CyberWire Daily - Disinformation and its often overlooked potential for denial-of-services.
Episode Date: October 20, 2023
Hacktivism and influence operations in the Hamas-Israel war. An OilRig cyberespionage campaign prospects a Middle Eastern government. Emailed bomb threats in the Baltic. Darkweb advertising yields insight into ExelaStealer malware. Casio discloses breach of customer data. The FCC proposes a return to net neutrality, while the Consumer Financial Protection Bureau proposes data-handling rules under Dodd-Frank. Deepen Desai from ZScaler shares insights on MOVEit Transfer vulnerabilities. Our own Simone Petrella speaks with Google’s Tatyana Bolton about the challenges of bridging the cyber talent gap. And RagnarLocker has been taken down by international law enforcement. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/201
Selected reading.
Intel, defense officials tell senators that Israel did not strike hospital (The Hill)
Early U.S. and Israeli Intelligence Says Palestinian Group Caused Hospital Blast.
Cyberattacks linked to Israel-Hamas war are soaring (Fast Company)
NSO, Israeli cyber firms help track missing Israelis and hostages (Haaretz)
Lithuanian interior minister says emailed bomb threats are coordinated regional cyber-attack (Baltic Times)
Another InfoStealer Enters the Field, ExelaStealer (Fortinet Blog)
Q3 Report: Email Threat Trends Latest edition: PDF Popularity, Callback Phishing and Redline Malware (VIPRE)
Casio Issues Apology and Notice Concerning Personal Information Leak Due to Unauthorized Access to Server | CASIO (CASIO Official Website)
Human Error: Casio ClassPad Data Breach Impacting 148 Countries (Hackread)
Casio data breach 2023 caused worldwide panic (Dataconomy)
Casio discloses data breach impacting customers in 149 countries (BleepingComputer)
FCC Revives ‘Net Neutrality,’ Proposes New Regulations for Internet Service (Wall Street Journal)
FCC begins second quest for net neutrality (TechCrunch)
CFPB Proposes Rule to Jumpstart Competition and Accelerate Shift to Open Banking (Consumer Financial Protection Bureau)
RagnarLocker ransomware dark web site seized in international sting (TechCrunch)
Ragnar Locker ransomware site taken down by FBI, Europol (Record)
One of the most destructive ransomware gangs is being taken down by law enforcement (Axios)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout.
That's joindeleteme.com/n2k, code N2K.
Hacktivism and influence operations in the Hamas-Israel war.
An OilRig cyber espionage campaign prospects a Middle Eastern government.
Emailed bomb threats in the Baltic.
Dark web advertising yields insight into ExelaStealer malware.
Casio discloses a breach of customer data.
The FCC proposes a return to net neutrality,
while the Consumer Financial Protection Bureau proposes data handling rules under Dodd-Frank.
Deepen Desai from Zscaler shares insights on MOVEit Transfer vulnerabilities.
Our own Simone Petrella speaks with Google's Tatyana Bolton
about the challenges of bridging the cyber talent gap.
And RagnarLocker has been taken down by international law enforcement.
I'm Dave Bittner with your Cyber Wire Intel briefing for Friday, October 20th, 2023. Cyber operations in the Hamas-Israel war continue to be characterized by a high volume of opportunistic, nuisance-level hacktivism.
Influence operations contend over responsibility for the blast at Al-Ahli Hospital in Gaza.
The U.S. intelligence community has concluded tentatively that the explosion seems to have been an accident caused by a malfunctioning rocket fired from Gaza toward Israel by Islamic Jihad.
That was the Israeli position shortly after the incident. airstrike, however, continue to be generally accepted and circulated in Islamist and wider
Arab circles, where they've driven widespread protests this week. Most of the hacktivism in
the conflict has been conducted in the interest of Hamas. Israeli operations by private sector
actors seem to have concentrated on collection and analysis, particularly with respect to identifying and locating hostages taken in the initial Hamas attacks. Haaretz reports that NSO,
Rayzone, and AnyVision have been especially involved in this effort.
Iran's OilRig threat group, also known as APT34 and by Symantec as Crambus,
conducted an eight-month intrusion campaign against a Middle Eastern government.
