The CyberWire Daily Podcast 10.8.24
Ep 2165 | 10.8.24

Key player unmasked in global ransomware takedown.

Transcript

Western authorities I.D. a key member of Evil Corp. A major U.S. water utility suffers a cyberattack. ODNI warns of influence campaigns targeting presidential and congressional races. A California deepfakes law gets blocked. Europol leads a global effort against human trafficking. Trinity ransomware targets the healthcare industry. Qualcomm patches a critical zero-day in its DSP service. ADT discloses a breach of encrypted employee data. North Korean hackers use stealthy PowerShell exploits. On our Threat Vector segment, David Moulton and his guests tackle the pressing challenges of securing Operational Technology (OT) environments. Machine Learning pioneers win the Nobel Prize.

Today is Tuesday, October 8th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Western authorities I.D. a key member of Evil Corp. 

Western authorities have identified Russian national Aleksandr Ryzhenkov as a key member of the Evil Corp cybercrime group and a LockBit affiliate, charging him with using BitPaymer ransomware. This revelation came alongside multiple arrests related to the LockBit scheme, including suspected money launderers in the UK and a LockBit developer in France. A “bulletproof hosting” provider was also arrested in Spain.

Ryzhenkov extorted U.S. businesses by encrypting their data and demanding ransom. Authorities also linked former Russian intelligence officer Eduard Benderskiy to Evil Corp, accusing him of protecting the hackers from internal Russian authorities. In response, the U.S., U.K., and Australia imposed financial sanctions on several individuals and entities linked to these cybercriminals.

LockBit’s operations, while still active, have been significantly weakened following law enforcement seizures of its infrastructure. Officials believe many of LockBit’s affiliates have moved to alternative platforms, as some data leaks on its darknet site are outdated or falsified. The investigation also revealed that LockBit’s system allowed the group to retain victim data despite promising to delete it.

A major U.S. water utility suffers a cyberattack. 

American Water, the largest regulated water utility in the U.S., revealed a cyberattack that led to the temporary suspension of customer billing. The company, serving over 14 million people in 14 states, detected unauthorized activity and took immediate protective measures, including shutting down certain systems. Despite the breach, operations and facilities were unaffected. The company is investigating the attack with law enforcement and assured customers they won’t face late fees while systems are down. American Water operates over 500 systems across 1,700 communities.

ODNI warns of influence campaigns targeting presidential and congressional races. 

One month before the U.S. presidential election, the U.S. intelligence community is monitoring foreign interference from Russia, China, and Iran. The Office of the Director of National Intelligence (ODNI) yesterday warned of influence campaigns targeting both the presidential and congressional races. These efforts aim to undermine trust in the election, particularly if the results are contested. Russia and Iran are focused on shaping voters’ preferences toward specific candidates, with Russia favoring Donald Trump and Iran supporting Kamala Harris. China, while not interfering in the presidential race, is targeting congressional candidates perceived as threats to its interests, especially regarding Taiwan. Russia is also attempting to sway congressional races by encouraging opposition to pro-Ukraine policies. The ODNI is monitoring additional influence operations from other foreign actors, including Cuba.

A California deepfakes law gets blocked. 

A U.S. federal judge has blocked most of California’s new law aimed at restricting election-related deepfakes, citing free speech concerns. The law, signed on Sept. 17, required online platforms to remove or label AI-generated content 120 days before an election. Plaintiff Chris Kohls, who creates political videos using AI, challenged the law, arguing it violated First Amendment rights. U.S. District Judge John A. Mendez agreed, granting a preliminary injunction, stating the law acted as a “blunt tool” that stifled free expression. While Mendez rejected most of the law, he upheld a provision requiring audio-only manipulated content to include periodic audible disclosures. California Governor Gavin Newsom’s office expressed confidence in the regulation, saying it protects elections while preserving free speech, and pointed to similar laws in other states.

Europol leads a global effort against human trafficking. 

Last month, global police forces collaborated in a Europol-led digital operation to identify human trafficking suspects and victims. The EMPACT hackathon involved 27 countries, including 19 EU states and others like the UK, Brazil, and Ukraine. Over four days, 76 experts focused on detecting online trafficking activities involving legal business structures, social networks, cryptocurrency, and gaming platforms. Investigators checked 252 entities, identifying 16 suspected traffickers and 60 potential victims. A dark web discovery revealed traffickers offering victims for sale or hire, with individuals priced between $800 and $60,000. Additionally, the operation targeted exploitation of Ukrainian refugees and uncovered disturbing “e-pimping” schemes. This crime-as-a-service involves online platforms offering courses to men on exploiting women through OnlyFans management. Human trafficking, often digitally enabled, continues to trap victims in forced labor, fraud, and sexual exploitation.

