CyberWire Daily - Apple patches. Reviewing the cyber phase of a hybrid war. ShadowPad’s return. Phishing from the Static Expressway. Medical device threats. Security trends. Charming Kitten’s social engineering.
Episode Date: September 13, 2022
Apple patches its software. Reviewing the cyber phase of a hybrid war. The return of the (ShadowPad) alumni. Phishing from the Static Expressway. The state of cloud security. Overconfidence comes at a... cost. Ann Johnson of Afternoon Cyber Tea speaks with Dr. Josephine Wolff from the Fletcher School about cyber insurance past. My conversation with FBI special agents Tom Sobocinski and Tom Breeden. And Charming Kitten and group-think in social engineering.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/176
Selected reading.
Apple security updates (Apple Support)
Ukraine Cyber War Update September 2022 (CyberCube)
New Wave of Espionage Activity Targets Asian Governments (Broadcom Software Blogs)
Chinese gov’t hackers using ‘diverse’ toolset to target Asian prime ministers, telecoms (The Record by Recorded Future)
Leveraging Facebook Ads to Send Credential Harvesting Links (Avanan)
Unpatched and Outdated Medical Devices Provide Cyber Attack Opportunities (FBI)
CFO Cyber Security Survey: Over-Confidence is Costly (Kroll)
Snyk’s State of Cloud Security Report Reveals 80% of Organizations Have Experienced a Severe Cloud Security Incident in Past Year (Snyk)
Look What You Made Me Do: TA453 Uses Multi-Persona Impersonation to Capitalize on FOMO (Proofpoint)
Iranian military using spoofed personas to target nuclear security researchers (The Record by Recorded Future)
Alleged cyber commander of Iran’s Revolutionary Guard named by opposition outlet (Times of Israel)
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Apple patches its software, reviewing the cyber phase of a hybrid war,
the return of the ShadowPad alumni,
phishing from the Static Expressway, the state of cloud security,
overconfidence comes at a cost.
Ann Johnson of Afternoon Cyber Tea speaks with Dr. Josephine Wolff
from the Fletcher School about cyber insurance.
My conversation with FBI Special Agents Tom Sobocinski and Tom Breeden.
And Charming Kitten and groupthink in social engineering.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Tuesday, September 13th,
2022. We begin with a quick note about some patches from Apple. Late yesterday, Cupertino released eight patches affecting iOS,
macOS, tvOS, and watchOS. The iOS 15.7 update, or the alternative upgrade to iOS 16, would be
particularly important since they address a zero-day flaw, CVE-2022-32917.
Six months into Russia's war against Ukraine, CyberCube has
reviewed Russian cyber operations. While their effect has fallen far short of pre-war fears,
fears based largely on memory of Russian cyber attacks against Ukraine's power grid in
2015 and 2016, some trends have emerged
that are likely to continue through the end of the war and beyond. The close relationship between
Russian intelligence services and the criminal gangs they use effectively as privateers has
come into sharper relief. The advantage of using such gangs is not only the capacity the criminals contribute,
but also the degree of deniability they bring with them.
They've been deployed against economic targets,
but the selection of those targets is designed to stay below a level
that might provoke massive, perhaps even kinetic, retaliation.
CyberCube writes,
Russian ransomware gangs are focusing on large targets that fall just under the critical infrastructure threshold.
The intention is to work economic damage as a way of retaliating against and perhaps dissuading governments
that have provided Ukraine with material and diplomatic support.
CyberCube states, Russia is using criminal ransomware gangs to undermine the U.S. economy
while also avoiding direct war with the U.S.
European energy companies are also increasingly being targeted for their strategic value.
Russia is targeting governments in Europe that are assisting in Ukraine's defense.
