CyberWire Daily - Detecting sandbox emulations. VEC supply chain attacks. Updates from the hybrid war. CISA and NSA offer IAM guidance. Other CISA advisories. Baphomet gets cold feet after all.
Episode Date: March 22, 2023

Malware could detect sandbox emulations. A VEC supply chain attack. A new APT is active in Russian-occupied sections of Ukraine. An alleged Russian patriot claims responsibility for the D.C. Health Link attack. CISA and NSA offer guidance on identity and access management (IAM). Tim Starks from the Washington Post has analysis on the BreachForums takedown. Our guest is Ryan Heidorn from C3 Integrated Solutions with a look at the CMMC compliance timeline. And Baphomet backs out. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/55

Selected reading.
ZenGo uncovers security vulnerabilities in popular Web3 Transaction Simulation solutions: The red pill attack (ZenGo)
Stopping a $36 Million Vendor Fraud Attack (Abnormal Intelligence)
Bad magic: new APT found in the area of Russo-Ukrainian conflict (Securelist)
Unknown actors target orgs in Russia-occupied Ukraine (Register)
New 'Bad Magic' Cyber Threat Disrupt Ukraine's Key Sectors Amid War (The Hacker News)
Partisan suspects turn on the cyber-magic in Ukraine (Cybernews)
Hacker tied to D.C. Health Link breach says attack 'born out of Russian patriotism' (CyberScoop)
CISA and NSA Release Enduring Security Framework Guidance on Identity and Access Management | CISA (Cybersecurity and Infrastructure Security Agency CISA)
ESF Partners, NSA, and CISA Release Identity and Access Management Recommended Best Practi (National Security Agency/Central Security Service)
Identity and Access Management: Recommended Best Practices for Administrators (NSA and CISA)
CISA Releases Updated Cybersecurity Performance Goals (Cybersecurity and Infrastructure Security Agency CISA)
CISA Releases Eight Industrial Control Systems Advisories | CISA (Cybersecurity and Infrastructure Security Agency CISA)
End of BreachForums could take a bite out of cybercrime (Washington Post)
BreachForums says it is closing after suspected law enforcement access to backend (Record)
Transcript
You're listening to the CyberWire Network, powered by N2K.
Malware could detect sandbox emulations. A VEC supply chain attack.
A new APT is active in Russian-occupied sections of Ukraine.
An alleged Russian patriot claims responsibility for the D.C. HealthLink attack.
CISA and NSA offer guidance on identity and access management.
Tim Starks from The Washington Post has analysis on the BreachForums takedown.
Our guest is Ryan Heidorn from C3 Integrated Solutions with a look at the CMMC compliance timeline.
And Baphomet backs down.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Wednesday, March 22nd, 2023.
Transcription by CastingWords.
emulations to evaluate the potential outcome of the intended transaction before executing them, primarily to combat theft and scams. The researchers found that malware could detect that it was operating in a sandbox and then reveal its true malicious nature only when actually executed in a real environment. The researchers dubbed this a red pill attack, since the malware knows it's in a simulated environment. The researchers note that "all vendors were very receptive to our reports and most of them were quick to fix their faulty implementations." Some vendors, including Coinbase, awarded ZenGo with bug bounties.
Abnormal Security describes an attempted vendor email compromise attack
that tried to steal $36 million from a commercial real estate company. The attackers posed as a trusted contact at an insurance firm, sending the phishing emails from a domain that ended in .cam instead of .com. The phishing emails contained phony invoices.
Kaspersky reported yesterday that it had discovered a new advanced persistent threat operating against government, agriculture, and transportation organizations located in the Donetsk, Lugansk, and Crimea regions. The attacks begin with phishing emails whose payload is carried in malicious attached Word files that purport to be government documents. Once the fishhook is set, it installs the PowerMagic backdoor and then the CommonMagic framework. Kaspersky says the campaign is thus far unattributed. The organizations, government and otherwise, that Kaspersky refers to in its report appear to be Russian occupation and separatist organizations, and so the suggestion would be that the APT is acting either for Ukraine or at least against Russian interests, but Kaspersky, a Russian company, carefully avoids either claim. Circumstantially, the campaign's purpose seems to be cyber espionage.
