CyberWire Daily - Challenges to intelligence-sharing. The complexity of supply-chain security. Ransomware developments. Notes on Russia’s hybrid war, including possible sensor data manipulation.
Episode Date: August 8, 2023

Reports on a 2020 Chinese penetration of Japan's defense networks. MOVEit-connected supply chain issues aren't over. Akamai looks at the current state of ransomware. Mallox ransomware continues its evolution. Machine identities and shadow access. Ukrainian hacktivist auxiliaries hit Russian websites. Joe Carrigan unpacks statistics recently released by CISA. Our guest is Jeffrey Wheatman from Black Kite discussing the market shift from SRS to cyber risk intelligence. And radiation sensor reports from Chernobyl may have been manipulated.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/150

Selected reading.
China hacked Japan’s sensitive defense networks, officials say (Washington Post)
Japan says cannot confirm leakage after report says China hacked defence networks (Reuters)
MOVEit hack spawned around 600 breaches but isn't done yet - cyber analysts (Reuters)
Mallox Ransomware Group Revamps Malware Variants, Evasion Tactics (Dark Reading)
TargetCompany Ransomware Abuses FUD Obfuscator Packers (Trend Micro)
New IAM Research by Stack Identity Finds Machine Identities Dominate Shadow Access in the Cloud, Revealing Easy Attack Vector for Hackers (Business Wire)
Ukraine-Linked Group Claims It Hacked Website Of Moscow Property Registration Bureau (RadioFreeEurope/RadioLiberty)
Ukraine-linked group claims it hacked Moscow property registration bureau website – RFE/RL (Euromaidan Press)
Pro-Ukrainian hackers breach Moscow engineering service website (New Voice of Ukraine)
Ukrainian state agencies targeted with open-source malware MerlinAgent (Record)
The Mystery of Chernobyl’s Post-Invasion Radiation Spikes (WIRED)
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Reports on a 2020 Chinese penetration of Japan's defense networks, MOVEit-connected supply chain issues aren't over, Akamai looks at the current state of ransomware, Mallox ransomware continues its evolution, machine identities and shadow access, Ukrainian hacktivist auxiliaries hit Russian websites, Joe Carrigan unpacks statistics released by CISA,
our guest is Jeffrey Wheatman from Black Kite
discussing the market shift from SRS to cyber risk intelligence,
and radiation sensor reports from Chernobyl may have been manipulated.
I'm Dave Bittner with your CyberWire Intel briefing for Tuesday, August 8th, 2023. The Washington Post reports, on the basis of recently obtained information from U.S. and Japanese sources, that in the fall of 2020 the U.S. NSA discovered a major Chinese penetration of classified Japanese defense networks. According to the Post,
the hackers had deep, persistent access and appeared to be after anything they could get their hands on: plans, capabilities, assessments of military shortcomings, according to three
former senior U.S. officials who were among a dozen current and former U.S. and Japanese
officials interviewed who spoke on the condition of anonymity because of the matter's sensitivity.
Reuters says that Japan was unable or unwilling to confirm
whether information had been compromised.
The incident complicated U.S.-Japanese defense cooperation,
especially intelligence sharing,
which has grown closer as China adopts an increasingly assertive policy in
East Asia. Russia's war against Ukraine has repeatedly shown the value of intelligence
sharing among friendly intelligence services. Anything that causes suspicion of whether that
sharing can be done safely and securely is a win for the adversary. Reuters puts the tally of organizations breached in ways
traceable to the MOVEit vulnerability exploitation at 600 and counting, and cites experts who say
that many more breaches, possibly thousands more, are likely in the future. The Cl0p gang began
exploiting Progress Software's MOVEit on May 27th.
Progress realized something was amiss and began investigating on May 28th.
On May 30th, it had learned enough to issue a warning, and on May 31st, Progress made a patch available.
The continued exploitation illustrates the complexity and interdependence of software supply chains
and of the difficulty of getting users to patch promptly and effectively.
Akamai has published a report looking at the ransomware landscape in 2023.
The researchers found that the rampant abuse of zero-day
and one-day vulnerabilities in the past six months
led to a 143% increase in victims
when comparing the first quarter of 2022 with the first quarter of 2023.
Akamai also notes that ransomware groups now increasingly target the exfiltration of files,
which has become the primary source of extortion,
as seen with the recent exploitation of GoAnywhere and MOVEit.
This underscores the fact that file backup solutions, though effective
against file encryption, are no longer a sufficient strategy. If the crooks threaten you with doxing,
they're not going to care whether your files are backed up or not. The more copies, the merrier.
So, think of backups as necessary, but not sufficient.
Trend Micro warns that the TargetCompany ransomware,
also known as Mallox,
is using the fully undetectable (FUD) obfuscator engine BatCloak.
