CyberWire Daily - Hacktivism in a hybrid war. Pyongyang's [un]H0lyGh0st. Notes on the C2C market. Rewards for Justice seeks some righteous snitches.
Episode Date: July 29, 2022

Anonymous's hacktivism in a hybrid war. Pyongyang's [un]H0lyGh0st. Phishing in the IPFS. Update on the initial access criminal-to-criminal market and its effect on MSPs. Cyber gangs move away from malicious macros. Thomas Etheridge from CrowdStrike on managed detection and response. Rick Howard sits down with Art Poghosyan from Britive to discuss DevSecOps and Identity Management. And Rewards for Justice seeks some righteous snitches.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/145

Selected reading.
Putin 'embarrassed' as hackers launch cyber war on Russian President over Ukraine invasion (Express.co.uk)
Is Anonymous Rewriting the Rules of Cyberwarfare? Timeline of Their Attacks Against the Russian Government (Website Planet)
HolyGhost's Bargain Basement Approach To Ransomware (Digital Shadows)
IPFS: The New Hotbed of Phishing (Trustwave)
Threat Advisory: Hackers Are Selling Access to MSPs (Huntress): "We're currently monitoring a situation that entails a hacker selling access to an MSP with access to 50+ customers, totaling 1,000+ servers."
Experts warn of hacker claiming access to 50 U.S. companies through breached MSP (The Record by Recorded Future)
How Threat Actors Are Adapting to a Post-Macro World (Proofpoint)
Rewards for Justice – Reward Offer for Information on Russian Interference in U.S. Elections (United States Department of State)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Anonymous's hacktivism in a hybrid war. Pyongyang's [un]H0lyGh0st. Phishing in the IPFS. Update on the initial access criminal-to-criminal market and its effect on MSPs. Cyber gangs move away from malicious macros. Thomas Etheridge from CrowdStrike on managed detection and response. Rick Howard sits down with Art Poghosyan of Britive to discuss DevSecOps and identity management. And Rewards for Justice seeks some righteous snitches.
From the CyberWire studio at DataTribe, I'm Trey Hester with your CyberWire summary for Friday,
July 29, 2022.
Activists working their mischief against Russian networks have become, the Express reports,
an embarrassment to Russia's President Putin, who, like other proud spirits, cannot endure to be mocked. Website Planet has
published a long history of Anonymous's engagement against Russia in Moscow's war against Ukraine.
The report stresses a few points to bear in mind while assessing hacktivist contributions to any
war. There are difficulties of control and management with respect to any hacktivist activity, and Anonymous is particularly difficult to direct. Tweets of
official declarations of war against Russia, for example, don't really lend themselves to
any interpretation other than an expression of outrage. Where there are no officials,
it's difficult to see how any declaration of anything could be official. This point isn't an idle one.
One of the foundational principles of international norms of armed conflict
is that war should be entered into only by legitimate authority,
and that fighting units operate under the effective command of some responsible leadership.
While some hacktivist groups seem to operate under state control (some, like Russia's Killnet, seem little more than front groups for an intelligence service), and others, like the now possibly retired Conti, acted as privateers in conformity at least with broad state guidelines, it would seem that Anonymous has met neither of these norms. Anonymous has evolved its tactics and techniques.
Website Planet lists some of the recent developments, some of them designed to influence,
others to disrupt, and still others to intimidate.
The essayist is no apologist for Russia's war of aggression, but he's no fan of hacktivism either.
He cautions prospective hacktivists to look before they leap, especially since that leap may well be into legal trouble just about anywhere in the world.
Digital Shadows has released a report that offers more information on the North Korean ransomware group, Holy Ghost, earlier described by Microsoft on July 14th.
Holy Ghost targets small and medium-sized businesses for financial gain in ransomware attacks, and is known to use double extortion, which researchers define as, quote, combining an encryption of data and services with deliberate data exfiltration, end quote.
The group also operates a data leak site for victims' data.
Operating out of North Korea has its challenges for the group, however.
The group will probably have to pay a percentage of their profits to the government.
It will doubtless find it difficult to communicate and will have difficulty learning new techniques and recruiting new talent.
Holy Ghost is also known to charge a lower ransom than most gangs,
asking for ransoms of 1.2 to 5 Bitcoin,
with a willingness to lower ransoms in negotiations.
Researchers believe that Holy Ghost is a North Korean state-linked group, privateers and pure criminals being significantly less likely in a place where state intelligence does its stealing directly.
We asked Digital Shadows about this,
and Ivan Righi, senior threat intelligence analyst at Digital Shadows, offered a candid answer.
Quote, the exact relationship between Holy Ghost and North Korea is also unclear. However,
it is highly likely that Holy Ghost is at least a state-encouraged threat group,
meaning that they could be backed or supported by the North Korean government in one way or another. In addition, it is likely that the group has to share its profits
with the North Korean government, as it is difficult to believe that the group would be
able to operate without any type of supervision or limitations. End quote.
Trustwave SpiderLabs has released a report detailing phishing attacks that use the Interplanetary File System.
The IPFS is a distributed peer-to-peer file sharing system used to access and store files, websites, applications, and data. IPFS locates a file by its content address rather than its location. To access content, you need a gateway hostname and the content identifier of the file. IPFS aims to create a decentralized web that works over a P2P network in which shared files are distributed to other machines acting as nodes, making the content accessible whenever it is needed. Phishing attacks that target IPFS configurations are difficult to get rid of once they're in the network, because even if malicious content is removed from one node, it may remain available on another. Researchers note that it's also difficult to detect malicious traffic in a P2P network, making IPFS an ideal platform for phishers.
Multiple phishing websites have been observed impersonating such things as blockchain services and Google services,
as well as emails using an abused web hosting site and mimicking a billing receipt.
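Because IPFS addresses content by identifier rather than by host, the same phishing page can be reached through any public gateway, so a defender who blocks one gateway hostname has not removed the content. The following is an added example, not code from Trustwave or the CyberWire, of how a proxy-log triage script can recognise the two common gateway URL shapes described above, pull out the content identifier (CID), and group hits by CID so that one phishing kit served from several gateways shows up as one object. The CID regex is a heuristic covering CIDv0 (base58, "Qm...") and CIDv1 base32 ("b...") text forms; the gateway names and CIDs in the sample log are constructed placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Heuristic CID patterns (assumption: covers the two common textual forms).
# CIDv0: base58btc multihash, always 46 chars and starting with "Qm".
# CIDv1: lowercase base32 with multibase prefix "b" ("bafy..." is typical).
CID_RE = re.compile(r"^(Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{58,})$")


def extract_ipfs_reference(url):
    """Return (gateway_host, cid, path) for an IPFS gateway URL, else None.

    Two gateway URL shapes are recognised:
      path style:      https://<gateway>/ipfs/<cid>/<path>
      subdomain style: https://<cid>.ipfs.<gateway>/<path>
    Subdomain gateways can only carry case-insensitive (base32) CIDs,
    which is why lowercasing the hostname is safe here.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    parts = [p for p in parsed.path.split("/") if p]

    # Path style: the CID is the second path segment after "ipfs".
    if len(parts) >= 2 and parts[0] == "ipfs" and CID_RE.match(parts[1]):
        return host, parts[1], "/" + "/".join(parts[2:])

    # Subdomain style: the CID is the leftmost DNS label, followed by "ipfs".
    labels = host.split(".")
    if len(labels) >= 3 and labels[1] == "ipfs" and CID_RE.match(labels[0]):
        return ".".join(labels[2:]), labels[0], "/" + "/".join(parts)

    return None


def group_by_cid(log_lines):
    """Map each CID seen in the log lines to the sorted set of gateways it came through.

    Grouping on the CID rather than the hostname shows the true footprint of one
    piece of content: blocking a single gateway does not remove it from the network.
    """
    groups = defaultdict(set)
    for line in log_lines:
        for token in line.split():
            if "://" not in token:
                continue
            ref = extract_ipfs_reference(token)
            if ref:
                gateway, cid, _path = ref
                groups[cid].add(gateway)
    return {cid: sorted(gateways) for cid, gateways in groups.items()}


# Constructed sample proxy log lines (not real traffic). The CIDs are
# syntactically valid placeholders, not identifiers from any real campaign,
# and the gateway hostnames are reserved example names.
SAMPLE_LOG = [
    "2022-07-28T10:01:02Z user1 GET https://gateway-a.example/ipfs/QmDummyCidPhishKit123456789abcdefghjkmnpqrstuv/login.html 200",
    "2022-07-28T10:03:44Z user2 GET https://gateway-b.example/ipfs/QmDummyCidPhishKit123456789abcdefghjkmnpqrstuv/login.html 200",
    "2022-07-28T10:05:10Z user3 GET https://bafydummycidphishkitabcdefghijklmnopqrstuvwxyz2345672345672.ipfs.gateway-c.example/ 200",
    "2022-07-28T10:06:00Z user4 GET https://example.com/ipfs/not-a-cid 404",
    "2022-07-28T10:07:31Z user5 GET https://example.org/index.html 200",
]

if __name__ == "__main__":
    for cid, gateways in group_by_cid(SAMPLE_LOG).items():
        print(f"{cid}: seen via {', '.join(gateways)}")
```

The same CID appearing behind two different gateway hostnames is the signal to act on: a block or takedown request keyed on the CID covers every gateway, whereas a hostname block covers only the one a user happened to click.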
Huntress reports that following their discovery of a beeper thread communicating a cybercriminal's, quote, help wanted ad, they've discovered a tweet by @Intel_by_KELA sharing metrics for a United Kingdom company they're offering up as a potential victim. The tweet highlights the fact that the prospective victim has ransomware insurance.
Huntress says this tweet, along with earlier related announcements,
demonstrates a trend of specialization by initial access brokers.
An IAB is a threat actor looking to gain and then sell initial access to organizations.
The IABs are pure play C2C operations.
Being an IAB means you have specific skill sets needed to infiltrate and gain access to organizations, and you have the benefit of payment being handled, you hope, out of law
enforcement's view. KELA is an IAB that specializes in trading managed service provider access,
which makes them a particularly worrisome threat as a compromised MSP can lead to compromise of
the MSP's customers.
Microsoft's recent announcement about disabling macros by default seems to have already had an effect on criminal behavior. Proofpoint reports that it's seeing a gangland shift away from the
attacks based on macros and toward other vectors. Quote, threat actors are increasingly using
container files such as ISO and RAR and Windows shortcut files in campaigns
to distribute malware. Proofpoint has observed the use of VBA and XL4 macros decrease approximately
66% from October 2021 through June 2022 based on campaign data, end quote.
And finally, do you have any dirt you'd care to dish on a rogue oligarch? Well, you'll be nicely compensated.
The U.S. has been looking toward the security of the upcoming midterm elections
and is obviously interested in keeping Russian influence operators out of the mix.
The State Department's Rewards for Justice program tweeted an offer yesterday.
Do you work for Yevgeny Prigozhin and or Internet Research Agency?
Want to earn up to $10 million?
Let's chat. Drop us a line on the dark web. Mr. Prigozhin, a Russian oligarch close to President Putin,
ran a catering business favored by the Kremlin, hence his nickname, Putin's Chef.
He's known not only for his connection to the Internet Research Agency troll farm
and disinformation shop, but also as the proprietor of the Wagner Group,
the private military corporation that supplies Moscow with deniable mercenaries under contract.
He's come a long way from laying out the Bellini and the buffet line.
You never know where your career is going to take you, do you?
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their
controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30
frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access
reviews, and reporting, and helps you get security questionnaires done
five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform already been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
Our own Rick Howard sat down with Art Poghosyan of Britive to discuss DevSecOps and identity management.
I'm joined by Art Poghosyan, the CEO of Britive.
Welcome back to the CyberWire, Art.
Glad to be back, Rick.
A relatively new phrase in the cybersecurity lexicon is something called cloud security
posture management, or CSPM.
Can you take a swing at describing what that means to our listeners?
Cloud space, as we all know, it's a new and emerging technology space.
And now the cloud security posture management type solutions
are there to help security teams
to identify potential vulnerabilities,
security loopholes, so to speak,
that would expose that environment
to external attackers and bad actors and so on.
So it really helps us put some hygiene
around the cloud security environment. So these are scanners, you know, in the old days we used
to have scanners that check for open ports, you know, around the firewall, those kinds of things.
This is the same idea, but applied to multi-cloud environments?
Very similar to, as you mentioned, the vulnerability scanners for network, for hosts and so on.
The equivalent of servers and so on may not exist in a cloud because cloud technologies offer as a service, so to speak, right?
So we still need to scan the landscape and understand what's visible from outside.
So we're all trying to reduce the attack surface of our data islands.
We have data centers, we have mobile devices, we have multiple cloud deployments.
And the key and essential tactic in that effort is Identity and Access Management, or IAM.
But there's an entire galaxy of terms and phrases associated with that idea.
We have Identity Governance and Administration, IGA, which sounds to me a lot like IAM.
And then we have Privileged Identity Management, PIM, and Privileged Access Management, PAM.
Can you help us distinguish between those terms?
Let's start with IGA and IAM.
Are those the same thing, or is there subtle differences between the two?
Yeah, Rick, this has been one of the things that I always find interesting, how we get really creative with acronyms.
We let the marketing people go wild, and we need to rein them in, I guess.
True. Yeah, yeah, yeah.
The IGA category, Identity Governance Administration, at least from my perspective, does include the identity management. The governance piece introduces the process of regularly reviewing access and certifying
because many organizations are subject to regulatory
and compliance requirements.
Privileged access management is also more about
that subset of identities that require
much higher level of security controls.
Yeah, so when you throw governance into the identity,
government, governance, and administration phrase, that implies that someone's reviewing the policy.
And you mentioned before, there's various types of identities out there, right? There's the people,
and those can be employees, contractors, partners, you know, whoever else you want to get into your
material information workloads. But there's also devices like mobile devices, like laptops and phones.
And like you said, workload identities, I guess more than just applications running,
there are workloads doing a specific thing. So we need to have a policy for all those things.
Is that what we're talking about here?
Policy in the context of security controls, there's multiple ways security controls can be enforced. Policy happens to be one of the ways to enforce controls at a much more scalable and more efficient way.
If the specific identity or access management technology allows that policy-based control enforcement and the ongoing reviews and ability to compare what I have versus what policy I want to have,
kind of, again, goes back to that posture management and identification of the gaps.
It helps understand what my real world looks like versus what my policy tells me I need to have.
And so, of course, when we're trying to follow some sort of zero trust strategy,
we want to make sure that all these accounts, these employees, these contractors, these devices, and now
workloads, they have the minimum privileges that they need to do their job and keep it
that way.
But every once in a while, somebody needs to be privileged to do something important,
change some configuration setting.
And that's what privileged identity management is or privileged access management is to what
is the process we're going to elevate Rick's account privileges so he can make some change in the configuration.
Is that what we're talking about?
It's true.
It's very common in the non-cloud or on-premise world, Rick, at least from my experience. This is kind of the standard scenario for privilege elevation. And the concept of least privilege enforces the smallest possible scope
without really preventing the admin to do their job. That's the concept of least privilege.
Now, when you bring it to the cloud world, here's what we're seeing that's a lot more of a popular
and more of a common trend. It, especially when you step into the agile development
in the DevOps world, a lot of the users actually,
almost everything they do on a daily basis
could be qualified as a privileged activity.
Like, for example, spinning up AWS resources,
storage resources, computer resources,
Lambda and so on, on a daily basis.
And it's like normal work for them.
When you step into that world,
that occasionally having to step up your access level
to privilege no longer holds true.
It's like your normal level of privilege.
That's why privileges in the cloud
and privileged activity and access in the cloud,
it's kind of a whole different beast
from the security standpoint.
Well, it's all good stuff, Art, but we're going to have to leave it there. That's Art Poghosyan, the CEO of Britive. Thanks for coming on the show.
Thank you, Rick.
There's a lot more to this conversation. If you want to hear more, head on over to CyberWire Pro
and sign up for Interview Selects, where you'll get access to this and many more extended interviews.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing
sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com
today to see how a default-deny approach can keep your company safe and compliant.
And joining me once again is Thomas Etheridge.
He's Senior Vice President of Services at CrowdStrike.
Thomas, always great to welcome you back to the show.
I want to touch base with you today on MDR, that's Managed Detection and Response.
What can you share with us today?
Thanks, Dave. It's great to be back.
Managed Detection and Response, MDR, is a term
that's been around for a couple of years now. The way CrowdStrike looks at that, it's really about
focusing on outcomes. Organizations need, and in some cases require, the ability to be able to
get visibility across all their endpoint estate, identify, see incidents
in real time when they're happening, and be able to remediate those incidents quickly
enough so that a small incident doesn't become a big breach.
And that is what MDR is designed to focus in on.
It's managing your endpoints, detecting and responding to incidents when they occur, and then remediating those incidents so that a small incident doesn't become a big one.
You know, particularly for those small and medium-sized businesses, is this something that's approachable for them?
Can they achieve something with this?
The answer is absolutely. MDR really is designed in many cases to help supplement and offset the gaps that many smaller organizations are struggling with in terms of staffing and skills to be able to respond quickly enough and detect and remediate incidents fast enough so that they don't become a big problem. And MDR capabilities, if brought to the market properly, that are focused on outcomes
and delivering results to organizations, those things can help in a big way fill some of those
skill and resourcing gaps.
Can you help me understand what exactly MDR does do, but then also some of the things that it doesn't do?
So MDR, from a CrowdStrike perspective, really is focused
around providing for deployment, wide scale of leading EDR capability that provides a rich visibility
across all the endpoints in an environment.
A team of folks that operate 24-7, 365
to threat hunt on that environment,
identify any incidents of hands-on keyboard activity
as well as any malicious code or nuisance code that's operating in the environment that may
have been deployed there through a phishing click, as an example, and be able to remediate those
incidents and those small inconsistencies in an environment faster than a threat actor can take
advantage of them to carry out their trade and move laterally and potentially deploy ransomware.
So it's really about delivering end-to-end security monitoring, deployment and management, and remediation capability.
Unlike what typical managed service providers might offer in terms of systems remediation, where you're doing a full disk re-imaging, you know, redeploying infrastructure,
really what most MDR service providers, including Falcon, CrowdStrike's MDR, do is surgical remediation.
So we keep business up and running, operational with the least amount of disruption as possible.
That's done through the tooling and the technology and the excellent skills of the people that sit in the MDR.
What about some of the other expenses that a business faces?
We're looking at growing costs for things like cyber insurance.
Does MDR help ease some of the pressure there?
It absolutely does, Dave. We've seen a huge adoption rate and great feedback from insurance carriers
with the adoption of MDR for organizations. They've been bitten by this outbreak in prolific ransomware across the globe. And they're also savvy to the
fact that threat actors are moving with a lot of ease through the use of stolen credentials,
as well as through stealthy tactics to remain persistent in an organization's environment.
MDR capabilities allow for organizations to move faster and to deliver the kind of remediation capabilities
that prevent threats from escalating quickly in an environment.
And those are the things that, from an insurance perspective, lower that risk.
What are your recommendations for an organization that's shopping around for
this? It feels as though this is something they want to engage with. What sort of questions should
they be asking to make sure they get the best fit for them?
Well, as I said, I'm a huge fan of outcomes. So I would really be focusing in on questions that discern whether or not your MDR provider is staffing 24-7, 365 days a year, if they're
providing threat hunting capabilities with that MDR, human-based threat hunting capabilities with
a team of folks that know how to discern between legitimate user activity and threat actor
activity. And if the remediation capabilities go beyond simply
opening up a service ticket or sending an alert to another team that's required to follow up and
do the remediation, if your MDR is actually in a hands-on way delivering surgical remediation
capabilities that are not disruptive to the business and solving that
security gap, that is a key element of a successful and impactful MDR capability.
All right. Well, Thomas Etheridge, thanks for joining us.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out this weekend's episode of Research Saturday,
where Dave Bittner sits down with Israel Barak from Cybereason to discuss Operation CuckooBees,
Cybereason's uncovering of a massive Chinese intellectual property theft operation.
That's Research Saturday.
Check it out.
The Cyber Wire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technology.
Our amazing Cyber Wire team is Elliott Peltzman,
Brandon Karpf, Eliana White,
Puru Prakash, Justin Sabie, Liz Irvin,
Rachel Gelfand, Tim Nodar,
Joe Carrigan, Carole Theriault,
Ben Yelin, Nick Veliky, Gina Johnson,
Bennett Moe, Chris Russell, John Petrik,
Jennifer Eiben, Rick Howard,
Peter Kilpe, and I'm Trey Hester,
filling in for Dave Bittner. Thanks for listening.
See you back here next week.
Secure AI agents connect, prepare, and automate your data workflows, helping you gain
insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.