CyberWire Daily - Five Eyes disrupt FSB’s Snake malware. From DDoS to cryptojacking. Ransomware trends. Yesterday’s Patch Tuesday is in the books.
Episode Date: May 10, 2023

The Five Eyes disrupt Russia’s FSB Snake cyberespionage infrastructure. Shifting gears: from DDoS to cryptojacking. Trends in ransomware. Our guest is Steve Benton from Anomali with insights on potential industry headwinds. Ann Johnson from Afternoon Cyber Tea speaks with Roland Cloutier about risk and resilience in the modern era. And yesterday’s Patch Tuesday is now in the books, including a work-around for a patch from this past March.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/90

Selected reading.
Patch Tuesday notes. (The CyberWire)
U.S. Agencies and Allies Partner to Identify Russian Snake Malware Infrastructure Worldwide (US National Security Agency)
Hunting Russian Intelligence “Snake” Malware (Joint Cybersecurity Advisory)
RapperBot DDoS Botnet Expands into Cryptojacking (Fortinet)
The State of Ransomware 2023 (Sophos)
From One Vulnerability to Another: Outlook Patch Analysis Reveals Important Flaw in Windows API (Akamai)
Windows MSHTML Platform Security Feature Bypass Vulnerability (Microsoft)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today, get 20% off your Delete Me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout. That's joindeleteme.com/n2k, code n2k.
The Five Eyes disrupt Russia's FSB Snake cyber espionage infrastructure, shifting gears from DDoS to cryptojacking, trends in ransomware.
Our guest is Steve Benton from Anomali with insights on potential industry headwinds.
Ann Johnson from Afternoon Cyber Tea speaks with Roland Cloutier about risk and resilience in the modern era.
And yesterday's Patch Tuesday is in the books, including a workaround for a patch from this past March.
I'm Dave Bittner with your CyberWire Intel briefing
for Wednesday, May 10th, 2023.
The Five Eyes took down the Snake infrastructure that Russia's FSB security and intelligence service has used for espionage and disruptive activity for the past two decades.
Operation Medusa, as the takedown is being called, involved both the technical disruption of Snake malware deployments and lawfare as well.
Operation Medusa was the work of an international partnership whose principal members included the United States NSA, FBI, CISA, and Cyber National Mission Force.
Members from the other Four Eyes included the Canadian Cyber Security Center, the United Kingdom National Cyber Security Center, the Australian Cyber Security Center, and the New Zealand National Cybersecurity Center. The joint cybersecurity advisory these agencies issued
describes Snake as
the most sophisticated cyber espionage tool
designed and used by Center 16 of Russia's Federal Security Service
for long-term intelligence collection on sensitive targets.
The malware is stealthy,
readily tailored to specific missions and well-engineered.
And that unit, which has commonly been known as Turla, has been actively collecting intelligence
against targets in some 50 countries for nearly two decades. NATO members have been among the
most common targets, and the FSB collected against many sectors in those countries,
not just government agencies, but businesses, not-for-profits,
universities, and research institutions as well.
You can find technical details about Snake, its detection,
and the uses to which the FSB had put it in the joint cybersecurity advisory the partners issued.
It's worth noting that Operation Medusa had a significant legal dimension and that
it involved waging lawfare as much as it did technical hunting and disruption of a hostile
infrastructure. Indeed, the Justice Department describes Operation Medusa as a court-authorized
operation, and the FBI obtained a Rule 41 warrant to remove Snake from eight infested systems.
Such warrants are uncommon.
The Department of Justice has used them twice in the past, The Record reports,
once to disrupt China's Hafnium espionage campaign
and once to dismantle Cyclops Blink, a Russian intelligence service botnet.
So a well done to all involved with Operation Medusa.
A threat actor has decided to shift gears and move from DDoS to cryptojacking. The new
RapperBot campaign is unlike the gang's past activity, FortiGuard Labs reported yesterday.
In the gang's activity between August and December of last year, the RapperBot hackers were observed launching distributed denial-of-service attacks.
In a campaign active since at least January of this year,
the RapperBot actors are involved in cryptojacking,
specifically targeting Intel x64 machines running the Linux operating system.
Researchers say they initially observed the threat actors executing
a separate crypto miner alongside the RapperBot malware, but both have now been combined
into one bot. The malware is regularly seen undergoing updates to better evade detection.
Sophos today released its annual state of ransomware report for 2023,
surveying a variety of cybersecurity
industry experts across 14 countries. 66% of organizations surveyed were hit by ransomware
within the last year, with 36% caused by exploited vulnerabilities. The education sector has seen
much ransomware activity, with about 80% of higher and lower education organizations surveyed
reporting being victimized.
