Cyber Briefing ~ 07/16/2024

FedRAMP 'Undeniably' in State of Limbo Without Final OMB Modernization Guidance, Rep. Connolly Says

While the federal government awaits final guidance from the Office of Management and Budget to modernize the Federal Risk and Authorization Management Program (FedRAMP), Rep. Gerry Connolly, D-Va., believes the program is "undeniably" in a state of limbo until that guidance is issued. However, Connolly noted that this "limbo" is an improvement from where the program was not long ago. Despite the lack of final OMB guidance, Connolly highlighted positive steps such as the administration's move to promote the presumption of adequacy, the growing cloud services marketplace, and new initiatives led by the General Services Administration. The deputy federal CIO also expressed optimism that the final policy will reflect many practices and improvements already underway within FedRAMP.


Google Near $23 Billion Deal for Cybersecurity Startup Wiz

Google parent company Alphabet is reportedly close to acquiring cybersecurity startup Wiz for around $23 billion, which would be its largest deal ever. Wiz provides cloud security software and has seen rapid growth, reaching $350 million in revenue in 2023. The acquisition could boost Google's cloud computing business, which trails Amazon and Microsoft. However, it comes amid heightened antitrust scrutiny of significant tech mergers. It would provide a rare exit for Wiz's prominent Silicon Valley backers if completed.


AT&T Paid a Hacker $370,000 to Delete Stolen Phone Records

According to WIRED, AT&T paid over $370,000 in Bitcoin this May to a hacker associated with the ShinyHunters group, claiming he deleted the company's stolen customer call and text records. The payment was facilitated by a security researcher acting as an intermediary. The hacker alleges the complete dataset of records for "nearly all" AT&T wireless customers was stolen by John Erin Binns and shared with him before Binns' arrest in Turkey. Though the hacker claims the data has been wiped, risks may remain since Binns distributed samples. AT&T says it learned of the breach in April. While no content was exposed, dates, durations, and cell tower IDs were included for calls and texts from May 2022 to January 2023. AT&T delayed notifying customers at the FBI's request.


AT&T Says Hacker Stole Cell, Text Data on Nearly All Its Wireless Customers

AT&T has revealed that a hacker stole call and text message metadata from "nearly all" of its wireless customers. The data mainly dates to 2022 and was taken from a third-party cloud workspace. While the stolen records do not include personal subscriber information, they contain details of how different phone numbers interacted. AT&T is cooperating with law enforcement and believes the stolen data is not publicly available. The attack has been linked to American hacker John Binns, who claimed responsibility for a major data breach at T-Mobile in 2021.


US Military Project Aims to Prevent Hackers Targeting Satellites and Recognizes Rising Threat of Cyberattacks in Space

The US military has launched the Commercial Augmentation Space Reserve (CASR) initiative to integrate commercial equipment into military space operations, enhancing cybersecurity for military satellites. The partnership aims to strengthen national security and avoid over-reliance on any single commercial entity while acknowledging the need to prioritize cybersecurity in the space industry. However, challenges such as inconsistencies in cyber requirements and potential risks with a larger pool of commercial suppliers must be addressed. Education and collaboration across sectors are crucial for proactive and well-informed decision-making in space cybersecurity.


Election Officials Oppose Proposed CISA Rule

State election officials have written a letter to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) expressing opposition to a draft rule requiring disclosure of suspected cyberattacks within a specific timeframe. The officials argue that the proposed requirements are too burdensome for understaffed local government offices and suggest that the rules be voluntary instead of mandatory. They also call for a more explicit definition of a reportable cyber incident. The draft rules mandate reporting suspected breaches or significant cyberattacks within 72 hours and ransom payments within 24 hours.


Internal Disney Communications Leaked Online After Hack

Data from Disney's internal Slack channels, including discussions about ad campaigns, studio technology, and interview candidates, has been leaked online by a hacking group called Nullbulge. The group claims to have obtained swaths of data from thousands of Slack channels at Disney, including computer code and details about unreleased projects. Disney is currently investigating the matter.


California Ports to Get Major Technology Upgrades

The California Governor's Office of Business and Economic Development is providing $27 million to fund 10 technology projects across five of the nation's busiest containerized import ports. The projects aim to address key challenges in port operations, including cargo routing, AI integration, climate resiliency, emissions reduction, trucking appointment systems, increased cybersecurity, and the development of new data standards. The goal is to improve data functionality and interoperability across California's statewide port network, which handles 40% of the U.S.'s containerized imports. The investment is part of California's effort to advance supply chain digitalization and bolster maritime cybersecurity in the face of growing threats.


