CyberWire Daily - "Cylance" ransomware (no relation to Cylance). Update on the 3CX incident. The FSB's arrest of Evan Gershkovich. Ukrainian hacktivist social engineering in the hybrid war.
Episode Date: April 3, 2023
"Cylance" the ransomware (with no relation to Cylance, the security company). An update on the 3CX incident. The FSB's arrest of a Wall Street Journal reporter. Simone Petrella from N2K Networks unpacks 2023 cybersecurity training trends. Deepen Desai from Zscaler has the latest on cloud security. And hacktivists claim to have tricked wives of Russian combat pilots into revealing personal information. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/63
Selected reading.
"Cylance" ransomware (no relation to Cylance). (CyberWire Pro)
New Cylance Ransomware Targets Linux and Windows, Warn Researchers (HackRead)
New Cylance Ransomware strain emerges, experts speculate about its notorious members (IT PRO)
More evidence links 3CX supply-chain attack to North Korean hacking group (Record)
3CX supply chain attack: the unanswered questions (Computing)
3CX Desktop App Compromised (CVE-2023-29059) (Fortinet Blog)
Evan Gershkovich Loved Russia, the Country That Turned on Him (Wall Street Journal)
The Ukrainian hoax that revealed the Russian pilots who bombed Mariupol theatre (The Telegraph)
Ukrainian Hacktivists Trick Russian Military Wives for Personal Info (HackRead)
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Cylance the ransomware, with no relation to Cylance the security company.
An update on the 3CX incident, the FSB's arrest of a Wall Street Journal reporter.
Simone Petrella from N2K Networks unpacks 2023 cybersecurity training trends.
Deepen Desai from Zscaler has the latest on cloud security.
And hacktivists claim to have tricked wives of Russian combat pilots
into revealing personal information.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary
for Monday, April 3rd, 2023.
Palo Alto Networks' Unit 42 late last week spotted a new strain of ransomware that's calling itself
Cylance, with no relation to the security firm Cylance acquired by BlackBerry in 2019.
The malware is targeting Windows and Linux systems. The ransom note instructs victims
to email the attackers to begin negotiations, and it reads, in part,
all your files are encrypted and
currently unusable, but you need to follow our instructions. Otherwise, you can't return your
data. Never. It's just a business. We absolutely do not care about you and your deals except
getting benefits. If we do not do our work and liabilities, nobody will cooperate with us. It's
not in our interests. The crooks responsible for
the attacks encrypt the victim's files with the extension .cylance. Why they've chosen to pick
on Cylance in their nomenclature is unknown, but there's no obvious social engineering angle to
the use of the name. No attempt to impersonate BlackBerry Cylance, for example. HackRead reports that
the ransomware has already compromised several victims. The 3CX desktop app attacks
increasingly look like the work of North Korea's Lazarus Group, the Record reports. CrowdStrike
initially disclosed suspected nation-state involvement by the Lazarus Group, or Labyrinth Chollima as CrowdStrike tracks it.
The outlet reports that Sophos on Friday also linked some evidence from the attacks to Lazarus,
reporting that a shellcode loader used had previously been seen only in Lazarus Group operations.
Computing reports that the attack likely was ultimately intended to deploy information-stealing malware
with a particular focus on browsing history.
Given the likely attackers, espionage makes sense as an ultimate goal.
Computing also notes that it's not yet publicly known how the attacker entered 3CX's systems
and whether or not they still have access.
Fortinet released threat research on
Thursday detailing the supply chain attack, which has been assigned the designation CVE-2023-29059.
They note that the primary targets have been organizations in Europe and North America,
and they provide indicators of compromise. The FSB's arrest of reporter Evan Gershkovich
is widely regarded in Western media as official hostage-taking,
and his arrest has been denounced as such by the U.S. State Department and the White House.
The AP reports that U.S. Secretary of State Antony Blinken
called his Russian counterpart, Foreign Minister Lavrov,
to demand the journalist's immediate release.
Secretary Blinken also demanded the release of Paul Whelan,
an American citizen whom Russia has detained for four years on espionage charges.
Russian state television takes a different line,
as commentators on a Rossiya One news show say that Gershkovich was never a journalist and filed no stories from Russia.
That's an easy charge to debunk.
The Wall Street Journal has published 11 stories with Gershkovich's byline in just March of this year,
and the paper is justifiably outraged at Russia's conduct.
