CyberWire Daily - Attacks on industrial systems in Europe and Africa. LolekHosted arrests. Notes from the hybrid war. The CSRB will investigate the cyberespionage campaign that exploited Microsoft Exchange.
Episode Date: August 14, 2023
An African power generator has been targeted by ransomware. The APT31 group is believed to be responsible for attacks on industrial systems in Eastern Europe. There have been arrests related to the takedown of LolekHosted. Ukraine's SBU has alleged that Russia's GRU is using specialized malware to attack Starlink. Microsoft has decided not to extend licenses for its products in Russia. Rick Howard opens his toolbox on DDoS. In our Solution Spotlight: Simone Petrella and Camille Stewart Gloster discuss the White House release of its cybersecurity workforce and education strategy. And the Cyber Safety Review Board will be investigating cases of cyberespionage against Exchange.
Watch the full video of Simone and Camille here: Solution Spotlight: Simone Petrella and Camille Stewart Gloster
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/154
Selected reading.
DroxiDat-Cobalt Strike Duo Targets Power Generator Network (Infosecurity Magazine)
New SystemBC Malware Variant Targets Southern African Power Company (The Hacker News)
Power Generator in South Africa hit with DroxiDat and Cobalt Strike (Security Affairs)
Southern African power generator targeted with DroxiDat malware (Record)
Common TTPs of attacks against industrial organizations. Implants for uploading data (Kaspersky ICS CERT)
APT31 Linked to Recent Industrial Attacks in Eastern Europe (Infosecurity Magazine)
Researchers Shed Light on APT31's Advanced Backdoors and Data Exfiltration Tactics (The Hacker News)
LOLEKHosted admin arrested for aiding Netwalker ransomware gang (BleepingComputer)
Russian spy agencies targeting Starlink with custom malware, Ukraine warns (The Telegraph)
Russia Bans iPhones And iPads For Official Use: Report (BW Businessworld)
Microsoft Suspends Extending Licenses For Companies in Russia (RadioFreeEurope/RadioLiberty)
Department of Homeland Security's Cyber Safety Review Board to Conduct Review on Cloud Security (US Department of Homeland Security)
Microsoft Exchange hack is focus of cyber board's next review (Record)
Microsoft is under scrutiny after a recent attack by suspected Chinese hackers (Windows Central)
The DHS's CSRB to review cloud security practices following the hack of Microsoft Exchange govt email accounts (Security Affairs)
Microsoft's role in data breach by Chinese hackers to be part of US cyber inquiry (Firstpost)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
An African power generator has been targeted by ransomware.
The APT31 group is believed to be responsible for attacks on industrial systems in Eastern Europe.
There have been arrests related to the takedown of LolekHosted.
Ukraine's SBU has alleged that Russia's GRU is using specialized malware to attack Starlink.
Microsoft has decided not to extend licenses for its products in Russia.
Rick Howard opens his toolbox on DDoS.
In our Solutions Spotlight, Simone Petrella and Camille Stewart Gloster discuss the White House release of its Cybersecurity Workforce and Education Strategy.
And the Cyber Safety Review Board will be investigating cases of cyber espionage
against Exchange. I'm Dave Bittner with your Cyber Wire Intel briefing for Monday, August 14th, 2023.
Kaspersky has issued a warning regarding the emergence of a fresh iteration of the SystemBC malware. This new version has reportedly been utilized in an assault on a critical infrastructure power
generator situated within an undisclosed African nation. According to Kaspersky's analysis,
an unidentified threat actor directed their attention toward an electric utility in
southern Africa. The attack involved the deployment of Cobalt Strike beacons and DroxiDat,
which represents a novel variant of the SystemBC payload.
Kaspersky's experts speculate that the incident might have been
in the preliminary stages of a ransomware operation.
The timing of the attack places it within the third and fourth weeks of March 2023,
coinciding with a limited series of assaults worldwide, in which both DroxiDat and Cobalt
Strike beacons played a role. DroxiDat, described as a compact variant of SystemBC with a size of
approximately 8 kilobytes, operates as a system profiler
and a relatively uncomplicated SOCKS5-capable bot.
The presence of DroxiDat was detected within the infrastructure
of the targeted electric utility.
The command and control infrastructure implicated in this incident
was associated with a domain named powersupportplan.com,
a domain with energy-related connotations.
This domain was found to resolve to an IP host that had already raised suspicions in previous
contexts. Kaspersky offered tentative attribution of the incident to a Russian-speaking cyber
criminal gang, specifically to FIN12, which has also been called Pistachio Tempest.
FIN12 has hitherto been known for attacks against the healthcare sector.
In May of 2022, it was one of the gangs prominently featured in the U.S. Department of Health and Human Services report,
Ransomware Trends in the HPH Sector.
