CyberWire Daily - Adventures of ransomware, and other developments in cybercrime. Cyberespionage and hybrid warfare. A government shutdown averted. Cybersecurity Awareness Month is underway.
Episode Date: October 2, 2023

Double-tapping ransomware hits the same victim twice. Exim mail servers are found exposed to attack. Iran's OilRig deploys Menorah malware against Saudi targets. North Korea's Lazarus Group targets a Spanish aerospace firm. Update your ransomware scorecards: LostTrust is a rebrand of MetaEncryptor. Increased domestic surveillance in Russia, done partly so propaganda can be more effectively targeted. Killnet claims to have hit the British Royal family with a DDoS attack. Michael Denning, CEO at SecureG for Blu Ventures, shares developments in zero trust as a part of our Industry Voices segment. Rob Boyce from Accenture Security talks about Dark Web threat actors targeting macOS. And Cybersecurity Awareness Month begins this week.

Learn more about the Blu Ventures Conference here: https://www.bluventureinvestors.com/cyber-venture-forum

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/188

Selected reading.
Two or More Ransomware Variants Impacting the Same Victims and Data Destruction Trends (FBI)
FBI: Ransomware Actors Launching 'Dual' Attacks (Decipher)
A still unpatched 0-day RCE impacts more than 3.5M Exim servers (Security Affairs)
New Critical Security Flaws Expose Exim Mail Servers to Remote Attacks (The Hacker News)
APT34 deploys new Menorah malware in targeted phishing attack (Candid.Technology)
APT34 Deploys Phishing Attack With New Malware (Trend Micro)
Iranian APT Group OilRig Using New Menorah Malware for Covert Operations (The Hacker News)
Alleged Iranian hackers target victims in Saudi Arabia with new spying malware (Record)
North Korean hackers posed as Meta recruiter on LinkedIn (CyberScoop)
Lazarus APT Exploiting LinkedIn to Target Spanish Aerospace Firm (Hackread)
North Korean Lazarus targeted a Spanish aerospace company (Security Affairs)
Meet LostTrust ransomware — A likely rebrand of the MetaEncryptor gang (BleepingComputer)
Ukraine at D+585: Trench fighting in the south. (CyberWire)
Royal Family's official website targeted in cyber attack (Sky News)
Royal family website hit by cyber attack (The Independent)
The country 'dodged a bullet' after shutdown avoided, but the cyber threat still hovers (Washington Post)
US Federal shutdown averted (or postponed): effects on cybersecurity. (CyberWire)
Cybersecurity Awareness Month: perspectives from the cyber sector. (CyberWire)
Kicking off NIST's Cybersecurity Awareness Month Celebration & Our Cybersecurity Awareness Month 2023 Blog Series (NIST)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Double-tapping ransomware hits the same victim twice.
Exim servers are found exposed to attack.
Iran's OilRig deploys Menorah malware against Saudi targets.
North Korea's Lazarus Group targets a Spanish aerospace firm.
Update your ransomware scorecards.
LostTrust is a rebrand of MetaEncryptor.
Increased domestic surveillance in Russia, done partly so propaganda can be more effectively targeted.
Killnet claims to have hit the British royal family with a DDoS attack.
And Cybersecurity Awareness Month begins this week.
I'm Trey Hester, filling in for Dave Bittner with your CyberWire Intel briefing for Monday, October 3rd, 2023.

The U.S. Federal Bureau of Investigation has issued a private industry notification outlining emerging trends in ransomware attacks, including, quote, multiple ransomware attacks on the same victim in close-date proximity and new data destruction tactics in ransomware attacks, end quote. The Bureau notes that this use of dual ransomware variants resulted in a combination of data encryption, exfiltration, and financial losses from ransomware payments. Second ransomware attacks against an already compromised system could significantly harm victim entities. Ransomware variants involved in these attacks include AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal.
BleepingComputer reports that millions of Exim servers are exposed to a zero-day flaw that can allow an unauthenticated attacker to perform remote code execution. According to Trend Micro's Zero Day Initiative, quote, the specific flaw exists within the SMTP service, which listens to TCP port 25 by default. The issue results from a lack of proper validation of user-supplied data, which can result in a write past the end of a buffer. An attacker can leverage this vulnerability to execute code in the context of a service account, end quote. ZDI also notes that given the nature of the vulnerability, the only salient mitigation strategy is to restrict the interaction with the application. BleepingComputer says that more than 3.5 million Exim servers are currently exposed to the internet.

