CyberWire Daily - Cybercrime and cyberespionage: IceFire, DUCKTAIL, LIGHTSHOW, Remcos, and a tarot card reader. US cyber budgets, strategy, and a DoD cyber workforce approach. Five new ICS advisories.
Episode Date: March 10, 2023

New IceFire version is out. A DUCKTAIL tale. Social engineering by Tehran. DPRK's LIGHTSHOW cyberespionage. The President's Budget and cybersecurity. The US Department of Defense issues its cyber workforce strategy. Remcos surfaces in attacks against Ukrainian government agencies. DDoS at a Ukrainian radio station. Dave Bittner sits down with Beth Robinson of Bishop Fox to share their 2023 Offensive Security Resolutions. Caleb Barlow from Cylete on the security implications of gigapixel images. And CISA releases five ICS advisories. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/47

Selected reading.
IceFire Ransomware Returns | Now Targeting Linux Enterprise Networks (SentinelOne)
DUCKTAIL: Threat Operation Re-emerges with New LNK, PowerShell, and Other Custom Tactics to Avoid Detection (Deep Instinct)
Iran-linked hackers used fake Atlantic Council-affiliated persona to target human rights researchers (CyberScoop)
Iranian APT Targets Female Activists With Mahsa Amini Protest Lures (Dark Reading)
Iran threat group going after female activists, analyst warns (Cybernews)
Stealing the LIGHTSHOW (Part One) — North Korea's UNC2970 (Mandiant)
Stealing the LIGHTSHOW (Part Two) — LIGHTSHIFT and LIGHTSHOW (Mandiant)
Cybersecurity in the US President's Budget for Fiscal Year 2024 (CyberWire)
Biden’s budget proposal underscores cybersecurity priorities (Washington Post)
Biden Budget Proposal: $200M for TMF, CISA With 4.9% Budget Boost (Meritalk)
Cybersecurity Poised for Spending Boost in Biden Budget (Gov Info Security)
Deputy Secretary of Defense Signs 2023-2027 DoD Cyber Workforce Strategy (U.S. Department of Defense)
In new cyber workforce strategy, DoD hopes 'bold' retention initiatives keep talent coming back (Breaking Defense)
Remcos Trojan Returns to Most Wanted Malware List After Ukraine Attacks (Infosecurity Magazine)
February 2023’s Most Wanted Malware: Remcos Trojan Linked to Cyberespionage Operations Against Ukrainian Government (Check Point Software)
Radio Halychyna cyber-attacked following appeal by Russian hacker group (International Press Institute)
CISA Releases Five Industrial Control Systems Advisories (Cybersecurity and Infrastructure Security Agency CISA)
Transcript
You're listening to the CyberWire Network, powered by N2K.
A new IceFire version is out. A DUCKTAIL tale. Social engineering by Tehran. DPRK's LIGHTSHOW cyberespionage. The President's budget and cybersecurity. The U.S. Department of Defense issues its cyber workforce strategy. Remcos surfaces in attacks against Ukrainian government agencies. DDoS at a Ukrainian radio station. Dave Bittner sits down with Beth Robinson of Bishop Fox to share their 2023 Offensive Security Resolutions. Caleb Barlow from Cylete on the security implications of gigapixel images. And CISA releases five ICS advisories.

From the CyberWire studios at DataTribe, I'm Trey Hester, filling in for Dave Bittner with your CyberWire summary for Friday, March 10th, 2023.
A new version of the IceFire ransomware is targeting Linux systems within enterprise networks, according to researchers at SentinelOne. The ransomware was previously limited to Windows systems. The threat actors behind IceFire launched double extortion attacks against large enterprises in the technology, media, and entertainment sectors. The ransomware has been deployed against entities in Turkey, Iran, Pakistan, and the United Arab Emirates, which researchers note are not typically the focus of organized ransomware actors. The Linux version of IceFire is deployed via CVE-2022-47986, a recently disclosed vulnerability in IBM's Aspera Faspex file-sharing software. The Record notes that IBM issued a patch for the flaw on January 18th.

