The CyberWire Daily Podcast 12.20.23
Ep 1971 | 12.20.23

Leading the charge in cybercrime takedowns.

Transcript

Dave Bittner: Interpol leads cybercrime takedowns. ALPHV/Blackcat is in a “tug of Tor” with the FBI. The Senate confirms a new leader for Cyber Command and NSA. Rite Aid is banned from using facial recognition. CISA prepares a new approach to information sharing. Remote encryption of ransomware. CitrixBleed is exploited to access customer data. An update on the Kyivstar cyberattack. The Tallinn Mechanism solidifies Western support for Ukraine's cybersecurity. In today’s Learning Layer segment, host Sam Meisenberg talks with Shelby Ludtke about passing the new ISC2 Certified in Cybersecurity (CC) exam. And GCHQ introduces youngsters to code breaking.

Dave Bittner: Today is December 20th, 2023. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Interpol leads cybercrime takedowns.

Dave Bittner: We begin today with news from Interpol that 'Operation HAECHI IV', an international law enforcement effort, led to the arrest of 3,500 suspects in various cybercrimes and the seizure of $300 million in illicit proceeds. The operation, spearheaded by South Korean authorities and involving agencies from 34 countries, took place from July to December 2023. It targeted voice phishing, romance scams, sextortion, investment fraud, money laundering from online gambling, business email compromise, and e-commerce fraud.

Dave Bittner: Interpol's I-GRIP initiative helped flag and freeze 82,112 bank accounts linked to these crimes. Of the total seized, $199 million was in hard currency, and $101 million was in digital assets like NFTs associated with cybercrime.

Dave Bittner: The operation highlighted new trends in digital investment frauds and "rug pull" scams involving NFT platforms. Additionally, AI and deep fake technologies are emerging as tools for creating realistic synthetic content to deceive victims. The UK authorities disrupted several AI-based impersonation, blackmail, and investment fraud cases.

Dave Bittner: While AI gives an advantage to cybercriminals, Interpol is adapting its strategies to combat these evolving threats. Compared to the previous 'HAECHI III' operation, 'HAECHI IV' saw a 260% increase in arrests, marking a significant advancement in international efforts against transnational cybercrime.

ALPHV/Blackcat “tug of Tor”.

Dave Bittner: After the AlphV/Blackcat ransomware gang's website was seized by the FBI, a message purportedly from the criminals claimed they had regained control, announcing a lift on their self-imposed ban on targeting certain institutions. However, some visitors, including Recorded Future’s The Record, still saw the FBI's splash page, leading to confusion about who actually controlled the site.

Dave Bittner: Experts explained that the site, an onion service on the Tor network, operates differently from standard websites. Its address is a public key, and control is determined by who owns the corresponding private key. The FBI had seized numerous public/private key pairs from AlphV/Blackcat, leading to a potential tug-of-war for control. Both the FBI and the ransomware group could be aggressively submitting entries to direct traffic to their version of the site.

Dave Bittner: Professor Steven Murdoch from University College London mentioned the possibility of law enforcement conducting a denial of service or a man-in-the-middle attack using the private key. He advised against visiting the compromised site, as it poses security risks. This "tug of Tor", as Recorded Future calls it, reflects the ongoing battle between law enforcement and cybercriminals over domain control.

Senate confirms new leader for Cyber Command and NSA.

Dave Bittner: The U.S. Senate confirmed Air Force Lt. Gen. Timothy Haugh as the new leader of U.S. Cyber Command and the National Security Agency, concluding a yearlong hold on military nominations by Sen. Tommy Tuberville over the Defense Department's abortion policy. Haugh, who previously held the second-in-command position at Cyber Command and led the Air Force's digital and information warfare branch, replaces Army Gen. Paul Nakasone. His appointment followed scrutiny from Sen. Ron Wyden regarding the NSA's data purchasing practices. The Senate also confirmed Army Maj. Gen. William Hartman as Haugh’s deputy. These confirmations enable further leadership changes within Cyber Command and the NSA, particularly in their cybersecurity directorate.

Dave Bittner: In other agency news, the NSA's 2023 Cybersecurity Year in Review details its key achievements in enhancing national security through cybersecurity initiatives. Notable accomplishments include the inauguration of the AI Security Center within the Cybersecurity Collaboration Center, aimed at advancing secure AI integration within National Security Systems and the Defense Industrial Base. The NSA also enhanced its global cybersecurity impact by countering threats like Russian cyberespionage and malicious cyber activities from China, in collaboration with U.S. and international partners. Additionally, there was a 400% increase in enrollments for NSA’s no-cost cybersecurity services by Department of Defense contractors, significantly strengthening the Defense Industrial Base's infrastructure.

