The CyberWire Daily Podcast 12.19.23
Ep 1970 | 12.19.23

A dark web takedown.


Dave Bittner: The FBI takes down ALPHV/BlackCat. Comcast reveals breach of nearly 36 million Xfinity customers. Microsoft and Cyberspace Solarium Commission release water sector security report. Malware increasingly uses public infrastructure. Iran's Seedworm and its telco targets. QR code scams. Feds release joint analysis of 2022 election integrity. Joint advisory on Play ransomware group. In today’s Mr. Security Answer Person, John Pescatore considers the risks of AI. Rick Howard talks with Lauren Brennan of GuidePoint Security about evaluating and maturing your SOC. Iranian gas stations running on empty.

Dave Bittner: It’s Tuesday, December 19th, 2023. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

FBI takes down ALPHV/BlackCat.

Dave Bittner: The U.S. Department of Justice, in collaboration with international partners from Germany, Australia, the EU, and the UK, has confirmed the takedown of a leak site operated by the ALPHV/BlackCat ransomware group. This ransomware-as-a-service gang faced a significant disruption, with the FBI playing a key role in developing a decryption tool that has aided over 500 victims. Victims are encouraged to seek further assistance from the Department of Justice.

Dave Bittner: The FBI's seizure of the site is displayed on a splash page, indicating the ongoing coordinated law enforcement action. This takedown also features the U.S. State Department's Rewards for Justice program, hinting that efforts to apprehend the group members continue.

Dave Bittner: Despite this action, experts like Michael McPherson of ReliaQuest caution that such takedowns typically result in only temporary disruptions. Ransomware groups often reemerge, sometimes rebranding and restructuring from remnants of other criminal organizations. ALPHV itself is thought to have originated from groups like DarkSide, BlackMatter, and REvil. Therefore, while the takedown is a significant hit to the ransomware ecosystem, it may not completely eradicate the threat posed by ALPHV and similar groups.

Comcast reveals breach of nearly 36 million Xfinity customers.

Dave Bittner: Comcast has revealed that a critical security flaw, dubbed "CitrixBleed," in Citrix networking devices led to the breach of nearly 36 million Xfinity customers' sensitive data. This vulnerability has been exploited by hackers since August, with Citrix releasing patches in early October. Despite this, many organizations, including Xfinity, failed to patch in time. The breach at Xfinity, Comcast's cable TV and internet division, occurred between October 16 and 19, but was only detected on October 25. By November 16, it was clear that customer data, including usernames, hashed passwords, contact information, dates of birth, partial Social Security numbers, and secret questions and answers, had been accessed. The extent of the breach, which potentially affects most of Comcast's over 32 million broadband customers, is still being evaluated. Comcast has not disclosed specific details regarding ransom demands or regulatory filings. The company insists there's no evidence of customer data leakage or attacks on customers. Xfinity is now urging customers to reset their passwords and recommends using two-factor or multi-factor authentication.

Microsoft and Cyberspace Solarium Commission release water sector security report.

Dave Bittner: Microsoft and the Cyberspace Solarium Commission (CSC) 2.0 have released a report addressing cybersecurity vulnerabilities in the water and wastewater sector. The report, based on expert roundtables, highlights significant cybersecurity gaps and resource deficiencies. Key recommendations include increased funding and support for the U.S. Environmental Protection Agency (EPA), expansion of existing federal programs, and enhanced public-private partnerships. The report emphasizes the importance of robust collaboration across sectors and levels of government. It also recommends public-private research on water system security and international norms to deter state-sponsored cyberattacks. The report notes the critical role of water systems in various sectors and underlines the need for a comprehensive, collaborative approach to cybersecurity. Additionally, Microsoft, CRI, and FDD have initiated a cybersecurity pilot program for small- and medium-sized water utilities to bolster defenses in this vital infrastructure sector.

Malware increasingly uses public infrastructure.

Dave Bittner: Researchers at ReversingLabs have discovered two novel malware campaigns exploiting GitHub in previously unseen ways. The first campaign used GitHub Gists to host second-stage malware payloads, disguised as network proxying libraries in PyPI packages. These packages contained Base64 encoded strings that pointed to secret Gists. The second campaign, likely from the same perpetrator, utilized git commit messages to relay malware commands. These methods of using GitHub for command and control infrastructure, particularly through Gists and commit messages, are new and undocumented in prior reports. The similar execution techniques and the abuse of uncommon GitHub features in both campaigns suggest the same malware author is responsible for these innovative attacks.

Iran's Seedworm and its telco targets.