Rite Aid Customer Data Accessed in June Cybersecurity Breach

Rite Aid, the drugstore operator, disclosed a cybersecurity breach in June in which an unknown third party impersonated a company employee and accessed certain customer data, including names, addresses, dates of birth, and driver's license numbers. The company stated that Social Security numbers, financial information, and patient data were not accessed.


CISA Broke into a US Federal Agency, and No One Noticed for 5 Months

The US Cybersecurity and Infrastructure Security Agency (CISA) conducted a red team exercise targeting an unnamed federal agency. CISA gained initial access by exploiting an unpatched vulnerability in a Solaris system, which the agency took weeks to patch even after being notified. Phishing and cracking of weak passwords then expanded the red team's access. For five months, the agency failed to detect the intrusion activity. CISA stressed the need for defense-in-depth protections, flagged an overreliance on known indicators of compromise (IOCs) at the expense of behavior-based detection, and found the agency's log collection practices ineffective. The exercise showed that federal agencies must improve their intrusion detection capabilities.


The Stark Truth Behind the Resurgence of Russia's Fin7 Cybercrime Group

The Russia-based cybercrime group Fin7, known for attacks costing victims billions, was declared inactive in 2023 after US convictions. But Fin7 has revived in 2024, setting up thousands of fake websites impersonating media and tech firms. Fin7 relies on Stark Industries Solutions hosting, linked to Russian state hacking against Ukraine. Methods include typosquatting, malicious ads, phishing, and spoofing brands like Google and Twitter. Fin7 exploits events like the Olympics. Though said to be gone, their rapid regrowth shows the need for renewed enforcement efforts. Law enforcement should refocus on Fin7's extensive rebuilt infrastructure.


Disney's Internal Slack Breached? NullBulge Leaks 1.1 TiB of Data

Hacktivist group NullBulge claims to have breached Disney, leaking 1.1 TiB of internal Slack data. The alleged leak includes messages, files, code, and more from Disney's development team Slack workspace. NullBulge says it acts to protect artists' rights and ensure fair compensation, and Disney has recently faced criticism over not paying royalties to some creators. The claim is unverified; if accurate, the breach may have been carried out via infostealer malware. It follows significant breaches at AT&T and Ticketmaster in the US. Disney has not yet commented on the alleged Slack breach, which could expose sensitive internal data amid disputes over payments, an issue NullBulge cites in justifying the attack.


Manufacturing Institute Identifies Shortcomings in Defense Industry Cyber Practices, 'Overconfidence' in Preparedness

According to a report by the manufacturing institute MxD, manufacturers in the defense ecosystem tend to have overconfidence in their cybersecurity capabilities despite shortcomings in workforce training, governance, and supply chain risk management. The report reveals a disconnect between the perception and execution of cybersecurity protocols, highlighting the "Dunning-Kruger" effect, where individuals with low competence overestimate their abilities. The report emphasizes the need for improved cybersecurity posture, including greater senior leadership engagement, enhanced internal capabilities, and consideration of cybersecurity in future-oriented business planning.


Senators Introduce Legislation to Bolster CISA-HHS Relationship, as Intelligence Chair Warner Pushes for New Hospital Regulations

Senators Jacky Rosen, Todd Young, and Angus King have introduced the "Healthcare Cybersecurity Act" to enhance collaboration between CISA and the Department of Health and Human Services (HHS) in improving cybersecurity and providing resources to non-federal entities. Meanwhile, Senate Intelligence Chairman Mark Warner is urging HHS and the White House to issue cyber regulations for hospitals, citing the growing threat of healthcare cyberattacks. Warner emphasizes the need for mandatory minimum cyber standards to ensure the prioritization of cybersecurity in the healthcare sector.


DDoSecrets Mirrors Wikileaks Data After Assange Plea Deal

Distributed Denial of Secrets (DDoSecrets) has mirrored Wikileaks' published data on its own site after Wikileaks founder Julian Assange entered a plea deal requiring the deletion of unpublished classified info. DDoSecrets aims to preserve the data as Wikileaks' site has deteriorated, risking information loss. The transparency group published the mirrors, including files on Yemen, the CIA, and Hillary Clinton emails, alongside a site revamp. While this archives controversial dumps like Saudi medical records, DDoSecrets won't censor Wikileaks data. DDoSecrets is also launching new transparency projects separate from data preservation to aid sensitive work like publications. Founders say community involvement is key for the data library's stability. They did not communicate with Wikileaks about mirroring amid the site's ongoing dysfunction.


Hacker Says AT&T Paid About $400,000 to Erase Sensitive Data

A hacker claims to have been paid around $400,000 in Bitcoin by AT&T in mid-May to delete stolen customer call and text logs. The payment timing aligns with the telecom's breach response. While AT&T won't confirm a ransom payment, sources say the company did pay hackers. It's unclear if intermediaries were used. The relatively low payment amount compared to other breaches could be due to no financial records being accessed. The hack was part of a campaign that compromised Snowflake accounts. AT&T says it doesn't believe the now-deleted data was made public.