Trend Micro says the Iran-aligned threat actor APT34, also known as OilRig or Helix Kitten, is using a new strain of malware called Menorah to conduct cyber espionage. The researchers observed the malware delivered via a spear phishing attack that targeted a Saudi Arabian entity. Menorah appears to be a new variant of the SideTwist backdoor. Trend Micro states that the .NET-written malware delivered through the malicious document is primarily deployed for cyber espionage and possesses multifaceted capabilities. The malware can fingerprint the targeted machine, list directories and files, upload selected files from the compromised system, execute shell commands, and download files to the system. Compared to the previous variant of SideTwist, the new variant has more functions to hash the traffic to the command and control server and make it stealthier to avoid detection.
ESET warns that North Korea's Lazarus Group targeted employees of a Spanish aerospace company by posing as job recruiters and sending Trojanized coding challenges. The fake recruiter contacted the victim via LinkedIn messaging and sent two coding challenges required as part of the hiring process, which the victim then downloaded and executed on a company device. The challenges were used to deliver a new remote-access Trojan called LightlessCan, which ESET says represents a significant advancement compared to its predecessor, BlindingCan.
LostTrust ransomware became active this past March, but achieved widespread notoriety only last month, when it established a data dump site. It now appears, BleepingComputer reports, to represent a rebranding of the MetaEncryptor ransomware, which itself only appeared in August of 2022.

The Russian parliament is considering expanding the FSB's domestic surveillance to conduct a more extensive monitoring of Russian internet, banking, and telecommunications company users, the ISW reported. The surveillance would extend beyond simple intrusion and monitoring and would amount to full control of databases, with the FSB authorized to remotely access, edit, and delete information in Russian private businesses' databases. The Russian tech sector, including Yandex, opposes the measure on the grounds that FSB activities would render data less secure.

The Institute for the Study of War reports that Russian First Deputy Presidential Chief of Staff Sergei Kiriyenko had engaged the not-for-profit organization Dialog to categorize Russian internet users to tailor its messaging to their beliefs, interests, and dispositions. The categories, developed from both user data and information from government agencies, classify the users by profession, interests, and political beliefs and specifically orient false news about the war in Ukraine and pro-war narratives toward Russian military personnel, relatives of military personnel, and civil servants. Dialog also sorts users as loyal or disloyal. The classification and subsequent targeting seems to derive from Dialog's inability to develop unified and clear narratives that would appeal to the Russian public as a whole. Targeted messaging could also serve to promote self-censorship.
The British Royal Family's official website went down Sunday due to a DDoS attack, Sky News reports.
No data was lost and services on the site were restored within hours.
The Russian hacktivist auxiliary, Killnet, claimed responsibility in its Telegram channel, but those claims could not be verified.
And finally, October is Cybersecurity Awareness Month, and this year, the U.S. Cybersecurity and Infrastructure Security Agency has announced a theme they're calling Secure Our World. As CISA explains, quote, Not only will Secure Our World remain a consistent theme for every Cybersecurity Awareness Month in the future, but it will also launch as CISA's new Cybersecurity Awareness Program. The idea behind the campaign is to educate Americans about simple ways they can improve their cyber hygiene. The four main recommendations are using strong passwords, activating multi-factor authentication, recognizing and reporting phishing scams, and updating software to ensure all security patches and salutations have been installed. The agency has created a Secure Your Business webpage that focuses on corporate cybersecurity advice and a page dedicated to the tools geared towards small and medium-sized businesses. CISA and the National Cybersecurity Alliance joined forces to develop a partner toolkit complete with a PDF guide, a sample email to spread the word to employees, and a Cybersecurity 101 presentation to educate staff and other stakeholders. As well, CISA will be offering a series of free webinars throughout the month.

The President and Congress first declared October Cybersecurity Awareness Month in 2004, meaning this year marks its 20th anniversary. In honor of this milestone, the National Institute of Standards and Technology has shared a timeline summarizing the history of the agency's cybersecurity program. NIST will also be offering a blog series covering various topics of interest and hosting events throughout the month, including a Block Cipher Modes of Operation workshop, a social media challenge, and Cybersecurity Career Week. The first entry in this blog series addresses the first week's theme, enabling multi-factor authentication.

