Episode Transcript
0:02
You're listening to the CyberWire Network, powered by N2K.

0:12
In the complex world of enterprise identity, securing legacy web apps at scale can be daunting. Strata Identity makes it simple. With Strata, you can effortlessly integrate non-standard apps with any identity service, like MFA or SSO, with zero coding and zero hassle. Designed by identity architects for identity architects, Strata works with every vendor, standard and app architecture. This means your apps can now speak modern protocols and integrate seamlessly with your chosen identity services. From securing on-prem web apps to migrating away from outdated identity providers or consolidating them, Strata helps you keep your complex access policies as you modernize your identity infrastructure and get rid of technical debt. Join leading organizations like 3M, Dallas County and CIBC in securing your apps with Strata. Visit strata.io/cyberwire, share your identity security priorities and receive a complimentary pair of AirPods Pro. Offer valid for organizations with over 5,000 employees. Connect today at strata.io/cyberwire.

1:40
PyPI puts a temporary hold on operations.
OMB outlines federal AI governance. Germany sounds the alarm on Microsoft Exchange Server updates. Cisco patches potential denial-of-service vulnerabilities. The U.S. puts a big bounty on BlackCat. Darcula and Tycoon are sophisticated phishing-as-a-service. And don't dilly-dally on the latest Chrome update. On our Threat Vector segment, host David Moulton has guest Sam Rubin, VP and Global Head of Operations at Unit 42, to discuss Sam's testimony to the U.S. Congress on the multifaceted landscape of ransomware attacks, AI and automation, and the need for more cybersecurity education. And data brokers reveal alleged visitors to Epstein's island.

2:33
It's Thursday, March 28th, 2024. I'm Dave Bittner, and this is your CyberWire.

2:53
To combat an ongoing malware upload
campaign, the Python Package Index, PyPI, temporarily halted new project creations and user registrations earlier today. Researchers from Checkmarx identified a series of malicious packages linked to a typosquatting attack aimed at installing these packages via the command line. This sophisticated multi-stage attack targets the theft of cryptocurrency wallets, browser data, and various credentials. The malware, embedded within the setup.py file of each package, uses obfuscated and encrypted code to execute upon installation, retrieving further encrypted payloads designed to pilfer sensitive information. Additionally, it incorporates a mechanism to maintain its presence on infected systems across reboots. PyPI later reported the issues as being resolved and resumed normal operations.

3:52
The
White House has mandated U.S. federal agencies to implement AI safeguards by December, including appointing chief AI officers and establishing AI governance boards. This directive, outlined in a memo from the Office of Management and Budget, aims to ensure responsible AI usage that benefits the public and enhances mission effectiveness while acknowledging AI's limitations and risks. Agencies are instructed to detail AI tool usage in annual reports and make government-owned AI code public. This is in addition to completion of all actions from President Biden's AI executive order, requiring agencies to cease using non-compliant AI systems unless critical operations are at risk. The memo also emphasizes transparency, encouraging the sharing of custom-developed AI code via open-source platforms, and mentions a $5 million proposal to expand AI training within the government.

4:57
Germany's
Cybersecurity Authority, the BSI, is currently calling on thousands of organizations to update their Microsoft Exchange software, highlighting that at least 17,000 servers are at risk from critical vulnerabilities. These flaws are being exploited by cybercriminals and state actors for malware distribution, cyberespionage, and ransomware attacks. Particularly vulnerable sectors include education, healthcare, judiciary, local government, and medium-sized businesses. Despite repeated warnings and a red threat-level declaration since 2021, many servers remain outdated, with about 12 percent lacking security updates and 25 percent running on old patch versions of Exchange 2016 and 2019. BSI President Claudia Plattner emphasized the critical need for cybersecurity prioritization, noting the unnecessary risks to IT systems, services, and sensitive data due to neglect in updating these servers.
6:02
Cisco announced patches for several vulnerabilities in its IOS and IOS XE software that pose a risk of unauthorized denial-of-service attacks. The most critical flaws have a CVSS score of 8.6. Additionally, vulnerabilities were found in the multicast DNS, OSPF version 2, and the IS-IS protocol, all exploitable without authentication through crafted packets. A secure boot bypass in AP software, allowing modified software loading via physical access, was also patched. Seven other medium-severity issues were addressed, including privilege escalation and command injection. Cisco has not observed these vulnerabilities being exploited in the wild, but urges users to upgrade their devices promptly to prevent potential attacks.

