CyberWire Daily - An illicit market in account restoration. Resilience and the cyber workforce: a snapshot. New post-exploitation technique in Amazon Web Services.
Episode Date: August 2, 2023
An illicit market in account restoration. Resilience and the cyber workforce. New post-exploitation techniques in Amazon Web Services. Incursions into Norwegian government networks went on for four months. Rob Boyce from Accenture Security describes a "Perfect Storm" in the Dark Web threat landscape. Carole Theriault shares mental health social media warnings for teens. And the Russian legislation seeks to reduce or eliminate online privacy. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/146
Selected reading.
Amazon employees leak secret info that marketplace sellers can buy on Telegram (CNBC)
Cyber Workforce Benchmark Report (Immersive Labs)
Mitiga Security Advisory: Abusing the SSM Agent as a Remote Access Trojan (Mitiga)
Cado Security Labs 2023 Threat Findings Report (Cado Security)
Cyberattack on Norway Ministries Lasted at Least Four Months (Bloomberg)
CISA and International Partner NCSC-NO Release Joint Cybersecurity Advisory on Threat Actors Exploiting Ivanti EPMM Vulnerabilities (Cybersecurity and Infrastructure Security Agency)
Putin Outlaws Anonymity: Identity Verification For Online Services, VPN Bypass Advice a Crime (TorrentFreak)
Russia Is Returning to Its Totalitarian Past (Foreign Policy)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
An illicit market in account restoration,
resilience in the cyber workforce, new post-exploitation techniques in Amazon Web Services, incursions into Norwegian government networks went on for four months.
Rob Boyce from Accenture Security describes a perfect storm in the dark web threat landscape.
Carole Theriault shares mental health social media warnings for teens.
And the Russian legislation seeks to reduce or eliminate online privacy.
I'm Dave Bittner with your CyberWire Intel briefing for Wednesday, August 2nd, 2023.
Being banned from any platform is unpleasant.
It can seem arbitrary or unfair, and it's often either
beyond the possibility of appeal or can be appealed only at considerable cost in time and expense.
It's a particularly troublesome experience for third-party sellers in the Amazon marketplace
who face a loss of income in addition to simple inconvenience. A market has grown up in which
brokers offer assistance in restoring
banned sellers' accounts. They often do so, however, illicitly. CNBC reports that the brokers
frequently work by offering kickbacks to Amazon insiders who take advantage of their position
to override bans. Amazon isn't alone. Other large third-party markets are facing similar problems, but Amazon's size makes the problem particularly evident.
Christy DeStefano, an Amazon spokesperson, told CNBC,
to protect our store and hold bad actors accountable.
In addition to account restoration services,
company insiders have also been found selling internal data,
the better to help third-party sellers game the company's system to better position themselves for success in the online market.
Immersive Labs has released its Cyber Workforce Benchmark Report,
noting significant improvements in response time to cyber incidents.
The report notes organizations' median response time
to emerging threats improved by one-third,
indicating a significant increase in the speed of response
and continued progress compared to the year prior.
Enterprises have enhanced their knowledge
about newly discovered threats and vulnerabilities,
enabling them to respond more rapidly than ever before.
The researchers point to the Log4j crisis as a watershed moment
that could well have been a catalyst for this urgency,
given its catastrophic impact on organizations around the world.
Mitiga has published a report looking at a new potential post-exploitation technique in AWS.
The technique involves running AWS's Systems Manager agent as a remote-access Trojan
on both Linux and Windows machines, controlling the endpoint using another AWS account.
The researchers explain, the SSM agent, a legitimate tool used by admins to manage their instances,
can be repurposed by an attacker who has achieved high privileged access on an endpoint with SSM
agent installed to carry out malicious activities on an ongoing basis. This allows an attacker who
has compromised a machine hosted on AWS or anywhere else, to maintain access to it and perform various malicious activities.
Unlike using common malware types, which are often flagged by antivirus software,
using an SSM agent in this malicious manner allows the attacker to benefit from the reputation
and legitimacy of this binary to cover their tracks.
Cado Security has published its 2023 Cloud Threat Findings Report,
finding that SSH is by far the most commonly targeted service by cloud-focused threat actors.
The report states, since SSH is a protocol used across the internet, not just in cloud
infrastructure, this statistic is unsurprising. SSH allows secure communication between clients and servers
and is typically used for server administration.
This often means that SSH servers are internet-facing
and can pose an easy target if inadequately secured.
The researchers also found that botnet agents
are the most common form of malware targeting cloud services.
Stating,
The vast majority of observed traffic
is dedicated to spreading common botnet families. These include Mirai, XOR DDoS, and IRCBot,
a generic name for botnets making use of the IRC protocol. It's worth noting that samples
categorized as Mirai may actually be one of the many existing variants of this malware.
Investigators have concluded that a cyber espionage campaign against Norwegian government networks lasted four months before it was detected and action taken to stop it, Bloomberg reports.