Deep Instinct says the malware operation tracked as DUCKTAIL resurfaced at the beginning of February of 2023 with an updated set of malware. The goal of the operation is to install malware that will steal browser cookies, with a particular focus on session cookies for Facebook business accounts. The researchers note that it's not entirely clear what the threat actor does after they gain access to the Facebook accounts, quote, While it might be possible to get the credit card information that is used for paying for ads in the compromised accounts, this doesn't seem plausible. There are far better, cheaper, and easier ways to gain credit card information, end quote. Deep Instinct found one Facebook page tied to DUCKTAIL that appeared to be imitating a legitimate brand that sells kitchen appliances. Deep Instinct theorizes that this page was used to scam users with fraudulent sales and to distribute malware, though the researchers add, quote, Since we have only identified one such instance, we can't assess exactly whether this is a one-time event or whether this is the usual operational method for DUCKTAIL, end quote. In any case, DUCKTAIL will bear watching.

Researchers at Secureworks discovered a campaign from the Iranian Cobalt Illusion threat group that leverages the death of Mahsa Amini as bait, Dark Reading reports. Cobalt Illusion is also known as Charming Kitten, APT42, Phosphorus, TA453, and Yellow Garuda. The threat group uses a bogus Twitter handle and represents itself as working with the Atlantic Council, CyberNews reports. The account has also been seen engaging with posts surrounding the protests following the death of Mahsa Amini, which Secureworks researchers say will help them appear sympathetic to protesters' interests and demands and create an illusion of shared interests. Secureworks CTU's Rafe Pilling said in a statement, quote, The threat actors create a fake persona and use it to build rapport with targets before attempting to phish credentials or deploy malware on the target's device. Having a convincing persona is an important part of this tactic, end quote.

Mandiant researchers have been tracking a campaign from suspected North Korean espionage group UNC2970, seen to be targeting media and tech companies in the Western world. The suspected North Korean threat actor is linked with high confidence to UNC577, a group also known as TEMP.Hermit, in action since 2013. UNC577 was seen targeting primarily South Korean companies, with some attacks by the group on a global scale, whereas the probably-related UNC2970 has been primarily targeting entities in the West. These attacks begin on LinkedIn, with the threat actor posing as recruiters and reaching out to targets. Mandiant researchers have identified files and suspicious drivers within compromised hosts. A dropper, LIGHTSHIFT, delivers the LIGHTSHOW payload, which then performs arbitrary read-and-write operations to kernel memory that aid in obfuscation from endpoint detection and response software. It's a case of bring-your-own vulnerable devices, since LIGHTSHOW relies on trusted yet vulnerable drivers to function.

The President's budget for fiscal year 2024 has been published and addresses cybersecurity across the spectrum of the federal government's operations. The budget will now go to Congress for the usual review, debate, modification, and passage. The budget throughout ties appropriate spending requests to the national cybersecurity strategy. Much of that funding will go not only to counter the work of adversaries like China and Russia in cyberspace, but also to more enforcement actions against cybercrime, to the countering of malign influence, and to bolstering federal cybersecurity. The U.S. Cybersecurity and Infrastructure Security Agency would receive under the plan a budget of $3.1 billion, an increase of $145 million over current funding.

The DoD released its 2023-2027 Cyber Workforce Strategy Thursday. The agency wrote in a press release, quote, The strategy will enable the DoD to close workforce development gaps, resource workforce management and development initiatives, stay at the forefront of technological advances, securely and rapidly deliver resilient systems, and transform into a data-centric enterprise with optimized workforce analytics, end quote. The strategy contains four human capital pillars centered around identifying, recruiting, developing, and retaining cyber talent, Breaking Defense writes. The foundational strategy is intended to make cybersecurity roles in government more attractive to potential employees, as it has struggled to compete with private sector roles and their offerings, Axios reports. Mark Gorak, DoD Principal Director for Resources and Analysis, said in a briefing, quote, So we have to compete on mission and other tangibles to the department. Leadership, organizational culture, and mission is the key there, end quote.

Check Point reports seeing the Remcos remote access Trojan as the payload in phishing messages being sent to Ukrainian government organizations. Quote, Remcos distributes itself through malicious Microsoft Office documents, which are attached to spam emails, and is designed to bypass Microsoft Windows UAC security and execute malware with high-level privileges, end quote.

Halychyna FM, a radio station in western Ukraine, was inaccessible briefly on March 2 due to a distributed denial-of-service attack by the hacktivists of Russia's Narodnaya Cyber Army, the International Press Institute reports. The attack is typical of the nuisance-level hacktivism cyber-auxiliaries have established during the present war.

