CyberWire Daily - A glimpse into Mr. Putin's cyber war room. 3CXDesktopApp supply chain risk. XSS flaw in Azure SFX can lead to remote code execution. AlienFox targets misconfigured servers.

Episode Date: March 31, 2023

The Vulkan papers offer a glimpse into Mr. Putin's cyber war room. The 3CXDesktopApp vulnerability and supply chain risk. A cross site scripting flaw in Azure Service Fabric Explorer can lead to remote code execution. Rob Boyce from Accenture Security on threats to EV charging stations. Our guest is Steve Benton from Anomali Threat Research, sharing a 'less is more' approach to cybersecurity. And AlienFox targets misconfigured servers. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/62

Selected reading.
A Look Inside Putin's Secret Plans for Cyber-Warfare (Spiegel)
Secret trove offers rare look into Russian cyberwar ambitions (Washington Post)
7 takeaways from the Vulkan Files investigation (Washington Post)
'Vulkan files' leak reveals Putin's global and domestic cyberwarfare tactics (the Guardian)
Contracts Identify Cyber Operations Projects from Russian Company NTC Vulkan (Mandiant)
3CX DesktopApp Security Alert - Mandiant Appointed to Investigate (3CX)
Information on Attacks Involving 3CX Desktop App (Trend Micro)
3CX Confirms Supply Chain Attack as Researchers Uncover Mac Component (SecurityWeek)
There's a new supply chain attack targeting customers of a phone system with 12 million users (TechCrunch)
Super FabriXss: From XSS to an RCE in Azure Service Fabric Explorer by Abusing an Event Tab Cluster Toggle (CVE-2023-23383) (Orca Security)
Dissecting AlienFox | The Cloud Spammer's Swiss Army Knife (SentinelOne)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. The Vulkan Papers offer a glimpse into Mr. Putin's cyber war room. The 3CX desktop app vulnerability and supply chain risk. A cross-site scripting flaw in Azure Service Fabric Explorer can lead to remote code execution.
Starting point is 00:02:19 Rob Boyce from Accenture Security on threats to EV charging stations. Our guest is Steve Benton from Anomali Threat Research, sharing a less is more approach to cybersecurity. And AlienFox targets misconfigured servers. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, March 31st, 2023. A disaffected insider has apparently leaked sensitive information about Russia's preparation and waging of cyber warfare. NTC Vulkan, a Moscow-based IT consultancy, has been exposed as a major contractor to all three of the principal Russian intelligence services, the GRU, the SVR, and the FSB. Vulkan's specialty is the development of tools for cyber attack. Der Spiegel, one of a group of media outlets that broke the story, sources it to a major leak, stating, this is all chronicled in 1,000 secret documents that include 5,299 pages full of project plans, instructions, and internal emails from Vulkan from the years 2016 to 2021.
Starting point is 00:03:48 Despite being all in Russian and completely technical in nature, they provide unique insight into the depths of Russian cyber warfare plans, in a militarized country that doesn't just fight with warplanes, tanks, and artillery, but with hackers and software. The Vulkan papers reveal that the company is engaged in supporting a full range of offensive cyber operations. Its services and products extend to espionage, disinformation, and disruptive attacks intended to sabotage infrastructure, and the company also provides training to its customers in the security and intelligence fields. The Washington Post, another recipient of the leaks, ascribes them to a disaffected insider
Starting point is 00:04:32 who's motivated by opposition to Mr. Putin's war against Ukraine. The Post reports, an anonymous person provided the documents from the contractor, NTC Vulkan, to a German reporter after expressing outrage about Russia's attack on Ukraine. The leak, an unusual occurrence for Russia's secretive military-industrial complex, demonstrates another unintended consequence of President Vladimir Putin's decision to take his country to war. The anonymous leaker explained the motivation behind their actions, stating, The company is doing bad things, and the Russian government is cowardly and wrong. I am angry about the invasion of Ukraine and the terrible things that are happening there. I hope you can use this information to show what is happening behind closed doors.
Starting point is 00:05:20 They also told their German contact, when declining to provide identification, that they intend to vanish like a ghost for obvious reasons of personal security. Taken as a whole, the documents show that Russia is devoting considerable attention to cyber battlespace preparation. Keep those shields up. Many companies' research units are reporting that a vulnerability in the widely used 3CX desktop app is being exploited in a supply chain campaign that may prove as significant as, for example, the SolarWinds incident. SentinelOne, Sophos, and CrowdStrike have all made public reports about the intrusion, with 3CX itself issuing its own warning yesterday morning.
