Cybersecurity News: Psychology vs. threat actors, AI leveling up, Qilin hit Synnovis

In today’s cybersecurity news…

US research using psychology against threat actors

The Intelligence Advanced Research Projects Activity, IARPA, picked five research teams to look into threat actor behavior, hoping to boost cybersecurity measures by better understanding motives and possibly predict future actions. Roughly 150 people will work on the research, with teams from Raytheon, Peraton Labs, Charles River Analytics, SRI International, and GrammaTech. The teams will take different approaches, like monitoring security researchers for biases that could apply to threat actors and designing fake networks to waste threat actors’ time. Program manager Kimberly Ferguson-Walter said threat actors routinely take advantage of known human biases, and defenders should attempt to do the same.

(Bloomberg)

AI leveling up unsophisticated threat actors

Speaking at an event in Washington, US Treasury CISO Sarah Nur and FBI cyber division deputy assistant director Cynthia Kaiser both said that new AI tools made it easier for less sophisticated threat actors to become “at least mildly better,” allowing for things like performing scripting tasks and finding coding errors. Also at the event, assistant secretary for cyber and technology security in the State Department’s Bureau of Diplomatic Security Gharun Lacy said he’s seen AI used as an amplifier by threat actors, used to improve their best skills. All said the government needs to improve information sharing and coordination with partners across public and private sectors. 

(FedScoop)

London Hospital attacks linked to Qilin 

UK National Cyber Security Centre CEO Ciaran Martin said the Qilin ransomware organization likely performed the attack against the pathology service provider Synnovis earlier this week. Martin said the Russia-based group likely performed the attack for financial gain, not to specifically disrupt primary healthcare. Bleeping Computer noted Qilin’s leak site remains down, although it’s unclear whether the outage is related to the attack. Over the last year, Qilin developed an advanced customizable Linux encryptor designed to target enterprise virtual machines specifically.

(Bleeping Computer)

Researchers find Chinese espionage operation

Security researchers at Sophos detailed an operation dubbed “Crimson Palace” operating in Southeast Asia throughout 2023, with unmanaged access likely starting in early 2022. The operation used three distinct clusters of intrusion activity that showed signs of coordination. Attack techniques and infrastructure align with Chinese state-sponsored actors. The operators primarily looked to prolong access to networks to collect sensitive military and technical information from victims.

(Infosecurity Magazine)

Thanks to today’s episode sponsor, Conveyor

Conveyor is the market leading AI-powered platform that automates the entire customer security review process — from easily sharing your security posture and SOC 2 to letting AI answer security questionnaires instantly with 90% accuracy. 

Use Conveyor to fly through any customer security review in minutes. There’s a reason our customers have dubbed Conveyor their ‘favorite security tool of the year’.

Test it out in a free proof of concept at www.conveyor.com and mention this podcast for 5 free questionnaire credits when you purchase a Pro plan.

Australia suing Medibank over data breach

The Australian Information Commissioner filed a lawsuit against the health insurance giant over a 2022 cyber attack that impacted roughly 9.7 million Australians. The regulator alleges Medibank “failed to take reasonable steps to protect personal information” that resulted in “a serious interference with the privacy of a very large number of individuals.” Under Australia’s Privacy Act of 1988, Medibank could face up to a $2.22 million fine for each case of unauthorized access, so theoretically up to $21 trillion. The Federal Court will determine any actual fine amount. After the attack, Australia revised the Privacy Act to cap fines at $50 million, but that cap does not apply to prior breaches.

(ABC Australia)

Interpol makes cyber sabotage arrests

Moldovan authorities coordinated with French prosecutors and the FBI to detain four people suspected of attempting to sabotage Interpol’s Red Notice system. Red Notice is used to alert 195 member countries of wanted individuals. The suspects allegedly paid intermediaries millions of dollars to inform people listed on Red Notice as well as attempting to delete notices. The UK National Crime Agency also said it uncovered the names of other individuals accepting bribes for similar actions. Interpol said it added “additional measures” to ensure the system could not be abused with similar incidents going forward. 

(The Record)

RansomHub shows signs of a rebrand

A new report from researchers at Symantec shows that the RansomHub ransomware strain represents an update to Knight ransomware. Knight operators shut down their ransomware-as-a-service operation in February 2024, putting its source code up for sale. RansomHub claimed its first victim that same month. The researchers found significant code overlap between the two, including identical command-line help menus and the use of Gobfuscate to avoid detection. Earlier this week, Mandiant researchers published a report that RansomHub began attempting to recruit affiliates from recently shuttered groups like LockBit and BlackCat.

(The Hacker News, Google)

American Radio Relay League discloses cyber attack

The ARRL serves as the national association of amateur radio enthusiasts in the US. It previously disclosed on May 16th that a “serious incident” took down its phone systems and Logbook of the World service, which logs successful radio contacts from users around the world. The organization now confirms that a “malicious international cyber group” orchestrated the incident. The ARRL involved the FBI to investigate, saying the “unique” attack compromised servers, cloud-based systems, PCs, and networking equipment. It’s unclear if the attack exfiltrated any data.

(Bleeping Computer)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor, and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.