CyberWire Daily - Cisco fixes vulnerabilities in ICS appliances. NIST's anti-phishing guidelines. OneNote exploitation. HeadCrab malware. Recent actions by Russian threat actors. Trends in state-directed cyber ops.
Episode Date: February 2, 2023

Cisco patches a command injection vulnerability. NIST issues antiphishing guidance. HeadCrab malware's worldwide distribution campaign. The Gamaredon APT is more interested in collection than destruction. Kathleen Smith of ClearedJobs.Net looks at hiring trends in the cleared community. Bennett from Signifyd describes the fraud ring that's launched a war on commerce against U.S. merchants. And trends in cyberattacks by state-sponsored actors. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/22

Selected reading.
Command-Injection Bug in Cisco Industrial Gear Opens Devices to Complete Takeover (Dark Reading)
Phishing Resistance – Protecting the Keys to Your Kingdom (NIST)
OneNote Documents Increasingly Used to Deliver Malware | Proofpoint UK (Proofpoint)
HeadCrab: A Novel State-of-the-Art Redis Malware in a Global Campaign (Aquasec)
Another UAC-0010 Story (The State Cyber Protection Centre of the State Service of Special Communication and Information Protection of Ukraine)
Russia-backed hacker group Gamaredon attacking Ukraine with info-stealing malware (The Record from Recorded Future News)
City of London traders hit by Russia-linked cyber attack (The Telegraph)
ChristianaCare recovers from cyberattack, restores website service (6abc Philadelphia)
Nation-State Threats and the Rise of Cyber Mercenaries: Exploring the Microsoft Digital Defense Report (CSO Online)
Microsoft Digital Defense Report 2022 (Microsoft Security)
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me. Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Cisco patches a command injection vulnerability. NIST issues anti-phishing guidance. HeadCrab malware's worldwide distribution campaign. The Gamaredon APT is more interested in collection than destruction. Kathleen Smith of ClearedJobs.Net looks at hiring trends in the cleared community. Bennett from Signifyd describes a fraud ring that's launched a war on commerce against U.S. merchants. And trends in cyber attacks by state-sponsored actors.

From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, February 2nd, 2023.
We begin with a note on some patches that have implications for many users, and in particular for operators of industrial control systems. Researchers at Trellix discovered and disclosed two vulnerabilities in Cisco appliances, one of which could be used to gain persistent root access to the affected system. The more serious of the two vulnerabilities is CVE-2023-20076, a remote command injection flaw. The researchers first discovered this flaw in a Cisco ISR4431 router, then found that it also affected a wide range of other Cisco devices. Customers are urged to apply updates as soon as possible. Trellix notes that Cisco was a model partner in this research and disclosure process.
NIST has published a report encouraging the use of phishing-resistant authenticators. According to NIST's draft Special Publication 800-63B-4, a phishing-resistant authenticator offers the ability of the authentication protocol to detect and prevent disclosure of authentication secrets and valid authenticator outputs to an impostor relying party without reliance on the vigilance of the subscriber. NIST notes that these types of authenticators can only prevent attacks in which the threat actor is trying to log into something. Users should still be wary of phishing attacks.

Proofpoint researchers have observed an increase in the use of Microsoft OneNote documents as a delivery mechanism for malware in email by threat actors. Six campaigns were observed maliciously utilizing OneNote documents in December of last year, with a significant increase to 50 involved campaigns seen last month. Though the December campaign saw a large portion of the victims in the educational sector, Proofpoint emphasizes that the attacks are distributed across a range of sectors, with significant variety in messaging. TA577, an initial access broker first observed by Proofpoint in mid-2020 and believed to have connections with a 2021 REvil incident, was observed using this method to distribute Qbot malware in late January after the gang returned from a month-long hiatus.
Security firm Aqua Nautilus reports that a threat actor they're calling HeadCrab has been infesting servers around the world since this past September. The researchers describe HeadCrab as a new, elusive, and severe threat. The HeadCrab cybercriminals are said to use custom malware that has often passed undetected by both agentless and traditional antivirus approaches. The HeadCrab botnet primarily targets Redis servers, which Aqua Nautilus calls open-source, in-memory data structure stores that can be used as a database, cache, or message broker, and that lack authentication methods. They're intended for use on closed, secured networks rather than the world wide web. HeadCrab is thought to have infested at least 1,200 servers.