If you're not a subscriber to the Wall Street Journal,
the paper has moved Evan Gershkovich's articles from behind their paywall,
so you can read for yourself what he's been filing. And finally, Cyber Resistance, a pro-Ukrainian
hacktivist group, is reported to have inveigled the spouses of officers in the Russian 960th Assault Aviation Regiment,
responsible for killing some 600 civilians who had taken shelter in a Mariupol theater last year,
as well as having hit hospitals,
into participating in a bogus morale-building calendar photo shoot,
in the course of which the identities of the regiment's officers were revealed.
The wife of the regiment's commander was duped into organizing the photo shoot.
The Telegraph writes, the 41-year-old believed she was communicating with an officer from her
husband's regiment, not a Ukrainian activist, when she agreed to take part and organize the
patriotic photo shoot in an airfield.
HackRead reports that the information obtained included a great deal of sensitive data.
InfoNapalm, a hacktivist group cooperating with Cyber Resistance, explained,
among the large volumes of correspondence and spam in the mail dumps of the 960th AAR commander, Colonel Sergei Atreshenko,
we managed to find and isolate various detailed lists of pilots, performance evaluation records
of officers, bulletins, memos, theoretical and practical calculations, and so on,
which are of material interest for the Ukrainian intelligence.
Both Cyber Resistance and InfoNapalm have a longer track record than most hacktivist groups involved in Russia's war. They were formed in response to
Russia's 2014 invasion of Crimea. The data pulled and partially published by Cyber Resistance
unfortunately also included information about the wives themselves,
who after all flew no strikes and bombed no hospitals.
Coming up after the break, Deepen Desai from Zscaler has the latest on cloud security.
Simone Petrella from N2K Networks unpacks
2023 cybersecurity training trends. Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
The market for cybersecurity talent continues to be highly competitive.
It's true the layoffs that have been rolling through tech have touched cyber,
but overall people with cybersecurity skills remain highly employable,
which makes the care and feeding of your current cybersecurity staff all the more important.
And part of that is investing in training.
For insights on this, I turned to our own in-house expertise
and spoke with Simone Petrella, president at N2K Networks and CEO and founder
at CyberVista. It's really fascinating because 2022 has come out as the year that has shown
the most demonstrative demand for talent. So it continues to grow. And that growth in cybersecurity
talent demand has obviously grown
year over year. But if you look at cybersecurity job postings by volume, nine of the 10 highest
ranked months in cybersecurity job openings happened in the year 2022. So demand has
continued to increase for a number of factors. But then kind of counterintuitively, if you look at the demand for
upskilling workforce, how do we think about creative ways to fill this increasing demand?
There is a disconnect between the high desirability of organizations to create programs,
but then a fairly surprising stagnation in their ability to mature those programs.
They're getting really stuck.
Why do you suppose that is? What's the stumbling block here?
You know, to sort of back up for a second before I answer, the big statistic that comes from this
is actually based on a report done by LinkedIn around learning and development. And they found
that in 2021, 52% of organizations had a mid-stage maturity upskilling program that they had already
put in place in their organization. And in 2022, and I should preface this by saying
over 80% of organizations were putting something like this in place. In 2022,
that number at mid-maturity had only crept up to about 54%. So there was only a 2% improvement in
maturity from moving to like early stage to mid-stage to then fully mature. I think the
reason for this disconnect ultimately boils down to the difficulty that organizations
have in coming up with an executable strategy around their talent development, especially
in fields that are highly specialized, like cybersecurity, like in tech and IT.
We see this because many of these organizations, you can't upskill if you don't have a clear
understanding and inventory of the roles that you need, the skills that are actually incumbent to
perform those roles, and then compare that against where your people are today. Either the ones you
have in your workforce or the ones that you plan on bringing on board. If you don't have those two
pieces of information, you can't come up with a pathway to provide them opportunities to upskill because they're
sort of like an inherent mismatch. I think that's one of the biggest things that I would hypothesize
is attributing to that stagnation on actually deploying these upskilling programs at scale.
Is there any concern for backfilling? I mean, I'm imagining
in a tight workforce, a tight hiring market where these skills are in short supply,
is there concern in the organization that if I upskill someone and move them up, then
who's going to do what they were doing before? I may just have shifted my problem around.