Dave Bittner: Researchers at Symantec (Broadcom) warn that the Iranian cyberespionage group Seedworm, also known as "MuddyWater," is actively targeting telecommunications organizations in Egypt, Sudan, and Tanzania. Seedworm, known for its interest in telecom sectors, is notably focusing on African organizations in this campaign. While Seedworm has previously targeted African entities, its primary focus has generally been on the Middle East. The group's attention to an organization in Egypt is particularly significant due to Egypt's proximity to Israel, a frequent target of Seedworm's activities.

QR code scams.

Dave Bittner: Netcraft reports a recent phishing attack where attackers used a fake multifactor authentication (MFA) notification, seemingly from Microsoft, to deceive recipients. The notification included a QR code, which, when scanned, redirected users to a credential-harvesting site. The attackers cleverly exploited the common association of QR codes with setting up two-factor authentication (2FA). Victims were tricked into entering their Microsoft credentials on the phishing site, thereby compromising their login information.

Feds release joint analysis of 2022 election integrity.

Dave Bittner: A joint analysis by the DOJ, FBI, DHS, and CISA found no evidence that foreign government-affiliated actors compromised the 2022 U.S. federal election's integrity or security. The declassified report acknowledges that actors linked to Russia and China engaged in cyber activities targeting the election. Russian-affiliated hacktivists conducted a DDoS attack on a state election office's website, while Chinese-linked actors scanned state government websites and gathered publicly available voter information. However, these activities did not impact voting processes, change votes, disrupt vote tallying or transmission, alter voting technology, or compromise voter registration or ballots. The U.S. intelligence community had previously assessed the difficulty for foreign actors to manipulate elections at scale undetected. A separate ODNI report indicates that China, Russia, Iran, and others tried to influence voting and undermine confidence in U.S. institutions and elections, focusing on voter persuasion and opinion, rather than election integrity.

Joint advisory on Play ransomware group.

Dave Bittner: In a joint advisory, the US FBI, CISA, and Australia's ASD report that the Play ransomware group has launched around 300 attacks globally since June 2022, focusing on businesses and critical infrastructure. This group, known for its double-extortion method, exfiltrates and encrypts data, demanding ransoms in cryptocurrency. Play's techniques include exploiting public-facing applications, abusing valid accounts, and using services like RDP and VPN. To combat these threats, the advisory recommends implementing effective data recovery plans, enforcing strong password protocols, using multi-factor authentication, regularly updating systems, segmenting networks, and continuously monitoring and filtering network traffic. Additionally, it suggests validating security measures against frameworks like MITRE ATT&CK for Enterprise.

Dave Bittner: Coming up after the break, Mr. Security Answer Person, John Pescatore considers the risk of AI. Rick Howard talks with Lauren Brennan of GuidePoint Security about evaluating and maturing your SOC. Stay with us. [ Music ]

John Pescatore: Hi, I'm John Pescatore, Mr. Security Answer Person. Our listener question for today's episode: Earlier this year, you put generative AI used by bad guys at the peak of overinflated expectations on a hype cycle, and its use by good guys just starting off at the trigger point. Things seem to be moving quickly with AI. What is your feeling about that positioning for early 2024? Hmm, analysts always hate when people check up on their predictions. First, a short definition for those not familiar with Gartner hype cycles, which Gartner started in 1995, and which were one of the more fun Gartner research notes I did over my 14 years there. A Gartner hype cycle tracks and predicts technology issues from inception, or trigger point, to the peak of overinflated expectations, down into the trough of disillusionment, then up the slope of enlightenment for some, not all, to reach the plateau of productivity. I think what I predicted has been pretty accurate. Where I screwed up was in what I left out. What I said about AI was, from a cybersecurity perspective, there are two major things to think about in relation to artificial intelligence. One, how will it be used against us? But also, two, how can we use it against the bad guys? What I should have listed as the number one risk to think about was how we will misuse and misadminister business use of generative AI to cause self-inflicted wounds. [Music] Many businesses and some government agencies move rapidly to use new technologies. And out of the box, every new technology is riddled with vulnerabilities and insecure default choices. In September, Microsoft, the 13th largest company on Earth, which is betting its future on AI, gave us an example of that. Microsoft accidentally exposed 38 terabytes of private data on the company's AI GitHub repository.
The sensitive data was made public when Microsoft published a bucket of open source training data that also included a disk backup of two former employees' workstations, containing secrets, keys, passwords, and over 30,000 internal Teams messages. Exposure was enabled by an overly permissive shared access signature, or SAS, token on Azure that made sharing easier but unfortunately ignored need-to-know common sense security rules. Oops. Before I go on, take a second to splash some cold water on your face. I'm going to use a sleep-inducing term: governance. Data is the main ingredient for AI to provide value. Business mission use of AI requires governance processes to be in place to make sure that AI data does not expose business and customer information, as well as to provide transparency to enable trust in the output of the AI models. Still with me? I may use a few other snoozer terms like risk and compliance, so keep that cold water handy. [Music] In 2008, the global financial crisis was caused by widespread use of financial models that claimed to enable creation of low-risk financial instruments known as derivatives. Unfortunately, no one really understood what the models were creating. And it turned out that often low risk meant really high risk, just not the highest possible risk. Back then in the US, the Securities and Exchange Commission issued requirements that all such models be audited, and in 2023, the SEC did the same for any business use of AI models that might have meaningful impact on the business's bottom line, including the use of artificial intelligence or machine learning models and the security controls in use to reduce risks. Essentially, governance and transparency are now required by law, thus the compliance term coming into play. A good place to get started on thinking through AI governance is the NIST Trustworthy and Responsible AI Resource Center and the NIST risk management framework.
If your organization is a Gartner client, they have also put out some very useful tools. I'm sticking with my original prediction that in February 2024, we will probably not be using generative AI to send our significant others Valentine's Day messages. But I will add a prediction: through year-end 2024, more business damage from AI will be caused by self-inflicted wounds than by attacker use of AI. [ Music ] On that note, happy holidays, and thanks for listening. I'm John Pescatore, Mr. Security Answer Person. [ Music ]