Hackers Use PoC Exploits In Attacks 22 Minutes After Release

According to Cloudflare's 2024 Application Security report, threat actors quickly weaponize publicly available proof-of-concept (PoC) exploits, sometimes in as little as 22 minutes. Between May 2023 and March 2024, Cloudflare observed heightened scanning for known CVEs, followed by command injection attempts using available PoCs. Most targeted were flaws in Apache, ColdFusion, and MobileIron products. A key example is CVE-2024-27198 in JetBrains TeamCity, which was exploited just 22 minutes after the PoC's release. Cloudflare says AI-assisted rule generation is needed to keep detection rules current, as human-written rules often lag behind attackers. The report also found that malicious traffic mitigated by Cloudflare's WAF and DDoS protection averaged 6.8% of daily traffic, up from 6% the prior year, showing increased attack volume.


National Science Foundation Breaks Ground On Computing Facility In Texas

The National Science Foundation has broken ground on a new Leadership-Class Computing Facility at the University of Texas at Austin. Expected to open in 2026, the facility will house the Horizon supercomputer, which aims to advance computational research through improved hardware and services. Horizon is projected to increase simulation performance 10 times over the current Frontera system and enable significantly more advanced AI capabilities. The facility will collaborate with science centers nationwide to expand access. Its goal is to support research breakthroughs in science, AI, and other disciplines.


Cybersecurity Needs To Be Able To Prevent Attacks, Not Just Respond - Opinion

The article argues that cybersecurity needs to focus more on prevention and early threat detection rather than just responding to attacks. It states that cyber threats are increasing exponentially, costing trillions of dollars globally. The shift to remote work has expanded the attack surface. Cyber threat intelligence, which involves collecting and analyzing data on threats, is crucial for anticipating and mitigating attacks. Organizations using CTI detect breaches earlier and have better prevention. CTI provides benefits like early threat detection, faster response times, efficient resource allocation, collaboration, and strategic planning. The article advocates using a combination of strategic, tactical, operational, and technical intelligence based on an organization's needs.


American Hacker in Turkey Linked to Massive AT&T Breach

John Binns, a U.S. citizen currently incarcerated in Turkey, is reportedly connected to the recent data breach at AT&T, affecting almost all of the company's customers. Binns was previously indicted for a breach at T-Mobile in 2021. The stolen data includes call and text records from a third-party cloud service provider used by AT&T and reveals the numbers AT&T customers interacted with over several months in 2022. The breach highlights the sensitive nature of the stolen information.


The National Cyber Summit 2024: Bringing Cyber Professionals Together

The National Cyber Summit in Huntsville aims to unite cyber professionals from various industries, fostering collaboration and knowledge sharing. With a focus on workforce development and cybersecurity education, the summit solidifies Huntsville's position as a cyber hub.


AT&T Breach May Also Impact Millions of Boost, Cricket, H2O Customers

AT&T has disclosed a major data breach that occurred through a third-party cloud platform, Snowflake, exposing phone numbers and metadata related to calls and texts for AT&T wireless customers as well as customers of other wireless providers. The records were accessed between April 14 and April 25. The stolen data includes phone numbers, call volumes, and cumulative call durations. "Nearly all" of AT&T's wireless customers, including those using mobile virtual network operators (MVNOs) like Boost Mobile, Cricket Wireless, H2O, and Straight Talk Wireless, are affected. While names and other personally identifying information (PII) were not included, the presence of cell site identification numbers raises concerns about potential location tracking and targeted social engineering. The stolen data can be used for phishing attempts, identity theft, and other malicious activities.


The Snowflake Attack May Be Turning Into One of the Largest Data Breaches Ever

A major data breach targeting customers of cloud storage company Snowflake is growing into one of the largest-ever breaches. Criminal hackers have been attempting to access customer accounts using stolen login details, with data breaches at Ticketmaster and Santander potentially linked to the attacks.


AT&T Hack Undermines US National Security, Experts Say

Privacy and security experts are calling the recent hack on AT&T Inc. one of the worst breaches in the history of American telecommunications providers. The hack, which occurred in April, resulted in the theft of records of calls and text messages from nearly all of AT&T's over 100 million wireless customers. While the stolen data did not include audio or written contents of communications, it included metadata such as call and text timestamps and location data, which can be used to create detailed profiles of individuals. The breach raises concerns about national security and the potential exposure of both personal and government secrets. The telecommunications sector is a prime target for hackers due to the valuable personal information it holds.