Starting point is 00:06:06 A supply chain attack on enterprise phone company 3CX may have compromised thousands of business networks, The Record reported yesterday. The company, which Bleeping Computer says provides services to companies like American Express, Coca-Cola, McDonald's, BMW, Honda, Air France, Toyota, Mercedes-Benz, IKEA, and the UK's National Health Service, confirmed yesterday that its desktop app had contained malware. The desktop app, TechCrunch reports, is used for voice and video calls. Chief Executive of 3CX, Nick Galea, initially noted surprise in a Twitter thread that the compromise was not reported by SentinelOne sooner, but SentinelOne's Juan Andres Guerrero-Saade noted the issue's presence in 3CX's support forums as far back as March 22nd. SecurityWeek reports that 3CX Chief Information Security Officer Pierre Jourdan said that the intrusion
Starting point is 00:07:05 could be the work of a state-sponsored advanced persistent threat. He said, the issue appears to be one of the bundled libraries that we compiled into the Windows Electron app via Git. Worth mentioning, this appears to have been a targeted attack from an advanced persistent threat, perhaps even state-sponsored, that ran a complex supply chain attack and picked who would be downloading the next stages of their malware. The vast majority of systems, although they had the files dormant, were in fact never infected. Cybersecurity firm Huntress has reported almost 2,800 intrusions within their partner base. CrowdStrike also confirmed activity on both
Starting point is 00:07:46 Windows and macOS and found the malware to be notarized by Apple, which the outlet says indicates that the tech giant checked it for malicious elements and failed to find any. However, that seems to no longer be the case, as users are now seeing a warning before the installation of the app. The approximately 400-megabyte Mac application was confirmed by Patrick Wardle to contain suspicious activity, the outlet reports. TechCrunch notes that Linux, iOS, and Android versions of the app still appear unaffected at this time. Researchers at Orca Security discovered a cross-site scripting vulnerability affecting Azure Service Fabric Explorer. The vulnerability, which Orca calls
Starting point is 00:08:32 Super FabriXss, can allow remote attackers to leverage an XSS vulnerability to achieve remote code execution on a container hosted on a Service Fabric node without the need for authentication. Microsoft issued a patch for the flaw in its March 2023 Patch Tuesday fixes. Organizations that have updated Service Fabric Explorer to the latest version are protected against this vulnerability. For more on this vulnerability, see CyberWire Pro. And finally, we close with a look at another commodity being traded in the criminal-to-criminal market. SentinelOne describes AlienFox, a toolset designed to steal credentials
Starting point is 00:09:14 and API keys from at least 18 cloud service providers. The toolset is being sold over Telegram and is under active development. AlienFox opportunistically targets misconfigured web servers, hosting web frameworks such as Laravel, Drupal, Joomla, Magento, OpenCart, PrestaShop, and WordPress. The toolkit will then dump the server's configuration files and extract cloud API keys and secrets. The researchers state that the spread of AlienFox represents an unreported trend toward attacking more minimal cloud services unsuitable for crypto mining in order to enable and expand subsequent campaigns. Coming up after the break, Rob Boyce from Accenture Security looks at threats to EV charging stations.
Starting point is 00:10:17 Our guest is Steve Benton from Anomali Threat Research, sharing a less is more approach to cybersecurity. Stay with us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
Starting point is 00:11:15 and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one third of new members discover they've already been breached.
Starting point is 00:12:08 Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. Be honest. Do you consider yourself a security tools pack rat? It's easy to do these days with vendors making the compelling case that if only you add their special solution that protects like no other, your organization will be safer, you'll sleep better at night, and will receive the admiration of friends, family, and co-workers alike. Steve Benton is VP of Threat Research at Anomali,
Starting point is 00:12:51 and he makes the case that when it comes to security tools, sometimes less is more. Every tool that you've got is creating data. It's causing cost to you as an organization in terms just to operate the technology, but also those that have to look after it and process what it produces. And is it aligned to your current threat landscape and the current threats in which you're facing? Is the legacy of what you've acquired holding you back as an organization? And you can't let go of the past in order to grab what you need to in order to assure yourself into the future. This is a big challenge for any organization, and especially in the security sphere. Because let's face it, security is an overhead for an organization.
Starting point is 00:13:36 It's part of your cost base. And you need to be exercising that cost base in the most effective and efficient way possible. But you need to ensure then that you've got that means to assess what you truly need from what you've acquired and what do you need to acquire going forward and can you justify that and put the budgets in place to make that happen. How do you recommend that organizations go about that self-assessment? Well, you've got to do it with rigor. You've got to do it with honesty. The simplest way that I've approached doing it in my past
Starting point is 00:14:10 is I sort of draw, if you like, a bell curve. I could even call it a hype cycle. And so let's imagine at the very top of this bell curve are the tools that you've assessed that are absolutely hitting the sweet spot. They're working in an optimal way for the organization, and they're working efficiently in terms of the effort that you need to place within them in order for them to operate, not just individually,
Starting point is 00:14:33 but how they operate as part of your ecosystem. So any good security ecosystem has a set of overlapping and amplifying controls that meet the needs of maintaining the security posture for the organization. If we look at the left-hand side, you've maybe got tool sets that you've acquired fairly recently that are still on the adoption slope. You haven't quite pulled them up the slope to get them into that sweet spot of operation. But that could be because of what's sitting on the right-hand side of this slope. So these are the tools that really have sort of established themselves, but they aren't really hitting the mark. You're continuing to feed and water them.