Dave Bittner: That is John Pescatore, Mr. Security Answer Person. [ Music ]

Rick Howard: Back in October, the MITRE Corporation hosted the ATT&CKcon 4.0 conference at their company headquarters in McLean, Virginia. I got to sit down with Lauren Brennan, the team lead for SOC optimization at GuidePoint Security, after she gave her keynote at the conference. And one of the reasons that I wanted to talk to her was the fact that here she is, a young, relatively junior member of the InfoSec community, just three years now, and she's standing up in front of this MITRE ATT&CK crowd. You know the types, and I include myself among them: grumpy, seasoned professionals who have seen it all, done it all, and a bag of chips. It takes a lot to impress this group, and Lauren knocked it out of the park. Now, a lot of newbies ask me how to break into cybersecurity. And I always tell them to start networking right now. And one of the ways to do that is to present at conferences. Pick a topic and make your case, and Lauren delivered that in spades. I started out by asking her about the speaking experience. Well, I'd be remiss if I didn't point this out, [inaudible 00:16:35] here at the MITRE ATT&CKcon 4.0 conference, right? And you gave your very first security presentation. Is that right?

Lauren Brennan: Yeah.

Rick Howard: How was that?

Lauren Brennan: Oh, it was fantastic. I was a little bit nervous.

Rick Howard: Yeah.

Lauren Brennan: And still a little bit nervous. Those nerves are still coming down. But I mean, everybody here was so welcoming. I mean, it was so -- nobody here was giving me any sort of "you're doing bad" kind of look, everybody was just so encouraging. And that was --

Rick Howard: Well, I sat through the presentation, and I told you before, but I wanted to tell everybody here, right. I couldn't believe that was your first presentation in front of a big crowd like that.

Lauren Brennan: Thank you.

Rick Howard: There was a lot of poise. A lot of great information. You did fantastic, so --

Lauren Brennan: I really appreciate that.

Rick Howard: Good job. But we want to talk about applying MITRE ATT&CK to SOC operations, right? And kind of the current state, because you've been doing this for a while now. And MITRE ATT&CK has been going on for over 10 years. But I have this feeling that the community has kind of gotten stuck in things we did two or three years ago. We really haven't progressed that far. I just want -- I shouldn't have front-loaded that question that way. Right? But my question is, do you feel like SOCs really utilize the MITRE ATT&CK framework to their best ability?

Lauren Brennan: No. [Laughter].

Rick Howard: I don't think so either. [Laughter]

Lauren Brennan: And I think they did -- don't use it, because I don't think that they see all the areas that the MITRE ATT&CK framework can be applied to. So I talked about this in my talk: you know, I consider, you know, there's four pillars that I consider of a SOC. You know, you have your operations, your procedures, your tooling, and your collaborations. Almost everybody applies the MITRE ATT&CK framework to your tooling, to your detections, to your tooling. However, it can be really, really helpful to apply it to these other pillars. You know, if you apply it to your operations, it can help you identify the broad-level threats, the behaviors that you're looking for. It can help you when you're determining your mission for your SOC. If you apply it to your procedures, it can help you connect the dots between your procedures and your technology. So having --

Rick Howard: It's a way to tell the story.

Lauren Brennan: It's a way to tell the story. And then finally, it can provide the language that you need to talk with the other business units, the other leaders, people who might not understand all of what you're doing day to day in your SOC. You know, it can give you that structured language to talk with them about it, you know, in your collaborative activities across. So while I see a lot of SOCs applying it to their tooling, not a lot of them apply it to other aspects. And so that's really where I want to see the MITRE ATT&CK framework being utilized more: in the non-technology-specific space.

Rick Howard: You could let it out of the cage, right?

