CyberWire Daily - An update on cyber operations in Russia’s hybrid war. NPM compromise updates. CISA releases ICS security advisories. Free ransomware decryptors released. Disneyland's Instagram account hijacked.
Episode Date: July 8, 2022

An update on cyber operations in the hybrid war. NPM compromise updates. Free decryptors for AstraLocker and Yashma ransomware. Johannes Ullrich from SANS on attacks against perimeter security devices. Our guest is Sonali Shah from Invicti Security with a look at DevSecOps anxiety. And who's the villain who hijacked the Instagram account of Disneyland?

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/130

Selected reading.
Russia-Ukraine war: List of key events, day 135 (Al Jazeera)
Russia-Ukraine war: Putin warns Moscow has 'barely started' its campaign (The Telegraph)
Russian Cybercrime Trickbot Group is systematically attacking Ukraine (Security Affairs)
US finance sector encouraged to stay vigilant against retaliatory Russian cyberattacks (SC Magazine)
Someone may be prepping an NPM crypto-mining spree (Register)
ICS CERT Advisories (CISA)
Free decryptor released for AstraLocker, Yashma ransomware victims (BleepingComputer)
Disneyland's Instagram Account Hacked With a Series of Profane, Racist Posts (Wall Street Journal)

Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
An update on cyber operations in the hybrid war,
NPM compromise updates, free decryptors for Astralocker and Yashma ransomware,
Johannes Ulrich from SANS on attacks against perimeter security devices,
our guest is Sonali Shah from Invicti Security with a look at DevSecOps anxiety,
and who's the villain who hijacked the Instagram account of Disneyland?
From the CyberWire Studios and Data Tribe,
I'm Dave Bittner with your CyberWire summary for Friday, July 8th, 2022.
Operational pause or not, Russia's hybrid war seems to be as far from any quick resolution as ever. Russia's President Putin said yesterday during a meeting with senior leaders of the Duma
that he had no intention of backing down from his own maximalist goals and that Ukraine's
only option was to accede to all of Russia's demands. And any Ukrainian hope of battlefield
victory is a phantasm because Russia's been pulling its punches so far. He said, "everyone should know
that, by and large, we haven't started anything yet in earnest." IBM researchers recently discovered
that the Trickbot gang has been active against Ukrainian targets since Russia's war began,
and that it's been acting directly in the Russian interest. So Trickbot and similar gangs have been acting as privateers under state
direction. Since Trickbot cut its criminal teeth on financial crime, especially banking Trojans,
the financial sector ought to be on particular alert for any spillover from Russian privateering.
SC Magazine speaks with various industry experts who advise financial institutions
to keep their shields up.
Researchers at ReversingLabs detailed their discovery of a widespread supply chain attack
against the NPM repository earlier this week, publishing an update on Wednesday.
Though the exact scope of the attack wasn't initially clear,
researchers say the packages are potentially used by thousands of
mobile and desktop applications and websites, and in one instance a malicious package had been
downloaded over 17,000 times. ReversingLabs called the campaign IconBurst. Their conclusion
is that IconBurst represents a major software supply chain attack involving more than two dozen NPM modules
used by thousands of downstream applications, as indicated by the package download counts.
Application developers should be particularly alert to the problem,
which appears to represent an organized cooperative criminal effort.
Analysis of the modules reveals evidence of coordination with malicious modules traceable to a small number of NPM publishers and consistent patterns in supporting infrastructure such as exfiltration domains.
ReversingLabs says IconBurst marks a significant escalation in software supply chain attacks.
The firm communicated its findings to the NPM security team on July 1st of 2022.
Developers, ReversingLabs says, should assess their own exposure to the threat, and the
researchers have provided information that should assist them in doing so. There's been another
attack on the NPM supply chain, this one described by researchers at Checkmarx.
They say, Checkmarx's SCS team detected over 1,200 NPM packages released to the registry
by over 1,000 different user accounts.
This was done using automation, which includes the ability to bypass the NPM 2FA challenge.