6:54
The
U.S. State Department is offering a $10 million bounty for information on the BlackCat ransomware group, responsible for the cyberattack on UnitedHealth. This initiative, part of the Rewards for Justice program, seeks details leading to the identification or location of individuals involved in state-sponsored cybercrime. The BlackCat group, also known as ALPHV, targeted UnitedHealth's tech unit Change Healthcare, affecting over 100 applications and compromising sensitive data, including medical records and payment details. The attack severely disrupted healthcare payments and treatments, with UnitedHealth only recently starting to address a $14 billion medical claims backlog. Despite claims of a $22 million ransom payment to BlackCat, it's unclear if system control has been restored.
7:48
Cybersecurity analysts at Netcraft have uncovered the use of the Darcula phishing-as-a-service platform by threat actors to launch sophisticated attacks via iMessage. Darcula has supported over 20,000 phishing domains, targeting more than 100 brands worldwide, primarily impersonating postal services. This service distinguishes itself by leveraging encrypted messaging platforms like iMessage and RCS for smishing attacks, bypassing traditional SMS scam defenses and exploiting user trust. Darcula offers easy-to-deploy phishing sites with numerous templates, monetizing through paid subscriptions. Its anti-detection measures include obfuscating malicious content paths and using domains with cloaked front pages, significantly enhancing its evasion capabilities. Researchers say about 120 new Darcula domains appear per day in 2024.

8:46
Meanwhile, the Tycoon 2FA phishing kit, targeting Microsoft 365 and Gmail accounts, has been updated to evade detection more effectively. Active since August 2023 and discovered by Sekoia, this phishing-as-a-service platform uses an adversary-in-the-middle tactic to bypass multi-factor authentication by stealing session cookies. Recent enhancements to the kit's JavaScript and HTML coding, alongside improved evasion of security scans and selective traffic acceptance, make tracking Tycoon 2FA more challenging. The kit, known for sophisticated phishing attacks, including email phishing links and imitation Microsoft login pages, has been linked to over 1,200 domains. These updates have made Tycoon 2FA a more formidable tool in the phishing landscape.
9:44
Google has updated Chrome for Windows, Mac and Linux, addressing seven security issues. Users are advised to update Chrome promptly, especially due to a critical vulnerability, a use-after-free flaw in the ANGLE component, which handles WebGL content. This vulnerability could allow attackers to exploit heap corruption via a crafted HTML page, potentially leading to compromised systems. If you can, don't delay. Update Chrome today.

10:24
Coming up after the break on our Threat Vector segment, host David Moulton talks with Sam Rubin, VP and Global Head of Operations at Unit 42, about Sam's testimony to the U.S. Congress on the multifaceted landscape of ransomware attacks. Be with us.

10:53
When
it comes to ensuring your company has top-notch security practices, things can get complicated and time-consuming fast. Now you can assess risk, secure the trust of your customers, and automate compliance for SOC 2, ISO 27001, HIPAA and more with a single platform, Vanta. Vanta's leading trust management platform helps you continuously monitor compliance alongside reporting and tracking risk. Plus, save time by completing security questionnaires with Vanta AI. Learn why thousands of global companies use Vanta to automate evidence collection, unify risk management and streamline security reviews. Watch Vanta's on-demand demo at vanta.com/cyber. That's vanta.com/cyber.

11:55
Imagine a world where you're always one step ahead of cyber threats, your defenses are impenetrable because you see what others do. Welcome to Team Cymru's Threat Intelligence Solutions. With real-time access to the world's largest threat intelligence data ocean, they enable you to turn the tables on attackers. Transform your security from reactive to proactive through accelerated threat hunting and incident response made possible through automation. Empower your team with visibility and insights to start defending your organization like never before. Team Cymru, be the hunter, not the hunted. Learn more at team-cymru.com/cyberwire. That's team-cymru.com/cyberwire.

12:53
David
Moulton is host of the Threat Vector podcast right here on the CyberWire Network. In a recent episode, he spoke with Sam Rubin, VP and Global Head of Operations at Unit 42, to discuss Sam's testimony to the U.S. Congress on the multifaceted landscape of ransomware attacks, AI and automation, and the need for more cybersecurity education.