Lauren Brennan: Yeah.

Rick Howard: You can talk to business leaders about the MITRE ATT&CK framework, and it's okay.

Lauren Brennan: Yes, yes.

Rick Howard: It's not something we should protect and be precious about, right?

Lauren Brennan: Yes. I mean, and it is [inaudible 00:19:15] it is a very, very technical framework, but there's a lot of detail in it. It's very technical; there's tons of techniques. You can go into a lot of depth with it. But it's also very easy to lift that detail off and to be visual with it, to showcase it. So being able to visually just show your leadership, this is where we are now, this is where we have some gaps, and this is how we want to get to that, you know, new end state, is very important. And the MITRE ATT&CK framework can help you do that in a very structured way, because it is really easy to understand from a definition perspective what each thing is doing, what each technique and tactic is, and what the goals are. And the procedures are to then take that and translate that more visually, lift up the technical aspect, lift up the in-the-weeds details of it, to talk to your leadership, to talk to somebody. I mean, I was able to explain my talk and give my talk to my mom two days ago, you know, when I was practicing for this. And she didn't really understand the MITRE ATT&CK framework, and then I was able to kind of explain to her what it was, and she was like, okay, that makes sense. You know, so she got the visual aspect of it, she got it. Even if she didn't understand the details, she still got what I was trying to do and the end state that I was trying to talk about.

Rick Howard: Listeners of this show know that I'm a giant fan of the MITRE ATT&CK framework, but I do have some nitpicks about it, right?

Lauren Brennan: Yeah. Yeah.

Rick Howard: And I would like it to get better. Okay. And the reason I think it's a fantastic idea is it changed our mindset about how to protect the enterprise, right? As opposed to just being passive and doing defensive operations that would affect any kind of adversary. The MITRE ATT&CK framework allows us to speak the same language, like you said in your talk, about how very specific adversaries attack their victims. And if you know that they do 10 things on their campaign, wouldn't it make sense that we should block all 10 things and try to defeat the adversary, and not just defeat the tools that any kind of adversary. I guess the question is, why is it hard?

Lauren Brennan: So I think there are a couple areas here. So one, there is just so much to the framework, you have to sift through, you have to understand, you have to know your own systems really well in order to be able to identify kind of some of the techniques. I mean --

Rick Howard: Better than the bad guys.

Lauren Brennan: Better than the bad guy. [Laughter] And so I didn't really touch on it in my talk. I mean, I could have done a whole talk about, you know, one of the foundational activities is, what's your -- what do you have in your system? What are your assets? Have you done an asset inventory? So like, that's a big part of it, is knowing your system better than the adversary. And that takes time, and that takes effort. How to actually disseminate --

Rick Howard: Yeah.

Lauren Brennan: -- the information from threat reports that makes it actionable for your SOC to be able to build new detections from is hard. You know, well, how do I look at that information and be able to apply it to my SOC? You know, if it's hard, you know, to determine what the audience is, it's hard to pull out that information.

Rick Howard: Well, perfect. Thank you for doing this.

Lauren Brennan: Yeah. Thank you.

Rick Howard: Congratulations on your first presentation at a security conference. [Music] It's [inaudible 00:22:12].

Lauren Brennan: Thank you. This is also my very first podcast.

Rick Howard: Well, there you go.

Lauren Brennan: So it's a lot of firsts for me today. Hopefully I did well.

Rick Howard: Well, you can go home and take the rest of the year off, I'm thinking, okay, because you've pretty much done it all right here today. All right.

Lauren Brennan: I think so. Yeah. Thank you so much.

Rick Howard: That was Lauren Brennan, the team lead for SOC optimization at GuidePoint Security. [ Music ]

Dave Bittner: And finally, on Monday, a cyber attack initially reported as a software problem disabled about 70 percent of Iran's gasoline stations. Iran's oil minister, Javad Owji, confirmed the incident as a cyber attack, while Iranian media pointed fingers at Predatory Sparrow, a group allegedly linked to Israel. Predatory Sparrow has a notable history of regional cyber operations. The group claimed responsibility for the attack on their Telegram channel, stating it was in response to the aggression of the Islamic Republic and its proxies. They had previously warned of consequences for Iran's actions. The attack targeted gas station point-of-sale systems, payment systems, and central servers. Iranian gas distributors are now resorting to manual backups to mitigate the disruption. It looks like Predatory Sparrow decided to give Iran a lesson in fueling tensions. [ Music ] And that's the CyberWire. For links to all of today's stories, check out our daily briefing at the We'd love to know what you think of this podcast. You can email us at We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at This episode was produced by Liz Erban, our mixer is Trey Hester, with original music by Elliot Peltzman. Our executive producers are Jennifer Eiben and Brandon Karp. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. [ Music ]