CyberWire Daily - Hacktivism in two hybrid wars (with an excursus on gastropods).

Episode Date: November 1, 2023

The Hamas-Israel war continues to be marked by hacktivism. Arid Viper's exploitation of Arabic speakers' Android devices. Iran shows improved cyberespionage capabilities. A URL shortener in the C2C market. Taking down the Mozi botnet. Ransomware in healthcare. Two Russians are arrested on treason charges, accused of hacking for Ukraine. In our sponsored Industry Voices segment, Anna Belak from Sysdig shares a new threat framework for the cloud. Rick Howard previews his new online course on cyber security first principles. And no, Russia hasn't really replaced its currency with Arctic Ocean gastropods.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/209

Selected reading.
'Hacktivists' join the front lines in Israel-Hamas war (C4ISRNet)
The global cyber divide between Gaza and Israel (IT-Online)
Arid Viper disguising mobile spyware as updates for non-malicious Android applications (Cisco Talos Blog)
In Cyberattacks, Iran Shows Signs of Improved Hacking Capabilities (New York Times)
FBI 'keeping a close eye' on Iranian hackers as Israel-Hamas war intensifies (Record)
Why Iran Is Gambling on Hamas (Foreign Affairs)
To Aid and Abet: Prolific Puma Helps Cybercriminals Evade Detection (Infoblox Blog)
Who killed Mozi? Finally putting the IoT zombie botnet in its grave (ESET)
The State of Ransomware in Healthcare 2023 (Sophos)
Russian security service detains two hackers allegedly working for Ukraine (Record)
Pro-Ukraine group says it breached Russian card payment system (Record)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. The Hamas-Israel war continues to be marked by hacktivism. Arid Viper's exploitation of Arabic speakers' Android devices. Iran shows improved cyber espionage capabilities. A URL shortener in the C2C market. Taking down the Mozi botnet. Ransomware in healthcare. Two Russians are arrested on treason charges, accused of hacking for Ukraine.
Starting point is 00:02:23 In our Industry Voices segment, Anna Belak, Director of the Office of Cybersecurity Strategy at Sysdig, shares a new threat framework for the cloud. Rick Howard previews his new online course on cybersecurity first principles. And no, Russia hasn't really replaced its currency with Arctic Ocean gastropods. I'm Dave Bittner with your CyberWire Intel briefing for Wednesday, November 1st, 2023. We begin with a look at some of the cyber activity surrounding the war between Hamas and Israel.
Starting point is 00:03:19 Hacktivists on both sides continue nuisance-level engagement with targets in Israel and Gaza. C4ISRNet writes, such attacks are relatively unsophisticated and have little consequence on national security operations, experts said. While a vandalized website can disconcert the public, it likely does not sidetrack military operations. The outlines of the cyber phases of the current war remain unclear, but IT-Online has a useful table of known hacktivist groups on both sides, with their allegiance and specialties listed. They're geographically widely scattered. A few of them, like Anonymous Sudan, which is a Russian front group, are state-run.
Starting point is 00:04:03 But so far, this war is unusual for the prominence of true hacktivists. Cisco Talos yesterday published a report on recent activity by Arid Viper, the espionage group based in Gaza and generally held to be affiliated with Hamas. The campaign socially engineers its targets to install malicious software masquerading as an update for the otherwise legitimate dating app Skipped. There's enough overlap in code with Skipped to suggest, according to Talos, that the Arid Viper operators are either linked to Skipped's developer or somehow gained illicit access to the shared project's database. Once installed, the spyware disables security notifications, collects and exfiltrates a wide range of sensitive information, and establishes a backdoor for installation of other malware on the device. Despite Arid Viper's association with Hamas, Cisco Talos is agnostic as to whether the
Starting point is 00:05:02 cyber espionage campaign is related to the current war with Israel. The operation seems to precede last month's Hamas attack by some months. The researchers say it was active during 2022. A sponsor and ally of Hamas, Iran, has shown a recent increase in its cyber espionage capabilities. The New York Times reports that Tehran has mounted ongoing cyber espionage campaigns against regional rivals, especially Israel, but also Saudi Arabia and Jordan. The campaign's primary goal, according to Check Point Research, which the Times cites, appears to be espionage, with the secondary purpose of battle space preparation
Starting point is 00:05:43 for possible future disabling cyber attacks. The FBI is on alert for increased Iranian cyber espionage, according to the Record. Infoblox describes Prolific Puma, a threat actor that provides a URL shortening service to cyber criminals. Infoblox says they create domain names with an RDGA and use these domains to provide a link shortening service to other malicious actors, helping them evade detection while they distribute phishing, scams, and malware. The researchers note Prolific Puma has registered thousands of domains in the .us TLD since May 2023. This is remarkable because, according to the .us TLD Nexus Requirements policy, only US citizens or US-affiliated businesses are eligible to register domains in it.