The threat actors use vulnerable SQL servers to deliver the Remcos RAT,
which is then used to deploy TargetCompany.
Trend Micro says,
since the initial efforts were terminated
and blocked by the existing solutions,
the attackers opted to use
the FUD-wrapped version of their binaries.
The FUD packer used by Remcos
and the one used by the TargetCompany ransomware
has a style of packaging
that closely resembles the style used by BatCloak:
using a batch file as an outer layer and afterward
decoding and loading using PowerShell to make a LOLBins execution. TargetCompany,
it should be unnecessary to say, but of course it's not, has no connection with the Minneapolis-based
retail giant. It's just the name of a malware strain, and the alternative name, Mallox, has no
connection to either malls or big draft animals. It's just the name they gave it. In any case,
keep an eye out for incursions. Stack Identity has published a report looking at identity and
access management trends, finding that shadow access, the invisible and unmonitored identity and
access, increases the risk of breaches, malware, ransomware, and data theft that current IAM tools
are not built to mitigate. The proliferation of shadow access is caused by two factors.
First, visibility to who's accessing your data and who has access to data is scattered across cloud IAM, cloud IDP, infrastructure as code, data stores, and HR systems.
Second, visibility to who's authorized to access your data is scattered across ticketing systems, emails, spreadsheets, and screenshots.
As an aside, the report also found that only 4% of identities in enterprise cloud environments are human, while the rest are non-human identities.
Shadow access is commonly a legacy problem involving over-permissioned accounts that are permitted to persist on a network, overlooked and unattended. Radio Free Europe/Radio Liberty reports that a Ukrainian hacktivist group
calling itself Sudo rm -RF claimed in its Telegram channel to have compromised the site of
Moscow BTI, Moscow's property registration bureau. Sudo rm -RF has been heard from before,
surfacing in reports of a cyber attack against the Skolkovo Foundation
in 2022. The group said that its goal was collection, specifically information about
state officials, politicians, military, and special services officers who support the Ukraine war.
That information, Sudo rm -RF said, had been handed to Ukraine's defense forces. They also claimed to
have destroyed data and infrastructure. Their claims were made not only in Telegram, but on the
Moscow BTI website, which Sudo rm -RF defaced. Some reports called the compromised site an engineering
service website, probably because the data Moscow BTI holds includes building plans and
technical diagrams. UAC-0154, a threat group whose provenance and allegiance is unclear,
has used the open-source tool Merlin Agent as the fishhook in a campaign against Ukrainian
government sites, The Record reports. Merlin Agent is a post-exploitation
command and control tool, that is a remote access trojan, intended for use in legitimate research
and testing, but like many such products, it's a dual-use item. CERT-UA, Ukraine's cyber defense
authority, says that the typical fish bait in the current campaign has been a document named
internalcyberthreat.chm. The sender misrepresents itself as acting on behalf of CERT-UA.
The campaign seems to be cyber espionage, but attribution is unclear. Merlin Agent is widely
available, and the threat actor, UAC-0154, hasn't been clearly associated with any government.
And finally, there's a suggestive and disturbing report due at Black Hat later this week.
Citing research by Ruben Santamarta, scheduled to be presented in full at Black Hat this Thursday,
Wired reports that radiation sensor data from the Chernobyl exclusion area
may have been manipulated during the Russian army's brief occupation of Chernobyl during
February and March of 2022. The sensors showed troubling but inexplicable spikes in radiation
levels. Those reports appear to have been bogus, the data possibly manipulated by a cyber attack.
The published abstract of Santamarta's talk says,
Evidence confirms that the radiation levels depicted by a very specific set of real-time
radiation maps, which during those days were consulted by millions of people and also consumed
as a single source of information by media outlets and official entities,
did not correspond to the actual physical conditions of the Chernobyl exclusion zone.
If the data was indeed manipulated in a cyber attack, that's troubling.
Corruption of sensor data in industrial systems would represent a major safety issue for many sectors and for the public at large.
Coming up after the break, Joe Carrigan unpacks statistics recently released by CISA.
Our guest is Jeffrey Wheatman from Black Kite,
discussing the market shift from SRS to cyber risk intelligence.
Stay with us.
Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to
evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key
workflows like policies, access reviews, and reporting, and helps you get security questionnaires
done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta
when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already been breached. Protect your executives
and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
My guest today is Jeffrey Wheatman. He's a former Gartner analyst and now cyber evangelist at Black Kite, focusing on the business impact of third-party risk and solutions to treat those
risks. This is part of our Industry Voices series of sponsored content. Our conversation centers on
the market shift from SRS to cyber risk intelligence. Here's Jeffrey Wheatman.
