The CyberWire Daily Podcast 11.6.23
Ep 1942 | 11.6.23

Precautions, preparations, and resilience against cybercrime and hacktivism.


Dave Bittner: A precautionary shutdown at a major US mortgage lender. Call centers as targets. A push to decouple data and identity. The cyber front in the Hamas-Israeli war. Hacktivism and state-sponsored cyberattacks against Israel. The instructive case of TASS and managing influence operations. Deepen Desai from Zscaler talking about the TOITOIN Trojan. Our guest is Joe Nocera, of PwC sharing their latest Global Digital Trust Insights survey and the impact of the SEC's new cybersecurity disclosure rules. And cybercrime on the side of Ukraine (or at least, cybercrime against Russia).

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Monday, November 6th, 2023.

A precautionary shutdown at a major US mortgage lender.

Dave Bittner: Mortgage lender Mr. Cooper (which was previously known as Nationstar Mortgage LLC), the largest mortgage lending company in the US, sustained a cyberattack last week that brought down its IT systems. BleepingComputer reports that the incident affected the company’s online payment portal. The company itself said, “Customers trying to make payments will not incur fees or any negative impacts as we work to fix this issue.”

Dave Bittner: The company further disclosed, “On October 31, Mr. Cooper became the target of a cyber security incident and took immediate steps to lock down our systems in order to keep your data safe. Our systems remain locked down, and we are working on a resolution as quickly as possible.” It wasn't immediately clear whether any customer data had been compromised. The company added, “We are actively investigating this event to determine if any data has been compromised. If customers are impacted, they will be notified and provided with identity protection services.”

Call centers as targets.

Dave Bittner: A report from TransUnion looks at fraud attacks targeting call centers in the financial industry, finding that “more than half of respondents say that fraud attacks on call centers are on the rise, based on growth from 2021 to 2022, with financial industry respondents noting an even more acute increase, with a full 90% of respondents indicating at least some observable growth in attacks.” (The company calls these attacks "omnichannel fraud.")

Dave Bittner: Lance Hood, senior director of omnichannel authentication at TransUnion, stated, “Through the use of tactics such as spoofed phone numbers and social engineering, combined with personal information obtained from identity theft scams and data breaches, fraudsters have become more focused on call centers as a target to access and take over accounts (ATO). More than ever, it’s critically important for call centers to find effective and efficient ways to separate legitimate callers from potentially fraudulent, high-risk ones in a way that reduces friction for the consumer.”

Decoupling data and identity.

Dave Bittner: An article by Bruce Schneier and Barath Raghavan in IEEE Spectrum outlines a new approach to cloud security called “decoupling” that could provide better privacy for data stored in the cloud. 

Dave Bittner: Schneier and Raghavan explain, “The less someone knows, the less they can put you and your data at risk. In security this is called Least Privilege. The decoupling principle applies that idea to cloud services by making sure systems know as little as possible while doing their jobs. It states that we gain security and privacy by separating private data that today is unnecessarily concentrated.”

Dave Bittner: They continue, “To ensure that cloud services do not learn more than they should, and that a breach of one does not pose a fundamental threat to our data, we need two types of decoupling. The first is organizational decoupling: dividing private information among organizations such that none knows the totality of what is going on. The second is functional decoupling: splitting information among layers of software. Identifiers used to authenticate users, for example, should be kept separate from identifiers used to connect their devices to the network.”

Dave Bittner: The approach advocated is similar to the idea of a software-defined perimeter, in which resources are restricted based on identities. You may have heard something about this in our podcast by Rick the Toolman.

The cyber front in the Hamas-Israeli war.

Dave Bittner: The National Interest yesterday published an assessment of cyber operations to date in the war between Hamas and Israel. Israel shut down Internet connectivity in Gaza during the first weeks of the war (and tightened the shutdown over the weekend), and Israel has sustained a variety of hacktivist assaults. Most of these have achieved at most nuisance-level effects. The most prominent were the successful hacktivist intrusion into the Red Alert civil defense missile warning system on October 8, and the October 12th hack of smart billboards in Tel Aviv to display pro-Hamas messages. Israeli defenses seem to have been largely successful in blunting state-directed attacks. 

Hacktivism and state-sponsored cyberattacks against Israel.

