Cyber Briefing ~ 07/19/2024


Weekly Director's Note

Dear Readers,

This week on Cyber Focus, I had the pleasure of speaking with Matt McCabe, Managing Director at Guy Carpenter and a longtime friend and colleague. Our conversation delved into the complex world of cyber insurance, exploring its evolution over the past 25 years and how the insurance industry contributes to improving overall cybersecurity practices. We also discussed the potential need for a federal backstop for catastrophic cyber events, building on our recent testimony before the House Homeland Cyber Subcommittee.

The Cyberspace Administration of China is implementing a testing regime for large language models to ensure they align with "core socialist values," as reported by Ryan McMorrow and Tina Hu for the Financial Times. The testing process involves government officials conducting extensive audits of AI systems developed by major tech companies and startups, including ByteDance, Alibaba, and Moonshot. The review encompasses the models' responses to politically sensitive questions, particularly those related to President Xi Jinping. Chinese AI chatbots are being programmed to provide politically correct answers on sensitive topics or to deflect certain queries altogether. I am grateful to live in the U.S.

Brian Krebs, with KrebsOnSecurity, reported that recent investigations have shown a resurgence of the Russian cybercrime group Fin7, contradicting earlier claims of its demise. It seems Mark Twain's famous quip, "The reports of my death are greatly exaggerated," applied just as well to cybercrime groups. According to research by security firm Silent Push, Fin7 has established a vast network of over 4,000 malicious hosts, targeting major brands and organizations through sophisticated phishing and malware campaigns. Their targets span a wide range of sectors, from financial services to technology companies, and they're even exploiting current events like the upcoming Summer Olympics in France.

Following up on last week's AT&T saga, Ryan Gallagher of Bloomberg News reported that the AT&T hack compromised call and text records of nearly all of its 100 million wireless customers, undermining U.S. national security. This breach, described as "pretty unique and horrible" by John Scott-Railton of The Citizen Lab, provides "a comprehensive view into people's private worlds." Meanwhile, James Rundle, Catherine Stupp, and Kim Nash of The Wall Street Journal reported that both the AT&T breach and a UnitedHealth Group attack were linked to the absence of MFA on key systems. The UnitedHealth attack alone is expected to cost over $2 billion to rectify. As I told the WSJ, it's kind of amazing that ease and speed continue to trump security—which always costs too much until it's not enough.

Speaking of breaches, the scale of data breaches has reached a milestone, according to a report by Betty Lin-Fisher for USA TODAY. The Identity Theft Resource Center's latest Data Breach Report reveals that over 1 billion individuals have fallen victim to data breaches in just the first half of 2024, marking a staggering 409% increase from the same period last year. This surge is largely attributed to several "mega-breaches," including incidents at Ticketmaster and Advance Auto Parts, but does not yet include the recent Change Healthcare breach information.

National Cyber Director Harry Coker, Jr. is tackling major cybersecurity challenges with a focus on collaboration and workforce development. According to Tim Starks of CyberScoop, Coker's top priorities include fostering "federal coherence" and addressing the cyber workforce gap. In an interview, Coker emphasized the importance of collaboration both within the federal government and with the private sector. He highlighted the ONCD's efforts to work closely with other agencies, such as the National Institute of Standards and Technology (NIST), and to promote economic prosperity as an aspect of cybersecurity.

Speaking of NIST, they are facing potential budget cuts that could impact critical cybersecurity initiatives. According to Jacob Livesay's piece in Inside Cybersecurity, NIST's Information Technology Laboratory chief Kevin Stine warned of possible "programmatic reductions" in fiscal 2025. These cuts could affect NIST's crucial work on standards development and vulnerability disclosure. The House Appropriations Committee has proposed a budget that's $45 million below the agency's fiscal 2024 appropriation and $83.5 million below its request. As anyone who knows me can attest, I am an advocate for NIST as they are an unsung hero in the world of cybersecurity.

The U.S. military launched a new initiative called Commercial Augmentation Space Reserve to strengthen cybersecurity for military satellites by integrating commercial equipment into military space operations. As Dr Sharon Lèmac-Vincere reports for Space.com, this partnership aims to enhance U.S. national security and competitive advantage in space. The move comes as the risk of cyberattacks on critical space infrastructure increases, with potential targets including both military and commercial spacecraft. This development highlights the growing importance of space as a critical infrastructure sector, aligning with my calls to designate it as such.

A recent report by Sophos reveals that ransomware attacks are having a relatively greater impact on the energy, oil, and gas sectors. As reported by Christian Vasquez for CyberScoop, the victims experienced longer recovery times and higher costs, with more than half taking over a month to recover, up from 19% in 2022. The report, based on responses from over 200 cybersecurity and IT leaders, highlights that nearly half of successful attacks occurred due to unpatched vulnerabilities. Notably, the energy, oil, and gas sectors are now more likely to pay ransom demands than use backups for recovery, a first-time occurrence according to the report. Chester Wisniewski, global field chief technology officer at Sophos, attributes this vulnerability to older technologies and minimal IT staffing in these sectors.

