CyberWire Daily - FBI Investigates a network incident. Developments in cybercrime. DDoS against German airports. US forms a Disruptive Technology Strike Force. CISA releases 15 ICS advisories.
Episode Date: February 17, 2023
The FBI is investigating incidents on its networks. Frebniis backdoors Microsoft servers. ProxyShell vulnerabilities are used to install a cryptominer. Havoc's post-exploitation framework. Atlassian discloses a data breach. German airports sustain a cyber incident. An Aspen Institute report concludes that cyber assistance benefits Ukraine. US announces "Disruptive Technology Strike Force." Robert M. Lee from Dragos on the value of capture the flag events. Our guests are Commander Brandon Campbell of US Navy Cyber Defense Operations Command and Captain Steve Correia, Commanding Officer of Naval Network Warfare Command. And CISA releases fifteen ICS advisories. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/33
Selected reading.
Exclusive: FBI says it has 'contained' cyber incident on bureau's computer network (CNN)
Frebniis: New Malware Abuses Microsoft IIS Feature to Establish Backdoor (Symantec, by Broadcom Software)
ProxyShellMiner Campaign Creating Dangerous Backdoors (Morphisec)
Attacks with novel Havoc post-exploitation framework identified (SC Media)
Atlassian says recent data leak stems from third-party vendor hack (BleepingComputer)
German airport websites down in possible hacker attack (Deutsche Welle)
The Cyber Defense Assistance Imperative – Lessons from Ukraine (Aspen Institute)
U.S. launches 'disruptive technology' strike force to target national security threats (Reuters)
Justice Department to Increase Scrutiny of Technology Exports, Investments (Wall Street Journal)
ICS-CERT Advisories (CISA)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The FBI is investigating incidents on its networks. Frebniis backdoors Microsoft servers. ProxyShell vulnerabilities are used to install a cryptominer. Havoc's post-exploitation framework. Atlassian discloses a breach. German airports sustain a cyber incident. An Aspen Institute report concludes that cyber assistance benefits Ukraine. The U.S. announces a Disruptive Technology Strike Force. Robert M. Lee from Dragos on the value of capture the flag events. Our guests are Commander Brandon Campbell of U.S. Navy Cyber Defense Operations Command and Captain Steve Correia, Commanding Officer of Naval Network Warfare Command. And CISA releases 15 ICS advisories.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, February 17, 2023.
The U.S. FBI has contained and is investigating an incident that affected systems the Bureau uses to investigate child sexual exploitation. The FBI has been tight-lipped, saying only, "This is an isolated incident that has been contained. As this is an ongoing investigation, the FBI does not have further comment to provide at this time."
Symantec has spotted a new strain of malware called Frebniis that's being deployed against targets in Taiwan. Frebniis abuses a troubleshooting feature of Microsoft's Internet Information Services to install a backdoor. Symantec explains, "The technique used by Frebniis involves injecting malicious code into the memory of a DLL file related to an IIS feature used to troubleshoot and analyze failed web page requests. This allows the malware to stealthily monitor all HTTP requests and recognize specially formatted HTTP requests sent by the attacker, allowing for remote code execution. In order to use this technique, an attacker needs to gain access to the Windows system running the IIS server by some other means. In this particular case, it is unclear how this access was achieved." Symantec adds that Frebniis can be used to proxy commands to systems in a network that aren't accessible from the internet. The researchers conclude that no files or suspicious processes will be running on the system, making Frebniis a relatively unique and rare type of HTTP backdoor seen in the wild.
Morphisec is tracking a stealthy malware campaign that's distributing a new cryptominer, ProxyShellMiner. ProxyShellMiner exploits the ProxyShell vulnerabilities in Microsoft Exchange Server, which Microsoft issued patches for in 2021. The malware uses the vulnerabilities to gain initial access, then installs the cryptominer. The researchers note that while cryptominers are often viewed as a somewhat benign form of malware, the access gained by attackers can be used to launch more damaging attacks.