So, it's Cybersecurity Awareness Month. Do you know where your multi-factor authentication is?
Coming up after the break,
Rob Boyce from Accenture Security
talks about dark web threat actors
targeting macOS. And, as part
of our sponsored Industry Voices segment,
Michael Denning, CEO at SecureG for Blu Ventures, shares developments in Zero Trust.
Stick around.
Mike Denning is CEO at SecureG, provider of cloud-native PKI for Zero Trust.
In this sponsored Industry Voices segment,
he shares his thoughts on Zero Trust machine identity,
AI, and the current state of startup innovation and funding.
I usually use an analogy that involves a mall.
For people that are new to security or cybersecurity
or want to understand that,
when you grant permission previously, prior to zero trust,
you would grant access to the mall.
And in that mall, you'd be allowed to pretty much go to a Foot Locker or Macy's or the
Apple Store or visit pretty much any store you want once you got through that initial
door into the mall itself.
The zero trust paradigm changes that.
And what ends up happening now is you have to get into the mall.
You have to disclose your specific destination that you're intending to go.
Let's say Foot Locker.
You're allowed to go there, and then you're allowed to come back.
You're not allowed to visit any other stores on the way.
So that zero trust, to me, at the most simple level, is you're authenticated for a purpose, you're allowed to accomplish that purpose, and then you got to re-authenticate yourself if you plan to do anything else.
It's a great analogy. Let's talk about machine identity when it comes to zero trust. What exactly do we need to know there?
I think a lot with machine identity is just the volume and complexity. As the market evolves, as you're seeing new applications, the complexity of those applications that drive the command and control of machines is becoming much more ethereal. And those things dissipate, they move away, they maybe exist in a period of time. So some of the bigger challenges we're seeing in the marketplace are around how do you authenticate, validate, attest to things that maybe are turned up and turned down in a very short amount of time?
And virtualized environments and virtual networks even present kind of a unique challenge for zero trust.
And where do we stand when it comes to the availability of some kind of standardized
framework? Well, I think you look at how security, part of the work we're doing at my company is that
we're looking very closely at how standards can be used and deployed across
the smallest possible form factor, whether that form factor is a chip or a singular device
or even a virtualized Kubernetes cluster. The important part there is the ability to give an identity that might exist in a point
of time, and you have the control to turn it up and turn it down in a really short amount of time.
I think referencing public key infrastructure, it's a pretty well understood standard, but still
very complicated to deploy. And when you start adding the complexity of the speed with which
you want to turn up and
turn down virtualized environments, it becomes that much more complicated. So there's a lot of
work going on today, particularly in the IETF and some of the other standards bodies to help
companies understand how we're going to deal with kind of the emerging threat landscape when it
moves from just compromising individuals to
compromising the subsystems that make up the kind of unseen critical infrastructure that drives a
lot of our everyday lives. You know, Mike, I think it's fair to say that we're in this moment right
now where certainly the public's imagination has been captured by artificial
intelligence and it's being talked about far and wide. What part do you think it has to play in
the security marketplace here? I mean, to what degree does this need to have our attention?
I think you'll see the evolution of AI. All the not all the headlines I think in AI today are the generative language.
I think inside of security, it's going to be slightly different.
We've been working over the last 25 years of my time in the security industry around identifying anomalous behavior. And so I do think that AI can play a critical role in helping to understand the nuances. And they're getting smaller and smaller as people tend to obfuscate their movements within networks, within systems, with permissions. AI will be able to help further refine where to look. AI will be able to help sharpen the systems and the inputs to say, hey, this is really anomalous behavior. Focus your attention. Because it's always been, for us in the security industry, the challenge of finding the needle in the haystack of needles, right? And so I really think AI will be helped to inspect things in a much more granular level and bring those to the top.
You know, as an entrepreneur yourself,
and as you mentioned,
someone who's been in the industry for some time now,
can we talk a little bit about the place
of these innovative startups in the community here,
the important role that they play? Yeah, I think we're doing that a lot. I've only been the CEO
of this company about 18 months. Before that, I was a partner at a cybersecurity-focused,
early-stage, seed-stage, A-round venture investors. There's a lot, I think, for folks that have a good idea in the cybersecurity space, there's a lot of excitement and helping hands, if you will, that want to see us as entrepreneurs in the cybersecurity space succeed.
I'm in the Washington, D.C. area, so you get a lot of public sector expertise fighting nation-state attacks.
But you see it across Silicon Valley and Boston and New York.
I think the events like the one that Blue was putting on later this month, we get a lot of people, there's just excitement.
You want to see what's next.
Those are the kind of things that are going to be really bringing entrepreneurs with savvy tech investors, with a support system to do it, I think, is what's required. companies across the board is taking a pause, right? There's still a lot of opportunity for
early-stage startups, but I think you're seeing kind of check sizes are a little smaller.
People want to see a little more traction for some of the most innovative companies.
They want to see customer one. They used to be okay with an idea. Now they want to see customer
one, two, or three signing off to that. So I think it's pretty interesting what's happening.
It's causing entrepreneurs to get sharpened the pencils a little bit. I think we're starting to see more fractional work. We've kind of gone from quiet quitting to, I think, a lot of
