Major crackdown on international cybersecurity.

Dave Bittner: A major ransomware gang is taken down in an international sweep. CISA and the WaterISAC respond to the Aliquippa cyberattack. Attacks against infrastructure operators hit business systems. Qlik Sense installations are hit with Cactus ransomware. Researchers discover a Google Workspace vulnerability. A hacktivist auxiliary compromises a Russian media site. In an exclusive interview, Eric Goldstein, Executive Assistant Director at CISA, describes their new Secure by Design Alerts program launching today. Tim Starks from the Washington Post shares some insights on the latest legislation dealing with section 702 surveillance. And security teams need not polish up that resumé after a breach.

Dave Bittner: Today is November 29, 2023. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Major ransomware gang taken down in international sweep.

Dave Bittner: In a major international cybersecurity crackdown, law enforcement from seven countries, with the support of Eurojust and Europol, targeted a sophisticated criminal network responsible for ransomware attacks on over 1,800 victims across 71 countries, as reported by BleepingComputer. The operation culminated in the arrest of the network's ringleader, the detention of four suspects in Ukraine, searches at 30 locations, and the seizure of over a hundred digital equipment tools.

Dave Bittner: The criminals, playing varied roles within the network, executed their attacks through multiple methods. These included brute force attacks, SQL injection techniques, use of stolen credentials, and phishing emails with malicious attachments to infiltrate IT networks. Once inside, they employed malware such as Trickbot and post-exploitation frameworks like Cobalt Strike or PowerShell Empire to stay undetected and further penetrate the systems. Often undetected for months, the attackers eventually deployed various types of ransomware, including LockerGoga, MegaCortex, HIVE, or Dharma, and then demanded ransoms in bitcoin for decryption keys.

Dave Bittner: This collaborative operation, involving law enforcement agencies from France, Germany, the Netherlands, Norway, Switzerland, Ukraine, and the United States, signifies a significant stride in the global fight against cybercrime. The effectiveness of such international cooperation highlights the growing emphasis on tackling cyber threats that cross national boundaries.

CISA and the WaterISAC respond to the Aliquippa cyberattack. 

Dave Bittner: The US Cybersecurity and Infrastructure Security Agency (CISA) has identified Unitronics programmable logic controllers (PLCs) as the compromised systems in the recent attack on the Municipal Water Authority of Aliquippa. CISA has issued urgent recommendations for water utilities using these PLCs. These include changing default passwords, implementing multifactor authentication for all remote access, disconnecting PLCs from the open internet and using a Firewall/VPN for necessary remote access, regularly backing up logic and configurations, changing the default TCP port to avoid targeted cyber attacks, and updating PLC/HMI to the latest versions. The Water Information Sharing and Analysis Center (WaterISAC) also highlighted the need for better operational security, especially when releasing information to the media, as evidenced by an image released by the water authority that inadvertently revealed sensitive system details. This incident emphasizes the critical need for enhanced cybersecurity measures in essential public utilities.

Attacks against infrastructure operators hit business systems.

Dave Bittner: Ransomware attacks continue to target infrastructure operators, with recent incidents focusing on utility business systems rather than control systems. The North Texas Municipal Water District (NTMWD) experienced a cyberattack impacting its business network, as reported by the Record. Alex Johnson, NTMWD's director of communications, confirmed that while most of their business network has been restored, their core water, wastewater, and solid waste services remain unaffected. However, their phone system was compromised, and an investigation with third-party forensic specialists is underway to determine the extent of any unauthorized activity and potential data impact.

Dave Bittner: Additionally, Security Affairs notes that the Daixin Team cybercriminal group has claimed responsibility for the NTMWD attack, alleging the theft of sensitive information including board meeting minutes and personnel details.

Dave Bittner: In a separate incident, Slovenia's state-owned power generation company, Holding Slovenske Elektrarne (HSE), was hit by a ransomware attack affecting its communication and information infrastructure, according to Help Net Security. HSE General Director Dr. Tomaž Štokelj assured that control over power plants was maintained, safety was ensured, and electricity trading continued, albeit with some limitations on transactions as a precaution.

Qlik Sense installations hit with Cactus ransomware.

Dave Bittner: Arctic Wolf has identified a ransomware campaign by Cactus that is exploiting vulnerabilities in publicly exposed installations of the Qlik Sense cloud analytics and business intelligence platform. Qlik had previously issued patches for these vulnerabilities earlier in the year. According to Arctic Wolf's researchers, this campaign represents the first known instance where threat actors deploying Cactus ransomware have utilized Qlik Sense vulnerabilities for initial access into systems. This development highlights the importance of promptly applying security patches to protect against such exploits.

