
    cozy bear

    Explore "cozy bear" with insightful episodes like "EP 46 - Behind the Data Breach: Dissecting Cozy Bear's Microsoft Attack", "2024 Unleashes Unprecedented Cyber Breaches - Ep 82", "Episode 178 - The Last Of Us Episode", "67 - Hacked: Cyber Security with David Holtzman (Part Two)" and "66 - Hacked: Cyber Security with David Holtzman (Part One)" from podcasts like "Trust Issues", "Reimagining Cyber - real world perspectives on cybersecurity", "The Host Unknown Podcast" and "Politics: Meet Me in the Middle", and more!

    Episodes (8)

    EP 46 - Behind the Data Breach: Dissecting Cozy Bear's Microsoft Attack

    Andy Thompson, CyberArk Labs Offensive Security Research Evangelist returns to Trust Issues for a deep dive into the recent APT29 breach of Microsoft. In conversation with host David Puner, Thompson explores the intricate details of the January 2024 attack, dissecting the tactics employed by the APT29 threat actor, also known as Cozy Bear, Cozy Car, The Dukes – or, as Microsoft refers to the group: Midnight Blizzard. From the initial password spray technique to the exploitation of OAuth applications, listeners are taken on a journey through the breach's timeline – and learn how, ultimately, it all boils down to identity. The discussion touches upon the nuances of threat actor nomenclature, the significance of various bear-themed aliases and the professional nature of state-sponsored cyber espionage groups. Throughout the episode, practical insights and cybersecurity best practices are shared, offering organizations valuable strategies to bolster their defenses against evolving cyber threats. For a comprehensive analysis of the APT29 Microsoft data breach and detailed recommendations for improving cybersecurity posture, check out the accompanying blog post written by Andy Thompson.

    2024 Unleashes Unprecedented Cyber Breaches - Ep 82

    Mother of All Breaches. The Midnight Blizzard attack. Nation-state cyber conflicts. January 2024 has seen a blitz of cyber attacks. In this week's episode, hosts Stan Wisseman and Rob Aragao delve into the alarming start to the new year.

    1. Mother of All Breaches (MOAB):

    - Unprecedented Scale: Over 26 billion records compromised, impacting major platforms like Twitter, LinkedIn, Adobe, and Dropbox, along with government agencies worldwide.

    - Data Complexity: The breach includes not only credentials but also sensitive data, creating substantial value for malicious actors.

    - Organization: The breach was meticulously organized, posing a significant threat to data security and privacy.

    2. Midnight Blizzard Attack:

    - Notorious Group: Midnight Blizzard, also known as Cozy Bear and APT29, resurfaces.

    - Targeted Organizations: Microsoft and HPE were among the targets, with a focus on compromising Office 365 Exchange environments.

    - Attack Strategy: Utilizing password spraying and brute force, the attackers gained access to a legacy, non-production test account, subsequently creating malicious OAuth applications.

    - Specific Targeting: The attackers selectively targeted executives, cybersecurity teams, and legal teams, aiming to gather intelligence on Microsoft's activities.

    3. State-Sponsored Cyber Warfare (Russia vs. Ukraine):

    - Escalating Tensions: Ongoing cyber warfare activities between Russia and Ukraine intensify, with a warning of disruptive and destructive attacks.

    - Advanced Tactics: Russian cyber forces, particularly Midnight Blizzard, demonstrate advanced capabilities, impacting Ukrainian e-services, utility companies, and online banking.

    - AI Integration: Ukraine effectively employs AI in its defense, utilizing facial recognition and cyber capabilities to counter cyber threats.

    The hosts emphasize the importance of proactive measures, including password changes, multi-factor authentication adoption, and vigilant identity governance. The discussion underscores the evolving landscape of cyber warfare, encompassing both kinetic and cyber threats.

