CyberWire Daily - Criminal-on-criminal action in the dark web. The cyber phases of the hybrid war heat up. ICS vulnerabilities. Codespaces and malware servers. Blank-image attacks. Social engineering.

Episode Date: January 19, 2023

A hostile takeover of the Solaris contraband market. Ukraine warns that Russian cyberattacks continue. An overview of 2H 2022 ICS vulnerabilities. Codespaces accounts can act as malware servers. Blank-image attacks. Campaigns leveraging HR policy themes. Dinah Davis from Arctic Wolf has tips for pros for security at home. Our guest, Gerry Gebel from Strata Identity, describes a new open source standard that aims to unify cloud identity platforms. And travel-themed phishing increases. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/12

Selected reading.

Friday the 13th on the Dark Web: $150 Million Russian Drug Market Solaris Hacked by Rival Market Kraken (Elliptic Connect)
Russia-linked drug marketplace Solaris hacked by its rival (The Record from Recorded Future News)
Cyber-attacks have tripled in past year, says Ukraine's cybersecurity agency (the Guardian)
Ukraine: Russians Aim to Destroy Information Infrastructure (Gov Info Security)
Ukraine says Russia is coordinating missile strikes, cyberattacks and information operations (The Record by Recorded Future)
ICS Vulnerabilities and CVEs: Second Half of 2022 (SynSaber)
Abusing a GitHub Codespaces Feature For Malware Delivery (Trend Micro)
The Blank Image Attack (Avanan)
Phishing Attacks Pose as Updated 2023 HR Policy Announcements (Abnormal Security)
Spammers phish eager vacationers with travel-themed lures, Bitdefender Antispam Lab warns (Bitdefender)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. A hostile takeover of the Solaris contraband market. Ukraine warns that Russian cyber attacks continue. An overview of the second half of 2022 ICS vulnerabilities. Codespaces accounts can act as malware servers.
Starting point is 00:02:18 Blank image attacks. Campaigns leveraging HR policy themes. Dinah Davis from Arctic Wolf has tips for pros for security at home. Our guest is Gerry Gebel from Strata Identity to describe a new open source standard that aims to unify cloud identity platforms, and travel-themed phishing increases. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary
Starting point is 00:02:53 for Thursday, January 19th, 2023. Happy Thursday to you all. It is great to have you here with us today. Researchers at Elliptic report that, as they put it, Friday the 13th was unlucky for the bad guys over at Solaris. Solaris is one of the biggest dark web drug markets, a principal successor to the old Hydra market, which was taken down in April of 2022. Last week, the rival dark web market Kraken, which has no connection with the legitimate cryptocurrency exchange of that name, compromised and took control of Solaris. Elliptic explains, Kraken attributed its successful takeover to poor operational security by Solaris admins, allowing the hack to take place over three days without notice. Logs apparently confirming Kraken's full control
Starting point is 00:03:58 of Solaris were also shared. There's been bad criminal blood between Solaris and Kraken for some time, and there are signs that some of Solaris' criminal customers have also been dissatisfied with service they've received from the market. Both Solaris and Kraken are based in Russia. There's therefore a wartime angle to the story, and it suggests that criminal rivalries among Russian gangs have endured through their recruitment as cyber auxiliaries of the Russian security and intelligence services. Solaris is associated with the Killnet Patriot hacktivist group, which has become the most prominent Russian cyber auxiliary. Kraken is reckoned to be pro-Kremlin as well, but that hasn't inhibited it from taking a whack at its rival.
Starting point is 00:04:47 The ineffectuality of Russia's cyber operations against Ukraine has been surprising. As we've had occasion to note, they've fallen short of the expectations set during half a decade of pre-war cyber attacks against Ukrainian infrastructure. But Ukraine wants to warn the rest of the world that the danger, while for now successfully being contained, isn't over. The Guardian reports that Victor Zhora of Ukraine's State Service of Special Communication and Information Protection is visiting Britain's GCHQ this week and has said that Russian cyber attacks have tripled over the past year and continue at a high rate. Interestingly, he said that in some cases, cyber attacks supportive to kinetic effects have been seen. That is, Ukraine has seen signs that Russia is attempting to integrate cyber operations and information operations with missile strikes and action on the ground. Mr. Zhora's remarks are consistent with a report his agency issued earlier this week
Starting point is 00:05:49 titled Cyberattacks, Artillery, Propaganda, General Overview of the Dimensions of Russian Aggression. The report stresses signs that Russian attempts at coordinated operations have increased, that Russian targeting has been not just indiscriminate, but directed specifically and directly against civilians as part of an intentional campaign of terror. The document also makes the case that Russian cyber operations can amount to war crimes and that they probably have already done so. The cyber attacks have generally been parried by Ukrainian defenses, but they remain an enduring threat.
