The CyberWire Daily Podcast 3.8.24
Ep 2020 | 3.8.24

From breach to battle: The escalating threat of Midnight Blizzard.

Transcript

Russian hackers persist against Microsoft’s internal systems. Change Healthcare systems are slowly coming back online. Russian propaganda sites masquerade as local news. Swiss government info is leaked on the darknet. Krebs on Security turns the tables on the Radaris online data broker. The NSA highlights the fundamentals of Zero Trust. The British Library publishes lessons learned from their ransomware attack. Researchers run a global prompt hacking competition. CheckPoint looks at Magnet Goblin. Experts highlight the need for psychological safety in cyber security. Our guest is Dinah Davis, Founder and Editor-In-Chief of Code Like A Girl, sharing the work they do to inspire young women to consider a career in technology. And the I-Soon leak reveals the seedy underbelly of Chinese cyber operations.

Today is March 8th, 2024 and International Women’s Day. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Russian hackers persist against Microsoft’s internal systems. 

Russian state-sponsored hackers, known as Midnight Blizzard or Nobelium, have again targeted Microsoft, leveraging data from a January breach of the company's corporate emails. In that initial attack, the group accessed and stole staff emails and documents. Recently, Microsoft detected attempts by Midnight Blizzard to use this stolen information to access its source code repositories and internal systems. The tech giant noted an escalation in the hackers' tactics, including a significant increase in 'password spray' attacks. Despite the concerning activity, Microsoft assured there's no evidence of compromise to its customer-facing systems. The company has been contacting customers potentially affected by the initial data theft to help implement protective measures. This ongoing cyber conflict has slightly affected Microsoft's stock value, and there has been no response from the Russian embassy regarding these incidents.

Change Healthcare systems are slowly coming back online. 

Change Healthcare, part of UnitedHealth Group, is gradually restoring its systems after the late February cyberattack that severely impacted its operations, disrupting the U.S. health system's claims and payment infrastructure. As of Friday, electronic prescribing services for pharmacies are fully functional, with the broader payments platform expected to be operational by March 15. The company is working to reestablish connectivity for its medical claims technology with testing set to begin in the week of March 18. UnitedHealth says they are committed to mitigating the attack's effects on consumers and care providers, offering funding support to those affected. The attack, attributed to the AlphV/BlackCat ransomware group, led to significant cash flow issues among large healthcare providers. UnitedHealth has not disclosed whether a ransom was paid, but that comes amidst reports of a $22 million payment and ongoing scams within the ransomware group.

Russian propaganda sites masquerade as local news. 

The New York Times chronicles a series of fake news websites with names like D.C. Weekly, New York News Daily, Chicago Chronicle, and Miami Chronicle which are falsely presenting themselves as local news outlets. They are, in fact, Russian creations aimed at disseminating Kremlin propaganda, interlacing legitimate news with fabricated stories to influence public discourse in the U.S. This strategy reflects Russia's longstanding efforts to manipulate American opinions, especially as the presidential election approaches. Researchers from Clemson University’s Media Forensics Hub have identified these sites as part of a larger network potentially set up for disinformation campaigns. Despite appearing genuine at first glance, these websites often contain inaccuracies and sometimes blatant falsehoods. The discovery underscores the sophisticated and targeted nature of modern disinformation efforts, posing a significant threat to electoral integrity and public trust.

Swiss government info is leaked on the darknet.  

The National Cyber Security Centre (NCSC) reported a significant data breach at the IT firm Xplain, attributed to the Play ransomware gang on May 23, 2023. Xplain serves key Swiss government departments, including the army and police. The breach exposed sensitive and classified information, including data from the Federal Office of Police and the Federal Office for Customs and Border Security, and the information was subsequently published on the darknet. Analysis revealed 1.3 million files were leaked; 65,000 deemed relevant to the Federal Administration, with the majority relating to the Federal Department of Justice and Police. Personal data, technical documents, classified information, and readable passwords were among the compromised data. The Swiss government has initiated an administrative investigation into the breach, emphasizing the importance of collaborative efforts in managing cybersecurity incidents.

Krebs on Security turns the tables on the Radaris online data broker. 

Krebs on Security takes a closer look at Radaris, a data broker that specializes in selling detailed information on individuals, including addresses, phone numbers, and relatives. Despite its significant online presence, it faces criticism for not allowing easy removal of personal information, resulting in an “F” rating from the Better Business Bureau. The co-founders, Gary Norden (Igor Lybarsky) and his brother Dan (Dmitry Lybarsky), have diverse business interests including Russian-language dating services and ties to a California marketing firm working with a sanctioned Russian media conglomerate. Radaris' practices have drawn legal attention, including a class-action lawsuit for violating the Fair Credit Reporting Act and a recent lawsuit for misusing names for commercial purposes in Illinois. Despite regulatory efforts, the broad legal exemptions for public records may limit significant changes to Radaris and similar people-search companies' operations.

The NSA highlights the fundamentals of Zero Trust. 

The National Security Agency (NSA) issued a Cybersecurity Information Sheet (CSI) that outlines the fundamental elements of Zero Trust, with the goal of limiting adversary lateral movement within an organization’s network to access sensitive data and vital systems.

