CyberWire Daily - Babuk resurfaces for criminal inspiration. Alert on PaperCut vulnerability exploitation. Too many bad bots. Phishing-as-a-service in the C2C market. KillNet's PMHC regrets.
Episode Date: May 12, 2023

Babuk source code provides criminal inspiration. CISA and FBI release a joint report on PaperCut. There are more bad bots out there than anyone would like. Phishing-as-a-service tools in the C2C market. CISA's Eric Goldstein advocates the adoption of strong controls, defensible networks and coordination of strategic cyber risks. Our CyberWire producer Liz Irvin speaks with Crystle-Day Villanueva, Learning and Development Specialist for Lumu Technologies. And KillNet's short-lived venture, with a dash of regret.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/92

Selected reading.
Babuk code used by 9 ransomware gangs to encrypt VMWare ESXi servers (Bleeping Computer)
Ransomware actors adopt leaked Babuk code to hit Linux systems (Decipher)
Hypervisor Ransomware | Multiple Threat Actor Groups Hop on Leaked Babuk Code to Build ESXi Lockers (SentinelOne)
Malicious Actors Exploit CVE-2023-27350 in PaperCut MF and NG (CISA)
CVE-2023-27350 Detail (NIST)
Proofpoint Emerging Threats Rules (Proofpoint)
2023 Imperva Bad Bot Report (Imperva)
New phishing-as-a-service tool "Greatness" already seen in the wild (Cisco Talos)
Ukraine at D+442: Russians say the Ukrainian counteroffensive has begun. (CyberWire)

Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Babuk source code provides criminal inspiration.
CISA and the FBI release a joint report on PaperCut.
There are more bad bots out there than anyone would like.
Phishing-as-a-service tools in the C2C market.
CISA's Eric Goldstein advocates the adoption of strong controls,
defensible networks, and coordination of strategic cyber risks.
Our CyberWire producer Liz Irvin speaks with Crystle-Day Villanueva,
Learning and Development Specialist for Lumu Technologies.
And KillNet's short-lived venture, with a dash of regret.
I'm Dave Bittner with your CyberWire Intel briefing for Friday, May 12, 2023.
The leaked Babuk ransomware source code has become a treasure trove for ransomware operators,
Bleeping Computer reports. The Babuk code was leaked on a Russian forum in September of 2021,
and SentinelLabs researchers discovered 10 ransomware families throughout the second half of 2022 and the first half of 2023 using VMware ESXi lockers based on the Babuk code.
The researchers wrote in their release that
there is a noticeable trend that actors increasingly use the Babuk builder
to develop ESXi and Linux ransomware.
The malware compromises VMware ESXi servers on Linux machines.
The researchers noted that
the talent pool for Linux malware developers is surely much smaller in ransomware development circles,
which have historically held demonstrable expertise in crafting elegant Windows malware.
Use of Babuk code is expected to increase,
and may do so in tandem with the anticipated growth of the Go-based locker version that targets network-attached storage devices.
CISA and the FBI have released a joint report detailing the PaperCut vulnerability, CVE-2023-27350.
The FBI has observed the Bl00dy ransomware gang attempting to exploit the vulnerability on PaperCut servers belonging to education sector targets.
If an organization finds it's been compromised, CISA and the FBI urge them to create a backup of their PaperCut servers,
wipe the application server, and restore the database from a safe backup point before April 2023.
Organizations can also mitigate the risk by updating their applications to the latest version in which the vulnerability has been fixed.
Imperva's 10th edition of the Bad Bot Report regarding autonomous bot traffic on the internet found that in 2022 almost 50 percent of
all internet traffic was from automated bots, marking a five percent increase in automated traffic.
The report also showed that good bots are increasing in prevalence, with 17 percent of all traffic,
and bad bots, or those used by bad actors to troll for vulnerabilities, increased to 30%.
A new phishing-as-a-service offering called Greatness places advanced capabilities
in the hands of even relatively raw rookie hackers, Talos Intelligence reports.
The Greatness tool allows for more advanced capabilities within the phishing-as-a-service realm,
including multi-factor authentication bypass, IP filtering, and integration with Telegram bots.
The tool is focused specifically on Microsoft 365 phishing pages
and provides users with a builder to create convincing faux login pages.
Users have to deploy and configure a phishing
kit that they are given an API key for. According to the researchers, the phishing kit and API work
as a proxy to the Microsoft 365 authentication system, performing a man-in-the-middle attack
and stealing the victim's authentication credentials or cookies. Companies have been
most often targeted by Greatness, The Record reports.
Manufacturing, healthcare, and technology are the three most commonly targeted sectors in these attacks,
Talos researchers report, with the United States, United Kingdom, Australia, South Africa, and Canada
making up almost the entirety of the targeted base.