Among the more striking Russian successes
in what has generally been an
underwhelming performance in cyberspace were early campaigns that deployed wipers against
targets in Ukraine and adjacent areas of Eastern Europe. CyberCube states,
there has been a dramatic rise in the normalization of wiper malware being used as a
weapon in this war. Russia has advanced its long-term project of
internet isolation. This has been in part by design, driven by a perceived Russian need to
control information domestically, and in part by necessity, as Western technology firms withdrew
from the Russian market. In any case, an isolated Russian sovereign internet is thought likely to
provide a more secure safe haven for the criminal gangs Russia tolerates and uses, whether it will
provide as convenient a line of departure for criminal operations. While Russian cyber operations
have not had the devastating effects widely predicted during the run-up to the war,
they've nonetheless affected the calculations of the insurance market.
CyberCube observes,
In response to this pattern of increased cyberactivity,
insurers and brokers need to take proactive measures to manage their exposures.
Lloyd's recently introduced a requirement that all stand-alone cyberattack policies
must exclude liability
for losses arising from state-backed attacks. The clarity the war clauses will introduce may
prove beneficial to the insurance market. CyberCube believes this mandate will help reduce uncertainty
and enable more insurers to participate with confidence based on a clearer understanding of what is covered and what is excluded.
The Symantec Threat Hunter team has released a report detailing new espionage activity targeting governments and public entities.
Attackers formerly connected with ShadowPad, a remote-access Trojan,
have been leveraging legitimate software packages in order to load their malware payloads, a technique known as DLL side-loading. The attacks have been seen since 2021, with the intent for
the threat actors to gather intelligence. There's no attribution yet, but the target selection is
suggestive. The current campaign appears to be almost exclusively focused on government or
public entities, including head
of government in the prime minister's office, government institutions linked to finance,
government-owned aerospace and defense companies, state-owned telecom companies, state-owned IT
organizations, and state-owned media companies. The targets are Asian states. While Symantec is
reticent about attribution,
The Record points out that the tactics, techniques, and procedures
have a great deal in common with those used by Chinese intelligence services in earlier campaigns.
Avanan researchers report today that they have discovered hackers
exploiting the Facebook ads manager for credential harvesting campaigns.
The attackers have been seen sending phishing emails,
posing as Facebook and threatening to disable a victim's account
for being reported or violating their terms of use,
and providing what appears to be a Facebook link
through which the victim can appeal to rectify the situation.
The link is actually a lead generation form from the hacker's Facebook
ads manager, which is used to steal credit card numbers and other information. Avanan explains
that this method is effective because of what they call the static expressway: hackers using
legitimate sites appearing on static allow lists to bypass filtering and make themselves more likely to reach the end target.
The FBI has issued an advisory that warns of a growing risk to medical devices posed by a combination of unpatched software
and increasing threat actor attention.
The Bureau states,
In addition to outdated software, many medical devices also exhibit the following additional vulnerabilities.
Devices used with the manufacturer's default configuration are often easily exploitable by cyber threat actors.
Devices with customized software require special upgrading and patching procedures,
delaying the implementation of vulnerability patching.
Devices not initially designed with security in mind
due to a presumption of not being exposed to security threats.
There are two reports out today on significant security trends. First, Snyk released its State
of Cloud Security report detailing risks and challenges that have arisen with the adoption
of the cloud. Eighty percent of respondents say they suffered a cloud security incident.
Startups and the public sector have been most affected at 89% and 88% respectively.
41% of respondents say that cloud-native services make security more complicated,
but 49% see deployment as faster with improved cloud security.
Second, Kroll has released their 2022 edition of the report
Cyber Risk and CFOs Over Confidence is Costly.
Reportedly, 87% of CFOs are confident in the cybersecurity capabilities of their company,
but 4 out of 10 have never had briefings from information security
leadership before. In contrast, 66% of CISOs believe that their company was vulnerable to
an attack, with 82% of CISOs saying that the organizations in their industry were vulnerable.
71% of CFOs saw more than $5 million in financial losses from a cybersecurity attack that occurred
in the past 18 months, with 82% reporting a loss in valuation of 5% or more in that same time period.
And finally, Proofpoint researchers today described a phishing campaign
operated by the Iranian threat group TA453, also known as Charming Kitten, Phosphorus, or APT42.
