visitor and this is your

2:38

summer wire. To.

2:53

Combat an ongoing malware upload

2:56

campaign. The Python Package in

2:58

Deaths, Popeye. Temporarily.

3:00

Halted new project creations and

3:02

user registrations earlier today. Researchers.

3:06

From check marks identified a series

3:08

of malicious packages linked to a

3:10

typo squatting attack aimed at installing

3:12

these packages via the command line.

3:15

This. Sophisticated multi attack targets

3:17

the theft of crypto currency,

3:20

wallets, browser data, and various

3:22

credentials. The. Malware embedded

3:24

within the set up.t y

3:26

file of each package. Uses.

3:29

Obfuscated an encrypted code to

3:31

execute upon installation, retrieving further

3:34

encrypted payloads designed to pilfer

3:36

sensitive information. Additionally,

3:38

it incorporates a mechanism to

3:41

maintain it's presence on infected

3:43

systems across reboots. Ipi

3:45

later reported the issues as

3:48

being resolved and resumed normal

3:50

operations. The

3:52

White House has mandated Us federal

3:55

agencies to implement a I Safeguards

3:57

by December. including. appointing

3:59

chief AI officers and

4:02

establishing AI governance boards.

4:05

This directive, outlined in a memo from

4:07

the Office of Management and Budget, aims

4:10

to ensure responsible AI usage

4:12

that benefits the public and

4:14

enhances mission effectiveness while

4:16

acknowledging AI's limitations and risks.

4:20

Agencies are instructed to detail AI tool

4:23

usage in annual reports and

4:25

make government-owned AI code public. This

4:28

is in addition to completion of

4:30

all actions from President Biden's AI

4:32

executive order, requiring agencies

4:34

to cease using non-compliant

4:36

AI systems unless critical

4:39

operations are at risk. The

4:41

memo also emphasizes transparency,

4:43

encouraging the sharing of

4:45

custom-developed AI code via

4:47

open-source platforms, and

4:49

mentions a $5 million proposal

4:52

to expand AI training within

4:54

the government. Germany's

4:57

Cybersecurity Authority, the BSI,

5:00

is currently calling on thousands

5:02

of organizations to update their

5:04

Microsoft Exchange software, highlighting

5:06

that at least 17,000 servers are

5:09

at risk from critical vulnerabilities. These

5:12

flaws are being exploited by

5:14

cybercriminals and state actors for

5:16

malware distribution, cyberespionage,

5:18

and ransomware attacks. Particularly

5:21

vulnerable sectors include education,

5:23

healthcare, judiciary, local government,

5:26

and medium-sized businesses. Despite

5:29

repeated warnings and a red-thread-level

5:31

declaration since 2021, many servers

5:34

remain outdated with

5:36

about 12 percent lacking security updates

5:38

and 25 percent running on old

5:40

patch versions of Exchange 2016 and

5:43

2019. BSI

5:47

President Claudia Plattner emphasized

5:49

the critical need for

5:51

cybersecurity prioritization, noting

5:53

the unnecessary risks to IT

5:55

systems, services, and sensitive data

5:57

due to neglect in updating these servers.

6:02

Cisco announced patches for several

6:04

vulnerabilities in its iOS and

6:06

iOS XE software that

6:08

pose a risk of unauthorized

6:10

denial-of-service attacks. The most

6:12

critical flaws have a CVSS score of 8.6.

6:16

Additionally, vulnerabilities were found

6:18

in the multicast DNS

6:20

OSPF version 2 and

6:23

the ISIS protocol, all

6:25

exploitable without authentication through crafted

6:27

packets. A secure boot

6:30

bypass in AP software, allowing

6:32

modified software loading via physical

6:34

access, was also patched. Seven

6:37

other medium severity issues were addressed,

6:39

including privilege escalation and command

6:42

injection. Cisco has

6:44

not observed these vulnerabilities being exploited in

6:46

the wild, but urges users

6:48

to upgrade their devices promptly to

6:51

prevent potential attacks. The

6:54

U.S. State Department is offering a

6:56

$10 million bounty for information on

6:58

the Black Cat Ransomware Group, responsible

7:00

for the cyber attack on UnitedHealth.

7:03

This initiative, part of the Rewards

7:05

for Justice program, seeks

7:07

details leading to the identification

7:10

or location of individuals involved

7:12

in state-sponsored cybercrime. The

7:15

Black Cat Group, also known as ALFV,

7:17

targeted UnitedHealth's tech unit

7:19

Change Healthcare, affecting

7:22

over 100 applications and compromising

7:24

sensitive data, including medical

7:26

records and payment details. The

7:29

attack severely disrupted healthcare payments and

7:31

treatments, with UnitedHealth only recently starting

7:33

to address a $14 billion

7:36

medical claims backlog. Despite

7:39

claims of a $22 million ransom

7:41

payment to Black Cat, it's unclear

7:43

if system control has been restored.

