CyberWire Daily - Hertzbleed, a troublesome feature of processors. Cyberespionage and hybrid war. Patch Tuesday notes. Software bills of materials. Wannabe cybercrooks and criminal publicity stunts.

Episode Date: June 15, 2022

The Hertzbleed side-channel issue affects Intel and AMD processors. An Iranian spearphishing campaign prospected former Israeli officials. Patch Tuesday notes. A look at software bills of materials. Russia routes occupied Ukraine's Internet traffic through Russia. Intercepts in the hybrid war: the odd and the ugly. Deepen Desai from Zscaler joins us with the latest numbers on ransomware. Rob Boyce from Accenture Security looks at cyber invisibility. And, finally, criminal wannabes and criminal publicity stunts. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/115

Selected reading.
A new vulnerability in Intel and AMD CPUs lets hackers steal encryption keys (Ars Technica)
Iranian Spear-Phishing Operation Targets Former Israeli and US High-Ranking Officials (Check Point Research)
Microsoft June 2022 Patch Tuesday fixes 1 zero-day, 55 flaws (BleepingComputer)
Microsoft Releases June 2022 Security Updates (CISA)
Windows Updates Patch Actively Exploited 'Follina' Vulnerability (SecurityWeek)
Adobe Plugs 46 Security Flaws on Patch Tuesday (SecurityWeek)
Citrix Releases Security Updates for Application Delivery Management (CISA)
SAP Releases June 2022 Security Updates (CISA)
So long, Internet Explorer. The browser retires today (AP NEWS)
SBOM in Action: finding vulnerabilities with a Software Bill of Materials (Google Online Security Blog)
Russia Is Taking Over Ukraine's Internet (Wired)
Belarusian hacktivist group releases purported Belarusian wiretapped audio of Russian embassy (CyberScoop)
Intercepted call: Russian plan to send PoWs out into minefields (The Telegraph)
Hacker Advertises 'Crappy' Ransomware on Instagram (Vice)
LockBit Ransomware Compromise of Mandiant Not Supported by Any Evidence, May Be a PR Move by Cybercrime Gang (CPO Magazine)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 The Hertzbleed side channel issue affects Intel and AMD processors. An Iranian spear phishing campaign prospected former Israeli officials. We've got Patch Tuesday notes. A look at software bills of materials.
Starting point is 00:02:15 Russia routes occupied Ukraine's internet traffic through Russia. Intercepts in the hybrid war. The odd and the ugly. Deepen Desai from Zscaler joins us with the latest numbers on ransomware. Rob Boyce from Accenture Security looks at cyber invisibility. And finally, criminal wannabes and criminal publicity stunts. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, June 15th, 2022. Researchers from the University of Texas at Austin, the University of Illinois Urbana-Champaign,
Starting point is 00:03:09 and the University of Washington describe Hertzbleed, so-called from the measure of frequency, Hertz, and also a punning allusion to the earlier Heartbleed vulnerability. The researchers characterize Hertzbleed as a new family of side channel attacks, frequency side channels. Under the right circumstances, an attacker could extract encryption keys via remote timing. Hertzbleed is a difficult issue to address since, as the researchers point out, it's not really a bug but a feature of how the processors function. Intel has issued workarounds to mitigate the risk of exploitation. Check Point describes a complicated spear phishing campaign that prospected former Israeli officials and some American targets as well. It used personas
Starting point is 00:04:00 and subjects tailored to the target's interests, and it employed URL shorteners to further obfuscate the social engineering. The threat actor used a legitimate service, Namecheap's Validation.com Identity Verification Service, to lend further credibility to their approach. Check Point attributes the campaign to the Phosphorus APT, long associated with Tehran's intelligence and security services. Yesterday was Patch Tuesday. Microsoft issued 55 patches, including one that addressed the widely exploited Follina vulnerability. Adobe and SAP also patched their products. And today, Wednesday, marked the long-anticipated retirement of Internet Explorer. Microsoft has ended support for its once-widely-used browser.
Starting point is 00:04:51 The U.S. Cybersecurity and Infrastructure Security Agency yesterday released three industrial control system security advisories covering devices from Johnson Controls, Meridian, and Mitsubishi Electric. Other ICS issues were also addressed. Security Week reports that Siemens and Schneider Electric, between them, patched 83 vulnerabilities in their products. Siemens addressed 59 vulnerabilities in 14 advisories, and Schneider Electric fixed 24 vulnerabilities covered in 8 advisories. Google reports a considerable increase in efforts to adopt software bills of materials, SBOMs. SBOMs list all of the components, libraries, and modules needed to build a piece of software.