Associated with Iran's Islamic Revolutionary Guard Corps,
the threat group is using a range of impersonated persona,
including the policy think tanks Chatham House,
the Pew Research Center, and the Foreign Policy Research Institute,
as well as the scientific journal Nature, to lend credibility to its phishing attacks.
It's not simple spoofing, however.
TA453 includes more than one persona in the phishing email thread.
Proofpoint calls it multi-persona impersonation,
and the use of more than one seemingly plausible persona may lend credibility
to the approach. After all, if both Nature and Pew are on it, it's got to be legitimate, right?
You're pretty sure you've heard of them. The approach can be expensive for the attacker in
terms of resources expended. They have to burn spoofed accounts more rapidly, but apparently
they judge it worthwhile. Targets of
the campaign have been persons and organizations involved with nuclear security, especially in the
Middle East. Coming up after the break, Ann Johnson from Afternoon Cyber Tea speaks with Dr. Josephine Wolff from the Fletcher School about cyber insurance, and my conversation with FBI Special Agents Tom Sobocinski and Tom Breeden. Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and helps you get security
questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta
when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
The U.S. FBI is actively engaged in outreach with businesses of all sizes across the nation,
bringing their resources and expertise to bear to help defend against cyber threats.
I recently met Thomas J. Sobocinski, Special Agent in Charge of the FBI Baltimore field office,
and Supervisor Special Agent Tom Breeden, who heads up cyber operations at the Baltimore field office.
Special Agent in Charge Sobocinski speaks first.
The FBI, obviously, we have been around for over 100 years now
and have a really robust background in investigations and collaboration,
both with our federal law enforcement partners and state partners,
but also with corporations. And so using those skills, we were and are continuing to leverage that now in the cyber realm.
And I think that it is obviously growing and will continue to grow.
And things like this podcast allow us to have that conversation with a wider audience.
Tom Breeden, in terms of the actual cyber part of the mission, that specialty, where do you plug into that?
From the cyber point of view, I think there is sometimes a hesitation.
Some think of the FBI only as violent crime or counterterrorism, but we really believe strongly that we have a huge role to play
with any organization's cyber security program, and particularly from everything from providing
a threat picture of actors, but also if there's been some activity on the network, that aberration,
that strange activity on the network. We believe that we can
help any organization provide context to that threat activity and, in essence, beef up their
cybersecurity program in general. Well, help me understand then, how does that relationship work?
If I'm a business, is this a matter of reaching out and introducing myself to my local field office?
What's the ideal situation as far as you all are concerned?
There are 56 FBI field offices across the U.S.
And there are FBI personnel and U.S. embassies across the U.S.
And that's really what we think our strength is.
It's our ground game, so to speak, where in the U.S., I mean, we have cyber specialists at every field office.
And that's in, I mean, everywhere from New York to Maryland to Florida, name it, right, California.
We have agents there that are cyber specialists.
If a business can develop that relationship before an incident happens, it's only going to strengthen their security posture
because when that incident happens, they'll know it's someone to call. And it won't be like,
let me introduce myself. Sometimes there's several layers of legal counsels and cybersecurity teams
and firms in between. And that information can go smoothly when those relationships are already established.
SAC Sobocinski mentioned how far we've come.
I remember when I started working cyber, we would do what we call victim notifications.
And a lot of your listeners have—some of your listeners have had an FBI agent knock on their door or send an email or, hey, I want to talk to you about a threat in your network.
And there were times we responded with very little information.
And there were times when we would, unfortunately, back a decade or so ago, we would say, well, there's something in your network.
We can't really tell you what it is, but can you look and see if you see anything strange?
Those are tough times.
Those were hard interactions.
But we really, I think we've learned a lot since then. And one of the feedbacks that we would receive, I remember from some CISOs, will say, I love it. You came to my door. You're
trying to help. I need context of this threat information. And that's what, when you're working
with the FBI, when you're collaborating with us, that's what we're going to work as hard as we can
to, so your company can be as strong as it could be.