And finally, CISA yesterday released five industrial control system advisories. Check your systems and apply updates per vendor instructions.

Coming up after the break, Dave Bittner sits down with Beth Robinson of Bishop Fox to share their 2023 Offensive Security Resolutions. And Caleb Barlow from Cylete discusses the security implications of gigapixel images. Stick around.
New Year's resolutions have come and gone, but it's never too late to resolve to do better. To that end, offensive security company Bishop Fox recently released a report titled 2023 Offensive Security Resolutions, highlighting ways offensive security teams can keep pace with attack evolution in 2023. Beth Robinson is senior content writer at Bishop Fox.

Threat actors exploit those same technologies that we use. And every new technology adds to an existing or a completely new attack surface. And attackers take advantage of our errors in creating and developing and deploying emerging technologies. So cloud and AI, for example, are examples of this right now. And those technologies are attack surfaces that are completely woven into many things you rely on each and every day, whether you know it or not.

Well, let's go through the report together here. What are some of the highlights that caught your attention?

Absolutely. So we've highlighted several technologies and skills that we plan to keep our eyes on in 2023. But cloud security is the biggest priority for our consultants and Cosmos operators. So while cloud is very ubiquitous technology, and it's changed many aspects of modern life as we know it, it is still very much an emerging technology in its own right. Things like human error and misconfigurations are very prevalent in cloud environments, giving threat actors a whole new world of opportunities to take advantage of. And then COVID-19, without a doubt, significantly accelerated the adoption of cloud technology with the sudden shift to remote work that really all of us have experienced. And then you couple that with things like the increase in e-commerce and shipping of goods instead of in-person shopping due to COVID. And this just really further complicates the security of cloud environments for everyone. And those are just two examples out of many that we can give for cloud computing and the complexity of it.

One of the things that you all highlighted here was the use of artificial intelligence and automation. What caught your eye there?

AI and automation are hugely prevalent technologies these days, and the attack surfaces that accompany them. And that's, you know, it's a new technology, emerging technology. And emerging technologies create expanded and brand new attack surfaces. So as offensive security professionals at Bishop Fox, we have to be on both sides of the fence to understand how the technology like AI, automation, machine learning, how it's adopted and used by our customers and clients, but also how attackers see it from an exploitation perspective. So with technologies like that, we really have to be on the cutting edge of understanding artificial intelligence, for example, as an emerging technology to see the exploitation and intrusion opportunities that attackers will use so that we can find vulnerabilities in our clients' environments before attackers have a chance to.

When you all were putting together this report, was there anything that was unexpected or anything that surprised you?

Sure. Yeah. I think the metaverse attack surface management was a bit of a surprise, but it's something, a very emerging technology with a brand new attack surface. That's something that we have to keep our eyes on as, you know, big heavy hitters like Disney and JP Morgan are taking the plunge into this type of digital universe. So we have to see how attackers view the metaverse in order to, you know, protect our customers in that attack surface environment.

Yeah, it's a really interesting point how, you know, something like that that is emerging, even though it's not a part of our day-to-day so far, it's something that folks still need to keep an eye on.

Absolutely, yeah. And any new emerging technology really ties into this endless cycle of software and projects that largely focus on innovation and openness and speed first, right? But security is often a secondary concern. So, you know, security issues tend to only surface when a technology has achieved widespread deployment. And this, you know, things like this can be examples of this.

So based on the information that you all have gathered here, what are your recommendations?

Recommendations would be to mix and match your security posture and your security controls. Use a mix of defensive and offensive security and be focused on your attack surface and the ways that attackers view your attack surface. And use offensive security to help map out your attack surface.

Do you find that there's a little bit of a blind spot when it comes to offensive security? Are there folks out there who overlook it or feel as though they don't necessarily need to engage with it?

Sure, of course. But I think it's coming into its own right. And I think it's really seen, we're seeing a surge in the need for offensive security, especially with the surge in emerging technologies and our reliance on cloud, artificial intelligence, blockchain technology, and perhaps, you know, perhaps even metaverse, the metaverse world. And the best way to protect yourself is, you know, like we do, we look at it from an attacker's perspective to understand where the vulnerabilities are in those environments before attackers have a chance to find them themselves.