The operators, whom the researchers call CuteBoi, were using what
Checkmarx calls a fake identity-as-a-service provider. They say, looking at the domains with
which CuteBoi is creating NPM users, we can deduce that they are using Mail.tm, a free service
providing disposable email addresses with a REST API,
enabling programs to open disposable mailboxes and read the received emails sent to them with a simple API call. This way, CuteBoi can easily defeat the NPM 2FA challenge when creating a user account.
So far, the operation seems to represent an initial experimental phase of a larger campaign.
The researchers say this cluster of packages seems to be a part of an attacker experimenting at this point.
The researchers think that CuteBoi is preparing a large-scale cryptojacking campaign using XMRig derivatives.
Checkmarx has also released information to help users identify the malicious activity.
They also warn that further exploitation of NPM can be expected.
They say, CuteBoi is the second attack group seen this year using automation to launch large-scale attacks on NPM.
We expect we will continue to see more of these attacks as the barrier to launch them is getting lower.
CISA, the U.S. Cybersecurity and Infrastructure Security Agency,
released three industrial control system advisories yesterday.
Bravo to Emsisoft! The company has released free decryptors for the AstraLocker and Yashma ransomware strains, Bleeping Computer reports.
Emsisoft tweeted,
The AstraLocker decryptor is for the Babuk-based one using the .Astra or .babyk extension,
and they released a total of eight keys.
The Yashma decryptor is for the Chaos-based one using the .AstraLocker or a random extension,
and they released a total of three keys.
Bleeping Computer points out that AstraLocker, itself derived from Babuk Locker,
has gained a reputation for being both buggy and effective.
The operators of AstraLocker earlier this week released some decryptors
as they announced they were exiting the ransomware business,
saying that they had decided to turn to crypto mining.
They were probably kidding about getting into coin mining.
Not only did they close their announcement with an LOL,
but there's also some reason to think they were feeling the approach of law enforcement.
The Wall Street Journal reports that the Instagram account of Disneyland Resort
was briefly hijacked yesterday morning
by someone who identified himself as David Do and proclaimed himself a super hacker.
Mr. Do acted with apparently trivial motives.
He had some sort of beef with someone called Jerome, according to the independent fansite The Disney Blog,
and he wanted to air that through his hack.
He was also disgruntled about some Disney employees,
saying he was here to bring revenge upon Disneyland.
Mr. Do posted a selfie and said he was tired of all these Disney employees mocking me.
The Journal says the posts were both profane and racist,
and it quotes a Disney representative as saying,
We worked quickly to remove the reprehensible content, secure our accounts,
and our security teams are conducting an investigation.
We received comments from Arctic Wolf's VP of Strategy, Ian McShane,
who thinks the incident shows that cybercriminals are often motivated by concerns that are neither monetary nor political.
He wrote,
Many are keen to just inflict reputational damage.
High-traffic, high-follower accounts will always be a target for threat actors,
both sophisticated and the occasional rogue low-level amateur.
It's not yet known how David Do gained access to the accounts, but McShane noted
that compromises of this nature are almost certainly rooted in a phishing or credential
stuffing incident. And of course, the motivation of the attacker needn't be serious or even rational.
Just ask Mr. Do, wherever he may be.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access
reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to
bypass your company's
defenses is by targeting your executives and their families at home? Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover
they've already been breached. Protect your executives and their families 24-7, 365,
with Black Cloak. Learn more at blackcloak.io.
If you feel as though you and your colleagues in cybersecurity are stretched thin,
being asked to do more with less, and facing increased anxiety as a result, you're not alone.
In a recent report published by Invicti Security focusing on DevSecOps professionals,
they found the high expectations placed on security pros sometimes lead to diminishing returns.
Sonali Shah is chief product officer at Invicti Security.
This is a very stressful job, right?
So, you know, 39% of data breaches stem from attacks on web applications.
