Recent criminal activity–it’s as opportunistic as ever. Cyber risk to the pharma sector. Updates on the hybrid war. Returning Cobalt Strike to the legitimate red teams.
Tre Hester: Daixin Team claims ransomware attack against AirAsia. DraftKings users suffer credential harvesting and paycard theft. Assessing cyber-risk in the U.S. pharmaceutical industry. Killnet claims successes few others can discern. Carole Theriault on digital echo chambers and what's in it for us. Nancy Wang from Fortra's Alert Logic discusses how she is helping more young women get into the STEM field and leadership positions. And Google seeks to render Cobalt Strike less useful to threat actors.
Tre Hester: From the CyberWire studios here at DataTribe, I'm Tre Hester with your CyberWire summary for Tuesday, November 22, 2022.
Daixin Team claims ransomware attack against AirAsia.
Tre Hester: The Daixin Team, a criminal ransomware gang that was the subject of a joint CISA and FBI warning last month, has claimed a successful attack on Malaysian carrier AirAsia's networks. The gang claims on their portal, Hacker News reports, to have stolen personal information associated with 5 million passengers and all of the airline's employees. According to Tech Monitor, quote, "the attack is said to have happened on the 11th or 12th of November, and the Daixin Team has shared two spreadsheets showing what appears to be personal information from passengers and staff of the airline, including date of birth, country of birth, where the person is from, when employed for employees, and the secret question and answer used to secure accounts," end quote.
Tre Hester: In their advisory last month, the U.S. Cybersecurity and Infrastructure Security Agency and the FBI said that the Daixin Team appeared to base their ransomware on leaked Babuk Locker source code. They also said that the gang has been known for its concentration on the healthcare sector, but clearly this particular group of hoods is branching out.
DraftKings users suffer credential harvesting and paycard theft.
Tre Hester: DraftKings users have fallen victim to a hack, the Action Network reported yesterday. Some users reported suspicious bank activity from the online betting platform, such as changed login credentials and spam emails. The company, however, reports no breach of systems. CNBC reported yesterday that the online betting platform has said they found no evidence of a breach of systems following the hacking reports. The company reports that less than $300,000 of customer funds were affected, and DraftKings' co-founder and president for global technology and product, Paul Liberman, said in a statement, quote, "DraftKings is aware that some customers are experiencing irregular activity with their accounts. We currently believe that the login information of these customers was compromised on other websites and then used to access their DraftKings accounts where they used the same login information," end quote. DraftKings says they intend to make whole any customers that were impacted by the hacks.
Tre Hester: Given that DraftKings thinks customer login credentials were compromised on other sites where they'd been reused, it's worth reflecting on two familiar security best practices. First, don't reuse passwords. And second, enable multifactor authentication where it's available.
Assessing cyber risk in the US pharmaceutical industry.
Tre Hester: Moody's Investors Service released a report last week on cyber risks in the pharmaceutical industry. The report says that, overall, the cyber risk to the pharmaceutical sector is low. The report details the pharmaceutical industry's systemic risks, labeling them as moderate, largely because of the sector's high profile and the significant potential for consequences of an attack. But cyber risk mitigations done by the industry as a whole keep the overall risk low, despite the moderate severity of systemic risks.
Killnet claims successes few others can discern.
Tre Hester: Killnet continues its program of nuisance attempts against Western targets of opportunity. The hacker auxiliary group has recently turned its attention to, among others, the British Royal Family, ComputerWeekly reports. These have been the now-familiar and largely ineffectual distributed denial-of-service attacks. Killnet made large and baseless claims of success, saying that it hit three targets in the U.K. - Banker's Automated Clearing Service, the London Stock Exchange and the official website of the Prince of Wales. The group said the royal official site was down, adding, quote, "Perhaps this is due to the supply of high-precision missiles to Ukraine. Also today, all medical institutions, government services and online services will stop working," end quote. No one else sees any signs of such successes.
Google seeks to render Cobalt Strike less useful to threat actors.
