CyberWire Daily - BellaCiao from Tehran; PingPull from Beijing: two cyberespionage tools. SLP exploitation. Ransomware as an international threat. The state of hacktivism. Digital evidence or war crimes.
Episode Date: April 26, 2023
BellaCiao is malware from Iran's IRGC, while PingPull is malware used by the Chinese government-affiliated Alloy Taurus group. Ransomware continues to be a pervasive international threat. An overview of hacktivism. Our guest is CyberMindz founder Peter Coroneos, discussing the importance of mental health in cybersecurity. Johannes Ullrich shares insights from his RSAC panel discussions. And Ukraine continues to collect evidence of Russian war crimes.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/80
Selected reading.
Unpacking BellaCiao: A Closer Look at Iran's Latest Malware (Bitdefender Blog)
Chinese Alloy Taurus Updates PingPull Malware (Unit 42)
Abuse of the Service Location Protocol May Lead to DoS Attacks (Cybersecurity and Infrastructure Security Agency CISA)
#RSAC: Ransomware Poses Growing Threat to Five Eyes Nations (Infosecurity Magazine)
Hacktivism Unveiled, April 2023: Insights into the footprints of hacktivists (Radware)
FBI aiding Ukraine in collection of digital and physical war crime evidence (CyberScoop)
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code
n2k at checkout. That's joindeleteme.com/n2k, code N2K.
BellaCiao is malware from Iran's IRGC,
while PingPull is malware used by the Chinese government-affiliated Alloy Taurus group.
Ransomware continues to be a pervasive international threat.
An overview of hacktivism.
Our guest is CyberMindz founder Peter Coroneos, discussing the importance of mental health in cybersecurity.
Johannes Ullrich shares insights from his RSAC panel discussions.
And Ukraine continues to collect evidence of Russian war crimes.
From the RSA Conference in San Francisco, I'm Dave Bittner with your CyberWire summary for Wednesday, April 26, 2023.
Iran's APT Charming Kitten, sponsored by Tehran's Islamic Revolutionary Guard Corps, has been seen using a new strain of malware known as BellaCiao, Bitdefender reported this morning.
The group, known also by many names including Mint Sandstorm, Phosphorus, APT35, and APT42, uses this individually tailored dropper to deliver payloads from their command and control server.
Bitdefender said that each sample collected was tied up to a specific victim
and included hard-coded information such as company name,
specially crafted subdomains, or associated public IP address.
The malware has been seen in use against victims in the U.S. and Europe,
but also against targets in Turkey and India.
The exact point of infection is unknown, but researchers conjecture a Microsoft Exchange exploit chain software vulnerability or something similar.
The researchers suspect the Italian moniker for this Iranian-native malware, BellaCiao, may be a reference to a folk song of the same name about resistance fighters.
Researchers at Palo Alto's Unit 42 discovered a new malware strain they're calling PingPull. It's used by Alloy Taurus, a cyber espionage group attributed to China.
PingPull targets Linux machines and has been used in conjunction with the Sword2033 backdoor.
Unit 42 explained that although Alloy Taurus has been historically active against telecommunications companies in Asia, Europe, and Africa, recently researchers have noticed increased activity spreading to financial institutions and government entities.
BitSight reported today that they discovered a new high-severity exploit for the Service Location Protocol,
stating SLP is a protocol that was created in 1997 through RFC 2165 to provide a dynamic configuration mechanism for applications in local area networks.
The exploit, dubbed CVE-2023-29552, allows attackers to launch DDoS attacks against open SLP instances.
CISA explains, the service location protocol allows an unauthenticated remote attacker
to register arbitrary services.
This could allow an attacker to use spoofed UDP traffic
to conduct a denial-of-service attack with a significant amplification factor.
Bitsight explained, attackers exploiting this vulnerability could leverage vulnerable instances
to launch massive denial-of-service amplification attacks with a factor as high as 2,200 times,
potentially making it one of the largest amplification attacks ever reported.
BitSight urges businesses to disable SLP on devices connected to the open Internet,
and if that's not possible, then firewalls should be configured to filter traffic on UDP and TCP port 427.
This will prevent external attackers from accessing the SLP service.
The Five Eyes Alliance is seeing a rising threat from ransomware, InfoSecurity magazine reports.
Felicity Oswald, the United Kingdom's National Cyber Security Centre's COO, noted at the RSA
conference that ransomware continues to be pervasive in the UK,
as very little skill is required to implement the malware.
Rita Erfurt, Threat Intelligence Senior Executive at the Australian Cyber Security Centre, said,
ransomware is the most destructive form of cybercrime facing Australia.
CDO Trends reports that a study from Rubrik on Data Security says that 72% of organizations have actually paid hackers using ransomware,
yet only 16% saw success in data retrieval using attacker-supplied tools.
National representatives in attendance from the UK, Australia, the US, and Canada
noted that their national cybersecurity strategies are currently in the works or have recently been published. Infosecurity magazine notes that
Canada and Australia's cyber strategies are still in development and under review.
The UK saw the release of its national strategy in December of last year,
and the U.S. finalized theirs last month.
Radware issued a report this morning offering an overview of the current state of hacktivism.
Much of the genuine politically motivated actions
have pursued familiar targets.
Israel, for example, comes in at number one
among the countries targeted,
but the emergence of hacktivist organizations
serving as cyber auxiliaries to governments,
especially the Russian government, is a noteworthy development.
The Russian hacktivist organizations include Killnet, NoName057(16),
which wants everyone to understand that they're not working for Killnet,
and The Passion Group, which began its career as a Killnet affiliate,
but which has recently shown signs of morphing into a profit-driven criminal gang with an advocacy side hustle.
Radware's conclusion sums up the record the Russian hacktivists have compiled, stating,
Pro-Russian hacktivists have been actively attacking anyone who supports Ukraine or goes against Russia for over a year now.
Killnet has been dedicated to its cause and has had the time to build experience and increase its circle of influence across affiliate pro-Russian hacktivist groups.
We've seen groups like NoName057(16) successfully exploring crowdsourced botnets with financial incentives,
and Passion Group providing DDoS-as-a-service attacks to like-minded groups.
While NoName057(16) is the major force to be reckoned with in terms of DDoS attacks,
Killnet's influence, reach, and tactics are growing and changing, and they're not showing
signs of slowing down or retiring soon. Killnet, by the way, has been promising a big announcement this evening
at 10 p.m. Moscow time. We'll be keeping our eyes out for it.
And finally, Ukraine is collecting evidence of alleged Russian war crimes,
with a view toward both prosecuting those responsible, should they become available
for prosecution, or at least toward ensuring the preservation of the historical record
and assuring that the history is told accurately.
In this effort, they're receiving international assistance,
some of it from the U.S. Federal Bureau of Investigation.
These investigations are groundbreaking
in that so much of the relevant evidence is digital, CyberScoop reports.
Digital forensics will be important not only for
investigating cyber attacks against civilian infrastructure, but also for geolocation of
perpetrators in the vicinity of their crimes. Devices can put their owners at the scene,
and that holds for war crime investigations as well as for ordinary criminal cases.
We would add two other potential spheres of investigation,
collection of communications authorizing and organizing atrocities, and collection of
communications that could amount to incitement. There's been no shortage of incitement to genocide.
Coming up after the break, our guest is CyberMindz founder Peter Coroneos,
discussing the importance of mental health in cybersecurity.
Johannes Ullrich from the SANS Technology Institute shares insights from his RSAC panel discussions.
Stay with us.
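The SLP item above ends with BitSight's advice to disable SLP on Internet-facing devices or to filter UDP and TCP port 427 at the firewall. The following script is an added example for defenders, not code from the briefing, BitSight or CISA: it reads flow records, reports which of our hosts are reachable on port 427 from outside, and estimates per-peer amplification (bytes our SLP service sent back divided by bytes received) so that a host being used as a reflector stands out. The flow-line format, the sample records, the INTERNAL_NETS ranges and the flag threshold are all assumptions constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

SLP_PORT = 427  # IANA port for the Service Location Protocol (UDP and TCP)

# Networks we administer. Assumption for this example: 198.51.100.0/24 is the
# organisation's public range and 10.0.0.0/8 its internal range.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample flow records (not taken from any real log). "dir=in" is
# traffic arriving at our network, "dir=out" is traffic our hosts send back.
SAMPLE_FLOWS = """\
2023-04-26T10:00:01Z dir=in  proto=udp src=203.0.113.5:40000 dst=198.51.100.10:427 bytes=29
2023-04-26T10:00:01Z dir=out proto=udp src=198.51.100.10:427 dst=203.0.113.5:40000 bytes=65000
2023-04-26T10:00:02Z dir=in  proto=udp src=10.0.0.7:40001 dst=198.51.100.10:427 bytes=40
2023-04-26T10:00:02Z dir=out proto=udp src=198.51.100.10:427 dst=10.0.0.7:40001 bytes=120
2023-04-26T10:00:03Z dir=in  proto=tcp src=203.0.113.9:51000 dst=198.51.100.10:427 bytes=60
this line is deliberately malformed and must be skipped
"""

FLOW_RE = re.compile(
    r"(?P<ts>\S+)\s+dir=(?P<dir>in|out)\s+proto=(?P<proto>udp|tcp)\s+"
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"bytes=(?P<bytes>\d+)$"
)


def parse_flows(text):
    """Parse flow lines into dicts; malformed lines are skipped rather than fatal."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for key in ("sport", "dport", "bytes"):
            rec[key] = int(rec[key])
        flows.append(rec)
    return flows


def is_external(ip):
    """True when the address lies outside every network we administer."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def exposed_slp_hosts(flows):
    """(host, proto) pairs on our side that accept SLP traffic from outside."""
    return {(f["dst"], f["proto"]) for f in flows
            if f["dir"] == "in" and f["dport"] == SLP_PORT and is_external(f["src"])}


def amplification_by_peer(flows):
    """Per external peer: bytes our SLP service sent back / bytes it received (UDP only)."""
    received = defaultdict(int)
    sent = defaultdict(int)
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["dir"] == "in" and f["dport"] == SLP_PORT and is_external(f["src"]):
            received[f["src"]] += f["bytes"]
        elif f["dir"] == "out" and f["sport"] == SLP_PORT and is_external(f["dst"]):
            sent[f["dst"]] += f["bytes"]
    return {peer: sent[peer] / received[peer] for peer in received if received[peer]}


def flag_reflection(flows, threshold=100.0):
    """External peers whose observed amplification meets the (assumed) threshold."""
    return sorted(peer for peer, ratio in amplification_by_peer(flows).items()
                  if ratio >= threshold)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for host, proto in sorted(exposed_slp_hosts(flows)):
        print(f"SLP reachable from outside: {host} ({proto}/{SLP_PORT})")
    for peer, ratio in amplification_by_peer(flows).items():
        print(f"peer {peer}: amplification x{ratio:.0f}")
    print("likely reflection abuse:", flag_reflection(flows))
```

Any host the script lists as exposed is a candidate for the remediation the briefing names: turn SLP off on that device, or block 427/udp and 427/tcp from outside at the perimeter. The amplification ratio is only a flow-level estimate; a single large reply to a tiny request is what an SLP reflector looks like on the wire, which is why the threshold is set well above the ratio an ordinary service query would produce.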
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and help you get security questionnaires done five times faster
with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber.
That's vanta.com/cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives
and their families at home?
Black Cloak's award-winning
digital executive protection platform
secures their personal devices,
home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk.
In fact, over one-third of new members discover
they've already been breached. Protect your executives and their families 24-7, 365,
with Black Cloak. Learn more at blackcloak.io.
Peter Coroneos is the founder of CyberMindz, which has gotten a start in Australia,
addressing the importance of mental health in cybersecurity.
He stopped by to visit with us here at the RSA conference to celebrate their launch here in the US.
We launched CyberMindz in the US yesterday morning. First thing really, and it was really our
extension of the CyberMindz program into the US for the first time. So very excited. We had some
great representation. The director, Jen Easterly, was kind enough to give us some words of support.
She wasn't able to attend in person, but she sent a beautiful video.
And I think what we're realizing and what we're seeing
is that the problems that we encountered in Australia in the last few years
I think are fairly universal around burnout in cyber teams.
So it was really great to just see the warm reception we got
and the recognition for the issues that we're attempting to address.
Well, let's clarify that. What is the mission of CyberMindz?
Well, it's pretty simple, really. I mean, I've got a long background in cybersecurity, but I've also had a very long
background and exposure to neuroscience and personal development. And in a way, I was keeping
them separate. I was using the personal development strategies in my own career
when I was heading the Internet Industry Association in Australia.
It was sort of my secret weapon.
It was how I kept on game and could switch off when I needed to.
But I guess during the pandemic,
I was starting to see more and more burnout in teams,
cyber teams and amongst my peers.
And finally, one day, the penny dropped and I thought,
look, here's the opportunity to integrate these two passions
of the personal development, you know, relaxation,
optimisation of the mind and bringing it into cyber security
for the first time.
And that's really the mission now is to go in with tangible on-the-ground support now,
more than just talking about it,
going in and actually delivering a very powerful protocol,
which we can talk about,
but it's had extensive use in the military in the US and in Australia.
So we know it works.
There's plenty of science that supports its effectiveness.
And I think our contribution as CyberMindz
is to just work with organizations
and to start bringing teams back from burnout
and back into the sort of zone where we want them to be.
What is your sense in terms of the problem itself,
the problem of burnout within cybersecurity?
To what degree is it the nature of the job? Is it the nature of the people who are attracted to that kind of job or a spectrum in between?
I think it's a combination of factors. One thing I will say is that we've done a fairly deep analysis now of the drivers of burnout in cyber.
And there really is, in my mind, something particular and unique about working in cybersecurity
that means that it stands apart from other professions and not to take away from the
stresses that they encounter and many people have encountered during COVID particularly.
But with cybersecurity, we've identified at least 15 factors
that all in combination come to bear on teams
and are driving this burnout.
And we really think that there isn't very much to compare
outside of cybersecurity.
So, you know, I think we're familiar with what some of those factors will be.
It's the relentless nature of the attack environment.
It's the invisibility of success,
so you don't really know when you're winning.
Right, we did all these things, congratulations, nothing happened.
Yeah, and that's very hard.
And so that plays into a lack of recognition
for the value of the work that our cyber peers are doing.
In addition, on top of that,
you've got the high visibility of failure.
And particularly, I would say,
the downstream consequential effects of a single failure,
potentially affecting, as we've seen in Australia and elsewhere,
tens of millions of people.
And so, you know, that plus another 12 or so factors
start to create a very unique environment
that, quite frankly, our brains are not optimised for.
And the result of that is we start to see
cyber professionals questioning their own effectiveness in the job.
They start to doubt their own efficacy.
And that's one of the three metrics that predict resignation intent
as burnout metrics,
that's the one that is actually in our research
outpolling that even of frontline healthcare workers.
So just to sort of condense that point,
what our research is showing is that on that one metric
that predicts the intention to resign,
cyber people are polling worse
than even the frontline healthcare workers.
And that should be a concern for all of us for obvious reasons.
Let's talk about the framework itself then. How are you all approaching this problem?
So I mentioned the iRest protocol. It stands for Integrative Restoration. It was developed in
California actually by Dr. Richard Miller and the iRest Institute. So he's really the true mental health pioneer in this space.
He's a clinical psychologist. And they had taken the protocol into the US military in
2004, actually, and they were using it to help treat PTSD in returning veterans from
Iraq and Afghanistan. And they found pretty quickly
that they were getting quite remarkable results.
Also, it was being used very effectively
to address anxiety, depression, insomnia,
a lot of even pain management,
but a lot of the things that we see manifesting
within cyber teams now,
and particularly I would say
the most critically affected units would be around the SOC analysts, right? And this constancy of, you know, the incoming,
and they're having to sort through false positives, and that sort of kicks the brain into a hypervigilant state,
which over time I think is really not sustainable.
So the protocol has had this extensive application in the military
and it was officially endorsed actually by the Army Surgeon General in 2010
as a Tier 1 complementary therapy.
So I looked at this and I thought, you know,
there are a lot of similarities between military and cyber security
in terms of the defensive posture that you have to take
and really the toll that it takes on the individuals.
And so I approached the iRest Institute.
I'd done the training myself as a facilitator
and I started piloting it and I was seeing great results in Australia
and I thought, well, the general population,
because these measures we use have got general population norms that
are already established. But then we can go in and look at how you're comparing with other
professional groups, as I said, the frontline healthcare workers or teachers or other professions.
But more importantly, we can also start to build a picture of where your organisation sits in
relation to other organisations within cyber security.
And what we hear from the people that we're running our programs with is that they start to make better decisions
because they're not now coming out of their flight-and-fight, the limbic system in the brain,
but they're actually more able to come back
into a present-centred state
where they need to access the prefrontal cortex and where all the, you know, the good decision-making occurs,
and we're moving them back into that zone,
and also we give them the ability to switch off when they go home. The protocol can be used
before sleep or if you wake up in the middle of the night, which I'm sure many people can relate to.
Sure, yeah, mind is racing.
And it's because you've carried a lot of subconscious stuff into sleep
and it wants to break through and be heard.
And as that happens,
you actually start to get development in other parts of the brain
that are involved with emotional regulation,
seeing things in perspective.
Even empathy starts to build
and you become, you know, the team morale improves
because everyone's feeling a little bit more restored emotionally.
So yeah, it's very powerful.
Very interesting how it works.
That's Peter Coroneos from CyberMindz.
And it is always my pleasure to welcome back to the show Johannes Ullrich.
He is the Dean of Research at the SANS Technology Institute.
And he is also the host of the ISC StormCast podcast.
Johannes, great to see you.
Great to see you actually in person. I'm standing across from you here. It's all different.
It's so decadent, isn't it? It's one of the great things about this conference is
you get to see so many people face to face, who you only get to see remotely along the way.
Well, speaking of the conference, you are presenting here this year, or actually you did present here this year.
Tell us about your program.
Yeah, so I'm part of the SANS panel again.
I think we're doing this now for 10 plus years.
We were talking about this earlier, kind of hard to remember when it all started.
Right.
But the idea is always that we talk about emerging threats,
things that are already kind of an issue
but are probably going to be of more concern
in the next year or so.
So that's what is of the theme of this.
And we narrowed it down to the top five of these threats.
Okay.
Can we go through some of them together?
Yeah.
So we have on the panel Heather Mahalik.
We have Katie and we have Stephen Sims and Ed Skoudis,
who is sort of managing it all.
And Katie talked
about, for example, these search
engine optimizations that's
more and more happening now, in particular with Google,
where essentially attackers
are just buying ads for their malware, which is
an amazing kind of concept, but
it works. But
yeah, it does work.
And they're able to really sort of trick people into basically downloading malware
instead of the legitimate software they looked for.
So this is a situation where, let's say,
I was looking for the latest copy of Zoom
or something like that, and I do a search in Google,
and the first ad that would pop up
would pretend to be from Zoom,
but would actually have malware embedded in it?
Correct, and it's going to a page that looks like Zoom.
So it's really hard for anybody really
to figure out what they're downloading.
So that's a challenge here.
And of course, Google hasn't really been super responsive
to all of this.
That's a troubling aspect of this,
that Google hasn't been speedier in getting on top of this.
I feel like this virus total thing
that I hear,
that may help.
Let's continue down the list.
What are some of the other things
you guys are looking at?
And then, of course,
ChatGPT is a big thing.
Stephen Sims and Heather
will sort of talk a little bit about this.
Stephen,
what about the technical aspects?
And how do you basically
socially engineer ChatGPT
into writing
malware for you? And what some of the
tricks are that people have figured
out in how to
sort of convince ChatGPT
to do that? They put some controls
in here. If you just outright ask
it to write malware,
it usually doesn't work. But then you
can, for example, ask it, hey, let's
pretend you're writing a movie script. How about
you in that movie?
So, fairly simple things.
Now, Heather is going
more into sort of the personal
aspect of this.
And she has some fairly troubling,
at least to me, kind of conversation with
ChatGPT and her son.
She used ChatGPT to write texts to send to her son
that are supposed to pretend that she's a teenage girl.
Oh, interesting.
And actually, I think she said her son mentioned one of those texts
was like one of the best he ever received from her,
with all the emojis
and such.
Oh, interesting.
So ChatGPT really got the tone pretty right here.
Interesting.
Well, I mean,
perhaps there's an upside
where we can have
cross-generational
communications,
have it serve as
a translation layer
between us and our kids.
Right, exactly.
Now learn how to talk
with your kid.
Hey, whatever it takes, right?
As the parent of a teenage boy,
I welcome anything that helps us
see eye to eye.
What else are you guys looking at?
And then I'll be talking about
attacks against developers.
This is something that we have seen more and more of
lately, like for example
this LastPass issue where a home system of a developer
was compromised,
essentially led to the compromise
of the entire organization, more or less.
We also had this again with 3CX,
where that trading software
that was downloaded
was then used to compromise the organization.
So where developers are taking a lot of the brunt
of these attacks because they are the supply chain.
So when we talk about supply chain attacks
and we talk about malicious libraries,
well, how did that library become malicious?
A developer sort of was involved at one point,
whether that developer willingly collaborated
or whether someone made the developer collaborate
by installing malware on their system,
that's where they have the big problem here.
Yeah.
So RSA Conference does a great job
of putting these panels online for folks to view afterwards.
Will this be included in that?
Are you being videotaped or recorded?
Yeah, definitely being recorded.
I'm not sure whether it will be online
for free or whether it will be
online for
people who actually paid and attended a conference.
Usually, at least after a few
months or so, they make it
freely available online.
Any other things from the conference
that have drawn your attention
here before we wrap up?
It's big as ever before.
Like last year, I think it felt like a trial run kind of.
Right, right.
But now it's sort of back to normal and it's big.
Lots of vendors, lots of noise also on the floor.
That's what I noticed.
It felt quieter last time.
Yeah, I think that's right.
I think that's right.
So back to normal, for better or for worse, right?
All right. Well, Johannes Ullrich, thanks so much for joining us.
Thank you.
Cyber threats are evolving every second and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications,
securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
Thank you.
and email at cyberwire@n2k.com. Your feedback helps us ensure
we're delivering the information and insights
that help keep you a step ahead
in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like the Cyber Wire
are part of the daily intelligence routine
of many of the most influential leaders and operators
in the public and private sector,
as well as the critical security teams
supporting the Fortune 500
and many of the world's preeminent intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people.
We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.