Starting point is 00:06:27 The report ends with a call for more international cooperation against cyberattacks, whether by Russia or other authoritarian regimes, and notes the value of considering those states' military doctrine in forecasting their probable courses of action in cyberspace. It calls for international recognition of the ways in which cyber operations can constitute either crimes against peace or war crimes, and it urges an expansion and tightening of economic sanctions against Russia. Whether nation-state attacks against industrial control systems rise or not, it's worth taking stock of the known vulnerabilities and mitigating them insofar as that's feasible within a reasonable risk management framework. SynSaber has published a report looking at ICS vulnerabilities cataloged by the U.S. Cybersecurity and Infrastructure Security Agency in the second half of 2022.
Starting point is 00:07:23 The researchers found that 35% of vulnerabilities disclosed in the second half of 2022 don't currently have a patch available, and 33% will require a firmware update. Additionally, 43% of vulnerabilities were discovered by security researchers rather than the equipment manufacturers. The researchers also note that 22% of the vulnerabilities require local or physical access to the system in order to exploit. Researchers at Trend Micro have found that GitHub Codespaces, a cloud-based IDE that was released in November 2022, can be abused to create a trusted malware file server. The issue lies in Codespaces' ability to share forwarded ports publicly, which allows developers to preview
Starting point is 00:08:12 their projects as an end user. The researchers write, we investigated the services offered by this cloud IDE and found that one of its features for code development and collaboration, sharing forwarded ports publicly, can be abused by malicious actors to create a malware file server using a legitimate GitHub account. In the process, these abused environments will not be flagged as malicious or suspicious even as it serves malicious content, such as scripts, malware, and ransomware, among others, and organizations may consider these events as benign or false positives. The researchers explain that attackers can easily abuse GitHub Codespaces
Starting point is 00:08:55 in serving malicious content at a rapid rate by exposing ports publicly on their Codespaces environments. Trend Micro also notes that they haven't seen this technique used in the wild yet, but as a proof of concept, it's worth preparing for. Abnormal Security released research this morning on phishing attacks purporting to be from internal HR departments with policy updates in the new year. One of the attacks, a payload-based credential phishing attack, claims to be from the victim's company human resources department,
Starting point is 00:09:27 informing them of updates to benefits packages. The email asks for the review of an updated handbook, which would lead to a credential harvesting login page imitating Microsoft. And finally, as people return to travel as the pandemic ebbs, criminals are returning as well. Bitdefender has published a report looking at the prevalence of travel-themed phishing scams. The researchers found that 60% of all travel-themed emails sent between December 20th and January 10th were phishing attacks. Most of the attacks observed by Bitdefender targeted English-speaking users.
Starting point is 00:10:04 They say, particularly, spammers push their travel-themed lures on English-speaking recipients, with 53% of correspondents targeting U.S. inboxes. The U.S. is followed by Ireland, India, the U.K., and South Africa. Germany trails at only 4%. Many of the scams impersonate airlines, including Southwest Airlines, Ryanair, Lufthansa, Air France, and American Airlines. These scams are designed to gain access to travel rewards and loyalty accounts. Bitdefender says, airline loyalty programs are highly desired digital assets for cyber criminals as they contain a wide variety
Starting point is 00:10:45 of personally identifiable information on travelers and airline points that can be monetized on the dark web. So travelers, you know what they say, keep your friends close, your enemies closer, and your loyalty programs closest of all. Pretty sure that's how they say it. Coming up after the break, Dinah Davis from Arctic Wolf has tips for pros for security at home.
Starting point is 00:11:19 Our guest is Gerry Gebel from Strata Identity on a new open source standard that aims to unify cloud identity platforms. Stick around. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies, like Atlassian and Quora, have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize
Starting point is 00:12:14 key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached.