Yeah, I think a lot of that, the industry is really relying on automation and places to gain efficiencies through technology and other ways that can allow for the knowledge base to shift in some of these roles.
of skill requirements is actually around the digital transformation that's occurring in companies, meaning we're going from traditional security, you know, deployment and operations
into cloud environments. And so in our research, over 41% of organizations we spoke to plan to
increase their investment in the cloud. That's shifting the type of personnel and
skills they require to conduct security in the cloud. It's not replacing another, it's just a
shift in what they have to focus on. A good majority of the rest of the skill sets ultimately
do still boil down to the same old bread and butter that we think about when we think about
security best practices, vulnerability management,
identity and access management, security and defense operations. The organizations that are
finding success here, what do they have in common? Are there any common aspects that you see when
those folks rise to the top? Yeah, I think one of the biggest drivers, and many of them all stem back to culture,
is the organizations that are the most successful really tie a people strategy.
And when I say a people strategy, I not only mean recruiting, but retention,
talent development to their business goals and objectives.
The organizations that have an executive and a leadership team that understand
the correlation between high-performing teams and people to how that can help the business,
I think are more successful because they're inherently baking in not only to the culture,
but also the expectations of the business, that this is something that will help the business
succeed, not just a nice-to-have for individuals to progress in their own career.
I think the kind of secondary component to that that I touched on is around culture.
We are in a state of the world right now where employees do demand to have an opportunity to
progress and develop in their field. And I think organizations that have really doubled down on building a more
people-centric culture are faring better. And then seeing the results, because the metric that many,
if not most organizations use when looking at development ROI is retention, right? How
is our retention rate improving based on things that we're doing? And
that's inclusive of not only here's a pathway for people, but what are opportunities that we have to
use talent in different parts of the organization that ultimately keeps them in our organization,
even if it's not in the same division or specialty area.
In terms of how organizations come at this, how important is it
that they stay focused in terms of the sourcing and how they target what they're after here?
Yeah, that's a really interesting question. In 2022, in the research we conducted,
87% of our respondents reported that they're using two or more vendors' training methods,
including on-the-job and internal methods, to actually upskill their talent.
And I think that's great.
I think that the overall increase in that number is indicative of the degree of importance
that organizations are putting on it. But it also comes with the pitfall
of the tragedy of too many choices without a kind of anchoring strategy or plan to leverage them
in the way that makes that type of upskilling and those development opportunities most effective
to the business, right? Like if the overarching
goal is to tie an upskilling program and talent development to the business goals, and then you're
using three plus different types of solutions to get there, you're potentially at risk of kind of
throwing a lot of individually interesting and great initiatives at the wall, but not necessarily
letting any of them stick.
And then you're incapable of kind of tying them back to that singular strategy.
That's our own Simone Petrella, president at N2K Networks and CEO and founder at CyberVista.
And joining me once again is Deepen Desai.
He is the global CISO and head of security research and operations at Zscaler.
Deepen, it is always great to welcome you back to the show. And I know you and your colleagues recently released a report that was looking at cloud security, or perhaps the opposite of that.
Can you share with us what exactly is it that you all dug into here?
public cloud security categories where we monitor for things like misconfigurations,
vulnerabilities, compromised accounts, supply chain attacks, you know, some of the configurations
used for ransomware defense. And the goal over here is to, you know, call out where are we seeing
opportunities for improving the security posture for the public
cloud environments that we're seeing out there.
So one of the key stats I'll call out is 55% of the organizations that we studied as part
of this data set are leveraging more than a single cloud provider.
So we're living in a world where it's a hybrid cloud approach.
You will have Azure, you will have AWS, you will have GCP, and so on.
And 66% of these organizations have some form of cloud storage buckets.
So they are leveraging these cloud environments for storing data.
And what are you tracking there in terms of trends? What directions
are we headed here? Yeah, so the key findings, as I mentioned earlier, what we did were we classified
them into these five types of threats or risks that we see around public cloud environments.
So I'll start with the misconfiguration, where we saw some of these
numbers are staggering, but this involves any kind of misconfiguration. That's where you need to have
continuous monitoring and mitigation, a solution that allows you to do that, a CNAPP solution.
So we saw 98% of organizations have some form of misconfigurations in their cloud environment that can lead to data leakage or cause any other risk to their infrastructure
because they're inadvertently exposing those workloads,
those assets to the internet.
The second one is vulnerabilities.
So this is where public cloud environment is where you're running workloads.
You are using compute resources.
So we saw 17%, a little over 17% of the organizations had workloads which were vulnerable to some form of known vulnerabilities.
So this is where you have a workload running.
Let's take an example, Log4j.
When the Log4j vulnerability was disclosed, there were tons of workloads that potentially had that library running in it.