Make of it what you will, but someone using the hacker name Denfer has claimed, according to CyberScoop, that he is a Russian patriot who breached DC HealthLink and obtained the personal data of many of the system's users, including members of the U.S. Congress. It was, Denfer said, an idea born out of Russian patriotism, presumably because of the congressional and other government worker data the compromise of DC HealthLink would reveal. The potential for harassment, embarrassment, or simple violation of privacy is obvious. The self-proclaimed attacker said he breached the health care service by simple Google dorking, the persistent and clever searching for information that ought to be secured but isn't. When asked by CyberScoop to provide proof of Russian nationality, Denfer told the publication they'd simply have to take his word for it. CyberScoop is properly reticent in its story, and Denfer's claims should be at best regarded as not proven.
CISA and NSA have released, as part of their Enduring Security Framework, the Identity and Access Management Recommended Best Practices Guide for Administrators. The ESF's IAM best practices are organized into five categories: Identity Governance, Environmental Hardening, Identity Federation and Single Sign-On, Multi-Factor Authentication, and IAM Monitoring and Auditing. Each class of best practice is accompanied by an explanation of what it is, why it matters, and how it's implemented, with notes on the threat landscape interspersed in the discussion. An appendix to the document contains a checklist of actions organizations can take now. If you'd like a brief primer on identity and access management, check out our most recent episode of Word Notes, where we discuss exactly that.
CISA has published an update to its cybersecurity performance goals. These are cross-cutting goals intended to be applicable across all critical infrastructure sectors. CISA says the CPGs are voluntary practices that businesses and critical infrastructure owners can take to protect themselves against cyber threats. The CPGs have been reorganized, reordered, and renumbered to closely align with the NIST CSF functions (identify, protect, detect, respond, and recover) to help organizations more easily use the CPGs to prioritize investments as part of a broader cybersecurity program built around the CSF.
CISA has been busy with other matters as well. Yesterday, the agency released eight industrial control system advisories. They affect Keysight, Delta Electronics, Siemens, VISAM, Rockwell Automation, and Hitachi Energy products. Operators should review the alerts and apply updates in accordance with the vendors' instructions.
And finally, hey everybody, remember how yesterday we asked, speaking of Baphomet, the guy who said he would be taking over as proprietor of a revived BreachForums, whom can you trust if you can't trust someone with a demonological hacker name? Boy, were we ever wrong. Turns out, the Record reports, that Baphomet has changed his mind about bringing back BreachForums. His Infernal Majesty posted yesterday, "This will be my final update on Breach as I've decided to shut it down. I'm aware this news will not please anyone, but it's the only safe decision now that I've confirmed that the glowies likely have access to Pom's machine." He added, "Any servers we use are never shared with anyone else, so someone would have to know the credentials to that server to be able to log in. I now feel like I'm put into a position where nothing can be assumed safe, whether it's our configs, source code, or information about our users, the list is endless. This means I can't confirm the forum is safe, which has been a major goal from the start of this show." There will also be some uncertainty in criminal circles as to whether the FBI has the goods on more people than just Pompompurin. Allegedly, we say, of course, since Pompompurin is entitled to the legal presumption of innocence. But with respect to Mr. Baphomet and the whole underworld of cybercrime, we still say, good hunting, FBI. Mr. Baphomet, may the feds be with you.
Coming up after the break, Tim Starks from the Washington Post has analysis on the BreachForums takedown.
Our guest is Ryan Heidorn from C3 Integrated Solutions with a look at the CMMC compliance
timeline.
Stay with us.
CMMC stands for the Cybersecurity Maturity Model Certification.
It's a program that was announced in 2019 by the U.S. Department of Defense,
and it's aimed at combating the theft of intellectual property from organizations that are on a DOD supply chain.
For insights on what CMMC means for government contractors,
I checked in with compliance expert Ryan Heidorn from C3 Integrated Solutions.
Yeah, this program actually goes back well over a decade in different forms.
So the DOD has been trying to combat the threat of
nation-state adversaries stealing sensitive intellectual property on everything from
fighter jets to nuclear submarines from companies that are in the defense industrial base or DIB.
And the vast majority of those companies are actually small businesses. So if you think
small manufacturers, tech companies, R&D, and these
companies really face the same challenges around cybersecurity as a small business in any other
industry. What's important to note is that CMMC is likely to impact any company with a DoD contract,
and there's an estimated 300,000 plus companies playing various roles on these supply chains. So obviously that's a wide impact and CMMC certification will be required to win or participate on new DoD contracts with a phased rollout expected to extend into 2025. So it's an important program to pay attention to.