The threat hunter team at Symantec reported yesterday that Crambus stole files and passwords
and in one case installed a PowerShell backdoor dubbed PowerExchange
that was used to monitor incoming mails sent from an Exchange server
in order to execute commands sent by the attackers in the form of emails
and surreptitiously forwarded results to the attackers.
Which government was targeted, Symantec doesn't say,
but the researchers do note that the Crambus target list has historically included
Saudi Arabia, Israel, the United Arab Emirates,
Iraq, Jordan, Lebanon, Kuwait, Qatar, Albania, the United States, and Turkey.
The Baltic Times reports that waves of emailed bomb threats have been arriving in the region.
They appear to represent a coordinated campaign run by Russian operators. Lithuanian Police Commissioner General Renatas Požela said,
it has been established that the senders of the emails are actively participating in Telegram
channels created by Russian-speaking pro-Russian groups and instigating the spreading of emails
threatening to blow up educational establishments. The campaign began last Friday with 900 bomb threats
against Lithuanian kindergartens and schools,
and it continued over the weekend with some 1,500 threats
against educational establishments, municipal buildings,
and other public locations.
The threats were empty. No bombs were found.
Lithuania's Interior Minister Agnė Bilotaitė called it a regional attack,
since Estonia, Latvia, and Poland had all been affected.
She said at a news conference,
This is an attempt to create a certain panic, to destabilize the situation in a sense,
and to burden institutions, especially law enforcement, with an additional load.
We're all familiar with distributed denial of service, when a website or service is choked with traffic. The bomb threats
aren't DDoS in this sense, but consider them a denial of service, with an S, services in the
plural, campaign. When investigators and first responders are chasing false alarms, they're not able to handle real threats.
And kids aren't learning if their school day is one long fire drill.
Fortinet is tracking a new commodity info stealer called ExelaStealer that emerged on underground markets in August 2023.
Fortinet says, ExelaStealer is a largely open-source info stealer with paid customizations available from the threat actor. It is written in Python, although it pulls resources
from other languages like JavaScript where needed. It can steal sensitive information from a Windows-based
host. Criminal customers in the C2C market can pay a monthly subscription of $20 to use
ExelaStealer, or they can spend a one-time fee of $120 for lifetime use.
VIPRE Security Group's third quarter 2023 email threat report has found that threat actors are
increasingly hiding malicious links in Google Drive and other cloud storage services.
VIPRE states,
Google Drive is a convenient centralized location for hiding malware and a great watering hole for unsuspecting users.
Cyber criminals can stuff docs full of malicious links and click-to-download malware
that otherwise wouldn't make it through traditional email protection solutions. PDFs and QR codes are showing up a lot in malicious spam. VIPRE says,
PDFs as a malspam delivery tool have more than quadrupled since the first quarter of this year.
Notably, the researchers state that QR code-based phishing emails accounted for a full 10% of the total phishing emails they received this quarter.
Japanese electronics company Casio has disclosed a data breach of personal information belonging to customers in 149 countries.
The breach affected ClassPad, Casio's education web application, and involved nearly 92,000 items belonging to customers,
including individuals and just over 1,100 educational institution customers.
The exposed data included customer names, email addresses, purchasing information,
and service usage information. The company notes that it doesn't retain credit card data.
This week has seen a couple of regulatory developments. The U.S. Federal Communications Commission is moving toward a return to net neutrality. The Wall Street Journal characterizes
the proposed regulation as treating Internet service providers like utilities. The regulations
would prevent carriers, for example, from giving
favorable treatment to some content providers. Yesterday, the U.S. Consumer Financial Protection
Bureau proposed a rule that would affect how financial institutions handle their customers'
data. The CFPB is an independent agency responsible to the Federal Reserve. The personal financial data
rights rule would give consumers more control over the data they share with institutions,
and it would impose certain restrictions on how those institutions handle the data.
It would, in particular, prevent firms from misusing or wrongfully monetizing the sensitive
personal financial data. The authority for the proposed rule is
Section 1033 of Dodd-Frank. The rule is open for comment until December 29th.