Tre Hester: And finally, Cobalt Strike is a legitimate penetration testing toolset, but it's often mentioned in dispatches as one that criminals and state actors abuse against their targets. The security firm Fortra, formerly Help Systems, developed Cobalt Strike so users could emulate an attack against their networks in the course of testing for vulnerable software. Unfortunately, since the toolset was introduced 10 years ago, threat actors have been able to abuse it as what Google calls, quote, "a robust tool for lateral movement in their victims' networks as part of the second-stage payload attack," end quote. Google is seeking to make such abuse more difficult by, quote, "releasing to the community a set of open-source YARA Rules and their integration as a VirusTotal Collection to help the community flag and identify Cobalt Strike's components and its respective versions. Since many threat actors rely on cracked versions of Cobalt Strike to advance their cyberattacks, we hope that by disrupting its use we can help protect organizations, their employees and their customers around the globe."
Tre Hester: The rules focus on detecting versions of the tools being deployed across the system. The pirated versions are, Google explains, usually at least one version behind Fortra's latest version of Cobalt Strike. Screening them out and disabling them, Mountain View hopes, will take Cobalt Strike out of the criminals' hands and return it to legitimate red team users where it belongs.
Tre Hester: Coming up after the break, Carole Theriault discusses digital echo chambers and what's in it for us. And Nancy Wang from Fortra's Alert Logic discusses how she's helping more young women get into the STEM field and leadership positions. Stick around.
Dave Bittner: Nancy Wang is VP of Technical Product Management at Alert Logic by Help Systems. Nancy is looking to solve the low female employee representation in technical fields like software development, cybersecurity and technical product management, especially in leadership positions.
Nancy Wang: When I joined Alert Logic in the R&D team - this was 10 years ago - I was the only female employee at the time out of almost, like, 200 people. Now, looking back, we have way more people in R&D and tech and then, you know, a lot of, like, pleasant change around women in leadership roles as well. But if we look at the stats, it's still not to the level that we - you know, we want to see, right? So you don't see the same amount of female tech employees or tech leaders compared to the male counterparts. So overall, I think the industry is definitely improving. And I've seen a lot more, you know, conferences, events, recognition around women - Women in IT, Women in Technology conferences and then Women's Alliance groups. Even here at Alert Logic, we have, like, a Women's Alliance team that formed last year. And it's all - you know, a lot of things are thriving, so definitely improved over the years.
Dave Bittner: What about at events and conferences and things like that? Are you finding a shift in the tone there? Are folks more welcoming?
Nancy Wang: I think so. I think so. It depends on sort of which type of conference we're talking about, right? Of course, for, you know, specific conferences related to the tech field, there's sort of slightly less focus on gender. It's more on the subject matter, on the technical trends and industry focus. But then some of the recent conferences I went to - you know, I went to - I spoke at the Women in Tech Texas conference, and I also attended the Women in IT Summit in New York this year. Those are - you know, a lot of the focus there is talking about, how do we bridge this gender gap in tech, in cybersecurity?
Nancy Wang: And a lot of people, including myself, are super-passionate about it. You know, we are saying, well, we are doing, in our day-to-day lives, about mentoring, you know, fellow female employees. What we're trying to do - we're brainstorm ideas about how do we even - reaching out to the younger generation. And for our next generation to come, this gap - what we want to see and what I want to see is this gap being smaller and smaller. And by the time - I have two girls. By the time my girls are entering the workforce, hopefully, this gap will not exist.
Dave Bittner: How far back do you suppose we need to go to get young girls interested and involved, and give them a sense that there is a place for them here? Do we begin in elementary school, middle school? Where do you suppose a good place is?
Nancy Wang: It's interesting you ask. So this one thing I learned, you know, attending this Women in IT conference this - earlier this year was I learned - someone showed me a study result, right? So the study shows that kids in the middle school ages, middle school years, are actually the most crucial for them to determine what they can and cannot do in life. So I would say start from young, but then definitely focus on the middle school years. So one of the ideas we came up with was kind of from a personal experience as well. Like, I spoke at the career day at my older daughter's class. So they are fifth-graders, and kids just - they are not aware, like, what cybersecurity is about. You know, what do you do as a product manager? So it's crucial to kind of explain the different career paths that entering the STEM field can open up, right? It's not necessarily always sitting there, sitting at their computer, programming. There are so many different career paths one can get into when they enter the technical field and STEM field.