To wrap things up this week, generative AI is enhancing cybersecurity operations in government agencies, according to a report by Keely Quinlan for StateScoop. While AI and machine learning have been used in cybersecurity for years, generative AI now provides an additional layer of protection thanks to its ability to synthesize data from threat scans and provide contextual information. Andy Hanks, a senior director at the Center for Internet Security, says that generative AI "changes the game when it comes to processing lots of data very fast and giving you that contextual information." State CISOs like Michael Geraghty of New Jersey and John Godfrey of Kansas are leveraging generative AI to improve threat detection algorithms and customize detection systems.

War Eagle,

Frank Cilluffo


Coker's Top Priorities: Federal Cohesion, Cyber Workforce, Other 'Hard Problems'

National Cyber Director Harry Coker discusses his key priorities, including pushing for greater "federal coherence" by collaborating with and uniting other parts of the federal government. He also emphasizes the importance of fostering cybersecurity skills and boosting the cyber workforce, noting that the government and private sector must work together to address this challenge. Additionally, Coker is focused on providing more support to state, local, tribal, and territorial governments, who are increasingly facing nation-state cyber threats. Overall, Coker is committed to tackling the "hard problems" in cybersecurity, recognizing that these challenges will continue to evolve but that progress can be made through strategic partnerships and innovative approaches.


Russia-Linked FIN7 Hackers Sell Security Evasion Tool on Darknet

The notorious cybercrime group FIN7 is advertising and selling its custom security evasion tool, AvNeutralizer, on darknet forums to other criminal hacking groups. The tool bypasses threat detection systems on victims' devices and has been observed in numerous intrusions involving various ransomware strains. FIN7 is using multiple pseudonyms to mask its identity while promoting the sale of the tool, which is priced between $4,000 and $15,000. The group's development and commercialization of specialized tools like AvNeutralizer significantly enhances its impact and demonstrates its advanced operational strategies, making attribution more challenging.


300 Arrests Made in Crackdown of West African Cyber Fraud Group

An international law enforcement operation targeting a sprawling West African organized crime and cyber fraud network has led to 300 arrests, $3 million in seized assets, and 720 blocked bank accounts. The operation, dubbed Jackal III, took down the notorious "Black Axe" criminal syndicate, one of the most prominent West African transnational organized crime groups engaged in cyber fraud, human trafficking, drug smuggling, and other illicit activities globally. The results underscore the critical need for global collaboration to combat these extensive criminal networks and their financially damaging cyber fraud schemes, which have caused over $43 billion in losses worldwide.


Treasury Group Unveils Guidance for Financial Sector on Cloud Adoption

The U.S. Department of the Treasury and an industry-led nonprofit have released resources to help financial institutions, especially smaller banks, navigate secure cloud adoption. The guidance addresses gaps identified in the Treasury's previous report on the industry's cloud usage, providing a roadmap, best practices, and strengthened transparency to enhance cloud security and resilience across the financial sector.


Ransomware Attacks Hit Energy, Oil and Gas Sectors Hard

Ransomware attacks disproportionately impact the energy, oil, and gas sectors, with utilities increasingly willing to pay ransom demands to retrieve encrypted data rather than rely on backups. Recovery times have steadily increased, reflecting the growing complexity and severity of these attacks and a lack of preparedness among these critical infrastructure organizations. The report highlights that nearly half of successful attacks occurred due to unpatched or unmitigated vulnerabilities, while just over a quarter were due to compromised credentials. Energy, oil and gas, and utilities organizations are also more likely than other sectors to be compromised through the exploitation of unpatched vulnerabilities. The actual cost of ransomware could be much higher, because lax reporting laws leave a general lack of understanding of the broader threat landscape. However, the Cybersecurity and Infrastructure Security Agency is working to address this through new reporting requirements for critical infrastructure organizations.


1 Billion Victims of Data Breaches So Far in 2024

The number of data breach victims has surpassed 1 billion for the first half of 2024, a staggering 409% increase from last year. This eye-popping figure is driven by a handful of mega-breaches, such as those impacting Ticketmaster and Advance Auto Parts, which account for over 900 million victims. The Identity Theft Resource Center warns that every person, business, and organization must view data and identity protection with greater urgency in the face of these escalating cyber threats. Consumers are advised to practice good cyber hygiene, including using multi-factor authentication, unique passphrases, secure payment methods, and caution with suspicious links and attachments. With data breaches accelerating, protecting personal information has never been more critical.