Starting point is 00:13:16 Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. Multi-cloud adoption continues to grow, with some reports indicating that the majority of organizations are making use of more than one public cloud service. This opens the potential for security and risk management challenges, since each of the cloud providers uses their own proprietary identity system and policy language. Gerry Gebel is head of standards at Strata Identity, where they're leading an open-source industry standards initiative called IDQL, Identity Query Language, and HEXA Orchestration. So some of our founders and early management team, they were part of SAML, the Security Assertion Markup Language, from back in the early 2000s that was one of the first standards
Starting point is 00:14:19 for federated identity so you could have single sign-on across different application domains. There's a lot of history and DNA within the company here to really not only embrace standards but really support them in a significant way. As the founders began Strata as an identity orchestration company that deals with identity across domains, primarily authentication, but other aspects as well, in a multi-cloud environment. They realized that if you take it one step farther and look at access policies across a multi-cloud kind of environment,
Starting point is 00:15:01 they realized there's no standard there. Every platform, it seems like every implementation of an application has its own way of doing access policy. So that was the genesis or the motivation for coming up with IDQL or identity query language is an attempt to standardize or normalize that access policy across a multi-cloud environment where IDQL can be the single point of definition of access policy. And then we use the Hexa open source software to translate that IDQL format into the format of the target or bespoke system.
Starting point is 00:15:43 And you have quite a number of folks on board here who have joined this effort. That's right. We have a mix of vendors and end users that are part of the working group at the moment and a number of individual contributors as well. Can you give us some insights as to some of the technical challenges
Starting point is 00:16:06 that go on behind the scenes here? I'm just thinking with the variety of cloud providers out there, they all have their own proprietary standards here. It must be a bit of a puzzle to get them all to work. That is spot on. It's definitely a big challenge. If it was easy, anyone could do it, right? And it's also why it's a big commitment to really bootstrap this effort. We started in the middle of last year and started looking at what's the right architecture for such a system.
Starting point is 00:16:47 And then we took the three main cloud platforms and started with them. And in each case, it's a lot of research, you know, looking into the APIs that are available for managing policy. You know, it's not about managing users, but managing roles and groups and policy formats. A lot of research into that documentation and those APIs. And then on the software development side, again, trying to experiment,
Starting point is 00:17:18 do a lot of trial and error to get things working the way we want them to. So that gives you a sense of some of the challenges we've come across. And also that they are so different. Each platform, if you look again just at the main three cloud platform providers, each of their APIs is so different, and they have a similar but different mix of technical capabilities up and down the stack, whether you're talking about the IdP, you know, the identity provider functionality, or how
Starting point is 00:17:51 you authenticate to various kinds of proxies that can sit in front of applications. And yes, it's a complex mix, but we're trying to, you know, take chunks that we can solve and work on them and just make continuous progress. That's been our approach so far. Yeah, I would imagine along the way, making sure that you're not introducing any security issues on your own. That's quite true. And this is where I think the CNCF model is very helpful. We're a sandbox project at CNCF, the Cloud Native Computing Foundation, and they really emphasize the security aspect. So we're doing code scans, we're doing vulnerability scans, as well as staying up
Starting point is 00:18:44 to date on any vulnerabilities that might affect the different components that we are working with. Because you're absolutely right, we're dealing with the access policies to sensitive or valuable resources, so we don't want to introduce a new vector of attack in our work. You mentioned that despite Strata having a leadership role in this effort, this isn't a product, this is an open industry standard. Why is Strata choosing to invest in this, to spend time in this project for the greater community? We made the decision pretty early on when we decided to tackle this challenge that it's something that was bigger than just a commercial product that Strata could introduce. So we felt it was more valuable to contribute this to the industry rather than just to make another commercial product to address it. So that was the basic motivation.
Starting point is 00:19:46 Not a whole lot more to say to that, which we just thought it was bigger than Strata itself. That's Gerry Gebel from Strata Identity. And I'm pleased to be joined once again by Dinah Davis. She is the VP of R&D Operations at Arctic Wolf. Dinah, it's always great to welcome you back to the show. I want to touch base with you. I saw you and your colleagues there at Arctic Wolf had a blog post recently about improving your security posture at your home. I think this is something worth visiting here.