Starting point is 00:06:35 Moreover, the .us TLD requires transparency. No domain names may be registered privately. As a result, the email address, name, street address, and phone number associated with the domain are publicly available. While this might seem a likely deterrent to crime, it has not been effective. The .us TLD is well known for abuse. Why do the crooks like shortened URLs? It makes it a little tougher for alert users to see where that link is actually going to carry them. ESET has published an analysis of the August 2023 disruption of the Mozi botnet, noting that the botnet contained a kill switch that was targeted by an unknown operator. ESET says,
Starting point is 00:07:18 We spotted the control payload configuration file inside a user datagram protocol message that was missing the typical encapsulation of BitTorrent's distributed sloppy hash table protocol. The person behind the takedown sent the control payload eight times, each time instructing the bot to download and install an update of itself via HTTP. Researchers add that the kill switch was likely added by Mozi's developers themselves, stating, this leads us to the hypothesis suggesting two potential originators of this takedown, the Mozi botnet creators or Chinese law enforcement forcing the cooperation of the creators. The sequential targeting of bots in India and then China suggests that the takedown was carried out deliberately, with one country targeted first and the other a week later.
Starting point is 00:08:11 Sophos has published a report looking at ransomware in the healthcare industry, finding that attackers succeeded in encrypting data in nearly three-quarters of attacks. Sophos says this is the highest rate of encryption in the past three years and a significant increase from the 61% of healthcare organizations that reported having their data encrypted last year. In 37% of successful attacks, the criminals also stole data. Compromised credentials were the most common root cause of ransomware attacks in the sector. The researchers also found that healthcare organizations are now taking longer to recover, with 47% recovering in a week compared to 54%
Starting point is 00:08:52 last year. Additionally, the report notes the number of healthcare organizations surveyed that paid ransom payments declined from 61% last year to 42% this year. This is lower than the cross-sector average of 46%. Two men in Russia have been arrested on charges of treason in connection with hacking incidents. They're accused of participating in cyberattacks against Russian targets. Both men were computer scientists, and both were arrested in Siberia. The FSB, which has them in custody, hasn't said whether the two men's activities were related. Both are charged under Article 275 of the Criminal Code of the Russian Federation, that is, with high treason in the form of providing assistance to a foreign state or foreign organization,
Starting point is 00:09:43 and face sentences upon conviction of 20 years to life. Kommersant reports that the FSB says both men were working under the direction of Ukrainian intelligence services. The Record reports that Ukrainian hacktivist auxiliaries associated with DumpForums and the Ukrainian Cyber Alliance defaced the website of NSPK, the Russian government-operated paycard system. They also claim to have taken some 30 gigabytes of data from the system and have posted a screenshot of a folder as evidence of their success. That, of course, is far from a conclusive proof of hack. NSPK confirmed to TASS that its website had been defaced, but denied that any data had been compromised.
