CISA’s news trifecta.

A roundup of news out of CISA. California reveals data brokers selling the sensitive information of minors. Permiso Security shares an open-source cloud intrusion detection tool. Darktrace highlights a campaign exploiting DropBox. EU's Cyber Solidarity Act forges ahead. A White House committee urges new economic incentives for securing OT systems. Paysign investigates claims of a data breach.  Our guest is Alex Cox, Director Threat Intelligence, Mitigation, and Escalation at LastPass, to discuss what to expect after LockBit. And Axios highlights the clowns and fools behind ransomware attacks. 

Today is March 11th, 2024. I’m Dave Bittner. And this is your N2K CyberWire Intel Briefing.

A roundup of news out of CISA. 

Last month, the Cybersecurity and Infrastructure Security Agency (CISA) discovered it had been hacked, leading to the shutdown of two key computer systems. These systems were instrumental in sharing cyber and physical security tools among various government levels and for assessing chemical facility security. Despite the breach, CISA reported no operational impact, emphasizing their ongoing efforts to modernize and enhance system security. The incident exploited vulnerabilities in virtual private networking software by Ivanti, which had been previously identified — by CISA — as a risk. This breach, suspected to be linked to a Chinese espionage group, highlights the universal risk of cyber vulnerabilities, even among cybersecurity entities. The irony underscores the importance of prepared incident response plans for all organizations.

Meanwhile, CISA announced steps to enhance open source software (OSS) security, following a summit with OSS community leaders. Initiatives include promoting package repository security principles, enabling better collaboration with OSS infrastructure operators, and publishing materials to aid in vulnerability and incident response improvements. Significant contributions include the Rust Foundation's plans for Public Key Infrastructure on Crates.io, the Python Software Foundation's expansion of PyPI for secure publishing, and enhanced security measures by Packagist, Composer, npm, and Maven Central. These actions involve implementing multi-factor authentication, digital attestations, and security audits, aiming to secure critical infrastructure reliant on OSS. CISA Director Jen Easterly emphasized the importance of these efforts in partnership with the OSS community to bolster the ecosystem's security.

Staying with CISA for just a bit longer, the U.S. Government Accountability Office (GAO) reviewed CISA's 13 operational technology (OT) cybersecurity products and services, revealing positive feedback from 12 out of 13 non-federal entities. Challenges were noted, including difficulties experienced by seven entities such as the DOD's Defense Cyber Crime Center and the Department of Energy’s Office of Cybersecurity. Key issues included delays in vulnerability reporting and insufficient CISA staff with OT skills. Despite these challenges, positive experiences with CISA's advisories, tools, and training were highlighted. GAO recommends CISA improve customer service measurement and workforce planning for its OT services. CISA, recognizing these challenges, has initiatives like the Industrial Control Systems working group to enhance OT security. DHS has concurred with GAO's recommendations, indicating plans for implementation to bolster OT cybersecurity collaboration and services.

California reveals data brokers selling the sensitive information of minors. 

A report out of California reveals that out of 480 data brokers registered with the California Privacy Protection Agency, 24 sell data on minors, 79 trade in precise geolocation, and 25 deal in reproductive health information. This disclosure, mandated by California's DELETE Act, highlights the trade in sensitive personal data. The DELETE Act becomes effective in 2026, and will allow consumers to request the deletion of their personal data with ease. Experts criticize the current system's failure to protect children's privacy, noting that federal laws like COPPA are inadequate. The Act also introduces penalties for non-registration and mandates periodic audits of data brokers to ensure compliance, aiming to enhance consumer privacy and data protection.

Permiso Security shares an open-source cloud intrusion detection tool. 

Permiso Security has introduced CloudGrappler, an open-source tool designed to enhance the detection of cloud environment intrusions by APTs. Leveraging Cado Security's cloudgrep tool, CloudGrappler supports searches in AWS, Azure, and Google Cloud Storage, focusing on the TTPs of major threat actors. It provides a granular analysis of security incidents, helping to quickly identify anomalies. The tool includes a data_sources.json file for scan scope definition and a queries.json file with predefined and customizable TTPs. Upon completion, CloudGrappler generates a detailed JSON report of findings, aiding security teams in prompt response. 

Darktrace highlights a campaign exploiting DropBox.  