Starting point is 00:20:29 What do you got to share with us today? Yeah, I mean, we often think about hackers trying to come at a company like through company resources, right? But they're really going to try from every angle possible. And one popular way that they've been making progress is through people's personal accounts, right? So even if we look at the May Cisco breach, the hacker there gained access to the employee's personal Google email account. This was really interesting. It wasn't just that they reset passwords and stuff, but once they did that, they were able to get into their Chrome browser password store and extract all the passwords from there. One of which was really bad, which was the VPN access to their work. Which like, people,
Starting point is 00:21:23 your VPN access, any work password should never be in a personal password store anyway, full stop. But again, this is why maybe using a Chrome browser or the Safari key password store is not a great idea. Having things separated makes it harder. Well, let's go through some of the things that really caught your eye here. What are some of the ones that rise to the top of your attention? So you want to use VPNs as much as possible, right? So if you're at home in a coffee shop or anywhere that is not the office, you could be subject to a man-in-the-middle attack, which is when somebody is able to pretend they're actually your home Wi-Fi
Starting point is 00:22:07 or the coffee shop Wi-Fi and give you access to the internet through that, but see everything you're typing. So if that happens, if you're using a VPN, what a VPN is going to do is encrypt all the data going through. And so even if you are in the middle of a man-in-the-middle attack, wow, that's some inception right there. You're going to be fine, right? So that's, those
Starting point is 00:22:32 are really important. Also using MFA, multi-factor authentication, right? So even if they got his whole password store, if he'd had MFA or a second factor authentication, it still would have been hard for them to get in, right? Right, right. I remember seeing a study from Google, it was probably a year ago now, where they said that people who put MFA like on their Gmail accounts don't get hacked.
Starting point is 00:23:02 It wasn't like 90%. It was like 100%. If you have a hardware key, you're probably good to go. Yeah, because like, okay, I liken it back to when I grew up. I grew up in Winnipeg, Manitoba, Canada. And it happens to be the car theft capital of Canada, or it was in the 90s. Let's put it that way. I have no idea if it still is. Okay. And so what we used to do is like, we had this thing called the club
Starting point is 00:23:32 and it was like this metal bar that you put across your steering wheel and you locked it and it made it so you couldn't turn the wheel. So even if they hotwired your car, they couldn't, they couldn't turn that wheel. Now, could they still get that off with a massive saw or something like that? Sure, they could. But if they're going down the street looking into the driver's seats of all the cars, the ones with the clubs aren't going to get hit because it's just too much work. Right? And I think that's the same principle that's happening when you put MFA on your accounts.
Starting point is 00:24:03 Right? You've made it harder unless they really, really want you for a very specific reason, they're not going to bother, right? Here's a good one that I failed at recently. Secure your physical devices. So that means do not leave things on airplanes. I feel like there's a story here. Yeah, I might have just done that recently. It was very annoying. Oh, no.
Starting point is 00:24:30 If you leave it on an airplane while it's in airplane mode, it's very hard to get to. But here's a good thing to do. emergency contact on the front of the phone because it will turn the airplane mode off when they call you for 24 hours and you can get the device wipe and find your phone, Google or iPhone in there. So it does happen. I wasn't worried when I lost my phone because I have all the passwords set. I have MFA on my Google accounts. I was able to reach my phone and security wipe it. So it's not an issue, but it's still not something I would have liked to do in the future.
Starting point is 00:25:17 I don't think I'll ever do that again. But when you're running for a connection, sometimes it's easy to misplace some things. Yeah, leave that in that pocket in the front of the seat next to you. I mean, it brings up a good point that I've heard people say when you're traveling, which is not to put all of your electronic eggs in one basket. In other words, you have your mobile device and it gets lost. You need to have another device to be able to go and try to change whatever settings
Starting point is 00:25:47 you need to on that original device. A hundred percent. So, you know, I was able to log into my computer that I also had with me and, you know, get the device wipe. And then, you know, until I got my phone back, I was able to use my iPad for the key store. I was so happy that I had an authenticator that backed up into the cloud. So you know, like Google Authenticator, I use a different one. I use the one that LastPass uses. And so you can back it up into your LastPass account. I'm very careful not to use the same password keeper app. So I use 1Password for my passwords and LastPass for my authenticator. So they're
Starting point is 00:26:33 in two separate systems entirely. But I was able to pull that all up on my iPad and relive. I had very little disruption to my life other than not being able to receive text messages while the phone was lost. And, you know, kept going and I wasn't really worried. All right. Well, good tips for sure. Dinah Davis, thanks for joining us. Thank you. ThreatLocker, the cybersecurity solution trusted by businesses worldwide.
Starting point is 00:27:29 ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Starting point is 00:28:17 This episode was produced by Liz Ervin and senior producer Jennifer Iben. Our mixer is Trey Hester, with original music by Elliot Peltzman. The show was written by John Petrick. Our executive editor is Peter Kilby, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Starting point is 00:29:29 Learn more at ai.domo.com. That's ai.domo.com.
