The CyberWire Daily Podcast 4.19.24
Ep 2050 | 4.19.24

Swift responses to cyberattacks.

Transcript

Two swift responses to recent cyberattacks. Frontier Communications discloses cyberattack. Texas town repels water system cyberattack by unplugging. List of undesirables falls into the wrong hands. CryptoChameleon phishing kit impersonates LastPass. Ransomware payments trending down in Q1 2024 and a warning for small to medium-sized businesses. US auto manufacturers targeted by FIN7. Akira ransomware has made $42 million since March 2023. No more WhatsApp or Threads in China. Concerning drop in US cybersecurity job listings. Our guest is Zscaler’s Chief Security Officer Deepen Desai exploring encrypted attacks amidst the AI revolution. Meghan Markle hacked by Kate supporters.

Today is April 19th, 2024. I’m Tré Hester on the mic for Dave Bittner today. And this is your CyberWire Intel Briefing.

We begin today with two swift responses to recent cyberattacks. Under the recent SEC ruling, public companies must disclose cybersecurity incidents within four business days of determining that the incident is material. Our first story follows that ruling.

Frontier Communications discloses cyberattack.

US telecom provider Frontier Communications disclosed in an SEC filing yesterday that the company sustained a cyberattack on Sunday, Dark Reading reports. The attack resulted in the theft of personally identifiable information and caused the company to shut down some of its systems. The nature of the attack wasn't disclosed, but SecurityWeek notes that Frontier's response to the incident suggests that ransomware was involved. Frontier says it believes "the third party was likely a cybercrime group."

The company added, "As of the date of this filing, the Company believes it has contained the incident and has restored its core information technology environment and is in the process of restoring normal business operations."

Texas town repels water system cyberattack by unplugging. 

In the face of a cyberattack reportedly linked to Russia that targeted the water system of a small Texan city, one notable action taken was the decision to physically unplug computers from the network. This move, while seemingly simple, played a crucial role in mitigating the impact of the attack and preventing further infiltration into the city's critical infrastructure. 

List of undesirables falls into the wrong hands. 

Cybercriminals are leveraging ransomware to threaten the release of sensitive data stolen from global companies unless a ransom is paid. The World-Check list is a database of information on individuals such as terrorists, money launderers, and others with nefarious dealings. It's used by companies during Know Your Customer (KYC) checks, for example by financial institutions seeking to verify that their clients are who they claim to be. This is the second time the World-Check list has fallen into criminal hands.

CryptoChameleon phishing kit impersonates LastPass.

LastPass warns that the CryptoChameleon phishing kit is offering LastPass branding in an attempt to gain access to users' password vaults, BleepingComputer reports. According to LastPass, the scam proceeds as follows:

"The customer receives a call from an 888 number claiming their LastPass account has been accessed from a new device and instructing them to press '1' to allow the access or '2' to block it.  

"If the recipient presses '2', they are told they will receive a call shortly from a customer representative to 'close the ticket.'  

"The recipient then receives a second call from a spoofed phone number and the caller identifies themself as a LastPass employee. This individual typically has an American accent. The caller will send the recipient an email they claim will allow them to reset access to their account. This will actually be a phishing email with a shortened URL that will send them to the 'help-lastpass[.]com' site designed to steal the user’s credentials."

The phishing site used in this campaign has since been taken down, but the scammers can easily shift to a new domain. LastPass says users should be wary of suspicious calls, texts, or emails.

Ransomware payments trending down in Q1 2024 and a warning for small to medium-sized businesses. 

Incident response firm Coveware reports that “In Q1 2024, the proportion of victims that chose to pay touched a new record low of 28%.” Victim organizations are increasingly able to withstand an encryption attack and restore operations without the need for a decryption key, they said, and the stolen data is often leaked or traded even after the victims have paid the ransom, which repeatedly proves that paying up is no guarantee. The report noted that the average ransomware payment continues the downward trend: in Q4 2023 it was $568,705, and in Q1 2024 it fell to $381,980. They noted attackers are turning to SMBs where the ransom demands are small and most attacks are likely to go undetected and unreported. 

US auto manufacturers targeted by FIN7.

According to the Record, the prominent cybercrime group FIN7 allegedly targeted a large automotive manufacturer based in the United States late last year. BlackBerry researchers tracked a spearphishing campaign by FIN7 in which members of the purportedly Russia-based group “identified employees at the company who worked in the IT department and had higher levels of administrative rights.” BlackBerry said they “found evidence that this attack was part of a wider campaign by FIN7.”

Akira ransomware has made $42 million since March 2023.

The US Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), Europol’s European Cybercrime Centre (EC3), and the Netherlands’ National Cyber Security Centre (NCSC-NL) have published a joint advisory on the Akira ransomware gang, noting that Akira operators have raked in $42 million from 250 victims since March 2023.

The advisory adds, "Based on trusted third party investigations, Akira threat actors have been observed deploying two distinct ransomware variants against different system architectures within the same compromise event. This marks a shift from recently reported Akira ransomware activity."

No more WhatsApp or Threads in China.

Apple has removed Meta’s WhatsApp and Threads apps from its China App Store, adding to the list of Western social media platforms inaccessible in the country. This move highlights China's stringent censorship policies and its control over digital communication platforms. Apple stated, “The Cyberspace Administration of China ordered the removal of these apps from the China storefront based on their national security concerns.”

Concerning drop in US cybersecurity job listings.

According to a study by CyberSN, the overall number of cybersecurity job postings in the US decreased by 22% from 2022 to 2023. This trend poses significant challenges for organizations in addressing cybersecurity threats effectively. Cybersecurity professionals must take proactive measures to address this shortage, including upskilling and reskilling efforts to meet evolving industry demands. Additionally, organizations should prioritize investing in talent development and retention strategies to attract and retain skilled cybersecurity professionals. By addressing the root causes of the cybersecurity skills gap and promoting a culture of continuous learning and development, the US can better prepare itself to defend against evolving cyber threats and safeguard critical digital infrastructure.

Coming up next, we’ve got Zscaler’s Chief Security Officer Deepen Desai talking about encrypted attacks amidst the AI revolution. We’ll be right back.

Welcome back.

Meghan Markle was hacked by Kate supporters. 

Straight from the UK desk here at N2K, correspondent Alice Carruth shared news of Meghan Markle’s new lifestyle website, American Riviera Orchard, which was released in March, and how it faced a cyber hijack by an anonymous user sympathetic to Princess Kate’s recent cancer diagnosis. The anonymous royal enthusiast, with a flair for mischief, hijacked the site, sending visitors on a detour to a UK foodbank charity. Though not affiliated with the charity, the hijacker aimed to raise funds for The Trussell Trust. Meanwhile, Meghan’s original website, still under construction, directs users to an Instagram page, signaling future product launches ranging from makeup to household goods. Despite the digital detour, she shared her debut product, a jar of strawberry jam, while garnering buzz among friends and influencers, signaling an exciting venture ahead. We want to thank N2K UK correspondent Alice Carruth for sharing this story and reminding us that even in the digital age, surprises can lead to sweet success.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

Be sure to check out Research Saturday this weekend, where Dave sits down with Greg Lesnewich, a senior threat researcher at Proofpoint, as they discuss the research "From Social Engineering to DMARC Abuse: TA427’s Art of Information Gathering."

We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.