Zscaler observed the Havoc framework being deployed against a government organization last month, and the security firm has published a detailed analysis of how the framework operates. BleepingComputer says that among its most interesting capabilities, Havoc is cross-platform and it bypasses Microsoft Defender on up-to-date Windows 11 devices using sleep obfuscation, return address stack spoofing, and indirect syscalls. It's worth noting that, like Cobalt Strike and other similar tools, Havoc is intended to be used by penetration testers. Like most pen testing tools, however, it can be abused by threat actors.
In what appears to be a case of stolen credentials, Atlassian says that unauthorized parties obtained access to sensitive corporate information, including employee records. CyberScoop reports that the SiegedSec criminal group claims it's begun leaking the stolen data. The gang said earlier this week, "We are leaking thousands of employee records as well as a few building floor plans. These employee records contain email addresses, phone numbers, names, and lots more." According to BleepingComputer, the criminals obtained the data via Envoy, a third-party app Atlassian uses to manage its offices. Neither Envoy nor Atlassian was hacked, in the sense of having malware deployed against them or of having their systems compromised by attackers using technical means. It appears that an Atlassian employee's Envoy credentials were obtained and then used to access the app. Atlassian and Envoy are cooperating on their response to the incident.
Reuters reports that German airports have sustained an unspecified cyber incident believed to be a distributed denial-of-service attack. There is little information available and no attribution yet, but Deutsche Welle points out that the attack bears a strong resemblance to an earlier DDoS attack the Russian auxiliaries of Killnet mounted against German airports.
A study by the Aspen Institute concludes that international assistance rendered to Ukraine for its cybersecurity has blunted the effects of Russian cyber offensives. The institute looked at the record compiled by the Cyber Defense Assistance Collaborative for Ukraine, which has given four kinds of assistance: intelligence analysis, support and sharing, licenses, tactical services, and advising. The report says cyber defense assistance in Ukraine is working. The Ukrainian government and Ukrainian critical infrastructure organizations have better defended themselves and achieved higher levels of resiliency due to the efforts of CDAC and many others. The report concludes, however, that CDAC's work is not yet done and that Ukraine will require support through the next phases of Russia's war.
U.S. Deputy Attorney General Lisa Monaco yesterday announced the formation of a Disruptive Technology Strike Force, an interagency collaboration between the U.S. Departments of Justice and Commerce. Its aim will be to deny hostile governments tactical advantage through the acquisition, use, and abuse of disruptive technology, innovations that are fueling the next generation of military and national security capabilities. CyberScoop reports that the new strike force is intended as an evolutionary development of the Committee on Foreign Investment in the U.S., the mechanism that's hitherto been used to protect U.S. technology from hostile foreign poaching. The Disruptive Technology Strike Force is expected to bring enforcement out of the brick-and-mortar period in which CFIUS was drafted and into the present age of cyber espionage.
CISA yesterday released 15 industrial control system advisories. They cover systems by Siemens, SubIoT, Delta Electronics, and BD Alaris. Operators, check your systems and, as always, apply updates per vendor instructions.
And finally, Monday is the U.S. federal holiday of President's Day,
and the Cyber Wire won't be publishing on the 20th.
We'll be back as usual on Tuesday.
To those of you who also observe the holiday,
on behalf of all of us at N2K Networks,
enjoy the long weekend.
And for those of you who are outside of the U.S.,
enjoy the regular weekend.
We'll see you again on Tuesday.
Coming up after the break, Robert M. Lee from Dragos on the value of Capture the Flag events.
Our guests are Commander Brandon Campbell of the U.S. Navy Cyber Defense Operations Command and Captain Steve Correia, Commanding Officer of Naval Network Warfare Command.
Stay with us.
The mission statement of the United States Navy is to recruit, train, equip, and organize to deliver combat-ready naval forces to win conflicts and wars while maintaining security and deterrence through sustained forward presence.
In today's world, achieving that mission means the U.S. Navy must maintain a high level of cybersecurity in order to protect its data, networks, and systems
from malicious actors. My guests today are two distinguished naval officers on the front lines
of that critical mission. Commander Brandon Campbell is Operations Director at Navy Cyber
Defense Operations Command. Captain Steve Correia is Commanding Officer of Naval Network Warfare Command.
Commander Campbell leads off our conversation.
And I'm the operations director at Navy Cyber Defense Operations Command.
And essentially, at NCDOC is what we call it,
we are chartered and responsible for protecting and defending the Navy's global array of networks across 180 networks, to be exact.