Starting point is 00:10:30 The bank says that the Mir payment system itself was uncompromised. All user data, says NSPK, are safe. The defaced website was run by a third-party contractor, and therefore the attackers had no ability to pivot into sensitive data. Maybe, but third-party responsibility is no more proof of security than a screenshot of a folder is proof of hack. Mir, whose name has the double meaning of world and peace, was established to bucket along as a domestic alternative to Western payment systems like Visa and MasterCard. Since the invasion of Ukraine, sanctions have left Russians on thin financial services ice,
Starting point is 00:11:12 and Mir is intended to give them a reliably accessible payment method. It's not much good for foreign travel, unless you're traveling to Belarus, Cuba, or Venezuela, in which case you might be able to use your charge plate in Minsk or Havana or Caracas if you found something you wanted to buy. The message DumpForums put on the NSPK site announces that Russia has left the ruble zone and has adopted cowrie shells as its currency provisionally
Starting point is 00:11:41 until it can upgrade its currency with sea snails from the Arctic Ocean. The authors are satirists, of course. Russia's central bank isn't really going on the gastropod standard. Coming up after the break, Anna Belak, Director of the Office of Cybersecurity Strategy at Sysdig, shares a new threat framework for the cloud. Rick Howard previews his new online course on cybersecurity first principles. Stick around. Do you know the status of your compliance controls right now? Like, right now.
Starting point is 00:12:35 We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Starting point is 00:13:13 Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home. Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:14:19 Anna Belak is Director of the Office of Cybersecurity Strategy at Sysdig. In this sponsored Industry Voices segment, I speak with her about a new threat framework for the cloud. To be honest, I think we find them all over the place. Some folks are just getting started, even though it feels like cloud's been around forever. Some folks were the pioneers, and so they are actually incredibly mature, and they're doing very, very complex things at massive scale in cloud. Our customers tend to veer more to the higher maturity side because they've been adopting containers
Starting point is 00:14:52 and DevOps and Kubernetes for, in some cases, almost a decade now. But we see all kinds of folks and the migration continues, sort of probably will continue for the next, I don't know, decade or two. And I know you and your colleagues there at Sysdig are advocating for a new mindset when it comes to cloud security. What exactly are you all pursuing here?
Starting point is 00:15:15 Yeah, so we are into embracing the cloud way of operating in the cloud, which sounds obvious, but I think one of the biggest mistakes that organizations make when they move to cloud is they take their on-premise mindset and habits and operating models with them, and then they try to operate that way in the cloud, which doesn't really work. And there's lots of reasons why it doesn't work, but one of them is actually that you're failing to take advantage of the programmability of the cloud infrastructure. So you're able to do everything as code, you're able to do a lot of on-demand scaling, for example,
Starting point is 00:15:52 and you're able to create these environments that are basically built for purpose and then disappear very quickly when they're no longer needed. That's really powerful, but it creates some interesting problems for security. So one of the things that Sysdig is the most known for, perhaps, is threat detection in modern environments. So when you're talking about deploying applications built in containers, for example, one issue is that those containers live for less than five minutes on average. So that workload can come and go, and you may have never seen it in any of your legacy tooling. So we're trying to provide tooling and then help people build process around tooling
Starting point is 00:16:28 that is able to deal with those kinds of scenarios. Well, you're promoting a new benchmark here. You call it the 555 benchmark. What exactly does that entail? Yes, people love benchmarks, of course. Our threat research team is constantly watching what we call the threat landscape. So they are seeing what the bad guys are doing in the cloud because that lets us create the best kind of content, I mean, detection content, to protect our customers, right?
Starting point is 00:16:56 And so one of the things that we reported in our most recent threat report is that the average length of a cloud attack is about 10 minutes. So that's 10 minutes from when an attacker finds your exposed environment, like from when an attacker finds you to when they're able to do damage to your systems.