And finally, there's been a notable law enforcement success. The Ragnar Locker ransomware
operation's negotiation and data leak sites were seized yesterday by an international group of law
enforcement agencies, BleepingComputer reports. A spokesperson for Europol told TechCrunch that
the agencies will officially announce the takedown later today based on the takedown notice posted to
the seized websites. The operation involved law enforcement entities from the U.S., Germany, France, Italy, Japan, Spain, the Netherlands, the Czech Republic, and Latvia.
BleepingComputer notes that Ragnar Locker wasn't part of a ransomware-as-a-service operation,
but was a private gang that would recruit outside help to breach networks.
So, bravo to all the agencies involved in the takedown. It probably represents a knockdown and not a knockout for Ragnar Locker, but nonetheless, well done. And three cheers for international law enforcement cooperation.
Coming up after the break, Deepen Desai from Zscaler shares insights on MOVEit Transfer vulnerabilities. Our own Simone Petrella speaks with Google's Tatyana Bolton about the challenges of bridging the cyber talent gap.
Stick around.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from BlackCloak. Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home? BlackCloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover they've already
been breached. Protect your executives and their families 24/7, 365 with BlackCloak.
Learn more at blackcloak.io.
Tatyana Bolton is Security Policy Manager at Google and a Senior Advisor on the U.S. Cyberspace Solarium Commission.
Our own N2K President Simone Petrella spoke with Tatyana Bolton
about the challenges of bridging the cyber talent gap.
When you talk about all these amazing initiatives that are happening across the industry, including what Google's doing to increase the pipeline and not only the pipeline
of cyber talent, but even more diverse cyber talent, it always strikes me that it's not
possible to think about that pipeline unless you create room within organizations to allow for
those new candidates to actually come into entry-level
positions and kind of upskill or give a path for those who are there in the companies already.
And I'm curious if there's anything, even just anecdotally, you can share about how
Google thinks about talent in a retention sense. Because if you don't have a way to retain and
pathway people, it's hard to kind of create a world where we can
take that entry-level talent and actually grow them into the roles. Yeah, well, so Google does
a lot. It helps us significantly with growing our expertise. We've got great support to get
training and upskill, try new positions at Google. So those are all, I think, best practices
that Google currently uses.
But I think just generally,
we need to make sure that we are thinking about,
like you're talking about the issue
of people coming in the door
and like some of the requirements.
I think there's a number of things we could do there, right?
We've got bachelor's degree requirements,
CISSP requirements, five
years of experience for entry-level positions. That's just silly. And I think we've been talking
about this for a long time, but it is inherent on the people who are doing the hiring to take
that in and really do strategic assessments of their hiring documents and the position descriptions to determine whether a CISSP
is actually needed for an entry-level position, or if you could actually do better for your
organization as a whole by bringing in more entry-level talent, helping them, mentoring
them.
Obviously, that's a really critical component.
You can't bring on entry-level talent and not help them along, not do the training,
because that presents a number of
issues. But if you're committed to the mentorship and the training piece, if you bring in the
entry-level talent, you can really help a person grow their career and it allows them to grow,
develop as a professional with room for growth, right? So you don't always, I think in DC,
you see this a lot in the federal government, everybody's like a 13, 14, they're senior level policy people, right?
They're senior level technical people. There's very, there's almost very little room at the,
at the beginning. I think we need to address the structural underlying issues, such as those
position descriptions, the fact that managers are eager to get experienced talent.
So we need to address those types of things to make sure that it's easy or easier for organizations to hire that entry-level person, professional, right?
And make sure the requirements are reasonable.
And then to your point on retention, yeah, absolutely.
I think culture plays a big role in this too.
You've got to have a good culture in order to retain your talent.
You need to give people room for growth.
You have to allow them training.
That helps not only the person,
the professional also helps your organization.
And so I think there's, you know,
with some of those things built in,
you can do a lot of work.
Obviously, CISA has focused on the pay piece,
which is great.
I think it's addressed some of those problems by putting in cyber pay at CISA, making it more enticing to work there.
Obviously, they're competing against large name brands and organizations.
Like Google.
It is amazing to work here.
So, you know, what can I say?
But, you know, NSA also has a great recruitment and retention program, right?
NSA has almost a best in class within the federal government.
They, you know, they allow rotations.
They encourage training, trying new things.
They hire at the entry level.
They grow their talent.
So it is possible, right?
