CyberWire Daily - Cyberespionage, and ransomware as misdirection. A new Python-based supply chain attack. Traffic on the Static Expressway. KillNet continues to plague hospitals. And Telegram may be compromised.
Episode Date: February 3, 2023

CISA has released six ICS Advisories. A look at a North Korean cyberespionage campaign. ChatGPT and its attack potential. A new Python-based supply chain attack. There's traffic on the Static Expressway: ClickFunnels seen in use for redirection. KillNet continues its campaign against hospitals. Ransomware as misdirection for cyberespionage. Part two of my conversation with Kathleen Smith of ClearedJobs.Net discussing trends in the cleared space. Our guest is Eric Bassier of Quantum talking about the multi-layered approach to ransomware protection. And Russian surveillance extends to Telegram chats.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/23

Selected reading.
Delta Electronics DIAScreen (CISA)
Mitsubishi Electric GOT2000 Series and GT SoftGOT2000 (CISA)
Baicells Nova (CISA)
Delta Electronics DVW-W02W2-E2 (CISA)
Delta Electronics DX-2100-L1-CN (CISA)
Mitsubishi Electric GT SoftGOT2000 (CISA)
No Pineapple! – DPRK Targeting of Medical Research and Technology Sector (WithSecure)
Hackers linked to North Korea targeted Indian medical org, energy sector (The Record from Recorded Future News)
North Korean hackers stole research data in two-month-long breach (BleepingComputer)
ChatGPT May Already Be Used in Nation State Cyberattacks, Say IT Decision Makers in BlackBerry Global Research (BlackBerry)
Supply Chain Attack by New Malicious Python Package, "web3-essential" (Fortinet)
Leveraging ClickFunnels to Bypass Security Services (Avanan)
Report: 'KillNet' targeting hospitals in countries helping Ukraine in war efforts (Becker's Hospital Review)
Intelligence agency says ransomware group with Russian ties poses 'an enduring threat' to Canada (CBC)
Ransomware as cover for APT groups conducting cyberespionage (Le Monde Informatique)
The Kremlin Has Entered the Chat (WIRED)
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
CISA has released six ICS advisories,
a look at a North Korean cyber espionage campaign,
ChatGPT and its attack potential,
a new Python-based supply chain attack,
there's traffic on the Static Expressway,
ClickFunnels are seen in use for redirection,
KillNet continues its campaign against hospitals,
ransomware as misdirection for cyber espionage.
Part two of my conversation with Kathleen Smith from ClearedJobs.net,
discussing trends in the cleared space.
Our guest is Eric Bassier of Quantum,
talking about the multi-layered approach to ransomware protection,
and Russian surveillance extends to Telegram chats.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Friday, February 3rd, 2023. We start today with a quick look at some patches that came out yesterday. CISA,
the U.S. Cybersecurity and Infrastructure Security Agency, released six industrial control system advisories on Thursday.
They cover equipment from primarily Delta and Mitsubishi. It's the old familiar drill.
Operators should review their systems and apply the patches in accordance with the vendor's
instructions. Researchers at WithSecure are tracking a campaign by North Korea's Lazarus Group that's targeting healthcare research, a manufacturer of technology used in energy, research, defense, and healthcare verticals, as well as the chemical engineering department of a leading research university.
One of the targeted healthcare research organizations was based in India.
The attackers compromised their targets using known vulnerabilities
in unpatched Zimbra platforms. The researchers believe the threat actor's motive is cyber
espionage. It's safe to assume, given the targeting and the Lazarus Group's involvement,
that the kind of espionage in question is industrial. A survey by BlackBerry has found that 71% of IT professionals believe
that nation-state actors are already using ChatGPT to assist in launching cyber attacks.
BlackBerry says ChatGPT's ability to help hackers craft more believable and legitimate-sounding
phishing emails is the top global concern at 53%,
along with enabling less experienced hackers to improve their technical knowledge
and develop more specialized skills and its use for spreading misinformation.
The majority of respondents believe that ChatGPT still has more potential for good than for evil,
although 95% of them think governments will need to regulate
these types of advanced AI tools. Researchers at Fortinet have discovered a malicious PyPI
package called web3-essential that will download a malicious executable. The malware appears to
be designed to steal login credentials and payment card information from browsers,
including Google Chrome, Microsoft Edge, and Firefox. The researchers note that the package
was published on the same day that its author joined the repository, and that given the frequency
of this pattern of simultaneously joining and publishing, it may be a wise idea to take precautions for downloading packages
published by newly joined authors. Avanan has released a report detailing a campaign
leveraging ClickFunnels to bypass security measures. ClickFunnels are described as an
online service that helps entrepreneurs and small businesses generate leads,
build marketing engines, and grow their businesses.