Yeah, I just want to add to that.
I mean, I think to going back to the question,
which is when do you want to be reaching out to us?
It is absolutely before the event.
And so we want to have a relationship with you.
We want to be providing some of your listeners
the information that they need to protect themselves, not to just deal with something negative once it happens. And so it's really important to have that relationship. Now, obviously, we can't do that for everyone at the same level. So there are certain industries that are really important to us.
Obviously, cleared defense contractors, for obvious reasons, but then also other critical infrastructure entities are really important.
And then there's a third piece that is also important, which is industries that are developing that may be vulnerable to other foreign actors.
And that's a piece that is, you know, changes minute by minute. And so, you know,
cleared defense contractors, obviously that's classified information. They're storing it in a certain way. They know to protect this. But there are also industries that are creating new and
really exciting products, software, things in certain industries that could ultimately be used in a classified environment.
They just don't know it yet. And so it's important for us to have the relationships with them
so that they know in advance how they can protect this information. I mean, it's pretty clear that
this is a growing problem, number one, and it's an expensive problem. It's an expensive
problem if you are a victim, but it's also an expensive problem to keep yourself from becoming
a victim. And if there are ways that we, the FBI, can help you do that, that is now part of our
mission. It's what I have Tom and his team doing on a daily basis, not just the reaction to that problem.
What about, you know, I'm thinking about that CISO who wants to have the proactive relationship with you all, needs to make that case with the various powers that be within the organization, you know, particularly legal.
You know, you go anywhere on the Internet and they say, don't talk to the police.
Well, you guys are the police, you know? And so
how do you assure people that while you're helping out, you know, you're not going to be
rifling through a filing cap, you know, the people's worst nightmares about opening up a
can of worms? Yeah. So I would say, give us a chance for a dialogue first off, and we can come
in as a one-way street, you receiving all the information. That's no problem at the beginning. And if you like what you see, then maybe there's something there that
you're missing in your picture and you think, I'd like to learn more about that. And so it starts
with trust, Dave. I mean, we're under no illusions. This badge, it means a lot of things to a lot of
different organizations and different people. So we understand that there is certain viewpoints in that.
But my response to that would say,
give us a chance to have a discussion.
And I believe that what you'll find,
the strengths we bring to bear,
is not something you're going to get
from even a cybersecurity company, I would argue,
because the Bureau will have some of that,
but it'll have elements.
We'll bring something to the table
that really no other organization
in the world can really bring.
So I would say try and find out,
I guess, would be my response.
Yeah.
I would also add,
I mean, let's use a very basic analogy,
but a bank robbery.
So if a bank robbery happens,
the FBI is going to come.
You're going to want the FBI to come.
And we're going to investigate the robbery.
We're not going to investigate your bank, your records.
We're not going to go through other areas of your business that aren't affected by that robbery.
And so I think for companies to recognize that we have a really focused mission and that if you are that victim,
we are here to help you.
And I think the one thing that I would say
is the sooner you do that
and you get through the layers of legal
and other issues within your company
when you are a victim,
the more we're going to be able to do for you.
There are still things that we,
I mean, obviously we can't go into
the details of, but there are absolutely techniques and things that the FBI can bring to your company
to potentially reduce the vulnerability that you face, whether it's financial or with intellectual
property. For that CISO who wants to start that relationship, what's your advice?
What's the best way to get started?
Yeah, call your local FBI office.
If you're in Maryland or Delaware, it's called the local office here.
We're here, and we will get you connected to a cybersecurity investigator.
And the same throughout the whole U.S. Call your local office, and I think it will add to your program,
and I think it'll help your business.
That's Supervisor Special Agent Tom Breeden from the FBI's field office in Baltimore,
joined by Tom Sobocinski, Special Agent in Charge of the Baltimore Field Office.
There's more to our conversation, and we will be dropping an extended special edition of this interview in your CyberWire podcast feed.
You can also find the full interview on our website, thecyberwire.com.
