CyberSecurity News Byte

Hosted by Jim Guckin

Welcome to CyberSecurity News Byte with Jim Guckin, your one-stop resource for the latest cybersecurity news, updates, and discussions. Our podcast is a vital tool for CyberSecurity and IT professionals, as well as technology leaders, who need to stay on top of the ever-evolving digital landscape.

Episode 29: October 3, 2022

Links 

https://www.latimes.com/california/story/2022-09-30/hackers-set-monday-deadline-for-lausd-to-pay-up-or-have-private-data-posted-on-dark-web

https://www.darkreading.com/attacks-breaches/solarmarker-attack-wordpress-fake-chrome-browser-updates

https://www.esentire.com/blog/popular-info-stealing-malware-solarmarker-is-using-watering-hole-attacks-and-fake-chrome-browser-updates-to-infect-business-professionals-warns-esentire

https://www.darkreading.com/threat-intelligence/cybercriminals-see-allure-bec-attacks-ransomware

https://arcticwolf.com/resources/blog/incident-response-insights-from-arctic-wolf-labs-1h-2022/

https://www.justice.gov/usao-hi/pr/honolulu-man-pleads-guilty-sabotaging-former-employer-s-computer-network

https://krebsonsecurity.com/2022/09/fake-ciso-profiles-on-linkedin-target-fortune-500s/

Vice Society sets a deadline for LA School District to pay ransom

  • Deadline was posted on a web site maintained by Vice Society
      • On the Tor network
  • Also confirmed they were responsible to three different journalists
  • Amount of ransom not disclosed.
  • “The papers will be published by London time on Oct. 4, 2022, at 12 a.m.,” the webpage states.
      • Midnight in London would translate to 4 p.m. Monday in Los Angeles.
  • Claim to have stolen 500 gigs of data
      • District staff believes confidential information of employees was not stolen
      • They are less certain about information related to students, which could include names, grades, course schedules, disciplinary records and disability status.
  • School District and law enforcement haven’t attributed the attack
      • CISA did put out a warning to the education sector about the group.
      • School Superintendent did acknowledge the attack came from a group that is familiar to law enforcement and known to attack school systems.
  • School District not negotiating
      • “What I can tell you is that the demand — any demand — would be absurd,” Supt. Alberto Carvalho said. “But this level of demand was, quite frankly, insulting. And we’re not about to enter into negotiations with that type of entity.”
      • “Paying ransom never guarantees the full recovery of data, and Los Angeles Unified believes public dollars are better spent on our students rather than capitulating to a nefarious and illicit crime syndicate.”
  • Attack
      • Happened on Sept 3rd
          • Labor Day
          • Holidays are often when hackers target.
      • Once detected by district staff, all systems were shut down.
      • Everything was back online by the scheduled Tuesday return date.
      • 600,000 users had to reset passwords, and systems were gradually screened for breaches and restored
      • Left trip wires in the system
          • Possible to damage more systems or data, or grant access, when accidentally tripped.
  • Hackers this year have attacked at least 27 U.S. school districts and 28 colleges
      • 36 of those organizations had data stolen and released online
      • At least two districts and one college paid the attackers
  • Typical extortion
      • Pay or release

SolarMarker makers use spamdexing to target a tax consulting organization

  • Group behind “SolarMarker” found targeting a global tax consulting company
      • Company has a presence in the US, Canada, UK and Europe
  • Using fake “Chrome browser updates”
  • SolarMarker
      • Multistage malware attacking browsers
          • Exfils autofill data
          • Exfils saved passwords
          • Exfils saved credit card info
      • First seen in 2020
      • .NET malware
      • PowerShell installer
  • Attack
      • Detected exploiting WordPress sites
          • Medical manufacturer’s website
      • End user at the tax consulting agency
          • Searched for the manufacturer by name on Google
      • Disguised as a Chrome update
          • But is based upon the victim; could be Firefox or Edge
      • Tricked them into downloading and running SolarMarker
  • Group is known for using SEO techniques to raise their malware pages up in ranking

BEC Attacks on the Rise

  • Research on ransomware all over the place
      • Some reports higher
      • Some reports lower
  • Undisputed champion
      • BEC
          • Business Email Compromise
  • 2022
      • According to Arctic Wolf’s “1H 2022 Incident Response Insights”
          • More than doubled in April, May and June
              • 17% to 34%
      • Abnormal Security
          • Reports of BEC attacks per mailbox up 84% this year
  • Why?
      • Crypto fluctuations
      • Easier to get away with
  • In 2021, BEC attacks accounted for 35%, or $2.4 billion, of the $6.9 billion in potential losses tracked by the FBI’s Internet Crime Complaint Center (IC3)
  • Protection
      • Multifactor authentication
      • Network segmentation
      • Data segmentation
      • Zero trust
      • Security awareness

Former IT Administrator Cripples Company

  • Casey K. Umetsu Sr.
      • Age 40
      • IT professional with the company for 2 years
          • Administering the network, helpdesk-like work
      • Hawaii-based financial company
      • Contract terminated
  • Pled guilty
      • Accessed his former employer’s website and made configuration changes to redirect web and email traffic to an external site
          • Crippled the company
      • Used his own credentials
      • Then locked the IT department out from fixing the changes
  • End game
      • All to be hired back at a higher salary
      • Backfired when the FBI investigated
  • January 19, 2023 sentencing
      • Maximum of 10 years of prison time
      • Fine of up to $250,000

LinkedIn CISO Struggles

  • Krebs on Security blog reports
      • Creation of a number of fake CISO accounts
      • No attribution yet
  • Big companies
      • These are made to appear to be CISOs at major Fortune 500 companies
          • Chevron
          • ExxonMobil
      • Even search results will bring up the fake accounts, near the real ones
      • Some are well crafted, some rushed, and some copy pieces from other CISOs’ profiles
  • Cybercrime Magazine’s CISO 500
      • Fell for the fake CISOs
          • Listed one of the fake profiles as a person on the list
  • Mandiant
      • Thinks it’s North Korean hackers trying to get jobs at crypto companies
  • LinkedIn
      • Battling the fakes
      • “In our transparency report we share how our teams plus automated systems are stopping the vast majority of fraudulent activity we detect in our community – around 96% of fake accounts and around 99.1% of spam and scam.”