7:48

Cybersecurity analysts at Netcraft have uncovered

7:50

the use of the Darkula Phishing

7:53

as a Service platform by threat

7:55

actors to launch sophisticated attacks via

7:57

iMessage. has

8:00

supported over 20,000 phishing domains, targeting

8:03

more than 100 brands worldwide, primarily

8:06

impersonating postal services. This

8:09

service distinguishes itself by

8:12

leveraging encrypted messaging platforms

8:14

like iMessage and RCS

8:16

for smishing attacks, bypassing

8:18

traditional SMS scam defenses and

8:21

exploiting user trust. Darkula

8:24

offers easy to deploy phishing

8:26

sites with numerous templates, monetizing

8:28

through paid subscriptions. Its

8:31

anti-detection measures include obfuscating malicious

8:33

content paths and using domains

8:36

with cloaked front pages, significantly

8:39

enhancing its invasion capabilities.

8:42

Researchers say about 120 new Darkula domains

8:46

appear per day in 2024. Meanwhile,

8:50

the tycoon 2FA

8:52

phishing kit, targeting Microsoft 365

8:54

and Gmail accounts, has

8:56

been updated to evade detection more

8:59

effectively. Active since

9:01

August, 2023 and discovered by

9:03

Sequoia, this phishing as a

9:05

service platform uses an adversary in the

9:07

middle tactic to bypass

9:09

multi-factor authentication by stealing

9:12

session cookies. Recent

9:14

enhancements to the kit's JavaScript

9:16

and HTML coding alongside

9:18

improved evasion of security

9:20

scans and selective traffic

9:22

acceptance make tracking tycoon

9:24

2FA more challenging. The

9:27

kit, known for sophisticated phishing

9:29

attacks, including email phishing links

9:31

and imitation Microsoft login pages,

9:34

has been linked to over 1,200 domains. These

9:37

updates have made tycoon 2FA a

9:40

more formidable tool in the phishing landscape.

9:44

Google has updated Chrome for

9:47

Windows, Mac and Linux, addressing

9:49

seven security issues. Users

9:51

are advised to update Chrome promptly,

9:54

especially due to a critical vulnerability,

9:56

a use after free flaw in

9:58

the angle component. which

10:01

handles webGL content. This

10:03

vulnerability could allow attackers to

10:05

exploit heap corruption via a

10:07

crafted HTML page, potentially leading

10:09

to compromised systems. If

10:12

you can, don't delay. Update

10:14

Chrome today. Coming

10:24

up after the break on our threat vector

10:27

segment, host David Moulton talks with Sam Rubin,

10:29

VP and Global Head of Operations at Unit

10:31

42, about Sam's testimony

10:33

to the U.S. Congress on the

10:36

multifaceted landscape of ransomware attacks. Be

10:39

with us. When

10:53

it comes to ensuring your company

10:55

has top-notch security practices, things can

10:58

get complicated and time-consuming fast. Now

11:01

you can assess risk, secure the trust of

11:03

your customers, and automate compliance for SOC 2,

11:05

ISO 27001, HIPAA and more with a single

11:07

platform, Banta. Banta's

11:13

leading trust management platform helps

11:15

you continuously monitor compliance alongside

11:18

reporting and tracking risk. Plus,

11:21

save time by completing security

11:23

questionnaires with Banta AI. Learn

11:26

why thousands of global companies

11:28

use Banta to automate evidence

11:30

collection, unify risk management and

11:32

streamline security reviews. Watch

11:35

Banta's on-demand demo

11:38

at banta.com/cyber. That's

11:41

banta.None com slash cyber.