Report: Google Workspace vulnerability discovered.

Dave Bittner: Researchers at Hunters Security have uncovered a design flaw in the Domain-Wide delegation feature of Google Workspace. This flaw, termed "DeleFriend," could potentially be exploited for privilege escalation and unauthorized access to Workspace APIs without requiring Super Admin privileges. The vulnerability opens the door for a range of unauthorized activities, such as the theft of emails from Gmail, data exfiltration from Google Drive, and other illicit actions within Google Workspace APIs across all identities in the targeted domain.

Dave Bittner: Upon discovering this flaw, Hunters reported it to Google. They are now collaborating with Google's security and product teams to develop effective mitigations. However, a Google spokesperson has stated to Dark Reading that the issue reported by Hunters does not constitute an inherent security flaw in Google's products. Google emphasizes the importance of adhering to best practices, such as ensuring all accounts have the minimum necessary privileges, as a fundamental strategy to counter such threats.

Hacktivist auxiliary compromises Russian media site.

Dave Bittner: InformNapalm reports that hacktivists of Ukraine's Cyber Resistance have succeeded in penetrating networks belonging to the Department of Information and Mass Communications (DIMC) at the Russian Defense Ministry. They've made off with internal files that show how the Department monitors international media coverage of Russia's war, summarizes it for internal Ministry consumption, and then selectively repurposes its take to support disinformation campaigns. The general tenor of the Department's information operations is to represent the war as going well, according to plan, and to depict Russian forces as capable and effective.

Dave Bittner: Coming up after the break, my conversation with Eric Goldstein, Executive Assistant Director at CISA, describing their new Secure by Design Alerts program launching today. Tim Starks from The Washington Post shares insights on the latest legislation dealing with Section 702 surveillance. Stay with us. [ Music ] It is always my pleasure to welcome back to the show Eric Goldstein. He is Executive Assistant Director for Cybersecurity at CISA. Eric, welcome back.

Eric Goldstein: Thanks, Dave. It's always good to be here.

Dave Bittner: So, exciting announcement today from you and your colleagues at CISA. You are launching a new program. This is called the "Secure by Design Alerts program." Bring us up to date here. What does this entail, and why is CISA launching this program?

Eric Goldstein: Thanks, Dave. You know, as you and many of your listeners will recall, you know, we at CISA as well as partners across the community have been focused on this concept of secure by design, really for well over a year, and the idea here is that we can most effectively reduce the prevalence of damaging intrusions not only by steps taken by individual enterprises but by designing technology in a way that is more secure by design and default, and, of course, we released a major piece of guidance earlier in the fall that was joint-sealed by 14 other countries, but we also realize that sometimes, for some in the community, this concept of secure by design can seem a bit abstract, can seem a bit separated from the lived realities of organizations that are experiencing breaches like damaging ransomware attacks far too frequently. And so our new Secure by Design Alert product series is really focusing on how secure-by-design decisions actually lead to specific harms for organizations, school districts, small business, water utilities across the country. And so our first Secured by Design Alert is focused on exposed web interfaces, which we know are often targeted by adversaries. There have been recent examples where major adversary campaigns have targeted exposed web interfaces on edge devices, but we also know that it is a design decision about whether a web interface is exposed as a default and that's a design decision where vendors can wipe out thousands of intrusions just by making a simple configuration change for how the product is deployed, and we're going to keep doing these Secure by Design Alerts to really call attention to how design decisions relate to real-world impacts and harms for organizations around the world.

Dave Bittner: And how do you imagine folks out there who are responsible for security in their organizations implementing this?

Eric Goldstein: You know, our goal is really to help organizations ask better questions of their vendors, and so just using the example of our first Secure by Design Alert, you know, a lot of our guidance specific to this risk of exposed web interfaces have been to tell enterprises, for goodness sakes, remove your web interface from the open Internet, or if you have to expose it, make sure that it's well controlled, and that has caused just a surge of activity and churn for organizations large and small around the world. We want organizations to do that work but also to start asking, hey, why is this configuration setting insecure to begin with? And start asking their vendors to make better, safer decisions in how their products are designed and the default configurations they come with, and for vendors to take more accountability for the security outcomes of their customers to make design decisions that lead to more secure outcomes.