Trinity ransomware targets the healthcare industry. 

A new ransomware strain called Trinity has targeted at least one U.S. healthcare entity, according to the U.S. Department of Health and Human Services (HHS). In an advisory, HHS warned that Trinity poses a significant threat to the healthcare sector, with tactics resembling other ransomware strains like Venus and 2023Lock. First spotted in May 2024, Trinity has already affected seven victims, including healthcare providers in the U.S. and U.K. The ransomware encrypts files and demands payment in cryptocurrency within 24 hours, threatening to leak stolen data. It also scans networks to exploit vulnerabilities and spread. No decryption method is available. Trinity shares similarities in its code and ransom notes with Venus and 2023Lock, suggesting possible collaboration among these threat actors.

Qualcomm patches a critical zero-day in its DSP service. 

Qualcomm has released patches for a critical zero-day vulnerability (CVE-2024-43047) in its Digital Signal Processor (DSP) service, affecting multiple chipsets. The flaw, reported by Google Project Zero and Amnesty International Security Lab, is caused by a use-after-free weakness, leading to memory corruption. Qualcomm warned that the vulnerability has been exploited in targeted attacks. Patches have been provided to OEMs, with recommendations for immediate deployment. Qualcomm also fixed a high-severity issue (CVE-2024-33066) in the WLAN Resource Manager.

ADT discloses a breach of encrypted employee data. 

Home security company ADT revealed in a regulatory filing that a hacker compromised a third-party business partner’s systems, using stolen credentials to access ADT’s network. The hacker exfiltrated encrypted internal employee data, but ADT believes customer information and security systems were not affected. ADT is working with federal law enforcement and has implemented countermeasures, though some disruptions occurred. The breach follows a previous incident in which hackers stole customer order information, attempting to sell it on the dark web in July.

North Korean hackers use stealthy PowerShell exploits.

PowerShell-based malware is a type of fileless malware that exploits PowerShell to execute malicious scripts in memory, helping it evade detection by antivirus solutions. Recently, North Korean hackers, specifically the APT37 group, launched a cyber campaign called “SHROUDED#SLEEP,” targeting Southeast Asian countries, particularly Cambodia. The campaign begins with phishing emails containing malicious zip files disguised as PDFs or Excel documents. These trigger a sophisticated PowerShell-based attack chain that deploys multiple payloads, including a backdoor called “VeilShell,” enabling remote access to compromised systems. The malware uses advanced evasion techniques like extended sleep intervals and AppDomainManager hijacking to maintain stealth. It communicates with command-and-control servers via HTTPS, executing JavaScript to gain persistence. Recommendations to prevent infection include avoiding unsolicited file downloads, monitoring the Windows Registry, and using endpoint logging tools like Sysmon.


We’ve got our Threat Vector segment up next. Host David Moulton and cybersecurity experts Qiang Huang (Pronounced Chung Hwang), Palo Alto Networks VP of Product Management for Cloud Delivered Security Services, and Michela Menting (Pronounced Mick-A-la menting), Senior Research Director in Digital Security at ABI Research, discuss the pressing challenges of securing Operational Technology (OT) environments. 

We’ll be right back.

Welcome back.

Machine Learning pioneers win the Nobel Prize. 

And finally, the 2024 Nobel Prize in physics was awarded to John Hopfield and Geoffrey Hinton for their pioneering work in machine learning, which laid the foundation for today’s AI advancements. Hinton, often called the “godfather” of AI, and Hopfield, a Princeton professor, developed artificial neural networks based on the brain’s structure, enabling machines to learn from experience rather than following preset instructions. Their discoveries, including Hopfield’s 1982 network and Hinton’s Boltzmann machine, revolutionized AI, transforming fields like healthcare and space exploration.

Hinton has expressed growing concern about the potential dangers of AI, even leaving his role at Google to raise awareness. While he acknowledges AI’s incredible potential to improve productivity, he worries that AI could surpass human intelligence and become uncontrollable. Despite these concerns, Hinton remains proud of his work, recognizing both its promise and risks as AI continues to shape our future.

Still no Nobel Prize for podcasting…priorities, people…

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.