CyberWire Daily - Dispatches from a hybrid war. CISA releases its election cybersecurity toolkit. Post-incident disruption at NHS is expected to last at least three weeks. Cisco discloses a security incident.
Episode Date: August 11, 2022

KillMilk says his crew downed Lockheed Martin's website. Industroyer2, and what became of it. CISA releases its election cybersecurity toolkit. Post-incident disruption at Britain's NHS. Carl Wright of AttackIQ shares strategies for CISOs to successfully prepare for the next attack. Dr. Christopher Pierson from BlackCloak joins us from Black Hat. And Cisco seems to have thwarted a security incident.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/154

Selected reading.
Russian hacking group claims attack on Lockheed Martin (SiliconANGLE)
HIMARS-Maker Lockheed Martin "confident" against Russian hackers (Newsweek)
Industroyer2: How Ukraine avoided another blackout attack (SearchSecurity)
Researchers Look Inside Russian Malware Targeting Ukrainian Power Grid (PCMAG)
CISA Releases Toolkit of Free Cybersecurity Resources for Election Community (CISA)
Cybersecurity Toolkit to Protect Elections (CISA)
NHS staff told to plan for three weeks of disruption following cyberattack (Computing)
Major NHS IT outage to last for three weeks (The Independent)
Exclusive: NHS chiefs fear cyber attackers have accessed patient data (Health Service Journal)
Cisco Event Response: Corporate Network Security Incident (Cisco)
Cisco Talos shares insights related to recent cyber attack on Cisco (Cisco Talos)
Cisco confirms May attack by Yanluowang ransomware group (The Record by Recorded Future)
Cisco Hit by Cyberattack From Hacker Linked to Lapsus$ Gang (Bloomberg)
Cisco's own network compromised by gang with Lapsus$ links (Register)
Cisco hacked by Yanluowang ransomware gang, 2.8GB allegedly stolen (BleepingComputer)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
KillMilk says his crew downed Lockheed Martin's website. Industroyer2, and what became of it.
CISA releases its election cybersecurity toolkit. Post-incident disruption at Britain's NHS.
Carl Wright from AttackIQ shares strategies for CISOs to successfully prepare for that next attack.
Dr. Christopher Pierson from BlackCloak joins us from Black Hat.
And Cisco seems to have thwarted a security incident.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, August 11th, 2022.
Killnet's founder, who goes by the hacker name KillMilk, says his group took down Lockheed Martin's website, but the site looked fine to us early this morning. Mr. Milk also says they've obtained personal information on Lockheed Martin employees, which they may dump at some time of their choosing, but so far there are no signs of such data having been published, according to reports from SiliconANGLE and Flashpoint researchers.
Lockheed Martin told Newsweek that it's aware of the threat, but said, "We remain confident in the integrity of our robust, multi-layered information systems and data security."
A presentation ESET researchers delivered at Black Hat yesterday outlined what they saw of Russia's deployment of Industroyer2 against Ukraine during the present war. TechTarget quotes ESET's Robert Lipovsky as saying, "Our analysis found that threat was bigger than expected. It was a new version of Industroyer, something which we hadn't seen in the last five years." Hard coding in the malware suggested to researchers that it had been prepared well in advance of its use, and thus was no wartime improvisation. Industroyer2 was specifically designed to disable circuit breaker protections. The upgraded attack could have left about 2 million Ukrainians without electrical power, had it been successfully deployed, but as it was, the attempt was blocked. Lipovsky said, "The attack was thwarted thanks to prompt response by the defenders at the targeted energy company and the work of CERT-UA and our assistance."
His colleague Anton Cherepanov told the conference that the attack was coordinated with a wiper attack using CaddyWiper, intended to make recovery and remediation more difficult. Cherepanov also said that while the threat was real, it shouldn't be exaggerated either. He remarked, "The threat shouldn't be hyped, but also should not be downplayed or underestimated. These threats are serious, but they can be thwarted by proper security measures." ESET noted that a number of private companies, not just ESET, have rendered valuable assistance to Ukraine during Russia's hybrid war.
The U.S. Cybersecurity and Infrastructure Security Agency yesterday released Protecting U.S. Elections, a CISA cybersecurity toolkit. Intended as a one-stop catalog of free services and tools available for state and local election officials to improve the cybersecurity and resilience of their infrastructure, the toolkit was developed in conjunction with private and public organizations working through CISA's Joint Cyber Defense Collaborative. CISA explains that Protecting U.S. Elections is designed to enable election officials to assess their risk using an election security risk profile tool developed by CISA and the U.S. Election Assistance Commission, find tools related to protecting voter information, websites, email systems, and networks, and protect assets against phishing, ransomware, and distributed denial of service attacks. In the U.S., we note for international listeners who may be unfamiliar with the American federal system, the conduct of elections is the responsibility of state and local governments, not federal authorities. So, CISA properly couches its description of the toolkit as a matter of support, not directive or regulation.
Computing reports that staff at Britain's National Health Service have been advised to expect at least three weeks of disruption following last week's cyber attack. NHS financial and patient referral systems were affected, and access to certain electronic records has been impaired. The Independent cites an NHS source who believes remediation could take months. Health Service Journal writes that the incident involved an attack against a third party, IT firm Advanced, and that the attackers have made unspecified demands. This and other aspects of the attack make it likely that it's a case of extortion. NHS is concerned that some patient data may have been compromised, but the incident remains under investigation.
And finally, Cisco yesterday disclosed that on May 24th of this year, it detected a hostile attempt against its corporate network. The company's Talos research group summarized some of its findings during its own internal investigation of the incident. They've concluded that a Cisco employee's credentials were compromised after an attacker gained control of a personal Google account where credentials saved in the victim's browser were being synchronized. The threat actor, which Cisco regards with high confidence as an initial access broker who has worked with at least the UNC2447 cybercrime gang, the Lapsus$ threat actor group, and Yanluowang ransomware operators, used information obtained from that intrusion to run a sophisticated voice phishing campaign in which it impersonated trusted organizations with a view to persuading victims to accept multi-factor authentication push notifications. In this, it enjoyed some success. The attacker ultimately succeeded in achieving an MFA push acceptance, granting them access to VPN in the context of the targeted user. This led to further exploitation.