And now if that workload is exposed to the internet, the threat actors will rapidly build exploits and search for these kind of assets. And then they will target and exploit vulnerability
and try to take control of these assets.
The third category was compromised accounts.
And this is where we look at configurations
that strengthen your security posture
or make you resilient against any kind of compromised account activity. So
in this case, we saw 97% of organizations were using privileged user access controls without
MFA enforcement. Now, in my opinion, MFA is a must. We're now actually starting to talk about traditional MFA versus what we need to do next, because even MFA is no longer sufficient.
Threat actors are able to evade that in some of the advanced attacks that we're seeing.
But MFA is bare minimum thing you can do.
Just relying on user password and not enforcing MFA is very, very weak security posture. So we saw 84% of organizations gave
IAM power users administrative privileges without MFA enforcement. 43% of the organizations
had instances that were exposed to the internet and have identities with data access.
And then 57% of organizations that were using AWS Lambda services, again, violating least privilege access principle
by assigning overprivileged roles to the users in this environment.
So what I just described is these are some of the weaknesses that threat actors will exploit in order to take over full control of the environment, either by using stolen credentials.
And if there's no MFA, they get in, then they do even more damage.
If there is MFA, it significantly reduces the risk over there.
It certainly is a sobering set of numbers.
I am curious on your sort of analysis of that.
I mean, how do you suppose the people who are posting these numbers, how do they rationalize that?
At this point in the game, how do you rationalize not having more robust MFA, for example?
Yeah, I mean, it's just, you know, many of these organizations will have MFA on their internal IdP side, right?
For corporate employees and stuff, but similar security mechanism. Either they don't have the public cloud environment embedded with a single sign-on,
which is one of the best practices, or they're just missing out on configuring MFA on the public cloud environment side. So it's not that they're not using MFA anywhere. It's just this public
cloud environment, which is probably relatively new
for some of these organizations in their usage.
They're not enforcing best practices.
And also one important point I'll call out over here.
I'm talking about the enforcement piece, right?
So it is possible for someone
to create a privileged user account without MFA.
And if you enable that configuration,
it will enforce the user to always have MFA configured,
without which they will not be allowed to access
any of the resources in public cloud environment.
So we're just focused on the configuration element right now.
Doesn't necessarily mean that all the users didn't configure MFA.
There are a couple more buckets.
I mean, the fourth one is supply chain attacks.
This is where you have a public cloud environment
and you're collaborating with a third party
or you have a third party who is doing admin work
for some of the assets or some of the applications
that are running in the environment.
So think of contractors or third-party integration workers.
Again, over there as well,
we noticed some of the access control pieces were lacking.
And 68% of these organizations have external users
with admin permissions to public cloud environment,
which makes governance a big challenge, right?
And it does increase the risk of supply chain attack
where one of these vendors were to get hit
and the threat actor leverages their access
to target the organization's data set.
So that's the supply chain risk.
And then finally, and this was surprising to me,
and maybe we need to do more knowledge sharing sessions on this. Maybe public cloud vendors need
to do more enlightening sessions around this, because this is around ransomware controls.
And this feature, it's called MFA delete and versioning. You need to enable that. What it essentially does
is when you attempt to delete a file and think of these cloud storage as your backups. So say you
got hit with a ransomware, the ransomware threat actor will go after your backups. If they attempt
to delete the file, if you have this MFA delete and versioning feature enabled,
there will be a version of your file saved, right? Unless they're also able to gain escalated privileges and do additional damage. But Amazon's S3 versioning enables multiple
object variants to be kept in the same bucket. So when that file is actually deleted by the threat actor, you still
are able to recover from that previous version of the file. So we saw 60% of the organizations
did not have this piece enabled for the cloud storage buckets.
Do you suppose that's just ignorance that they didn't know it was available?
Absolutely. There is no other reason why you wouldn't enable that.
My opinion is that's a strong security best practice recommendation
for anyone that's using cloud storage buckets.
Alright. Well, interesting insights and good advice as always.
Deepen Desai, thank you for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com
today to see how a default deny approach can keep your company safe and compliant.
And that's the CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast where I contribute to a regular segment called Security, huh?
I join Jason and Brian on their show
for a lively discussion of the latest security news every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed. The CyberWire podcast is a production
of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
This episode was produced by Liz Irvin and senior producer Jennifer Eiben.
Our mixer is Tré Hester, with original music by Elliott Peltzman.
The show was written by John Petrik.
Our executive editor is Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.