    Follow or subscribe to the show on your preferred podcast platform.
    Share the show with others in the cybersecurity world.
    Get in touch via reimaginingcyber@gmail.com

    Episode 178 - The Last Of Us Episode

    This week in InfoSec (12:55)

    With content liberated from the "Today in infosec" Twitter account and further afield.

    11th December 2010: The hacker group Gnosis released the source code for Gawker's website and 1.3 million of its users' password hashes.

    After a jury found Gawker's parent company liable in a lawsuit filed by Hulk Hogan and awarded him $140 million, Gawker shut down in 2016. 

    https://twitter.com/todayininfosec/status/1734217170173763907

    14th December 2009: RockYou admitted that 32 million users' passwords (stored as plain text) and email addresses were compromised via a SQL injection vulnerability. RockYou's customer notification said "it was important to notify you of this immediately"...10 days after they became aware.

    https://twitter.com/todayininfosec/status/1735357287147995514   

    Not really infosec (https://x.com/depthsofwiki/status/1735147763447595024?s=20), but 14th Dec 2008 was the infamous Bush shoeing incident, in which Bush ducked the shoes thrown by Al-Zaidi while the Iraqi PM Nouri Al-Maliki tried to parry them.

    Rant of the Week (22:10)

    UK government woefully unprepared for 'catastrophic' ransomware attack

    The UK has failed to address the threat posed by ransomware, leaving the country at the mercy of a catastrophic ransomware attack that the Joint Committee on National Security Strategy (JCNSS) yesterday warned could occur "at any moment."

    The Parliamentary Select Committee reached this conclusion in a scathing report released December 13 that accused the government of failing to take ransomware seriously, and of providing "next-to-no support" to victims of ransomware attacks.

    "There is a high risk that the government will face a catastrophic ransomware attack at any moment, and that its planning will be found lacking," the report concluded. "There will be no excuse for this approach when a major crisis occurs, and it will rightly be seen as a strategic failure."

    Recent examples of ransomware infections at UK government institutions and critical private infrastructure are not hard to find.

    Manchester Police, Royal Mail and the British Library have all fallen victim to ransomware attacks since September 2023.

    In July 2023, the Barts Health NHS Trust hospital group was hit by the BlackCat ransomware gang. The NHS had already been taught a lesson about the vicious power of ransomware in 2017 when multiple Brit hospitals stopped taking new patients, other than in emergencies, after being hobbled by WannaCry.

    Third-party providers of NHS software systems have been hit as well, taking systems offline and forcing care providers to revert to pen and paper.

    In short, the situation with ransomware in the UK is already bad, and the JCNSS has predicted things will likely get worse.


    Billy Big Balls of the Week (29:54)

    Polish Hackers Repaired Trains the Manufacturer Artificially Bricked

    After breaking trains simply because an independent repair shop had worked on them, NEWAG is now demanding that trains fixed by hackers be removed from service.

    They did DRM to a train. 

    In one of the coolest and more outrageous repair stories in quite some time, three white-hat hackers helped a regional rail company in southwest Poland unbrick a train that had been artificially rendered inoperable by the train’s manufacturer after an independent maintenance company worked on it. The train’s manufacturer is now threatening to sue the hackers who were hired by the independent repair company to fix it. 

    The fallout from the situation is currently roiling Polish infrastructure circles and the repair world, with the manufacturer of those trains denying bricking the trains despite ample evidence to the contrary. The manufacturer is also now demanding that the repaired trains immediately be removed from service because they have been “hacked,” and thus might now be unsafe, a claim they also cannot substantiate. 


