Protecting American data.
President Biden is set to sign an executive order restricting overseas sharing by data brokers. US Federal agencies warn of exploited Ubiquiti EdgeRouters. A new ransomware operator claims to have hacked Epic Games. A cross-site scripting issue leaves millions of WordPress sites vulnerable. The Rhysida ransomware group posts a multi-million dollar ransom demand on a Children’s Hospital in Chicago. Mandiant tracks Chinese threat actors targeting Ivanti VPNs. The former head of DHS weighs in on a federal cyber insurance backstop. Domain Registrars offer bulk name blocking for brands. Our guest, Magpie Graham, Principal Adversary Hunter Technical Director at Dragos, reviews the key findings of Dragos’ Cybersecurity Year in Review report. Cameo celebrities are taken out of context for political gains.
Today is February 28th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
President Biden is set to sign an executive order restricting overseas sharing by data brokers.
President Joe Biden is set to sign an executive order to prevent the mass transfer of sensitive personal data of Americans to countries like China, Russia, and Iran. Targeting data brokers, the order mandates the Department of Justice to start a rulemaking process to restrict the bulk sharing of data, including genomic, biometric, health, geolocation, financial data, and personally identifiable information. Aimed at addressing national security risks, the initiative emphasizes collaboration with industry stakeholders to ensure the implementability of these rules while safeguarding national security interests. The process, expected to extend over months or years, will prohibit specific data broker transactions and establish restricted data transaction categories to protect critical security components. Additionally, it directs key departments to review federal grants and contracts to prevent sensitive health data from being transferred to the banned countries. This order focuses on the transfer of data overseas without imposing new domestic data handling standards. Previous administrations have highlighted concerns over foreign adversaries, particularly China, acquiring Americans' data through hacking or commercial transactions, with potential uses ranging from identifying intelligence agents to training AI models.
US Federal agencies warn of exploited Ubiquiti EdgeRouters.
The FBI, NSA, US Cyber Command, and international partners have issued a Cybersecurity Advisory warning about Russian state-sponsored actors exploiting Ubiquiti EdgeRouters for cyberattacks. These actors, identified as APT28 or Fancy Bear, have targeted various sectors across multiple countries since 2022, using compromised routers for operations like credential theft and establishing malicious landing pages. They've exploited vulnerabilities, including a patched zero-day, to install tools enabling further attacks. The FBI has discovered indicators of compromise and recommends remediating affected routers through hardware resets, firmware updates, and enhanced security measures. Network owners are advised to update systems and Outlook to protect against specific vulnerabilities exploited by these actors.
A new ransomware operator claims to have hacked Epic Games.
A report out of Australia says the Mogilevich gang, a new player in the ransomware arena, claims to have hacked Epic Games, the studio famous for Fortnite, Unreal Tournament, and Gears of War. Mogilevich alleges possession of 189 gigabytes of data, including emails, passwords, payment information, and source code. The data is advertised for sale on their darknet site, with a hyperlink directing potential buyers to a contact page. Despite setting a deadline of March 4 for Epic Games to respond or for someone to buy the data, Mogilevich has not disclosed a ransom amount or provided evidence of the hack.
A cross-site scripting issue leaves millions of WordPress sites vulnerable.
A critical stored Cross-Site Scripting (XSS) vulnerability has been found in the LiteSpeed Cache plugin for WordPress, affecting over 4 million WordPress sites. The flaw stems from the plugin failing to sanitize user input, which could let attackers store malicious scripts that later execute in visitors' browsers. The vulnerability puts unpatched sites at risk of data theft and unauthorized access. Users are urged to update to version 5.7.0.1 or later for protection.
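To make the "failing to sanitize user input" point concrete, here is an added illustration (not code from the LiteSpeed Cache plugin or from the broadcast) of the pattern behind a stored XSS bug: the same stored comment rendered by a template that interpolates raw input beside one that encodes it for the HTML context it lands in. The comment object, the two renderers, and the sample payload are all constructed for this example.

```javascript
// Added example: stored XSS arises when untrusted, stored input is placed into
// HTML without encoding. Everything here is constructed for illustration; it is
// not code from the LiteSpeed Cache plugin or from WordPress.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode the five characters that change meaning inside HTML text nodes and
// inside double- or single-quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: raw interpolation of stored user input into markup.
// Whatever the user saved is emitted verbatim, including tags and quotes.
function renderCommentUnsafe(comment) {
  return `<li class="comment" data-author="${comment.author}">${comment.body}</li>`;
}

// Hardened pattern: every untrusted value is encoded for its output context
// (text node for the body, quoted attribute for the author).
function renderCommentSafe(comment) {
  return `<li class="comment" data-author="${escapeHtml(comment.author)}">${escapeHtml(comment.body)}</li>`;
}

// Review/test helper: does the rendered output still contain the untrusted
// string unchanged? If so, the renderer did not encode it.
function containsRawMarkup(html, untrusted) {
  return html.includes(untrusted);
}

// Constructed sample of a stored comment carrying a script tag in its body and
// an attribute-breaking quote in its author field.
const sampleComment = {
  author: 'x" onmouseover="alert(1)',
  body: "<script>alert(document.cookie)</script>",
};

console.log("unsafe:", renderCommentUnsafe(sampleComment));
console.log("safe:  ", renderCommentSafe(sampleComment));
```

The hardened version encodes on output rather than trying to strip "bad" input on the way in; an allow-list sanitizer is only needed when users are permitted to submit HTML, and even then output encoding for attribute contexts still applies.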
The Rhysida ransomware group posts a multi-million dollar ransom demand on a Children’s Hospital in Chicago.
A ransomware attack by the Rhysida group on Chicago's Lurie Children’s Hospital has led to a $3.4 million ransom demand. Lurie Children's Hospital is a major pediatric center in the Midwest. The facility remains operational but has experienced disruptions, including canceled appointments and surgeries. The hospital is actively working on system recovery, and advises patients to bring printed insurance cards and medication lists to appointments. The Rhysida group, known for targeting healthcare institutions, has listed the stolen data for sale for 60 bitcoins. The U.S. Department of Health and Human Services has previously issued warnings about Rhysida's increasing focus on the healthcare sector.
Mandiant tracks Chinese threat actors targeting Ivanti VPNs.
Chinese cyberespionage group UNC5325 has exploited vulnerabilities in Ivanti Connect Secure VPN to deploy new malware for persistence, despite patches. These attacks, following initial zero-day exploits reported by Volexity, involve sophisticated malware like LittleLamb.WoolTea and PitStop, aimed at U.S. and Asia-Pacific region targets in defense, technology, and telecom. Mandiant's analysis reveals UNC5325's deep understanding of Ivanti appliances, using malware and modified tools to evade detection and persist through updates. Despite their sophistication, Mandiant says the group’s attempt to persist through a factory reset failed due to encryption key changes. This activity underscores the ongoing threat from Chinese actors leveraging zero-day vulnerabilities against critical infrastructure.
The former head of DHS weighs in on a federal cyber insurance backstop.
In the wake of the devastating NotPetya cyberattack in 2017, the pharmaceutical giant Merck found itself in a protracted legal battle over a $700 million insurance claim. This case spotlighted a growing concern in the digital age: who bears the financial responsibility for massive, state-sponsored cyberattacks?
The insurers contested Merck's claim, arguing that the attack, attributed to the Russian government, was a "hostile or warlike act," excluding it from standard property and casualty coverage. This dispute underscored a critical gap in the cybersecurity insurance market: the difficulty in covering losses from cyberattacks that have the scale and impact of military actions.
In a recent appearance on the Cyberwar Podcast, Former Department of Homeland Security Secretary Michael Chertoff proposed a solution akin to the Terrorism Risk Insurance Act (TRIA) of 2002, which was created in response to the 9/11 attacks and provided a federal backstop for insurance claims related to terrorism. Chertoff's suggestion was for the federal government to serve as a financial backstop for insurers in the event of catastrophic cyberattacks, offering a layer of security to both insurers and policyholders against the unpredictable and potentially immense costs of such incidents.
The debate over a federal backstop highlights the need for clear criteria and definitions for what constitutes a cyberattack warranting government support. This includes considerations around the attack's perpetrator, motives, and the extent of damage caused. The complexity of attributing cyberattacks to specific actors and understanding their impacts complicates the establishment of such a framework.
Moreover, the proposal raises questions about moral hazard, where companies might underinvest in cybersecurity measures if they expect government bailouts for significant attacks. This concern underscores the importance of tying any federal support to stringent cybersecurity standards, ensuring that only those who take reasonable precautions to secure their networks can qualify for assistance.
Domain Registrars offer bulk name blocking for brands.
Domain Name Registrars are now offering a service called GlobalBlock, which enables businesses to block registration of domain names infringing on their brand, including homoglyphs and variations. This service provides subscription-based protection against domain squatting and phishing attacks. For instance, it can prevent the registration of domains that misuse or mimic brand names, addressing issues like typosquatting and homograph attacks. While the service could streamline brand protection and reduce the need for manual domain registration, it does raise concerns about free speech and domain hoarding. Critics, including the EFF, argue that such automated blocking might suppress legitimate expression and discussions about brands, as domain names themselves can be a form of speech. The debate centers on finding a balance between protecting trademarks and ensuring freedom of expression online.
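As an added illustration of what "homoglyphs and variations" means in practice (this is not GlobalBlock's code or any registrar's logic), the check below takes a candidate domain label and a brand name and classifies the label as exact, homoglyph, typosquat, containing the brand, or unrelated. It is the kind of test a brand-monitoring or phishing-detection pipeline would run over newly registered names. The confusables table is a small hand-built subset for illustration, not the full Unicode confusables data, and labels are assumed to be already decoded from punycode into Unicode.

```javascript
// Added example (not code from GlobalBlock or any registrar): a defender-side
// classifier that flags domain labels mimicking a brand through look-alike
// characters or small typos. The confusables table is a hand-built subset.

const CONFUSABLES = new Map([
  ["\u0430", "a"], // Cyrillic а
  ["\u0435", "e"], // Cyrillic е
  ["\u043e", "o"], // Cyrillic о
  ["\u0440", "p"], // Cyrillic р
  ["\u0441", "c"], // Cyrillic с
  ["\u0445", "x"], // Cyrillic х
  ["\u0443", "y"], // Cyrillic у
  ["\u0456", "i"], // Cyrillic і
  ["0", "o"],
  ["1", "l"],
  ["3", "e"],
  ["5", "s"],
]);

// Digraphs that read as a single letter in many fonts.
const MULTI_CHAR_CONFUSABLES = [
  ["rn", "m"],
  ["vv", "w"],
  ["cl", "d"],
];

// Collapse a label to its visual "skeleton": NFKC-fold (fullwidth letters etc.),
// lowercase, then map look-alike characters and digraphs onto the Latin letters
// they imitate.
function skeleton(label) {
  let s = label.normalize("NFKC").toLowerCase();
  s = Array.from(s, (ch) => CONFUSABLES.get(ch) ?? ch).join("");
  for (const [from, to] of MULTI_CHAR_CONFUSABLES) s = s.split(from).join(to);
  return s;
}

// Standard Levenshtein edit distance (insert, delete, substitute), one-row form.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Classify the registrable label (the part before the public suffix) against a
// brand name. Assumes the label is already in Unicode form (punycode "xn--"
// labels decoded beforehand).
function classifyLabel(label, brand, maxTypoDistance = 2) {
  const raw = label.toLowerCase();
  const skel = skeleton(label);
  const target = brand.toLowerCase();
  if (raw === target) return "exact";
  if (skel === target) return "homoglyph";
  if (editDistance(skel, target) <= maxTypoDistance) return "typosquat";
  if (skel.includes(target)) return "contains-brand";
  return "unrelated";
}

// Constructed candidates for a made-up brand "examplebrand".
const SAMPLE_LABELS = [
  "examplebrand",
  "ex\u0430mplebrand", // Cyrillic а in place of Latin a
  "exarnplebrand",     // "rn" standing in for "m"
  "exampelbrand",      // transposed letters
  "examplebrand-login",
  "weather",
];

for (const label of SAMPLE_LABELS) {
  console.log(label, "->", classifyLabel(label, "examplebrand"));
}
```

In a real monitoring pipeline this check would run on the Unicode form of each new registration, with a public-suffix list used to isolate the registrable label first; the skeleton step is what catches the homograph cases that a plain string comparison misses.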
Cameo celebrities are taken out of context for political gains.
And finally, our B-List celebrity desk tells us of a strange but ultimately predictable case of online misinformation. A TikTok video, using paid Cameo messages from celebrities like Dolph Lundgren and Lindsay Lohan, falsely claimed Hollywood stars supported overthrowing Moldova's pro-European president, Maia Sandu. The celebrities, unaware of the video's political motive, were tricked into participating, believing they were offering personal messages. Cameo is a platform where ordinary folks can pay celebrities to record short greetings and messages for family members and loved ones, wishing them a happy birthday or congratulating them on a promotion or an anniversary. Cameo, of course, condemns such misuse, and faces serious challenges in preventing its platform from being exploited for deceptive purposes.
Of course, clever editing of video clips to achieve a specific outcome is nothing new. Way back in season five of the Simpsons, Smithers accidentally shared with Lisa Simpson a clip he had hastily assembled of Mr. Burns.
Today’s guest is Magpie Graham, Principal Adversary Hunter Technical Director at Dragos, sharing the trends in the industry.
To hear the full interview with Magpie, please tune in to Control Loop. We’ll have a link in the show notes.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.
N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.