The effort, generally attributed to Russian intelligence services,
exploited a now-patched vulnerability in Ivanti Endpoint
Manager Mobile. Yesterday, CISA and the Norwegian National Cybersecurity Center released a joint
cybersecurity advisory on the incident. The advisory, which includes extensive advice on
detection, remediation, and prevention, says mobile device management systems are attractive
targets for threat actors because they provide elevated access to thousands of mobile devices,
and APT actors have exploited a previous MobileIron vulnerability.
Consequently, CISA and NCSC-NO are concerned about the potential
for widespread exploitation in government and private sector networks.
And finally, TorrentFreak, writing with
outrage, describes a bill signed into law by President Putin on Monday. Federal law number
406-FZ will prohibit foreign email systems, and it will require all domestic platforms to verify
the identity of all users by government-approved methods.
VPNs aren't banned outright, but the VPN services remaining in operation in Russia are compliant with state regulations and afford little, if any, anonymity or privacy. Attempting to evade identity
verification requirements will be risky, as the new laws criminalize preparation to make such attempts.
Posting information online that amounts to advice on how to use VPNs, Tor, and similar tools
for circumvention purposes will be considered a crime. On top, regular hosting providers will be
subjected to state registration and new obligations along similar lines to those imposed on VPN providers.
The law is an example of what Foreign Policy calls Russia's return to its totalitarian past.
Information control, censorship, and draconian suppression of dissent are becoming the norm.
Coming up after the break, Rob Boyce from Accenture Security describes a perfect storm in the dark web threat landscape.
Carole Theriault shares mental health social media warnings for teens.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and help you get security questionnaires done five times faster
with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives
and their families at home?
Black Cloak's award-winning
digital executive protection platform
secures their personal devices,
home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk.
In fact, over one-third of new members discover
they've already been breached. Protect your executives and their families 24-7, 365,
with Black Cloak. Learn more at blackcloak.io.
If you have a teen, and I do, chances are you're concerned about how much time that teen spends online on social media platforms.
Carole Theriault has been looking into the mental health of teens on social media platforms. She files this report.
In mid-May, the American Psychological Association, the APA,
issued sweeping recommendations intended to help teens use social media safely. This was the first guidance of its kind. And just a few weeks later, the Surgeon General for the United States warned
of an urgent public health issue regarding
social media usage and youth mental health. The U.S. Surgeon General, Dr. Vivek H. Murthy,
called for more research to determine the extent of mental health and its impact on young people,
including the type of content generating the most harm, societal factors that could protect youth,
and ways in which social media can be beneficial.
Quote,
To date, the burden of protecting youth has fallen predominantly on children,
adolescents, and their families.
The entire burden of mitigating the risk of harm of social media
cannot be placed on the shoulders of children and parents.
Unquote. Yes, yes, and yes. It has fallen on parents to manage, and from what they tell me,
it is as thorny as a prickly pear. On one side, as a parent, your job is to keep your kids safe,
and being able to see where they are and be contactable is a pretty big component of safety.
So what do you do? You give your kid a phone.
But then there's the whole manner of the content available, the entire digital world at their
fingertips, including the socials. Cited reasons as to why social media is not good for kids are
numerous. They interfere with schoolwork and grades. They're addictive. They increase anxiety
and depression. They interfere with sleep. They can expose kids to inappropriate content.
The Cleveland Clinic says that it can also impact daily behaviors and moods, with kids perhaps
showing signs of increased irritability, increased anxiety, and even lack of self-esteem.
So the U.S. Surgeon General called on social media companies
to prioritize safety and privacy in their product designs and ensure minimum age requirements are
enforced. For example, most social media platforms have a minimum user age of 13, which Murthy says
he believes is too early for kids to be on social media, describing the age as a time when kids are developing their identity and sense of self.
So until regulations catch up, what is a parent to do?
Psychologists say that adolescent brain development starts around age 10
and continues through early adulthood.
The APA cautions that sites that use like buttons
and artificial intelligence to encourage excessive scrolling
may be dangerous for developing brains
and recommends limiting social media
on these types of platforms through phone settings.
And in addition to the limits,
the APA strongly encourages ongoing discussions
about social media use and active supervision, especially in early adolescence.
Parents are encouraged to model healthy social media use, including taking social media holidays as a family.
I am not a social media addict, thank the lords, but many of my friends, including those with children, are.
And it may be time to put that phone away
when the kids are around.
I know, I know.
This was Carole Theriault for The Cyber Wire.
And it is always my pleasure to welcome back to the show Robert Boyce.
He is Global Lead for Cyber Resilience and Managing Director at Accenture.
Rob, it's great to have you back. I want to touch today on some work that I
know you and your colleagues there at Accenture are doing when it comes to some things you're
tracking on the dark web. What's going on here? Yeah, thanks, Dave. And first of all, it's always
a pleasure to be here. So thank you again for hosting me. Yeah, we've actually been seeing
a really interesting uptick in the focus of threat actors in OT systems.
And I think OT systems have long been vulnerable to cyber attacks,
and we've known that, and we have seen some very focused attacks in the past.
But quite honestly, the majority of OT impacts we see today
are usually a leakage from an IT incident
or some self-imposed shutdown due to uncertainty of what an IT incident may cause to an OT environment.