    Industry News (38:38)

    EU Reaches Agreement on AI Act Amid Three-Day Negotiations

    Europol Raises Alarm on Criminal Misuse of Bluetooth Trackers

    Widespread Security Flaws Blamed for Northern Ireland Police Data Breach

    UK Ministry of Defence Fined For Afghan Data Breach

    UK at High Risk of Catastrophic Ransomware Attack, Government Ill-Prepared

    MITRE Launches Critical Infrastructure Threat Model Framework

    Microsoft Targets Prolific Outlook Fraudster Storm-1152

    Vulnerabilities Now Top Initial Access Route For Ransomware

    Cozy Bear Hackers Target JetBrains TeamCity Servers in Global Campaign


    Tweet of the Week (46:06)

    https://x.com/WorkRetireDie/status/1732108681087508947?s=20

    Come on! Like and bloody well subscribe!

    67 - Hacked: Cyber Security with David Holtzman (Part Two)

    Bill Curtis and Jane Albrecht continue their discussion on cybersecurity with author and tech whiz David Holtzman. What's a zombie bot? Has a Trojan attacked your computer? How can we protect ourselves from hackers?

    This episode will both scare and enlighten you on all matters of personal and business cybersecurity. David Holtzman is a world-class information technologist, currently working with global blockchain companies, with deep expertise in privacy, encryption, ethics, cybersecurity, digital registries and intellectual property.

    Episode Timestamps:

    00:52 Hacking, Phishing, and Personal Attacks

    1:52 How Hackers Attack YOU

    4:07 Antivirus Software

    5:34 No Real Protection Against Hacking

    6:55 Real Life Hacking Examples

    7:43 Things you can check before being Hacked

    10:37 Hacking Cases during Covid

    11:48 What not to do to stay safe from Hackers and VPN

    13:07 Passwords

    15:07 Password Lockers and Hacks

    15:52 Positive Takeaways and Hacking

    19:42 Insider Threats and Business

    21:48 Individual Responsibility and Old-World Business Tactics

    24:06 Final Words 

    ----------------------

    Learn More:  https://www.curtco.com/meetmeinthemiddle

    Follow Us on Twitter: https://www.twitter.com/politicsMMITM

    Hosted by: Bill Curtis and Jane Albrecht

    Edited and Sound Engineering by: Joey Salvia

    Theme Music by: Celleste and Eric Dick

    A CurtCo Media Production

    https://www.curtco.com

    See omnystudio.com/listener for privacy information.

    66 - Hacked: Cyber Security with David Holtzman (Part One)

    Bill Curtis and Jane Albrecht discuss cybersecurity with author and tech whiz David Holtzman. They dive deep into the Colonial Pipeline hack, ransomware, and SolarWinds. You'll learn about the capabilities of Russia, China, and other nations in the cyber wars. Do you want to know what Zero Day means, who DarkSide, Fancy Bear and Cozy Bear are, which software is the safest, Apple or Microsoft, and how wars will be fought in the future? This two-part series on cyber intelligence will certainly deliver.

    David Holtzman is a world-class information technologist, currently working with global blockchain companies, with deep expertise in privacy, encryption, ethics, cybersecurity, digital registries and intellectual property.

    Episode Timestamps:

    3:16 Why do countries get hacked?

    5:05 The Colonial Pipeline Hack

    6:16 Panic Buying and Hacks (DarkSide)

    9:19 Two Types of Hackers

    10:30 Negotiating with Hackers

    11:08 The SolarWinds Hack and Russia

    12:54 Deduction and knowing who’s the Hacker

    14:34 Tracking what information was hacked

    16:16 How to handle the backdoor second hack attack

    17:45 Lessons Learned from Hackers and USA Cyber intelligence

    20:36 Trump and classified intelligence

    21:36 Do we have proof that Trump passed info onto the Russians?

    23:36 What is Zero Day?

    24:54 Apple vs Microsoft and Hacking

    28:02 Mutual assured annihilation

    29:50 Ramifications of Hacking

    32:44 Cold War References and destruction

    34:00 Defending against Russian Aggression 

    ----------------------

    Learn More:  https://www.curtco.com/meetmeinthemiddle

    Follow Us on Twitter: https://www.twitter.com/politicsMMITM

    Hosted by: Bill Curtis and Jane Albrecht

    Edited and Sound Engineering by: Joey Salvia

    Theme Music by: Celleste and Eric Dick

    A CurtCo Media Production

    https://www.curtco.com

    See omnystudio.com/listener for privacy information.

