CyberWire Daily - Cyberespionage, from war floating to phishing. An update on ESXiArgs. Fresh sanctions against ransomware operators, and more takedowns may be in the offing.
Episode Date: February 9, 2023

War-floating. A phishing campaign pursues Ukrainian and Polish targets. Pakistan's navy is under cyberattack. A new criminal threat-actor uses screenshots for recon. ESXiArgs is widespread, but its effects are still being assessed. The UK and US issue joint sanctions against Russian ransomware operators. Robert M. Lee from Dragos addresses attacks on electrical substations. Our guest is Denny LeCompte from Portnox discussing IoT security segmentation strategies. And is LockBit next on law enforcement's wanted list?

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/27

Selected reading.
Chinese Balloon Had Tools to Collect Communications Signals, U.S. Says (New York Times)
UAC-0114 Campaign Targeting Ukrainian and Polish Gov Entities (The State Cyber Protection Centre of the State Service of Special Communication and Information Protection of Ukraine)
NewsPenguin, a Previously Unknown Threat Actor, Targets Pakistan with Advanced Espionage Tool (BlackBerry)
Screentime: Sometimes It Feels Like Somebody's Watching Me (Proofpoint)
Florida state court system, US, EU universities hit by ransomware outbreak (Reuters)
No evidence global ransomware hack was by state entity, Italy says (Reuters)
Ransomware campaign stirs worry despite uncertain impact (Washington Post)
VMware Security Response Center (vSRC) Response to 'ESXiArgs' Ransomware Attacks (VMware Security Blog)
CISA and FBI Release ESXiArgs Ransomware Recovery Guidance (CISA)
United States and United Kingdom Sanction Members of Russia-Based Trickbot Cybercrime Gang (U.S. Department of the Treasury)
Ransomware criminals sanctioned in joint UK/US crackdown on international cyber crime (National Crime Agency)

Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
War floating!
A phishing campaign pursues Ukrainian and Polish targets.
Pakistan's navy is under cyber attack.
A new criminal threat actor uses screenshots for recon.
ESXiArgs is widespread, but its effects are still being assessed.
The UK and US issue joint sanctions against Russian ransomware operators.
Robert M. Lee from Dragos addresses attacks on electrical substations.
Our guest is Denny LeCompte from Portnox, discussing IoT security segmentation strategies.
And is LockBit next on law enforcement's wanted list?
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, February 9th, 2023.
Examination of debris from the Chinese balloon the U.S. Air Force shot down off Myrtle Beach earlier this week continues, but the U.S. State Department has announced that the balloon was a surveillance system.
The New York Times reports that it was a floating collection platform.
Specifically, it was engaged in collection of signals intelligence, a capability that became known to the U.S. before the balloon was shot down and its wreckage recovered.
Close flyby inspections by U-2 aircraft were able to determine that the Chinese system was set up for SIGINT as the balloon made its leisurely way from Montana to South Carolina.
The U.S. statement said the balloon's payload included antenna arrays
likely capable of collecting and geolocating communications,
and the craft packed enough solar panels to drive a large set of electronic sensors.
All of this, the U.S. pedantically explained,
was clearly for intelligence surveillance and inconsistent with the equipment on board
weather balloons. The State Department rather legalistically and humorlessly observed that any company that made and operated the balloon was surely closely connected with the Chinese government.
Ukraine's State Service of Special Communication and Information Protection State Cyber Protection Center, we'll just call them the SSSCIP, reports that a Russian cyber espionage campaign is phishing for targets in the Ukrainian and Polish governments.
The SSSCIP writes, and Polish government organizations, taking advantage of fake web pages impersonating the legitimate web resources of the Ministry of Foreign Affairs of Ukraine and the Central Cybercrime Bureau of Poland. The adversary TTPs are quite common and known for using email subjects related to malware scanning and benefiting from PowerShell scripts execution.
BlackBerry blogged today about a new threat actor they've called NewsPenguin, seen targeting Pakistani organizations.
Using the upcoming Pakistani Navy's International Maritime Expo and Conference as a phishing lure,
the actor attaches a malicious document utilizing a remote template injection technique
and embedded malicious
Visual Basic for Applications macro code to deliver the next stage of the attack, which
leads to the final payload execution.
The eventual payload contains an XOR-encrypted "penguin" encryption key, as well as the Content-Disposition response header name parameter set to "getlatestnews" during the HTTP response, both of which contributed to the name given to the actor by the researchers.
BlackBerry says, NewsPenguin is a previously unknown threat actor relying on unseen tooling to target Pakistani users and potential visitors of the Pakistani International Maritime Expo and Conference.
There's no attribution so far, but BlackBerry thinks that NewsPenguin's motivation is espionage and not profit.