That's Beth Robinson from Bishop Fox. The report is titled 2023 Offensive Security Resolutions. If you want to hear more of this interview, head on over to thecyberwire.com and sign up for Interview Selects, where you can have access to this and many more extended interviews.

And I'm pleased to be joined once again by Caleb Barlow. He is the founder and CEO at Cylete. Caleb, it is always great to welcome you back.
You know, I was recently thinking about how every time I upgrade my phone, one of the main motivators for me there is to get an improved camera. And part of that is the number of pixels that I'm able to gather, allowing me to zoom in and crop and do all that kind of stuff that I want to do. The imaging capabilities of our devices are pretty extensive. And you point out that there are some potential security implications here.

Well, there's a thing out there, and they're not that new. They're called gigapixel images. And, you know, in the classic cliche of a picture's worth a thousand words, if you haven't seen a gigapixel image, Google it. They are simply amazing. In short, it's an image, usually of a landscape or a cityscape or something like that, that's at such high resolution. You know, let's say you can see buildings and mountains at a distance. You can then drill all the way down to see inside of an apartment. And depending on the image, even read writing on the wall. If you see a car, you know, maybe just as a little blip in the image, you can drill right down into that small dot and zoom all the way down so you can literally read the license plate. So these are essentially military surveillance images in terms of their quality that would have normally been the thing reserved for government images, but they can now be created with simple off-the-shelf hardware, a special gimbal, and a regular 20 megapixel camera.

Yeah, I remember seeing one, I believe it was all the way back from Obama's second inauguration, and just remarkable how you could, exactly as you say, you start off with this wide shot, but then go pick out faces in the crowd. What are people wearing? Who has a hair out of place? That sort of thing.

Well, what's even more interesting about that particular image, which is one of them that I'm particularly fascinated by, is you can see the Secret Service positions. You can see them on rooftops where they're gathered. You can literally count how many of them there are. You know, so these things are often used at sporting events to gather pictures of fans in the crowd and see what everybody's laughing at and doing in detail. But the point is, anybody can create one of these things now, right? In fact, you don't even need to buy the equipment. You can just rent it. And the way it works is this gimbal moves the camera very slowly, incrementally over the course of maybe an hour, gathering upwards of a thousand images, and then an AI engine merges them together. So the upper left corner of the image might have been taken an hour before the lower right corner of the image, but the AI stitches it together in a way that it's basically a continuous image. These things have some really interesting security ramifications if, let's say, your business or, maybe we're getting into kind of civil liberties conversations, you're taking a more persistent gigapixel image of, let's say, a cityscape, because the level of detail that you can get access to is literally just mind-boggling. I mean, like I said, you can read what's written inside somebody's apartment.

Well, and we've seen instances where people have been able to pull fingerprints off of photographs of people who are just waving at the camera, that the resolution is so high. I'm curious, what is to be done here other than to be aware? What's your message to the security folks out there in terms of having this sort of thing on their radar?

Well, two things. First of all, we're all nerds. Go play with it. It's crazy cool, right?

Fair enough. Fair enough.

That's the first point. The second point, though, is if you happen to have a business that happens to be, you know, maybe in manufacturing or agriculture or something like that, where a view of your business, especially a persistent view of your business, could release intellectual property or other things you don't want people to know about, you need to be very aware of this. So, you know, I happen to live in Massachusetts. It's pretty darn flat other than in the city of Boston. I'm not worried about a gigapixel image. On the other hand, if I live someplace like Phoenix or Colorado City, where you have lots of really high vantage points that can take in the entire cityscape, then gigapixel imaging is a major issue to be worried about. Again, if your business has something that you don't want people to see from afar, including inside your conference rooms, if you have big windows. So, you know, again, go check it out. This is no joke in terms of how simple and low cost this is to be able to gather images at unbelievable quality. And, you know, I think we're even going to have law enforcement looking at these things saying, hey, why put up a security camera? I'll just grab an image of the whole city every 15 minutes.

Yeah. All right. Well, Caleb Barlow, thanks for joining us.

Thank you.
And that's The CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out this weekend's episode of Research Saturday, where Dave Bittner sits down with Ron Masas of Imperva to discuss their work on the Google Chrome SymStealer vulnerability. That's Research Saturday. Check it out.

The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Milly Lardy, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Jim Hoscheit, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Trey Hester, filling in for Dave Bittner. Thank you all so much for having me.
Enjoy your weekend.