Cisco says, "Once the attacker had obtained initial access, they enrolled a series of new devices for MFA and authenticated successfully to the Cisco VPN. The attacker then escalated to administrative privileges, allowing them to log in to multiple systems, which alerted our Cisco Security Incident Response Team, who subsequently responded to the incident." The attackers also installed TeamViewer, offensive security tools such as Cobalt Strike, PowerSploit, Mimikatz, and Impacket, and added their own backdoor accounts and persistence mechanisms. Cisco Talos says the incident was consistent with the early stages of a ransomware attack, but they found no evidence of ransomware having been deployed on any of its systems. Cisco said, "We did not identify any impact to our business as a result of this incident, including no impact to any Cisco products or services, sensitive customer data or sensitive employee information, Cisco intellectual property or supply chain operations." The statement does acknowledge that on August 10th, the bad actors published a list of files from this security incident to the dark web.

The group responsible for this attack seems to have been Yanluowang. At least Yanluowang contacted BleepingComputer and offered to show the publication the 2.8 gigabytes of data they claimed to have stolen. BleepingComputer says many of the files they saw were non-disclosure agreements, data dumps, and engineering drawings. The incident seems not to have spooked the market. Seeking Alpha reports that Cisco stock rose this morning in trading, as investors appear to have shrugged off the disclosure.

Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from BlackCloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? BlackCloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with BlackCloak. Learn more at blackcloak.io.
Carl Wright is Chief Commercial Officer at AttackIQ. I recently spoke with him about the increased pressure many CISOs face as they work to protect their organizations from the next cyber attack.
Largely, we're kind of doing the same things we did 10 to 15 years ago. We continue to chase compliance and deploy capabilities in order to meet and exceed regulatory remit. At the same time, we're also trying to do things that are smart that aren't necessarily compliance-related, but have capabilities that actually, from a cyber defensive operational perspective, can defend the organization and make sure, from a continuity of business operation perspective, it could continue to operate. But we have two large chunks of money that are being allocated to two different things that are not always aligned from my perspective.
And in what way do you think that there's a misalignment there?
Well, I think if we take a look at the fact that the spend on cybersecurity has continued to increase at the same exponential rate that attacks are happening, and these breaches that are happening are not the most sophisticated things in the world. I'm sure we see some interesting things from time to time. But largely speaking, the number and severity of breaches is going up regardless of how much we're spending. And so that means we're probably not doing something right. We're certainly not very efficient and we're not focusing those resources on areas that can really impede or interdict our adversaries, whether they're crimes to the kids or nation states, from achieving their objectives.
Are there particular areas that you feel as though, you know, recently where CISOs are coming up a bit short? Are there any blind spots or places that need more attention than they're getting?

