The CyberWire Daily Podcast 5.11.23
Ep 1821 | 5.11.23

Ransomware and social engineering trends. Expired certificate addressed. Ransomware groups target schools. Cyber updates in the hybrid war.

Transcript

Dave Bittner: A ransomware report highlights targeting and classification. Phishing remains a major threat. Cisco addresses an expired certificate issue. LockBit and Medusa hit school districts with ransomware. US and Canadian cyber units wrap up a hunt forward mission in Latvia. Ben Yelin on NYPD surveillance. Our CyberWire producer, Liz Irvin interviews Damien Lewke, a graduate student at MIT. And an unknown threat actor is collecting against both Russia and Ukraine.

Dave Bittner: I'm Dave Bittner with your CyberWire intel briefing for Thursday, May 11, 2023.

Ransomware report: targeting and classification.


Dave Bittner: The United States is number one in ransomware attacks. GuidePoint Security today released their GRIT Ransomware Report for April 2023. While the total number of organizations affected dropped 22 percent from March to April, the US maintains its place atop the leaderboard when it comes to being victimized by ransomware. The US had 179 victims, whereas the runner-up, the United Kingdom, came in with a distant 18. The most widespread ransomware threats to the US have been LockBit, BianLian, and ALPHV. Manufacturing was by far the most targeted industry, followed by healthcare and technology. Looking at the gangs themselves, LockBit's numbers continued to grow this month. ALPHV nearly doubled the number of its victims in the past month, and the researchers say April marked the most impactful month for BianLian, which increased its victim count from 27 in March to 45 in April.

Phishing remains a major threat.


Dave Bittner: As the weather warms up, going out for a day of phishing may become more common. Cyber criminals think so, too, as phishing attacks remain on the top of the list in DNSFilter's State of Internet Security Q1 2023 report. The report showed a 61 percent increase in traffic leading to websites containing threats between October 2022 and March 2023 and named malware as the second threat behind phishing with new domains in third. Employees should remain vigilant in vetting emails they receive by not clicking on suspicious links and checking with their IT department when they receive enticing emails or opportunities from outside organizations.

Cisco addresses expired certificate issue.


Dave Bittner: Cisco released an informational post that describes how to identify a vEdge that has an expired certificate affecting control plane connections, which eventually impacts data plane connections, resulting in loss of service. The expired certificate could result in loss of service if improperly handled or not handled fast enough. Cisco specifically tells users experiencing loss of connection not to reload their device, as this could lead to a complete loss of service. Cisco writes, "Reloading the device causes the graceful restart timers to reset, and the router will not be able to reconnect to the fabric. Keeping the router up will help ensure graceful restart does not occur, which will help to keep the data plane sessions up; and traffic will be able to pass while control connections are down." However, simply not restarting your device might not be enough to stave off loss of service, The Register explained. And bear in mind, even if you don't manually restart or update your equipment, there are timers in the devices that will, by default, start a reload that will trigger disruption as a result of the now-dead cert.

Dave Bittner: Cisco has begun rolling out software updates. The company has so far released 12 software patches to various versions of the vEdge software, The Register writes. Based on the documentation, the patch likely amounts to certificate replacement. Unfortunately, it doesn't appear that the update will do much good for devices that have already been rendered inoperable by the expired certs. Cisco recommends customers with bricked gateways contact Cisco for assistance. Cisco has also released step-by-step processes to remedy the issue and correctly install the update, along with remarks for customers who have reloaded their devices prior to reading the post.

LockBit and Medusa hit school districts.


Dave Bittner: In a report released today by Verity, it was confirmed that two school districts, the Uniondale Union Free School District in New York State and the Pineland Schools in New Jersey, fell victim to the Medusa and LockBit gangs and saw their data posted on leak sites by the respective groups. The Medusa ransomware group has been in action since June 2021. The gang performs double extortion attacks, or attacks that both steal and encrypt sensitive data, against their targets, which have included school districts. LockBit, a pervasive ransomware threat active since 2019, also performs double extortion attacks. The volume of its attacks is expected to increase over time.

US and Canadian cyber units wrap up hunt-forward mission in Latvia.


Dave Bittner: The Voice of America reports that a US-Canadian hunt forward mission in Latvia has completed its three-month engagement. Latvia has been a strong supporter of Ukraine and, as such, has come under Russian cyberattacks. The hunt forward team focused on threats to Latvian infrastructure. C4ISRNet quotes Baiba Kaskina, General Manager of CERT.LV, as saying, "With our trusted allies, the US and Canada, we are able to deter cyber threat actors and strengthen our mutual resilience."

An unknown threat actor is collecting against both Russia and Ukraine.


Dave Bittner: Malwarebytes reports on a cyber espionage group it's calling Red Stinger. The group has been quietly active for at least three years, and Malwarebytes identifies it with the operation Kaspersky has been tracking as Bad Magic. Malwarebytes says that Red Stinger has pursued targets on both sides of Russia's war against Ukraine and that the victimology renders attribution complex and unclear. Indeed, there is no credible attribution whatsoever, at least not yet. Malwarebytes writes that it's clear that the principal motive of the attack was surveillance and data gathering: there were many layers of protection implemented, an extensive toolset at work, and evidence of the targeting of specific entities. But Red Stinger has been at it for a while and in all probability will eventually betray itself through coding or tradecraft. A lot of people will be watching.