Just over three-quarters of the ransomware attacks of those surveyed
resulted in the encryption of data,
and in 30% of these cases, data was also stolen.
Just under half of those that had their data encrypted
paid the ransom, with larger organizations significantly
more likely to pay. The average ransom demand of $1.54 million in 2023 nearly doubles that of
2022's figure of $812,000. The average cost of recovery is even higher than the ransom demands at $1.82 million.
This is another trend study that confirms the prominent place ransomware now occupies in the underworld and the pervasive threat it's become to organizations of all sizes in all sectors.
A quick note about Patch Tuesday, which this month fell yesterday.
Companies addressed a large number of vulnerabilities.
Microsoft has fixed 40 security vulnerabilities. Mozilla released two patches, one for Firefox
113 and another for Firefox ESR 102.11. Adobe has patched 14 vulnerabilities in Substance 3D
Painter, and Onapsis released a blog detailing the SAP Patch Day patches.
Do take a glance at the updates.
You can find a summary on our website.
And go and do as CISA always advises.
Apply updates per vendor instructions.
One final coda for Patch Tuesday.
Researchers at Akamai have discovered a critical vulnerability
in an Internet Explorer component.
This vulnerability tricks an Outlook client into connecting with the attacker's server,
allowing the attacker to crack the victim's password offline or use it in a relay attack.
Russian threat actors have been seen using this exploit for over a year,
targeting European government, transportation, energy, and military
sectors. Importantly, this attack is classified as a no-click attack, which means that the victim
doesn't have to interact with the malware by clicking a link or downloading a file.
It works by sending a reminder email to the victim with a custom sound notification
containing a path to the attacker's server.
Akamai informed Microsoft of this vulnerability, and Microsoft released an update in the March
Patch Tuesday to fix the problem, but Akamai has since determined that there are workarounds that
could get past the patch. Microsoft addressed those remaining issues in yesterday's Patch Tuesday.
Sometimes, you need a second swing.
Coming up after the break, Steve Benton from Anomali has insights on potential industry headwinds.
Ann Johnson from Afternoon Cyber Tea speaks with Roland Cloutier about risk
and resilience in the modern era. Stay with us. Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection
across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their
personal devices, home networks, and connected lives. Because when executives are compromised
at home, your company is at risk. In fact, over one-third of new members discover they've already
been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
Steve Benton is Vice President of Threat Research at Anomali.
I spoke with him at the RSA Conference about the potential headwinds the industry is facing
with economic uncertainty on the horizon and the threat of potential layoffs.
What is he seeing from leaders with tough decisions to make?
Well, I think they're making a lot of choices, choices about what tooling do we need to bring
into our enterprise, but also what tooling to be no longer require because they're having to manage a budget.
So they're really trying to understand how do I increase my grip
on the security posture of my organization?
What tool sets are actually going to assist me with that?
What tool sets will compensate
and provide amplifying controls?
But I can't afford to run everything.
So I'm going to have to hunker down
into something smaller.
So how do I figure that one out?
Well, it needs to be threat-informed.
It needs to be intelligence-informed.
So you need to be thinking about what are the attackers
and their likely objectives for my organization
and how are they likely to come at me?
And therefore, what are the set of overlapping
and compensating controls that are going to help me most with that.
And if you've assessed that in terms of a risk,
then you can act upon that.
And so what you're looking to do, if you like,
is if you imagine like a hype cycle,
you're trying to say, okay, I've got my tools
that are absolutely hitting that sweet spot.
Am I getting the maximum out of those tools?
And I'll come back to that in a moment.
And then I've got tools that, you know what,
we've had for a while.
Security team might love them, you know,
but they may have to let go
because it's not really giving us what we need.
And what it's giving me is cost,
but also overhead in terms of spending time
with my analysts looking after those tools
and utilizing them.
So we need to stop that, exit that,
to make the time for the top of the hill.
And then there may be some tools that I've just bought, but the adoption isn't there. I haven't brought it up to
the top of the slope, so that's actually a failing control because it isn't implemented correctly.
That's kind of the challenge the organization has, is to create that. Now, if
you turn that end into a narrative that you have with your senior leaders, they now see you as running an efficient business
because you're taking those things into consideration.
And that's really important
because now you become investable
as a part of the business.
You're seen as part of the business.
Because the other thing that's happened
over the last sort of five years
is cyber threat is more than just
a data leak type issue.
It's more than a brand and reputation piece.
