CyberWire Daily - Dispatches from the hybrid war, as auxiliaries on both sides skirmish in cyberspace. An Azure vulnerability patched. Trends in ransomware. And Social Security phishbait.

Episode Date: October 19, 2022

Killnet explains its actions against Bulgaria's government. The National Republican Army claims successful attacks on Russian companies. The Director of Germany's BSI is out. A vulnerability in Azure disclosed and patched. Trends in ransomware. Carole Theriault has a fresh look at the ransomware question: to pay or not to pay? Tim Eades from Cyber Mentor Fund considers cyber insurance for small and medium-sized businesses. Social Security phishing. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/201

Selected reading.
Cyberattack disrupts Bulgarian government websites over ‘betrayal to Russia’ (The Record by Recorded Future)
Russians Against Putin: NRA Claims Massive Hack of Russian Government Contractors’ Computers (Kyiv Post)
Germany fires cybersecurity chief after reports of possible Russia ties (Reuters)
German Cybersecurity Chief Sacked Over Alleged Russia Ties (SecurityWeek)
German cyber chief suspended following allegation he associated with Russian intelligence (The Record by Recorded Future)
FabriXss (CVE-2022-35829): How We Managed to Abuse a Custom Role User Using CSTI and Stored XSS in Azure Fabric Explorer (Orca Security)
Ransomware In Q3 2022 (Digital Shadows)
Fresh Phish: A New Social Security Phishing Scam Preys Upon Our Biggest Worries (INKY)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Killnet explains its actions against Bulgaria's government. The National Republican Army claims successful attacks on Russian companies. The director of Germany's BSI is out. A vulnerability in Azure disclosed and patched.
Starting point is 00:02:18 Trends in ransomware. Carole Theriault has a fresh look at the ransomware question. To pay or not to pay. Tim Eades from the Cyber Mentor Fund considers cyber insurance for small and medium-sized businesses. And Social Security phishing. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, October 19th, 2022. In its Telegram channel, Killnet, the Russian auxiliary threat group, woofed a justification for its recent run of desultory DDoS attacks against Bulgaria, stating, "For betraying Russia and supplying weapons to Ukraine,
Starting point is 00:03:20 the Bulgarian government is sentenced to network collapse and shame." The Record cites Bulgarian authorities who say they've identified the name and address of one of those who participated in the attacks. Insofar as shame and network collapse are concerned, a few Bulgarian sites seem to be running a little slowly, but there's no real reason for anyone to feel ashamed, at least not in Bulgaria. The National Republican Army, or NRA, a group of uncertain size and influence, has told the Kyiv Post that they've successfully compromised large Russian companies engaged in
Starting point is 00:03:58 support of Russia's war as defense contractors. The NRA showed the newspaper screenshots and data that appeared to confirm their claims, but it's too soon to tell if there's substance to them. In general, the National Republican Army is a poorly understood group, and its claims should be treated with caution. The material provided to the Kyiv Post in this case, however, seems to indicate that something happened. We'll be watching to see if the story has legs. Arne Schönbohm has been relieved of his post as head of Germany's BSI, Der Spiegel reports. Under German labor law, the removal is formally a suspension, the Washington Post writes, but few expect Mr. Schönbohm to return to the BSI.
Starting point is 00:04:46 An investigation into his connections with Russia via the Cybersecurity Council of Germany and his continued contact with the council, a group he helped found, was controversial, the Post says, because of the foundation membership of Protelion, reported to be a rebranded German arm of the Russian cybersecurity firm Infotecs, founded by a former KGB agent. Herr Schönbohm on Monday asked for an investigation to clear his name. Reuters quotes the Interior Ministry as saying the dismissal was in response to news that had "permanently damaged the necessary public confidence in the neutrality and impartiality of his conduct in his office as president of Germany's most important cybersecurity authority."