Proofpoint reported yesterday on the activities of a threat actor they're tracking as TA866.
They call the activity, first observed in October of last year, Screentime, and Proofpoint says it starts with an email containing a malicious attachment or URL and leads to malware that Proofpoint dubbed WasabiSeed and Screenshotter.
In some cases, Proofpoint observed post-exploitation activity involving AHK Bot and Rhadamanthys Stealer.
Proofpoint designates TA866 as an organized actor able to perform efficient and effective tasks given the resources at the group's disposal.
A new version of the ESXiArgs ransomware appears to prevent data recovery via flat files.
Bleeping Computer reports that a second wave of the ransomware campaign began yesterday and that ESXiArgs developers have updated the malware to encrypt flat files.
This means that the data recovery script released by CISA will likely no longer work on servers infected with the updated version of ESXiArgs.
Bleeping Computer adds that servers infected earlier may still be recoverable by using CISA's tool.
CISA yesterday issued a guide for using the script.
The Washington Post notes that the ESXiArgs campaign appears to have had a somewhat muted impact compared to earlier widespread ransomware or pseudo-ransomware campaigns,
such as WannaCry or NotPetya.
Italy's National Cybersecurity Agency says, according to Reuters, that it's unclear who's behind the campaign.
In particular, there's no obvious involvement of a state actor.
This morning, the U.S. Treasury Department's Office of Foreign Assets Control and the U.K.'s National Crime Agency jointly sanctioned seven members of a gang that's operating the TrickBot malware.
The individuals sanctioned are also involved with the Conti and Ryuk ransomware strains.
The National Crime Agency says the seven cybercriminals are now subject to travel bans and asset freezes and are severely restricted in their use of the global financial system.
The U.S. Treasury Department drew particular attention to the way the Russian government has long provided a safe haven for cybercriminals.
The U.S. Treasury Department said, in part, Russia is a haven for cybercriminals where groups such as TrickBot freely perpetrate malicious cyber activities against the U.S., the U.K., and allies and partners. These malicious cyber activities have targeted critical infrastructure, including hospitals and medical facilities, during a global pandemic in both the U.S. and the U.K.
Last month, Treasury's Financial Crimes Enforcement Network identified a Russia-based virtual currency exchange, Bitzlato Limited, as a primary money laundering concern in connection with Russian illicit finance.
These sanctions represent another action against ransomware, coming as it does on the heels of the international effort to disrupt the operation of Hive.
There may be others to follow.
CyberScoop reports some informed speculation that LockBit may be the next high-profile target.
The Russian gang tooted its apolitical horn early in Russia's war against Ukraine when many of its criminal colleagues were signing up as cyber auxiliaries for Moscow's organs.
Yet it's been functioning effectively as a privateer, objectively at least supporting Russia's war effort.
LockBit's been doing some woofing about the Hive takedown.
Representative is a tweet shared via VX Underground in the last week of January, stating, Nice news. I love when FBI pwned my competitors, which is one way of looking at it.
But LockBit's gotten bigger and more irritating, even as it's grown cockier.
So good hunting, FBI, Interpol, Europol, NCA, and every police agency in Europe and North America.
After the break, Robert M. Lee from Dragos addresses attacks on electrical substations.
Our guest is Denny LeCompte from Portnox, discussing IoT security segmentation strategies.
Stick around.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews,
and reporting, and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
IoT devices giveth and IoT devices taketh away. They can add functionality and convenience, but also expand your organization's attack surface.
Denny LeCompte is CEO at security firm Portnox, and I reached out to him for insights on IoT security segmentation strategies.
A lot of these devices are built to be cheap. They are not built to be secure. There's a manufacturing run, and they will ship these things, and there's maybe no security at all.
It's gotten a little better, but if that's from terrible to nearly bad, it's not good at all, right?
You've got, you know, devices will be shipped with a blank password, a blank admin password. So if someone were to move into your, somehow get access to your network, they can log onto these things.
And some of them are basically Linux computers
so that it is possible for somebody to use that
as a kind of base camp
to then make other lateral moves
to get to more interesting things.
They don't really want your camera,
but your camera is a beachhead into your network
and they can use that.
So it is a real security threat,
especially just because they are really not built for management the way a laptop or a server or firewall is, right?
So that's the problem for IT pros everywhere.
Well, can you walk us through what the process is like when someone decides they want to do this?
What's the best way to go about it?
Well, one of the first challenges, if you're going to do it, is figuring out what the heck
is on your network. That's much more difficult than you would think, mostly because devices
don't just sort of raise their hand and say, this is what I am. So typically, you have to do some
sort of fingerprinting of the devices. And there's lots of ways to do this.
There are some ways that can be intrusive
where there's lots of scanning to figure it out.