    Episode 31 - Arnoid

    Episode 30 - Aurinkotuulet

    Turvakäräjät swag shop
    https://teespring.com/turvakarajat

    HelSec virtual meetup #5 recordings
    https://www.youtube.com/playlist?list=PLJDd2aYn8T1CNLdxEdmv_asNyFZVijskA

    Hakkeriradio funding campaign
    https://mesenaatti.me/1916/tehdaan-yhdessa-hakkeriradio/

    HelSec ANSI artwork made by Velikani / H7
    https://twitter.com/velikani/status/1336394148006551555?s=20

    FireEye's publication on the backdoor slipped into the SolarWinds Orion product
    https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

    Nuclear weapons at risk because of the SolarWinds backdoor
    https://www.bleepingcomputer.com/news/security/solarwinds-hackers-breach-us-nuclear-weapons-agency/

    ZDNet's reporting on the SolarWinds topic
    https://www.zdnet.com/article/sec-filings-solarwinds-says-18000-customers-are-impacted-by-recent-hack/
    https://www.zdnet.com/article/microsoft-and-industry-partners-seize-key-domain-used-in-solarwinds-hack/

    Volexity's analysis of the attack
    https://www.helpnetsecurity.com/2020/12/16/solarwinds-hackers-capabilities/

    Helsingin Sanomat's coverage of the SolarWinds case
    https://www.hs.fi/ulkomaat/art-2000007687185.html

    Vinoth Kumar's tweet about the FTP credentials
    https://twitter.com/vinodsparrow/status/1338431183588188160?s=21

    Ghidra's debugger feature released
    https://github.com/NationalSecurityAgency/ghidra/tree/debugger

    Researchers managed to transmit data by using RAM as a WiFi card
    https://www.zdnet.com/google-amp/article/academics-turn-ram-into-wifi-cards-to-steal-data-from-air-gapped-systems/

    AIR-FI scientific paper
    https://arxiv.org/pdf/2012.06884.pdf

    The Magecart collective has been active in stealing credit card data
    https://www.bleepingcomputer.com/news/security/stealthy-magecart-malware-mistakenly-leaks-list-of-hacked-stores/
    https://www.bleepingcomputer.com/news/security/credit-card-stealer-hides-in-css-files-of-hacked-online-stores/
    https://www.bleepingcomputer.com/news/security/credit-card-stealing-malware-hides-in-social-media-sharing-icons/

    Sansec's research on the remote access trojan (RAT) malware used by Magecart, which leaks the data of Magecart's victims
    https://sansec.io/research/ecommerce-rat-leaks-victims

    Revolut virtual bank
    https://www.revolut.com/

    Companies suffer from cybercrime clearly more often in Finland than elsewhere in Europe
    https://yle.fi/uutiset/3-11695621

    The DoppelPaymer ransomware group now harasses its victims by phone
    https://www.zdnet.com/article/fbi-says-doppelpaymer-ransomware-gang-is-harassing-victims-who-refuse-to-pay/

    F-Secure's 2021 cyber academy
    https://emp.jobylon.com/jobs/70516-f-secure-cyber-security-academy-2021-finland/

    RUSSIA | S01 09 - The Crime: Russia steps over the line

    Hacking, leaking, and the spreading of chaos.

    How Russian government hackers timed a Democratic National Committee email leak to coincide with Hillary Clinton's biggest scandal.

    This week, we find out how Russia stepped over the line and tried to influence the outcome of the 2016 US Presidential Election.

    This is the ninth episode of Russia, If You're Listening.

    Each week, host Matt Bevan brings the story of a character involved in the investigation.

    You can get in touch at russia@abc.net.au.

    © 2024 Podcastworld. All rights reserved