The CyberWire Daily Podcast 11.19.24
Ep 2193 | 11.19.24

Biden vs. Trump: A tale of two cybersecurity strategies.

Transcript

Pundits predict Trump will overhaul U.S. cybersecurity policy. Experts examine escalating cybersecurity threats facing the U.S. energy sector. Palo Alto Networks patches a pair of zero-days. Akira and SafePay ransomware groups claim dozens of new victims. A major pharmacy group is pressured to pay a $1.3 million ransomware installment. Threat actors are exploiting Spotify playlists and podcasts. An alleged Phobos ransomware admin has been extradited to the U.S. Rapper “Razzlekhan” gets 18 months in prison for her part in the Bitfinex cryptocurrency hack. On today’s Threat Vector, David Moulton speaks with Assaf Dahan, Director of Threat Research at Palo Alto Networks’ Cortex team, about the rising cyber threat from North Korea. Swiss scammers send snail mail. 

Today is Tuesday, January 19th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Pundits predict Trump will overhaul U.S. cybersecurity policy. 

A second Trump administration is expected to overhaul U.S. cybersecurity policy, prioritizing business interests, aggressive offensive measures, and deregulation over the Biden-era focus on corporate accountability, spyware restrictions, and AI safeguards.

In an article for Wired, Eric Geller writes that Trump is likely to dismantle Biden’s regulatory efforts on critical infrastructure cybersecurity, citing industry burdens. Rules impacting rail, aviation, and water systems could be scrapped or weakened, with a shift toward voluntary compliance and incentives. Efforts like CISA’s disinformation campaigns and AI safety initiatives focused on societal harms may also end, reflecting Trump’s emphasis on free speech and reduced regulation.

Spyware policies are expected to favor market growth over human rights concerns, benefitting firms like NSO Group. AI regulations requiring transparency and safety measures may be repealed, favoring innovation over safeguards.

Trump is poised to expand military cyber operations, emphasizing accountability for Chinese and Russian cyberattacks. Cyber Command could see enhanced roles, including potentially forming a separate military cyber branch. Policies blocking Chinese tech could also resurface.

Initiatives pushing companies to design secure software and accept liability for vulnerabilities may stall. While slogans like “secure by design” may persist, new regulations are unlikely, reflecting the administration’s alignment with corporate interests.

CISA’s cyber incident reporting rules could be scaled back, exempting sectors or limiting required disclosures.

Ultimately, Trump’s cybersecurity agenda may favor deregulation and military action while sidelining corporate accountability, spyware restrictions, and emerging AI safety policies.

Experts examine escalating cybersecurity threats facing the U.S. energy sector.

In an editorial for CyberScoop, Sachin Bansal, president of SecurityScorecard, and Brian Harrell, former assistant secretary for infrastructure protection at the Department of Homeland Security, say the U.S. energy sector faces escalating cybersecurity threats as it integrates complex supply chains, clean energy technologies, and digital systems. National Security Advisor Jake Sullivan recently highlighted the critical need for supply chain security, as vulnerabilities in software and third-party vendors present significant risks to vital infrastructure. A KPMG report revealed that third-party risk accounts for 45% of breaches in the sector, compared to a global average of 29%.

The shift to greener, software-driven energy grids introduces additional risks, with renewable energy companies scoring lowest on cybersecurity metrics. Coupled with the potential for foreign exploitation—particularly by China—these factors underscore the urgency of a unified strategy.

Efforts to enhance resilience include the Department of Energy’s Supply Chain Cybersecurity Principles, supported by major firms like GE Vernova and Siemens. Regulators, such as the Federal Energy Regulatory Commission, are revising standards to address supply chain risks. Meanwhile, the White House is exploring cybersecurity ratings for infrastructure sectors.

However, challenges remain. Attacks, such as the Colonial Pipeline ransomware incident, show how breaches in IT systems disrupt operations. Utilities struggle with the resources and expertise to counter growing threats.

A collective effort between government and industry is vital to secure every link in the supply chain. By adopting consistent frameworks, measuring progress, and fostering transparency, the energy sector can bolster cybersecurity resilience, safeguarding critical infrastructure and global stability.

Palo Alto Networks patches a pair of zero-days. 

Palo Alto Networks has patched two zero-day vulnerabilities, CVE-2024-0012 and CVE-2024-9474, exploited in “Operation Lunar Peek.” CVE-2024-0012 is a critical authentication bypass flaw that lets attackers gain admin access through the PAN-OS management interface, while CVE-2024-9474 is a privilege escalation issue enabling root access. The attacks targeted exposed firewall management interfaces, and both flaws have been addressed in PAN-OS updates. CISA has added them to its Known Exploited Vulnerabilities catalog, urging fixes by December 9 to mitigate risks.

Akira and SafePay ransomware groups claim dozens of new victims. 

The SafePay cybercrime operation, a new ransomware group deploying LockBit-based malware, has claimed 22 victims as of November 2024, according to Huntress. The group uses Remote Desktop Protocol (RDP) access to gain entry, then exfiltrates data and encrypts files. SafePay’s ransomware is derived from a well-documented LockBit variant and incorporates tactics from other groups like ALPHV/BlackCat, including UAC bypasses and living-off-the-land binaries (LOLBins) for privilege escalation.