So SRS, Security Rating Services, came out a number of years ago. And what they do is we
collect data from the outside and we can assess the security posture of an organization, and that gets fed into third-party
risk. The problem is historically, it's been very much, okay, here's your score. You have a 400 or
you have a C. What we have seen though, is that does not drive better decision-making. You need
more than a score in order to actually
manage risk, assess risk, prioritize, etc. So what we have done is we've actually created a
mechanism where we can provide financial context. So you're a C, but you have regulated data or
you're critical to our production, whether digital or physical, and therefore you can reprioritize. We also have
mechanisms for assessing where the exposures are in our third-party ecosystem for ransomware.
We've seen a lot of recent issues with particular software packages. SolarWinds is the real big one
from a number of years ago. And the most recent one is MOVEit. MOVEit is a very simple,
maybe not simple, but a basic mechanism for moving data securely from one place to another.
Well, tons of companies are using it and don't realize it. So being able to identify where in
that ecosystem those things sit, help you understand where your exposures are, where you
should be looking, where you should be paying attention. So the market is evolving and we're leading the charge on that to move from just
having a score, a number, or a letter to providing intelligence so that sourcing people, vendor
management people, business people can make better and more informed and critically defensible
decisions about what risks they want to treat versus which
ones they want to accept. So, I mean, I think that really brings us to third-party risk management.
And why is that such a priority these days? It seems to me more than ever.
I always ask people a very simple question. If your biggest partner gets hit with ransomware
and they're down for a week, how long are you down for? And the answer is typically longer than a week because everybody's doing just in time.
And then I think also to layer on top of that, we're seeing a lot of legal and regulatory
requirements around managing third parties' digital ecosystem, particularly within financial
services. The latest one is DORA out of the EU, which has a whole section on third-party
risk. And they're telling you, you need to monitor those risks. You are responsible for
what's going on there. So we're starting to see that. And then the other thing, I always say,
cybersecurity is only a part of managing your supply chain, but it often has an outsized impact
because if a company manufactures widgets for you and they get hit
with ransomware, they probably can't send you the widgets. They probably can't pay their bills.
They probably can't send invoices out. They can't pay their staff. And it becomes this sort of
cascading failure. And if you don't at least have visibility and intelligence into your third-party ecosystem,
it becomes virtually impossible to report to your board, report to your senior executives
about what risks you have.
What are your recommendations then for organizations who want to explore this, who are looking
to delve into this notion of cyber risk intelligence?
What's a great way to begin?
So the first thing, and I know a lot of technology people are going to not be comfortable with this,
you have to go talk to your business stakeholders internally and understand who are they doing
business with? Who are they sharing data with? Who are they relying on in order to achieve their
goals and objectives? Then we need to look at how to prioritize those. Not all of those partners are
of the same value. Not all of them are of the same criticality. And then we need to start assessing
what the risk exposures are, understanding what they're doing from a cybersecurity perspective.
Historically, you sent out questionnaires, and even assuming the questionnaires were accurate day one, which is
open for discussion over time, 90 days, they're less valuable, 183, you know, a year out, three
years out. And we know from talking to people, some people are reassessing their partners every
three years, which is beyond risky. So being able to understand where your exposures are,
looking at single points of failure, being able to have ongoing discussion with your third parties so that you can help
them understand, look, from the outside in, here's what the attackers are seeing. Here's
what the hackers are seeing. You need to take a look at this because you're exposed. You're
very susceptible to ransomware. And we know that because we've done
research, companies that are getting victimized by ransomware are not doing some basic blocking
and tackling. And we can see that from the outside. And that's where that intelligence
comes in. And then finally, I spent a lot of years coaching CISOs and CROs and their ilk,
and they tend to struggle communicating with business stakeholders. And I think the
main reason for that is they're not talking about the financial element. So being able to bring in
cyber risk quantification and being able to assess the financial impact of a breach or ransomware or
data loss in your partner ecosystem. And you can have great conversations there. If you go to your executives
and say, well, we think something real bad might happen, they're not going to give you any money
and they're not going to solve the problem. But if you say, look, this partner exposes us to $10
million worth of risk over the year, then they're going to perk their heads up and they're going to
start paying a lot of attention. And then I think finally, building this continuous improvement loop
is really, really important. It's not just a point-in-time snapshot. It's reassessing and
reevaluating over time and being able to reprioritize. Business models change,
architectures change, businesses change. You need to be able to change the way you assess and report
on risk. And ultimately, you want to be
able to go to the CEO and the board and say, look, here's the overall financial exposure within our
digital ecosystem. And right now, most organizations are unable to do that. And if all you're doing is
bringing one score, one letter, one number without that financial context, without a compliance
context, it just doesn't give you defensible decision making.
That's Jeffrey Wheatman from Black Kite.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute
and also my co-host over on the Hacking Humans podcast.
Hey, Joe.
Hi, Dave.
Some interesting stats came out of CISA recently,
and actually the folks over at Duo did a little analysis of it that caught my eye here. And I'm curious,
so what are some of the things here from CISA that you think are worth sharing here?