Microsoft's Ann Johnson is host of the Afternoon Cyber Tea podcast right here on the Cyber Wire Network. And in a recent episode, she spoke with Dr. Josephine Wolff, Associate Professor of Cybersecurity Policy with the Fletcher School.
They talked about cyber insurance, past, present, and future.
Here's Ann Johnson.
Could you give us a brief history on how the cyber insurance industry has changed and evolved since its initial inception?
And what were the initial goals and motivations of cyber insurance providers then? And how has
that changed or stayed the same over time? Absolutely. So I think one of the things that's
often surprising to people is how
long cyber insurance has been around, that we've, you know, gone almost two and a half decades now
with varieties of these policies available for purchase. But you're absolutely right,
they've changed an enormous amount over that time, which isn't surprising when we look at sort of how
the cyber threat landscape has shifted. So if you rewind all the way back to 1997,
when sort of the first cyber-focused policy is offered, there's a lot of fear around Y2K.
There's a lot of fear around sort of what if all of the computers suddenly crash, either because
of malware or because we haven't prepared well enough for this changeover in dates. As a few
more companies, I would say, especially in like retail, start to buy these policies, those concerns are heightened somewhat by states in the United
States starting to pass these data breach notification laws. And so that begins sort of
2003, 2004. We start to see more and more states getting interested in that, led by California.
And those laws start to make companies
more concerned about these breaches of personal information of their customers, because now they
know they're going to have to report those breaches. They're not going to just be able to
sort of sweep it under the rug or not tell anybody about it. And as soon as you start reporting them,
you run the risk that your customers are going to file lawsuits. And now, sort of, I would say starting around 2015
to 2017, we start to see increases in ransomware. We start to see a lot of concern about sort of
infrastructure being compromised and operations being shut down by cyber attacks. There's
much more interest in how are we going to pay extortion-related costs, how are we going to
compensate for lost business during outages related to cyber attacks. And you've seen these
cyber insurance policies really expand. Can you talk about the differences between how cyber
insurers think about those type of similar catastrophic events and talk about if there
are any fundamental similarities between
a cyber insurance policy and what our listeners or consumers would think about their personal
insurance policies. It's a great question, and there definitely are similarities, right? You
think about something like car insurance, that's a new technology, or what was at one point a new
technology and is continuing to evolve that we're trying to manage risk around. You think about flood or other natural disasters insurance, you're talking about
these really large scale, difficult to predict events related to certain types of cyber attacks
as well. But there are also, I think, some really kind of crucial differences. And a big one that I
would say spans almost all of those types of insurance you just mentioned is that we know a lot more about when these incidents happen, when we're talking about
car accidents, when we're talking about floods, when we're talking about people dying with life
insurance or things like that, right? It's very rare that you have a lot of car accidents that
just go completely unreported and nobody's aware that they've happened. And so the big
difference that you sort of start from if you're an insurer is you don't have great data around
cyber risk, right? You've got slightly better data around breaches of personal information because
states have been requiring reporting of that for a long time. But when it comes to something like
ransomware, which really kind of takes insurers by surprise in 2019, 2020, when those rates start spiking,
you're working from a very incomplete data set of sort of which are the ransomware attacks that
make the news that people either choose to disclose or have to disclose for some reason.
And that sort of inability to collect consistent and complete data is a huge obstacle if you are trying to do the kind of
actuarial underwriting. The podcast is Afternoon Cyber Tea with Ann Johnson. You can find more
right here on the Cyber Wire network at AfternoonCyberTea.com.
the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
Breaking news happens anywhere, anytime.
Police have warned the protesters repeatedly, get back.
CBC News brings the story to you live.
Hundreds of wildfires are burning.
Be the first to know what's going on and what that means
for you and for Canada. This situation has changed very quickly. Helping make sense of the world when
it matters most. Stay in the know. Download the free CBC News app or visit cbcnews.ca.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Trey Hester, Brandon Karp,
Eliana White, Puru Prakash, Liz Ervin, Rachel Gelfand, Tim Nodar, Joe Kerrigan,
Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Thank you. innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.