Dave Bittner: Whatever the effectiveness of Israeli cyber defenses, some state-sponsored threat actors have intervened on the side of Hamas (much of this activity is Iranian, some of it Russian). Palo Alto Networks' Unit 42 this morning reported that an Iranian threat group, "Agonizing Serpens" (which other researchers call "Agrius," "BlackShadow," "Pink Sandstorm," or "DEV-0022") is conducting a two-phase campaign against Israeli universities and research organizations. The first stage is data theft, with the data subsequently used to dox the victims. Unit 42 sees this as fundamentally an influence operation as opposed to traditional espionage. The information stolen is both personal and proprietary, and doxing is central to the operation; its goal is "to sow fear or inflict reputational damage." The second stage is a wiper attack, which the researchers characterize as a "scorched earth" approach that renders affected endpoints unusable. The attackers gain access through vulnerable web servers through which they deploy web shells. Unit 42 describes three tools used in the wiper phase as novel, not previously seen: MultiLayer (which covers the attacker's tracks), MultiList (which inventories files on the affected system), and MultiWip (the wiper proper).

Dave Bittner: Uptycs reports that one hacktivist group, GhostSec, formerly an Anonymous affiliate, may be turning its attention to Israel. "Previously dedicated to tracking and disrupting ISIS-related online propaganda, they notably collaborate more closely with law enforcement and intelligence agencies than their predecessor, Anonymous," Uptycs comments. Their recent activity against Israeli targets, however, suggests a shift in the group's interests and focus, especially since that activity is centered on its GhostLocker ransomware-as-a-service operation. The evident profit motive suggests a new complexity to GhostSec's goals and objectives.

Managing influence operations: the case of TASS.

Dave Bittner: The chief of the major Russian news service TASS was replaced on July 5th, a few days after the Wagner Group's abortive march on Moscow. The Moscow Times reports that the removal was indeed a sacking, and not a retirement or voluntary resignation. The paper quotes an unnamed Russian government official on the change in leadership at TASS: “TASS covered all this,” that is, the Wagnerite mutiny, “in too much detail and promptly. Some kind of insanity has happened to them. They have forgotten that their main task is not to report the news. It’s to create an ideologically correct narrative for the Kremlin.” The official added an assessment that TASS now understood its role, and that it would be properly aligned in the future. “The neutrality of TASS is of no use to anyone right now. It’s wartime and presidential elections are looming. The chief [and by the “chief,” the official means Mr. Putin] must win on record. Under the new director general, TASS will be more aggressive and provocative.” And presumably better disciplined.

Cybercrime on the side of Ukraine.

Dave Bittner: While cybercriminals have worked for Russia in the hybrid war, either as privateers or co-opted contractors, they've been much less in evidence on the Ukrainian side. HackRead reports, however, a departure from this pattern. Russia's second largest insurer, Rosgosstrakh, has apparently sustained a significant data breach. Someone with the nom-de-hack "Apathy" has offered the stolen data for sale on Breach Forums. The asking price is $50,000, payable in Bitcoin or Monero.

Dave Bittner: HackRead summarizes the data that appear to be on offer: "The compromised data includes full access to the investment and life insurance department records dating back to 2010. The breach, which has put approximately 3 million bank statements at risk, has also compromised data on 730,000 individuals, with approximately 80,000 individuals’ Russian Social Security Numbers (SNILS) and 45,000 individuals’ complete bank routing information now in jeopardy. The breach also includes access to all life insurance policies and contracts, as well as associated attachments such as passports and scanned documents of public officials or their immediate relatives."

Dave Bittner: The attack seems to be criminally motivated, with no obvious admixture of political or military purpose. (The compromised data do seem to include relatively full information on three Russian GRU agents, but that's hardly enough to qualify the hack as a wartime coup.) Insofar, however, as the cyberattack inconveniences and embarrasses a major Russian enterprise, objectively (as TASS used to say, and may now start saying again) it works in the interests of Ukraine.

Dave Bittner: Coming up after the break, Deepen Desai from Zscaler talks about the TOITOIN Trojan. Our guest is Joe Nocera from PwC sharing their latest Global Digital Trust Insights survey and the impact of the SEC's new cybersecurity disclosure rules. Stay with us. [ Music ] Joe Nocera is a principal in PwC's cybersecurity practice. PwC recently published their Global Digital Trust Insights survey and I reached out to Joe Nocera for insights on that as well as how the SEC's new cybersecurity disclosure rules will impact companies as they prepare for compliance.

Joe Nocera: One of the interesting things that caught our eye was only about 1/3 of the organizations that responded said that they were consistently performing the 8 leading cyber practices that we kind of laid out in the report. And that was a little bit surprising. We thought we would see a little bit more of an uptick there. I think the other thing that was a key takeaway was cloud-related threats were one of the top priorities that organizations were most concerned about. It came up time and time again. And then lastly, you know, 79% of the organizations that we surveyed had a plan that increased their cyber budget in 2024. And so those were I think some of the key takeaways.

