The CyberWire Daily Podcast 6.24.24
Ep 2094 | 6.24.24

The claim heard ‘round the world.

Transcript

LockBit claims to have hit the Federal Reserve. CDK Global negotiates with BlackSuit to unlock car dealerships across the U.S. Treasury proposes a rule to restrict tech investments in China. An LA school district confirms a Snowflake related data breach. Rafel RAT hits outdated Android devices. The UK’s largest plutonium stockpiler pleads guilty to criminal charges of inadequate cybersecurity. Clearview AI settles privacy violations in a deal that could exceed fifty million dollars. North Korean hackers target aerospace and defense firms. Rick Howard previews CSOP Live. Our guest is Christie Terrill, CISO at Bishop Fox, discussing how organizations can best leverage offensive security tactics. Bug hunting gets a little too real.

Today is Monday June 24th 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

LockBit claims to have hit the Federal Reserve.

The Lockbit ransomware group claimed to have breached the US Federal Reserve, stealing 33 TB of sensitive data, including Americans' banking information. They added the Federal Reserve to their Tor data leak site and threatened to release the data on June 25, 2024. No sample data has been published yet.

LockBit's announcement detailed the Federal Reserve's role in managing money distribution across twelve banking districts in cities like New York, Chicago, and San Francisco. They mocked the negotiator handling the situation, calling them a “clinical idiot” and demanding a replacement within 48 hours.

Experts are skeptical, suspecting the announcement may be a ploy for attention, given the Federal Reserve's high-profile status. If true, a breach of this magnitude could have significant consequences.

The Federal Reserve has yet to comment, and of course there’s a good chance this is nothing more than bluster and bravado from the LockBit gang.

Help Net Security commented on the recent string of threat actors making false claims. Hackers sell fake data primarily for financial gain, similar to peddling fake jewelry. Other motives include gaining notoriety, creating distractions, damaging reputations, manipulating stock prices, and uncovering security processes. For instance, in March 2024, a Russian hacking group falsely claimed to hack Epic Games to gain visibility. Similarly, false breach claims, like the one against Sony in September 2023, can harm reputations despite being untrue.

Hackers can use tools like ChatGPT to generate convincing fake data. Organizations can combat fake breaches by monitoring the dark web, analyzing leaked datasets, preparing their workforce, keeping communication teams ready, deploying canary tokens, and using integrated security models like SASE to detect and block breaches in real-time.

CDK Global negotiates with BlackSuit to unlock car dealerships across the U.S.

Car dealerships across North America were thrown into chaos after CDK Global suffered a massive IT outage caused by the BlackSuit ransomware gang. This disruption forced dealerships to revert to pen and paper for operations, impacting sales, inventory, and customer service. Major dealership groups like Penske Automotive and Sonic Automotive reported significant disruptions and implemented manual workarounds.

The BlackSuit ransomware gang is behind the attack, according to anonymous sources. CDK Global is negotiating with the gang to obtain a decryptor and prevent data leaks. The attack forced CDK to shut down its IT systems twice to contain the damage.

BlackSuit, which emerged in May 2023, is believed to be a rebrand of the Royal ransomware operation. The FBI and CISA have linked them to over 350 attacks and $275 million in ransom demands since September 2022. CDK also warned of threat actors posing as its agents to gain unauthorized access.

Treasury proposes a rule to restrict tech investments in China.

The Treasury Department proposed a rule to restrict and monitor U.S. investments in China for AI, computer chips, and quantum computing, based on President Biden’s August 2023 executive order. This aims to prevent "countries of concern," including China, Hong Kong, and Macau, from enhancing their military and cyber capabilities with U.S. funds.

The rule requires U.S. citizens and residents to report transactions in these areas and prohibits funding AI systems for military applications in China. Biden also imposed tariffs on Chinese electric vehicles, highlighting political efforts to counter China. Treasury seeks public comments on the proposal until August 4, 2024, with a final rule expected afterward. Despite rising tensions, officials assert no intent to "decouple" from China.

An LA school district confirms a Snowflake-related data breach.

The Los Angeles Unified School District (LAUSD) confirmed a data breach after threat actors accessed its Snowflake account, stealing student and employee information. Snowflake is a cloud database platform used globally. Hackers began selling data from several companies, including LAUSD, on hacker forums.

A joint investigation by Snowflake, Mandiant, and CrowdStrike revealed that the threat actor, UNC5537, exploited stolen credentials from organizations without multi-factor authentication, downloaded their data, and attempted extortion.

On June 18, the hacker "Sp1d3r" listed LAUSD data for $150,000. Another hacker, "Satanic," had earlier sold different LAUSD data. LAUSD is working with the FBI and CISA to investigate. Students, teachers, and staff should stay vigilant against potential phishing attacks using this leaked data.

Rafel RAT hits outdated Android devices.

The open-source Android malware 'Rafel RAT' is being widely used by cybercriminals to attack outdated devices, often deploying a ransomware module demanding payment via Telegram. Researchers at Check Point detected over 120 campaigns using Rafel RAT, including campaigns by known threat actors like APT-C-35 and others originating from Iran and Pakistan.

High-profile organizations in the government and military sectors, mainly in the U.S., China, and Indonesia, are among the targets. Most victims run Android versions 11 or older, which are no longer receiving security updates.

Rafel RAT spreads through fake apps mimicking popular brands and requests risky permissions during installation. It supports various commands, including ransomware and device lock. To defend against these attacks, avoid dubious APK downloads, avoid clicking on suspicious URLs, and use Play Protect.

The UK’s largest plutonium stockpiler pleads guilty to criminal charges of inadequate cybersecurity.

Sellafield Limited, managing the world's largest plutonium stockpile, has pleaded guilty to all charges related to cybersecurity failings from 2019 to 2023. The UK’s Office for Nuclear Regulation confirmed the plea and stated there was no evidence of exploitation or hacking. A sentencing hearing is set for August 8.

The charges involve not adequately protecting sensitive IT network information, though public safety was reportedly not compromised. Despite past media claims of Russian and Chinese hacker intrusions dating back to 2015, Sellafield asserts these issues only emerged when external staff accessed its servers and reported vulnerabilities. Sellafield’s cybersecurity is now described as "robust" by its lawyers.

Clearview AI settles privacy violations in a deal that could exceed fifty million dollars.

Clearview AI settled an Illinois lawsuit alleging privacy violations from its photo database, in a deal potentially exceeding $50 million. The settlement offers plaintiffs a share of the company's future value, with $20 million allocated for attorney fees. Preliminary approval was granted by Judge Sharon Johnson Coleman.

The lawsuit, consolidating cases nationwide, claimed Clearview violated privacy by scraping photos from the internet. Clearview previously settled a 2022 Illinois case, stopping sales to private entities but allowing work with law enforcement.

Clearview denies liability in the current settlement. The agreement, facilitated by mediator Wayne Andersen, acknowledges Clearview's lack of funds for a larger payout. Privacy advocates criticized the deal for not stopping Clearview’s practices. A campaign will notify eligible U.S. plaintiffs with data in Clearview's database from July 2017 onward.

North Korean hackers target aerospace and defense firms.

Researchers from CyberArmor have uncovered a sophisticated malware campaign, "Niki," likely linked to North Korean hackers targeting aerospace and defense firms. This campaign uses job description lures to deliver a multi-stage attack, installing a powerful backdoor that provides remote access and data exfiltration capabilities. Indicators point to the Kimsuky group as the culprit. The backdoor employs advanced obfuscation techniques to evade detection.

We’ll be right back

Welcome back

Bug hunting gets a little too real.

Imagine finding a bug that literally fills your room with bugs. Well, that's exactly what happened with a new exploit researcher Ryan Pickren discovered in visionOS Safari, running on Apple’s Vision Pro headset. This bug allows a malicious website to bypass all warnings and fill your room with animated 3D objects like crawling spiders and screeching bats.

When Apple announced the Vision Pro, they touted its impressive privacy protections. But while exploring the technology, Ryan Pickren found an overlooked loophole in an old 3D model viewing standard. By using Apple’s ARKit Quick Look, he could force Safari to spawn these objects without any user interaction. The kicker? These objects persist even after closing Safari.

The exploit is simple. Using JavaScript to auto-click a hidden link, he could flood the victim's space with 3D models. Imagine hundreds of spiders crawling around your room, with no easy way to get rid of them except by physically tapping each one.

Ryan Pickren reported the bug to Apple, and they assigned it a CVE and paid him a bug bounty.

This discovery highlights the need for a more nuanced approach to vulnerability triaging in the era of spatial computing. As we venture into hyperrealistic mixed reality, our threat models must evolve to consider the deeply personal nature of these devices.

So, next time you find yourself donning the Vision Pro, beware of unexpected visitors. While virtual reality is designed to be immersive, nobody wants their home turned into a digital haunted house filled with virtual bugs and screeching bats. It’s like an episode of Black Mirror, but with more spiders. Happy bug hunting.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.