Russian deployment of wiper malware in the latter part of January has drawn a great deal of attention, and it was certainly a significant development. But a report by Ukraine's State Cyber Protection Center of the State Service of Special Communications and Information Protection notes that Gamaredon's recent activity has had a more traditional objective, stating, "analyzing the actions performed on the infected host after gaining the opportunity to execute PowerShell commands, we can conclude that the adversaries are focused more on espionage and info-stealing rather than system-destroying activity." Gamaredon, also known as Primitive Bear, or in Ukraine's taxonomy UAC-0010, is generally associated with Russia's FSB.
Killnet's recent wave of distributed denial-of-service attacks against U.S. hospitals seems to have ebbed, as may be seen in the case of ChristianaCare, whose website has returned to normal. Other Russian criminal organizations, notably LockBit, continue to infest targets in the West. The Telegraph reports that LockBit has deployed ransomware against the ION Group, a provider of software to financial traders. The Telegraph says the incident, which began Tuesday, has thrown the City into chaos, and ION placed the number of clients affected at 42. According to Bloomberg, the U.S. Treasury Department is a bit more reserved, saying yesterday that the attack poses no systemic risk to the financial sector.

The two gangs present an interesting contrast. Killnet has, from its inception, positioned itself as a patriotic hacktivist group working in the Russian interest, and it's behaved accordingly. LockBit, on the other hand, while Russophone and based in Russia, declared its neutrality at the outset of the war against Ukraine. They are, the gang says, apolitical criminals. Nonetheless, LockBit attacks targets outside of Russia, and for the most part in countries Russia regards as hostile. It also seems to have inherited some of the code and personnel Conti left behind when it retired its brand, and Conti made no mystery about its own sympathies. It was solidly in the Russian camp. It's probably best to make a distinction. Killnet is an auxiliary of the Russian organs. LockBit is a tolerated

And finally, a CSO Online article authored by Microsoft Security yesterday takes a deep dive into the prevalent nation-state threat trends
identified in this year's edition of their Digital Defense Report. In full disclosure, we note that Microsoft is a CyberWire partner. Geopolitically motivated actors, essentially threat actors who are run directly by state services or on behalf of state interests, have a history of exploiting the software supply chain, but it now appears that their focus has shifted to IT services in the supply chain. The widespread use of cloud solutions and managed service providers makes them an attractive target for malicious actors. While these are as often as not themselves the end targets, their connections to customers in sectors like government policy and critical infrastructure can be compelling. According to the research, 53% of nation-state attacks in the past year preyed on the IT sector, NGOs, think tanks, and the education sector. The researchers cite the Russian-affiliated group Nobelium, who fixated on cloud providers and MSPs as a means to reach government customers in the West, as a prime instance that fits the bill. Lebanon-affiliated Polonium, which received support from the Islamic Republic of Iran as it worked against IT supply chains connected to Israeli defense and legal organizations, is another example.

Nation-state actors increasingly exploit zero days. Microsoft notes that, on average, 14 days pass between the public disclosure of a vulnerability and the appearance of an exploit in the wild. These exploits are also pervasive due to the potential for reuse by multiple actors within the limited time frame for exploitation. And of course, there are always plenty of laggards who are slow to patch. Also, cyber mercenaries are growing in importance. They're a particular danger to dissidents, human rights defenders, journalists, civil society advocates, and other private citizens by providing advanced surveillance-as-a-service capabilities, Microsoft says. Governments, their auxiliaries, and privateers, they can all play in the criminal-to-criminal markets just the way the conventional criminal gangs do.
Coming up after the break, Kathleen Smith from ClearedJobs.Net looks at hiring trends in the cleared community. Bennett from Signifyd describes the fraud ring that's launched a war on commerce against U.S. merchants. Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this,
more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are
compromised at home, your company is at risk. In fact, over one-third of new members discover
they've already been breached. Protect your executives and their families 24-7, 365,
with Black Cloak. Learn more at blackcloak.io.

Researchers at security firm Signifyd have been tracking online fraud targeting retailers, which peaked over the recent holiday season. It's a big operation. Signifyd estimates that the group made off with around $660 million last November alone. For details on the operation, I spoke with the chief customer officer at Signifyd, a gent who simply goes by the name Bennett.

A couple things that really made us drawn to this
were that it was targeting kind of our e-commerce merchants, the, you know, kind of our bread and butter where we started and using very focused, deliberate and broad-based attacks
that are at the, call it very boring, $200 average order value. Think AirPods, right? From that
perspective, something that people want to buy for the holidays, you want to receive as a gift.
You as a consumer are shopping for a deal online.
You're like, man, inflation's really high.
I want to try to get a good deal.
I find a site that has good reviews.
They have a 25% off on the latest model.
Apple's not offering you any discounts directly on that model.
How can this be?
But the reviews are so good.
All right, I as a consumer, I'm going to buy that.
The fraudsters take that order.
They go use stolen financial information.
They buy that from a legitimate retailer
with that stolen financial information
from an irrelevant third-party member
who's going to file the chargeback eventually.
And then the original consumer who wants that 25% off receives actual AirPods, and the fraudsters pocket the profit
from that. So it's actually very sophisticated in a triangulation perspective, and there's some
nuances and it gets even more complex, but that's ultimately what we were able to deduce was
happening here. And who ultimately loses out here? I mean, is it the merchants that the fraudsters are buying the product from that eventually get that chargeback?