You know, it's easy to point the finger at the CISO because obviously they're in charge and, you know, they have to hire and fire and train and equip, you know, teams of people that are below them. But this is a team sport and it's a big problem. But if we just kind of single out the CISO for a second, I think what we have to try to figure out is when we look at the CIO side of the house over the last 20 years, we use words like transformation. We use words like elastic and fluid and all these different initiatives that the CIO side of the house takes in order to help the organization make money or save lives, or in the case of government, Department of Defense, prosecute war. And these technologies are bringing great capabilities to the organizations to do those things that are their business objectives. But at the same time, this rapid adoption of emergent technology has created a large surface area and different challenges for security organizations to try to defend. And the reason I bring up the word transformation here is because what is it that security operations and security operators and the CISOs, the leader of that, what are they doing that's transformative? We can point to the CIO side of the house and look at a myriad of initiatives over the last 15 years, a lot around automation, as an example, to transform the environment. Cloud-first strategies to rapidly move things, not just to address the risks that we're seeing yesterday and today, but to address future risks that we don't even know about over the next five years. A lot of that, in my personal opinion, is about how we respond to new emergent things that are happening and how do we take care of our people in such a way that they're not always firefighting? Because we go from one major incident to Log4j to the next one to the next one. The operational tempo for these security teams is tough. And I think this is where transformation and innovation can help these organizations and the CISO.
I'm curious, in your experience, the organizations who are getting it right, who are being successful here, is there a common thread there?

Well, there is. It starts with architecture and threat modeling. And not every organization can do that because there is a capability maturity model of capabilities you have to have to have that discussion. The reality is, you know, in our rush to consume emerging technology, we are just deploying stuff.
of companies, just a tremendous amount of pain and suffering over the last few years, is something as simple as leaving an S3 bucket exposed or leaving, in Azure terms, a blob exposed where the attacker doesn't have to do anything sophisticated in order to steal all your data. And that is an architectural failure. That is just a failure of thinking about things from a systems-based perspective and focusing on configuration management and configuration control. And when you take a look at the breadth of breaches that have been happening over the last couple of years, most of these are the result of poor cyber hygiene, poor execution of deploying and owning and operating those things that you've already purchased that could have interdicted the adversary had you focused on making sure they're properly configured.
That's Carl Wright from AttackIQ.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.

And it is my pleasure to welcome back to the show Dr. Christopher Pierson. He is the founder and CEO of BlackCloak.
Chris, great to have you back on the show.
Dave, always a pleasure.
Well, I have to say I am excited to have you back here today.
You are kind of helping us out here being our person on the street at Black Hat this year.
Can we start off with a little just high-level stuff? I mean, for folks who have not enjoyed this conference, how do you describe it?

