The CyberWire Daily Podcast 3.20.23
Ep 1783 | 3.20.23

Cl0p ransomware at Hitachi Energy. Alleged TikTok surveillance of journalists. Hacktivist auxiliary hits Indian healthcare records. Cyberattack on Latitude: update. BreachForums arrest.

Transcript

Dave Bittner: Cl0p ransomware hits Hitachi Energy. The US Department of Justice investigates ByteDance in alleged surveillance of journalists. A hacktivist auxiliary hits Indian health care records. Pirated software is used to carry malware. The effects of cyberattack on Latitude persist. Adam Meyers from CrowdStrike shares findings from the 2023 CrowdStrike Global Threat Report. Rick Howard has the latest preview of "CSO Perspectives." And Pompompurin is arrested for an alleged role in BreachForums.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, March 20, 2023. 

Hitachi Energy confirms Cl0p ransomware attack, data breach.

Dave Bittner: Hitachi Energy, a subsidiary of the Japanese technology giant Hitachi, has confirmed that it sustained a data breach after falling victim to a Cl0p ransomware attack, BleepingComputer reports. The threat actor carried out the attack via a vulnerability (CVE-2023-0669), in Fortra's GoAnywhere MFT. Hitachi Energy said in a press release that the threat actor accessed employee data in some countries, but there's no evidence that any customer data was breached. 

US Department of Justice investigates ByteDance in alleged surveillance of journalists.

Dave Bittner: Forbes reported Friday that the Fraud Section of the U.S. Department of Justice Criminal Division, working with the Office of the US Attorney for the Eastern District of Virginia, has been investigating ByteDance for attempts some of its employees made to use TikTok in collecting location information and other personal data pertaining to journalists. ByteDance has distanced itself from the employees' actions, saying, we have strongly condemned the actions of the individuals found to have been involved, and they are no longer employed at ByteDance. Our internal investigation is still ongoing, and we will cooperate with any official investigations when brought to us. The Wall Street Journal has an overview of the internal investigation ByteDance opened into the incident this past December. That internal investigation is still in progress, but ByteDance's TikTok subsidiary says it's taken some steps to prevent a recurrence. TikTok has said it was restructuring its internal Audit and Risk Control department and removed all user data access and permissions for the department.

Hacktivist auxiliary hits Indian healthcare records.

Dave Bittner: CSO, citing observations made by security firm CloudSEK, reports that the Russian hacktivist auxiliaries of the Phoenix group have compromised health care information in India. Phoenix claimed to have obtained sensitive data and posted samples in confirmation of their attack. CloudSEK writes, an analysis of the samples shared concluded that the affected entity is the health management information system belonging to the Indian Ministry of Health. Phoenix, a group associated with KillNet, indicated that the attack was retaliation for India's agreement to the sanction and oil price cap the G20 imposed over Russia's invasion of Ukraine. 

Dave Bittner: This interest in attacking health care organizations is not unusual. Microsoft's Azure Network Security team reported Friday that the health care sector is now providing the principal target set to KillNet and its affiliates. As had been the case in the past, these attacks have shown a strong preference for botnet-driven distributed denial-of-service attacks. The incident at the Indian Ministry of Health is thus an outlier in terms of attack type, but it's entirely consistent with the Russian auxiliaries' target selection practices. 

Pirated software used to carry malware.

Dave Bittner: The Kyiv Independent reports that pirated software offered by Russian threat actors commonly carries Trojan payloads. The State Service of Special Communications and Information Protection of Ukraine warned yesterday that torrent streaming of unlicensed software remains a threat to both organizations and individuals. They state, hackers Trojanize ISO and installation files and upload the infected software to torrent trackers for free access. When a victim has such files downloaded and installed on their device, hackers gain access to the device's storage, while staying invisible for a long time. The practice of using pirated software is an old one, common in the Near Abroad, as the SSSCIP points out, stating, in many post-Soviet countries, system administrators working for organizations and companies of various forms of ownership still use unlicensed software, including operating systems, shared via torrent trackers. By installing a copy of cracked software from a torrent, they actually give Russian special agencies access to their workstations' drives. Using cracked operating systems is especially dangerous, as cybercriminals have full administrator access to any device such a system is installed on. 

Effects of cyberattack on Latitude persist.

Dave Bittner: Australian fintech provider Latitude has taken its systems offline as the cyberattack it sustained last week remains active, Reuters reports. The company says that both the Australian Federal Police and the Australian Cyber Security Centre were investigating and that it intends to restore service gradually over the next few days. ABC describes the effects the incident has had on a representative group of customers. 