11:55

Imagine a world where you're always one step

11:57

ahead of cyber threats, your

12:00

defenses are impenetrable because you see

12:02

what others do. Welcome

12:04

to Team Cymru's Threat Intelligence

12:07

Solutions. With real-time access

12:09

to the world's largest threat intelligence

12:11

data ocean, they enable you to

12:13

turn the tables on attackers. Transform

12:16

your security from reactive to

12:18

proactive through accelerated threat hunting

12:20

and incident response made possible

12:22

through automation. Empower your

12:25

team with visibility and insights to

12:27

start defending your organization like never

12:29

before. Team Cymru, be

12:31

the hunter, not the hunted. Learn

12:36

more at

12:39

team-cymru.com/cyberwire. That's

12:42

team-cymru.com/cyberwire. David

12:53

Moulton is host of the Threat

12:55

Vector podcast right here on the

12:57

cyberwire network. In a recent

13:00

episode, he spoke with Sam Rubin, VP and

13:02

Global Head of Operations at Unit 42 to

13:05

discuss Sam's testimony to the

13:07

US Congress on the multifaceted

13:09

landscape of ransomware attacks, AI

13:11

and automation, and the need

13:13

for more cybersecurity education. There

13:17

was a hospital actually from

13:19

my home state of Vermont

13:21

there coincidentally, and there was

13:24

a school district from Texas

13:26

and they both spoke about

13:28

their experiences, victims of ransomware

13:30

attacks. And the administrator

13:32

from the Vermont hospital, what he

13:35

said was pretty remarkable

13:37

in that they ended up spending more

13:39

in the ransomware response and recovery at

13:42

the hospital than they did through

13:45

all of COVID and sort of

13:47

adjusting their protocols to providing

13:49

patient care during that pandemic. So

13:52

just incredibly painful

13:54

and impactful experience for them to go

13:57

through. Welcome

14:06

to Unit 42's Threat Vector, where

14:08

we share unique threat intelligence insights,

14:11

new threat actor TTPs, and

14:13

real-world case studies. Unit

14:16

42 has a global team

14:18

of threat intelligence experts, incident

14:20

responders, and proactive security consultants

14:22

dedicated to safeguarding our digital

14:24

world. I'm your host, David

14:26

Moulton, Director of Thought Leadership for Unit 42. Today,

14:44

I'm talking with Sam Rubin, VP and

14:46

Global Head of Operations at Unit 42,

14:48

about his testimony to

14:51

Congress. Sam shared insights about

14:53

the evolving sophistication and speed

14:55

of ransomware attacks, the changing

14:57

tactics of threat actors, and

14:59

the impact on sectors like education,

15:01

healthcare, and government. He

15:05

also talked about the importance of

15:08

AI and automation in cybersecurity defenses,

15:11

and the importance of public-private

15:13

partnerships in combating cyber threats.

15:16

Let's get right into this conversation. Sam,

15:22

you traveled to Washington, D.C.,

15:24

set before Congress. What prompted

15:26

you to go out to

15:28

D.C. and talk to our

15:30

legislators? As a company,

15:33

Palo Alto Networks is very engaged

15:36

with the federal government, as well

15:38

as state and local governments. And

15:42

we got this opportunity just because of

15:44

the relationships that we have with various

15:46

lawmakers. They had scheduled a

15:48

hearing in September on the

15:52

threat of ransomware and how it's

15:54

impacting organizations. And so, just

15:56

as part of Palo Alto Networks' relationships, we

15:58

had this opportunity. was offered to me

16:00

and you know I jumped on it. So

16:04

your testimony placed a

16:06

significant emphasis on the

16:09

evolving sophistication of ransomware attacks.

16:13

What have you seen in this regard and

16:15

how should this evolution change the

16:17

approach to cybersecurity? I've

16:20

been in this space doing instant response

16:22

for 20

16:24

years and really helping

16:27

organizations respond to ransomware ever

16:29

since it's been sort of a threat

16:31

out there that organizations have faced at least

16:33

10 years and there's

16:36

been quite an evolution over that time.

16:38

Back when we started I would

16:41

characterize the attacks as sort of spray

16:43

and prey, indiscriminate

16:45

targeting based on phishing

16:48

and then what would happen

16:51

from a demand standpoint. You're looking at you know

16:53

$500, $1,000 to decrypt. Contrast that with

16:58

where we are today where many of the

17:00

targets are large

17:02

enterprises, large state or

17:05

federal government entities. The

17:07

demands are in the you know hundreds of

17:09

thousands to millions of dollars. I think our

17:11

median demand is around $650,000 that

17:15

we see and the tactics

17:17

that are being used are much more

17:19

sophisticated in terms of how they're getting

17:22

in and also what

17:24

they do after the threat actors break in.

17:27

Just a constant evolution of

17:30

sophistication and speed really. Talk

17:33

to me about that sophistication and speed

17:35

a bit more. First

17:38

of all let's talk about how they

17:40

break in. If you're thinking of it

17:42

from a MITRE attack standpoint it's

17:44

the intrusion vector. How are they

17:46

getting into the organization? And one

17:49

of the things that we see in terms of

17:51

sophistication is rapid

17:54

weaponization of disclosed

17:56

vulnerabilities. So things that are

17:58

essentially like a zero-day kind of

18:00

day one after notification or

18:04

within hours of notification, we

18:07

start to see weaponization of those

18:09

vulnerabilities and our incident

18:11

response team starts to get the call

18:14

for attacks

18:17

that have followed from those

18:19

very newly disclosed vulnerabilities. I think

18:21

for example, right now, past

18:24

week or two, we've seen the Avanti

18:26

VPN being an example

18:29

of that, but it's constant.