Starting point is 00:15:11 You're continuing to utilize the output because you kind of have to process it because maybe that's the way you're judged. That's the way your KPIs are judged in security operations. But fundamentally, they aren't delivering the impact for you on the organization. So what do you need to do? Well, you need to exit those tools on the right-hand side of the slope. You've got to accelerate the adoption up to the top of the slope and then be sure of the ground you're standing on at the top of that slope in terms of what is the value these overlapping tools are giving you for your security posture. Why have you selected them and how are they justified going into the future? So these are hard yards, but they're necessary and allow you as a security
Starting point is 00:15:51 leader to stand in front of your investors, your boards, your senior leadership team, and the rest of the business to say why this expenditure is worthwhile and the value it's delivering to the organization. What is the danger of being over-provisioned here? I mean, is it a risk of things collapsing under their own weight? There is an element of that for sure. The more you've got, you're clearly adding to the complexity of your security operation. So being able to see the clarity of the visibility
Starting point is 00:16:23 of your security posture is absolutely vital. Now, that clarity can be achievable when you're operating in what I call peacetime. So what do I mean by peacetime? Not that nothing's happening, but nothing of significant harm to your organization is currently happening. You have no cresting threats that are significant to the organization. You have no current attack that you're aware of that's dangerous to your organization. You're operating in a reasonably steady state.
Starting point is 00:16:51 And maintain the visibility with a complex set of tool sets. You can live with that. But then when you move into a wartime situation where you've got a complex threat approaching the organization, you possibly have parts of the organization that are already compromised, and you're trying to understand the extent of that. And you've got a complex ecosystem which can't give you answers with the immediacy that you need. Well, you've lost the precision of your security operation. In fact, you've lost the grip of your security posture right when you need it most. And that's the danger for the organization is that complexity, but also the overhead in terms of the effort of people that need to be skilled and understand how to bring those tool sets
Starting point is 00:17:32 together. You're asking too much, especially when the chips are down in that kind of wartime situation. You know, I'm reminded of, there was an old saying in advertising back in the Mad Men days of, I know that 50% of my spend on advertising is wasted. I just don't know which 50%. Is that sort of philosophy at play here where people are afraid to shed some of these security tools because there's always that what if over the horizon? What if that's the tool that stops the threat? And if I get rid of that tool, I'll be blamed for having gotten rid of that tool that might have over the horizon? What if that's the tool that stops the threat? And if I get rid of
Starting point is 00:18:05 that tool, I'll be blamed for having gotten rid of that tool that might have stopped the threat. Well, you're absolutely right. And in fact, we know security vendors are always saying, you need our tool. We're the ones that will define this. We're the ones that will keep you safe. So there's an element of that. There's also an element with your security teams themselves that they've got comfortable with certain tool sets and they're happy to live their lives there. But what you actually need to do is to enlist your security operations, your top analysts, your leaders in your security operations to come together and say, look, guys, we don't have any sacred tools here. Let's actually take a step back together.
Starting point is 00:18:46 Let's look at this slope. Let's look at what's up at the top of the hill and whether it's working effectively for us. Let's look at what's sliding down the right-hand side. And you know what? I support you in making a bold decision to say, we will exit that, but we'll understand why we have done it. And we will have convinced ourselves that what we're sticking with and what we're downsizing to is the effective set of tools that will take us through having the grip on our security posture now and into the future as we anticipate the
Starting point is 00:19:16 threats coming forward. That's Steve Bent more to this conversation. If you want to hear more, head on over to the CyberWire Pro and sign up for Interview Selects, where you'll get access to this and many more extended interviews. And joining me once again is Robert Boyce. He is Managing Director and Global Lead for Cyber Resilience at Accenture. Rob, it's always great to welcome you back to the show. You know, my wife is currently car shopping, and that means that one of the things she's considering is getting an EV car, an electric car. And so we've been weighing all the pros and cons with that. And I know you and your colleagues have been looking at EV cars
Starting point is 00:20:28 and charging stations and some of the potential vulnerabilities there. What can you share with us today? Hi, Dave, and thanks so much for having me back. And as an EV owner myself, I am also very passionate about this topic. So this is, of course, something the security community has been talking about a lot. It just happens to be now that we're seeing so many more EVs on the road that the topic's becoming even more prevalent.