We all refer to it as fingerprinting
because what you're trying to figure out
is from things about this device,
like what are the unique characteristics
that tell me that this is a Sony television or a Vizio or that it's this particular model?
That's what you want to know.
What's on my network?
Because if you can't identify, securing becomes very difficult.
And how do I segment?
How do I put the cameras over here and the TVs over there if I don't even know which is which?
Because they're just a bunch of dumb
IP addresses. So you've got some intrusive sort of aggressive scanning methods. You've also got
some more passive scanning methods. You could do things like DHCP gleaning, where it turns out the
way a network device makes a DHCP request is often pretty unique, especially if you combine it with other things like MAC addresses.
So there are databases full of MAC address.
I mean, there are folks who that's what they've done.
They will go, they have like a whole run of MAC addresses
that are assigned to a model of a particular device.
And so that you can then take the MAC address
and sort of make a guess.
And if you combine it with DHCP information
and maybe other information from how it talks on the network,
it reveals what it is.
So like our company is able to get like 95% accuracy.
Like other vendors can do this as well,
trying to figure out what it is.
Once you know what it is,
then you can set up your network
so that you have, again, different VLANs,
different sections of your network
that are very limited.
And there's no reason that the, you know,
the things that are in the,
like all the hand scanners, don't need access to anything else in the network.
So you can really constrain what they can do.
How do you make sure that you're not inadvertently introducing any sort of friction for your employees here?
Well, that's where you need some sort of access control solution. Because if you make this too manual, right,
there would be an approach where you just manually do this.
You're going to introduce a lot of friction
because then that manual process is going to make it
very difficult for everybody to log on.
So you need some automation here.
You need to be able to set up your devices
so that all your laptops and users,
probably you want to use certificates, digital certificates that do raise their hand and say,
this is what I am. I belong here. And you can compare them to Active Directory or Google
Workspace or some sort of other LDAP directory so that all of your users just get on invisibly.
And so then it's IT's problem to worry about the devices.
And ideally, what you want is to be able to do that fingerprinting and then have an access
control policy that says, you know, only devices of this make and model are going to be allowed
and then the others won't.
Or if I can't quite tell what you are, then I'm going to put you in a quarantine
VLAN, which is very restricted. And then you can
maybe handle that manually. But you really have to have a lot of automation
to make this possible at all.
Are there any common pitfalls that you can help people avoid here?
Mistakes people make when trying
to set something like this up? To be honest, the biggest one we see is that people just think it's
going to be hard and then they don't do it. The number of customers we talk to that have very little
segmentation at all is high. The number of things that have wide access
is much too high.
So the main thing is you're going to
need some sort of software
solution. And probably the
most common is people get things that are
maybe more trouble than they're worth.
They can nominally solve the problem,
but in practice, it's so much
trouble that they, again,
they end up simplifying because they can't enable
simple policies to do what they want.
So the thing that we would recommend to folks
is to find a solution that is really low overhead,
that once you set it up,
everything is just gonna sort of happen in the background
and there's not gonna be a lot of maintenance on your part.
We have found cloud-based solutions are usually going to be much lower maintenance
in this regard than anything on-premises.
That's Denny LeCompte from Portnox. And I'm pleased to be joined once again by Robert M. Lee.
He is the CEO at Dragos.
Rob, it is always great to welcome you back to the show. We have seen several stories about folks going after power substations with guns and bullets and things like that.
In fact, as you and I are recording this, there were a couple of gentlemen from Tacoma, Washington, who've been charged in an attack on a power substation.
The story seems to indicate that they were basically going for a misdirection for another burglary.
But people look at this in the news and they see a pattern that people are going after these substations in ways they hadn't before.
I wanted your insights on this.
As somebody in this critical infrastructure world, what's your take on what's going on here and the degree to which we should
be concerned? Yeah, well, first of all, they're idiots. And second of all, the idea of people
shooting at transmission equipment, power lines, et cetera, is old, right? It's not a new thing.
Every utility, most utilities have to deal with that or dealing with people jumping across the
fence to kind of steal copper at a substation
to go sell for meth or crack or something.
I care a lot about the cybersecurity considerations.
Those are more impactful, those are more strategic, but everybody deals with idiots in the utility
industry.
It may not seem like a fun topic, but it's a real one.
There's no joke when I say that.
That's actually a pretty common issue.
Going back to the days of even Metcalf
when we had somebody take a 50 cal
and try to strategically shoot out substations
and transmission equipment.
This has been happening for a while.
Hell, if you go out in certain parts of the country
you'll find people do target practice
against pylons and transmission lines, as an example.
It's just really stupid stuff.
And it causes a lot of money and cost to the utilities,
which goes right back to the rate payers.