Dave Bittner: You mentioned being a little surprised that folks weren't perhaps up to the level that you expected them to be. Were there any other surprises in the results here?

Joe Nocera: You know, I'd say an insight. I don't know if it was a surprise, given what was happening in the media, but concerns around AI and responsible use of AI and potential regulation and AI kind of jumped off the page at us a little bit. That was a top concern. And, as I said, I don't know that I was surprised given the media coverage that we were seeing around that topic in the spring when we designed the survey. Maybe the other thing is the number of large breaches, and we classified large breaches as breaches that were $1 million or more, increased significantly. It went up from I believe -- let me pull the exact data here. It went up from essentially about 26% of the respondents had experienced what we would have classified as a large breach and it went up to 36% of the respondents experienced a breach of $1 million or more. And so -- so that was, you know, quite a bit of an increase over prior years.

Dave Bittner: I know one thing you and your colleagues have an eye on is the increased scrutiny from the SEC when it comes to cybersecurity disclosure. Any insights there to share with us?

Joe Nocera: Sure. So I think there's no question that that's going to be a major enforcement priority for the SEC. And so they issued a proposed rule about 18 months ago and then they finalized that rule back in July. And it goes into effect in the late December, early January time frame depending on when your annual reports need to be filed and when you potentially would have an incident. The rule itself really clarifies some of the existing guidance that the SEC always felt like was the law of the land as it related to the need to file an 8-K disclosure if you have a material cyber incident. What the proposed rule and final rule tried to do is be more prescriptive in what needed to be included in that 8-K and more particularly it put in a notice period. Right? It said that there was a four day reporting window once you determined a material breach had occurred. And so that's really, really I think a key aspect of the rule itself is that ticking clock. And a lot of the questions that we get from clients are really around materiality. You know, how they -- they think about whether or not a breach is material. Because, you know, we've seen, you know, breaches happen every day. Sometimes it's an individual user that gets hit with ransomware. That's something that's very widespread. And how they begin to put some guardrails around the way they think about materiality. And what we've said there is really there's obviously the financial aspect that you very quickly can get your arms around your financial materiality. Most of our clients already have a financial materiality threshold that they use for financial reporting. And so you can look at your current breach costs and any other expected costs that are likely to come from the breach and you can land on a materiality financially pretty quickly. Where it gets to be more tricky in our view is on the intangible aspects of the breach. So think about the loss of intellectual property. Think about the erosion of brand in the market, customer trust. How do you begin to put some -- some guardrails or some considerations around whether or not a specific breach is going to impact your competitive positioning in the market to a degree that a reasonable investor would want to know that information. There's a lot more gray area there, and I think there's room for judgment. And many of our clients are asking for our help in defining the framework by which they make those types of considerations. And I think the other piece of this that's going to be equally important is the documentation that companies preserve after a breach that really allows them to show their math, if you will. To really allow them to just demonstrate their thinking and rationale for why they determine either something was material or to the extent they determine it was not material, that it was supported by a framework that was approved and accepted by the company. And so that's really on the 8-K side. The other aspect of the rule itself is on the 10-K disclosure side. That requires an annual disclosure of how the firm manages their cyber risk and includes a description of the management expertise that you have on board. Includes any risk assessments that you do, any programmatic things that you do to manage the risk, and then ultimately how that risk gets reported up to senior management and the board. And so I think there's going to be increased scrutiny that what gets described in that 10-K filing is, one, adequate and then, two, you know, accurately reflects the reality on the ground of the way you're managing your cybersecurity program every day.

Dave Bittner: Going back to the Global Digital Trust Insights report, what are the takeaways here? What do you hope people take away from the report?

Joe Nocera: So we talk about it from the perspective of six things that we think, you know, clients should do. First and foremost is we think every C-suite executive needs to learn to speak a new language. And what we mean by that is the C [inaudible 00:17:23] needs to be prepared to talk in business terms and we need business leaders, whether it be the general counsel, the chief compliance officer, the CFO, to learn a little bit more technical language and be comfortable talking about cyber risk. The second thing that we encourage clients to do is to really think about new ways of managing cyber risk, particularly looking at the ability to quantify their cyber risk. That's going to be very important. Third is really understanding the regulatory guardrails and participating in industry organizations that are shaping the next round of regulation because we know that this is going to be an area of topics. You've got to get used to cyber being in the boardroom as a fourth priority. It's clear with the SEC guidance and frankly just industry trends that the CISO is going to need a seat at the table at the boardroom. We need the CISO to begin to think like a business owner, to think about how the company makes money and, you know, grows their revenue and delights their customers. And making sure that you do that in a secure way that doesn't impact that customer experience or the ability to get new products to market. And lastly it's going to require creative thinking as we think about new technologies like generative AI, robotic lossless automation, augmented reality, blockchain, etcetera. Each of those is going to introduce new risk and new opportunities, and it's important for security professionals to really embrace those new technologies and to think creatively about the ways they can create value for the organization.

