The new year is already off to a busy and interesting start in the world of cybersecurity. In addition to an interview with Google’s Sandra Joyce, this newsletter covers the Hive ransomware group takedown, the T-Mobile breach, ChatGPT, and much more.
Be sure to sign up for the newsletter here to join our mailing list so you never miss an edition.
Story Behind the Story: Interview with Sandra Joyce
Sandra Joyce has had an exceptional career from being an intelligence officer in the Air Force to becoming a Vice President at Google and Head of Mandiant Intelligence. She shared her story and advice to other women who want to join this field in an interview with Consortium Networks’ policy analyst, Abby Sonnier.
Washington Watch: Winter 2023
The Winter 2023 edition of Washington Watch is out! Washington Watch is an amalgamation of executive, congressional, and judicial action on various cybersecurity topics, designed to inform readers about the trends and conversations happening in Washington surrounding cyber. We hope the information provided here will help your organization prepare for any changes it will need to make based on legislation or other federal action that may be taken, and that it will start a conversation about the national movement towards greater cybersecurity and resilience.
Driving the Headlines
FBI Shuts Down the Hive Ransomware Group: What Does It Mean for My Organization?
The big news in ransomware this month was the FBI’s takedown of the Russia-based Hive Ransomware-as-a-Service (RaaS) group. This group, which was known for its particular tendency for attacking hospitals and schools, extorted over $130 million from its victims.
Many have celebrated the operation as a win in the fight against ransomware. Unfortunately, these cheers are ill-founded, as the interruption to the ransomware business caused by the bust will be minimal.
Hive will likely regroup to form a new organization and be back up and running within a matter of weeks. More than that, the RaaS market is expansive; given the number of options intrusion groups have in the space, the loss of one provider, even one as prolific as Hive, is not going to have any major impact on operations.
Furthermore, the ransomware business sector is rapidly expanding. Amid the lingering effects of the pandemic, recent tech lay-offs, and growing economic hardship across the world, dark web job markets have grown in an attempt to draw in disgruntled talent. Hacker groups are seeking out developers, attackers, designers, analysts, and more, offering salaries of up to $20,000 a month alongside flexible working hours, bonuses, paid vacations, and other benefits.
The standard playbook of ransomware attacks is changing as well. Companies have become more ransomware-proof with offsite backups, increased network visibility, and tested incident response procedures. This means that far fewer companies are paying ransoms than in the past, because they know they are resilient to having their data encrypted and inaccessible. The attackers are adapting.
Instead of solely encrypting a company’s data and demanding payment for a decryption key, RaaS groups now ensure they exfiltrate the data as leverage against the company, threatening to leak or sell it if the company does not pay the ransom. With a regulatory landscape that permits higher and higher fines for these kinds of leaks, and the reputational damage that comes along with a data leak, groups are more likely to receive payment than if they solely lock up the data and make it impossible to access.
As this trend unfolds, it is important to stay on top of the landscape and ensure your organization is protected against these attacks. While it is beneficial to the entire community that businesses have significantly increased their resiliency to ransomware attacks, they cannot stand idle as the attackers innovate.
The T-Mobile Data Breach and API Security
Early this month, one of the largest wireless network operators in the United States, T-Mobile, filed a disclosure notice with the SEC that a breach had been discovered in its networks. This breach, which impacted over 37 million customers, was carried out by a hacker who was able to access the data through a single Application Programming Interface (API). Financial data was not compromised, the ongoing investigation found, but customers’ personally identifiable information (PII), including names, addresses, emails, and phone numbers, was obtained in the breach.
This is not the first time that T-Mobile has suffered a significant data breach; it only recently agreed to a $350 million settlement for a previous incident that occurred in 2021. As part of that settlement, it also committed an additional $150 million to security upgrades. The 2021 breach was carried out by a 21-year-old American who gained access to the organization through an unprotected router, and who said at the time that the security at T-Mobile was “awful.”
APIs, which are critical for businesses to connect services and transfer data, are found in customer, partner, and internal-facing applications and inherently expose application logic and PII, making them a prime target for attackers and a priority for cybersecurity teams. Attacks on this kind of network infrastructure are becoming increasingly common, so it is not surprising to see such a high-profile instance in T-Mobile.
