The CyberWire Daily Podcast 2.26.24
Ep 2011 | 2.26.24

LockBit reloaded: Unveiling the next chapter in cybercrime.


LockBit's reawakening. China's ramp up to safety for vital sectors. Data leak leaves China feeling exposed. Malware hidden by North Korea in fake developer job listings. UK watchdog rebukes firm for biometric scanning of staff at leisure centers. SVR found adapting for the cloud environment. DOE proposes cybersecurity guidelines for the electric sector. Breadth of breach in the financial industry revealed. Moving on to better things. Things are looking up in the cybersecurity startup ecosystem. UK's National Cyber Security Centre announced they are launching a Cyber Governance Training Pack for boards. N2K’s President Simone Petrella talks with Elastic's CISO Mandy Andress about the CISO role and the intersection of cybersecurity, law, and organizational strategy. And there’s a facial recognition battle going on at Waterloo, the University of Waterloo that is.

Today is February 26th, 2024. I’m Tré Hester, Dave Bittner’s cooler stand-in. And this is your CyberWire Intel Briefing.

LockBit's reawakening.

The LockBit ransomware gang has reemerged with a new website, signaling its intent to continue malicious activities. This resurgence serves as a stark reminder of the persistent challenges faced by organizations worldwide. Despite the recent takedown and disruption, LockBit’s return demonstrates the resilience and adaptability of cybercriminal organizations. Unveiling a new LockBit website reaffirms their commitment to expanding operations and attracting new victims.

Key takeaways from LockBit's return include:

Resilience of Cybercriminals: Despite law enforcement efforts to disrupt their activities, these adversaries are quick to regroup and resume their malicious operations. 

Sophisticated Tactics: LockBit is renowned for its sophisticated tactics, including double extortion schemes and targeted attacks on high-value assets. Their ability to evolve and innovate underscores the ever-present danger posed by ransomware threats. 

Ransomware-as-a-Service Model: LockBit's relaunch exemplifies the ransomware-as-a-service (RaaS) model, wherein cybercriminals provide their malicious software to affiliates in exchange for a cut of the profits. This model enables the rapid proliferation of ransomware attacks and poses significant challenges for defenders. 

Preventive Measures: To defend against threats like LockBit, organizations must adopt a multi-faceted approach to cybersecurity. This includes regular software patching, robust endpoint protection, network segmentation, and employee training. Additionally, implementing proactive threat hunting and incident response plans can help organizations detect and mitigate threats before they escalate.

Collaborative Defense: Given the global nature of cyber threats, collaboration among industry stakeholders is paramount. Sharing threat intelligence, best practices, and resources can enhance collective defenses and improve resilience against ransomware and other cyber attacks.

Stay tuned as their next steps unfold.

China's ramp up to safety for vital sectors.

Following the recent data breach of the Chinese Ministry of Public Security, China moves to bolster cybersecurity measures in key industries, underscoring the global imperative to fortify defenses against cyber threats. With escalating cyber espionage and attacks, organizations worldwide must prioritize robust cybersecurity strategies. The growing sophistication of cyber adversaries necessitates proactive defense measures, including comprehensive risk assessments, advanced threat detection systems, and employee training. Collaborative efforts within and across industries are crucial for sharing threat intelligence and best practices to mitigate cyber risks effectively.

Data leak leaves China feeling exposed. 

In a significant cybersecurity revelation, documents reportedly leaked on GitHub have exposed the inner workings of I-Soon (also known as Anxun), a Chinese information security company allegedly involved in extensive cyber espionage activities. The documents include contracts, product manuals, and employee lists, pointing to a comprehensive support system for Beijing's hacking endeavors. These tools demonstrate I-Soon's capability to infiltrate various systems, undetected.

Targets span across continents and sectors, implicating telecommunications firms, government departments, and even educational institutions in countries including India, Thailand, Vietnam, South Korea, and NATO members. Analyses of the documents suggest that I-Soon functions as an APT-for-hire, working with China's Ministry of Public Security (MPS) and possibly other state agencies. This collaboration aligns with Beijing's increasingly aggressive cyber espionage strategies. The leaked documents not only reveal the technical aspects of these operations but also shed light on the human element within I-Soon.

Malware hidden by North Korea in fake developer job listings.

Phylum’s research arm has unveiled a sophisticated malware campaign targeting developers through open-source npm packages. Attackers, disguising malicious code within seemingly benign packages like execution-time-async, aim to steal cryptocurrency and credentials. Techniques include masquerading as legitimate software, exploiting service and dormant accounts, and self-hosting malicious dependencies to evade detection. The campaign has evolved, responding to npm package takedowns by shifting tactics, including hosting malicious content on self-run servers. Evidence suggests a connection to North Korean state-sponsored activities, highlighting the significant risk to developers and the broader software supply chain. Developers are urged to exercise caution, vetting any code from the internet closely to avoid falling victim to these sophisticated attacks.

UK watchdog rebukes firm for biometric scanning of staff at leisure centers.