Dave Bittner: Coming up after the break, Ben Yelin looks at NYPD surveillance. Our CyberWire producer Liz Irvin interviews Damien Lewke, a graduate student from MIT. Stay with us.

Dave Bittner: It seems like just yesterday we were all at the RSA Conference where our producer Liz Irvin was on the show floor conducting interviews. She files this report with her conversation with Damien Lewke, a graduate student at MIT.

Damien Lewke: My name is Damien Lewke. I'm currently a graduate student at MIT. Before MIT, I worked at CrowdStrike and then at Palo Alto Networks across product marketing, solutions architecture, and sales engineering. And, when I graduate, I'm going to be a product manager at Arctic Wolf.

Liz Irvin: So first things first. How are you liking your RSA experience so far?

Damien Lewke: I've loved it. RSA is always kind of like a back-to-school reunion, right? Having been in the industry for about eight years, it's really cool getting a chance to connect with some old friends. But it's really interesting to see some of the new and interesting problems that people are solving. There's always kind of a buzzword of the conference. So everything from SIEM to EDR to XDR to now, some of the use cases around AI and machine learning, natural language processing. So it's cool. It's amazing to see how dynamic it is, especially post-pandemic, just to see the fact that, say, the conference is back to its original vibrancy and enthusiasm and dynamism. It's amazing to be back, in short. Short answer long.

Liz Irvin: So how do you think this year has compared to the last couple of years that you've been here, especially with COVID and everything? Have you seen much of a difference?

Damien Lewke: Comparing this year to a few of the other years, in terms of the scale and number of companies on, say, the expo floor, it certainly increased. I feel it gets a bit bigger and busier. Again, more people solving interesting problems. I'd say what's been interesting to see from a sessions perspective, is how the focus has shifted. I think it used to be a lot of buzzwords and vendor pitches. You see a lot more sessions around public-private partnership, a lot of examples of government organizations and international government organizations collaborating with folks in industry and working together to solve big problems. So I'd say, in terms of comparison, every year is unique. You know, RSA Conference is kind of like a mansion. Every room is unique, but there's room for everybody. I would say in terms of vibrancy and dynamism, it's never been better.

Liz Irvin: Yeah. So you mentioned down on the floor. Have you seen anything down on the floor that's really piqued your interest in new tech or anything like that?

Damien Lewke: Oh, yeah. Of course. So, I mean, XDR, of course. It's interesting to see that that has gone from kind of a niche idea or a couple of vendors talking about it to something pretty ubiquitous. In terms of really interesting, I've seen some pretty fascinating stuff around SOC automation and augmentation, so folks looking at natural language processing assisting cyber defenders. Also some really cool examples of new, like, mobile application security techniques. I mean, it's amazing. We use smart devices all the time. And I think a lot of folks think about mobile application security as MDM, but it's so much more than that. So looking at a few folks out there on the back end of the south hall, I thought that was really fascinating.

Liz Irvin: So the theme this year is Stronger Together for RSA. Do you think stronger together is a good theme in general?

Damien Lewke: I think so. But, fundamentally, cybersecurity is a team sport. And we are stronger together. To use an old systems engineering adage, the whole is truly greater than the sum of its parts. And, you know, there are folks in government talking about the fact that there's a technology ecosystem where folks do have a place in -- cybersecurity is a somewhat Byzantine industry, right, a lot of folks solving very specific problems. But, at the same time, you know, coming together and working not just as an industry but looking at government partnerships, looking at partnerships with academia and synthesizing kind of those three legs of the cybersecurity stool and being stronger together, I think it's great. I'd say in terms of just the vibe, I know that's not a very technical term. But the vibe here is very jovial and dynamic. And people seem very open and engaging, which is really inspiring and exciting to see. I don't want to say it's been acrimonious in the past. But I certainly would say there's just a better feeling of almost say, like, cautious optimism today, which is amazing to see in here.

Liz Irvin: I'm sure you've heard the acronym for Chief Information Security Officer, correct? How do you pronounce that?

Damien Lewke: CIS-so.

Liz Irvin: CIS-o. Okay. All right. Fantastic.

Damien Lewke: Although it should be CIS-o.

Liz Irvin: CIS-O?

Damien Lewke: Because it -- CIS-a, CIS-o.

Liz Irvin: Okay.

Damien Lewke: CIS-o. I learned something today.

Liz Irvin: Okay.

Damien Lewke: It's CIS-o.

Liz Irvin: There you go. All right. Quick change of minds, I guess. All right. Thank you so much for the interview.

Damien Lewke: Thank you.

Liz Irvin: Appreciate it.

Dave Bittner: That's CyberWire producer Liz Irvin speaking with Damien Lewke.

Dave Bittner: And joining me once again is Ben Yelin. He is from the University of Maryland Center for Health and Homeland Security and also my cohost on the Caveat Podcast. Ben, welcome back.