And finally, we've been watching KillNet's social media chatter for the hacktivist auxiliary's latest self-presentation. KillNet's impresario
Killmilk expressed doubt about the Russian hacking auxiliary's organizational change to
a private military hacking company on Tuesday during a heart-to-heart with the group's followers.
Killmilk explained that he had made a terrible mistake in making the group a PMHC and took full responsibility for
what he now regrets as a misstep. He explained that while attempting to acquire more servers
for their botnet, he had drawn the attention of the FBI, and as a result, the organization's
botnet was seized. He then added
that he would not be going to the government for support and requested donations from his fan base.
He ended his heart-to-heart by saying, give us all we ask for and within 30 days there will only be
Native Americans left in the USA. Presumably, he meant that with the correct material supply, he and his no longer
merry band of renegades could and would send the U.S. back to the Stone Age. Since this airing of
grievances, the organization has changed its Telegram handle back to the original We Are
KillNet. On Thursday, May 11th, the group announced that thanks to the donations they'd received,
they would be able to purchase more resources and continue their patriotic labor of love.
It remains unconfirmed whether KillNet's botnet infrastructure was swept up by the FBI's Operation Medusa,
but if KillNet's botnet were indeed tightly coupled to the FSB's network Operation Medusa expunged from its U.S. computers,
then this would be a key indicator of KillNet's ties to the Russian agents.
KillNet's de-rebranding came after the group launched its own Telegram-based cryptocurrency exchange.
They've boasted that they can deliver cash to anyone in the Russian Federation
and that they're looking to expand to other countries.
The group is charging a 6% processing fee for amounts under $5,000,
dropping as amounts grow larger,
with the fee for transferring more than $100,000 coming in at a low, low 3%.
Last but not least, KillNet announced its Telegram-based OSINT tool,
which they claim to be the best in the world in the right hands.
The Telegram bot reportedly allows for name searches, social media account research,
IP address tracing, license plate lookups, and various other phone number and email address
queries, many of which only apply to Russia. Why anyone would use KillNet's OSINT tool instead of
an off-the-shelf tool with multi-country querying capabilities is not immediately clear.
An interesting puzzle is that the tool seems to only query Russian-owned social media and public databases,
which seems to go against KillNet's promise not to operate against or inside of Russia proper.
Perhaps the OSINT is for domestic surveillance. In any case,
there's been some barking in Russian state-controlled media that Russians insufficiently
enthusiastic about the special military operation are not really worthy of the name Russian at all.
Coming up after the break,
CISA's Eric Goldstein advocates the adoption of strong controls,
defensible networks, and coordination of strategic cyber risks. Our CyberWire producer Liz Irvin speaks with Crystle-Day Villanueva,
Learning and Development Specialist for Lumu Technologies.
Stay with us.
Do you know the status of your compliance controls right now? Like, right now? We know
that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised
at home, your company is at risk. In fact, over one-third of new members discover they've already
been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And I am pleased to be joined by Eric Goldstein. He is Executive Assistant Director for
Cybersecurity at the Cybersecurity and Infrastructure Security Agency. Eric, welcome back to the show.
Thanks so much, Tim. Good to be here. You know, you and I have spoken about CISA's mission of stopping the threat,
and I want to touch today on hardening the terrain,
of making it harder for those bad folks to come at us.
What can you share with us about that part of your mission?
Thanks, Dave.
You know, one of the most challenging aspects of cybersecurity for any organization
is quite simply the breadth of guidance, best practices, standards that they may have to adopt.
And what we have seen is perhaps a lack of understanding of which controls, which mitigations, which investments are most effective in actually protecting an organization against the threats that we in the community see in the wild.
If an organization, as almost all do, have a limited security budget for the next quarter,
the next fiscal year, how do they allocate those security dollars to most effect?
And so we are really focused at CISA, working with the broader community,
both experts in cybersecurity companies, as well as operators of infrastructure
to really identify those most
important controls and mitigations, and then being laser-focused on both encouraging and
measuring adoption so we can actually step back and say the country is getting more secure year
on year, and we think our adversaries are going to have a harder time getting after their goals
and achieving objectives on American networks. How do you all do that?
I mean, how do you measure success?
You know, we were really excited last year to release the first iteration of what we
call our cybersecurity performance goals.
And this is a really succinct list of now 39 security outcomes and actions all aligned
around the NIST cybersecurity framework and prioritized
by cost, complexity, and impact. And the goal of the performance goals is for any organization,
but particularly small and medium ones, to be able to step back and say, you know, I really cannot
build a fully mature, fully modern security program this quarter, this fiscal year, maybe even next. What can I do to most
increase my odds of preventing, detecting, responding to, and recovering from a cybersecurity
incident? And that's what the performance goals gives you, is that really prioritized list of
specific actions and outcomes to take, again, aligned around those variables that enable
prioritization. So the entities can say, you know, I'm going to do those lowest cost, highest impact actions first,
and then build from there.