Is ChatGPT a Cybersecurity Threat?
Though OpenAI released ChatGPT in November of last year, it has taken the public conversation by storm in the last month. In its own words, ChatGPT is “a state-of-the-art language generation model developed by OpenAI [which] uses deep learning techniques to generate human-like text based on the input it receives.” Universities, including Johns Hopkins University’s School of Advanced International Studies (SAIS), are already incorporating the platform into the classroom, while others are scrambling to ensure they can spot AI-generated essays and assignment responses. Outside of academic circles, people are using ChatGPT to generate recipes, organize travel, translate, do basic research, and more.
Part of that “and more,” however, is generating malware and preparing natural-sounding phishing emails through which to deploy said malware. The degree of success in doing so, however, is limited at best.
One black-hat-turned-white-hat hacker, Marcus Hutchins, told Cyberscoop that it took hours to get a functional piece of code out of ChatGPT, and that it was generally not possible to turn that into anything usable as malware. Though the platform may be able to generate code that could be malware after significant human input, it likely does not and will not have the ability to act as a stand-in for human expertise in creating malware.
ChatGPT stands to contribute to research, writing, and general question-asking, but it most likely will not be a security risk that your organization needs to worry about.
Policy Changes that Will Impact Your Business
The long-awaited and heavily teased 2023 National Cyber Strategy is set to come out very soon, and a preview by Slate indicates that there will be some sharp turns in the cybersecurity regulatory landscape. One of the biggest changes coming is the move from voluntary guidance to mandatory requirements for critical infrastructure organizations.
This change comes out of a realization that voluntary measures in almost any industry simply do not work. Cybersecurity can be expensive and there is already a massive gap in supply and demand for cyber talent. This new structure will impose industry-specific requirements that will force companies to shore up their cybersecurity posture.
CISA is making a shift toward the private sector as well, with its top 2023 priority being “corporate cyber responsibility.” Though the guidance that comes out of CISA will be purely voluntary, a marked difference between the two announcements, the typically inward-facing agency will be able to reach audiences it has not reached before. If trends are to be believed, this may also mark the beginning of a path toward mandatory requirements for all organizations, even those outside of critical infrastructure sectors.
As this shift towards greater federal involvement in private sector cybersecurity unfolds, Consortium Networks will be here to help you make informed decisions ensuring best cybersecurity practices and compliance.
In Other News
Trends in hacking: In a confirmation of France’s claim that ransomware is on the decline compared to the last three years, January saw far fewer ransomware attacks compared to other kinds of cyberattacks. While the business of ransomware is growing, the number of successful attacks has fallen. Some notable attacks to be aware of:
- Sandworm: Russian hacking group Sandworm is spinning up again in Ukraine with a new file-deleting malware.
- T-Mobile: Data of 37 million U.S. customers breached
- Education Sector: Schools in Iowa, Nantucket, and Massachusetts were all hit with cyberattacks that impacted operations
- Housing Agencies: Both the Los Angeles and Indianapolis housing authorities suffered ransomware attacks this month.
- The Guardian: The Guardian was hit with a ransomware attack in which the attackers had access to staff data.
- Denmark: Pro-Russian DDoS attacks in NATO member Denmark are growing in number and intensity.
- PayPal: Data of 35,000 PayPal users leaked; SSNs and tax information among other PII exposed following a credential stuffing attack
- Norton LifeLock: Hackers breached the password manager accounts of almost one million users
Malware: A number of malware news items that everyone should be aware of:
- Microsoft Exchange bugs are topping the list of exploited vulnerabilities affecting the financial sector. The most prolific of these include CVE-2015-1635, CVE-2021-31206, CVE-2014-0160, CVE-2017-7269, and the set of CVEs known as ProxyShell
- Cisco announced that it would not release updates to address two vulnerabilities (CVE-2013-20025 and CVE-2023-20026) affecting routers sold until 2020
- Fortinet has patched a vulnerability (CVE-2022-42475) that allowed remote, unauthenticated execution of arbitrary code or commands; its exploitation was heavily aimed at governments. Fortinet said that “the complexity of the exploit suggests an advanced actor,” but no APT has been named as responsible.