Starting point is 00:17:16 And that's incredibly short, right? Like, for reference, we know that Mandiant reports a dwell time of about 16 days, which means it's how long the attacker is in your environment, typically on-premise, until you discover them. And there are all kinds of other data points that are on the range of minutes, hours, days, or sometimes weeks and months for how long attackers hang around. So in cloud, they don't hang around much. They come in, they do a bunch of things, and then they're out in 10 minutes having potentially stolen something or taken something down or caused some other kinds of damage. Well, let's unpack this 555. What
Starting point is 00:17:50 does that represent? Yeah, so 555 is inspired by the 10-minute time frame, because what we're seeing basically is attackers are accelerating what they're doing, in part because they leverage the benefits of cloud that I mentioned earlier, right? They use a ton of automation. They use scripting. They actually leverage the cloud services and abuse the cloud services. And they abuse things like CloudFormation or Terraform that we all use for building cloud infrastructure. So 555 basically says that if you are able to detect all of the necessary signals within five seconds, if you're able to correlate them to each other so that you can triage what's really going on, because one signal is usually not enough information,
Starting point is 00:18:32 in security you need a lot of context to know that something is really scary rather than just some mundane admin activity, and then five minutes to begin incident response. This sounds to me like a high velocity operation here. Are we talking about leaning on a good bit of automation? Yes, exactly. Automation is going to play a key
Starting point is 00:18:54 role. Obviously, you can't automate everything. Our argument is that the cloud allows you to automate a lot. You have access to a lot of API-based infrastructure now. You have access to a lot of modern tools that are built around version-controlled systems and the DevOps workflows. And so you are able to actually, for example, describe your entire infrastructure, applications, workloads, everything, configuration around them in code. And then you can store that code in a repository.
Starting point is 00:19:23 You can very quickly deploy that or redeploy that, should it come down, in case there's an incident. So on the one hand, things like downtime that were a huge concern when we were responding to incidents on-premise can be less of a concern because it's much more straightforward to bring an environment back, and you're much more likely to actually get it back in the same state that it was originally running in. I will say that when we talk about incident response and automation of incident
Starting point is 00:19:48 response, a lot of people recoil in horror because there's always the fear that you're going to irreparably break something. And many elements of that process have to be manual, right? You have to go and call certain people into the room. You have to have these conversations because you could have potentially huge business impacts with what you're doing. But the point is that if you automate away the simple stuff, the stuff that is definitely automatable, there's no reason why crypto miners should be running in AWS instances or any cloud instances. Because why? It's ridiculous. So if you automate away the simple stuff,
Starting point is 00:20:19 then it gives you a lot more time and breathing room to deal with the more complex manual stuff that will always be there. So for organizations that find themselves in regulatory regimes, and I'm thinking of, you know, particularly we've seen increased scrutiny from the SEC, for example, how does this align with those realities? That's a great question. It's a very timely question, and it kind of made our work on this framework all the more relevant, sort of on accident. And yeah, so the SEC has, they've actually been speaking about this for a while, but they published their disclosures about incident response, that you have to disclose a material incident within four days. And we know that four days in the grand scheme of how long it usually takes folks to identify that they've been breached is just very short, right?
Starting point is 00:21:03 Like I think the IBM report numbers are on the order of 200-some days is how long it usually takes. So four days is very fast. Basically, from where we sit, I don't know how you can disclose a material breach within four days if you don't have an incident response team that is able to react on the timescales that we're talking about. So again, 10 minutes sounds fast, but when you've got to tell the SEC in four days, 10 minutes seems like it's not that fast after all.
Starting point is 00:21:28 That's Anna Belak, Director of the Office of Cybersecurity Strategy at Sysdig. It is always my pleasure to welcome back to the show Rick Howard. He is the CyberWire's Chief Security Officer, also our Chief Analyst. Rick, welcome back. Hey, Dave. So you have been doing the CSO Perspectives podcast now for a little over three years, and I was doing some quick back-of-the-envelope math. That's 14 seasons, 124 episodes. You're catching up on me, Rick, when it comes to content. You've been mostly concentrating on this notion of cybersecurity first principles,
Starting point is 00:22:22 and I've been talking to you about that idea before you joined the CyberWire, but for the uninitiated, what are we talking about here with first principles? Well, I've been doing this cybersecurity thing for a long time, some 30 years now. And about five years ago, I started to get this nagging feeling at the back of my neck that maybe all the best practices that the InfoSec community has collected over the last, say, three decades, and even before that, like, you know, the CIA triad and malicious tool prevention, incident response, the NIST Cybersecurity Framework, and, you know, just compliance in general, haven't really slowed down cyber criminals, cyber spies, or cyber activists at all.