Auto CEO Makes Bold Promise After Cyberattack, Outage

CDK Global's CEO, Brian MacDonald, promises financial compensation to dealerships affected by the recent cyberattack and software outage. The company has also offered a free tool for training on cyber incident preparedness. CDK Global faces lawsuits related to the cyberattack and outage, with dealerships claiming harm to their businesses and compromised data.


Russian Jamming Is Wreaking Havoc on GPS in Eastern Europe

Russian jamming of GPS signals is causing disruption to navigation systems in Eastern Europe, affecting countries such as Estonia, Latvia, Lithuania, Finland, Sweden, Poland, and Germany. The purpose of the jamming is unclear, with some suggesting it is a spillover effect from Russian air defense measures, while others believe it is a deliberate attack on non-combatant nations. The jamming has impacted commercial flights and poses significant challenges to aviation safety.


Peters Expresses Concerns on CISA Plan to Implement Rule on Cyber Incident Reporting

Senator Gary Peters sent a letter to CISA Director Jen Easterly expressing concerns that CISA's draft rule to implement the Cyber Incident Reporting for Critical Infrastructure Act could require over-reporting of cyber incidents. Peters said this could unnecessarily burden employees and limit CISA's ability to analyze breaches and support critical infrastructure. He requested CISA carefully consider public comments and ensure regulations don't overburden cybersecurity professionals.


SEC's ‘Swiss Army’ Accounting Law Tested by Cyber Breach Charges

The SEC is expanding its use of internal accounting control provisions to cover cybersecurity incidents, charging companies like R.R. Donnelley over breaches despite proper disclosures. This signals more aggressive enforcement that has raised concerns even among Republican commissioners. A judge's upcoming ruling on the SEC's similar charges against SolarWinds, which has called the SEC's theory a "wholesale rewriting" of the law, could provide guidance on the scope of the accounting rules.


NATO to Create Its Own Cyber Defense Center

The North Atlantic Treaty Organization (NATO) plans to establish a new Integrated Cyber Defence Centre at its Belgium headquarters. The center aims to monitor cyber threats, improve resilience, and protect NATO's networks and cyberspace operations. This comes as NATO members face increased politically-motivated cyberattacks since Russia's invasion of Ukraine. The center will leverage advanced technologies and industry experts to enhance NATO's cyber situational awareness and defense.


Massive Snowflake-Linked Attack Exposes Data on Nearly 110M AT&T Customers

Hackers breached AT&T's Snowflake cloud environment and stole records of calls and texts for nearly 110 million wireless customers covering a roughly six-month period in 2022. The exposed data didn't include personal info but listed the phone numbers customers interacted with and call lengths from May to October 2022, plus a single day in January 2023. AT&T said it detected the 11-day Snowflake intrusion in April with help from cyber experts and is working with the FBI; credentials stolen elsewhere enabled the breach.


How Did the Auto Dealer Outage End? CDK Almost Certainly Paid a $25 Million Ransom

CDK Global, a software provider for thousands of car dealerships across the US, appears to have paid a $25 million ransom in bitcoin to hackers last month to restore its systems after a cyberattack. The payment hasn't been confirmed but blockchain records show the bitcoin transfer to an account linked to the BlackSuit ransomware gang. This would be a huge payout even amid a surge in costly ransomware attacks.


Notorious Hacker Kingpin 'Tank' Sentenced to 18 Years in Prison

Vyacheslav Igorevich Penchukov, aka "Tank," the leader of the Zeus malware gang, has been sentenced to 18 years in prison and ordered to pay over $73 million. Penchukov, who had been on the FBI's most-wanted list for years, pleaded guilty to conspiracy charges related to racketeering and wire fraud. His arrest and conviction mark a significant blow against Eastern European cybercriminals, highlighting the challenges faced by law enforcement in extraditing individuals from Russia and Ukraine.


Phone, Text Message Records of 'Nearly All' AT&T Customers Stolen

AT&T has announced that hackers accessed six months' worth of phone and text message records for "nearly all" of its customers. The data, which was taken from AT&T's Snowflake instance, includes phone numbers and cell site ID numbers, but does not contain content or personally identifiable information. AT&T believes that at least one person connected to the breach is in federal custody. The incident is part of a series of data breaches involving the cloud platform Snowflake. The stolen data could be valuable to scammers, hackers, and nation-backed threats.


Wallets Tied to CDK Ransom Group Receive $25 Million After Attack

Researchers have discovered that the wallets connected to the ransomware group responsible for the CDK Global cyberattack received a payment of over $25 million just two days after the attack was made public. The payment was made in bitcoin and is believed to be connected to the BlackSuit group. While the evidence suggests that CDK Global may have made the ransom payment, it has not been confirmed. The $25 million payment would be the second-largest ransom payment on record.