FIN12 has changed its target selection, but not its playbook.
The group's motivation is financial.
Some news reports have said the incident occurred in South Africa, but that's incorrect.
It took place in an unidentified country in the southern part of the African continent.
Earlier last week, another report from Kaspersky found that APT31, also known as Judgment Panda or Zirconium,
is targeting industrial systems in Eastern Europe. The researchers state,
the attackers aimed to establish a permanent channel for data exfiltration,
including data stored on air-gapped systems. In total, we have identified over 15 implants and their variants planted by the threat actors in various combinations.
Kaspersky notes that the attacker's architecture allows the threat actor to change the execution flow by replacing a single module in the chain.
APT31 is generally regarded as an intelligence operation of the Chinese government.
Much of its activity has involved industrial espionage,
but the group has also been implicated in collection of political intelligence.
A joint Polish-U.S. operation brought down the LolekHosted bulletproof hosting provider last
week, The Record reports. The U.S. FBI and the IRS were joined in the action by the Regional Prosecutor's Office in Katowice
and the Central Bureau for Combating Cybercrime in Krakow. Europol announced the arrests of five
administrators of the service in Poland. LolekHosted was a player in the criminal-to-criminal
marketplace. The Telegraph reports that Ukraine's State Security Service has claimed that Russia's GRU is attempting to deploy malware against the Starlink satellite communication system with a view to collecting data on Ukrainian troop movements.
There's little else out on this story, but we'll be following it closely for any developments.
Workers at Russia's Ministry of Digital Development are no longer permitted to
use either iPhones or iPads for work purposes. The responsible minister announced the order Friday,
Reuters reports. Personnel at the ministry will still be permitted to use iPhones for personal
needs, but they are henceforth prohibited from using them for work email or for accessing work
applications. The ban is generally believed to have been prompted by an FSB report in June
that Apple devices had been compromised by the US NSA, probably with Apple's connivance.
Apple has denied both the compromise and its alleged cooperation in undercutting its own security.
If iOS devices represent the security risk the FSB says they do, a partial ban seems a curious
response. Microsoft stopped sales to Russia when Russia invaded Ukraine in February 2022.
It did continue to license products that had been purchased before the invasion.
Radio Free Europe/Radio Liberty reports that Microsoft has now served notice that such licenses will not be renewed after September 30th.
Active licenses will run through their expiration dates and then will terminate.
This decision will further isolate the Russian IT sector from the global supply chain,
and Russia's IT sector is far from self-sufficient.
The U.S. Department of Homeland Security's Cyber Safety Review Board, the CSRB,
has announced that its third investigation will focus on approaches government, industry,
and cloud service providers should employ to strengthen identity management and
authentication in the cloud. The board stated, the CSRB will assess the recent Microsoft Exchange
online intrusion, initially reported in July 2023, and conduct a broader review of issues
related to cloud-based identity and authentication infrastructure affecting applicable CSPs and their
customers.
The department began considering whether this incident would be an appropriate subject of the
board's next review immediately upon learning of the incident in July. The board will develop
actionable recommendations that will advance cybersecurity practices for both cloud computing
customers and CSPs themselves. The investigation will represent the third such inquiry in the CSRB's history.
The first report covered Log4j. The second looked into the Lapsus$ group.
Microsoft characterized the incident as a case of cyber espionage,
and it attributed the operation to a Chinese-associated group it tracks as Storm-0558.
The group typically gained access to email accounts via stolen credentials.
The CSRB, a relatively young organization chartered in September 2021 as directed by executive order,
is neither a regulatory nor an enforcement agency.
Like the National Transportation
Safety Board on which it was modeled, the CSRB investigates important incidents with a view to
identify relevant lessons learned to inform future improvements and better protect our communities.
Coming up after the break, Rick Howard opens his toolbox on DDoS. In our Solution Spotlight, Simone Petrella and Camille Stewart Gloster discuss the
White House release of its cybersecurity workforce and education strategy. Stay with us.
Do you know the status of your compliance controls right now?
Like, right now?
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash
cyber for $1,000 off. And now a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company
is at risk. In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Camille Stewart Gloster is Deputy National Cyber Director for Technology and Ecosystem Security in the Office of the National Cyber Director in the White House.
In this edition of our Solution Spotlight, she speaks with N2K President Simone Petrella.
I am joined today by Camille Stewart Gloster, Deputy National Cyber Director for Technology and Ecosystem at the
White House. In her role, Camille leads technology, supply chain, data security, and cyber workforce
and education efforts for the Office of the National Cyber Director and led the team that
recently released the National Cyber Workforce and Education Strategy last week. Camille, thank you so much for joining.
Thank you so much for having me, Simone. I'm excited to talk about the strategy.