Starting point is 00:23:05 And I'm not saying that these best practices are not good things to do. I'm just saying that perhaps as a community, we haven't totally discovered the essence of the problem. With the CSO Perspectives podcast, I was able to spend some time unearthing the edges of what exactly that might be. So when you say essence of the problem, is that what a first principle is? Yeah, the idea of first principles has been around since, you know, the beginning of scientific thought. I mean, all the way back to Aristotle and Descartes. They wrote about how in order to solve some mind-numbingly complex problems, you had to reduce it down to its atomic elements, something that everybody in the field could agree was the thing that we were all trying to solve, and then work your way back from there.
Starting point is 00:23:49 Modern-day big thinkers like, you know, Reed Hastings, who, as the Netflix CEO, revolutionized how we all consume movies, used first-principle thinking to do it. And our hero, Elon Musk, is the CEO of SpaceX. He used first-principle thinking to design reusable spacecraft. All right. Well, you started thinking about that. What was the absolute cybersecurity first principle? Right.
Starting point is 00:24:14 We explored these ideas on the CSO Perspectives podcast. And after about two years of that, I realized that we had enough material and solidified the idea enough that we published a book on the subject. And I should say the book is called Cybersecurity First Principles. Very original, Rick. A reboot of Strategy and Tactics. So let's get down to brass tacks here. I mean, what is the absolute cybersecurity first principle?
Starting point is 00:24:40 Jeez, Dave, go right for the spoiler. Okay, jeez. So, in the book, I make the case that this is the atomic first principle that all of us should be pursuing. Here it is. Reduce the probability of material impact due to a cyber event in the next, say, three to five years. Okay. Well, the good news for us is that our colleagues over on the N2K training side of the business have just created a course that is dedicated to this very idea. Yeah, that's right. And we're all very proud of it. It's an on-demand course featuring me, yours truly, as the instructor. And I make the case as to why I think that's the absolute first principle and then go over the follow-on strategies that you
Starting point is 00:25:22 might pursue to achieve it. Things like zero trust, automation, resilience, intrusion kill chain prevention, and risk forecasting. Well, where can we go get more information about the course? All right, so this is a kind of a crazy URL, but here it is: www.n2k.com slash first hyphen principles hyphen preview. So that wraps up the time. Maybe just go to the website and search for it. Yeah, maybe that would be better. All right.
Starting point is 00:25:52 Well, I am looking forward to checking it out myself here. I know we've seen lots of folks have had just excellent reviews of the book, you know, people saying that you really crystallize their thoughts, that, you know, after decades of being in the industry, this was one of the first times that they've seen someone sort of encapsulate what they were thinking. So thank you. I appreciate you saying that. I think I did, but, you know, you never know how crazy I might be.
Starting point is 00:26:19 So please read the book and let me know what you think. Well, I know how crazy you are, and I'm friends with you anyway. Thank you, David. I appreciate that. I encourage everyone to, first of all, check out the book. It is a good read. But then also check out the course. You can do that over at n2k.com. Rick Howard, thanks so much for joining us. challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com
Starting point is 00:27:23 today to see how a default-deny approach can keep your company safe and compliant. With TD Direct Investing, new and existing clients could get 1% cash back. Great. That's 1% closer to being part of the 1%. Maybe, but definitely 100% closer to getting 1% cash back with TD Direct Investing. Conditions apply. Offer ends January 31st, 2025. Visit td.com slash dioffer to learn more. And that's The CyberWire.
Starting point is 00:28:18 For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting Thank you. your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe,
Starting point is 00:29:16 and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Thank you.