- Kronos malware, which most recently was known as a banking trojan in 2018, has reemerged and is being used in conjunction with ransomware primarily in Mexico
- The KeePass open-source password management software has a newly assigned vulnerability tracked as CVE-2023-24055. The vulnerability enables threat actors to inject a trigger that would export the entire username/password database.
- The Sh1mmer exploit allows actors to unenroll enterprise-managed Chromebooks from device restrictions, permitting downloads that would otherwise be blocked by the device’s security policies.
Some Good News: On the bright side of things, Amazon announced that new S3 objects will be encrypted by default, New York added $35 million to its cybersecurity budget, and the International Counter-Ransomware Force kicked off this month.
In the Legal System:
- Fines: Ireland fined Meta $400 million after a two-year-long investigation into the way the company processes data, and France fined TikTok $5.5 million for failures to adhere to the Data Protection Act.
- Arrests: A number of cybercriminals and criminal groups were arrested or otherwise judicially punished this month, including a Romanian national, a Dutch man, and a French member of the ShinyHunters group.
- In the Courts: JPMorgan will face Ray-Ban in a lawsuit arguing that the bank failed to stop suspicious transactions made by cybercriminals, the Irish Privacy Regulator will take the European Union Data Protection Board to court over interference in its tenacious efforts to enforce privacy regulations in Ireland, and Google is being taken back to court by the Department of Justice for allegedly breaking anti-trust laws.
Policy and Politics
New Data Protection Laws: Virginia’s new data protection law based on the California Privacy Protection Act (CPPA) went into effect January 1 of this year along with CPPA updates. More comprehensive privacy laws will go into effect later this year with Colorado and Connecticut’s taking effect in July and Utah’s on December 31 of this year. Want to know more about how data privacy and cybersecurity are related? Check out this article we wrote this month in celebration of data privacy day.
Medical Device Applications: The Fiscal Year 2023 Omnibus gave the FDA authority to require certain medical device applications to provide information demonstrating the cybersecurity of those devices.
Congress: The House of Representatives introduced the Energy Cybersecurity University Leadership Act, which would offer grants and funding to graduate and PhD students focused on cybersecurity and energy infrastructure. The American Data Privacy and Protection Act (ADPPA) moved out of committee and was introduced in the House this month, a huge step for a comprehensive data privacy bill that many thought was dead at the end of the last Congress.
Executive Agencies: The FCC proposed a new rule that would update and strengthen its data breach reporting requirements. CISA released a report providing recommendations for K-12 schools to address their cybersecurity risk. NIST released the Cybersecurity Framework 2.0 concept paper, a draft outlining the significant changes it is considering for the new framework, and also released an artificial intelligence risk management framework. The Transportation Security Agency (TSA) issued a directive for airports and carriers following the hack and leak of the no-fly list this month. Finally, the Department of Justice announced a new strategy for tackling ransomware that prioritizes victims, even if it may make it harder to arrest attackers.
The Abraham Accords: The Abraham Accords, the peace agreements between Israel and various Middle Eastern and Northern African states, will soon be expanded to include cybersecurity. This expansion should help Israel in its continued challenges, including significant cybersecurity ones, with Iran.
January Recap: January saw Consortium Networks’ Sales Kickoff in Washington, D.C., where we were all able to get together and plan for a monumental year. We are all looking forward to a 2023 full of helping people find the best solutions to their cybersecurity problems.
On Our Radar
February 5-10: SANS Cyber Security Leadership NOVA, Tysons, VA
February 9: Data Connectors Cybersecurity Conference, Charlotte, NC
February 9: Endpoint Security in Fintech: Roadmap to Build a Secure Program, San Francisco, CA
February 10: Cyber Security Summit, Atlanta, GA
February 14: Defense & Innovation: A Cybercrime Symposium, Tampa, FL
February 22-23: National K-12 Cybersecurity Leadership Conference, Austin, TX
February 22: Silicon Valley Cyber Security Summit, San Francisco, CA
February 23: FutureCon, Washington, D.C.
February 23: Cyberscoop’s Zero Trust Summit, Washington, D.C.