And in that responsibility, we protect and defend against malicious cyber activity and advanced persistent threats.
And we do that 24-7, 365.
And then if there's actually an incident or an actual compromise on a Navy network,
we're then also responsible for doing
the risk analysis, assessing it, and then when needed, expelling the adversary from our networks.
Captain Correia, how about you? Naval Network Warfare Command's mission is to
operate and secure Navy networks and communication systems. So we do that in our ashore enterprise
networks and the ashore portion of our float networks.
And we're also designated under Fleet Cyber Command as the commander of Task Force 1010, which we have tactical control of the commander control communications commands within the Navy.
So I'd love to get the perspective from both of you.
The Navy's network has some uniquely difficult defensive challenges.
When you think about everything that's on your network, you know, from data centers, office buildings, and then, of course, ships and airplanes, and the global distribution of all of that.
And then also you're dealing with many levels of classification.
That's a big problem.
And how do you come at that?
Dave, I'll start first. So that's part of the reason why the Navy's taken a more agile approach and we've moved to a more zero-trust approach is because of those complexities.
You know, I think for the longest time we tried to keep the adversary outside the walls of the castle, if you will.
But we've realized over time that that's difficult, if not impossible, in a lot of cases. So we've increasingly adopted a
zero-trust approach where we assume the adversary is inside the castle walls, and we've put controls
in place to guard the data and information systems from those adversaries. To dovetail a little bit on that,
the Department of Defense recently just issued, late last year, its overarching first-ever
zero-trust strategy. And like Captain Correia just said, the very first sentence of that strategy
states that our adversaries are in our network. So that's a huge paradigm shift in how we look at, evaluate, and design resilient networks,
resilient and secure networks.
So in parallel with that, a part of that strategy, the Department of Defense has underlaid and
implemented seven essential pillars for its
zero-trust strategy. And then with each one of those pillars, there are sub-activities, 152 to
be exact, and set a very lofty goal of achieving zero-trust capability strategies and principles
no later than 2027. And the Navy is well on its way and helping pave the way towards those capabilities, aggressively modernizing its IT, as well as implementing cloud-native cyber defense and cybersecurity tools.
So it's been a really exciting time, and I'm really excited to see how the next five years or so, as we modernize and get to 2027, what the changes of our landscape and how we design and secure our networks are
going to look like. You know, there's that old cliche, and forgive me for using it, but, you
know, a battleship doesn't turn on a dime. Do you all feel as though you have the ability to be
nimble, to react to the things that are coming at you with, again, with an organization as large in breadth and depth as the U.S. Navy?
Yeah, I'll take that one, Brandon. It's very perceptive, but in my career, that's generally
been my experience, but I think it's changed recently. And so we, during the pandemic,
because of leadership at the top, Mr. Weiss, Ms. Young's Lou at PO Digital, so our acquisition partners, and operationally on our side, myself and my predecessor, Captain Jody Grady, decided, made a conscious decision to move out quickly on implementing cloud once we had a secure implementation. And we did so in the image of DevOps or Agile.
And our current framework is Scaled Agile Framework, so SAFe.
And we are definitely taking a more Agile approach.
And because of that, we're working together with acquisition partners and engineering in a DevOps type of model where we are able to make agile decisions,
make configuration changes
in that DevOps type of approach.
And for me, it's been a revolution,
very much getting away
from the traditional waterfall approach
where we took a long time to write a requirement.
And then the engineers went back
into the engineering spaces
and came out with a product
that wasn't to anyone's satisfaction on the ops world and a little bit dissatisfaction on the engineering world, too.
So we're in a different place right now where we're all working together toward a common goal.
And it's refreshing to see.
Commander Campbell, I'm curious what your pitch is for folks who may be considering a career with the Navy.
We have a lot of listeners who are students coming up.
There are unique challenges there of joining the service, but also some really amazing opportunities.
Yeah, there really are.
And I'm wrapping up my two-decade career here in the next few months.
So I have done some reflection on that personally.
And it is an exciting time,
especially in the cyber field,
the cyber community at large.
There's a large modernization effort
going on across the Navy.