What we're doing now is figuring out how can we, in an aggregate, anonymized way, measure
progress.
And so some of the performance goals, for example, that was focused around remediating
known exploited vulnerabilities,
or as we call them, KEVs, we can measure ourselves, right? We can see the prevalence of KEVs in internet-facing hosts across the country. Some of these will be working with partners in the
tech community to say, well, at an aggregate level, how are we doing on multi-factor authentication
adoption nationally and across sectors? And some of them are really going to be our regional cybersecurity team members going out,
knocking on doors, doing assessments using a self-service tool that we now have online
and really figuring out how we're doing.
But we feel this is the most effective way to drive adoption of the most important risk reduction measures
and then measure in progress so we can actually see how we're doing
and drive further investment where needed. How much of this is influence, of stateside
diplomacy, of being able to communicate both with the private sector, but then also
among your fellow government agencies to try to drive this forward?
Thanks, Dan. Influence is a huge part of it. And as you note, there's really a few elements.
First of all, there is just ensuring broad awareness
among the security community,
making sure that CISOs, IT teams, practitioners
understand, first of all, the importance
of prioritizing those controls and mitigations
that are actually tied back to the threats we are seeing
and reduce the most real-world risk,
and then also making sure that we're communicating
with business leaders to help them have that conversation.
And we are doing a tremendous amount of work
talking to board directors.
For example, we recently supported
the National Association of Corporate Directors
on their Cyber Risk Handbook
to really drive the understanding of cybersecurity
as a business risk and the
utilization of prioritized controls and mitigations therein.
And then, of course, there's influence across the government community so that what our
peer organizations who have different levers of authority, maybe incentives, maybe grants,
maybe regulation, are looking to drive some behavior that we can all lock around the same kernel of best practice
so we're all moving in the same direction
in a harmonized, cohesive way.
For our listeners, folks who want to do their part,
any words of wisdom here,
how they can contribute to CISA's mission?
Absolutely.
In this topic, I'll offer a few things.
The first is go to our website, cisa.gov, navigate over to cybersecurity performance goals, put it in the search bar, or just do a backslash CPGs, and take the self-assessment.
See how you're doing in adopting the performance goals.
Maybe consider reaching out to one of our regional team members for a conversation about where to go next.
Give us feedback on the
performance goals. So we have a GitHub repo that is perpetually open. I'll note we released the
second revision of the performance goals only a few months after the first. We're going to keep
doing cycles of these cross-sector goals even as we begin development of sector-specific goals
this year. But give us feedback. If these goals are
useful to your enterprise, let us know how. If there are ways that they could be more useful,
that's even better. And then third and finally, really do focus on some of those most impactful
risk reduction measures. One I'll call out is we know that many organizations have a backlog of
vulnerabilities a mile and a half long.
We also know that most of those vulnerabilities will never be exploited by an adversary, or they exist in a condition on the enterprise network that makes them less exploitable.
known exploited vulnerabilities, those that we know adversaries are already targeting in the wild, as well as getting organizations to adopt what we call stakeholder-specific
vulnerability categorization, which is one example, and there are several others out
there, of how entities can say, I'm not going to make it through this backlog of vulnerabilities
and the products I'm using.
How can I invest my resources towards the most useful
effect by focusing on those that are exploitable in my environment that adversaries are focusing on
and that would cause the most impact to my business functions if they were exploited?
That's the kind of thing that we think can drive best use of security dollars in what we know is
inevitably a limited environment. Eric Goldstein is Executive Assistant Director for Cybersecurity
at the Cybersecurity and Infrastructure Security Agency.
Eric, thanks so much for joining us.
Thanks as always, Dave.
Continuing to share some of the content we gathered at the RSA conference,
our CyberWire producer, Liz Irvin, spoke with Crystle-Day Villanueva, Learning and Development Specialist for Lumu Technologies.
Liz files this report.
My name is Crystle-Day Villanueva,
and I'm the learning and development
specialist for Lumu Technologies. Fantastic. All right. So is this your first time at RSA?
No, this is my second time. Oh, fantastic. But it's been years. So I think my first time was
just before the pandemic. All right. So how has this compared to your last time?
I think it makes a big difference in the case of, like, where your
company is from before. So the first year that I came, we were very much in our first year as a
startup. So we had a much smaller booth. We really had to fight to get attention, like, you know,
the presence and you're competing with some very amazing companies, right? Very innovative. So in
the first, the first year it was intense, smaller team doing full eight-hour shifts every day.
And today we're a bit more established and we have a lot more integrations and partnerships.
So it's nice to have people come and visit us and be like, Lumu, and know you.