18:31

It's sort of what's disclosed

18:33

leads to very quickly rapid

18:35

weaponization and that's a

18:37

newer trend. Then when

18:39

we talk about after they break

18:41

in sort of post exploitation, the

18:44

sophistication is coming in how

18:46

quickly they're moving from intrusion

18:48

to exfiltration. And

18:50

we're seeing that drop. This is something that we've

18:53

measured for some time. And

18:56

between I think where we were in 2021,

18:58

where that dwell time was

19:00

about 30 days or so,

19:05

we're seeing it now one to

19:07

two days. So just they're getting

19:09

in, they're going much more quickly in

19:11

terms of when they're taking data, locking

19:13

files up, and that's making it very,

19:15

very hard to defend against. AI

19:18

and automation were key topics in your

19:20

testimony. What led you

19:22

to emphasize those technologies and how

19:25

do you foresee them shaping the

19:27

future of cybersecurity defenses against threats

19:29

like ransomware? Congress

19:33

was really interested in hearing from Palo Alto

19:35

Networks about both AI

19:37

as a threat as

19:40

well as AI and cyber defense. And

19:43

from a lawmaker's perspective, they're

19:45

really looking at what do we need to

19:47

do to be

19:50

thinking about how we protect our

19:52

citizens from the risks of AI,

19:54

whether that's sort of discriminatory lending

19:56

practices, whether it's the bad guys

19:59

using. AI, but

20:01

they also acknowledge that AI

20:03

can be used as a force for good. And

20:07

really that's a lot of what I

20:09

focused on in my testimony is how,

20:11

as defenders, we can

20:13

be using AI to do

20:15

a better job in protecting

20:18

our organizations. You

20:20

discussed the importance of preparing the cyber

20:23

workforce for tomorrow. How

20:25

should educational institutions or training

20:27

programs approach cybersecurity education? I

20:31

think we've seen tremendous progress in it

20:34

being even part of the curriculum. Certainly

20:37

when I went to college, while

20:40

there was sort of CF as

20:42

a discipline, there certainly wasn't really

20:44

cybersecurity. Now a

20:47

lot of universities and colleges

20:49

have cybersecurity specific programs. We

20:53

partner with a number of universities

20:55

to talk to their

20:57

students, to recruit. And

21:00

so I think just first of all,

21:02

recognizing that there's a need and there

21:04

is a tremendous shortage in

21:06

the workforce for having trained

21:10

cybersecurity experts and having people who

21:12

are ready to enter the

21:15

workforce in this area is a huge

21:17

step in the right direction. Absolutely.

21:19

Sam, thanks for joining me today on threat vector.

21:21

Yeah, my pleasure. Thanks for having me on, David.

21:32

If you're concerned about ransomware and extortion,

21:35

you should check out our webinar on

21:37

a bashed, unashamed and unpredictable, the

21:39

changing pace of ransomware. Sam, along

21:42

with unit 42's managing partner, Chris Scott

21:45

and consulting directors, David Ferron and Liam

21:47

Peltoner, share what it takes to keep

21:49

your organization protected. I'll include a link

21:51

to that webinar in the show notes.

21:55

That's it for threat vector this week. I

21:57

want to thank our executive producer, Michael Heller.

22:00

our content production teams, which

22:02

includes Shada Azimi, Sheila Droski,

22:04

Tanya Wilkins, and Danny Milrad.

22:07

I edit the show and Elliott Peltzman is

22:09

our audio engineer. We'll be back in two

22:11

weeks. Until then, stay

22:14

secure, stay vigilant. Goodbye

22:16

for now. Be

22:21

sure to check out the Threat Vector podcast

22:23

right here on the CyberWire Network and wherever

22:25

you can find us. And

22:43

now, a word from our sponsor,

22:46

Zscaler, the leader in cloud security.

22:48

Cyber attackers are using AI in

22:51

creative ways to compromise users and

22:53

breach organizations. In a

22:55

security landscape where you must fight AI

22:57

with AI, the best AI protection comes

23:00

from having the best data. Zscaler

23:02

has extended its Zero Trust architecture

23:04

with powerful AI engines that are

23:06

trained and tuned by 500 trillion

23:10

daily signals. Learn more

23:12

about Zscaler Zero Trust Plus

23:14

AI to prevent ransomware and

23:16

AI attacks. Experience

23:19

your world secured.