You know, I've had the unique opportunity
through my career,
through working with SEAL teams
to being deployed on
ships, aircraft, and the whole host, the whole gamut. So it's always exciting. It's always
challenging. There are a lot of educational benefits and opportunities if you just take
advantage of them. So I would encourage anyone out there who's looking for a way to get a little excitement to do a very, very important mission for our Navy and for the national security of our nation.
And really just kind of embrace it and know that it's going to be long.
Sometimes it's going to be hard and challenging, but at the end of it, you absolutely will be better off for it.
And then walk away from the rest of your life
knowing that you've served your nation and you've done something really unique and special.
So yeah, I'm super excited and to what the future holds and especially as this advancing career
in this industry and in the cyber defense and cyber security space and where it's going to go
here in the next five plus years.
You know, Captain Correa, we have quite a few senior members of industry and government who
listen to our show. I'm curious, if you had the opportunity to ask, is there any support or
assistance that you would request from those folks? Actually, Dave, the support has been great
to the approach that we've taken. And Brandon mentioned this earlier.
The leadership has really leaned in on this, and they've put their money where their mouth is because they've really, really supported us on various approaches that we've taken, but also on the common decisions that we've made to secure the network.
And in some cases, we've taken a pretty aggressive approach on security,
which can have impact in some cases,
but we've kind of all worked on that together and finding that right balance.
So I just want to say thank you, actually, to the leadership for the support.
Our thanks to Commander Brandon Campbell,
Operations Director at Navy Cyber
Defense Operations Command, and Captain Steve Correia, Commanding Officer of Naval Network
Warfare Command. We appreciate them taking the time for us.
We will be publishing an extended special edition of this conversation this coming Monday. Look for it in your CyberWire podcast feed or on our website. And I'm pleased to be joined once again by Robert M. Lee.
He is the CEO at Dragos.
Rob, it's always a pleasure to welcome you back to the show. You and your colleagues there at Dragos had your Dragos Industrial Security Conference back in November of last year,
and that included a capture the flag element. And I wanted to touch on that today,
why you think that's an important thing to include in an event like the one you held, and
what you and the participants get out of it?
Yeah, so capture the flags in general are a fantastic form of training and sort of testing out those skills. Sometimes it's testing, sometimes it's more training. If you look at like the SANS
CTFs as an example, they're their net wars, ones that they run at their conferences.
Level one and level two are very educational. Click on it, get a hint, you'll get
the answer, but it's more teaching you how to do it. Level three is, hey, this is harder,
this is now kind of testing out your skills. And level four or level five is just like,
we're going to kick in your teeth, good luck. It's just kind of that process,
which is both educational and testing, which makes it both fulfilling and challenging,
but people leave with better skills than just sort of the academia or theory of it.
And so in the same mindset, we want to do that, of course, on the industrial control system side.
And when I came into this field, it was impossible. There were no ICS CTFs, even in the government circles, for me to get access to industrial networks. To get access to our own industrial networks
was extraordinarily expensive or costly or whatever
to be able to go in there and do anything.
So it was just unaccessible,
which meant it was difficult to bring people in the field
because I could lecture to them,
we could do PowerPoints,
we'd give them a packet capture every now and then
of something with a Raspberry Pi generating Modbus
TCP traffic. But that was about
it, and that's not very realistic.
And so I love the idea
of bringing people into the community. Of course, I want
Dragos to be successful and live our
mission, but the reality is our mission is
for naught if we don't build a community
around us and raise all
boats, if you will. And so we put a lot
of effort and time. We've got some phenomenal people on the staff
that spend a ton of time making these CTFs.
We'll generally run two a year,
one in combination with the SANS ICS team
for their annual summit,
and one at our conference,
the DISC conference that you mentioned.
And it's free, it's accessible,
anybody can access it around the world
and online. There's no cost, no filtering. And we've got millions of dollars worth of control
equipment that we've had to buy just for our own testing and QA purposes and so forth for our
technology product. And so taking those same ranges, setting up actual industrial environments
and emulating adversaries against them and releasing packet captures,
logic files, memory images, all that kind of fun stuff
is just, I think, very, very helpful to the community.
When you can get over 1,000 people at a time signing up and playing,
I think that's good validation as well, that people are responding well.