Starting point is 00:05:39 The National Institute of Standards and Technology, that's NIST, released its Secure Software Development Framework, requiring that SBOM information be available for software, which gave an additional boost to the use of SBOMs. Google emphasizes, however, that SBOMs need to be used and mapped onto known vulnerabilities to highlight what could pose a threat. They offer an example from a Kubernetes SBOM. They mapped it against the Open Source Vulnerabilities database and found that version 1.21.3 of Kubernetes contains the CVE-2020-26160 vulnerability. The usage of the SBOM in this case allows consumers using this version of Kubernetes to be aware of and address the vulnerability and remediate the issues.
Starting point is 00:06:28 A future with widespread SBOM adoption will allow for more user awareness of the components and risks found in the software they consume regularly. Control of media and communications continues to advance as a matter of occupation policy in those areas of Ukraine that Russia controls. Wired describes how Internet traffic in particular has received close Russian attention. In some vicinities in Ukraine, Internet service providers have been forced to reconfigure to connect through Miranda Media, a Russian operation. Mobile networks are receiving comparable attention, with hitherto unknown companies now providing mobile service in those
Starting point is 00:07:11 areas. The integration of the occupied region's internet and telecommunications into Russia has been used to disseminate Russian disinformation and propaganda. It's also part of an ongoing campaign of Russification that's extended to such matters as financial services and nominal citizenship, imposing the ruble as the local currency and issuing Russian passports to civilians who remain in the occupied regions. CyberScoop reports that the Belarusian Cyber Partisans, a dissident group opposed to the continued rule of President Lukashenko, has released what it says are telephone conversations between the Russian embassy and Russian consulate that suggest the Moscow-Minsk alliance is less fraternal than it's publicly represented to be.
Starting point is 00:08:01 The Cyber Partisans call their interception campaign Operation Heat Wave. The Cyber Partisans suggest that the recordings were made by the Belarusian government itself, an unbrotherly gesture, in the Cyber Partisans' view. In any case, the content of the calls they've released is remarkably anodyne. Discussion of setting up a new facility, calls from people asking about their COVID vaccination certificates, inquiries about immigration, a request for advice on how to get a tow truck to Kursk, and so on. There's some mild bureaucratic buck passing, but on the whole, the staff in the embassy and consulate seem patient and conscientious enough. The Cyber Partisans say they've got more coming, but if they're hoping for a greater effect, they should look for scandal, vilification,
Starting point is 00:08:56 double-dealing, and so on. The material they've released so far doesn't at all show the Russian diplomatic staff in a bad light. We don't know, but so far at least, they seem nice. Far from anodyne, however, is another recording of an intercepted call. Collected and released by Ukraine's SBU, the Security Service of Ukraine, the call, which the SBU says was between two Russian intelligence officers, discusses using Ukrainian detainees to clear mines and unexploded ordnance from Mariupol. The Telegraph reports that the number of prisoners Russian forces have taken in the region is unknown, but is believed to total roughly 2,000. How they are being used for mine clearance isn't specified, although the two speakers talk about having the detainees dig trenches and sleep in them. But it seems unlikely that prisoners would be issued proper mine-clearing equipment,
Starting point is 00:09:49 and in any case, explosive ordnance disposal isn't a job for the untrained and unled. Using prisoners of war in this fashion, whether they're being driven across minefields or simply put to work on military projects, is a violation of the Geneva Conventions. If the recording is authentic, the two speakers are casually alluding to and conducting low-level planning for a war crime. They seem banal, with no screaming and only minimal swearing, but they don't sound nice at all.
Starting point is 00:10:20 War criminals never do. Vice reports that some guy, either a lower-tier hacker or just some kind of wannabe, had posted an ad since taken down for what Vice calls crappy ransomware. A picture that accompanied the ad showed the hand of the proprietor on the steering wheel of a BMW holding a blunt. The beamer is, of course, a symbol of success. The blunt, which Vice sniffs, appears to be unlit, symbolizes the transgressive, untouchable, what-the-hell pursuit of pleasure. Anywho, it seems kind of dopey to advertise ransomware as a service on Instagram, of all places, and the low quality of the offering indicates that there's junk for sale in the C2C market too.