Great. Me too. It's certainly an area I love to talk about all the time. So I think we're
going to have a great discussion here. Just to sort of set the stage before we really get into
the meat of it, the strategy that just was released
really is built around four pillars. And those are equipping every American with foundational
cyber skills, transforming cyber education, expanding and enhancing the national cyber workforce,
and strengthening the federal cyber workforce. That's a lot of ground that's covered across
those pillars and in this strategy. What are the big takeaways that you want the industry to walk away with as they review this
very hefty document? It is a big document, a big ambitious document that has a series of short-term,
medium-term, and long-term objectives. What I want folks to take away from this is that the work
builds on itself. And if there's one thing I hope
people have started to see from ONCD is that we really want to make sure that the work that we
are doing is collaborative and considerate of all of the important perspectives that are represented
across the digital ecosystem. If the national cybersecurity strategy is to work, that means we
are moving towards an affirmative vision for the digital ecosystem. That means one that is resilient, defensible, and aligns to our values.
And there's some shifts that we talk about in that.
And if we achieve that, that means that we're going to have products that are secure by design, which means we need a workforce that is capable of understanding security no matter where in the lifecycle of a piece of technology.
And so across those four pillars,
we look at three imperatives.
First, how do we get everybody to the table?
Because we do have a deficit.
So we need more people to be doing this work,
but not just more people,
more people of different backgrounds.
The second is skills.
We need a skills-focused workforce.
We need the ability to gain lifelong skills. And that starts with the foundational cyber skill for every American that you kind of talked about. Right now, you know, reading, writing, and arithmetic are what people picture as the foundational things that you need to operate in society.
Last imperative is really focused on building ecosystems because we have found through all of that engagement that I talked about, that ecosystems, regional, local, that can really tailor to the needs of community, but also create these networks of feedback that can help inform how training happens, how education happens, how employers find their workforce are really vital to a thriving cyber workforce. That was kind of a lot, but I think those three imperatives are really honing
in on that. And the fact that all of those things needing to address the entire ecosystem of players
and the four pillars, but also those three things came from you all, came from everyone who engaged on this strategy.
Yeah, no, it makes complete sense. And having been in this space so long myself,
just one of the many challenges is there are so many stakeholders. Thinking about who you
reached out to, it is a very robust and rich community. What do you see as one of the things
or a number of the things that
are critical to the success of this strategy? Everyone taking ownership of the implementation
of the strategy. So what I hope is every person, every organization, every institution that picks
up this document recognizes that the federal government has the smallest piece of implementing
this strategy. We can provide
funding, we can work on the federal workforce. And that work has begun. That work started
August 9th in Nevada at UNLV, University of Las Vegas, where we had our director,
Kemba Walden, really launch a collaborative effort with academia, private sector, and a number of others
to have a conversation about what a cyber workforce ecosystem looks like there, what
those needs are, how the state and local governments can continue to support them
so that folks can get into the good paying jobs that are in the cyber workforce.
I love that you say that because it's so incumbent on the industry, whether it's academia or employers, to kind of step up and take responsibility.
So I want to go back to the concepts of ecosystems that you brought up because it's also something that is something I feel very passionate about, which is, you know, we have so many stakeholders in play
when we talk about cyber workforce. What is the White House's role going to be bringing these
stakeholders together, given the vastness of the industry and just how many providers there are in
a space? Yeah. I mean, we are conveners. Our goal is to pull folks together to help with resource
sharing and to catalyze action.
What I don't want to be is a bottleneck.
So I want organizations, I want regions, I want locales to feel empowered to go do this work with or without my or the office's involvement.
But where we can support, where we can bring organizations together, where we can help spark a cyber workforce ecosystem,
I want to do that as well. Our goal is that those more robust ecosystems will be a model for their
peers. How do we extract the best practices and the lessons learned so that they can be adapted
to different environments? They all won't look the same because they don't need to.
That's why there are local, regional, and quite frankly, even international ecosystems
so that they are tailored to the outcomes, the communities, the groups and organizations that
are part of it. There needs to be that flexibility and responsiveness to all of those factors,
but we want to help bring folks together.
So that'll be my goal, the convening.
Well, and let this be a PSA to everyone listening
that if you haven't picked up the strategy already
and read it, you need to.
So a lot of exciting things in store.
Last question, certainly not least though,
on a personal note,
having been doing this for the last year plus now and coordinating and herding all these cats, what's the one area of the strategy that you're the most excited or proud of?
So I think to start, it's the look across the entire environment, right?