It could represent an existential threat for organizations that are relying on DoD business as
a revenue source. Yeah, I'm curious for that aspect of it. I mean, to what degree, I guess,
can you give us a notion of the spectrum to which this is a burden for various organizations?
Sure. So CMMC has three different maturity levels, levels one, two, and three, and they each have a set of security requirements. But most of the industry is pretty focused on level two, which is the level that's required for organizations that are handling this type of sensitive data called controlled unclassified information or CUI. That's the type of information that the DoD is looking to protect on companies' private networks with CMMC. And really, in level two, you're looking at 110 different security requirements. And of those 110, there's an underlying 320 assessment objectives.
So what that means is there's 320 different things that an assessor needs to check or validate for an organization to
pass that level two assessment. And these are going to range from things that are fairly simple,
like perform background checks on your employees, all the way to very complex and nuanced
requirements like only use certain forms of validated cryptography to protect this controlled
unclassified information.
So it's really quite an undertaking.
And what's the word on the street here from the folks who are on their way to getting this done?
What are their thoughts on having to do this?
Well, it's really important to note that while CMMC is new as a program,
these underlying requirements are not new at all.
So defense contractors have actually been required to implement these security requirements,
which come from a NIST publication called NIST 800-171 since the end of 2017.
However, the reason we have CMMC right now is because repeated reports from industry and the DOD inspector general have shown that companies have really overwhelmingly failed to implement these requirements.
So CMMC is really an enforcement mechanism for the requirements, and it's going to require some organizations to undergo a third-party assessment and certification before they can participate in new DOD contracts.
So where do we stand now in terms of the timeline and organizations being able to meet it?
Yeah, well, CMMC rulemaking is expected to hit what's called the Federal Register in the May
2023 timeframe. And there's a lot of uncertainty still on whether we're going to
get CMMC as what's called an interim final rule or a proposed rule. That distinction is probably
too nuanced to unpack on today's show. But really, suffice to say that the rollout timeline will be
slightly extended if we get a proposed rule rather than an interim final. So there's a lot
of conversation around that right now. But my number one piece of advice to companies in the defense industrial base is
you don't need to wait to see what's changing in CMMC because it's highly, highly unlikely that
we're going to see any changes to the underlying security requirements. So we already know what's
going to be on the test. It could easily take you a year or more to be ready for an assessment. So organizations that are in kind of a kick-the-can mindset might already be out of time.
Well, I mean, let's dig into that. What is your advice for organizations't prepare overnight, right? So in CMMC, there's a mix of technical and non-technical controls that, in my experience, could take, you know, 8, 12, 18 months, even for a small organization to implement and to adequately prepare for that assessment.
When you really dig into the security requirements, some of them are just very basic security hygiene. I mean, things that any organization should be doing to all the way,
like I said, to some more complex undertakings. I think a useful strategy for preparing for CMMC
is to really step back and understand what is the scope of IT systems, business processes that this is going to apply to.
There's a huge difference
in whether you're applying these requirements
to the entire organization
versus a relatively narrow scope
for where this controlled, unclassified information
is being handled.
That's Ryan Heidorn from C3 Integrated Solutions.
It is always my pleasure to welcome back to the show Tim Starks. He is the author of the Cybersecurity 202 at the Washington Post.
Tim, welcome back.
Hi, Dave.
So today you write about the end of BreachForums and how that might affect the cybercrime ecosystem.
Can we start off with just some descriptive stuff here for folks who may not be keeping up to date here?
What's the background we need to know about BreachForums?
Yeah, I would say it's arguably, if not definitively, the most popular forum that had been going for hackers to essentially trade in stolen information among
other kinds of cybercrime. It had taken over for a similar forum called Raid Forums last year.
And yeah, this has been a big, big part of the cybercrime ecosystem during that time and has been quite popular and infamous.
The thing it was in the headlines most recently for was that someone claimed to have posted the data from the D.C. HealthLink breach there.
That was the one that ended up getting, I think, 17 members of Congress, their information compromised.
So that does give you a sense of what kind of thing happens there.
And so we had some movement from the FBI this week.
There was an arrest.
Yes, they arrested a 19-year-old fellow in New York City who they say claimed to be, or admitted to being, the administrator. And that was Friday, I believe.