Security firm Darktrace has identified a sophisticated phishing and Malspam campaign exploiting Dropbox to target SaaS platform users. This new attack bypasses multi-factor authentication (MFA), encouraging recipients to download malware and compromise their login details. Attackers send emails from legitimate Dropbox addresses containing malicious links. A specific instance on January 25, 2024, involved an email to 16 Darktrace SaaS users, leading to a PDF hosted on Dropbox with a link to a fake Microsoft 365 login page, aiming to harvest credentials. Despite Darktrace's security measures, the campaign saw some success, with suspicious SaaS activity observed, including logins from unusual locations via VPNs. This incident underscores the sophistication of phishing attacks and the challenge of securing SaaS environments against credential theft, even with MFA in place.

EU's Cyber Solidarity Act forges ahead. 

The EU's Cyber Solidarity Act, a proposal introduced to bolster cyber resilience, received preliminary approval on March 5th, marking a significant legislative development. This act outlines measures to enhance EU-wide cyber defense capabilities. Key features include establishing a European Cybersecurity Alert System, powered by AI and analytics, for swift threat communication; a Cybersecurity Emergency Mechanism for preparedness testing in critical sectors, and a EU Cybersecurity Reserve offering incident response services. Additionally, it provides for financial support for mutual assistance in cyber incidents, encouraging collaboration among member states during severe attacks. Thierry Breton, EU Commissioner for Internal Markets, emphasized its critical role in establishing a "European cyber shield" for quicker threat detection and collective support mechanisms. Pending formal approval, the act envisions stronger EU-level cyber cooperation and mandates for critical infrastructure on preparedness testing, enhancing security for citizens.

A White House committee urges new economic incentives for securing OT systems. 

The National Security Telecommunications Advisory Committee, made up of representatives from the nation’s largest telecommunications companies as well as cybersecurity firms, urges the federal government to introduce economic incentives and new liability protections to boost cybersecurity in critical infrastructure. Recognizing that market forces alone are inadequate for encouraging essential cybersecurity investments, the committee suggests tax deductions, federal grants, and a nationwide educational push on available federal cybersecurity services like those from CISA, NSA, and NIST. Additionally, it calls for clear liability protections to facilitate freer information sharing on cyber threats. The recommendations aim to bridge the cybersecurity investment gap and simplify the complex cyber regulatory landscape, enhancing the protection of national security against heightened threats, as exemplified by the Chinese government-linked hacking group Volt Typhoon's activities in American infrastructure.

Paysign investigates claims of a data breach. 

Financial services firm Paysign is probing allegations of a data breach after a hacker purportedly offered to sell a database with millions of consumer records tied to the company. Despite these reports, Paysign says there's been no disruption to their services, allowing cardholders to continue using their accounts. The company is known for its prepaid card programs and digital banking services, and recently partnered with Mastercard for product development. A hacker named "emo" claimed to have stolen over 1.2 million records, including sensitive customer information, asserting the breach happened recently. 

Joining me today is Alex Cox, Director, Threat Intelligence, Mitigation, Escalation (TIME) at LastPass. Alex shares thoughts on what to expect after LockBit.

 

Axios highlights the clowns and fools behind ransomware attacks. 

And finally, experts argue that many hackers behind ransomware attacks are driven more by ego and a lack of impulse control rather than being organized criminal masterminds, Axios reports. This perception challenges the common belief among victim organizations that they are dealing with highly organized groups. Former FBI agent James Turgal highlighted the self-centered and egotistical nature of these cybercriminals, noting a lack of honor among thieves. Recent incidents, such as the ransomware attack on Change Healthcare and the subsequent implosion of the ransomware gang ALPHV over disputed ransom payments, underscore the internal conflicts and scams within these groups. The ransomware-as-a-service model has made entry-level hackers more valuable, facilitating their participation in cybercrime without needing advanced skills. This has led to frequent in-fighting and scams, even as victims often overestimate the sophistication of their adversaries.

It’s a point well-taken. How many times has an organization's breathless initial reporting on a cyber incident included something along the lines of, “We are dealing with sophisticated nation-state threat actors, and we feel there’s very little anyone could have done to protect themselves against an organization with these sorts of limitless resources.” 

And to be fair, sometimes that is indeed the case. But it’s also sometimes the case that, turns out, that sophisticated threat actor is just some kid with too much time on their hands and an overactive sense of curiosity. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

 

We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.

 

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.