So it's no surprise that that is more and more of a focus for
enterprises. And often it's on-the-job training for developers. So some of the key things that
we found is, on average, people were spending four hours a day addressing security issues.
That's a lot of time. On top of that time, developers also have to
release code based on internal timelines, right? So you can imagine the stress that puts on
releases; it ends up causing overtime. You know, we had 50% of the respondents say they'd logged
in over weekends or on their own time in the evening to work on security-related issues.
One in three blew off, you know, date night or a night out with friends in the time of COVID
when it's, I think, hard enough to find dates.
Like, this is particularly relevant.
And then even, you know, once, even after they've spent all the hours remediating issues,
there's that anxiety of the next one.
So we found 81% of professionals,
they're likely to, they're already feeling anxious about the next vulnerability,
even just after they finished remediating the last one.
Is there a sense for the ways in which this is affecting their ability to put out the quality work that is expected of them?
Absolutely, it is.
We found often developers are releasing insecure code.
And it's not because they want to.
It's because there's pressure to release code.
It's because maybe they don't have the training to do so.
So that is absolutely happening.
And we witness it every day
when you hear about the breaches.
But what's really interesting is that they, in general,
are very proud of their work.
So 94% of the respondents said that digital transformation
and the move to a remote work model in the recent years
has made their role more valuable and rewarding.
88% said they're proud to put cybersecurity professional on a dating profile.
And, you know, majority of them felt like they're saving their companies over a million dollars a year by the work they're doing to prevent data breaches.
So, you know, it's frustrating, it's draining, but they're proud of the work they're doing.
What is the sense of the relationship they have with their companies?
In other words, do they feel as though the companies are doing their best to support them or is there a gap there?
There is a gap.
And I see that every day when I'm talking to our customers.
I think, you know, the gap is not in acknowledgement. So security teams know that
development teams are overworked. They know that they often don't have enough people,
that often they don't have the skills. So if you go to university and study coding,
you'll go through four years and never take a class on how to securely build code.
So there's absolutely agreement and acknowledgement that this is a difficult job to do.
And in some cases, companies are able to support their developers so they feel like it's a journey
they're taking together. In other cases, it causes friction and you see turnover. It's a relatively strong job market. And so what we've seen is that
companies that help their developers and help security professionals to weave security into
their daily lives, that really helps retain people and improve job satisfaction.
I see the benefits of having automation help lift some of the workload off of these people.
What about the purely human side of it?
You're checking in on folks, making sure that people are hanging in there and doing the best they can. It strikes me particularly as so many of us have moved to remote work.
That's as important as ever.
You're absolutely right. Moving from just development to sort of DevSecOps practices
is as much a technology change as it is a culture change. So the automation, integrating all of your
products together, making sure you've got accuracy, that's the technology part. The people part of it is making sure people have the resources. Developers and security teams
have the resources they need. So that's part of what I was just talking about, the security
champions program. So if developers know that they've got somebody, one of their own often,
that they can go to for help, that's
hugely beneficial.
Somebody that is working on their time zone, speaks their language.
It's interesting.
One of the customers I recently spoke to said that they launched a security champions program
earlier this year, and they were surprised at how many developers wanted to be a part
of it.
And partially that's because having the word security anywhere on your resume is a huge plus because developers, they understand they need to learn about security and they want to learn
about security. So I think having those support mechanisms is hugely helpful. The other thing actually that I've seen very rarely, but I have seen it be very beneficial
is to build security into quarterly business objectives. So instead of just saying, all right,
the, you know, quarterly objective for product engineering is to release this feature on time, if you have in there, it's release it as expected on time
and with no high severity vulnerabilities, right?
You build it right into there.
So it just becomes part of the objectives.
And then you recognize it, you call it out.
So you're rewarding people, not just for delivering a new feature, but delivering
it with high quality, which means it does what it's supposed to do and it is secure.
That's Sonali Shah from Invicti Security. There's a lot more to this conversation.
If you want to hear more, head on over to CyberWire Pro and sign up for
Interview Selects, where you'll get access to this and many more extended interviews.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe
and compliant.