China Deploys Censors to Create "Socialist AI"

Chinese officials are aggressively testing and regulating large language models developed by tech companies to ensure they "embody core socialist values." This involves mandatory government reviews, with models required to respond to a litany of politically sensitive questions related to President Xi Jinping and other topics deemed harmful by the Communist Party. Companies must implement extensive censorship measures, including maintaining databases of banned keywords, to avoid generating content that could be seen as subversive. The result is AI chatbots that dutifully parrot the government's talking points while avoiding or replacing responses on topics the regime deems off-limits. This represents China's efforts to exert unprecedented control over the content generated by advanced AI systems as part of its broader push to shape the country's technological development along ideological lines.


Hackers Claim to Have Leaked 1.1 TB of Disney Slack Messages

A hacker group called "NullBulge" claims to have stolen over 1 TB of Disney's internal Slack messages and files from nearly 10,000 channels, including unreleased projects, code, images, login credentials, and links to internal websites and APIs. The group alleges this was an act of protest over AI-generated art, and they have also published personal information of a purported Disney insider who they claim provided access to the data.


Partial Dismissal of SEC Lawsuit Against SolarWinds Over Cyberattack

A U.S. judge has dismissed most of the SEC's lawsuit against software company SolarWinds over its handling of the Sunburst cyberattack. The judge allowed the SEC to pursue a fraud claim related to a pre-attack statement on SolarWinds' website about its cybersecurity practices but dismissed all other claims based on pre-attack disclosures and those related to post-attack statements. The ruling is a partial victory for SolarWinds in the ongoing legal battle over the company's response to the major cyberattack.


Are Russian Fishing Boats Sabotaging Subsea Cables?

In recent years, subsea fiber optic cables that connect the global internet, particularly those in North Atlantic waters, have been intentionally damaged or cut through. There is growing suspicion that Russian fishing trawlers, which have been observed lingering over the cables during these incidents, may be involved. This raises concerns about the potential military and intelligence roles these fishing boats may perform and the implications for undersea infrastructure. These incidents could serve as training exercises or a signal of Russia's capabilities in disabling communications and undersea sensors. This kind of gamesmanship is reminiscent of geopolitical trolling, and with the increasing territorial conflicts due to climate change, more incidents like these can be expected.


A Russian Bot Farm Used AI to Lie to Americans. What Now?

Russia recently used AI to create over 1,000 online personas that spread pro-Russian propaganda to Americans. The author argues that the US was unprepared to defend against this new disinformation threat. She recommends that social media companies use AI to detect bots and governments support more research into defending against AI propaganda. Ultimately, an educated public is needed.


Majority of SEC Civil Fraud Case Against SolarWinds Dismissed, But Core Remains

A U.S. District Court judge dismissed most of the charges in a civil fraud case filed against SolarWinds by the U.S. Securities and Exchange Commission. However, the court sustained the SEC's claims of securities fraud based on SolarWinds' security statement. The case relates to the 2020 Sunburst supply chain hack, which impacted thousands of customers.


Bassett Furniture Temporarily Shuts Down Manufacturing Facilities Following Cyberattack

Bassett Furniture Industries, Inc. has temporarily shut down its manufacturing facilities after a "threat actor" gained unauthorized access to some of its IT systems, disrupting business operations. While the company's stores and e-commerce remain open, its ability to fulfill orders has been impacted. Bassett is working to contain the incident and get its systems back online, but the full scope of the attack is still unknown.


Maximum-Severity Cisco Vulnerability Allows Attackers to Change Admin Passwords

Cisco has released a patch for a critical vulnerability (CVE-2024-20419) in its Smart Software Manager (SSM) On-Prem product that allows unauthenticated remote attackers to change the password of any user, including administrators. The vulnerability has a maximum CVSS 3.1 severity score of 10/10. Cisco advises customers to apply the patch as soon as possible, as there are no known workarounds. The flaw is due to improper implementation of the password-change process and could allow attackers to access the web UI or API with compromised user privileges. This vulnerability affects SSM On-Prem and SSM Satellite versions before 7.0, so organizations should upgrade to the latest patched versions.


New Hacker Group Targets Asia-Pacific with Open-Source Tools

A newly identified hacker group, TAG-100, is conducting a suspected cyberespionage campaign targeting high-profile government and private sector organizations, primarily in the Asia-Pacific region. The group has used open-source remote access tools like Pantegana and SparkRAT and exploited various internet-facing devices to gain initial access to victims. While the researchers could not definitively attribute the group to a specific country, the victim profile aligns with historical targeting by Chinese state-sponsored groups. The widespread availability of open-source tools allows less capable groups to conduct such operations while enabling higher-tier actors to avoid detection.