Fundamentally, if you suffer a cyber incident,
more than likely it will stop the business
because your business is fundamentally dependent
on its digital footprint,
whether that's for its employees,
how they interact with the organization,
whether it's how you organize
or interface with your marketplace,
indeed, you know, how you interact with your supply chain.
So we've seen evidence of businesses
that literally stop when they get hit with a cyber attack.
So now this is a business interruption risk,
which means it now has an equal seat at the table,
if you like, up at the C-level.
And so they want to know that you as a CISO have got grip.
What I mean by that is
you've got grip on the relevant threat environment, the relevant threats that are likely to cause us harm;
that you've got grip on our security posture against those threats; and then, fundamentally,
it means you've got grip on assuring the ability of our business to operate and grow,
and that completes the cycle of making the CISO an
investable part of the organization and a trusted partner in helping to put the right things in
place to assure the operation and growth of the business. I'm curious because I can understand
or imagine the impulse that a CISO might have of, I don't want to be the person who gets rid of the
tool that in retrospect, the board says, well, why didn't we continue that? That might have stopped
the breach. Do you understand that? I guess it's a fear-based motivation or avoidance.
It is. And your security for years and years has operated on a diet of fear.
Yeah.
But it shouldn't be operating on a diet of fear.
It should be operating on a diet of being informed.
So threat-informed defense is where the game is at
because we do have limited resources.
So we do need to double down on what's important.
And the way to think about it is, you know,
a lot of organizations, they organize their SOCs.
The teams there literally are just going through alerts. It's rinse and repeat, rinse and repeat, rinse, repeat. And they're almost like a junior soccer team. So they like
playing the game, and they turn up and they play the match without really thinking about who they're
playing against or who the next match is going to be against. Now, when you progress up in soccer and you get into more
professional teams, they analyze their opposition. They prepare for the next match and they think
about who they're going to be playing. And therefore they start to double down on the
right kind of playbooks, but also the right kind of overlapping and compensating and amplifying
controls. And that's really motivating actually for the SOC team because now they're
actually thinking about the game they're in. And that narrative can be taken up then to the
C-level and they feel part of the team as well. And it's hugely motivating, but also demoralizing
for the attackers because they're now playing against a professional team.
In terms of the folks making those presentations to the board
and winnowing down the number of tools that they're using and justifying that,
I would imagine that that's something that all the various leaders
of the various parts of a business are also doing.
Does the cyber group get more scrutiny than some of the others?
Is cyber just a bit more mysterious to the board members?
Or where do you suppose that stands?
Yes, cyber is mysterious to the board members
because it doesn't directly deliver the output of the business.
It protects the business's ability to operate.
So it's a little bit like it's a semi-black box.
They don't really understand why we have all this stuff.
And what does it do?
And they go to the SOC, and they're pleased,
and they see the big map of the world and things flashing around it,
because it gives them a kind of assurance
that, ah, we have command.
Ping, ping, ping.
Yes.
But they don't really know, you know,
what the utility is and all the various aspects for it.
And that's where I think it's important
for a modern CISO to be talking about threat,
to be talking about not just individual threats and indicators,
but actually proper attack chains and motivations
and how actors operate,
and give them a character,
give them a story that can be told.
Because then, you know, the business leaders understand
who's out there that's wishing to come at them
and for what reason and how that would happen.
But we've got it, right?
We've got the security posture under control.
We're monitoring it.
So it's in a dynamic way.
We can shift into heightened awareness
when we have something important happening in the business.
Maybe it's end of year.
Maybe there's a new product launch.
Maybe you're entering a new market.
We've done the risk assessment.
We've got the controls in place.
I'm giving you the assurance
that we have eliminated as much of the uncertainty about that next move, that next phase of growth from a cyber risk perspective. We have created cyber resilience in our operation.
That's Steve Benton from Anomali. Microsoft's Ann Johnson is the host of the Afternoon Cyber Tea podcast
right here on the Cyber Wire podcast network.
She recently spoke with Roland Cloutier about risk and resilience in the modern era.
Here's a segment from that conversation.
Today, I am thrilled to be joined by Roland Cloutier, who is currently principal at the Business Protection Group, which is an executive cybersecurity advisory firm.
Prior to the Business Protection Group, Roland was the global chief security officer at ByteDance and TikTok, one of the world's largest leading media, social,
and online technology companies. And prior to ByteDance and TikTok, Roland held chief security
and security leadership roles at ADP, EMC, Paradigm Technology, and more. Roland has also held roles
in law enforcement and is a veteran of the U.S. Air Force. With over 25 years of experience in the
military, law enforcement, and commercial
sector, Roland is one of today's leading experts in corporate and enterprise security, cyber defense
program development, and business operations protection. Welcome to Afternoon Cyber Tea,
Roland. And always great to be having a little chat with you over tea. Thanks for having me.