And so it's just a bad thing for everybody.
Now, the reality is, I think some of this, in this case maybe misdirection,
but some of the reportings that we're hearing has a very close tie
to what we're seeing in a broader picture of misinformation
and amplification and disinformation of conspiracy theories and so forth.
There was a whole 5G is going to load vaccines into your body
and kill your kids kind of stuff.
And power utilities and power lines
are very closely associated.
Oh, look at that tower, and they're monitoring us.
There's been cases, I remember years ago,
that it was required by regulation
to put up cameras to monitor
unmonitored substation equipment,
just from a safety and environmental perspective.
Hey, utility, if it's an unmanned,
I shouldn't say unmonitored, unmanned substation,
like a distribution substation,
put up a little camera to be able to remotely view it.
By regulation, you've got to have positive control over it.
And I remember folks looking at that going,
that's the NSA and they're spying on us!
Going out and tearing down the camera system.
What are you idiots doing?
I don't want to position mental health as anything other than deserving attention,
but some of this isn't mental health.
Some of this is just instability by people staying on the internet too long
and diving into forums and so forth.
So anyways, not to go on too much of a rant,
but the reality is it costs a lot of money.
That cost is borne by all of society.
It's not a new issue,
but I do think we're entering a new era of it
where access to disinformation and misinformation
and the amplification of it
is going to see utilities get targeted more
as people associate big
government utilities, 5G, all this stuff together. It's an unfortunate situation.
I was looking at an article from KIRO7, which is a local affiliate in Tacoma, Washington,
and this line caught my eye. They said, the damage to the Tacoma power substations alone
is estimated to be at least $3 million.
Repairing a single damaged transformer
could take up to 36 months.
Does that track with your understanding?
Yeah, depending on what was done,
the cost could be on the low side.
It can very quickly go well above $3 million.
But the time does seem to be a little on the high side.
But it's possible given supply
chain issues. So normally people talk about replacing key transmission equipment taking
six months. That's not entirely true. I think people are a little sheepish to communicate the
exact amount of time. But generally speaking, most of the transmission equipment that we rely on is
not built in America anymore.
And so you're relying on other countries, sometimes competitive countries, to resupply that equipment. And even if they're trying to be helpful, even if they're trying to work with you,
that can be a nine to 12 month process. And then you got to talk about, you know, being able to
transport this key transmission equipment, which is usually going to be done by rail,
and that takes time.
And so, yeah, I think nine to 12 months to replace equipment is reasonable.
I would say, again, with the supply chain issues
that we're having, I could easily see that
reaching into 18 and 24 months.
36, I'd have to understand more about
exactly what equipment was shot up
and why they're estimating 36.
But again, when you're talking transmission equipment,
if you're talking like transformers and so forth
at that level, that transmission side of the house,
that's a very long, very expensive process for sure.
But it doesn't mean that the lights are going to be off for that long.
Oh no, no, no.
So this is, again, something I think a lot of people misunderstand.
But the electric system is an incredibly complex,
probably the most complex system humans have ever built,
and there's a lot of redundancy built into it.
Now that's hard to believe when we see things like outages in Texas,
or you hear about the impacts of cyber attacks.
It's like, well, how can that be?
Well, there are weaknesses in the system,
and smart understanding of that system
can kind of find those pressure points.
Again, one of the concerns about a cyber attack,
when one talks about like,
oh, we deal with hurricanes all the time,
cyber won't be that big of a deal.
Yeah, but hurricanes don't choose their targets,
and they're not strategic about it,
and they don't come back sort of twice
and hit all around the country at the same time.
And so cyber as a tool can impact a heck of a lot more than weather and so forth.
But weather and squirrels and idiots with rifles are a constant.
And so it's a lower impact, way higher frequency reality for these utilities.
But either way, going back to the discussion,
the electric system itself,
if you really don't know what you're doing,
you would have to be astronomically lucky to be able to take down a decent portion of it.
Because if a substation, as an example, goes down,
we expect that to happen,
just from random things, if not weather events.
So there's alternate routes.
It's just like a network from a computer
system perspective where there's different routes it can take across the environment.
You might have localized outages. You might have a small town that can't get power restored for
a couple weeks at a maximum. But you're not dealing with months of outages,
or you're not dealing with large portions of the electric system going down unless someone is strategic and thoughtful and kind of knows where those pressure points are.
All right. Robert M. Lee, thanks for joining us.
Thank you.
businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is a production of N2K Networks,
proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
This episode was produced by Liz Ervin and senior producer Jennifer Iben.
Our mixer is Trey Hester, with original music by Elliot Peltzman.
The show was written by John Petrick.
Our executive editor is Peter Kilby, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
practical, and adaptable. That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses
that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.