The CyberWire Daily Podcast 7.25.24
Ep 2115 | 7.25.24

Playing doctor with cyberattacks.

Transcript

A North Korean hacking group targets healthcare, energy and finance. Leaked Leidos documents surface on the dark web. A Middle Eastern financial institution suffered a record-breaking DDoS attack. The latest tally on the fallout from the Crowdstrike outage. A cybersecurity audit of HHS reveals significant cloud security gaps. Docker patches a critical vulnerability for the second time. Google announced enhanced protections for Chrome users. In our latest Threat Vector segment, David Moulton speaks with Sama Manchanda, a Consultant at Unit 42, to explore the evolving landscape of social engineering attacks. If you’re heading to Paris for the Summer Olympics, smile for the AI cameras.

Today is Thursday July 25th 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

A North Korean hacking group targets healthcare, energy and finance. 

A report from Mandiant reveals that the North Korean hacking group Andariel, previously known for attacks on government and critical infrastructure, is now targeting healthcare, energy, and financial sectors. This group, linked to the DPRK's Reconnaissance General Bureau, has been sanctioned by the U.S. Treasury. Known for sophisticated cyber operations, Andariel employs advanced tools to evade detection and maximize impact. Mandiant, part of Google, tracks Andariel's espionage efforts, including targeting nuclear facilities and defense systems. Now designated as APT45, Andariel has expanded to financially motivated operations, including ransomware. Since at least 2009, Andariel has operated under various codenames and is linked to the infamous Lazarus group. North Korea uses these cyberattacks to fund weapons development and boost its economy. The group's activities have broadened since a suspected COVID-19 outbreak in North Korea, now encompassing the healthcare sector. Mandiant warns that Andariel can swiftly shift its focus to new targets.

Leaked Leidos documents surface on the dark web. 

After a recent security breach, internal documents from Leidos Holdings, an IT services provider for the Department of Defense and other US agencies, surfaced on the dark web. 

The breach traces back to a 2022 cyberattack on Diligent Corporation, a governance software provider used by Leidos. Despite the attack occurring two years ago, Leidos only became aware of the circulating documents recently. Following this revelation, Leidos issued all necessary breach notifications.

Most of the leaked information pertains to internal corporate matters, such as employee reviews and complaints, rather than any militarily sensitive data. This incident has drawn attention to Leidos, one of the defense industry's largest IT service providers after its merger with Lockheed Martin's Information Systems & Global Solutions in 2016.

Based in Reston, Virginia, Leidos employs about 47,000 people and reported $15.4 billion in revenue for 2023. 

A Middle Eastern financial institution suffered a record-breaking DDoS attack. 

A Middle Eastern financial institution suffered a record-breaking six-day Distributed Denial of Service (DDoS) attack by the hacktivist group SN_BLACKMETA. This prolonged assault, consisting of ten waves and totaling 100 hours of attack time, demonstrated the growing sophistication of cyber threats. The attack peaked at 14.7 million malicious requests per second, significantly disrupting the institution's web services. Radware’s Web DDoS Protection Services mitigated the impact, blocking over 1.25 trillion malicious requests. SN_BLACKMETA, known for ideologically driven attacks, announced the assault on Telegram. Their tactics include targeting critical infrastructure and leveraging public support through transparency. 

The latest tally on the fallout from the Crowdstrike outage. 

CrowdStrike warns organizations about a fake recovery manual for Windows devices impacted by a Falcon platform update outage, which spreads Daolpu information-stealing malware. Attackers used phishing emails with a malicious Word attachment mimicking Microsoft's support bulletin. When enabled, the attachment's macros download a DLL file, decoded by Windows certutil, allowing Daolpu to exfiltrate browser-stored credentials and cookies. CrowdStrike provided a YARA rule and indicators of compromise. BleepingComputer suggests Daolpu may originate from Vietnam.
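The delivery chain described above (Office macro, certutil decode, DLL load) can be hunted for in process-creation telemetry. The following is an added example, not CrowdStrike's YARA rule or any vendor detection; the key=value event format, field names and log lines are constructed for illustration.

```python
"""Hunt for the Daolpu-style chain: Office app -> certutil -decode -> rundll32.

Added example with constructed Sysmon-like process-creation events;
field names (ts, parent, image, cmdline) are assumptions.
"""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SUSPICIOUS_SWITCH = re.compile(r"-(decode|decodehex|urlcache)\b", re.IGNORECASE)
# Captures the output file of "certutil -decode <in> <out>".
DECODE_OUT = re.compile(r"-decode(?:hex)?\s+\S+\s+(\S+)", re.IGNORECASE)
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Constructed sample events: one malicious chain and two benign lookalikes.
SAMPLE_EVENTS = [
    'ts=2024-07-22T10:01:14Z parent=winword.exe image=certutil.exe '
    'cmdline="certutil -decode C:\\Temp\\blob.txt C:\\Temp\\s.dll"',
    'ts=2024-07-22T10:01:20Z parent=winword.exe image=rundll32.exe '
    'cmdline="rundll32.exe C:\\Temp\\s.dll,Entry"',
    'ts=2024-07-22T10:03:02Z parent=cmd.exe image=certutil.exe '
    'cmdline="certutil -verify corp.cer"',
    'ts=2024-07-22T10:05:45Z parent=explorer.exe image=winword.exe '
    'cmdline="WINWORD.EXE recovery-manual.docm"',
]

def parse_event(line):
    """Turn a key=value line into a dict; quoted values keep their spaces."""
    return {k: (q if raw.startswith('"') else raw)
            for k, raw, q in FIELD_RE.findall(line)}

def is_office_spawned_certutil(ev):
    """Office parent launching certutil with a decode/download switch."""
    return (ev.get("parent", "").lower() in OFFICE_PARENTS
            and ev.get("image", "").lower() == "certutil.exe"
            and SUSPICIOUS_SWITCH.search(ev.get("cmdline", "")) is not None)

def hunt(lines):
    """Return (timestamp, reason) pairs; correlates decoded DLL with later loads."""
    hits, decoded_paths = [], set()
    for ev in map(parse_event, lines):
        cmd = ev.get("cmdline", "")
        if is_office_spawned_certutil(ev):
            hits.append((ev["ts"], "office->certutil decode"))
            m = DECODE_OUT.search(cmd)
            if m:
                decoded_paths.add(m.group(1).lower())
        elif ev.get("image", "").lower() == "rundll32.exe":
            if any(p in cmd.lower() for p in decoded_paths):
                hits.append((ev["ts"], "decoded DLL loaded by rundll32"))
    return hits

if __name__ == "__main__":
    for ts, why in hunt(SAMPLE_EVENTS):
        print(ts, why)
```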

According to cloud monitoring, modeling and insurance services provider Parametrix, the July 19 Microsoft-CrowdStrike outage resulted in a direct financial loss of approximately $5.4 billion for Fortune 500 companies, with an average loss of $44 million per organization, rising to $150 million for the most affected, such as airlines. Parametrix reported that only 10%-20% of these losses are covered by cyber insurance. The healthcare sector faced the largest loss at $1.94 billion, followed by banking at $1.15 billion. The incident impacted a quarter of Fortune 500 companies, including all six major airlines and 43% of retailers. Observers say this highlights the need for better risk diversification and management in the face of systemic cyber events.

A cybersecurity audit of HHS reveals significant cloud security gaps. 

A cybersecurity audit of the Department of Health and Human Services’ Office of the Secretary (HHS OS) revealed significant cloud security gaps, exposing sensitive data to potential cyberattacks. Conducted in mid-2022 by the HHS Office of the Inspector General and BreakPoint Labs, the audit included penetration testing and phishing simulations. It found that over 30% of HHS systems were cloud-based, with vulnerabilities like lack of multifactor authentication and poor access controls. Twelve specific security gaps were identified, with the most critical involving network access. Despite some positive outcomes from phishing simulations, the audit highlighted severe risks to HHS OS's cloud systems, emphasizing the need for improved security measures. This report, publicly released this week, comes amid increasing cyber threats to healthcare and government systems, prompting initiatives to bolster defenses.

As a side note, it's puzzling that the audit report on HHS's cloud security, conducted in mid-2022, has taken two years to be released. In the rapidly evolving field of cybersecurity, such a delay undermines the relevance of the findings and recommendations. Cyber threats and vulnerabilities can change drastically in just months, so audit results need to be timely if they are to support effective remediation and adaptation to current risks.

Docker patches a critical vulnerability for the second time. 

Docker has urged users to patch a critical vulnerability, CVE-2024-41110, affecting certain Docker Engine versions, which allows privilege escalation via specially crafted API requests. The flaw was discovered in 2018 and initially fixed in Docker Engine v18.09.1, but the patch was not carried forward into later versions, resulting in a regression. The flaw allows attackers to bypass authorization plugins (AuthZ) and execute unauthorized commands. Although the exploitability is low, Docker recommends updating to the latest version or restricting API access if updating isn't possible.

Google announced enhanced protections for Chrome users. 

Google announced enhanced protections for Chrome users against malicious file downloads. Since last year, Chrome has provided AI-powered warnings for potentially harmful files, featuring distinct icons, colors, and text to help users make informed decisions. These warnings have reduced the number of bypassed alerts and increased user compliance. Google now performs automatic deep scans on suspicious files for users in the Enhanced Protection mode, which has proven effective in detecting new malware. For password-protected encrypted archives, Enhanced Protection users are prompted to send the file and password to Safe Browsing, while Standard Protection users receive a password prompt and metadata check. All uploaded data is deleted shortly after scanning to ensure privacy.


Coming up on our Threat Vector segment, Palo Alto Networks’ David Moulton talks with Sama Manchanda about the evolving landscape of social engineering attacks, particularly focusing on vishing and smishing as the election season heats up. 

We’ll be right back. 

Welcome back. You can find out more about Threat Vector in our show notes. 

If you’re heading to Paris for the Summer Olympics, smile for the AI cameras. 

And finally, Matthias Houllier is cofounder of Wintics, one of four French companies to win Olympic contracts to transform Paris's CCTV cameras into a high-tech monitoring tool for the Olympics. "With thousands of cameras, it's impossible for police officers to react to every camera," Houllier says. Wintics first made a splash in 2020 by helping Paris count cyclists with algorithms linked to 200 traffic cameras. Now, they're stepping up to count people in crowds and alert operators when too many hit the deck.

Houllier assures us there's no Big Brother decision-making happening here. "It's just anonymous shapes," he says. His team trained ministry officials on the software, which just raises alerts for the humans to check out. He argues it's a privacy-friendly alternative to facial recognition, saying, "We're not analyzing personal data. No faces, no license plates, no behavioral analytics."

Privacy activists, however, are not buying it. Noémie Levain, a staunch defender of civil liberties, is on a mission with 6,000 posters to warn Parisians about "algorithmic surveillance." She contends that analyzing images of people inherently involves personal data, likening it to facial recognition tech.

Levain fears these surveillance systems will linger long after the Olympians have left. "This technology will reproduce the stereotypes of the police," she says, arguing that it will amplify discriminatory practices. As Parisians brace for the Olympic invasion, many, like Levain, plan to escape to the south, dreading the post-Games surveillance city they'll return to. "The Olympics is an excuse," she asserts. "The government, companies, and police are already thinking about after."

It’s the age-old tension between security and privacy, gold-medal edition.
For me, I'll be watching the Games on TV, and hoping the river stays clean enough that they can run the triathlon.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.