The CyberWire Daily Podcast 1.5.24
Ep 1977 | 1.5.24

Disruptions to the internet.

Transcript

BGP attack disrupts Internet service. Data breach law firm breached. Remcos RAT returns. Poison packages in the PyPI repository. Hacktivist personae and GRU fronts. BreachForums impresario re-arrested. Cyber National Mission Force gets a new leader. On our Solution Spotlight, Simone Petrella talks with ISC2 CEO Clar Rosso about putting a dent in the cybersecurity workforce gap. LinkedIn as a dating platform? 

Today is January 5th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

BGP attack disrupts Internet service.

Orange Spain, one of that country’s primary mobile network operators,  faced an internet outage after a hacker breached its RIPE (Réseaux IP Européens Network Coordination Centre) account, altering BGP (Border Gateway Protocol) routing and RPKI (Resource Public Key Infrastructure) configuration. RIPE is the regional Internet registry for Europe, the Middle East, and Central Asia. BGP is crucial for directing internet traffic by allowing organizations to link their IP addresses with AS (Autonomous System) numbers and advertise to connected routers. However, it's based on trust, making it vulnerable to hijackings when a rogue network falsely announces IP ranges associated with another AS number, redirecting traffic maliciously.

The hacker, known as 'Snow', modified Orange Spain's AS number and enabled an invalid RPKI configuration, a cryptographic method to ensure only authorized routers can advertise an AS number and its IP addresses. This improper implementation caused Orange's IP addresses to be incorrectly announced, leading to network performance issues.

The breach likely occurred due to weak security, specifically the absence of two-factor authentication on the RIPE account, and a simple password 'ripeadmin'. The credentials were possibly stolen via information-stealing malware, found in a public leak. RIPE has restored control to Orange and urged all users to update passwords and enable multi-factor authentication. 

Data breach law firm breached.

In what has become an all too frequent story of bitter irony, San Francisco-based Orrick, Herrington & Sutcliffe, a law firm specializing in handling regulatory requirements for companies during security incidents, suffered a cyberattack in March 2023, exposing personal and health data of over 637,000 individuals. Hackers accessed detailed information, including names, birth dates, government IDs, and medical and financial details from clients like EyeMed Vision Care, Delta Dental, MultiPlan, Beacon Health Options, and the U.S. Small Business Administration. Despite not detailing the breach method or ransom demands, Orrick has settled class action lawsuits accusing it of delayed breach notifications. The firm expressed regret and emphasized its commitment to data protection, indicating no further notifications for additional businesses.

Remcos RAT returns.

Researchers at Uptycs report that UAC-0050, a threat actor active since 2020, is deploying the Remcos RAT through phishing attacks while employing new methods to evade detection. This group, known for targeting Ukrainian and Polish entities, now uses a pipe method for interprocess communication, increasing its adaptability and sophistication. Recent attacks have involved a malicious LNK file targeting Ukrainian military personnel with fake consultancy roles. The file bypasses security measures by collecting information about installed antivirus products and executing remote scripts to download and launch Remcos RAT. This malware harvests system data and browser login information, with its evasion tactics marking an advanced leap in UAC-0050's operational strategies.

Poison packages in the PyPI repository.

Fortinet researchers identified three malicious packages in the PyPI repository, targeting Linux systems with a crypto miner. Authored by "sastra," the packages named modularseven, driftme, and catme amassed over 400 downloads before removal. These packages' indicators of compromise (IoCs) matched a previously discovered package, "culturestreak." The attack is initiated via an "import" statement, which triggers the download of a shell script and a CoinMiner file from a remote server. The script fetches a configuration file and the mining executable, with the attacker disabling features for compatibility and using the "nohup" command for background execution and persistence. These packages showcase advanced tactics to evade detection and maintain malicious functions by storing critical commands remotely, enhancing concealment and control over the disclosure of malicious code.

BreachForums impresario re-arrested.

Conor Brian Fitzpatrick, 23, of Peekskill, NY, and better known by his hacker name "pompompurin," who took a guilty plea in July to charges related to the operation of the criminal BreachForums site and his possession of child pornography, has been re-arrested. He'd been out on bond awaiting sentencing, and he was taken back into custody for reported violations of his parole, the Record reports.

Hacktivist personae and GRU fronts.

BleepingComputer describes the effects of the wiper phase of the recent cyberattack against Kyivstar. Illia Vitiuk of the Ukrainian SBU described it as extensive and devastating, with challenging recovery efforts. Kyivstar, which fully restored services by December 20th, hasn't confirmed the SBU's account and denied data loss or theft. An ongoing investigation is exploring various lines of inquiry. Adam Meyers of CrowdStrike attributes the attack to Russia's GRU, specifically the VOODOO BEAR group, which likely operated under the pro-Russian hacktivist persona Soltnsepek. The attack, coinciding with disruptions across Kiev, is seen as part of Russia's broader cyber and psychological operations aimed at undermining public trust in Ukrainian institutions and demonstrating the power of combined physical and digital warfare.

Cyber National Mission Force gets a new leader.

U.S. Cyber Command's Cyber National Mission Force (CNMF) will see a leadership change as Marine Corps Maj. Gen. Lorna Mahlock takes over from Army Maj. Gen. William Hartman. The CNMF, activated in 2014 with 39 joint cyber teams, plays a pivotal role in Cyber Command's operations and was made a permanent organization in 2022. Mahlock, the first Black woman to become a brigadier general in the Marine Corps and the service's first female chief information officer, recently served as the military deputy director for the National Security Agency's Cybersecurity Directorate. Her appointment was delayed due to a blanket hold on military promotions but proceeded after Senator Tommy Tuberville lifted the hold. Hartman is set to become Cyber Command’s new deputy chief, while Mahlock's former role at NSA will be assumed by Brig. Gen. Jerry Carter. Congratulations to Maj. Gen. Mahlock.

 

On our Solution Spotlight, Simone Petrella talks with ISC2 CEO Clar Rosso about putting a dent in the cybersecurity workforce gap.

 

LinkedIn as a dating platform? (Catphishing soon to follow.)

Business Insider reports a trend: people are looking for love on LinkedIn. There's a view, apparently, that it's easier to filter out poseurs, creeps, and losers there than it is on other, more traditional, lonely-hearts sites. (The tradition only goes back about twenty-five years, but that's very OG by Internet standards.) The potential for catphishing is obvious. 

Our love lorn desk reminds us of the saga of Robin Sage, the fictitious online persona created in 2009 by white hat hacker Thomas Ryan. Accounts on popular social media platforms presented Robin Sage as a 25-year-old "cyber threat analyst" at the Naval Network Warfare Command with a MIT background and a decade of experience. The phony accounts engaged with nearly 300 security specialists, military staff, and intelligence agents. Despite being entirely fictitious, she was approached for consulting roles by prominent companies like Google and Lockheed Martin and received dinner invites from male contacts.

We actually know someone who brought a resume to a first date. Maybe that acquaintance was ahead of the curve, and not just odd.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.