DOJ strikes justice.
The DOJ shuts down the Warzone RAT. Ransomware hits over twenty Romanian hospitals, and Rhysida gets a decryptor. Canada may ban the Flipper Zero. Chinese espionage claims against the US are light on facts. Australia looks to criminalize doxxing. Federal IT leaders seek better coordination with CISA and the JCDC. Wired looks at the effect of cyberattacks on inequality. Our guest is Manny Felix, Founder and CEO of US Cyber Initiative, sharing their work in unlocking cyber career opportunities for young people. And this thumb drive will self-destruct in five seconds.
Today is February 12th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
The DOJ shuts down the Warzone RAT.
The U.S. Justice Department has taken decisive action against the distribution of 'Warzone' Remote Access Trojan (RAT) malware, which enabled cybercriminals to exploit victims' devices for data theft and surveillance. Authorities shut down the "warzone.ws" website and three related domains, and unveiled indictments against individuals in Malta and Nigeria involved in the malware's sale and support. Daniel Meli, 27, from Malta, was arrested and charged with offering malware services since 2012, including Warzone and Pegasus, with a U.S. court seeking his extradition. Prince Onyeoziri Odinakachi, 31, from Nigeria, was also arrested, charged with hacking and providing customer support for Warzone purchasers. The operation saw collaboration across international law enforcement, including the FBI, Europol, and agencies from multiple countries, leading to the disruption of Warzone's infrastructure. Meli faces up to 25 years in prison and a minimum fine of $500,000, while Odinakachi could face 15 years and a similar fine.
Ransomware hits 21 Romanian hospitals, and Rhysida gets a decryptor.
A ransomware attack over the weekend targeted a medical management and patient data software platform in Romania, used by at least 21 hospitals, rendering the system offline by encrypting its database. The Romanian Ministry of Health announced that the attack is under investigation with the aid of IT and cybersecurity experts from the National Cyber Security Directorate (DNSC), as they explore recovery options and implement precautionary measures for unaffected hospitals. The attack impacted various medical centers, including emergency, oncology, and cardiovascular hospitals. There's currently no information about the ransomware group responsible or whether patient data was compromised. The software provider RSC has not commented on the incident.
Meanwhile, Korean researchers have created a decryptor for files encrypted by Rhysida ransomware, known for attacks on high-profile targets since May 2023. The decryptor's development hinged on analyzing the ransomware's use of the LibTomCrypt library and its pseudorandom number generator for key and initialization vector generation. The breakthrough was identifying the PRNG's reliance on the ransomware's execution time, allowing the researchers to predict the encryption key and vector by the order of files encrypted and the random numbers generated. This research marks the first successful decryption of Rhysida ransomware, offering hope for mitigating its impact.
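To make the weakness concrete, here is a constructed toy model of the failure class the researchers describe: an encryptor that seeds its PRNG with the time it started and draws a key and IV per file in order, beside a defender-side recovery routine that brute-forces the seed over a suspected time window. This is an added illustration, not the researchers' decryptor or Rhysida's code; the PRNG, the toy cipher, the file headers and the timestamp are all hypothetical.

```python
"""Toy model of time-seeded key generation and its recovery.
Constructed example; it does NOT reproduce Rhysida, LibTomCrypt, or the real decryptor."""
import hashlib
import hmac
import random


def prng_stream(seed: int):
    """Deterministic PRNG yielding 16 bytes per call. The seed is the (constructed)
    'execution time' in seconds, the only secret the toy encryptor ever has."""
    rng = random.Random(seed)
    while True:
        yield rng.getrandbits(128).to_bytes(16, "big")


def keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Toy counter-mode cipher: HMAC-SHA256(key, iv || counter) blocks XORed with data.
    Encryption and decryption are the same operation."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, iv + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def encrypt_files(plaintexts, start_time: int):
    """Encrypt files in order: the i-th file gets PRNG outputs 2i (key) and 2i+1 (IV),
    so the order of encryption fixes which random numbers each file used."""
    gen = prng_stream(start_time)
    return [keystream_xor(next(gen), next(gen), p) for p in plaintexts]


def recover(ciphertexts, known_prefix: bytes, t_lo: int, t_hi: int):
    """Defender-side recovery: try every seed in the suspected window, replay the PRNG
    in file order, and accept the seed whose key/IV turn the first file back into
    something with the expected format header. Returns (seed, plaintexts) or (None, None)."""
    for seed in range(t_lo, t_hi + 1):
        gen = prng_stream(seed)
        if keystream_xor(next(gen), next(gen), ciphertexts[0]).startswith(known_prefix):
            gen = prng_stream(seed)
            return seed, [keystream_xor(next(gen), next(gen), c) for c in ciphertexts]
    return None, None


# Constructed sample "files", each starting with a recognisable format header.
SAMPLE_FILES = [b"%PDF-1.7 quarterly report", b"%PDF-1.7 patient intake", b"%PDF-1.7 invoice"]
SEED_TIME = 1_707_700_000  # constructed 'execution time' (Unix seconds)


def demo():
    """Encrypt, then recover knowing only file order, a header, and a one-hour time window."""
    cts = encrypt_files(SAMPLE_FILES, SEED_TIME)
    return recover(cts, b"%PDF-", SEED_TIME - 3600, SEED_TIME + 3600)


if __name__ == "__main__":
    seed, pts = demo()
    print("recovered seed:", seed, "plaintexts restored:", pts == SAMPLE_FILES)
```

The time window an investigator would use comes from artifacts such as file modification times; the point is that a seed with only a few thousand plausible values, plus the known file order, determines every key and IV.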
Canada may ban the Flipper Zero.
Canadian officials are poised to ban the sale and use of the Flipper Zero, a popular hacking tool, due to concerns over its potential for malicious use, particularly in escalating car thefts. Announced by Minister François-Philippe Champagne, the ban aims to curb the rising trend of vehicle thefts, which see around 90,000 cars stolen annually, costing the country approximately $1 billion. The Flipper Zero, retailing at $169, is a versatile device capable of testing vulnerabilities in various wireless networks and systems. While it's marketed towards tech enthusiasts and white-hat hackers for penetration testing, its misuse has raised alarms, leading to its impending prohibition in Canada. This move highlights the ongoing challenge of balancing the empowerment of ethical hacking with the prevention of technology's nefarious applications. Critics of Canada’s pending prohibition wonder why officials aren’t focusing their energy on improving automobile security.
Chinese espionage claims against the US are light on facts.
Researchers at SentinelOne highlight the fact that when Western cybersecurity reports detail nation-state espionage, especially linking such activities to China, the reports base their claims on thorough technical evidence. In contrast, Chinese claims about Western espionage, particularly from the U.S., lack this level of detail, relying more on policy-driven narratives than on technical proof. This discrepancy has been a consistent pattern, with Chinese cybersecurity entities typically refraining from publishing in-depth technical data, instead echoing information from foreign sources or leaked U.S. documents. This approach shifted slightly in 2021 when China began to more actively disseminate narratives about U.S. cyber operations, yet still without presenting new technical evidence. Recent allegations from China about U.S. hacking, including claims of targeting the Wuhan Earthquake Monitoring Center, remain unsubstantiated. The narrative push appears more propaganda-driven than based on factual analysis, highlighting a strategic play by China to frame the U.S. negatively in the global cybersecurity discourse without adhering to the evidentiary standards expected in Western cybersecurity circles. This dynamic underscores a broader geopolitical contest in the domain of cyber intelligence and information warfare, where the balance between making public accusations and providing concrete evidence remains a contentious issue.
Speaking of China, Duke Energy is set to decommission and phase out Chinese energy-storage batteries at a major Marine Corps base and its civilian projects, amid U.S. concerns over potential network vulnerabilities to Chinese government-linked hackers. This decision marks a shift in Duke Energy's strategy, aiming to replace battery technology from Chinese firm CATL with domestic or allied suppliers by 2027, reflecting broader U.S. efforts to secure critical infrastructure and support a robust American supply chain. Despite industry views that Chinese battery cells may not pose significant security risks, concerns over the potential for hacking through battery communications systems have prompted legislative actions to limit the use of Chinese-produced batteries in U.S. defense applications starting in 2027.
Australia looks to criminalize doxxing.
Australia is set to introduce new federal laws to criminalize "doxxing" – the malicious publication of private information online. The effort was announced by Prime Minister Anthony Albanese in response to anti-Zionist activists publishing the names and details of hundreds of Jewish individuals, sparking widespread condemnation. These changes, aimed at protecting personal privacy, will make it a criminal offense to engage in doxxing, with exemptions for public interest journalism. The government's rapid response also includes plans to develop stronger laws against hate speech, reflecting a commitment to counter the rise of anti-Semitism and other forms of religious or faith-based targeting in Australia. This move has been welcomed by community leaders and marks a significant step in bolstering privacy and anti-hate speech protections at the federal level in Australia.
Federal IT leaders seek better coordination with CISA and the JCDC.
Federal IT officials have called for improved coordination and stricter security standards from the Cybersecurity and Infrastructure Security Agency (CISA) and its Joint Cyber Defense Collaborative (JCDC). While acknowledging CISA's critical role in federal cybersecurity, tech leaders from the Treasury Department and the Department of Veterans Affairs stressed the need for more aggressive and common operating standards, rather than voluntary participation. They highlighted gaps in information sharing, especially regarding vulnerabilities and threat indicators from cloud service providers and major vendors. The officials also emphasized the importance of a centralized cyber defense strategy and better preparation against cyber threats, including those posed by artificial intelligence and machine learning. Collaboration within the JCDC, involving various federal and private entities, was recognized as positive but still developing.
The Joint Cyber Defense Collaborative (JCDC) has unveiled its 2024 Priorities, reflecting a unified effort among public, private, and international partners towards key cybersecurity outcomes. Building on the previous year's agenda, the JCDC introduces three main focus areas: defending against Advanced Persistent Threat (APT) operations, with a special emphasis on threats from entities affiliated with the People's Republic of China (PRC); raising the cybersecurity baseline to protect critical infrastructure and reduce the impact of ransomware; and anticipating emerging technology risks, particularly the cybersecurity challenges posed by Artificial Intelligence (AI). These priorities aim to enhance the collective defense posture, support innovation in cyber defense, and ensure technology is secure by design.
Wired looks at the effect of cyberattacks on inequality.
A story in Wired from Nicole Tisdale presents the case that cyberattacks are exacerbating inequalities, impacting over 39 million people in 2023 through healthcare-related breaches alone, and disproportionately affecting marginalized communities including low-income families, communities of color, veterans, people with disabilities, and immigrants. These attacks target essential pillars of society such as healthcare, economic opportunity, education, and democratic participation, creating a civil rights crisis. Cybercriminals exploit vulnerabilities, leading to identity theft, financial fraud, and erosion of trust in crucial services. Notably, healthcare breaches have sown distrust among communities historically mistreated by medical systems, while economic attacks have stolen millions from public assistance funds, affecting those in financial hardship. Educational institutions face ransomware threats, compromising sensitive student information and threatening equitable access to education. Cyber operations also undermine democratic participation, using AI-powered disinformation to suppress minority votes and sow distrust in the electoral process. Tisdale concludes that addressing these cyber threats requires a concerted effort to build inclusive defenses and incorporate civil rights perspectives into cybersecurity strategies, emphasizing the urgent need for a comprehensive response to secure digital access and equity for all communities.
Today, we’ve got Manny Felix joining us. Manny is the Founder and CEO of US Cyber Initiative. He shares their work in unlocking career opportunities for young people interested in cyber and emergent technology.
This thumb drive will self-destruct in five seconds.
And finally, our gadgets desk tells us about the Ovrdrive USB stick, nearing its crowdfunding target on Crowd Supply. The device features a self-destruct mechanism that can heat its flash chip to 100°C, offering Mission Impossible-style data protection. Developed by Ryan Walker of Interrupt Labs, it includes a unique privacy feature where data remains hidden unless the device is inserted in a specific manner. Manufacturing challenges led to retaining the self-destruction circuitry without activation by default, encouraging DIY enhancements for interested users. The Ovrdrive is aimed at journalists, security experts, and open hardware enthusiasts, especially in regions with encryption restrictions. It has achieved 83% of its $3,500 goal, with 24 days remaining in the campaign.
Ethan Hunt, call your office.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.
N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.