Dave Bittner: What do you say to folks out there who are going to say, "Oh, I see," you know, "CISA is naming and shaming now."

Eric Goldstein: Yeah, you know, our goal here isn't to name and shame, in part because the problem is so pervasive. There is no vendor out there that is doing a perfect job of secure by design. Every vendor, and most acknowledge this, have room to grow and room to mature, and so our hope here is to help the community as a whole focus on an equilibrium or responsibility between enterprises and vendors, such that every vendor can take steps to advance security across their customers.

Dave Bittner: What do you imagine the cadence being of these sorts of alerts?

Eric Goldstein: You know, I wish I could say that the cadence will be infrequent, but we know that most of the intrusion campaigns and vulnerabilities that we see do have some secure-by-design issue at their root, and so, you know, these certainly won't be a weekly cadence, but we do expect to issue these periodically throughout the year as we see major vulnerabilities or intrusion campaigns that could have been to some degree addressed through different decisions made by different vendors.

Dave Bittner: What's the best way for folks to keep up on these alerts to keep current?

Eric Goldstein: As always, our website is cisa.gov. There is an easy way to sign up for email alerts on our webpage, and, of course, we also blast them out to the all-relevant social media platforms.

Dave Bittner: All right, well, Eric Goldstein is Executive Assistant Director for Cybersecurity at CISA. Mr. Goldstein, thank you so much for joining us.

Eric Goldstein: Thanks to you, Dave, and happy holidays. [ Music ]

Dave Bittner: And it is always my pleasure to welcome back to the show Tim Starks. He is the author of The Cybersecurity 202 at The Washington Post. Tim, welcome back.

Tim Starks: Thank you, and by the way, it is my pleasure, Dave.

Dave Bittner: Well, it's likewise. I think we have a mutual admiration society for each other.

Tim Starks: Me, too.

Dave Bittner: I've been reading your coverage in The Post about some movements here with Section 702 and Senator Mark Warner, who I think it's fair to call a usual suspect when it comes to this sort of thing. Bring us up to date here. What's the latest?

Tim Starks: Yeah, even if he wasn't a usual suspect, and I think that's accurate, his committee is the Intelligence Committee and they're one of the two committees, well, four, if you count the House side, one of two committees, Intelligence and Judiciary, that do deal with the Section 702 spying power, as we know, expiring at the end of this year. The administration's been making a big press on Congress to do something about this, especially because they say they've been using this -- these surveillance powers to go after cyberattacks and cyberattackers. So Senator Warner, you know, we've been waiting all year for someone to introduce legislation on this Section 702 thing, knowing that it expires at the end of the year, and as of, yeah, as of Tuesday, that happened with Senator Warner. We have seen a couple of other proposals floating around out there, but Senator Warner is, I would say, the potentially the most important so far, partially because of the jurisdiction that his committee has, partially because it has a co-sponsor on the Republican side who is his top committee member on the Republican side. That's Marco Rubio. It also has the top Republican member on the Judiciary Committee. That's Lindsey Graham. So you're talking about some important players here. You're talking about some coordination that's happened with the administration and with the House Intelligence Committee leadership. So it looks like perhaps the biggest so far. There have been another one from some very, very, very skeptical members about how Section 702 has been used on the privacy side. Senator Wyden and some other senators like that, as well as House members like that, including some very far-right members as well, in addition to the very liberal types that have been much more focused on reauthorizing it with warrant requirements for when they seek information on U.S. communications. This one doesn't quite go that far, and naturally, the civil liberty groups are not happy about it, but this does seem like an important marker of where some of the sights are coming down, and that way, at minimum, it's a very important proposal.

Dave Bittner: Yeah, Senator Warner strikes me as being practical and I think that's what's happening here. I mean, your reporting, I believe you refer to this as "trying to thread that needle."

Tim Starks: Yeah, yeah, and it's a very difficult needle to thread. You know, this issue of the warrant requirement is the biggest deal with the side that is very, very, very upset about the way Section 702 has been used. You know, the administration keeps saying, "We've made improvements. These abuses you've seen, we're going to get rid of them. We've taken these steps to make sure it doesn't happen. We're taking these steps to make sure it doesn't happen." But the civil liberties types do not trust that. They say, "We've heard that from you before. We've heard that from you many past years, and we keep hearing about more abuses, so if you're going to go in and get communications where you're querying American names or identifiers to get those communications, we need you to have a warrant for that." The Warner proposal does not do that entirely. It doesn't -- so you can't go in there and query for evidence of crime. That has been something of a concern because this was supposed to be a -- an anti-terrorism law. So we're like, wait, how much are we using this for? What are we using this for that? The issue, though, is that, that there aren't very many of those that have happened that we know about, according to the FBI, anyway, that is a very, very tiny, minute number, and that's where the civil liberty groups say, "Mm, yeah, okay, thanks for taking care of that one little thing, but that's not what we're really concerned about."