Pompompurin arrested for alleged role in BreachForums.

Dave Bittner: And finally, Conor Brian Fitzpatrick, who goes by the hacker name Pompompurin, 19 years young, has been arrested in Peekskill, N.Y., by the FBI. A statement by John Longmire, the FBI special agent who made the arrest, reads in part, at approximately 4:30 p.m. on March 15, 2023, I led a team of law enforcement agents that made a probable cause arrest of the defendant in Peekskill, N.Y. Thereafter, I swore out a criminal complaint on that day in the United States District Court for the Eastern District of Virginia, in which I formally charged the defendant with one count of conspiring to solicit individuals with the purpose of selling unauthorized access devices. Special Agent Longmire further stated, when I arrested the defendant on March 15, 2023, he stated to me in substance and in part that his name was Conor Brian Fitzpatrick. He used the alias Pompompurin. And he was the owner and administrator of BreachForums, the data breach website referred to in the complaint. 

Dave Bittner: BreachForums is generally regarded as the successor to RaidForums, the criminal market taken down by the FBI in 2022. BreachForums in general and Pompompurin in particular have been a thorn in the side of the FBI for the last several years, according to KrebsOnSecurity. In November of 2021, for example, Pompompurin took credit for a caper in which thousands of bogus emails were sent from FBI and associated email addresses. More recently, RaidForums participants were involved in the infiltration of InfraGard. They applied for and obtained membership by impersonating the CEO of a financial services company. From that membership, they were able to compromise information on roughly 80,000 InfraGard members. That data was subsequently offered for sale on RaidForums. Mr. Fitzpatrick was presented in federal court in White Plains, N.Y., and released on a $300,000 unsecured bond signed by his parents, Bloomberg reports. A note on his alleged hacker name. Pompompurin is a golden retriever from the Hello Kitty universe, which suggests that, precocious as he may be, Mr. Fitzpatrick, in some ways, remains very young. 

Dave Bittner: Coming up after the break, Adam Meyers from CrowdStrike shares findings from the 2023 CrowdStrike Global Threat Report. Rick Howard has the latest preview of "CSO Perspectives." Stay with us. 

Dave Bittner: Adam Meyers is head of intelligence at CrowdStrike, where they recently released their 2023 CrowdStrike Global Threat Report. I reached out to Adam Meyers for details on the report. 

Adam Meyers: There's a calculus that goes into this stuff. I call it a calculus at least. And in ransomware, the calculus is measuring downtime and trying to create enough downtime that it effectively creates a situation where it's cheaper to pay the ransom than to continue trying to fight through it. And with data extortion, that changes, right? Now, the calculus is no longer about the downtime. The calculus is about what are the legal and regulatory and compliance impacts of losing all of the sensitive data and it being published on the internet? Think about GDPR and HIPAA and all the various privacy acts. And a victim organization facing an extortion demand, you know, they do the math real quick, and they recognize this could be a $100 million problem or a $10 million problem. And, you know, they're going to probably pick the smaller problem. 

Dave Bittner: What are we tracking these days in terms of the criminals being good to their word? You know, if you pay them, do they hold up their end of the deal? 

Adam Meyers: They do, yeah. You know, as you would expect, they're coin operated. They're financially motivated. And that's one of the big drivers of this change, you know, when you think about - organizations have really taken heed, and they've created robust backup solutions. And they've done all of this work to ensure that ransomware isn't effective against them. They've got EDR solutions that can detect ransomware as it's executing and starting to encrypt files. And the - you know, even when they are successful, there's this playbook that's been developed over the past couple of years. And, you know, I think of it almost like a hostage negotiation, right? They're like, well, I don't know what Bitcoin is or I'm not authorized. It's a lot of money. And then they start doing the can you unlock this file so you could prove that you can do what you say you can do? And then they grind them down on price, and they kind of wait them out, you know, because this threat actor wants to make money. And that playbook is incredibly frustrating for the threat actor. 

Adam Meyers: And so with data extortion, that playbook doesn't work anymore. Right now, it's like an express kidnapping where, you know, they want, you know, $100,000 to get somebody back, and you're like, well, I can only do 50. And they're like, for 50, you could have half of them, right? Like, that's not a palatable option. So now the threat actor has the control. They have - they can pull the levers and kind of drive the, you know, conversation forward. And that's what data extortion allows them to do. When that ransomware playbook comes out and they're like, well, I don't know what Bitcoin is or I'm not authorized, the threat actor can come back and say, OK, well, we're going to release 10 gig of your sensitive customer data to the internet and let's see if you figure it out. And so now they're able to kind of, you know, really control that conversation. And to your point, encryption's hard, right? It's noisy, and ransomware is - attracts a lot of attention, and it can break things. And so removing that complexity means that the threat actor just has to steal the data, and it simplifies their whole process. 