And so, and I think, I think there's pockets of this
excellence across the world. And I think we should take some of those best practices and put them
to work across the ecosystem because CISA has cyber pay, but have they really implemented the
rotational part of what makes NSA hiring so great and retention so great? No. And so I think we need
to, we still have work, we still have work to do and room to grow that. But nothing, you know,
Rome wasn't built in a day. I just hate myself for having said that cliche out loud.
I'll put it on my bingo card. But it's, you know, your point on job descriptions is so salient
because, you know, not to sound overly crass, but the amount of times I've worked with organizations on their job descriptions and frankly, they suck.
And it's because people are busy.
Hiring manager is busy.
We take one off the shelf and we kind of repurpose it.
At the end of the day, even though it might take extra effort to get them right, what I hear you saying and what I kind of see myself is you have to know where you want to go with those roles before you can create a path or an opening for someone to get into them.
Right. I think this speaks to the need to develop a workforce strategy within your organization. If you're an organization that's struggling to get cyber talent, which many of them are, you need to think about it strategically. You need to
sit down and it should be an executive level exercise. This is, I think, one of the areas
where it goes wrong. There's not executive level review and investment into the cyber workforce.
And that is the level at which this needs to be done. With that, you can
do an assessment. Are these the right people? Where are we going in five years? Where do we
want to be in 10 years? And what does that workforce look like that gets us there? Because
it's not necessarily the workforce you have today. And, you know, obviously technology changes,
the, you know, the times change. A pandemic happens. Who predicted that one?
So obviously, and it's a hard task for companies.
I'm not going to lie.
It's not, you have to almost look into a crystal ball and do some data analysis.
CyberSeek.org, plug for them.
Amazing work.
They have great data points broken out by sector, broken out by
levels of hiring. So definitely a place to look as a resource as you're trying to do some of this
review and analysis for your organizations. Also one point, because I mentioned emerging
technologies, AI, I think also is definitely a place that will have an impact on the cyber workforce, as it will, I think, on most of the workforce.
At Google, obviously, we've been working on and developing AI technologies for more than a decade already.
But I think now there's a really big focus on it, and we are moving ahead boldly but responsibly.
But we see opportunities in the workforce space, right?
For example, how AI can be used in a safe manner. We actually just put out the AI Safe Principles,
SAIF, so you can take a look at those. But they talk about how you can actually use the AI
to secure your networks and how it can help the defender, right? What defender doesn't have issues
identifying, prioritizing, and addressing the insane number of vulnerabilities that exist and
applying patches in a prioritized manner, right? What if we could figure out a way how AI can help
that, right? So there's some of this toil that a lot of people experience and leads to burnout in the industry that we can also think creatively about how we can apply AI to help that.
So, you know, I think there's a lot of opportunity.
And I think we're already looking at how to apply these things.
So there's stuff out there.
At DEF CON, for example, we just did an AI red team, right?
And so we're looking at like, not just talking about the, you know, the defense of the past,
but what it looks like in the future, training those professionals to think about AI, making
sure they're engaged, making sure they're aware of the technology, how to work with
it, how to address and then utilize the technology to best effect.
And, you know, obviously, from my perspective, to defend our networks and systems.
That's Tatyana Bolton, Security Policy Manager at Google, speaking with N2K President Simone Petrella. There's a lot more to this conversation. If you want to hear more, head on over to the
CyberWire Pro and sign up for interview selects, where you'll get access to this and many more
extended interviews.
And it is always my pleasure to welcome back to the show Deepen Desai.
He is the Global CISO and Head of Security Research and Operations at Zscaler.
Deepen, it's great to welcome you back.
It seems as though day after day we hear about more and more organizations who have been hit by this MOVEit file transfer vulnerability.
And I know this is something you and your colleagues have had your eye on.
What sort of things can you share with us
about the research you all have been doing?
Thank you, Dave.
So the vulnerability that we're talking about over here
is impacting the MOVEit Transfer application.
And the specific one that has caused a lot of damage
is the SQL injection vulnerability
that results in the threat actor being able to execute
additional commands and steal sensitive information.
This vulnerability, upon successful exploitation,
could allow an unauthenticated user or an attacker
to gain access to the MOVEit Transfer database.
So this is where they are able to infer information
about the internals of the database,
alter or delete the elements,
or even steal information that resides in the database.