13:17
There was a hospital actually from my home state of Vermont there coincidentally, and there was a school district from Texas, and they both spoke about their experiences, victims of ransomware attacks. And the administrator from the Vermont hospital, what he said was pretty remarkable in that they ended up spending more in the ransomware response and recovery at the hospital than they did through all of COVID and sort of adjusting their protocols to providing patient care during that pandemic. So just incredibly painful and impactful experience for them to go through.

14:06
Welcome
to Unit 42's Threat Vector, where we share unique threat intelligence insights, new threat actor TTPs, and real-world case studies. Unit 42 has a global team of threat intelligence experts, incident responders, and proactive security consultants dedicated to safeguarding our digital world. I'm your host, David Moulton, Director of Thought Leadership for Unit 42.

14:44
Today, I'm talking with Sam Rubin, VP and Global Head of Operations at Unit 42, about his testimony to Congress. Sam shared insights about the evolving sophistication and speed of ransomware attacks, the changing tactics of threat actors, and the impact on sectors like education, healthcare, and government. He also talked about the importance of AI and automation in cybersecurity defenses, and the importance of public-private partnerships in combating cyber threats. Let's get right into this conversation.

15:22
Sam,
you traveled to Washington, D.C., sat before Congress. What prompted you to go out to D.C. and talk to our legislators?

15:30
As a company, Palo Alto Networks is very engaged with the federal government, as well as state and local governments. And we got this opportunity just because of the relationships that we have with various lawmakers. They had scheduled a hearing in September on the threat of ransomware and how it's impacting organizations. And so, just as part of Palo Alto Networks' relationships, we had this opportunity. It was offered to me and, you know, I jumped on it.

16:04
So your testimony placed a significant emphasis on the evolving sophistication of ransomware attacks. What have you seen in this regard, and how should this evolution change the approach to cybersecurity?

16:20
I've
been in this space doing incident response for 20 years, and really helping organizations respond to ransomware ever since it's been sort of a threat out there that organizations have faced, at least 10 years, and there's been quite an evolution over that time. Back when we started, I would characterize the attacks as sort of spray and pray, indiscriminate targeting based on phishing, and then what would happen from a demand standpoint, you're looking at, you know, $500, $1,000 to decrypt. Contrast that with where we are today, where many of the targets are large enterprises, large state or federal government entities. The demands are in the, you know, hundreds of thousands to millions of dollars. I think our median demand is around $650,000 that we see, and the tactics that are being used are much more sophisticated in terms of how they're getting in and also what they do after the threat actors break in. Just a constant evolution of sophistication and speed, really.

17:33
Talk to me about that sophistication and speed a bit more.

17:38
First
of all, let's talk about how they break in. If you're thinking of it from a MITRE ATT&CK standpoint, it's the intrusion vector. How are they getting into the organization? And one of the things that we see in terms of sophistication is rapid weaponization of disclosed vulnerabilities. So things that are essentially like a zero-day, kind of day one after notification or within hours of notification, we start to see weaponization of those vulnerabilities, and our incident response team starts to get the call for attacks that have followed from those very newly disclosed vulnerabilities. I think, for example, right now, past week or two, we've seen the Ivanti VPN being an example of that, but it's constant. It's sort of what's disclosed leads to very quickly rapid weaponization, and that's a newer trend. Then when we talk about after they break in, sort of post-exploitation, the sophistication is coming in how quickly they're moving from intrusion to exfiltration. And we're seeing that drop. This is something that we've measured for some time. And between, I think, where we were in 2021, where that dwell time was about 30 days or so, we're seeing it now one to two days. So just, they're getting in, they're going much more quickly in terms of when they're taking data, locking files up, and that's making it very, very hard to defend against.

19:18
AI
and automation were key topics in your testimony. What led you to emphasize those technologies, and how do you foresee them shaping the future of cybersecurity defenses against threats like ransomware?

19:33
Congress was really interested in hearing from Palo Alto Networks about both AI as a threat as well as AI and cyber defense. And from a lawmaker's perspective, they're really looking at what do we need to do to be thinking about how we protect our citizens from the risks of AI, whether that's sort of discriminatory lending practices, whether it's the bad guys using AI, but they also acknowledge that AI can be used as a force for good. And really, that's a lot of what I focused on in my testimony, is how, as defenders, we can be using AI to do a better job in protecting our organizations.