That's exactly correct. So in a card-not-present environment, the onus for protecting against fraudulent financial instruments usually falls on the retailer, depending on the payment instrument type. And that's definitely the case with credit card payments.

Now, your report points out the success of this group. And as you said, they're inching up near a billion dollars of volume here. That's a lot.
What do you suppose is the reason for their success here? Yeah. So to put this into context, we estimate
that the attempts are over three and a half billion at this point. So if you're thinking
about a success rate, call it 20% success rate in terms of getting through across all of e-commerce.
Our clients, thankfully, we were able to blunt some of that.
But the reason that they've been successful is they're targeting these items that retailers
want to sell. And they're targeting items, ranges, and very clearly, obviously, gifting-type
activities ahead of the holidays on order values that normally do not receive scrutiny.
So if you think about a retailer that maybe has an average order value of 500 bucks, right,
for example, so maybe a consumer electronics provider, someone who is buying a cart of $100,
$150, $200, that's below your median. It's below your average. It's below your hottest items.
If you have one of the more antiquated systems in place where you have human beings taking a
look at orders, those human experts are going to be focusing on your big ticket items because
that's historically where fraud has been more prevalent in the United States. So I think that's a big reason of success,
is that the fraudsters reverse-engineered
the kind of basic elements of defense
that have been deployed in e-commerce.
And then there's a whole level of sophistication
once they found any measure of pushback
or the ability to deflect the attacks.
But I think at its root, they seem to
really understand how the retailers have been protecting themselves and saying, okay, well,
if you built a fence around this or you've put a lock key on this piece, well, I'll just go around
to the other side door. So what are the red flags for the retailers themselves? Are there any things that they can have their radar up for?
Yes, absolutely. So the key things to be looking at are high purchase velocity. And so that means,
for example, let's say, for example, we're talking about a top-of-the-line gadget that
people want to get. It's very normal for there to be higher purchase velocity, more orders
related to that ahead of the holidays. So again, the fraudsters kind of know that. And the key to
looking at and determining if you have an issue is, are there many types of people with the same
names, with the same emails, with the same IPs? You need to take a look at kind of a holistic graph of the types of orders that are coming in and saying, gosh, we didn't used to get so many orders going to
Portland, but now the Portland orders are up 10,000%. Portland is a known reshipper hub,
for example. So there's all kinds of things like that where you can slice and dice the data,
regardless of the type of systems you have, and say, okay, all right, this piece of my business has really dramatically changed. Let's
take a look at that. As soon as the fraudsters developed any sense that the retailers were
pushing back and blocking their orders, they would kind of up-level the agents on their side that
were targeting that site. And they'd start little things like address manipulation,
or they'd change things like purposely trying to confuse
and bypass the security systems that would come in place.
So I think one other, stepping back a little bit,
the United States has not really faced a kind of brute force,
broad-based attack like this, where there are human beings that are trained on what to do
in, let's call it a call center,
that have been organized and trained on,
hey, this particular site will allow you to address,
manipulate the delivery address
in a way that will confuse its fraud systems
and allow the order to go through.
Here are the 10 ways that you should try that.
Go through this playbook.
And just as a customer service agent might legitimately have a playbook and a flowchart
to go through, that has been built by people who know what they're doing and then given
to an army of human beings and said, okay, when you encounter this resistance, go to
flowchart 2B and execute this playbook.
Okay, report back on whether or not that's successful or not.
Okay, rinse and repeat.
So I think that the key is, as soon as the retailers identify this larger amount of orders
with any abnormal elements related to them, followed by chargebacks, you need to raise the gates up and really start paying more attention to those orders. The fraudsters seem very focused, because they are
ultimately selling it to end consumers, on particular products that are selling very well.
So we've seen a lot of people who may not have the most sophisticated defenses
be somewhat helpful in deflecting this attack
by targeting their highest value items.
That's the exact dangerous thing to do
when you're trying to make sales.
So there's obviously a balancing act there,
but that's kind of the success that we've seen.
Bennett is Chief Customer Officer at Signifyd.
You can hear an extended
version of this interview on this week's episode of the Hacking Humans podcast.
And joining me once again is Kathleen Smith. She is the Chief Outreach Officer at ClearedJobs.Net.
Kathleen, it's always great to welcome you back. I want to touch today on some of the trends that you are seeing in your specific area. Of course, that's working with folks who have clearances and
are looking for employment there. What are some of the things that you're tracking as we make our way into 2023 here? Well, obviously the biggest topic is remote
work. We have seen that the pandemic really did change work across the board, commercial and in