Nancy Wang: So based on that study, you know, we came up with the idea of saying, hey; why don't we, a group of leader - female leaders in the technical field - why don't we offer free, in-person and virtual career days for just - you know, not just our kids, for just anybody, right? We offer that up, and we provide this just level of awareness so that we can let the girls know, try - you know, don't be afraid of trying new things. Be confident. You do not shut the door in front of you before you even, you know, explore the potential.
Dave Bittner: What are some of the stories that you hear from some of these young women as you talk to them? Is there a bit of realization, a revelation that perhaps this is something they can pursue? Or do some of them already have their sights set on it?
Nancy Wang: Yeah, I definitely got a lot of interest, so - in, you know, speaking to my daughter's class. And then I did a similar sort of training and class to the Girl Scout group my older one is in as well. I think it's just - it's an interesting field for them, right? It's - they have no idea what cybersecurity is about. They even correlate it to kind of some of their life experiences. Like, a lot of girls are - or, you know, girls and boys are playing a lot of games now. And they're saying, oh, you know, like, some people are reaching out to me on this game, and they're strangers. They want to kind of, you know, chat with me.
Nancy Wang: And then I just - I kind of quoted, hey, this is a way of hacking into your lives. And this is, like, relevant to social engineering. You know, that kind of relationship - it triggers their interest, I hope. You know, I think I definitely see a lot of interested eyes in the audience. And I hope this kind of triggers them to research more later on in their lives and in their study as well.
Dave Bittner: That's Nancy Wang from Alert Logic.
Tre Hester: Our U.K. correspondent Carole Theriault files a report on digital echo chambers and what's in it for us.
Carole Theriault: So I was thinking about these digital echo chambers of ours - you know, how our online media feeds present us each with content, opinions and ads curated just for us individually. Of course, I can see the benefit for providers like YouTube or Facebook and the like. If a user consumes some content without bouncing out early or immediately starting a new search, chances are that they might like to see something similar. And, of course, we know that's how they win. You stay on the site. They boost their ad revenue potential. But the question is, what's in it for us, if anything at all? Recent research and opinion on the topic of echo chambers showed a number of different angles. For instance, I saw that a Harvard Business Review report said that the higher leaders go, the more likely they are to find themselves in an echo chamber, surrounded by people who think like them and agree with them - a problem if you're trying to find a solution to a problem and can only look at it from one perspective.
Carole Theriault: A recent study from New York University says that, by many measures, mass polarization is on the rise in the U.S. Americans are more willing to condone violence, less open to relationships that cut across party lines and are more prone to partisan-motivated reasoning. And the concern is that social media is accelerating this polarization.
Carole Theriault: I'm not an expert, but in my little world, echo chambers have served to make people more certain of their opinions and less tolerant of others, and me included. On some issues, I've been utterly flabbergasted about how other people seem to respond to the same story - like, completely perplexed and sometimes even emotional. But I have to remember that what shaped my opinion was very different to what shaped their opinions. Who knows where we would each be and what positions we would take if we swapped chambers for a beat or three?
Carole Theriault: One research paper suggested that randomly disrupting our feeds with other viewpoints on a topic serves to calm polarity in opinion. But another, focusing on radical echo chambers, said that when a group felt invaded by opposing viewpoints, they undermined or marginalized the invader, suggesting that there might be limited potential to counter messages, to undermine radical behaviors in these chambers.
Carole Theriault: Now we've seen Elon Musk, the richest man in the universe and the new owner of Twitter, warning that it is important for the future to have a common digital town square. Others argue, no, no, that this type of polarization actually correlates with increases in inequality and economic decline. So there are a lot of opinions and a lot of research and no answers that I see. But echo chambers seem dangerous to me. What do you think? This was Carole Theriault for the CyberWire.
Tre Hester: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. The CyberWire podcast is a production of N2K Networks and proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Tre Hester, filling in for Dave Bittner. Thanks for listening. We'll see you back here tomorrow.