Sam Meisenberg is the host of N2K Cyberwire’s Learning Layer, and I asked him to explain the details of the NSA’s report, and why it matters. 

The British Library publishes lessons learned from their ransomware attack. 

The British Library has published a detailed report documenting their response to a ransomware cyber-attack in October 2023 by the Rhysida gang. The report outlines the attack's impact, response, recovery efforts, and lessons learned. It highlights the exfiltration of 600GB of data, including personal information, and the destruction of server infrastructure, severely affecting the Library's operations and services. The report outlines the transition from crisis response to recovery with a program they call Rebuild & Renew, aiming for a more secure, resilient, and innovative Library. Key lessons emphasize the importance of network monitoring, external security expertise, multi-factor authentication, intrusion response, network segmentation, business continuity, cyber-risk awareness, and the management of legacy technology.

Researchers run a global prompt hacking competition. 

Researchers from a number of universities and research organizations organized a prompt hacking competition, where the goal was to exploit vulnerabilities in AI models to achieve specific outcomes. Participants engaged in creative prompt engineering, employing various techniques to manipulate the AI's responses.

The winning team's approach combined manual prompt engineering with keen observations of the model's behavior in response to specific keywords and adversarial inputs. 

For advanced levels, participants explored the use of different languages, special characters, and formatting to bypass model restrictions or exploit its processing behavior. This included the strategic use of Unicode representations and changing input languages to influence the model's output.

The competition revealed the creativity and ingenuity required to manipulate AI models effectively. Teams used a mix of manual experimentation, observation, and even automated tools to refine their prompts and achieve the desired outcomes. The challenge of prompt hacking showcased the potential for both exploiting and understanding AI model vulnerabilities, emphasizing the importance of robust model design and the need for ongoing research into AI security and prompt engineering techniques.

CheckPoint looks at Magnet Goblin. 

Researchers at CheckPoint describe the activities of Magnet Goblin, a financially motivated threat actor exploiting 1-day vulnerabilities in systems like Ivanti Connect Secure VPN, Magento, Qlik Sense, and possibly Apache ActiveMQ. Magnet Goblin employs custom malware, including a Linux variant of NerbianRAT and MiniNerbian. The report also covers Magnet Goblin's use of compromised Magento servers in its campaigns and the deployment of MiniNerbian to establish footholds. The infrastructure analysis reveals the utilization of multiple tools and suggests potential links to other campaigns and malware, including Cactus Ransomware. The report concludes by emphasizing the challenge of distinguishing unique actors amidst widespread exploitation and underscores the strategic leveraging of vulnerabilities by actors like Magnet Goblin.

Experts highlight the need for psychological safety in cyber security. 

Creating a culture of psychological safety is essential for enhancing cyber resilience, according to security experts participating in a fireside chat at the Ignite on Tour conference in London. BAE Systems' CISO Dr. Mary Haigh, National Gas's CTO Darren Curley, and Palo Alto Networks' CTO Haider Pasha highlighted the importance of fostering open communication across teams to address breaches or vulnerabilities efficiently. Pasha noted the shift towards making cybersecurity a collective responsibility within organizations, a change driven by the recent prioritization of security due to digitalization's risks. Dr. Haigh stressed the necessity of a culture where staff can report incidents without fear of blame, underscoring the importance of leadership in nurturing an environment where raising concerns is encouraged. This approach is vital as cyber attacks become quicker and costlier, with potential legal repercussions for CISOs. The discussion also covered the dire consequences of security incidents in critical infrastructure, emphasizing the need for trust and accountability to improve a company's security stance.

Coming up and in celebration of International Women’s Day, we’ve got my conversation with Dinah Davis. Dinah is the Founder and Editor-In-Chief of Code Like A Girl. We discuss the work they do to inspire young women to consider a career in technology.


The I-Soon leak reveals the seedy underbelly of Chinese cyber operations. 

And finally, the recent leak of documents from I-Soon, a private contractor with ties to China's government, has exposed the underbelly of the country's hacking industry, revealing a world where sex, alcohol, and lavish dinners are tools of the trade to curry favor with government officials. Executives at I-Soon were seen arranging opulent banquets and karaoke sessions with women as part of their strategy to secure lucrative contracts, showcasing a blatant mix of business and pleasure aimed at winning over clients and officials. The documents also reveal instances of paying substantial "introduction fees" to intermediaries who could connect them with high-value projects, emphasizing the lengths to which these companies will go to maintain and expand their influence.

Behind the facade of slick marketing and professed patriotism, the reality of the hacking industry in China is one of competitive maneuvering and questionable ethics. The leaked chats detail late-night binge drinking and gift exchanges designed to solidify relationships with both officials and competitors, highlighting the importance of personal connections over professional merit.

This leak not only casts a shadow over the Chinese hacking industry's practices but also exposes the complex relationship between private contractors like I-Soon and the Chinese state. Despite their reliance on each other, the industry's reliance on unsavory methods to secure contracts and intelligence paints a troubling picture of the lengths to which these entities will go to advance their interests.

So, winning those lucrative contracts with the Chinese government might require sophisticated algorithms and stealthy cyber tactics, but at the end of the day, liquor is quicker.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.