Ben Yelin: Good to be with you, Dave.

Dave Bittner: So the NYPD, which I guess is probably our nation's largest police department.

Ben Yelin: I believe so.

Dave Bittner: I would imagine so. Yeah. They recently had a little event where they were highlighting some of the new initiatives that they have. And one of them caught my eye. They have the ability to -- they have a gun, Ben. They have a gun, that they can launch a sticky GPS tracker at your car.

Ben Yelin: Does this feel like a James Bond tool here? MacGyver? Or maybe just Austin Powers.

Dave Bittner: I was going to say Inspector Gadget, but those are fine. But the utility of this is that it is supposed to cut down on high speed pursuits, which I think is a good thing. I know lots of police forces have been trying to dial that down because they're potentially dangerous to everyone involved but, more importantly than that, pedestrians or innocent bystanders. They also came out and said that they would love people in areas of the city where they're having trouble with vehicle thefts to purchase themselves an Apple AirTag tracker and put that in their vehicle. In fact, the NYPD is giving away 500 of these so that it's easier for folks to track their vehicles if they have been stolen. What do we think of all these initiatives, Ben? Are there any problems here?

Ben Yelin: There are some problems. I think, you know, we should acknowledge that the New York Police Department has a very difficult job. They -- there has been an uptick in crime over the past several years, although I know crime has actually -- violent crime has gone down for one or two consecutive years. But there are certainly some serious problems to solve. High speed car chases are extremely dangerous to those involved, to law enforcement, and to pedestrians. So, to the extent that you can cut down on those high speed chases by using this gun that shoots out a GPS device that attaches to a car, I think that would be a valuable tool for the NYPD to use. I don't see any major constitutional problems with this type of tactic, largely because, if you reasonably believe that somebody is going to be involved in a car chase, that they're not responding to the siren or the police lights, that they're not going to pull over, that's pretty good probable cause for you to deploy this tool.

Dave Bittner: Right.

Ben Yelin: Granted, that's -- it's extra judicial. It's not like you're calling up the magistrate judge and saying, Hey. Can I fire this gun at a moving vehicle. But I do think it can be a useful tool as long as it's not abused. Of course, there's always the potential to abuse it. We've seen that happen with some of these surveillance tools in the past. I've got more of a problem with urging people and suggesting that people put AirTags, Apple AirTags inside their vehicles.

Dave Bittner: Right.

Ben Yelin: This sounds like a good idea. I mean, it's sort of how -- like how police departments have been encouraging people to use Amazon Ring devices on their homes --

Dave Bittner: Right.

Ben Yelin: -- and giving them out at various events. But those AirTags could be used against people and could certainly violate those people's civil liberties in a number of circumstances. So, if the New York Police Department is keeping a record of which vehicles have AirTags, let's say you're suspected of some type of petty crime, nonviolent crime, law enforcement already has the ability to track you down. What if you're just delinquent on parking tickets? What if the New York City Police Department has an interest in your political activities or your religious activities? Once they've encouraged you to install that AirTag, that subjects you to a novel form of surveillance, real-time vehicle tracking, which I think can be problematic. Now, it is voluntary. But I think people should know that, if they're going to be involved in this crime fighting effort, that they're potentially creating a risk for themselves by putting such a device in their vehicle. I think there's obviously justification for cutting down on these high speed chases to make it easier for police to recover stolen vehicles. But there's certainly -- all of this doesn't come without risk.

Dave Bittner: Yeah. Would the police have to -- or have the opportunity to go to Apple, say, for some of this tracking data if they needed it or wanted it?

Ben Yelin: So yes. They definitely have the opportunity to do it. Apple might be one of the few companies that might fight back against this type of request, given that Apple prides itself on digital privacy.

Dave Bittner: Yeah.

Ben Yelin: You'd really have a hard time suppressing this type of evidence in court because a person, at least theoretically, would have installed the device in its -- in their own vehicles. So, certainly, you lose that expectation of privacy in your movement. And I think Apple, even if it resisted a response to a subpoena, they can't really do anything if the government ends up getting a warrant for it. I think it'd be pretty easy to obtain a warrant on the right circumstances. So I don't think that's going to be a major help to individuals. It is advantageous for privacy that it's Apple since they're one of the few companies that fights these requests regularly. But I don't think it's going to be the type of situation where Apple saves you from this type of law enforcement surveillance.

Dave Bittner: Interesting. Yeah. I can't help wondering if some clever entrepreneur's going to come out with some special kind of car wax that is extra slippery.

Ben Yelin: I mean, they already have robot dogs. So we're talking about a department that, I mean, it's almost comedic at this point. The New York City Police Department has every conceivable surveillance tool. Many of them, there have been documented cases of abuse. So, you know, proper oversight of this department is certainly in order.

Dave Bittner: Oh, they're embracing technology.

Ben Yelin: Yeah. We'll put it that way. That's what they say in their press conferences so....

Dave Bittner: Right. All right. Well, it's interesting stuff to keep an eye on for sure. As always, Ben Yelin, thanks so much for joining us.

Ben Yelin: Thank you, Dave.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment: your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.