You know, Black Hat's changed a lot over the years. I mean, this is the 25th anniversary of Black Hat. It's kind of this, this week is the, you know, summer camp for cybersecurity warriors, so to speak. So everybody, you know, coming in off the long, hard summer, grabbing in some personal time before, some professional time before they go off on vacation and school starts and all the rest. But really, it's a coming together. It's a grouping. It's a community. And it is fully packed. I don't know what the actual audience attendees might be this year, but probably up in the 20,000 area. So fully packed conference. They had 111 countries represented. So this is a global effort at education, coming together, understanding different products and services, listening, and really collaborating with one another. But massive throngs of people have arrived at the Mandalay Bay in Las Vegas, and just about every other hotel here is kind of packed with Black Hat attendees as well, events spread out all over, and of course, the huge sprawling mecca of a conference room floor as well.
Well, as you walk around there and take everything in, what sort of things have caught your eye?
So, you know, what's interesting is when you walk around the floor, there's definitely
kind of two areas, so to speak.
There's the larger, more established companies where you see, quite honestly, very much some of the same.
So I would say that the same booth from RSA, the same types of materials and collateral from RSA, not necessarily any massive advances.
Now, RSA this year, in all fairness, was in June, where it's usually in February and March.
So the amount of time to develop or to do new things might have been smaller than in prior years,
but still it felt like a lot of the same.
Now, there were some different changes there
on the big company side
in terms of some different acquisitions
that were announced in that time period
or prospectively being announced.
So you see how there's definitely some abilities
that are being merged in with larger vendors, larger power plays out there.
The second area was really interesting this year is the Innovation City that they have.
I don't know exactly how many booths they have, but it's row upon row upon row.
In that area, you see a lot of interesting, well-positioned companies tackling some interesting problems in some
different areas. Sometimes it might be some different looks on automation or on SOAR or on
education, but you see some definite advances there. And what I will tell you is that area
in those columns, in those rows, are jam-packed. People are seeking out Innovation City, seeking out those areas,
and actually really having some meaningful conversations in with the different vendors there.
Now, that's where you and your Black Cloak colleagues have been set up there.
How has the traffic been?
Has there been a positive experience for you all so far?
Oh, it's been phenomenal.
It's been fantastic.
Number one, seeing old friends,
seeing old teams, having people come. There were a lot of people that didn't join everyone at RSA
this year. And so it's the first time that we've seen a lot of good friends, a lot of CISOs,
a lot of clients. But yeah, the Black Cloak booth has been absolutely popping. A lot of people
there. A lot of people digging in for a second time or a third time. So really, really great stuff. And just a great community. Quite honestly, a great community of booths around us. Some really great friends next to us from many years past. So I know that our team's having a lot of good fun there as well.
How about off of the show floor? Those meetings, those dinners, all of that community stuff?
That's hopping as well, huh?
It is.
It is.
I think probably one of the biggest takeaways is community here.
People are clamoring to see, to chat, to sync with one another in person.
The need for that is so incredibly high. And that is the same as it relates to the VC community, the investing
community, the cybersecurity community, the vendors, as well as the users, the actual security
operations teams, the CISOs and their teams. We even have a good number of CSOs, chief security
officers, that are kind of blending that digital and physical together there. So I think that that
sense of community is really, really high here
at Black Hat. And whereas I think there was a little more trepidation during the June period
of time, people are full-fledged here, probably a big surge a week or two beforehand. And the
halls are packed, the restaurants are packed, the parties are packed. And so it's a lot of fun with
everyone.
So it seems as though, I mean, despite the warnings of a potential economic downturn on the horizon, the spirits are high.
I think spirits are absolutely high. I think that they're high because of a few different things. First,
the fact that, you know, this is a problem in cybersecurity and protecting data and privacy
and trust and information. This is a problem that everyone is 100% locked into.
And so they're excited about it.
They're excited about solving it.
I think there are some, right, some little bit of trepidation about recession,
little trepidation of some of those different cutbacks that we've seen in different areas.
But when you take a look at the big problem that is out there,
companies are not going to be able to cut back on these areas.
They are all cybersecurity companies, the ones and zeros that are running each and every company that you can think of.
It's just there. It's there to stay.
The threats are increasing.
The geopolitical threats are increasing.
And even, I mean, big theme this year, a lot of different talks on information, disinformation, misinformation.
All of those things are things that this group of people are grappling with.
So a lot of positivity in terms of let's get in, let's get together, let's get ahead and solve this.
All right. Dr. Christopher Pierson is the founder and CEO of BlackCloak.
Chris, thanks so much for joining us.
Thanks, Dave.
Clear your schedule for you time with a handcrafted espresso beverage from Starbucks. Savor the new small and mighty Cortado. Cozy up with the familiar flavors of pistachio or shake up your mood with an iced brown sugar oat shaken espresso. Whatever you choose, your espresso will be handcrafted with care at Starbucks.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Tré Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan. Thanks for listening.
We'll see you back here tomorrow.

needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided