The CyberWire Daily Podcast 7.15.24
Ep 2107 | 7.15.24

Conspiracy theories in politics.

Transcript

The assassination attempt on former President Trump sparks online disinformation. AT&T pays to have stolen data deleted. Rite Aid recovers from ransomware. A hacktivist group claims to have breached Disney’s Slack. Checkmarx researchers uncover Python packages exfiltrating user data. HardBit ransomware gets upgraded with enhanced obfuscation. Threat actors can weaponize proof-of-concept (PoC) exploits in as little as 22 minutes. Google may be in the market for Wiz. Rick Howard previews his analysis of the MITRE attack framework. Blockchain sleuths follow the money. 

Today is Monday July 15th 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

The assassination attempt on former President Trump sparks online disinformation. 

The shooting of former President Donald Trump at his campaign rally on Saturday quickly turned into a hotbed for conspiracy theories, flooding social media with unverified claims. Despite law enforcement efforts to clarify the situation, the political environment amplified these false narratives.

Investigators identified the shooter and confirmed some details, but conspiracies flourished. Left-leaning accounts suggested a "false flag" operation by Trump's supporters, while some far-right voices accused President Biden of orchestrating the attack. Megan Squire from the Southern Poverty Law Center highlighted how such incidents are often exploited for political agendas.

Right-wing influencers and politicians, like Rep. Mike Collins, insinuated high-level conspiracies, adding fuel to the misinformation fire. Social media posts from various accounts propagated claims of a deep state plot or fabricated scenes. These narratives found fertile ground in a divided political landscape, where consensus on basic facts is increasingly rare. Online bots amplified the noise.

Experts like Graham Brookie of the Atlantic Council urged caution, emphasizing the prevalence of false information during rapidly developing events. Despite these warnings, far-right channels continued to buzz with conspiracy theories and extreme rhetoric, including calls for civil war and blaming various groups like antifa and the "deep state."

Social media platforms struggled to manage the spread of misinformation. Tech executives like Elon Musk speculated publicly, contributing to the confusion. Influential accounts pushed unfounded claims about the Secret Service's role and internal security policies, further muddling the public discourse.

Amid this chaos, misinformation experts stressed the importance of verifying information before sharing it online. The rapid spread of false narratives in the wake of Trump's shooting underscored the challenges of maintaining accurate public information in a polarized and digitally-driven society.

AT&T pays to have stolen data deleted. 

Late last week AT&T disclosed a significant data breach involving hackers stealing call records for tens of millions of customers. In an exclusive for Wired, Kim Zetter reports the company paid over $300,000 in bitcoin to a hacker from the ShinyHunters group to delete the stolen data and provide proof of deletion. This payment was confirmed by blockchain tracking tools.

A security researcher who goes by the name Reddington facilitated the negotiation between AT&T and the hackers. The breach involved unsecured Snowflake cloud storage accounts. The stolen AT&T data included call and text metadata but not content or names. Despite payment, some data may still be at risk.

John Erin Binns, believed to be responsible for the breach, was arrested in Turkey for a previous hack on T-Mobile. The breach's delayed disclosure was due to national security concerns.

Rite Aid recovers from ransomware. 

US pharmacy chain Rite Aid recently fell victim to a ransomware attack by the RansomHub group, which claimed to have stolen 10GB of data, including personal information of customers such as names, addresses, and birthdates. Rite Aid announced it has restored its systems with the help of third-party cybersecurity experts and is fully operational again. The company emphasized its commitment to safeguarding personal information and is finalizing its incident response investigation.

RansomHub, emerging in February 2024 and including former ALPHV/BlackCat affiliates, has been involved in several high-profile attacks. It is known for its aggressive tactics, including a second extortion attempt on Change Healthcare. Rite Aid, the third-largest US pharmacy chain, operates over 2,000 locations with revenues exceeding $24 billion.

A hacktivist group claims to have breached Disney’s Slack. 

Hacktivist group NullBulge claims to have breached Disney, leaking 1.1 TiB (1.2 TB) of internal Slack data. The leaked data supposedly includes messages, files, code, and more, involving nearly 10,000 channels and sensitive information like unreleased projects and internal API links. NullBulge announced the breach on Breach Forums and X (formerly Twitter), highlighting their mission to protect artists' rights and ensure fair compensation.

The breach is yet to be verified, but it follows recent cyberattacks on AT&T and Ticketmaster. NullBulge is rumored to be linked to the LockBit ransomware gang. Disney has faced criticism for not paying royalties to artists and writers, with notable figures like Neil Gaiman and Alan Dean Foster speaking out against the company.

Checkmarx researchers uncover Python packages exfiltrating user data. 

Researchers at Checkmarx have discovered an Iraq-based operation using malware hosted on the Python repository PyPI to search for files on victims' devices and exfiltrate them to a Telegram bot. Malicious packages named in the research have been removed from PyPI. These packages contained malicious code in an __init__.py file that targeted files with .py, .php, .zip, .png, .jpg, and .jpeg extensions, sending them to a Telegram bot.

The bot, active since 2022, contains over 90,000 messages mostly in Arabic, and is involved in various criminal activities like spam, login fraud, and data theft. Researchers found the bot's operator maintaining several other bots for different nefarious activities. This attack highlights the persistent threat of supply chain attacks on PyPI, a popular target due to Python's widespread use. Users are advised to employ vulnerability scanners and threat intelligence before using third-party modules.
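As an added defensive illustration (not Checkmarx's tooling and not code from the packages they reported), the Python script below walks an installed-package tree and flags any __init__.py that combines a Telegram Bot API URL, the targeted file extensions, a filesystem enumeration call and an HTTP send, which is the pattern the research describes. The indicator sets, the weights and threshold, and the two sample packages it writes into a temporary directory are all assumptions constructed for this example.

```python
"""Heuristic scan for the PyPI exfiltration pattern described above.
Added example, not Checkmarx's code. Indicator sets, weights and the
sample package contents are constructed for illustration."""
import ast
import os
import tempfile

# Extensions the reported packages targeted, per the research summary.
TARGET_EXTENSIONS = {".py", ".php", ".zip", ".png", ".jpg", ".jpeg"}
TELEGRAM_API_HOST = "api.telegram.org"
# Calls that enumerate the filesystem / send over HTTP (assumed indicator sets).
FILESYSTEM_WALKERS = {"walk", "listdir", "scandir", "glob", "rglob", "iterdir"}
HTTP_SENDERS = {"post", "urlopen", "request"}


def analyze_source(source: str) -> dict:
    """Count exfiltration indicators in one Python source text via its AST."""
    tree = ast.parse(source)
    findings = {"telegram_url": 0, "target_extensions": set(),
                "fs_walk_calls": 0, "http_send_calls": 0}
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            text = node.value.lower()
            if TELEGRAM_API_HOST in text:
                findings["telegram_url"] += 1
            if text in TARGET_EXTENSIONS:
                findings["target_extensions"].add(text)
        elif isinstance(node, ast.Call):
            func = node.func
            name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")
            if name in FILESYSTEM_WALKERS:
                findings["fs_walk_calls"] += 1
            if name in HTTP_SENDERS:
                findings["http_send_calls"] += 1
    return findings


def risk_score(findings: dict) -> int:
    """Weight the indicators; a Telegram bot URL dominates (weights are assumptions)."""
    score = 0
    if findings["telegram_url"]:
        score += 3
    if len(findings["target_extensions"]) >= 3:
        score += 2
    if findings["fs_walk_calls"]:
        score += 1
    if findings["http_send_calls"]:
        score += 1
    return score


def scan_package_dir(root: str, threshold: int = 4) -> list:
    """Return (path, score) for every __init__.py under root scoring at or above threshold."""
    flagged = []
    for dirpath, _, filenames in os.walk(root):
        if "__init__.py" not in filenames:
            continue
        path = os.path.join(dirpath, "__init__.py")
        with open(path, encoding="utf-8", errors="replace") as handle:
            try:
                findings = analyze_source(handle.read())
            except SyntaxError:
                continue  # not parseable Python; leave to a separate check
        score = risk_score(findings)
        if score >= threshold:
            flagged.append((path, score))
    return flagged


# Constructed sample: a stub that only carries the indicators and uploads nothing.
SUSPICIOUS_INIT = '''
import os
import requests
BOT_URL = "https://api.telegram.org/bot<TOKEN_PLACEHOLDER>/sendDocument"
WANTED = (".py", ".php", ".zip", ".png", ".jpg", ".jpeg")
def collect(start):
    for d, _, files in os.walk(start):
        for f in files:
            if f.endswith(WANTED):
                pass  # stand-in for the upload step in the real samples
    requests.post(BOT_URL)
'''

# Constructed sample: an ordinary package init that exposes a public API.
BENIGN_INIT = '''
"""Public API for the package."""
from .core import load, dump
__all__ = ["load", "dump"]
'''


def build_sample_tree() -> str:
    """Write both samples into a temporary site-packages-like tree; return its root."""
    root = tempfile.mkdtemp(prefix="pypi-scan-")
    for pkg, body in (("suspicious_pkg", SUSPICIOUS_INIT), ("benign_pkg", BENIGN_INIT)):
        os.makedirs(os.path.join(root, pkg))
        with open(os.path.join(root, pkg, "__init__.py"), "w", encoding="utf-8") as handle:
            handle.write(body)
    return root


if __name__ == "__main__":
    for path, score in scan_package_dir(build_sample_tree()):
        print(f"{score}\t{path}")
```

Run it against a real site-packages directory by passing that path to scan_package_dir; the AST walk means indicators hidden in string concatenation or decoded at runtime are missed, so treat a hit as a prompt for manual review and a miss as no evidence either way.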

HardBit ransomware gets upgraded with enhanced obfuscation. 

Researchers from Cybereason have identified a new version (4.0) of HardBit ransomware featuring advanced obfuscation techniques to avoid detection. Version 4.0 includes Binary Obfuscation Enhancement with passphrase protection, complicating analysis. The ransomware, available in both CLI and GUI formats, uses the Neshta virus for delivery and is a .NET binary obfuscated by a custom packer. HardBit ransomware, first seen in October 2022, does not employ double extortion but threatens further attacks if ransom demands are unmet.

The ransomware deletes Volume Shadow Copy Service (VSS) and alters boot configurations to prevent recovery. It disables Windows Defender Antivirus features and ensures persistence by copying itself to the “Startup” folder, mimicking the svchost.exe file. HardBit shares similarities with LockBit, possibly as a marketing tactic. The initial access method remains unconfirmed, but brute force of open RDP and SMB services is suspected. The attackers use tools like Mimikatz for credential theft and deploy HardBit via a zip file named 111.zip. Version 3.0 and 4.0 also support a wiper mode.

Threat actors can weaponize proof-of-concept (PoC) exploits in as little as 22 minutes. 

According to Cloudflare's 2024 Application Security report, threat actors can weaponize proof-of-concept (PoC) exploits as quickly as 22 minutes after they are made public. The report, covering May 2023 to March 2024, highlights a rise in scanning activity for disclosed CVEs, command injections, and attempts to use available PoCs.

To combat this rapid exploitation, Cloudflare emphasizes using AI to develop quick detection rules, as human response alone is insufficient. The report also notes that 6.8% of daily internet traffic is DDoS attacks, up from 6% the previous year, with spikes reaching 12% during major attacks.

Google may be in the market for Wiz. 

Google is considering a $23 billion acquisition of Wiz, a cloud cybersecurity startup, according to The Wall Street Journal. This potential purchase would be Google's largest ever, nearly double the amount spent on Motorola Mobility in 2012. Wiz, based in New York City, provides security tools and scanners for enterprises, enhancing cloud infrastructure security by normalizing layers across environments to identify and mitigate risks quickly.

Observers speculate this acquisition targets Microsoft, which has faced multiple high-profile security breaches recently. Google Cloud's Thomas Kurian is spearheading the acquisition, which aims to bolster Google's reputation as a secure cloud provider. This follows Google's previous security-focused acquisitions, including a $500 million cloud security startup in 2022 and the $5.4 billion purchase of Mandiant. However, the deal may face regulatory scrutiny under the Biden administration's antitrust actions.

 

Next, Rick joins me to talk about his latest CSO Perspectives episode out today that focuses on the current state of MITRE ATT&CK. 

You can find links to Rick’s full episode and essay in our show notes. If you are not an N2K Pro subscriber, there’s also a link to free sample of the episode. 

Blockchain sleuths follow the money. 

And finally, CDK Global, a top software provider for car dealerships in North America, reportedly forked out a hefty $25 million ransom in Bitcoin to resolve a massive cyberattack. This attack had disrupted operations at over 15,000 dealerships across the U.S.

Blockchain sleuth ZachXBT revealed that the ransom, amounting to 387.367 BTC (about $25 million), was paid on June 22, 2024, to a blockchain address controlled by the BlackSuit ransomware group. CDK didn't handle the transaction directly but enlisted a specialized firm to deal with the demands.

Following the payment, CDK Global's services were swiftly restored. Though the company kept mum about the details, blockchain intelligence platform TRM Labs confirmed the transaction. They noted the funds were later moved to centralized exchanges.

Curiously, CDK Global took a week after the payment to restart services, likely to beef up security and patch vulnerabilities. This incident stands as the largest ransomware payment of 2024, topping Change Healthcare's $22 million payout in March.

CDK Global paid the ransom, but it was the blockchain sleuths who stole the show by following the money. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

And that’s the CyberWire.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

 

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.