And so, yeah, that was the last thing that happened. Well, that was the thing that triggered
a series of events since. And those events are?
Well, so a new administrator popped up and claimed they were taking over the forum
and said that they had seen no information,
no suggestion that the user's information had been compromised.
Meaning, it's kind of a turnabout here in the sense that
these are usually where people are talking about other people's compromised information.
This was the users who this person, I don't know the person's gender, had said, I'm worried about protecting you, that is, the BreachForums users' data and information. And that was on Friday.
And then as of yesterday, Tuesday,
changed their minds.
Said, actually, we're not sure anything is safe anymore here.
Raising questions about whether the previous administrator had given information to the FBI
or perhaps the FBI had obtained information
about how to get into the system
and learn things about the users of BreachForums.
So that is the end of BreachForums as we know it.
And so I suppose this plays out in a way that the FBI probably hoped that it would, ultimately
the closure of this forum here, right?
I have to imagine that they're pleased with it.
They had seized the previous forum
that I mentioned, Raid Forums.
They'd seized that website entirely.
This is something that I think everybody agrees,
well, except for cyber criminals, anyway,
is a good thing that this has happened.
You know, at minimum, that site is gone,
but there might be other gains that
they make from this. The question then becomes, how long does this last? How long of a reprieve
do we have from English-language folk who traffic in this kind of information? How much of a reprieve
will we really have, and how long will there be before there's a successor to BreachForums?
So the person that the FBI arrested who is alleged
to have been running BreachForums, his name is Connor Brian Fitzpatrick. As you mentioned,
he was arrested in New York. Were folks surprised that this was being operated out of the U.S.?
Not to my knowledge. I guess I think that folks think of these sorts of forums as generally happening overseas, being Russian operations where they can do so without worry of being tracked down by the FBI.
So that particular detail certainly caught my eye.
I think it's notable, but I think that there are different forums.
This was, I guess, the predominant English language forum.
So it kind of makes sense in that context that it might be U.S.
Other forums might be in other languages.
Russia has had its own kind of forums before and probably still does.
So in this case, not surprising given the language that was being used in the forum.
Do you suppose that we might have sort of an accelerated game of whack-a-mole
that's happening here?
I mean, BreachForums was around
for a shorter amount of time than Raid Forums was.
Maybe it's too soon to say
if the FBI is accelerating going after these sorts of things,
but it seems like it.
Oh, yeah.
I think there's a much more concerted effort
to be disrupting cyber criminals
and anybody who's doing bad stuff in cyberspace.
The idea is really outlined quite explicitly
in the national cybersecurity strategy
that just got released a couple weeks back.
And it's something that they've been signaling over time.
I remember speaking to Adam Hickey a couple weeks ago.
He was the former high top-level DOJ official
who worked on cyber cases.
He told me that one of the biggest differences at Justice
from the time he started to the time he left,
I think he was there starting at least in 2008,
if I recall correctly.
At any rate, that was one of the first changes he mentioned,
that this is something where we're really trying to go after these criminals
more directly and disrupt their operations.
I think to answer your second question, or second part of your question
about the whack-a-mole, yeah, I think that that's always kind of the game.
Cops and robbers, cat and mouse, there's always this constant crime happens, FBI responds,
law enforcement responds, criminals collect themselves, try to come up with a different,
better way to do things. In the case of the administrator of BreachForums, the one who
recently said they were taking over, they're talking about moving to Telegram. So whether
the criminals follow that person or not, there will be a period where
there will be a rest, recovery, recoup, and try to regroup and do it better or in a way that's
safer, more long-lasting. Whether that is something that's successful, I think eventually
it will be. But whether we get into a situation where we keep having these companies pop up, not these companies, these forums pop up and then get beaten back down, I think that's a possibility that we're going to see more happen more often.
Yeah, as the law enforcement continues to turn up the heat.
Yeah.
All right.
Well, Tim Starks is the author of the Cybersecurity 202 at The Washington Post.
Tim, always a pleasure.
Thanks for joining us.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The CyberWire podcast is a production of N2K Networks,
proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
This episode was produced by Liz Ervin and senior producer Jennifer Iben.
Our mixer is Trey Hester with original music by Elliot Peltzman.
The show was written by John Petrick.
Our executive editor is Peter Kilby, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.