Ill-meaning actors are taking advantage of the service's capability to create web pages
and are creating malicious pages with redirects to malicious links.
Targets receive an email requesting the review of a file, providing a document review link. The email link opens a falsified OneDrive page with a
Get Document button that redirects to a credential harvesting page. This incident is a textbook
example of the Static Expressway, hackers leveraging the legitimacy of sites for hidden
malicious purposes. Becker's Hospital Review reports that KillNet has continued its attacks against hospitals in countries deemed hostile to Russia.
The attacks, distributed denial-of-service attacks for the most part, have afflicted medical organizations in the UK, the Netherlands, the US, Germany, Poland, and the Scandinavian countries.
Why hospitals, one might ask?
Probably because they're wreckable, that is, because they
have large, difficult-to-defend attack surfaces. And then there's the possibility of terrorism
they present. Interfere with them and you'll frighten people. Killnet isn't discriminating
and it isn't sophisticated, but it's communicating. Be afraid is the message, and it's precisely the message
KillNet's masters in the Russian intelligence service
are interested in communicating.
Other cases that touch Russia's hybrid war are more complicated.
The Russian-speaking ransomware gang LockBit
continues its financially motivated campaigns,
most recently against financial tech firm Ion,
where, Computing reports,
the gang has demanded that it be paid by tomorrow. Canada's Communications Security
Establishment warned that LockBit will almost certainly remain an enduring threat to both
Canadian and international organizations into 2023. LockBit has taken care to position itself as a simple apolitical criminal organization
and not a cyber auxiliary working under Russian state supervision. But it certainly operates with
the permission of and at the sufferance of the Russian government, and the relationship with
that government is complex and imperfectly understood. Le Monde Informatique, for one,
argues that not only Russian,
but North Korean and Chinese services as well
are using ransomware as a cover for cyber espionage.
And finally, it may be that some platforms
aren't as private as their users might hope.
Telegram, a platform that's enjoyed a reputation for anonymity, seems to have been
penetrated by Russian security services. Wired reports that dissidents have been receiving
police attention that seems to be accounted for only by Telegram's cooperation with the authorities.
Chat with due caution, Telegram users. Some of the folks you've been chatting with have had their
doors kicked in, and that probably is, as Pravda used to say, no accident.
Coming up after the break, part two of my conversation with Kathleen Smith of ClearedJobs.net,
discussing trends in the cleared space.
Our guest is Eric Bassier of Quantum, talking about the multi-layered approach to ransomware protection.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires
done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
Digital backups have been around as long as we've had computers. I can remember making multiple copies
of programs I'd written, using cassette tapes back in the day and later floppies and external
hard drives. And of course, today there's a focus on the cloud. There's that old saying that history
may not repeat itself, but it sure does rhyme. Eric Bassier is Senior Director of Products at
backup storage vendor Quantum, and I spoke with him about the renewed interest in tape backup systems.
One of the longtime best practices in data protection was called a 3-2-1 data protection approach.
And I mean, this goes back, you know, 15 years or 20 years or more.
And the 3-2-1 data protection approach
calls for having three copies of your data.
So you would want one primary copy of that data
and then two backup copies, effectively.
And you would want to have those three copies
on two different types of media.
And you would want to have at least one of those copies be off-site.
And that was for disaster recovery purposes.
And so the 3-2-1 rule has been a long-time kind of best practice rule.
So three copies of your data, two different types of storage, and then make sure at least
one of those copies is off-site.
Well, recently, both Quantum and other data protection vendors in the industry are kind
of talking about a 3-2-1-1 multi-layer data protection strategy, where it's three copies
of data on two different types of storage. And we'll talk a little bit more about that.
One of those copies should be off-site, but one should be offline.
And that's that last one that gets added.
So the multi-layered approach now is talking about,
make sure you've got a copy of your data off-site.