Starting point is 00:05:33 So, it appears to be, in the first instance, a matter of perception and of the German government's sensitivity to penetration by Russian intelligence services. Orca released a report today detailing a vulnerability they discovered in Azure Service Fabric Explorer. The vulnerability has been reported to Microsoft and the issue was designated CVE-2022-35829. A patch was released on Patch Tuesday earlier this month. The vulnerability, known as FabriXss, and that's Fabrics with an X,
Starting point is 00:06:09 was found in Azure Service Fabric Explorer. Microsoft Azure Service Fabric is described as a distributed systems platform for packaging, deploying, and managing stateless and stateful distributed applications and containers on a large scale. And Service Fabric Explorer is a tool for inspecting and managing Azure Service Fabric clusters. It was determined that a class of user known as deployers, who have permissions to create new applications via the dashboard,
Starting point is 00:06:43 can use this permission to create a malicious application name and abuse administrator access to perform a range of actions. Orca reports that this can include what's known as Cluster Node Reset, which erases all custom settings, such as passwords and security data, which can be overwritten by the malicious actor and give them the ability to gain full admin permissions. If you use Service Fabric Explorer version 8.1.316 or earlier, then in principle you're vulnerable. You should apply Microsoft's October 2022 update and verify that the Service Fabric Explorer URL ends in index.html instead of old.html. And of course, we say in full disclosure, Microsoft is a CyberWire partner.
Starting point is 00:07:31 Digital Shadows has released its report on ransomware for the third quarter of 2022. The researchers found that ransomware decreased as a whole, despite notable attacks on high-profile targets. Overall, LockBit activity decreased this quarter, but the group's share of total activity, its criminal market share, if you will, increased over that same period from 32 to 35 percent. LockBit 3.0 has been a success for the group, despite skepticism from other competing threat actors. In September 2022, a leaked LockBit 3.0 builder was posted on Twitter that was alleged to come from a hacker, but LockBitSupp claimed the leak was a former developer. Whatever the case may be, it's a legitimate builder, and Digital Shadows says this could have consequences during the remainder of
Starting point is 00:08:23 this year if other malicious actors get a hold of that builder and put it to use. There wouldn't be much the LockBit gang could do to stop this theft of its IP. What are they going to do? Sue? The ransomware gang Conti appears to have closed up its operations in June 2022. Quarter 3 has seen the after effects of Conti's dissolution, which include competitions over Conti's market share and a surge in new ransomware groups. LockBit was the dominant ransomware family, but no clear family emerged
Starting point is 00:08:56 to take Conti's position as number two. Black Basta, Hive Leaks, and ALPHV account for 9, 8, and 7% of all ransomware victims this quarter, respectively. In all, the researchers found that 12 new ransomware data leak sites were created in the third quarter of this year. One distinction Digital Shadows makes in their report is that between ordinary criminals and politically motivated ransomware. It's getting harder to tell the difference, especially with the rise of privateering in Russia's hybrid war against Ukraine. The researchers cite the August 2022 ransomware attack on the Montenegrin government as an example
Starting point is 00:09:37 of the challenge of identifying motives. Russia was initially blamed for the attack, but the use of Cuba ransomware lent the incident the coloration of ordinary criminal extortion. The cyberattacks on Albania's government systems, however, were attributed with high confidence to Iran's Ministry of Intelligence and Security. These were clearly political in nature, with no obvious attempt at monetization. Finally, security firm INKY this morning put out a warning concerning some social engineering it's observed that involves impersonation of the U.S. Social Security Administration. In its broad outlines, it's a two-step campaign that moves from phishing to vishing. INKY states, tagline. It's an image that looks sharp and is readily available online. In the body of the letter, the sender claims that illegal and fraudulent activities have been associated
Starting point is 00:10:50 with the recipient's Social Security number, and as a result, their Social Security number will be suspended in 24 hours. A phone number is given to resolve this issue. The initial phishbait is commonplace enough. Your Social Security number will be discarded, disabled, canceled, or terminated because it's been involved in fraudulent activity, is expiring, or has come to attention as suspicious. Sad stuff, and connoisseurs of U.S. federal officialese won't be easily gulled by that PDF letter. Sure, the logo is pretty sharp and sweet, but the grammar and usage are off. Things are oddly centered,
Starting point is 00:11:29 and it's signed by someone with an implausible title. Still, if you're elderly, worried about your finances, and unaccustomed to the ways of the government, you might be tempted to bite. But please don't. If someone tells you that your Social Security number is about to be suspended, and if they email you with the news, that's two strikes against them.