And what we hope to see is more and more people
kind of cross-training into OT security from IT security.
And we want to see new people in the field
understand that it is accessible
and it is a viable career path to go into.
From your perspective, what goes into setting up
one of these things successfully?
How do you blend the different elements,
the different challenges that people are going to face?
Yeah, some of them. So first and foremost, you've got to have the equipment, right? So I always get folks are like, oh, I want to emulate this and just do virtual. And like that can work a lot
with IT networks. But when you're talking with OT, you really want a physical process to be there.
That's what's going to make it a real thing, not just sort of a network protocols. And so we do
have real ranges that we set up. So in our office, as an example,
one of our offices, as an example,
we have a Lego city that's like,
I think it's like 12 feet by six feet,
and it's train and wind turbines
and all sorts of real stuff,
and there's racks of equipment behind it
monitoring and doing the control of.
In another part of the building,
we've got a little gas pipeline.
In another part of the building,
we have a brewery, which is completely just for science and analytics purposes, even
though it would be phenomenal. So those physical processes then have all the control equipment and
networks around them. We have a control engineer on staff that does nothing but maintains all that
equipment, as if you're talking about a normal production environment.
And then our services and intel team will go through
and actually build out the scenarios.
Some of them are going to be an emulation of things
that we've seen in the past.
So emulating Electrum going after Ukraine Electric System
as an example, or emulating maybe, I think this past year we had an emulation of
the Xenotime group going after the Saudi Arabian petrochemical facility
using Trisis and trying to modify and blow up the safety system.
But then we also have just kind of, oh that would be neat, or kind of hard challenges
and release some of the folks in the team, just go get creative
and come up with interesting things.
But none of it's designed to be gotchas.
It's not designed on how hard can we make this.
I mean, we could crank it up pretty high.
It's designed on what skills are realistic
that people should have,
and can we expose those through the CTF.
Now, our CTFs are not hacking, kind of, hacking is an abused word,
but like pen test type CTFs.
It's not breaking the server.
It's digital forensics, network security
monitoring, kind of like
defensive skill sets, log analysis,
et cetera. And in that way
it also tends to be pretty unique.
There's not many of those.
There's more now, but there's not as many
of those as there are the, let me set up some stuff and go hack it.
I'm going to break into something generally at first sounds sexier.
You spend years doing that and you find out the defense is really, really sexy.
But that, again, makes it something different for folks,
gives them access to equipment and environments
they just have no chance of having access to otherwise.
And again, hopefully just encouraging people to come into the field,
and if not, at least having a better understanding of it.
Being an IT security person at a manufacturing company or data center or whatever,
having a better understanding of what's happening in those control networks
broadens out people's expertise.
And even if they're not going to do the OT security work themselves,
at least they understand it more now and collaborate better inside their companies.
And having this sort of visibility,
as you all are able to observe the folks who are participating here,
as they're banging away on things and trying to solve these,
are there aha moments for you all along the way?
Maybe, but we don't really do that.
Because it's not them banging away,
because we give them the files and the data
and everything else, they take it home with them
and work on it and submit the answers.
As a company strategy in general,
we really try not to hold on to people's data
or insights or monitor people.
We're a giant target, if you think about it,
from almost every state actor out there that wants to do industrial
probably would like to know what we're working on.
So the last thing I want to do is be holding onto people's data or insights.
So we don't really see that.
I'm sure there would be aha moments because there's some just really brilliant people
and really brilliant talent across the world.
But unfortunately, and by design, we don't watch them do it.
Okay, interesting.
All right, well, Robert M. Lee, thanks so much for joining us.
Our amazing CyberWire team is Elliot Peltzman, Trey Hester,
Brandon Karp, Eliana White, Guru Prakash, Liz Ervin, Rachel Gelfand,
Tim Nodar, Joe Kerrigan, Carol Terrio, Maria Varmatsis, Ben Yellen,
Nick Vilecki, Millie Lardy, Gina Johnson, Bennett Moe,
Catherine Murphy, Janine Daly, Jim Hochite, Chris Russell,
John Petrick, Jennifer Ivan, Rick Howard, Peter Kilpie, Simone Petrella, and I'm Dave Bittner. Thanks for listening.
We'll see you back here next week.