A digital disappearance in Utah.
Cyber-kidnapping in Utah. Hospitals sue for data recovery. The US Department of Homeland Security assesses cyber threats to the US. Mac malware is on the rise. Cameras hacked by Russian intelligence services provide targeting information. Ransomware roundup. An NPM dependency campaign. Google recommends enhanced safe browsing. Rob Boyce from Accenture describes the Five Families and the trend of hacker collaboration. And the FTC wants to hear your cloned voice.
Today is January 3rd twenty twenty four! I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Cyber-kidnapping in Utah.
We begin today with the strange and disturbing case of Kai Zhuang, a 17-year-old Chinese foreign exchange student who became the center of a complex "cyber kidnapping" case after disappearing from his host city, Riverdale, Utah. Initially feared kidnapped following a ransom demand to his parents in China, Zhuang was eventually found cold and scared in a tent near Brigham City. Investigators had at first suspected a forcible abduction, but Zhuang had in fact left his host family's home voluntarily. They believe he was manipulated by cyber kidnappers who target foreign exchange students, particularly those from China. These criminals deceive both the student and the family, demanding a ransom from the family while convincing the student to isolate themselves and simulate captivity.
Local police, collaborating with the FBI and both the U.S. and Chinese embassies, learned that Zhuang's family in China had paid around $80,000 to Chinese bank accounts after receiving threats and a photo indicating Zhuang's peril. This case fits a pattern of what's being called "cyber kidnappings," in which the kidnappers maintain control over the victim and extort the family using fear tactics.
The search for Zhuang involved warrants for various records and surveillance footage analysis. He was located after extensive efforts, including the use of drones. Local police are advocating for vigilance against such crimes and stress the importance of trusting and cooperating with law enforcement. The investigation continues as authorities seek to apprehend the cyber kidnappers involved.
Despite the cold and his ordeal, Zhuang was medically cleared and eager to reconnect with his family. Once found, he reportedly requested a nice, hot cheeseburger.
Hospitals sue for data recovery.
Two New York not-for-profit hospitals, Carthage Area Hospital and Claxton-Hepburn Medical Center, part of the North Star Health Alliance, are seeking a court order to recover data stolen in an August ransomware attack by the LockBit gang. The hospitals, serving over 220,000 residents in various counties, had sensitive files including patient information compromised, forcing patient redirection for urgent care.
Post-attack, the hospitals' IT teams worked on system stabilization, with plans to reschedule affected appointments. The stolen data, including personal and health information, was found stored on Wasabi Technologies' servers in Boston. In response, the hospitals filed a lawsuit, assisted by the FBI, against the cybercriminals. They request the court to compel Wasabi to return the data and mandate the ransomware group to destroy all copied data.
This incident is part of LockBit's broader pattern of attacks, including disruptions in German hospitals and Toronto's Hospital for Sick Children, causing delays in emergency care and treatment. LockBit, a ransomware-as-a-service operation active since 2019, has targeted major organizations globally, extorting approximately $91 million from U.S. entities alone in over 1,700 attacks since 2020. The hospitals' legal action aims to safeguard their stolen data and mitigate further risks to patient privacy and care continuity.
US Department of Homeland Security assesses cyber threats to the US.
In its annual Homeland Threat Assessment for 2024, the US Department of Homeland Security's Office of Intelligence and Analysis predicts a continuing Russian threat in cyberspace. It draws particular attention to three areas of Russian activity against the US that are expected to emanate from Russia's war against Ukraine: influence operations, privateering by cyber criminals and disruption by hacktivist auxiliaries, and cyberespionage by intelligence services. Iran and China are also prominently mentioned among the cyber threats expected to be active against the US this year. Much of Iran's activity can be expected to be connected to the war between Hamas and Israel. China represents a major continuing threat. Tensions over Taiwan are expected to continue and probably increase, but most of China's activity in cyberspace will in all likelihood be directed toward long-term political and (especially) economic competition with the US and other rivals. Notably absent from the threat assessment is North Korea.
Mac malware is on the rise.
Security expert Patrick Wardle published a detailed blog analyzing a significant increase in macOS-targeted malware in 2023, with 21 new families identified, a 50% rise from 2022. These threats include ransomware like LockBit and Turtle, and a predominance of information stealers like PureLand and Realst. Notably, North Korean APT groups were highly active, producing malware such as SmoothOperator and RustBucket. Other threats included the SparkRAT backdoor, the Geacon backdoor, and the WSClient proxy. Persistent threats like iWebUpdater and new variants of CoinMiner and XLoader were also observed, alongside unverified reports of malware like hVNC and ShadowVault. This surge underscores the growing interest of cybercriminals in targeting Apple devices.
Cameras hacked by Russian intelligence services to provide targeting information.
Ukrainian authorities have dismantled two surveillance cameras in Kyiv, alleging they were hacked by Russia to spy on air defense and critical infrastructure. These cameras, originally for residents to monitor their surroundings, were reportedly manipulated by Russian intelligence to stream sensitive footage on YouTube, aiding in directing drones and missiles during an attack on Kyiv and Kharkiv. This assault resulted in casualties and injuries. Since Russia's invasion in February 2022, Ukraine's security service, SBU, has blocked around 10,000 cameras potentially used by Moscow for missile strike planning. Investigations revealed many Ukrainian cameras using Russian Trassir software, capable of detailed surveillance, were linked to servers in Moscow, accessible to Russian security services. Ukrainian law prohibits sharing imagery of attack sites to prevent aiding enemy targeting, with violations carrying severe penalties.
We have reports of a number of ransomware incidents to share.
The US division of Xerox has sustained a cyberattack that may have involved the theft of personal information, the Record reports. BleepingComputer notes that the INC Ransom ransomware gang added the company to its data leak site on December 29th.
On December 29, 2023, Florida-based Akumin Inc., a provider of radiology and oncology services, disclosed a data breach stemming from an October 11 ransomware attack. The breach exposed a range of sensitive information, including names, contact details, birthdates, Social Security and driver’s license numbers, as well as health insurance and medical data. While taking its systems offline and conducting an investigation, Akumin confirmed the intrusion involved confidential patient information.
Sweden's Coop supermarket chain has been dealing with a cyberattack by the Cactus ransomware gang on its Värmland branch since December 22. The gang, which has targeted large entities since March, breached Coop's network through VPN vulnerabilities and malicious online ads. The attack disrupted card payments, prompting a temporary website and external cybersecurity aid. Though stores stayed open with alternative communication channels, this isn't Coop's first ransomware ordeal: a 2021 incident involving the Kaseya ransomware attack affected 800 stores.
NPM dependency campaign.
Checkmarx warns of an apparent troll campaign in the NPM registry that could lead to denial-of-service incidents. A user uploaded a package named “everything” to the registry, which “relies on every other public NPM package, resulting in millions of transitive dependencies.” As a result, users who install the package will experience “issues like storage space exhaustion and disruptions in build pipelines.”
The user is remorseful, and says he didn’t realize he wouldn’t be able to delete the package once it was incorporated into other users’ projects.
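An added example, not from the briefing or from Checkmarx: a pre-install guard that counts a package's transitive dependency closure from a flat dependency map (the shape you would derive from a lockfile or registry metadata) and refuses closures above a threshold. The package names in the sample graph are constructed, and the graph deliberately contains a cycle, which real registries also permit.

```javascript
// Added example (not the CyberWire's or Checkmarx's code): flag packages whose
// transitive dependency closure is large enough to exhaust disk or stall a
// build pipeline, the failure mode the "everything" package triggers.

// Constructed sample graph: package name -> direct dependencies.
// Hypothetical names; "everything-ish" plays the role of the troll package.
const SAMPLE_GRAPH = {
  "app": ["left-pad-ish", "everything-ish"],
  "left-pad-ish": [],
  "everything-ish": ["chunk-0", "chunk-1"],
  "chunk-0": ["pkg-a", "pkg-b", "pkg-c"],
  "chunk-1": ["pkg-c", "pkg-d", "everything-ish"], // cycle back to the root
  "pkg-a": [], "pkg-b": [], "pkg-c": [], "pkg-d": [],
};

// Returns the set of all packages reachable from `name`, excluding `name`
// itself. Iterative DFS with a visited set, so cycles terminate.
function transitiveDeps(graph, name) {
  const seen = new Set();
  const stack = [...(graph[name] || [])];
  while (stack.length > 0) {
    const dep = stack.pop();
    if (seen.has(dep)) continue;
    seen.add(dep);
    for (const next of graph[dep] || []) stack.push(next);
  }
  seen.delete(name); // a cycle may lead back to the root; don't count it
  return seen;
}

// Pre-install policy check: allow the package only if its closure is within
// `maxDeps`. Returns a result object rather than printing, so CI can act on it.
function checkInstall(graph, name, maxDeps) {
  const deps = transitiveDeps(graph, name);
  return { name, count: deps.size, allowed: deps.size <= maxDeps };
}

// Stand-alone usage: evaluate each top-level dependency of "app".
for (const dep of SAMPLE_GRAPH["app"]) {
  const r = checkInstall(SAMPLE_GRAPH, dep, 5);
  console.log(`${r.name}: ${r.count} transitive deps, allowed=${r.allowed}`);
}
```

In practice the graph would be built from `npm view <pkg> dependencies` output or a lockfile before running `npm install`, with the threshold set to whatever your build hosts can actually absorb.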
Google recommends enhanced safe browsing.
Cybernews reports that a new hack exploiting the OAuth2 protocol is compromising Google accounts, allowing attackers to maintain valid sessions and regenerate cookies even after IP or password resets. Google has acknowledged the issue, stating that such attacks are not new and that it has taken action to secure affected accounts. Contrary to reports, Google affirms that stolen sessions can be invalidated by users signing out or revoking access remotely. Users are advised to remove any malware and enable Enhanced Safe Browsing in Chrome. The exploit, part of the Lumma Infostealer malware, manipulates the GAIA ID token and is quickly being adopted by various infostealer groups. At least five such groups are reportedly using this technique, with one developer claiming to have discovered the exploit in October 2023. Cybersecurity firm Hudson Rock has observed the trend and interacted with the developer, who provided a demonstration.
The FTC wants to hear your cloned voice.
And finally, the US Federal Trade Commission, the FTC, today opened submissions for its Voice Cloning Challenge. According to the agency, while voice cloning technology offers potential benefits like medical aid for individuals who've lost their voices, it also poses significant risks, including fraud and the misuse of biometric data. The FTC has initiated this exploratory challenge to develop comprehensive solutions, from products to policies, aimed at protecting consumers from these harms. The challenge seeks to spur preventative solutions and, if unsuccessful, will signal to policymakers the need for stricter controls on this emerging technology.
This is, of course, ridiculous. Who would possibly fall for a cloned version of the voice of one of their favorite presenters, especially one that they listen to every day? The idea is absurd.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
Hey CyberWire listeners, as we near the end of the year, it’s the perfect time to reflect on your company’s achievements and set new goals to boost your brand across the industry next year. We’d love to help you achieve those goals. We’ve got some unique end-of-year opportunities, complete with special incentives to launch 2024. So tell your marketing team to reach out! Send us a message to firstname.lastname@example.org or visit our website so we can connect about building a program to meet your goals.
We’d love to know what you think of this podcast. You can email us at email@example.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.
N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.