Starting point is 00:11:49 The Social Security Administration doesn't suspend numbers like that, and they communicate with account holders by good old-fashioned U.S. mail, not these newfangled PDFs we keep hearing about from the kids. At any rate, stay safe out there. Coming up after the break, Carole Theriault has a fresh look at the ransomware question. Tim Eades from Cyber Mentor Fund considers cyber insurance for small and medium-sized businesses. Stay with us. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security,
Starting point is 00:12:46 but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak.
Starting point is 00:13:47 Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. Since ransomware became a thing, the question has been to pay or not to pay.
Starting point is 00:14:40 Our CyberWire UK correspondent, Carole Theriault, takes a fresh look at that question. When it comes to ransomware, there is one big question that divides even those au fait with cybersecurity: to pay or not to pay. And there are so many things to consider. Will the ransomware baddies delete or return the data access and effectively be honorable people? Will customers and partners and press make a stink if we pay or don't pay? Or what data have they nabbed and how vital is it to our business and its supporters? A recent report from Coveware had some interesting insights. So one, the median ransomware payment made by a victim decreased to $36,000 and change. And this is a 50% decrease from the previous quarter. That's huge. And it's going to be fascinating to see if this trend
Starting point is 00:15:37 continues. I also wonder if ransomware is perhaps being affected by inflation, as in victims simply cannot afford the prices of your to have their data returned. Two, second finding was that the ransomware report says that there is an encouraging trend amongst large organizations refusing to consider negotiations when ransomware groups demand impossibly high ransom amounts. And a third point is that we shouldn't trust these miscreants. During the second quarter of 2022, Coveware says that they continue to see evidence
Starting point is 00:16:15 that threat actors do not honor their word as it relates to destroying exfiltrated data. So even though they promise they will, they are not. And they say, quote, To add to this, the UK's National Cyber Security Centre and the Information Commissioner's Office issued a joint letter recently urging the legal community in the UK to closely evaluate the guidance provided to victims of data exfiltration extortion. In other words, paying up does not mean that everything returns to normal. And I can't help but wonder whether cyber insurance has a part to play here as well. I have heard from a number of experts that cyber insurance
Starting point is 00:17:06 policies have changed dramatically in the last, say, five years. And maybe in early instances where they promise to pay a ransom in order to get data back, they may be much more complicated wording to decrease the chances of them having to pay. All I'm saying is read your policy very carefully. And if you're listening to me talk here and you're thinking, yeah, yeah, I have had a policy for five years and I read it when I got it, might I recommend that you ask to see the most recent version of the policy so that you can read it at your leisure and make sure that everything is up to scratch. Because it ain't great thinking you're covered for something and finding out that, in fact, you're not,
Starting point is 00:17:50 especially when it comes to ransomware. This was Carole Theriault for The Cyber Wire. And I'm pleased to be joined once again by Tim Eades. He is the CEO at vArmour, also the co-founder of the Cyber Mentor Fund. Tim, always a pleasure to welcome you back. Great to be here, Dave. I wanted to get your insights today on where we stand with cyber insurance. I mean, it's certainly been an area where we've seen some change over the past few years, I suspect it's safe to say.
Starting point is 00:18:34 What are you seeing from your point of view? Yeah, cyber insurance market, particularly in the SMB side, is going to reach like $30 billion by 2030. I mean, just it's a giant market. It's also going to be incredibly disruptive to the cyber industry. But let's just walk through a scenario. Dave and Tim are going to start up a pizzeria, right? We're going to run a pizzeria.
Starting point is 00:18:56 It sounds great. It's going to do great Italian pizzas. And what's going to happen is we have employees, and we're going to have workers' comp. You're going to have workers' comp, and you're going to have cyber insurance. They're going to come hand in hand, and it's not going to be an option. And your policy will be set up to your turnaround, and you'll go, OK, well, how do I get my policy for breach insurance and everything under control?