So seeing that growth between the first year and now is spectacular.
That's fantastic. So have you seen any differences from that before COVID era until
now after COVID? Yes, I've seen a lot of in terms of like everyone being more respectful within the
booths of other booths. So I think like especially for the main floor before COVID, there was a lot
of people on microphones and very loud sessions. And it was very disruptive.
Like it was very hard to concentrate.
People were fighting for attention.
Now it's a lot more like everyone's in the same mindset.
Everyone's respectful to each other's space
and everyone's messaging
because we're all here for like a good time
as well as cybersecurity.
So since COVID, do you think RSA is back in full swing?
Do you think like this is like going to be the new norm from now on?
Or do you think it's going to change anymore throughout the years?
Well, I think it's definitely in full swing.
I think it's changed a lot in terms of safety and protocol and how you check in.
So I think that's been really good.
The only reason I would consider it changing a bit is if regulations change for standards, or if
something else were to happen, big, fingers crossed it doesn't. But other than that, I mean, everyone's
here. It's always fantastic to come because it's such an international presence as well. So hearing
all the different languages and people being like, hey, I want to reach out, we're in Europe, we're in
Asia, we're in Canada. So I think we're good to go. How have you liked this RSA so far? Anything that you've seen on the floor that really excites you?
I know this is going to be cheesy, but like food.
Yeah, yeah. Food. I mean, like just the diversity of in terms of like food and representation, like being a Filipino American.
It's nice to see some of like the Asian food represented there, as well as like different wine labels from California.
Like I'm originally from the Bay, so it's nice to kind of just see that.
But also just I like that there's a lot more partnership this year.
So I've noticed, so for example, our organization has different types of partners with like Forge Point.
And it'd be a thing where like, oh, come to our party, spread the word of your brand.
They can come up and then they'll invite them and they'll come the next day. So there's a lot more of like this collab.
Yeah, yeah. How does it feel to be here at RSA representing all of the women? I mean, you look around and there's a lot of men here, you know, and there's definitely a gender gap
in this industry. So what does it feel like to be here supporting women?
So I think in the first year, it was definitely a lot more intimidating. And that was also my first year at RSA. Like that is actually
a very good point compared to my first year, two years ago. And now I have noticed a lot of more
of a presence for women, especially women of color, which I'm very stoked about. So
it's really empowering. Like, I remember when it was my
first year, it was technically like my second and a half year in cyber, but my second company.
So, you know, you come in here and it can be really overwhelming and you can't help but have
imposter syndrome, right? And I told him, you know, if you have that feeling, that's a good
thing because that means you actually care about making an impact and you care about this industry. So if you feel that way, that's a good
thing. It's, I'd be worried if someone came in as a first timer and was like, I got this, you know,
and had no doubt. I was like, okay, I don't know if you really know what it's about. Absolutely.
Cause the learning curve is huge, right? Of course. Yeah. So what was nice was that there
was a few people that came to my booth and they're like, this is my first time in RSA.
Or they'd be like, honestly, it's my first year in cyber. And like, and I'm like, girl, I've
been there as a woman, as a woman of color. It's totally fine. And I was more than happy to reassure
them. I'm like, everything you feel, if you feel like this is a lot, it's totally normal and it's
okay. And you're going to do well. Like I'm here three or four years later and I'm doing well. You will too.
Yeah, I got to agree.
That's perfect.
So have you, I'm sure you've heard of the abbreviation
for Chief Information Security Officer.
How do you pronounce that abbreviation?
I would say CISO.
CISO?
Yeah.
Okay, awesome.
All right, that's the last question.
Thank you so much for taking the time.
Yeah, of course.
Thank you for pulling me aside.
This was a really nice conversation.
That's CyberWire producer Liz Irvin speaking with Crystle-Day Villanueva from Lumu Technologies.
Thank you.
solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com
today to see how a default deny approach can keep your company safe and compliant.
This weekend's Research Saturday and my conversation with Aleksandar Milenkoski and Juan Andres Guerrero-Saade from SentinelOne's SentinelLabs.
We're discussing Operation Tainted Love, Chinese APTs target telcos in new attacks.
That's Research Saturday. Check it out.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com. Your feedback helps us ensure
we're delivering the information and insights
that help keep you a step ahead
in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like the CyberWire
are part of the daily intelligence routine
of many of the most influential leaders and operators
in the public and private sector,
as well as the critical security teams
supporting the Fortune 500
and many of the world's preeminent
intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence
optimizes the value of your biggest investment,
your people.
We make you smarter about your team
while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Irvin
and senior producer Jennifer Eiben.
Our mixer is Trey Hester
with original music by Elliot Peltzman.
The show was written by John Petrick.
Our executive editor is Peter Kilpe
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here next week.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.