Russia May Be Learning Dangerous Lessons from Space Mischief, DIA Says

The head of the Defense Intelligence Agency warns that Russia's recent actions in space, such as satellite maneuvers and anti-satellite weapons tests, could lead the country to learn dangerous lessons if they are not shown clear repercussions. The DIA chief says Moscow must face consequences for this destabilizing behavior in space, which could embolden further reckless actions. Experts are concerned that Russia is gaining valuable insights that could be applied to future conflicts, underscoring the need for a strong deterrent response from the U.S. and its allies.


Cyber Resilience: The New Cybersecurity Focus

The article argues that cybersecurity experts should shift their focus from pure prevention to building cyber resilience. While prevention is critical, being 100% protected from every cyber threat is impossible. Instead, organizations should invest heavily in preparing for, responding to, and recovering from cyber incidents. Key elements of a cyber resilience approach include building a security-focused culture, practicing incident response plans, designing systems and processes with security in mind, and having robust communication protocols in place. By embracing cyber resilience, companies can minimize the damage and disruption from inevitable cyber-attacks.


CDK Negligence Case Filed Over Cyberattack

A class action lawsuit has been filed against CDK Global, the company that provides financial services to car dealers, alleging negligence after a June cyberattack crippled the company and thousands of dealers across the country. The lawsuit claims CDK failed to maintain adequate data security, leading to over $1 billion in lost sales and 56,200 fewer new vehicle sales during the 3.5-week attack. This is one of 10 suits filed against CDK by dealers and businesses impacted by the incident.


AT&T Hack Exposes Third Party Threat Surface

The ransomware attack on AT&T, caused by a hack of cloud provider Snowflake, exposed the metadata of nearly every network user. Security experts warn that this highlights the importance of robust third-party vendor management, including multifactor authentication, VPNs, and security awareness training.


APT40 Advisory: PRC MSS Tradecraft in Action

This advisory from Australian and international cybersecurity agencies details the tactics, techniques, and procedures of the state-sponsored cyber group APT40, linked to China's Ministry of State Security. The group has repeatedly targeted Australian and regional government and private sector networks, rapidly exploiting vulnerabilities to gain initial access and establish persistence.


Unseen Levels of Cyberattacks: Organizations Targeted Ten Times an Hour

The cybersecurity landscape has reached unprecedented levels of attack activity, with organizations facing an average of 1,636 weekly cyberattacks in Q2 2024 - a 30% increase from the previous year. The education, government, and healthcare sectors were the hardest hit, underscoring the urgent need for robust cybersecurity measures.


Ransomware Recovery Costs Quadruple for Energy and Water Sectors

According to a new Sophos report, the median ransomware recovery cost for the energy and water sectors has quadrupled to $3 million in the past year. The ransom payments in these critical infrastructure sectors have also jumped to over $2.5 million, half a million more than in other sectors. Experts warn that criminals are targeting these sectors to cause maximum disruption, urging organizations to take proactive steps to monitor vulnerabilities and rehearse incident response plans.


NIST Faces Potential Budget Cuts for Key Cyber Activities

The National Institute of Standards and Technology (NIST) is concerned about potential budget cuts in fiscal year 2025 that could impact its cybersecurity and privacy programs. NIST's Information Technology Laboratory chief warned of "significant programmatic reductions" that could result in losing expertise and capabilities in critical areas like standards development. NIST officials emphasized the importance of the agency's persistent participation in international standards bodies, which budget constraints could threaten. The management of NIST's National Vulnerability Database is also a priority amid the potential budget challenges.


NIST Announces Upcoming Privacy Framework and Data Governance Updates

The National Institute of Standards and Technology (NIST) plans to release draft updates to its Privacy Framework and a new joint data governance profile this fall. The updates aim to improve privacy protections and data management practices. NIST is also working on IoT security, the intersection of AI and cybersecurity, and supporting election security efforts with partner agencies.


CISA Cyber Chief Discusses Information Sharing Opportunities

Jeff Greene, CISA's new cyber division chief, highlighted the agency's efforts to improve information sharing and the role of the Joint Cyber Defense Collaborative. Greene emphasized the need to streamline communication between CISA and the private sector and expand the JCDC's steady-state relationship with partners. He also discussed the importance of the Cybersecurity Information Sharing Act in encouraging companies to share threat information with the government.


ITI Urges CISA to Address Reciprocity in Mandatory Cyber Incident Reporting

The Information Technology Industry Council is asking CISA to ensure "real value" is provided to the industry based on information shared on cyber incidents as part of the upcoming mandatory reporting regime for critical infrastructure. ITI proposes recommendations to CISA, including investments in rapid resources, leveraging existing partnerships, and expanding efforts to analyze incident data.


Subscribe to our LinkedIn Cyber Briefing.

Subscribe to the daily Cyber Briefing email.

Subscribe to our Cyber Focus podcast.

Copyright © 2024 Auburn University's McCrary Institute. All Rights Reserved.

Follow the McCrary Institute on LinkedIn, Twitter, Threads, Instagram, Facebook, and YouTube.