The UK's Information Commissioner's Office has mandated Serco to halt the use of facial recognition and fingerprint scanning for monitoring over 2,000 employees across 38 leisure centers, citing unlawful biometric data processing. Highlighting the power imbalance and lack of opt-out options, the ICO demands the destruction of all unlawfully retained biometric data within three months. Emphasizing the risks and irreversible nature of biometric breaches, the ICO's enforcement stresses the need for fair and proportionate use of such technologies in the workplace. Reasonable privacy enforcement… what a concept. The Brits seem to have it made on their side of the pond.

SVR found adapting for the cloud environment.

A recent NCSC advisory highlights the threat posed by the SVR, also known as APT29, as they adapt tactics for initial cloud access, targeting sectors from aviation to the military. Using techniques like brute forcing and exploiting dormant accounts for initial access, the SVR has moved beyond traditional on-premises network attacks. The use of residential proxies helps them stay undetected, posing significant challenges to cybersecurity risk management. Effective mitigations remain multi-factor authentication and identity and device enrollment policies. This evolution underscores the need for robust cybersecurity measures against sophisticated threats, especially as organizations increasingly rely on third-party cloud-based infrastructure.

DOE proposes cybersecurity guidelines for the electric sector.

The US Department of Energy has announced new cybersecurity baselines for electric distribution systems and distributed energy resources like solar and wind. Developed in partnership with the National Association of Regulatory Utility Commissioners, the initiative aims to protect America's energy infrastructure against growing cyber threats. By providing uniform cybersecurity standards, the DOE seeks to prevent a fragmented approach to cybersecurity across states, enhancing the resilience of the nation's electric systems. The effort underscores a collaborative push towards safeguarding critical energy infrastructure against major risks, with further work planned in 2024 to develop implementation strategies and adoption guidelines for nationwide standardization.

Breadth of breach in the financial industry revealed.

In an update to our earlier coverage of the LoanDepot data breach, the company has now confirmed that nearly 17 million customers were impacted by the ransomware attack. The breach exposed sensitive personal information, including Social Security numbers, names, dates of birth, and financial details. This incident marks a significant escalation in cyber risks to the financial industry, with LoanDepot joining the ranks of companies like Fidelity National Financial, which have also suffered major cyberattacks recently. The full impact of this breach on LoanDepot's financial health remains to be seen.

Moving on to better things.

In a recent breach notification filed with the Maine Attorney General, U-Haul confirmed a data breach impacting 67,000 customers in the U.S. and Canada, compromising names, birthdates, and driver's license numbers. The breach occurred throughout the second half of 2023 and was initially discovered in December 2023. Affected customers have been notified. The breach, which resulted from unauthorized access using legitimate credentials, led to enhanced security measures and free credit monitoring for affected individuals.

Things are looking up in the cybersecurity startup ecosystem.

Friend of the show David DeWalt, also the managing director of NightDragon and former CEO of both FireEye and McAfee, but definitely best known as friend of the CyberWire, just published an analysis and some optimistic predictions for the cybersecurity startup market in 2024. David reports that in 2023, cybersecurity investments fell by 40% amidst a broader 35% decrease in global venture capital. Despite this downturn, customer demand continues to grow. CISOs report increased budgets for 2024, with IT investment expected to rise by 8%. Seed rounds, making up 42% of the funding, highlight a sustained interest in early-stage innovation. And significant raises, such as HEAL Security's $4.6 million, reflect confidence in startups tackling emerging risks like AI and quantum. The shift to more sustainable investment and business models is the key, and David predicts a strong 2024 across mergers, AI, and early-stage companies.

UK's National Cyber Security Centre announced they are launching a Cyber Governance Training Pack for boards. 

And this is a UK-heavy briefing today. The UK's National Cyber Security Centre announced they are launching a Cyber Governance Training Pack for boards to enhance cyber-risk management skills and knowledge. This initiative emphasizes boards' vital role in cybersecurity governance, offering practical guidance to leverage technology benefits and mitigate threats like cybercrime and ransomware. It complements another initiative, a proposed Cyber Governance Code of Practice by the Department of Science, Technology and Innovation, aiming to educate boards on risk management without needing to be tech experts.

Coming up, we’ve got N2K’s President Simone Petrella talking with Elastic's CISO Mandy Andress about the CISO role and the intersection of cybersecurity, law, and organizational strategy.


There is a facial recognition battle going on at Waterloo, the University of Waterloo that is. 

An error showed up on a candy vending machine at the University of Waterloo recently. A student recognized the error, and soon a photo of it was circulating around the university. M&M machines throughout the university have been altered by students covering up the tiny hole in the front that is thought to house the camera for facial recognition. Noting that the demographics of a university tend to be those in their late teens and early 20s, students questioned the violation of privacy and the use of the technology. They’ve taken it upon themselves to add their own sweets to the vending machines, as those on campus have now creatively covered the holes with gum and other sticky substances. The vending machine company claims no ownership of the demographic data collected, and M&M Mars has not responded to inquiries. It doesn’t look like this battle of Waterloo will have a sweet ending for the candy machines. In a nod to ABBA's "Waterloo," the situation might have the candy machines singing, "Waterloo, I was defeated, you won the war" as students cleverly outsmart the facial recognition systems.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. You can email us at—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Tré Hester. Thanks for listening.