Adam Meyers: And, you know, ransomware as a service has been very prevalent over the past couple of years. And with ransomware as a service, you're - you know, as the threat actor, you're using this ransomware platform, and you're paying them 20% of your ransom for the use of their platform. You know, when you're doing data extortion, you don't need that, right? You remove the complexity of all of the encryption. You remove the complexity of the ransomware, and you get to keep 100% of the proceeds versus 80%. 

Dave Bittner: Based on the information that you all have gathered here, what's the advice? What's the actionable steps people can take to better defend themselves? 

Adam Meyers: That's definitely a great question. When you look at data extortion in particular, which is, you know, really on the rise - in fact, we mention in the report that 70% of the attacks that we observed this year don't even involve malware. They're what we call malware-free. Where a lot of these threat actors are coming in - and, you know, it's not just the extortionists. There's lots of different threat actors taking advantage of this. They're coming in by stealing legitimate credentials or phishing legitimate credentials. 

Adam Meyers: And just yesterday Microsoft released something like 80 different vulnerabilities. A number of them were critical. One of them is in Microsoft Outlook. And with a properly crafted calendar invite, effectively, you can force somebody to pass their Windows authentication to an arbitrary server, meaning that they can capture your username and password effectively just by sending you a calendar invite. And so once they have those credentials, they're able to log in. Maybe an organization has multi-factor authentication. I hope they do. But that doesn't stop the attacker because now they could social engineer past that six-digit number. Or they can do SIM swapping attacks where they target their phone number. Or they can, you know, do some social engineering if it's one of those pop-up authentications. 

Adam Meyers: So it hasn't stopped the attackers. In fact, you probably remember last summer a group called Lapsus$ was pretty active, and one of their victims was Microsoft itself. And that was, you know, the work of a threat actor that really wasn't using a lot of tooling. They just used kind of social engineering and sneakiness to get in. And this is really only countered with something like identity protection. We used to say in this industry - and, you know, this is a quote from Ronald Reagan - trust but verify. And that kind of guided a lot of the infosec world for a while. But, you know, now I think we're in this world of zero trust, where you have to make sure that just because Dave says he's Dave, that doesn't necessarily mean that he is Dave. We have to verify that. 

Adam Meyers: And so we have to change that paradigm of trust but verify. And now it has to be verify, then trust. And that is changing the process. That's changing the methodology. And it's incorporating technology like identity protection, which can look at every one of Dave's logins and make sure that Dave is who he says he is. You know, Dave usually uses an iPhone coming in from New York, but today it's an Android coming in from Oxford. Why is that? Let's do some digging, and let's look for, you know, some behaviors that we can kind of pin to that and say, this is not how Dave typically operates. And now we can contain Dave's user account, not just his machine but his user account. And that is really the answer that a lot of organizations have figured out they need to be moving into in the next year. 

Dave Bittner: That's Adam Meyers from CrowdStrike. 

Dave Bittner: It is always my pleasure to welcome back to the show Rick Howard. He is the CyberWire's chief security officer and also our chief analyst. Rick, welcome back. 

Rick Howard: Hey, Dave. 

Dave Bittner: So for the past couple of weeks, you and I have both been traveling, not together... 

Rick Howard: (Laughter). 

Dave Bittner: ...But to different places with different vacations and... 

Rick Howard: I'm glad you specified that. OK. 

Dave Bittner: Yeah - different work-related things and so on and so forth. And so we have not crossed paths in a couple of weeks. We haven't had a chance to record these conversations about what is coming up on your podcast, "CSO Perspectives." But here we are. We are near the end of March. And I realize that you are on your final episode of this season, so please bring us up to speed and catch us up. 

Rick Howard: Well, that's right. Season 12 is coming to an end this week at "CSO Perspectives." And so we'll be on hiatus until just after the big RSA Security Conference in April of next month. 

Dave Bittner: I guess the interns down in the sanctum sanctorum will need some time to bang away on their typewriters for Season 13. Is that right? 

Rick Howard: Yeah, it's true. Every once in a while we have to let them out of their cages for a bit 'cause, you know, they start to get a little testy, OK? 