Most strategies that you see focus on the national cyber workforce, focus on federal, but coming together and thinking about how do we equip every American? How does that feed into their access and opportunity such that they
become part of the cyber workforce? And then how do we look at the entire national cyber workforce,
including the federal workforce and our international partners and how they feed
into our understanding of what our best practice is,
but also how we share that so that we're all thriving and getting the workforce that we need.
I think that holistic view and being able to set an affirmative vision around that
is the thing I'm most proud of. Camille, thank you so much for joining us today and sharing all
of your insights. Really appreciate all of your support and
putting out this strategy and getting it going. And best of luck as you hit the road with it.
That's Simone Petrella speaking with Camille Stewart Gloster,
Deputy National Cyber Director for Technology and Ecosystem Security
in the Office of the National Cyber Director in the White House.
It is always my pleasure to welcome back to the show Rick Howard.
He is the CyberWire's Chief Security Officer and also our Chief Analyst. Rick, great to have you back.
Hey, Dave.
So on this week's CSO Perspectives podcast, this is a Rick the Toolman episode, and I know you are focusing on DDoS prevention.
First of all, I have to say I love the Rick the Toolman episodes. I'm a big fan of the old 1990s
sitcom that you based it on. Of
course, I'm talking about Home Improvement starring Tim Allen. Yeah, I am too. I love that show. In
fact, David, you're going to love this. I just recently watched his early 1980s stand-up routines
and they were the precursor to the Home Improvement show. You can watch them on YouTube for free and
they are laugh out loud funny, right? I just love
that stuff. His shtick that men are Neanderthals and obsessed over tools. I don't know. It appeals
to me at some base level and you know, I love it. So we are absolutely stealing his routine on these
Rick the Toolman episodes. Well, as I say to my wife all the time, every home improvement project is an opportunity to buy a new tool. And I make good
use of that. Amazon boxes show up on the front porch and she just shakes her head ruefully at me
and says, the neighbors say, oh, the Bittners are doing some construction. That's right. What's all
that noise? That's what's all that noise. And that's just me yelling and screaming and, you know,
smashing my thumb with hammers and things.
So as we were saying, this week you were talking about DDoS prevention.
So what's on tap for us?
Yeah, so DDoS stands for Distributed Denial of Service.
And it's a strategy that hackers use to deny their victims access
to key digital resources on the Internet.
And they basically come in three forms,
like volumetric to generate massive volumes of network traffic designed to completely saturate
the victim's bandwidth. We got the protocol strategy kind of designed to eat up the processing
capacity of network infrastructure resources, you know, like servers, firewalls, and load balancers.
This is at layer three and layer four of the TCP/IP stack.
And finally, we have the application layer by initiating transaction requests that consume
finite resources like memory. But for me, though, it's been a minute since I looked at the latest
developments in DDoS prevention technology. So for this Rick the Toolman episode, we take a look at
the latest developments in DDoS prevention
and the hackers' motivations of using DDoS tools to accomplish some goal.
You know, it's a really interesting point you make about DDoS.
And, you know, on the daily podcast, particularly it strikes me when we're talking about the situation going on in Ukraine
that we talk about DDoS as if it's a nuisance-level attack.
Yeah.
And it can be, but I think one of the things you're going to dig into here, it can be more than that as well.
The bottom line here is that we have the technology that can make this work, you know, prevention against DDoS attacks, but you have to prepare for it.
So that's one thing.
Yeah.
The second thing is that it can be used for lots of different purposes by hackers, right?
You can use it for a ransomware idea,
pay us or we're going to keep doing this DDoS attack against you.
But what our guests were talking about was most times that they're seeing these days is a hacker will launch a DDoS attack
over here on the right side so they can do the cyber espionage stuff
over on the left that gets you looking right so you can move in left.
So all that's very interesting.
Yeah, a little misdirection.
All right, well, we will look forward to that.
That is CSO Perspectives.
It is part of CyberWire Pro.
Rick Howard, thanks for joining us.
Thank you.
security solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed
to give you total control, stopping unauthorized applications, securing sensitive data, and
ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see
how a default deny approach can keep your company safe and compliant.
And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the
Grumpy Old Geeks podcast, where I join Jason and Brian on their show for the lively discussion of
the latest security news every week. And find Grumpy Old Geeks where all the fine podcasts
are listed. We'd love to know what you think of this podcast. You can email us at cyberwire at
n2k.com. Your feedback helps us ensure we're delivering the information and
insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like the Cyber Wire are part of the daily intelligence
routine of many of the most influential leaders and operators in the public and private sector,
as well as the critical security team supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment,
your people. We make you smarter about your team while making your team smarter.
Learn more at n2k.com. This episode was produced by Liz Ervin and senior producer Jennifer Iben.
Our mixer is Trey Hester
with original music by Elliot Peltzman.
The show was written by our editorial staff.
Our executive editor is Peter Kilby
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.