The type of databases is where
you guys will see the breadth of coverage
across various organizations.
So the type of databases include MySQL,
Microsoft SQL Server, Azure SQL.
And this is where the vulnerability actually allows adversaries
to implant a remote web shell in the victim environment
with access to these databases.
Yeah, I mean, it really seems like at the moment,
this vulnerability is kind of the poster child
for a third-party vulnerability.
So many organizations are finding themselves
being hit here.
Yeah, I mean, this software is heavily used
in several industry verticals,
starting with healthcare.
There are several IT departments,
even in case of financial services, government.
Various global organizations were found to be using it.
Now, the maximum damage that we have seen over here
is where the application was exposed to the internet.
And this is where we saw one of the notorious ransomware gang,
Clop Ransomware Group.
And this actually goes back to one of the trends
that we're noticing, encryption-less ransomware attack.
In this case, the Clop Ransomware gang
just basically targeted any vulnerable systems
with this vulnerability,
installed that web shell, and exfiltrated a large volume of data
from several global organizations.
And then they're demanding ransom from these organizations
with the threat of making that data public if they don't pay the ransom.
But nothing other than exploiting a vulnerable internet exposed server
and then exfiltrating data.
No payload trans.
Well, there was a web shell planted, but no user being targeted,
no asset, no persistence being established in the victim environment,
no recon done.
It's just targeting this high-profile application that is vulnerable.
What are the lessons learned here?
I mean, it's easy to look back and kind of armchair quarterback what's going on here.
But what are the takeaways?
Organizations trusted MOVEit as a provider, but this could happen to anybody.
Yeah, this could happen to anybody.
And the closest one that I would relate this to
is Log4j, right?
That's where, and it's not more so about the vendor,
but the type of issue getting discovered
and the amount of usage,
both internal and external,
of this specific application
or the module that's actually vulnerable.
That's what the common trend between those two things are.
Now, lessons learned over here,
you really need to reduce your external attack surface.
That's number one thing.
And that's something that I was speaking about
back when Log4j happened as well.
Number one is if the attacker is not able to do a recon
and target those applications,
you're automatically protected at a stage one.
It still doesn't mean that you don't have to patch it.
You absolutely must prioritize patching these type of vulnerabilities
that target any of your critical applications.
Any application where tier one data,
tier one definition in my opinion is
your employee data, your customer data,
your code base, any sensitive information
that can cause significant brand reputation harm.
You need to prioritize patching.
So that's stage two.
Stage one, reduce your attack surface.
Stage two, prioritize patching. Even if that application is internal, you need to prioritize patching
those applications because what we're seeing in this threat landscape is the multi-stage attacks
where if one of your users falls for an attack, they will use that machine to discover these
type of applications that are vulnerable, even if it's internal.
So that will reduce your blast radius to only your employees that may make a mistake,
but you're still vulnerable to these type of vulnerabilities. And especially when
something like MOVEit or Log4j happens, these threat actors, the first quick thing they will
do is anything that is exposed
to the internet, they will target that. The next thing you will see is they will start weaponizing
payloads that then gets planted on those end user machines. And that's where they will then move
around in the environment, discovering these vulnerable applications and stealing information
in that manner. Yeah, I mean, it really is a cautionary tale here, but I suppose it's good that there are
lessons to be learned here.
Absolutely.
Yeah.
All right.
Well, Deepen Desai is Global CISO and Head of Security Research and Operations at Zscaler.
Deepen, thank you so much for taking the time for us today.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing
sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com
today to see how a default-deny approach
can keep your company safe and compliant.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday
and my conversation with Sysdig's Alessandro Brucato and Michael Clark
discussing their research, AWS's Hidden Threat:
AmberSquid Cloud-Native Cryptojacking Operation.
That's Research Saturday.
Check it out.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure
we're delivering the information and insights
that help keep you a step ahead
in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like the
Cyber Wire are part of the daily intelligence routine of many of the most influential leaders
and operators in the public and private sector, as well as the critical security teams supporting
the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment,
your people. We make you smarter about your team while making your team smarter. Learn more at
n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is
Tré Hester with original music by Elliott Peltzman. The show was written by our editorial staff.
Our executive editor is
Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.