Dave Bittner: Yeah. 

Rick Howard: You know how they can be (laughter). 

Dave Bittner: They want stuff like food and water. 

Rick Howard: They're so demanding, right? 

Dave Bittner: And needy, yeah. 

Rick Howard: So for this last show of the season, though, I'm previewing a talk that I will be giving at the RSA Conference next month with a friend of mine, Todd Inskeep. It's called "The Emperor Has No Clothes: The Current State of the CISO." 

Dave Bittner: Now, my recollection is that you interviewed Todd sometime before the holiday break last year, and you guys were talking about this relatively new development in the CISO career path. Bring me - refresh my memory. What was that? 

Rick Howard: Yeah, it's called a fractional CISO, right? It's essentially a CISO consultant for organizations that don't have a CISO yet and need to start their fledgling InfoSec programs. And you can hire one of these folks to get you started and maybe check in from time to time to help with, you know, various projects. So after the interview, Todd and I got to talking about the current state of the CISO career path, and afterwards we said, hey, this might make a great talk at some conference somewhere. And much to our surprise, the RSA Security Conference selection committee accepted our proposal. So we're presenting at RSA this year. 

Dave Bittner: Wow. Congratulations. Why is it called "The Emperor Has No Clothes"? 

Rick Howard: Well, you know, the bad news is that for the most part, the chief information security officer is not the chief of anything, really, you know? People who hold those positions are not at the same level as, say, the CFO, the CTO or even the chief legal officer. CISO is really just a fancy title that means you're in charge of security for the company, but probably buried a couple of layers down in the bureaucracy. 

Dave Bittner: What's the good news then? 

Rick Howard: (Laughter) Well, there is good news 'cause I love this job. 

Dave Bittner: OK. 

Rick Howard: So in the past seven years or so, there have been a series of jobs open up that require CISO experience. Like, we have the CISO evangelist that you get for all the security vendors. We got the new kind of CISO that understands software development, the - I call them the DevSecOps CISO. If you're following my podcast, you know we're trying to learn how to do cybersecurity risk, so we got that kind of a CISO. And the latest one is the chief security product officer, where vendors are hiring former CISOs to come in and help them secure their products. So if you're attending the RSA security conference next month, come join me and Todd on Thursday afternoon. I promise it will be a lively discussion. But for those that are not going to go to the conference, this last episode will give you kind of a preview of what we're going to talk about. 

Dave Bittner: So let me just - I mean, it's called The Emperor Has No Clothes, but you will be fully clothed, right? 

Rick Howard: Well, no promises, OK? No promises. 

Dave Bittner: All right. I don't know if that will attract people or repel them, Rick, but speaking of RSA, let's... 

Rick Howard: Try to get that out of your head now. Try to go to sleep and not think about that, all right? So... 

Dave Bittner: It's a good thing this is no - there's no video here. So speaking of RSA, there will be a lot of us from N2K in attendance doing our thing. We interview people, meet people. We're even hosting a lunch for all of the CyberWire's Hash Table members, and that's going to be a lot of fun. I would be remiss if I didn't mention the fact that N2K and Wiley publishing are releasing your new book in conjunction with the conference. Tell us about the book. What is the title, and what is it all about? 

Rick Howard: So the title is "Cybersecurity First Principles: A Reboot of Strategy and Tactics." And you know this, Dave, with the "CSO Perspectives" podcast, we spent the last three years talking about getting back to first principles in our field, and that has been some of the most rewarding work I've done in my entire career. The downside is that the information is scattered across the CyberWire website and delivered in little small dollops of audio from the podcast, so the book is our attempt to get all of it into one convenient container. And the hardcover book will be released at the RSA conference, and you can pre-order it now on Amazon, and then the Kindle versions and the audiobook will come out soon after that. In fact, I'm currently right - as I leave this interview, I'm going to begin recording the audiobook, so that's what I'm working on. 

Dave Bittner: Oh, nice. And you're going to be signing books at the conference bookstore, right? 

Rick Howard: Yeah. Immediately after my talk with Todd on Wednesday afternoon, I'll be signing my book outside the conference bookstore, so if anybody listening is attending the conference, please come on by. I would love to meet you. 

Dave Bittner: All right. Terrific. Well, Rick Howard is the CyberWire's chief security officer, our chief analyst, but more important than any of that, he is the host of the "CSO Perspectives" podcast. Rick, thanks for joining us. 

Rick Howard: Thank you, sir. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. 

Dave Bittner: The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.