Dave Bittner: So we're on a bit of a time crunch here with this expiring at the end of the year. What are the odds that this will go through?

Tim Starks: You know, I've been skeptical for a long time, you know, once it started getting into the summertime and we weren't having any proposals put forward, I'm like, that's kind of a bad sign. You know, it takes Congress a while to have hearings, may have had hearings, but to have hearings on the legislation, to have markups, and we're just now in the last few weeks, really, starting to get a sense of where people are going to come down on this. I am of the mind that the -- probably the likeliest thing that happens would be an attempt to put a short-term extension through. I don't know if that's even likely. And then there are questions about whether it's even necessary. At least on the civil liberties side, they say, "Look, there was an -- there was an authorization they got for this kind of warrantless surveillance back in April of last year. That'll hold through a year." So they might have a few more months, depending on who you ask. I don't see anyone suddenly fixing everything on this in time, because one of the things we've left out here is that while the Senate Judiciary Committee seems to be pretty much simpatico with what's going on with this bill, I say that a little speculative just based on what I've heard about Senator Durbin, who's the chairman of that committee, we obviously know where Senator Graham's coming down, but I think he's going to be amenable to this based on what I know. Congressman Jim Jordan, who's the chairman of the Judiciary -- Judiciary chairman on the House side, has very much been more talking about, well, maybe the FBI shouldn't even be involved in 702, and he suggested that he likes that Wyden bill I mentioned that has a warrant requirement for all of that communications for the American side. So his role in this, what the house might be able to do in terms of exploring ways of attaching this to other legislation, that seems a little a little difficult. I just don't see a resolution to this by the end of the year that will be neat. I could see a potential short-term resolution, or I could see it dragging into next year.

Dave Bittner: So might we see throughout the beginning of next year what things look like with Section 702 having been sunset?

Tim Starks: It really kind of depends. I mean, you know, one of the things I've talked to about people who have been involved in this, you know, actual program is that they need what they call "certainty" if they're going to start planning ahead. So if we assume that what the group's say, that the short-term extension is not needed, that the authorization that the court put in place last year will last for a few months, then maybe we won't see an immediate effect. We might start seeing some panic from the NSA and the agencies that work on this about what they're going to do once they start trying to prepare for the next batch of surveillance. That might be where we see some complications, but it might not actually lead to the surveillance completely going away until a few months later.

Dave Bittner: All right. Well, as we like to say, time will tell.

Tim Starks: Yeah.

Dave Bittner: Tim Starks is the author of The Cybersecurity 202 at The Washington Post. Tim, thanks so much for joining us.

Tim Starks: Hey, thank you, Dave. [ Music ]

Dave Bittner: And finally, according to a report from Trellix, cybersecurity teams are now more likely to receive support from their boards than face job termination following a cyberattack. This counters the longstanding fear among cybersecurity professionals of being scapegoated and fired post-incident. Key findings from Trellix's "The Mind of the CISO" report, which surveyed 500 chief information security officers, reveal that only 13% of companies reduced staff or fired personnel within the first year after a major cybersecurity incident. However, job cuts do occur over time, with 23% and 31% reporting staff reductions one to three years and over three years post-incident, respectively. In fact, companies are more inclined to bolster their cybersecurity efforts immediately after an attack. Forty-six percent of CISOs reported increased budgets for new tools and technology, 38% noted the creation of new jobs, and 44% added contracted services to enhance cybersecurity measures. Still, the report highlights that job losses still transpire as companies gain a clearer understanding of the breach's circumstances. This ongoing risk, compounded by impending Securities and Exchange Commission regulations, places CISOs under heightened liability concerns. The evolving landscape illustrates a shift towards proactive support in the immediate aftermath of cyber incidents, yet underscores the lingering challenges faced by cybersecurity leaders in the longer term. [ Music ] And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. Our executive producer is Brandon Karpf. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. [ Music ]