fractional talent. So whether it's software developers or finance professionals,
legal professionals tend to always be in this fractional type role until the companies get bigger.
But I think that's the thing that we're seeing is that having the right person even 20% of their time is better than having 100% of the post-COVID, you know, quiet quitting combined with the people are having to get smarter with a little stingier with their deployment of capital.
That's Mike Denning, CEO at SecureG.
Thank you again to Michael Denning for joining us.
He's appearing on behalf of the Blu Cyber Venture Forum.
You can find details for the conference through the link in our show notes.
And I'm pleased to be joined once again by Robert Boyce. He is Managing Director and Global Lead for Cyber Resilience at Accenture.
Rob, it's always great
to have you back.
I know you and your colleagues
there at Accenture
have been looking into
some dark web threat actors
that seem to be targeting
macOS lately.
What are you looking at here?
Yeah, thanks, Dave.
And it's always a pleasure
to speak with you.
You know, this is really interesting.
I mean, we've gone back to 2019 to start pulling some trends
around threat actors targeting macOS.
And we are seeing, since 2019,
a thousand times more activity
in the interest of finding vulnerabilities or access
or ways around, ways to bypass security features of macOS.
And 2023 already has surpassed 2022 six months into the year.
And so it is clear that this is becoming much more of a focus area for threat actors right now.
You know, as a longtime macOS user myself, I will cop to a certain smugness when it comes to feeling as though the system that I've chosen
is comparatively secure to some of the other ones
that are out there.
Is that no longer justified?
I think there's a lot of people
who have the same sentiment as you, including myself.
I'm also a macOS user.
And I think as of today, I would still say that,
of course,
Mac is a more secure platform,
but there's a lot of that that has been because of the lack of targeting
from threat actors.
Like, listen, Windows is all over the world, right?
It is a number one operating system.
It still is a number one operating system right now.
So it's not surprising that threat actors
have been targeting that with emphasis.
And as we have seen,
there is no shortage in security vulnerabilities
that we continue to see through that operating system.
I think what we're really saying now is we need to be more mindful
that that concept of buy a Mac and be secure is going to be a little less certain.
We are absolutely seeing threat actors
on the dark web advertise for wanting to buy
either exploits that will bypass
critical security features of macOS,
such as Gatekeeper or TCC,
Transparency Consent Controls.
And they're offering,
we've seen one offer for $500,000 to be able to get
an exploit or a bypass of macOS Gatekeeper. We've seen other offers for up to a million dollars for
a similar exploit available on the platform. So we know that the demand now is there.
Which I think will follow the demand is going to be the very talented hackers
that will start to produce the content to meet this demand.
And this is where we really haven't seen.
The focus has just not been there in the past,
but we are now seeing threat actors
have a much higher focus on being successful in this space.
How much of this is a sense of,
you know, the folks who tend to use macOS are being specifically targeted?
In other words, is the value coming from the folks who are using these systems,
or is the value coming from the fact that these vulnerabilities are fewer and farther between, or is it a blend of both?
I remember reading a report a little while ago that estimated, I think, 23, this was in 2020,
23% of corporate devices are now running on macOS.
And that was two, three years ago.
So I am sure it's more than 25% at this point.
So you can start to see it.
It's not just maybe targeting the people
who are using them as much as it is now
of consequence in an enterprise.
And if we want to think about being able to cause maximum disruption or be able to obtain maximum
foothold within an environment, we need to now consider macOS to be part of that enterprise
solution. So I just think it's a shift over time of organizations adopting this technology
that is now pushing threat actors to have more of a focus
in that area. And so what are your recommendations here for organizations who have
macOS systems installed? Should they have a heightened sense of vigilance?
I think people now need to start understanding that what we did think, as you said earlier,
what we thought before to be true where macOS was less targeted, impenetrable,
we should now reframe that thinking to think about our macOS systems to be similar to any other IT system we have within our enterprise,
and it needs to be protected the same.
Organizations need to keep watch in this space.
They need to make sure that they're up to speed on their threat intel that's coming in,
or if they have a dark web search team, that this is now part of their collection requirements
to really continue to keep focus on what is happening in this space.
Because I promise it's going to go from, we haven't seen this, to overnight, we will see
a significant impact. And then because we're going to have very, very smart hackers creating this
content, that knowledge will start trickling down to the next level. And then we will see
more and more focus in this space, especially when people are offering half a million to a million
dollars for a single exploit. And we have already started to see threat actors selling
macOS exploitation capabilities already. So we know it's happening.
We've also seen LockBit 3.0 start to talk about
creating ransomware for macOS systems in particular.
Now, we haven't seen it in the wild yet,
but they have confirmed that they are developing and testing.
So it will just be a matter of time, I think,
until we start seeing more exploitation in the macOS space.
All right. Well, Rob Boyce is Global Lead for Cyber Resilience and Managing Director at Accenture.
Rob, thanks so much for joining us.
And that's it for The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
We'd love to know
what you think about this podcast.
You can email us
at thecyberwire at n2k.com.
Your feedback helps us ensure
we're delivering the information
and insights that help keep you
a step ahead in the rapidly changing world of cybersecurity. This episode was produced by Liz Ervin and senior producer Jennifer Ivan. Thanks for listening. We'll see you back here tomorrow.