Rite Aid banned from using facial recognition.

Dave Bittner: US drugstore chain Rite Aid has settled Federal Trade Commission (FTC) charges by agreeing to a five-year ban on using facial recognition technology for surveillance, due to its misuse leading to consumer harm. The FTC's order requires Rite Aid to implement comprehensive safeguards against such harms and discontinue the technology if risks to consumers are unmanageable. The settlement follows Rite Aid's deployment of facial recognition from 2012 to 2020, which resulted in consumers being wrongly accused due to false-positive identifications. The misuse disproportionately impacted people of color and violated a 2010 data security order. Rite Aid is also required to delete collected images and related data, notify consumers about biometric enrollments and actions against them, and establish a robust data security program. The order awaits approval from bankruptcy and federal district courts and modification by the FTC.

CISA prepares a new approach to information sharing.

Dave Bittner: The US Cybersecurity and Infrastructure Security Agency (CISA) has announced plans to revamp its Automated Indicator Sharing (AIS) program, focusing on three main areas:

Dave Bittner: Simplification: CISA will launch the Threat Intelligence Enterprise Services (TIES) to unify and streamline cyber threat intelligence sharing. TIES Exchange Platform will integrate information from partners and commercial sources, offering a consolidated view for enhanced communication and engagement.

Dave Bittner: Partner-Centered Design: The platform will be developed based on feedback from federal agencies, critical infrastructure organizations, and governments at various levels, focusing on adding value and ease-of-use.

Dave Bittner: Learning from Experience: CISA aims to address past challenges with AIS, ensuring ease of sharing and receiving information, providing context for prioritized action, and delivering value that enhances existing cybersecurity capabilities. The focus will also be on maintaining privacy and confidentiality.

Dave Bittner: The new plans will go into effect in 2024.

Remote encryption of ransomware.

Dave Bittner: Researchers at Sophos have identified a significant increase in remote encryption ransomware attacks, with a 62% rise since 2022. Prominent ransomware groups like Akira, ALPHV/BlackCat, LockBit, Royal, and Black Basta are employing this technique. In these attacks, adversaries use a compromised endpoint, often with inadequate protection, to encrypt data on other devices within the same network. This approach bypasses modern security systems, as the malicious activities, including ingress, payload execution, and encryption, occur on an unmanaged machine, with data transmission being the only sign of compromise.

CitrixBleed exploited to access customer data.

Dave Bittner: Comcast's recent data breach, affecting its Xfinity unit, has been traced to attackers exploiting a Citrix vulnerability known as Citrix Bleed. Discovered during a routine cybersecurity check on October 25, the breach occurred between October 16 and 19, after Cloud Software Group had already issued a patch on October 10. Despite promptly patching, Comcast didn't fully mitigate the risks, as attackers had already hijacked authenticated sessions. Mandiant's alert on October 17 emphasized the need to terminate all active sessions post-patching, a step Comcast missed. The widespread exploitation of Citrix Bleed continues, impacting various organizations including aerospace giant Boeing, with nearly 420 IP addresses recently detected launching related attacks.

Update on the Kyivstar cyberattack.

Dave Bittner: According to Reuters, Ukrainian telecommunications provider Kyivstar has overcome difficulties as it continues to stabilize its networks. Reports yesterday had claimed that Kyivstar had restored most of its services as it recovers from a Russian cyberattack it sustained late last week. Reports from Ukraine, however, indicated that difficulties with voice communications persist in some areas.

Tallinn Mechanism established to solidify Western support for Ukraine's cybersecurity.

Dave Bittner: Meanwhile, His Majesty’s Government this morning announced the establishment of the Tallinn Mechanism to build Ukraine's capacity for cyber defense. The announcement states, "The Foreign Ministries of Canada, Denmark, Estonia, France, Germany, The Netherlands, Poland, Sweden, United Kingdom and the United States have formalised the Tallinn Mechanism on 20 December 2023." "It aims to coordinate and facilitate civilian cyber capacity building to help Ukraine uphold its fundamental right to self-defence in cyber space, and address longer-term cyber resilience needs." The Mechanism is expected to continue the public-private cooperation that has figured so prominently in the war so far.