So look, the world has changed a lot since then, right? It's gotten more treacherous over the years.
Right now, I'm giving a talk with Nadav Zafrir from Team8 on geopolitical resilience at RSA, which is happening right after we're recording this.
And we're putting out a call to leaders that they have to think about how they're going to plan for geopolitical resilience as well as cyber resilience and these inevitable global events and the issues we're having.
I love your take on this. How do you think leaders and organizations are in need today to build
capabilities to ensure success amidst this challenging global environment? And what role
does the cyber team play in building these capabilities? It is such a multi-level question,
and not that I've lived this for the last few years, but I'll give you my take on it. So I think foundational, bottom line, basics, where
chief security officers, chief information security officers, EIEIOs, however you want
to look at them, they have to understand business resiliency and really that three-legged stool.
The business continuity and business impact analysis and how your business works.
They have to be business leaders.
They have to understand
the difference between disaster recovery
and continuity of operations
or old school, you know,
government folks like you and I,
kind of COOP.
And then that third component
is crisis management.
And not just cyber incident,
IR, crisis management.
I'm talking about business impacting events that require strategic and tactical senior level capabilities to manage through, you know, crisis problems for the entirety of the business. Understand what has to be in place in order for that organization to operate.
And what are the critical functions that impact the normal operations of business?
You're in a great spot.
You know, when I talk to your peers, they're talking a lot about technology, right?
They're starting to talk more about operations because they have to.
They're talking about business resilience and operational resilience because they have to. But I'd love to get your advice, but a lot of the companies I talk to,
right, and probably even people you talk to are more mature organizations. They're more mature
on their journey. So can we go to companies that are early around their journey? They don't have
the most mature security programs. They don't have the biggest budgets. They don't have the most
people. What fundamental decisions do they need to make right now or what discussion should they be having?
In the context of geopolitical issues or in the context broadly of being able to support the business itself?
Yeah, and I think that's a great clarification. I would love to talk about how they support the business, but then how do they support the business in dynamically changing times, right? What are like the must-haves that they should be doing right now?
All right, I'm going to take you in the Wayback Machine, because I still think it's fundamentally
important. As you know, Anne, I don't call security, security all the time. I often call it
business operations protection, because I really believe that's what we're there for. Whether you
work in a business or an agency, you're there for the assurance and continuity of operations and the protection of what they take to market.
And so if we can take a step back and do something as simple as what most MBAs would call Michael
Porter's value chain, but do a value chain assessment of the business. If you can sit down and understand how your business develops product,
takes product to market, makes money, and services and keeps clients in the context
of how your company operates, then you've gone a long way. Because, you know, we always say you
can't protect what you can't see. How can you protect the business what you don't understand?
I mean, just because you can protect the data center or a cloud compute infrastructure or a messaging platform or, or, or, it doesn't mean you understand it.
And it's the same with a business. CEOs, CPOs, CDOs, all the folks that are required to protect some level of operation in some way
or meet regulatory requirements, they need to start understanding that they need to assess
how their responsibilities goes across the entirety of the business and what they should
really be looking at. And the good thing that pops out of that is that not only do you know
how to protect your business, or you know what's critical to the operations of your organization, like a critical access protection program,
but you also understand how your business operates. And you can actually educate often
your company on how their company operates. You know, like, you know, if those two third parties
go away, we can't do revenue rec, nor can we deliver cloud compute services here.
Like those are big aha moments.
I've had aha moments in my life, Ann, where we've lost literally like a smoking hole in
the ground of a data center in Europe.
And, you know, I show up a couple of days after this, it's still smoldering.
And we're in the middle of a DR process and realizing that we didn't even understand
the extent on which continents
that that one data center impacted.
And for a CISO, a good way to start
is to get in front of their business
by helping map out their business.
And this is one of the most basic things
any chief security officer should be doing day one.
You can hear more of Ann Johnson's conversation
with Roland Cloutier on our website, thecyberwire.com.
Cyber threats are evolving every second and staying ahead is more than just a challenge. [...] give you total control, stopping unauthorized applications, securing sensitive data, and
ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company
safe and compliant. And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like the Cyber Wire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement
agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment,
your people. We make you smarter about your team while making your team smarter. Learn more at
n2k.com. This episode was produced by Liz Irvin and senior producer
Jennifer Eiben. Our mixer is Tré Hester with original music by Elliott Peltzman. The show
was written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps
tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.