Starting point is 00:20:55 And I think it's interesting because a lot of people are always asking, well, don't combustion engine cars have computer chips? Why are we not concerned about them? And I think it's just the absolute magnitude of the presence of the computerized cars in EV. A standard combustion engine maybe has 100, 150 chips in it, where these EVs are having 20 times that. So as you can imagine, the exposure is just phenomenal. And then when you think about the connectivity that these cars have,
Starting point is 00:21:33 either typically have connections back to the manufacturer or the dealers or maybe even the rental agency, just that level of tax surface makes them a very potentially interesting target for threat actors. So what are the primary concerns here? I mean, are we talking about ransomware? Are we talking about privacy issues? What are you all tracking? Yeah, it's a great question. And so, you know, what we've seen in the research is that there's a number of different possible threat scenarios. Ransomware is a great one. So as you know, we've seen ransomware for the last several years be a very big vulnerability for organizations.
Starting point is 00:22:13 But imagine threat actors were able to ransom your car and you couldn't start it without having to pay them or being able to move from a charging station into a car or maybe even take over or penetrate an EV manufacturer because they all have over-the-air updates and being able to use that network to compromise many vehicles simultaneously. These potential scenarios are super fascinating.
Starting point is 00:22:45 And of course, as you can imagine, there's a human safety element to this as well. So as you're in your car and someone's able to take over your car and maybe start driving it for you, and you don't have the control anymore, that's a huge concern. And we haven't seen this happen in the wild yet,
Starting point is 00:23:02 but we have seen researchers successfully take over a car and make it drive erratically in the test scenario. What about the charging stations themselves? I mean, to what degree is there actually relevant or important communications going on between the stations and the vehicles? Yeah, the charging stations are also super interesting. I mean, especially the public charging stations, as you can imagine, that they're typically connected to cloud or connected via cellular networks, which makes them themselves a very attractive attack surface for threat actors.
Starting point is 00:23:38 And the majority of these charging stations are operating with an open protocol that allows them to be able to take many different manufacturers connecting to a single public charging station. So they have to use some level of open protocol for that. And the information that's being transferred back and forth is just being able to identify the car. But again, there is always the possibility of malware being transmitted from a car to a charging station, from a charging station to a car. And then, as you can imagine, the more and more cars that are using these public infrastructures, that being a possible attack vector is quite significant. As an EV owner yourself, how do you approach this?
Starting point is 00:24:24 I mean, it's not like with a computer where you can say, hey, don't click the links. Are there best practices to try to make yourself not be the low-hanging fruit? I knew you would ask me this question when I said I had an EV myself. And it's almost a little embarrassing for someone who's been doing security for 25 years. But I can promise you, it wasn't even a consideration that I had when I was choosing my car. I wanted something that was really cool. It had a good user experience, good interface. And just the prospect of full autonomous driving is very exciting.
Starting point is 00:24:58 So even someone like me definitely overlooked security as a possible requirement when I'm buying it. But there's some things that you can do and some things that are harder. I typically try and stay away from plug-in charging stations, try and charge my car at home. But when you're thinking about updates and things like that, there's not really a lot of optionality, I would say,
Starting point is 00:25:22 in that you're taking the update or you're not taking the update from the manufacturer. So at this time, there's not a lot a consumer can do. What is exciting, we are seeing a lot of focus in this area, right? So the Biden White House had a lot of people within the EV industry back last, I think it was October, at the White House talking about security in the space. We've seen transportation agencies also start talking about security implications in the space. So I think we're going to start seeing more regulations that will help manufacturers
Starting point is 00:25:58 start making sure that they're embedding more security. I think this is a very, very young industry. And of course, as you can imagine, with any young industry, first to market is super important. And so I think, I'm not saying security has necessarily been overlooked, but I don't think it's necessarily been a priority from the manufacturer's point of view.
Starting point is 00:26:18 It's really, I think just with any young industry, we need to learn more about security and how it applies to this industry to make sure we're really safeguarding the consumers appropriately. All right. Make sure you have your seatbelts properly fitted and secured, right? Absolutely. Yeah. All right. Rob Boyce, thanks so much for joining us. than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com
Starting point is 00:27:24 today to see how a default-deny approach can keep your company safe and compliant. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Dick O'Brien from Symantec's Threat Hunter team. We're discussing their research, Blackfly, an espionage group targets materials technology. That's Research Saturday. Check it out. The Cyber Wire podcast is a production of N2K Networks,
Starting point is 00:28:09 proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Trey Hester, Brandon Karp, Eliana White, Puru Prakash, Liz Ervin, Rachel Gelfand, Thanks for listening. We'll see you back here next week. Thank you. data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