And I'm pleased to be joined once again by Johannes Ullrich. He is the Dean of Research at the SANS Technology Institute and also the host of the ISC StormCast podcast. Johannes, always
great to welcome you back to the show. You know, I think as we've made our way through the pandemic
and there's been this massive move to folks working off-site,
there's this notion that perimeter security is a thing of the past.
But you want to make the point today, maybe not so fast.
Correct.
And the devices that we're using to implement those security controls,
like load balancers, firewalls, various proxy systems
or such that we are using.
Probably one of the lines that I repeat the most is,
well, why is this connected to the internet in the first place?
And that usually refers to not just nuclear power plants
and elevators and door controls,
but also things like admin interfaces
for these perimeter security devices.
So you spend a lot of money buying a device like this,
protecting your users from attacks,
but then you're opening up the management interface
that's used to control that device to the world,
and sadly, that's then being exploited.
And is that primarily a matter of convenience for the users to be able to reconfigure things and not
have to be on-premises to do so?
Yeah, that's often the reason because if it is your VPN concentrator
that you're configuring here, you don't want to have to connect to the VPN
first because if you're messing up with your configuration, then
you can't connect to the VPN anymore.
And then you have to get pants and drive to the office
and all of that stuff to actually get this thing working.
And I think that's part of it.
Of course, you could still filter by IP address.
Another part is once you deploy them in the cloud,
it's really hard to drive to the cloud and restart things.
So that's where this sometimes happens.
And then also I think the perception that,
hey, this is an expensive device that I purchased,
the vendor probably took some care here.
As they say, don't look behind the curtain.
You often find a scaffolding of Perl and PHP code here
in your tens of thousand dollar devices
that probably hasn't been touched in the last 10 years.
And we have seen just the last month,
F5's BIG-IP appliances again.
They sort of have an annual schedule
where they come up with a critical,
unauthenticated remote code execution vulnerability.
Yet again, they had one.
It took two days for a proof of concept to be released.
And as I sort of put it, it took like one week from zero-day to Mirai.
So in the end, the Mirai bot just took the vulnerability.
And of course, once it's at that point,
you can assume every exposed device out there has been probably exploited multiple times.
So what are your recommendations then?
Definitely secure those admin interfaces.
Security devices are not inherently secure.
It's sad, but that's just a matter of fact.
So defense in depth. Yes, limiting access to the admin interface to a couple of IP addresses, attackers can bypass that, but it'll maybe take them another week to do that. So you have that first week to actually apply patches and then learn how to patch these devices. It's not always easy to patch these devices.
Learn how to do it. Do it regularly. Don't just do it when there's an emergency out there.
Because the other problem is vendors release patches like on a monthly basis or whatever. You may ignore them because they don't really fix any big security issues. And last time you applied a patch, it caused some problem.
But the issue is if you're waiting too long, then the probability of a problem becomes larger and larger. And also, usually the impact of that problem becomes larger and larger, because now you have not just one problem, you have like 12 problems, because you have to deal with every single patch's problem.
So really updating regularly, learning how to patch, having some procedure around it. So you can sort of press that button kind of when an emergency patch comes around to apply the patch. You don't really have to make it a big deal and spend a lot of time on it.
Yeah. All right. Well, good advice as always. Johannes Ullrich, thanks for joining us.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday and my conversation with Alden Wahlstrom from Mandiant's Information Operations team. We're discussing
their comprehensive overview and analysis of the various information operation activities they've
seen while responding to the Russian invasion. That's Research Saturday. Check it out.
The Cyber Wire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Liz Irvin,
Elliot Peltzman, Trey Hester, Brandon Karpf,
Eliana White, Puru Prakash, Justin Sabie,
Rachel Gelfand, Tim Nodar, Joe Carrigan,
Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell.
Thanks for listening. We'll see you back here next week.
Thank you.
and adaptable. That's where Domo's AI and data products platform comes in. With Domo,
you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents
connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.