Dave Bittner: Coming up after the break, in today's Learning Layer segment, host Sam Meisenberg talks with Shelby Ludtke about passing the new ISC2 Certified in Cybersecurity Exam. Stick around.

Sam Meisenberg: Welcome back to another episode of "Learning Layer." Today on "Learning Layer," I'm joined by a very special guest, my colleague, Shelby Ludtke, and she is here because she just passed the Certified in Cybersecurity Exam from ISC2. Before we get into all of that, though, can you just tell us like a little bit about yourself and your background?

Shelby Ludtke: Sure, yeah. So I have a background in something completely unrelated to cybersecurity, much like yourself. So yeah, my degree is actually in history and history of arts, but I've been in the cybersecurity space in sales for the past five years, with a variety of different types of companies. So a managed network security provider, a ZTNA startup, and now I'm here at N2K.

Sam Meisenberg: So it sounds like, in a weird way, you're kind of the perfect candidate for the Certified in Cybersecurity, because for those who don't know, it's supposed to be an entry-level exam to help people learn the lexicon of cybersecurity. So why did you want to challenge yourself and sit for this exam?

Shelby Ludtke: I think it's really important, you know, especially in sales, to be able to speak with integrity and understanding to your clients. So it was really important to me to kind of understand their pain points, understand what their day-to-day look like. You know, and I've been sort of buzzing around the periphery in this space. And so, I just really wanted to challenge myself and understand, you know, what have I picked up by osmosis? Where can I dive deeper?

Sam Meisenberg: So you obviously picked up enough by osmosis and in your studies, because like I said, you passed. So let's talk about that experience. Let's talk about exam day. So tell me like a little bit about exam day experience. What you were feeling. What was going through your brain and sort of like what happened during the test itself?

Shelby Ludtke: Yeah, so it was definitely a nerve-racking experience. I won't lie. It's been a long time since I've had to, you know, put myself in a situation like that where, you know, I walked into a community college that is local to me where the exam was being administered, and it definitely felt, you know, like academia a little bit. And so, it was definitely a hat that I haven't worn in a while. Certainly, a lot of protocols in place. So walking into the room, it's, you know, very strict about what you're allowed to bring in with you. You know, a lot of scrutiny over my identification. I was very nervous about making sure I had all -- my passport and my license and everything with me. But in terms of the actual, you know, the test itself, which I think, you know, is the other big piece that you asked. You know, the test itself was far more challenging than I think I had expected it to be. The way that the test is structured, there is no back button. So it's a -- it's a one-time through, and that's it.

Sam Meisenberg: So meaning, if we can just kind of elaborate on that a second, you select your answer choice.

Shelby Ludtke: Yep.

Sam Meisenberg: You click next, and there's no going back to change your answer choices.

Shelby Ludtke: Yeah, there's no going back. So, which was kind of a different experience. I had done some practice tests, and that was, you know, that was a feature that I had become accustomed to, being able to kind of like things for review later. So all I really had was a dry erase board that they provided and dry-erase marker. And so, I was able to kind of jot down a few notes and help myself kind of think through things. I'm a really visual learner. So sometimes it's helpful for me to have that option. But yeah, I think, you know, the test itself, the other kind of big, big thing that stuck out to me is that there's often more than one answer that could be correct. And so, you really have to rely on your instincts and, you know, what you've, you know, gained during study to make the best choice possible.

Sam Meisenberg: So let's -- we talked about exam day. Let's back up. How did you prepare? How did you get yourself in a position to pass the test?

Shelby Ludtke: So the -- you, actually, recommended to me that I take the ISC2 course that had been offered. You know, I love a deal. So a free course is always a great option.

Sam Meisenberg: But sometimes, you do get what you paid for, though. So just so everybody is aware.

Shelby Ludtke: That's true. That's true, but yeah. So the course itself, you know, I spent a few weeks. I really tried to make sure that I was giving myself time to absorb the material, not to cram everything in that, you know, I am a busy working mom. So it was definitely important to me that I, you know, give myself digestible bits of information. But I will say, you know, the course itself, there's certainly a portion of it that is pretty common sense and felt really -- not redundant but just familiar. I knew a lot of those kinds of, you know, the initial questions. You know, a lot of like the physical controls types of questions were really just common sense. But once we got into sort of the networking portion, it definitely became more technical. So I really focused my time there. So from there, I actually used N2K's QBank so that I could build myself practice exams that were sort of, you know, going to replicate the time and length of the actual exam, and that, I sort of worked through methodically. So I certainly got very nervous that I wasn't going to be ready for exam day but kind of pushed through it, and by the time I was ready to go to the exam, I was getting passing scores and felt like it was go time.