Starting point is 00:19:20 Well, I need to have single sign-on turned on. I need to have an endpoint technology. I need to have authentication and a whole bunch of different stuff. And if you have that, I'll get a better policy. And Dave and Tim's Pizzeria will have a great, secure enterprise because it has been forced to adopt and forced to implement
Starting point is 00:19:39 and tested that it has been implemented core technologies to lock down Dave and Tim's pizzeria. And so what's going to happen is it's going to force, particularly at the SMB level, dramatic adoption and standardization of security technologies. The challenge for it is that no one will care about the brand. They won't care whether it's Symantec or McAfee or anybody else on the consumer side or the SMB side. It will be a tick in the box that says, OK, my insurance provider says I've got to have workers' comp. I've also got to have
Starting point is 00:20:17 cyber insurance. OK, I need these four or five technologies. And then I'm fine. I'll get a better policy, and I'll buy them. And I won't care about the brand, but it will be mass adoption. And so the people at the large insurance companies or the Zurich or whatever are looking at the growth of the overall insurance market and saying, OK, let's go put a bet into cyber insurance because it's the fastest growing category. It's a massive, massive opportunity, which will make all these small businesses in particular way more secure, which is a great thing, but it will consolidate some of the technologies
Starting point is 00:20:56 where they won't care about the brand so much. Yeah, I can't help wondering about the insurance companies and how they're going to position themselves, particularly as we've seen with ransomware and the costs going up. How are they going to run those numbers and make it so that it works for those small and medium-sized businesses to even be able to afford this stuff? Volume. Volume. Volume. I mean, when you turn around and you run an actuary table against not 100,000 businesses, not even 5 million businesses, against 50 million businesses, you can aggregate your price, and then you aggregate the risk, and then you bring the policy down. The volume in this market
Starting point is 00:21:40 is staggering. I mean, I'll give you an example. I think you have a decent guess that in North America, there's about 25 million small businesses with under 30 employees. This is an enormous number. Then you go to India. I mean, the numbers here are staggering. And so that's how, when you get volume, and also you get competition in this market, those two things will drive a better price down for everybody. How do we make it so that those small and medium-sized business owners see the value in this? Or is it just destined to be a checkbox? Well, I would love to say they see the value. I do think they will see some value because there will be some attacks that are
Starting point is 00:22:21 prevented. It is a tick box scenario. There is no doubt. And that's what it's going to drive it to be. I mean, these people are not highly sought after targets, but it will be a tick box scenario that whether you're a small doctor surgery, whether a small dentist, whatever it may be, or Dave and Tim's pizzeria, you know, it's going to be a tick box. And I'm okay with that. You know, I'm okay with that. Over the last, you know, 20 years that I've been in cyber, you know, it's always been a better mousetrap. What I want to do now is get cyber insurance everywhere,
Starting point is 00:22:57 just as popular and just as adopted as workers' comp, and get the technologies to secure it. And that's okay, right? As long as it's, like you said earlier, like it's done competitively priced because the volume of the competition, I think it'd be fine. And in the same way that your commercial insurance person comes and takes a little walk around
Starting point is 00:23:17 to make sure you've got sprinklers and fire extinguishers and you're not blocking the exit doors, somebody will be checking your multi-factor authentication. They'll do a quick scan. Do you have multi-factor authentication turned on? Are you using an endpoint or the normal stuff? And you guys go, yeah, yeah, yeah, you'll be fine.
Starting point is 00:23:36 It's exactly the model you just described. All right. Well, interesting insights as always. Tim Eades, thanks for joining us. Thanks, Dave. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity.
Starting point is 00:24:10 That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. Clear your schedule for you time with a handcrafted espresso beverage from Starbucks. Savor the new small and mighty Cortado. Cozy up with the familiar flavors of pistachio. Or shake up your mood with an iced brown sugar oat shaken espresso. Whatever you choose, your espresso will be handcrafted with care at Starbucks.
Starting point is 00:25:09 And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Trey Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Janine Daly, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
Starting point is 00:26:16 That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