In the event that there's a localized disaster and you need to recover,
make sure you have one copy that's offline,
so that if you do get hit with a ransomware attack or some
different types of malware or cyber threats, you can recover a pristine copy of that data
and get back to business quickly. And what are some of the available strategies there for storing
data offline these days? Kind of interesting things we've seen in our own business and that we're seeing
from our customers is a lot of large enterprises and even large cloud providers are turning to
kind of a retro technology, which is digital tape, LTO tape. Tape is unique in that, unlike disk-based storage systems or flash-based
storage systems, tape storage systems by their nature are physically air-gapped. The data itself
is stored on a magnetic tape, and it is physically separated from the device that's connected to the network, which in this case is a tape drive.
And so we've had a lot of our customers, even those that have totally gotten rid of tape in their environment, looked at it now.
And with the, you know, again, strengthening cybersecurity being a top priority, they're starting to add tape into their environment and make a copy of
data on tape.
And that really serves as that copy that is truly offline.
So it's interesting.
We've seen a bit of a reversal in the perception of it where I think for many years, tape was
perceived as maybe not as relevant, maybe a tertiary copy or something.
But I think now it's being seen as increasingly relevant as a way to combat this threat of the cyber threats that are out there.
I'm an old video guy.
Admittedly, it's been probably at least a decade or so since I was in that world.
But I remember there being tape robotic systems where the swapping of the tapes was pretty much an automated sort of thing.
Is that still in play?
Like all other enterprise data storage technologies, the technology for that has evolved quite a bit.
So I talk to a lot of customers, and maybe old tape, you know, or people that used tape many years ago, and in their minds they picture this huge, you know, I don't know, refrigerator-size thing.
Right, right.
Now, you know, we can, um, you know, a small rack-mounted device, tape robotic system, three rack units, can hold, you know, 50 tapes.
So with current tape capacities, you're talking about, you know, well over a petabyte of data.
You know, so even for smaller businesses, you know, it's a pretty small investment, pretty small footprint, and you can get that offline protection.
And where do we stand in terms of speed?
Obviously, tape is linear in its very nature,
but if I want to restore my systems,
I want to do it as quickly as possible.
What's the state of the art there?
Yeah, the tape drives,
which are the device that can really read and write the data on the tape,
the currently shipping generation is LTO 9,
so that's the ninth generation of LTO tape drives.
And with each generation,
the streaming performance of the tape drives
has more or less doubled.
So like hard drives, like flash drives,
we continue to improve the performance of the tape drives
as well as the capacity of the tapes themselves. When I think about restoring from tape,
I would generally say it will take, I would say, minutes to recover data from a tape
robotics system. And obviously, it depends a lot on how much data you're recovering, how big is the data set, but it generally takes one to two minutes to load the tape, to rewind the tape, and kind of get to that first bit of data.
Once that happens, the tape drives can actually stream a huge amount of data very quickly.
So, you know, that is, it's a consideration with tape.
It does, it will take, you know, minutes to recover a small amount of data from tape.
And, you know, if you have a huge amount of data to recover, it may take some time.
But yeah, that gives kind of a general sense of what to expect anyway.
Right.
No, it's a mindset shift. I mean, and I've sort of experienced it in real time that you're still not putting all your eggs in one basket, but it's a different way of
distributing the risk than I think a lot of us have grown accustomed to. Yeah. And we started
kind of talking about a multi-layered data protection approach.
I mean, I think that that's what we advocate.
I think that's what is a best practice in the market.
I think tape should be part of those multi-layered data protection infrastructures.
And I've had a lot of these sorts of conversations in the last two or three years,
including Quantum has done some webinars
with an ethical hacker.
He now recommends this to all of his clients
because he was trying to figure out
how to hack into a system like this
and he's stumped.
He can't figure it out.
So I do think it's,
what is kind of retro has become really relevant
just because of some of its properties.
And I don't want to gloss over, I think Quantum has really led the way here in terms of innovation in some tape software features that allow us to create that.
In a sense, it's kind of an immutable data vault, you know, is really what we've created with our systems.
That's Eric Bassier from Quantum.
There's a lot more to this conversation.
If you want to hear more, head on over to the CyberWire Pro
and sign up for Interview Selects,
where you'll get access to this and many more extended interviews. And I'm pleased to be joined once again by Kathleen Smith.
She is the Chief Outreach Officer at ClearedJobs.net.
Kathleen, it's always great to welcome you back to the show.
You know, in our previous segment, we were talking about some of the things that you've been tracking in the cleared community
and helping folks find jobs, all that sort of thing.