the government cleared space. I was happy to see that we had set up a foundation almost 10 years ago when the CIO of the GSA, Casey Coleman, now over at Salesforce, had really talked about setting up workplaces within the government agencies to be more set up for telework, more set up for remote work, and then technology caught up and we were able to have
more secured laptops, secured phones, and personal devices. And then all of a sudden the pandemic
happened and we needed those tools to be able to complete supporting the mission.
Conversations happened very quickly in those first few weeks of the pandemic.
What work needed to be done in a SCIF?
What work can be done remotely?
How did each agency respond?
How did each government contractor respond to their customer needs?
Who had the relationships to be able to have those really very quick conversations?
And then this sort of panned out. We saw
people not wanting to return to work. We saw people who decided to leave the security-cleared
community and take other work. But it also started the employers thinking about how they could
maintain their talent and recruit better talent by offering them these new options.
So when we've done our interviews on security cleared jobs, who's hiring and how, we always talk to the recruiters on, do you have remote work?
Do you have hybrid work?
How did you set that up?
And there are now specific titles as far as the kind of work there is. There is work that has to be
done on-site. There is no question. And it is in every single job description. This is an on-site,
in-person job. Then there are jobs that are hybrids that say you can work two or three days
remotely and then two days a week. You have to be on site. Then there's other work that is remote, but you have to be within two hours of your employer's
facility because you have to come in once a month or twice a month for a face-to-face meeting. So
we've seen that a lot as well. And then there is remote work. But I was just talking to somebody who said,
this is amazing. We've seen this in two years go from no remote work, no hybrid work, to we have
flexible options depending on the security clearance level, depending on which project
you're on. So that's obviously the big news that's going to continue shaking up the security
cleared market as far as recruiting is concerned.
I think the other thing that the pandemic brought was understanding that a work-life balance is more than just being able to pick up your kids from soccer.
That it means understanding doing this work to support the mission does have a certain amount of stress to it.
And that government contractor employers really have to look at the stress level and the overall mental health of their employees.
Are they making sure that they're supporting their career options?
Are they making sure that they're supporting their life situations?
As I said, more than just being able to get off at 3 o'clock to be able to go pick up someone at soccer or basketball?
That is a difficult sort of balance that has to be played because once you get into a certain amount of mental health issues, you then do put your security clearance in
jeopardy. So it's really talking more about how do you support your employees? How do you make sure
that they understand that you're there for them? And that really goes into the culture of the
company. And it's been really great to see since the pandemic that a lot of the government contract employers are really looking at that. I have a few more other issues,
but it looks like you might have a question or two. Well, I wanted to follow up on that notion
of who can come in and what needs to actually be done inside of a SCIF. Was there a re-evaluation process there where some of the government
organizations or contractors took a fresh look at this and said, you know, have we just been,
but just by default saying all this stuff needs to happen in a SCIF because everybody comes in
every day, we have the SCIF here, we might as well do it. Was there a fresh look at that,
you know, to say this is our new reality? Definitely. It was definitely a fresh look because when you think about a secured facility, it had
a certain person capacity while we were all talking about having to have social distancing.
So if you had a facility that could accommodate 100 people by certain health standards during
the first few months of the pandemic,
you had to have only 30 people in there. So it was more of a logistic situation than anything else.
And then it was a quick scan down to, okay, what needs to be done face-to-face? What needs to be
done on certain networks? Is there a certain amount of this work that can be done that's
just admin and paperwork that can be done someplace else.
But I think it really, everyone came together.
So that's one of the really great things about working, supporting the mission.
At the end of the day, you all are working toward the same goal, making sure that work gets done to support the mission.
And I think everything else fell from that. I think that, as I said,
with the mental health issues, it was just all of a sudden everyone was trying to do really
important work, trying to do meetings, but also have their kids on their computers and things
like that. So a certain amount of stress was happening. And I think employers-
Right. It was a pandemic itself.
It was definitely a pandemic itself. So I think that those two issues, remote work and mental health, really came out of COVID as, I don't want to say their benefits, maybe we should say their silver linings that we now can look at work very differently within the government contracting space.
All right. Well, Kathleen Smith, thanks for joining us.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
This episode was produced by Liz Ervin and senior producer Jennifer Iben.
Our mixer is Trey Hester,
with original music by Elliot Peltzman.
The show was written by John Petrick.
Our executive editor is Peter Kilby,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.

and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.