And so we've never, and I would say maybe even before 2021, when we saw the Colonial Pipeline disruption,
we saw threat actors really stay away from crossing the line into national
critical infrastructure and oil and gas due to potential, what it could mean in the state
of real potential warfare.
And then when we actually saw that event happen, because there was so much focus on this area,
we saw a lot of dark web marketplaces take down their OT tools and advertisements and things that they were talking about because they just didn't want to have that focus.
Just too much heat?
I think a little bit too much heat.
And then what we saw starting really when the Russian-Ukraine conflict happened is those rules started to go a bit out the window.
And so our team has been researching this.
We've seen a significant uptick really around into May this year
where we're seeing more and more threat actors on the dark web
start talking about targeting OT systems.
And really, OT systems of Western national critical infrastructure
as well as oil and gas.
That's been the focus.
And when we say targeting, what exactly are we talking about here?
They're looking to buy access into these environments. They're looking for people
who are creating exploits within the OT infrastructure or OT systems so that they
are able to, of course, successfully be able to cause disruption. I think the thing that's really
fascinating to me here is we're seeing, it's one of the first times I've seen this,
where we're seeing three different ideologies really have motivations in this space. Meaning,
we're seeing activists, of course, want to be able to target OT systems to maybe make
headlines in a meaningful way by causing national disruptions. We're seeing
financially motivated cyber criminals get into the space, just, of course, big surprise for money.
And as we see more and more requests or more and more demand, obviously there's more interest for
these financially motivated criminals to be able to produce materials,
assets that can help further exploitation in OT environments. And then we're seeing,
of course, the political motivated threat actors. And this is largely, as you can imagine,
representing Russia against all enemies of Russia. That's the most popular we're seeing there.
But it's been quite interesting to see these three ideologies,
one of the first times I've seen, all come together with a singular mission,
but for different purposes. And is it kind of coincidental that those three different directions are converging? I don't know if it's coincidental. I really,
again, I do think that the Russia-Ukraine conflict has opened the door to, I want to say encourage this behavior, but to make it not as, to make it more acceptable.
So I feel like, and a lot of it is in terms of, you know, hacktivists, again, targeting Western, primarily Western national critical infrastructure, as well as oil and gas, because of, you know, in support of Russian-Ukraine conflict.
And then, of course, the political motivations are similar. And, you know, when you have
financially motivated criminals, I think they just follow the money, right, where the demand is. So
I don't know if it's coincidental. I think it's just all of the right reasons came together to
really create almost what we would say is a perfect storm of opportunity for these three groups.
Yeah. So based on what you all are seeing here, what are your recommendations for those folks who are responsible for OT security?
Great question. And this has been quite honestly a challenge we've seen in industry. I think there's been this false notion that attackers will not be
as successful in OT environments because there's this concept of logical and physical separation,
which we now know, well, even if it was ever true, I'm not sure, but we now know is definitely not
true because we're seeing that leakage from IT to OT consistently when we see the disruptions in OT
today. And as well, there's a huge investment that needs to be made by threat actors to maybe
even purchase physical equipment to try and find vulnerabilities within that equipment.
But now that these threat actors are so well-funded, and the equipment's much more
readily available, even that has reduced the barrier to entry for interest here.
So the first thing I would say is organizations who have a large OT footprint,
especially again in national critical infrastructure and oil and gas, need to understand
that the threats to the OT environment are the same as the threats to the IT environment.
And I always find it interesting because the OT operators, they measure their business in terms
of minutes sometimes, as far as downtime, it's a direct
correlation to impacted revenue loss. And so the way that they think about OT, they think about it
more from resiliency, from uptime, human safety. And so what we find works very well is to create
those same themes from a security perspective and start to educate
the OT operators on why cyber risk is a very similar risk as that you would see and how
it directly impacts resiliency and uptime and revenue.
And so I guess, again, going back to your question, in the spirit of it just needs to
be a business objective to secure OT. And the risks there need to be
understood clearly. And the messaging of the importance of cyber really needs to be
framed up in a way that the OT owners and operators will understand
and how it correlates to the impact of their business.
All right. Well, Robert Boyce is Global Lead for Cyber Resilience and Managing Director at Accenture.
Rob, thanks so much for joining us.
Thank you for having me, Dave.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity.
ThreatLocker gives you total control, stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today
to see how a default-deny approach can keep your company safe and compliant.
With TD Direct Investing, new and existing clients could get 1% cash back.
Great! That's 1% closer to being part of the 1%!
Maybe, but definitely 100% closer to getting 1% cash back with TD Direct Investing.
Conditions apply. Offer ends January 31, 2025. Visit td.com slash dioffer to learn more.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights
that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like The Cyber Wire
are part of the daily intelligence routine of many of the most influential leaders and operators.
N2K Workforce Intelligence optimizes the value of your biggest investment, your people. We make
you smarter about your team while making your team smarter. Learn more at n2k.com. This episode
was produced by Liz Ervin and senior producer Jennifer Iben. Our mixer is Trey Hester with
original music by Elliot Peltzman. The show was written by John Petrick. Our executive editor is
Peter Kilpie and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.