20:20
You
discussed the importance of preparing the cyber workforce for tomorrow. How should educational institutions or training programs approach cybersecurity education?

20:31
I think we've seen tremendous progress in it being even part of the curriculum. Certainly when I went to college, while there was sort of CS as a discipline, there certainly wasn't really cybersecurity. Now a lot of universities and colleges have cybersecurity-specific programs. We partner with a number of universities to talk to their students, to recruit. And so I think, just first of all, recognizing that there's a need and there is a tremendous shortage in the workforce for having trained cybersecurity experts, and having people who are ready to enter the workforce in this area is a huge step in the right direction.

21:19
Absolutely. Sam, thanks for joining me today on Threat Vector.

21:21
Yeah, my pleasure. Thanks for having me on, David.
21:32
If you're concerned about ransomware and extortion, you should check out our webinar on Unabashed, Unashamed and Unpredictable: The Changing Pace of Ransomware. Sam, along with Unit 42's managing partner, Chris Scott, and consulting directors David Ferron and Liam Peltoner, share what it takes to keep your organization protected. I'll include a link to that webinar in the show notes.

21:55
That's it for Threat Vector this week. I want to thank our executive producer, Michael Heller, and our content production teams, which include Shada Azimi, Sheila Droski, Tanya Wilkins, and Danny Milrad. I edit the show, and Elliott Peltzman is our audio engineer. We'll be back in two weeks. Until then, stay secure, stay vigilant. Goodbye for now.

22:21
Be sure to check out the Threat Vector podcast right here on the CyberWire Network and wherever you can find us.

22:43
And
now, a word from our sponsor, Zscaler, the leader in cloud security. Cyber attackers are using AI in creative ways to compromise users and breach organizations. In a security landscape where you must fight AI with AI, the best AI protection comes from having the best data. Zscaler has extended its Zero Trust architecture with powerful AI engines that are trained and tuned by 500 trillion daily signals. Learn more about Zscaler Zero Trust Plus AI to prevent ransomware and AI attacks. Experience your world secured. Visit zscaler.com/Zero Trust AI.

23:37
And
finally, the recent discovery from Wired that nearly 200 mobile devices left a digital breadcrumb trail from Jeffrey Epstein's notorious island back to their owners' homes and workplaces is a disturbing testament to the pervasive lack of privacy in our digital age. While the visitors to Epstein's pedophile island may have been engaged in morally reprehensible activities, the fact that their movements were tracked and exposed by data broker Near Intelligence throws a stark light on the double-edged sword of surveillance technology. Wired's uncovering of this data demonstrates not just the potential for holding the corrupt accountable, but also the terrifying precision with which individuals can be monitored. This capability, rooted in the murky dealings of data brokers under the lax privacy regulations of the U.S., shows a concerning disregard for personal boundaries. The data accurately tracked individuals from luxury accommodations to Epstein's lair, highlighting the ease with which personal movements are commodified. This incident should serve as a wake-up call for the urgent need for robust privacy protections. While the individuals tracked to Epstein's island may not evoke sympathy due to the island's dark reputation, the broader implications for privacy rights cannot be ignored. The readiness with which detailed location data can be exploited underscores the dire consequences of the U.S.'s fragmented privacy laws compared to stronger protections like those in Europe. The revelation about Epstein's island visitors, while showcasing the potential to uncover illicit activities, primarily exposes a gaping hole in our privacy defenses. It's a glaring example of how individuals' whereabouts, regardless of their actions, can be traced and traded like currency. This should alarm not just privacy advocates, but anyone who believes in the fundamental right to personal privacy without unwarranted intrusion. The ongoing failure of Congress to pass comprehensive privacy legislation not only leaves citizens exposed to surveillance capitalism, but also to the whims of any entity willing to exploit their data for gain or scrutiny.

25:58
On the podcast, my co-host Ben Yelin and I often wonder just what it's going to take to get our dysfunctional U.S. Congress to act on federal privacy legislation. It is a sad reality that maybe, just maybe, something like this, where the rich and powerful are caught being where they should not be, could be the thing that moves the needle.

26:31
And
that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.