I think there's a lot in this report that's very interesting. Number one, more than 50% of successful intrusions at organizations began with a valid account for initial access.
Okay. What that means is there was some account that was open. This could
be an old employee's account or an admin account with default passwords. That's how they classify
it in here. But I would say that anything that even a user account, if you, you know, a current
user or current employee account would be a valid account, an account that has a reason to exist
and was how they gained initial access.
These attacks are initiated or actually begun long before they actually set foot into the system,
into the environment. And usually the first kinetic action is they send an email in to
phish some credentials or try to do something. But once they're actually going to get access,
more than 50% of the time, they're using a valid account, which speaks to how effective phishing and spear phishing are.
Right.
Which is the next point.
It's kind of down at the bottom of this article, but spear phishing has a 33% success rate.
That is one in three spear phishing emails is successful.
And that only 13% of spear phishing attempts are blocked,
I would assume that means by some automated means. Right. And that makes sense to me that
spear phishing attempts don't get blocked because generally when you're going to do a spear phishing
attack, you sit down and you think about what you're going to write. And you actually write
something good, or maybe nowadays you use ChatGPT to write a nice phishing email, or WormGPT
as it is now, right?
Yeah.
You can actually go out and use that. But the spear phishing attack is always going to be more successful than just a standard phishing attack or even a spam, you know, spam phishing attack.
Sure.
Because first off, it's only going to one person. It's specifically crafted for that person.
Right.
So 87% of the time it's just going to pass right through a spam filter or a phishing filter or some kind of security product that's intended to block it.
That's not going to happen
because it doesn't match any signatures out there.
It's a new creation,
and it's tailored to do what it's going to do.
When the person sees it,
in cybersecurity terms,
they're very likely to click on the link
or take the action that they're told to take. Right. I say very likely with 33% because normally
a successful phishing email is maybe like a 1% success rate. Yeah. A spam phishing attempt,
like the Nigerian prince scam, that might have well under a tenth of a percent success rate.
Yeah.
But a spear phishing attack, remarkably effective.
Mm-hmm.
CISA also observed that 78% of links and attachments are blocked,
which prevents the execution of any malicious activity,
which is good.
Sounds like the majority of things are getting blocked,
but that means about one in five is getting through.
Right. Which is not really a good record for a security product or for security products or for
security posture at an organization. Well, yeah. And I would say, I guess one way to look at this
is that that's one line of defense. Correct. Right. So if, you know, four out of five
things are getting handled by your automation, that means the remaining one out of five,
in this case, seems to me like this is where your security awareness training comes in and
things like that, or perhaps a secondary system. We always talk about defense in depth. Yes.
This seems to me like the successful
organizations are going to have those kinds of things in place. Yeah, they are going to have
those kinds of things in place because you're 100% correct. There is this concept of the cyber
kill chain. Was it MITRE that put that out? Yeah. But yeah, there's some parts of it you don't have
any control over, right? Right. And like I say, the very early part of a cyber attack is going to be reconnaissance.
And that is pretty much out of your control as an organization.
There's nothing you can do to stop people from just gathering open source intelligence
and calling in and probing and finding things.
Yeah.
That's hard to prevent against.
But once the rest of the attack is going on,
yeah, they're going to have to do a phishing attack.
That might get stopped.
That email might get stopped.
Then they're going to have to convince a user.
There's another opportunity to stop it.
If the user is tricked into going out somewhere,
then that's another opportunity to stop it.
You can have multi-factor authentication that pretty much shuts down account takeover if you
use something like FIDO2 or just makes it more difficult, so it has to be personally involved.
There's all kinds of opportunities to stop it. And you're right, defense in depth is the way to go.
Yeah. Because along that kill chain,
the attacker has the disadvantage. They have to be right every single time.
You only have to be right once.
That's an inversion of what we usually hear, how it's usually described, right?
But the flip side of that is they can do that all day long.
Right.
As long as they're doing that, you have to do it.
You have to stop them somewhere along that line every single time they try.
They only have to get through the entire process once.
All right. Interesting statistics here. I think some of these were a little surprising to me.
Joe Carrigan, thanks for joining us.
It's my pleasure, Dave. Thank you.
And that's The CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights
that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like The CyberWire
are part of the daily intelligence routine of many of the most influential leaders and operators
in the public and private sector,
as well as the critical security teams
supporting the Fortune 500
and many of the world's preeminent intelligence
and law enforcement agencies.
N2K Strategic Workforce Intelligence
optimizes the value of your biggest investment,
your people.
We make you smarter about your team
while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Irvin
and senior producer Jennifer Eiben.
Our mixer is Tré Hester
with original music by Elliott Peltzman.
Our executive editor is Peter Kilpe
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease
through guided apps
tailored to your role.
Data is hard.
Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.