There were a couple of items
that we didn't have time to get to.
So why don't we just pick up there?
What are some of the other things
that you're looking at here?
One thing that I'm really noticing
is a lot of people are looking
at their overall career progression
within the security cleared community.
And I'm noticing that a lot more people are wanting to go into government work to be work, excuse me, work specifically for government agencies to improve business processes and to also expand their overall career experience. I know several people, predominantly women,
who are going from corporate world within the government contracting space into working for
government agencies to build their experience, build their relationships, and really bringing
corporate experience to solve some of these difficult problems. There was a very heated discussion today on LinkedIn
about how, shall we say backwards,
recruiting is within the government space,
maybe specifically a jobs platform
within the government agency space
that is just not up to standards
that we see in the corporate world.
And I've seen a lot of people
who have been human resource professionals and government contract recruiters say,
it's time to take the leap, go into government agencies and really try to understand what the
problems are and turn them around and see if we can speed up that process. As we know, that might take a
little bit longer than just a year or two. When we say backwards though, what exactly are people
getting at here? The application process to go in for a government agency is extensive. It's
more extensive than you would find it for any company within the government contract space.
And it is its own identity as far as the kind of questions they ask. And it really doesn't go
toward the skills that people need to do the work. It's more to fill out the bureaucratic
dots and cross the T's and stuff like that. I'm sorry. I'm fumbling that one
a little bit. You're being diplomatic. I'm trying to. I'm trying to. Not trying to get myself out.
I appreciate that. I think it's also that when I've talked to people, they've really said that
it's not about recruiting talent. It's more about managing the
bureaucratic process. And I think when we're talking about making sure we have the best talent
working for the government to support the mission, we need to make sure that we're doing a recruiting
process, which is a conversation and an engagement, rather than making sure people are going through the specific paces to fill the
job. The other thing that I'm seeing, which, you know, is something I enjoy seeing, but I wish it
would speed up a little bit more, is that there is a definite relationship between recruiting
and business development within government contracting. And we frequently hear of government contractors not
winning their re-competes or not winning proposals because they don't have a very competitive
contract or a very competitive proposal they put through. And our recommendation is always make
sure that you're talking to your recruiting department when you're going through your
contract proposal process, because
one, the recruiters will give you what the labor market categories are and can you really find
this talent? You know, I love salespeople. I love my salespeople, but you know, they,
they tell someone you can, we can get all of this. And then when they go back to their recruiter and
the recruiter says, there's absolutely no way I can get a Java programmer with a full-scope poly for $35 an hour.
So, you know.
We'll lose money on every employee, but we make up for it with volume. the fact that we're cross-pollinating between the corporate and government contracting space
and we're cross-pollinating between recruiting and business development.
When you're in an industry for over 20 years, you sort of wish some things would happen
and you sometimes have to stick around long enough to see them happen.
But it's really great to see it.
It's interesting to your first point about the hiring process itself.
I mean, it strikes me that there are already a lot of challenges of getting people into government space when it is so competitive in the private market.
And we hear so many people leaving the government because of the opportunities in the private market.
So any barrier you could remove there is going to be helpful, right?
It would be really great if we could remove some of these barriers. And it's a mentality
that is there within the government agencies, not just the processes. And I think it's going to take more than just someone flipping the switch and making
the government job board a little bit more effective. It's going to be taking the entire
process and changing it. Now, I have seen some highlights or some areas where people have really
changed this. Department of Homeland Security sort of started its own internship process
and started its own hiring program.
Several of the other agencies have said, you know,
the system is not moving fast enough.
We need to do something on our own.
And they do get approval to do it on their own.
The challenge is that not everybody
knows this, but the other challenge is that they still have to submit through the government job
board, which I think is the biggest problem. But that's just a personal opinion.
Yeah. Yeah. All right. Well, Kathleen Smith, thank you for sharing your insights as always.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
the cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday and my conversation with Tom Bonner and Owen Wickens from HiddenLayer's SAI team.
We're discussing their research on weaponizing machine learning models with ransomware.
That's Research Saturday. Check it out.
The CyberWire podcast is a production of N2K Networks,
proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is
Elliott Peltzman, Tré Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Millie Lardy, Gina Johnson, Bennett Moe, Catherine Murphy, Janine Daly, Jim Hoscheit, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening.
We'll see you back here next week.