Huntress identified vulnerabilities in SafePay’s Tor site, enabling deeper insights into its operations. SafePay employs tools like WinRAR for archiving stolen data and FileZilla for file transfers, often uninstalling them afterward to cover tracks. The ransomware includes a Cyrillic-language-based killswitch to avoid attacks in Commonwealth of Independent States (CIS) countries.

Meanwhile, the Akira ransomware group leaked data from 32 new victims in a single day last week, according to Cyberint. Active since March 2023, Akira operates as ransomware-as-a-service (RaaS) and has impacted over 350 organizations globally, earning an estimated $42 million.

Targeting business services, critical infrastructure, and other sectors, Akira primarily focuses on U.S.-based organizations but also attacks entities in Canada, Europe, and beyond. Cyberint reports that most victims were directly added to Akira’s “Leaks” section on its Tor site, bypassing the usual “News” section.

This aggressive activity, which aligns with trends of escalating ransomware operations, mirrors similar mass victim disclosures by groups like LockBit. Akira’s rapid growth and record-breaking victim counts indicate its expanding influence in the global cybercrime ecosystem.

A major pharmacy group is pressured to pay a $1.3 million ransomware installment. 

The Embargo ransomware group is pressuring American Associated Pharmacies (AAP) to pay a second $1.3 million installment of an alleged $2.6 million ransom deal after already receiving the first payment. The group, which claims to have stolen 1.5 terabytes of data, has threatened to leak the information by midweek if the payment isn’t made. Embargo accuses AAP of prioritizing system restoration over customer data protection.

Embargo’s tactics include double extortion, a common strategy among ransomware gangs. Researchers note Embargo targets various sectors worldwide and has increasingly targeted healthcare, including Georgia’s Memorial Hospital and Manor. Embargo, which surfaced in 2024, denies political affiliations, focusing instead on opportunistic attacks. Experts warn of potential class-action suits and growing risks without stronger privacy laws to deter such cybercrime.

Threat actors are exploiting Spotify playlists and podcasts. 

Threat actors are exploiting Spotify playlists and podcasts to promote pirated software, game cheats, spam links, and dubious websites, leveraging Spotify’s strong reputation and SEO presence to boost visibility. Using targeted keywords and links in titles and descriptions, scammers direct users to malware-laden sites or fake surveys.

Some playlists, like one advertising a “Sony Vegas Pro Crack,” and spammy podcasts use synthesized speech to lure users into clicking links leading to ad-heavy or malicious sites. These tactics extend to promoting game cheats and pirated eBooks.

Cybercriminals often exploit third-party podcast distribution services to bypass platform safeguards. Spotify has removed some flagged content and emphasized its rules against malicious practices, but the challenge of combating such spam campaigns persists.

An alleged Phobos ransomware admin has been extradited to the U.S. 

Russian national Evgenii Ptitsyn, 42, has been extradited to the U.S. to face charges related to administering the Phobos ransomware, according to the Department of Justice. Accused of running a ransomware-as-a-service scheme since 2020, Ptitsyn allegedly developed and sold Phobos ransomware to affiliates who targeted over 1,000 victims worldwide, including schools and hospitals, extorting over $16 million. Affiliates used stolen credentials to encrypt and exfiltrate data, pressuring victims to pay ransoms. Ptitsyn faces up to 120 years in prison if convicted.

Rapper “Razzlekhan” gets 18 months in prison for her part in the Bitfinex cryptocurrency hack.

Heather “Razzlekhan” Morgan, a self-proclaimed rapper and entrepreneur, was sentenced to 18 months in prison for assisting her husband, Ilya Lichtenstein, in laundering bitcoin stolen during the infamous 2016 Bitfinex cryptocurrency hack. Lichtenstein, who received a five-year sentence, stole 119,754 bitcoin—worth $71 million then and now valued at $10.8 billion.

Morgan, aware of the funds’ illicit origins since 2020, helped conceal them through financial accounts, virtual currency exchanges, and mixers like Bitcoin Fog. Prosecutors recommended leniency, citing her clean record and limited personal gain.


We’ve got our Threat Vector segment next. Host David Moulton speaks with Assaf Dahan from Palo Alto Networks’ Cortex team about the rising cyber threat from North Korea. We’ll be right back.

Welcome back. You can find the link to David and Assaf’s full conversation in our show notes and be sure to catch new episodes of Threat Vector every Thursday on your favorite podcast app! 


Swiss scammers send snail mail. 

And finally, in a twist straight out of a cybercrime time machine, hackers in Switzerland are using snail mail—yes, actual paper letters with stamps—to deliver malware. The Swiss National Cyber Security Center revealed that scammers are posing as MeteoSwiss, the federal meteorology office, and sending fake weather alert letters with QR codes. Scan the code, and instead of staying dry, you’ll download malware named Coper, designed to pilfer sensitive data from Android devices.

The fraudulent letters mimic official apps to exploit trust, catching victims off guard. Experts warn that while most of us have a healthy skepticism for digital phishing attempts, we’re less suspicious of old-school postal scams. Fortunately, this throwback hack targets only Android users in Switzerland—so iPhone owners can relax (for now). 

I can only imagine that the next stop on this nostalgia train could be telegrams, ‘Dear victim, kindly scan this code to ruin your life, STOP.’

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.