Sam Meisenberg: So Shelby, if you were talking to somebody who was gearing up for this exam, and they are just a couple of days away maybe from taking it, what would you say to them? What would like be one piece of advice that you would give them?

Shelby Ludtke: I think, you know, for me, the tipping point was taking the first practice exam that I had built, because I realized, you know, while I was going through that that it was far more complicated than what had been provided through the ISC2, you know, portal. It just was a very different type of test. I felt, you know, quite a bit more pressure. So I think I had gotten this like false sense of confidence after completing the prep course. Certainly, be ready for some tricky questions on the exam, regardless of how prepared you are.

Sam Meisenberg: So let's actually talk about that. What happens when you get to a tricky question? Like walk me through your process.

Shelby Ludtke: Yeah, I mean, I definitely encountered a few. I think, you know, most of -- again, there's absolutely no resources in the room or, you know, there's nowhere to look or nothing else but your own brain to solve that. And I think for most of us, you know, that's a pretty strange place to be. We're very used to, you know, hopping on your phone and just verifying something. So I think the biggest thing is don't panic. You know, trust yourself because, oftentimes, your first instinct is the right way to go. But definitely, if you're a visual learner like me, feel free to scratch -- make a few chicken scratch notes, you know, on your pad there.

Sam Meisenberg: Yeah, I can also imagine, too, like knowing, also, when to bail on those type of questions is helpful. Because sure, you can write down whatever you want. You could do the chicken scratch on the dry erase, but it might not trigger anything. And then, you're sort of just spinning your wheels wasting time. So it also, probably, is a good idea to like know when to get out on a tough question, too, right?

Shelby Ludtke: Absolutely. I think pacing yourself is also super important. I think, you know, I felt very comfortable with the time allotted. I ended up finishing early, but I think, you know, just the feeling of, you know, I could sit here and spin my wheels for an extra 10 minutes, and I'm never going to know this answer. You know, you just have to trust yourself and push on, because there's going to be plenty more questions that you can get right.

Sam Meisenberg: So Shelby, I want to thank you again for joining me on "Learning Layer." So what cert is up next?

Shelby Ludtke: Sec+.

Sam Meisenberg: Sec+. All right, I'm going to have you back on when you pass that class, okay?

Shelby Ludtke: Sounds great. Absolutely no pressure. I love it.

Sam Meisenberg: Thank you for tuning into this segment of the "Learning Layer." If you're interested in pursuing the CC from ISC2 or any other certification, N2K has comprehensive practice tests to help you prepare for exam day. Get access to multiple learning tools, including tons of quizzes, flashcards, and simulated practice exams to help you walk into test day prepared and confident. For a limited time, all N2K certification practice tests are only $39. Visit n2k.com/certified to find your cert. Happy studying.

Dave Bittner: That's the "Learning Layer," with our host, Sam Meisenberg. And finally, the UK's spy agency, GCHQ, launched its annual code-breaking challenge for school children aged 11 to 18, aiming to keep young minds engaged during the winter break. Over 1,000 secondary schools have enrolled in the 2023 event, which features some of the most challenging puzzles to date. This third edition is centered around a Christmas card from Anne Keast-Butler, GCHQ's director, containing various puzzles that escalate in difficulty, testing codebreaking, math, and analytical skills. One puzzle involves grouping nine gift tags into three sets based on a common link, while another is a numerical brain teaser where each letter represents a different digit, with solutions related to Christmas. Besides these, the challenges include seven questions and a particularly tough maths-based bonus puzzle. Participants are encouraged to work in teams, utilizing diverse skills to solve the puzzles. The challenge also has a historical theme, featuring Bletchley Park, the wartime headquarters of GCHQ, where scientists broke the German Enigma code. A photograph from 1940, found in codebreaker Joan Wingfield's family album, is highlighted, emphasizing GCHQ's roots in cryptography and encryption and their relevance to the agency's current mission. This year's challenge also celebrates Bletchley Park's role in hosting the AI Safety Summit. GCHQ's Christmas challenge is like an advent calendar for the mind - but instead of chocolates, each door opens to a puzzle that might just take until next Christmas to solve. And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com.
We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.