Dave Bittner: That's Joe Nocera from PwC. [ Music ] It is always my pleasure to welcome back to the show Deepen Desai. He is the global CISO and head of security research and operations at Zscaler. Deepen, it's great to have you back. You and your colleagues recently published some research on the TOITOIN Trojan analyzing a new multi-stage attack targeting the Latin American region. What can you share with us here today?

Deepen Desai: Thank you, Dave. So yes. TOITOIN. Interesting name. Right? The moderate campaign that the team discovered over here signifies that we're in the time where the attacks no longer start or end with an executable or a final stage payload. There's like multiple stages involved. It starts from a stage one downloader which does some basic recon. In this case we saw the stage one was a simple downloader module that attempts to evade things like sandboxing, security analysis, and then it tries to establish some level of persistence. It then progresses to a second stage payload which attempts to perform certain known vulnerability exploits. And this is where there's a loader module. There's an injector module. And then there is a privilege escalation module where the combination of these three payloads, the main goal over here is (a) to achieve escalated privilege. So if it's running as a user mode, they're trying to get to the kernel mode. That way they're able to do much more like disabling endpoint security solutions, monitoring solutions, and you know deleting backups and things like that. And then the final stage payload after the previous stage is successfully executed is the TOITOIN Trojan which is in that stealing sensitive information from the endpoints.

Dave Bittner: And they're targeting organizations in the Latin American region?

Deepen Desai: Yes. So this campaign was specifically targeting businesses in the Latin American region. And there are certain things that we observed that further signified like one of the protection modules that they were specifically looking out -- so let me actually take a step back. So once the attack is successful the TOITOIN Trojan gets installed. That Trojan will then transmit system information, things like what kind of web browsers are installed on the system. And then it will check for a very specific protection module. It's called Topaz OFD. For those of you that don't know, it's basically a security plug-in. And I was myself not aware of it until the team discovered this. This is apparently mandated in the Latin American region for online banking. This is where it's a Topaz OFD Warsaw core dot EXE file that will be running on these systems. And the attacker is basically looking for that and looking for what version of this security module is installed on the system which further signifies that this malware is in that, businesses and consumers in the Latin American region.

Dave Bittner: And ultimately is this a banking Trojan? They're going after money here?

Deepen Desai: Yeah. So the goal over here is two things. One is stealing information. We only saw early recon stage, but at the next level stage is where they will go after, you know, banking, financial information in an attempt to perform scams leveraging users' credentials.

Dave Bittner: And what are your recommendations here for folks to best protect themselves?

Deepen Desai: Yeah. I mean the way this specific malware attack starts is with a phishing email. It's an email that -- link that -- so the link actually points to an Amazon EC2 instance so I'm not going to tell the users, hey, look at the domain because the domain may appear to be legitimate. But this is where the organization needs to have that full TLS inspection inspecting all the content that's landing on the -- on your end user's laptop. And then having an inline phishing inspection. Very, very important. The final point over here that I've made before as well is you need to have security awareness training which is built in these -- in these inline security controls. So to elaborate on that, what we do, and I do this for Zscaler employees as well, if -- when someone is about to make a mistake, say they clicked on a link in this phishing email, a page pops up that says you're about to visit a destination that is not trusted. You should not be entering your credentials. Do not download files from this destination. Do not post your financial information like credit card. And the user has to click a button to then end up on the destination page. Right? So this by itself provides that security awareness training at the time the user is about to make the mistake rather than doing the training after the mistake happens. Don't get me wrong. The awareness training offline is also important. All right? But having investment in this inline control makes it very, very powerful at enabling your end users to do the right thing.

Dave Bittner: All right. Well, interesting insights, as always. Deepen Desai from Zscaler. Thank you so much for joining us. [ Music ] And that's the CyberWire. For links to all of today's stories, check out our daily briefing at Don't forget to check out the "Grumpy Old Geeks" podcast where I join Jason and Brian on their show for a lively discussion of the latest news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. We'd love to know what you think of this podcast. You can email us at Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector as well as the critical security team supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. [ Music ]