CyberWire Daily - CISA's new Binding Operational Directive. “CosmicEnergy” tool doesn’t pose a cosmic threat. Hackers’ homage to fromage in attacks against the Swiss government. Industry advice for the White House.
Episode Date: June 13, 2023
CISA issues a new Binding Operational Directive. An update on CosmicEnergy. Hackers' homage to fromage in attacks against the Swiss government. Ukraine's Cyber Police shut down a pro-Russian bot farm. Clothing and footwear retailers see impersonation and online fraud. A 2021 ransomware attack contributed to a hospital closing. A proof-of-concept exploit of a patched MOVEit vulnerability. An industry letter calls for a new framework on the White House cybersecurity strategy. Joe Carrigan examines a ChatGPT-fueled phishing scam. Our guest is Neha Rungta, Applied Science Director at AWS Identity, discussing Amazon Verified Permissions. And trends in cyber risks for small and medium businesses. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/113
Selected reading.
Binding Operational Directive 23-02 (US Cybersecurity and Infrastructure Security Agency)
COSMICENERGY: New OT Malware Possibly Related To Russian Emergency Response Exercises (Mandiant)
Dragos Analysis Determines COSMICENERGY Is Not an Immediate Threat (Dragos)
More than 4,000 bots to discredit the Defense Forces of Ukraine and spread propaganda in favor of Russia: the police of Vinnytsia eliminated a large-scale bot farm (Ukraine Cyber Police)
Ukraine police raid social media bot farm accused of pro-Russia propaganda (The Record)
Widespread Brand Impersonation Scam Campaign Targeting Hundreds of the Most Popular Apparel Brands (Bolster)
An Illinois hospital is the first health care facility to link its closing to a ransomware attack (NBC News)
Ransomware attack causes Illinois hospital to close (Becker's Hospital Review)
New BlackFog research: 61% of SMBs were victims of a cyberattack in the last year (BlackFog)
Switzerland warns that a ransomware gang may have accessed government data (The Record)
Swiss government warns of ongoing DDoS attacks, data leak (BleepingComputer)
Swiss Government Targeted by Series of Cyber-Attacks (Infosecurity Magazine)
DDoS attack on Federal Administration: various Federal Administration websites and applications unavailable (The Federal Council of the Swiss Government)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
CISA issues a new Binding Operational Directive. An update on CosmicEnergy.
Hackers' homage to fromage in attacks against the Swiss government.
Ukraine's cyber police shut down a pro-Russian bot farm.
Clothing and footwear retailers see impersonation and online fraud.
A 2021 ransomware attack contributed to a hospital closing.
A proof-of-concept exploit of patched MOVEit vulnerabilities, an industry letter calls for a new framework on the White House cybersecurity strategy, Joe Carrigan examines a ChatGPT-fueled phishing scam, our guest is Neha Rungta, Applied Science Director at AWS Identity, discussing Amazon Verified Permissions, and trends in cyber risks for small and medium businesses.
I'm Dave Bittner with your CyberWire Intel briefing for Tuesday, June 13th, 2023.
We begin with some news from CISA, the U.S. Cybersecurity and Infrastructure Security Agency. The agency this morning issued Binding Operational Directive 23-02.
The directive requires federal civilian executive agencies
to remove specific networked management interfaces from the public-facing Internet
or implement zero-trust solutions within two weeks.
The directive's intent is to reduce the attack surface
that misconfigured or otherwise insecure management interfaces present to potential adversaries.
Researchers at Mandiant last May announced discovery of new malware they've coined CosmicEnergy that appeared to have potentially been designed to disrupt electrical distribution and associated critical infrastructure. Mandiant was cautious in its assessment and said that CosmicEnergy may in fact have been a Russian red-teaming tool used in exercises to simulate an electric infrastructure attack. Yesterday, Dragos released some reassuring conclusions from its own research. CosmicEnergy is not related to either Industroyer or CrashOverride, two known threats to infrastructure. Dragos finds that the malware is non-functional in several respects and isn't, as it stands, a threat.
Much like the nation's famed cheese, hackers have poked holes in the Swiss government's IT infrastructure in a ransomware attack against IT firm Xplain. The recent ransomware attack on Xplain may have caused the exposure of Swiss government operational data, The Record reports. Xplain, an IT provider serving a multitude of Switzerland's federal agencies, was victimized in a May 23 ransomware attack that saw the leakage of 907 gigabytes of stolen files on the first of this month. The files are said to include sensitive data, including financial and taxation information, BleepingComputer reports. The Play ransomware gang has been cited as the perpetrator of the attack by Xplain. The nation's cybersecurity center and law enforcement were notified and are aiding in the investigation of the attack. Switzerland's federal agencies have also been targets of DDoS, claimed by the pro-Russian hacktivist gang NoName, that rendered the websites of multiple Swiss governmental agencies and state-affiliated companies inaccessible yesterday, writes Infosecurity Magazine. A press release from the Swiss government portal says that measures are in place to restore access to the sites and applications after the agency quickly caught on to the attack.
Ukraine's cyber police on Monday announced the arrest of three bot farmers who were operating from a garage in the west-central Ukrainian city of Vinnytsia. They were engaged in automated disinformation distributed through inauthentic accounts they ran in the Russian interest. The Record reports that about 500 bogus accounts were created each day
at the hands of these bot farmers and were used to disseminate pro-Russian propaganda and
disinformation. Their motivation may have been primarily financial, as they received payments
in Russian rubles of about the equivalent of $13,500 per month, presumably from Russian paymasters. The rubles, which are currently
prohibited in Ukraine, were laundered through illicit payment services like WebMoney and
PerfectMoney, then converted to cryptocurrencies and loaded onto bank cards. The crew was also
allegedly engaged in criminal fraud on various e-commerce platforms.
Speaking of fraud, researchers at Bolster have observed a phishing campaign that's impersonating more than 100 clothing and footwear brands. It's direct fraud targeting online consumers.
The impersonated brands include Nike, Puma, and Adidas, among others. The threat actors have used over 6,000 domains,
more than half of which are still active. The researchers note that some of the scam sites
appear prominently in Google search results. St. Margaret's Health in Spring Valley, Illinois,
is shuttering its operations, which they've blamed in large part on the fallout of a ransomware
attack on their systems, NBC News reports.
Becker's Hospital Review writes that the hospital's coming June 16th closure
follows a 2021 ransomware attack that rendered St. Margaret's unable to submit claims to payers.
Not only did the claim information not get submitted,
but the systems were down for at least 14 weeks and required
months of catch-up and recovery. The financial pressure this induced wound up being a factor
in its closure, said Vice President of Quality and Community Services at the hospital, Linda Burt.
The health system also ended operations at a Peru, Illinois-based facility in January.
Industry leaders are calling for a new framework for the
U.S. national cybersecurity strategy, as the signatories believe that issues surrounding
identity were not adequately addressed in the existing form of the cyber strategy.
The Cyber Wire received a copy of the letter, whose signatories include the American Bankers
Association and the Better Identity
Coalition, among others. The groups advocate enhanced protections against identity-related
cybercrime. Their recommendations include launching a task force dedicated to accelerated
development of tools to guard against identity crimes and documentation of the budget savings
achieved when digital identity infrastructure and tools are implemented.
Also suggested was a prioritization of the National Institute of Standards and Technology's
Identity and Attribute Validation Services with the end goal of a digital identity framework
encompassing standards and best practices for identity security.
And finally, researchers at BlackFog have determined that 61% of small and medium businesses have sustained a successful cyber
attack in the past 12 months. Organizations were said to see around five successful breaches or
attacks on average, with business downtime as the primary business impact of cyber attacks,
affecting 58% of those surveyed. The researchers write that the successful attacks also negatively
impacted customer trust and retention, with a third of all respondents reporting that the customers. Coming up after the break, Joe Carrigan examines a ChatGPT-fueled phishing scam.
Our guest is Neha Rungta, Applied Science Director at AWS Identity, discussing Amazon Verified Permissions. Stay with us.
As we noted on yesterday's program,
the AWS re:Inforce Conference is taking place this week in Anaheim, California,
and the CyberWire is happy to be a media partner for the event.
A highlighted announcement at the event is the general availability launch of Amazon
Verified Permissions, a scalable permissions management and fine-grained authorization
service for building applications. For details on the launch and why it matters,
I spoke with Neha Rungta, Applied Science Director at AWS Identity.
Amazon Verified Permissions is a permissions management
and authorization service
for a wide range of applications,
including healthcare applications,
banking applications,
productivity apps,
a dog walking app,
anything you can think of.
And it empowers developers
to centralize their permissions management
by decoupling their authorization logic from their business logic.
And verified permissions uses the Cedar policy language.
It's an in-house authorization language that we developed at AWS and open sourced last month at the Open Source Summit.
Well, let's dig into some of the specifics here.
I mean, first of all, can you give us an example of a typical use case?
Imagine you are a developer of a banking application and you want to provide your CFO the ability
to define which employees can access what company bank accounts under what circumstances.
And for that, you want consistency, scalability, and security.
So before talking about what Amazon Verified Permissions gives you,
I'll talk a little bit about what happens today.
So as a developer, you often end up adding authorization logic within the application logic itself.
Now, if that banking application needs a
mobile version, you'll have to go copy all the authorization logic from the original version.
And oftentimes, these systems won't be even implemented in the same programming language.
Verified Permissions makes it easy. It decouples the permissions from the application logic.
After this consistency comes scalability.
The challenge with homegrown permissions management systems is that they often run into scaling challenges.
So when an application is designed, you can imagine there is a few hundred users, a few thousand permissions.
And if it's a U.S. bank that is now expanding its business in Europe and Asia, you'll have a lot more users, a lot more permissions that are governed by the regulatory requirements in these regions.
And that's what we have a lot of experience in AWS, running authorization at scale.
So we've leveraged our lessons in AWS to provide a scalable authorization solution. Access requests are evaluated within milliseconds. And like other AWS services, it scales with the application.
And finally, here's how it helps with security. Today, the security administrators would have to
reconcile permissions across many different permission systems.
And that's hard. It can lead to blind spots.
Verified permissions provides security administrators
essentially an ability to centralize governance and auditing,
to be able to track who can do what.
So with verified permissions,
customers get consistency, scalability, and security.
So one of the things that you have noted here in the development of this is this notion of automated reasoning,
which is a technology you and your colleagues there at Amazon use.
Can you describe that for us? What part does that play?
So automated reasoning is the use of mathematical logic to solve customer problems.
In automated reasoning, you use a set of specialized facts about a particular domain.
An example is the rules of access control in AWS or the rules of network configurations in VPCs.
What automated reasoning does is it combines the facts with configurations to derive new facts. And it has powered features such as Amazon S3 Block Public
Access. It tells you with certainty, is this S3 bucket public? And the differentiation there is
the results are verifiable.
There is no guessing or probabilities.
It is computing the result from a fact.
It is explainable.
Why is this bucket public?
And we have leveraged the same techniques in the development of Amazon verified permissions.
I talked a bit about how it uses a custom authorization language, Cedar.
And to raise the assurance in the correctness and security of Cedar, we follow a new verification-guided development process. In this process, we formally model the authorization rules of Cedar
and automatically prove the correctness of properties such as a
forbid statement will always trump a permit statement. And that's where automated reasoning
comes into play. And now that we've proved the correctness of the model, we use a technique
called differential random testing to ensure that the behaviors in the model match those of the
implementation. You know, zero trust is certainly a hot topic in the industry now. How does this all intersect with that? Zero trust is all about continuous, dynamic, and consistent authorization. And with Verified Permissions, it's easy to do that. You can specify fine-grained permissions to say, only healthy device posture. With Verified Permissions now, it is easy to specify permissions such as grant access only if access requests are coming from a healthy device posture. And those types of flexibility and dynamic information are easy for everyone to use, in each one of the applications. And that's why we believe Verified Permissions is a key to enabling zero trust across all aspects of your application development.
You mentioned Cedar, the open source language and SDK.
Why was it important for you all to make that open source?
We want to democratize security.
And access control is part of that.
So we looked at a lot of different options,
and we wanted an authorization language that is secure by design. It is secure, it is fast,
and easy to use. With us open sourcing Cedar, we want to build a community around access management
for folks to see this is how we are doing the
development. We want them to contribute and for it to become essentially a standard for how we do
authorization across multiple different types of applications. That's Neha Rungta, Applied Science
Director at AWS Identity.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute and also my co-host over on the Hacking Humans podcast. Joe, welcome back.
Hi, Dave.
So this caught my eye, from the folks at INKY. This is posted by Allison Rusk. This is about a phishing scam, which of course is something we talk about all the time over on Hacking Humans. Combine some phishing and some ChatGPT. Can you unpack what's going on here, Joe? Right. So actually, it's victimizing ChatGPT and OpenAI by impersonating their brand. Now, we've talked on Hacking Humans about how these guys have calendars and follow the news and everything. Right. So they've seen that ChatGPT has gotten
enormously popular. If you think about that, when did they launch it?
They launched it in like—
Six months ago, something like that?
By March of 2023 is when they had—so three months ago, they had a billion users.
Right.
Explosive growth.
Well, the scammers have noticed that.
And what they've done is they're using brand impersonation to impersonate ChatGPT, or OpenAI,
by sending out emails that look exactly like the emails
that get sent out when you sign up for a ChatGPT account
that say verify your email address.
Okay.
However, they're also saying, or configuring these emails
to look like they're coming from the person's IT department. So if I know your email address, I know what company you're from. Right. Probably put something together. It looks like it comes from your IT department. Okay. And a lot of corporations are starting to use ChatGPT. Right. As corporate customers. So they're sending these emails out and they're trying to harvest
credentials with this. So what they do is they send an email out that is using something called
the Interplanetary File System, which is a distributed file system for sharing files, but it also allows you
to host web pages on it. So it's really hard to take these phishing sites down. Because it's a
peer-to-peer system. It's a peer-to-peer system, exactly. Right. I can take down one node, take
the stuff off of one node. It's gone off that node, but it still exists on the network, so somebody can still find it. Okay. So, that's the first problem. The next thing is that the
email of the user is encoded in the URLs of the, or is included in the URLs, the query string of
the URL. So, a couple weeks ago, I was talking about putting an at sign in a URL. If you put
that in the server section of the URL, everything before the at sign gets ignored. Right. But if you
put it in the query string or after the resource name, it's fine to have an at symbol in there.
Okay. So these RFCs and all the way things happen, they're convoluted. Yeah. So there's all these
different ways you can hide
stuff in there. But when, if I'm the malicious actor, I can say, okay, well, what's this guy's
email address that I'm supposed to, that I'm trying to catch credentials for? Yeah. So
depending on their domain, I can have them, I can have them see a page that looks exactly like their login page for their corporation.
Oh.
And that's what's happening is this one phishing kit is impersonating tons of different
corporations.
Huh.
And when people see it, they're asked to log in with their credentials.
Now, the URL does not look anything like the real URL with the exception of the fact that it does have their email in it.
Right.
So if they just look – and that's the last argument.
So if they just look at the end of the email, it'll say, like, Inky uses the example inky.com.
Yeah.
And that will be at the end of the email.
Huh.
So perhaps that contributes also to people filling this out.
When you go to enter your password, it says,
login failed, enter your password again. Right? So it's asking you to enter it twice
so it can harvest it twice. There's all kinds of reasons you do that. Number one is you can
validate the information is correct if they enter the same password twice. You don't want to let
them enter a fake password. Maybe you want
them to go, oh, okay, well, how do they know this isn't my password? Let me try my real password.
Or number two, if they do enter the password incorrectly the first time, you can get a second
chance to get it. It just increases the accuracy is all this does. What happens after you enter
your email address and password on this site is actually you don't have to enter your email.
These hackers have kindly figured it out and put it in there for you.
Okay.
So it's already there.
Right.
Isn't that nice?
These guys are really looking out for your best.
Once you've entered your password twice, there's some JavaScript that changes the window.location property by using the replace method.
Okay.
So it actually takes the end of your email address and puts that in the www, you know,
puts a www on the front of it and calls window.location.replace, which will replace the
current URL or current location in your history.
So if you hit the back button, you can't go back to
the phishing page. Oh, interesting. Which is really cool. And it's out of your browser history.
So that artifact may not exist. It'll still be in any place else it was logged,
but it won't be in the user's browser history. So fairly sophisticated phishing campaign.
Really sophisticated phishing. I would say this is a very sophisticated phishing campaign. Yeah.
Inky has some best practices. They say, carefully inspect the display name and the sender's email
address. I don't know how reliable that is. The sender's email address is being spoofed here.
Right. Recipients should confirm with their employer if they're requested to sign into a new system.
That's a good idea.
Yeah.
But that should be your policy.
Right, right.
Hover over links to see where it goes.
That may or may not work here because if you see the end of the link, you're going to see that it says yourcompany.com.
Yeah.
And you're going to go, okay, this looks legit.
It's a lot harder to do on mobile as well.
And a lot harder to do on mobile.
That's a big problem on mobile.
Yeah.
My recommendation is just put in some kind of multi-factor authentication for everybody.
So that if this does happen and the user enters your username and password,
preferably a hardware-based multi-factor authentication.
Right.
Like something from the Fido Alliance that they still can't get access
because they don't have access to the hardware token.
Right.
There's been research from Google that shows that they distributed their Titan, the Google Titan, which is a FIDO Alliance product or FIDO-compliant product.
Yeah.
And they just stopped these phishing attacks from leading to account compromise.
Right.
And with thousands of users, they just stopped it.
Right.
Yeah.
Amazingly effective.
Right.
Yeah.
All right.
Well, again, this is from the folks over at Inky.
It's a blog post titled, Fresh Phish: ChatGPT Impersonation Fuels a Clever Phishing Scam.
Joe Carrigan, thanks for explaining it to us.
It's my pleasure, Dave.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights
that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like The Cyber Wire are part of the daily intelligence
routine of many of the most influential leaders and operators in the public and private sector,
as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people.
We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Trey Hester with original music by Elliott Peltzman. The show was written by Rachel Gelfand. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
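The authorization semantics Neha Rungta describes in the interview above (policies kept apart from business logic, a forbid statement always trumping a permit, and conditions on request context such as device posture) can be illustrated with a toy evaluator. The block below is an added example and is not Cedar, not Amazon Verified Permissions, and not AWS code; the policy shape, the `Policy`/`authorize`/`entitlements` names and the banking sample policies are assumptions constructed for the illustration.

```python
"""Toy deny-overrides authorizer.

Added illustration of the semantics described in the interview: policies are
data kept apart from business logic, a matching forbid always beats a permit,
no matching permit means deny, and policies can carry conditions on request
context (such as device posture). This is not Cedar and not Amazon Verified
Permissions; names and policy shape are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Callable, Optional

Context = dict


@dataclass(frozen=True)
class Policy:
    id: str
    effect: str                       # "permit" or "forbid"
    principal: Optional[str] = None   # None matches any principal
    action: Optional[str] = None      # None matches any action
    resource: Optional[str] = None    # None matches any resource
    when: Callable[[Context], bool] = lambda ctx: True  # condition on request context

    def matches(self, principal: str, action: str, resource: str, ctx: Context) -> bool:
        return (self.principal in (None, principal)
                and self.action in (None, action)
                and self.resource in (None, resource)
                and bool(self.when(ctx)))


@dataclass
class Decision:
    allowed: bool
    reasons: list  # ids of the policies that determined the outcome


def authorize(policies, principal: str, action: str, resource: str,
              ctx: Optional[Context] = None) -> Decision:
    """Forbid overrides permit; no matching permit is a deny (default deny)."""
    ctx = ctx or {}
    matched = [p for p in policies if p.matches(principal, action, resource, ctx)]
    forbids = [p.id for p in matched if p.effect == "forbid"]
    if forbids:
        return Decision(False, forbids)
    permits = [p.id for p in matched if p.effect == "permit"]
    return Decision(bool(permits), permits)


def entitlements(policies, principals, actions, resource, ctx=None):
    """Audit view: which (principal, action) pairs are allowed on a resource."""
    return {(p, a) for p in principals for a in actions
            if authorize(policies, p, a, resource, ctx).allowed}


# Constructed sample policies for the banking scenario from the interview:
# a CFO lets alice view the operations account, lets her transfer from it only
# on a healthy device, and nobody gets anything from a compromised device.
POLICIES = [
    Policy("cfo-alice-view", "permit", principal="alice", action="view", resource="acct:ops"),
    Policy("cfo-alice-transfer", "permit", principal="alice", action="transfer",
           resource="acct:ops", when=lambda ctx: ctx.get("device_posture") == "healthy"),
    Policy("block-compromised-devices", "forbid",
           when=lambda ctx: ctx.get("device_posture") == "compromised"),
]

if __name__ == "__main__":
    for ctx in ({"device_posture": "healthy"}, {"device_posture": "compromised"}, {}):
        allowed = entitlements(POLICIES, ["alice", "bob"], ["view", "transfer"], "acct:ops", ctx)
        print(ctx, sorted(allowed))
```

The `reasons` list is what makes a decision explainable for the governance use case in the interview: a security administrator can see which policy produced a deny, and `entitlements` answers "who can do what" on a resource without reading any application code.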
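The two URL details Joe Carrigan describes in the segment above (text before an "@" in the authority being treated as userinfo rather than the host, and the victim's email address carried in the query string so the link appears to end in their own domain) can be checked mechanically with Python's standard URL parser. This block is an added example and is not INKY's code or analysis; the sample URLs, the `.example` hosts, the `QmCONSTRUCTEDCID` placeholder and the `assess` helper are constructed for the illustration.

```python
"""Where does a link really go, and whose address is baked into it?

Added illustration of the two URL details from the segment: anything before
'@' in the authority is userinfo and not the host the browser connects to,
while an '@' in the path, query or fragment is ordinary data, which lets a
phishing kit embed the victim's email address so the link appears to end in
their own domain. Not INKY's code; the sample URLs are constructed.
"""
import re
from urllib.parse import unquote, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def same_site(host: str, domain: str) -> bool:
    """True if host is domain or a subdomain of it (label match, not a bare endswith)."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def assess(url: str) -> dict:
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()        # what the browser actually resolves
    userinfo = parts.netloc.rpartition("@")[0]   # text before '@' in the authority
    # Email addresses may sit in userinfo, path, query or fragment, often percent-encoded.
    blob = " ".join(unquote(s) for s in (userinfo, parts.path, parts.query, parts.fragment))
    emails = EMAIL_RE.findall(blob)
    foreign = [e for e in emails if not same_site(host, e.split("@", 1)[1])]
    return {
        "host": host,
        "userinfo": userinfo,
        "emails": emails,
        # A real login page does not hide its host behind userinfo, and a link
        # whose host is not the domain of the embedded address is a tell.
        "suspicious": bool(userinfo) or bool(foreign),
    }


# Constructed samples; no real phishing infrastructure is referenced.
SAMPLES = {
    "ipfs_kit": "https://gateway.ipfs.example/ipfs/QmCONSTRUCTEDCID/index.html?u=jane%40inky.com",
    "userinfo_trick": "https://inky.com@198.51.100.7/login",
    "legit_reset": "https://login.inky.com/reset?email=jane@inky.com",
}

if __name__ == "__main__":
    for name, url in SAMPLES.items():
        print(name, assess(url))
```

The first sample models the kit described in the segment: the email address in the query string makes the link end in the victim's own domain, but the host is the IPFS gateway. The second shows why "look at what comes before the @" is unreliable advice: the parser, like the browser, discards `inky.com` as userinfo and connects to the IP address. A mail gateway or link-rewriting proxy can apply exactly this check before a user ever hovers.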