23:21

Visit zscaler.com/Zero Trust

23:23

AI. And

23:37

finally, the

23:39

recent discovery from Wired that nearly

23:41

200 mobile devices left

23:44

a digital breadcrumb trail from

23:46

Jeffrey Epstein's notorious island back

23:49

to their owners' homes and workplaces is

23:52

a disturbing testament to the pervasive lack

23:54

of privacy in our digital age. While

23:57

the visitors to Epstein's pedophile island.

24:00

may have been engaged in morally

24:02

reprehensible activities, the fact that

24:05

their movements were tracked and exposed

24:07

by data broker near intelligence throws

24:10

a stark light on the double-edged

24:12

sword of surveillance technology. Wired's

24:15

uncovering of this data demonstrates not

24:17

just the potential for holding the

24:19

corrupt accountable, but also the terrifying

24:22

precision with which individuals can be

24:24

monitored. This capability, rooted

24:26

in the murky dealings of data

24:28

brokers under the lax privacy regulations

24:30

of the U.S., shows

24:33

a concerning disregard for personal

24:35

boundaries. The data accurately

24:37

tracked individuals from luxury

24:39

accommodations to Epstein's lair,

24:42

highlighting the ease with which personal

24:44

movements are commodified. This

24:46

incident should serve as a wake-up call

24:49

for the urgent need for robust privacy

24:51

protections while the individuals

24:53

tracked to Epstein's island may not

24:55

evoke sympathy due to the island's

24:57

dark reputation. The broader

24:59

implications for privacy rights cannot

25:01

be ignored. The readiness

25:04

with which detailed location data

25:06

can be exploited underscores the

25:08

dire consequences of the U.S.'s

25:10

fragmented privacy laws compared

25:12

to stronger protections like those in

25:14

Europe. The revelation

25:17

about Epstein's island visitors while

25:19

showcasing the potential to uncover

25:21

illicit activities primarily exposes

25:24

a gaping hole in our privacy

25:26

defenses. It's a glaring

25:28

example of how individuals' whereabouts, regardless

25:30

of their actions, can be

25:33

traced and traded like currency. This

25:35

should alarm not just privacy advocates,

25:38

but anyone who believes in the

25:40

fundamental right to personal privacy without

25:42

unwarranted intrusion. The ongoing

25:44

failure of Congress to pass

25:47

comprehensive privacy legislation not

25:49

only leaves citizens exposed to

25:51

surveillance capitalism, but also

25:53

to the whims of any entity willing

25:55

to exploit their data for gain or

25:58

scrutiny. podcast,

26:00

my coast Ben Yellen and I often

26:02

wonder just what it's going to take

26:04

to get our dysfunctional US Congress to

26:06

act on federal privacy legislation.

26:08

It is a

26:11

sad reality that maybe, just maybe, something

26:13

like this where the rich and powerful

26:15

are caught being where they should not

26:18

be. Could be the

26:20

thing that moves the needle. And

26:31

that's the cyberwire. For links to

26:33

all of today's stories check out our

26:35

daily briefing at the cyberwire.com. We'd

26:38

love to know what you think

26:40

of this podcast. You can email

26:43

us at cyberwire at n2k.com. N2K

26:45

Strategic Workforce Intelligence optimizes the

26:48

value of your biggest investment,

26:50

your people. We make

26:52

you smarter about your team while

26:54

making your team smarter. Learn more

26:57

at n2k.com. This episode

26:59

was produced by Liz Stokes. Our

27:01

mixer is Trey Hester with original

27:03

music by Elliot Princeman. Our executive

27:05

producers are Jennifer Iben and Landon

27:08

Karp. Our executive editor is

27:10

Peter Kilpene and I'm Dave Bittner. Thanks

27:12

for listening. We'll see you back here

27:14

tomorrow. When

27:41

it comes to ensuring your

27:43

company has top-notch security practices,

27:45

things can get complicated and

27:47

time-consuming fast. Now you

27:49

can assess risk, secure the trust of

27:51

your customers and automate compliance for SOC

27:53

2, ISO 27001, HIPAA and

27:57

more with a single platform. Vanta's

28:01

leading trust management platform helps

28:03

you continuously monitor compliance alongside

28:06

reporting and tracking risk. Plus,

28:08

save time by completing security

28:10

questionnaires with Vanta AI. Learn

28:13

why thousands of global companies

28:15

use Vanta to automate evidence

28:18

collection, unify risk management, and

28:20

streamline security reviews. Watch

28:23

Vanta's on-demand demo at vanta.com

28:26

slash cyber. That's

28:29

VANTA.None com slash cyber.