Starting point is 00:11:06 Buyer beware. Or maybe not. If you're shopping for ransomware, you deserve what you get. And finally, you'll recall that the LockBit ransomware gang claimed during the run-up to the RSA conference, and with a virtual shower of digital glitter as misdirection, to have successfully hit security firm Mandiant. Mandiant at the time said it saw no evidence of an attack and that it was skeptical that anything at all had happened. That early reaction seems to be about right.
Starting point is 00:11:37 CPO Magazine reports that the whole business was moonshine, a publicity stunt by LockBit as it hoped to convince people that, no really, it had nothing to do with the now-sanctioned Evil Corp.
Starting point is 00:13:13 Researchers from Zscaler's ThreatLabz team recently released findings from their 2022 State of Ransomware report. Deepen Desai is Chief Information Security Officer at Zscaler, and I caught up with him at last week's RSA conference for an overview of the report. Ransomware continues to grow. One of the key trends that we highlighted last year as well was double extortion ransomware. This is where ransomware families are exfiltrating data from your crown jewel assets before they're encrypted. So even if you have good backup hygiene
Starting point is 00:14:25 and you're able to recover, they will hold you accountable by threatening to leak the data. So that's the double extortion trend. We saw about 80% growth in ransomware attacks year over year, and the majority of these were double extortion ones. And eight out of these top 11 ransomware families
Starting point is 00:14:46 that contributed to this rise, they were all using a ransomware as a service framework. We also looked at different industries that were targeted over the course of the last year. And we saw manufacturing being the hardest hit one. In fact, one in every five attacks that we saw were targeted towards the manufacturing industry. And then healthcare and restaurants and retail, those were the next close ones that we saw as the targets. In terms of the trends, is this continuing along the lines that you have all seen for the last few years?
Starting point is 00:15:26 Or have there been any adjustments along the way? Yeah, manufacturing is unfortunately number one, second year in a row. There were a few changes. We saw the attacks against healthcare go down the previous year, but they are again up. We also saw another trend actually that I would call out, as the government started going after these ransomware families, there's a trend that we are calling ransomware rebranding. So the same family, they're coming back into operations
Starting point is 00:15:59 using a new name. And there are several examples of that that we have seen. I mean, if I were to name a few, GandCrab was renamed to REvil, right? REvil was gone after and then they're coming back. DarkSide, which attacked Colonial Pipeline, they came back as BlackMatter, right? And there are many such examples that you will see in our report where the goal of the ransomware operators is to make it easy for the victims to pay ransom as well because once there's a government crackdown, they will ban those organizations. There is no way for the victim to pay ransom as well. And then they're also trying to get away from the law enforcement pressure on that gang because now they're a different name, different group
Starting point is 00:16:46 that was not associated with a high-profile attack like, say, Colonial Pipeline. Are you tracking anything in terms of consolidation or the continued professionalization of these groups? Are there some that are rising to become the dominant players? There are several players. In fact, more new players come out as they see how much success
Starting point is 00:17:08 a lot of these guys are enjoying. Not so much on the consolidation side, but there are specific groups that are more sophisticated than the others. We're seeing trends about leveraging supply chain vector, for instance. And this is not the traditional downstream supply chain attack where they're popping a software vendor
Starting point is 00:17:32 and then trying to push malicious updates. This is where they carefully go after third-party vendors that you may rely on. So one of the examples that we called out in the report is where they went after a company called Quanta Computer and they popped the network, they stole a lot of information from there and they apparently had access to Apple's MacBook blueprints
Starting point is 00:17:55 and some of the other computer sensitive information as well. So if you as an organization have a very strong security posture but you still rely on third parties who are not at the same level, they will go after them and then they will ask for ransom from you as well. That is another trend that we're seeing in some of the gangs. Another recent example that I will call out, and this is public information as well, where Aon Financial Insurance Company got hit.
Starting point is 00:18:25 This is a second one, major one. We saw one last year as well. So what they're doing when they hit these insurance companies is they will look at all the organizations that have a good cyber insurance with them. And that is a target list. These are the companies that if we go after, they won't hesitate to pay ransom
Starting point is 00:18:45 because they're covered by these insurance agencies. So using that supply chain in order to come up with what their target should look like and then demand ransom, that's another trend that we're seeing growing among these sophisticated gangs. What's your advice for organizations then? I suspect most organizations are somewhere down
Starting point is 00:19:06 that ransomware mitigation path. There are probably very few who haven't done something. But in terms of upping their game in that maturity level, any words of wisdom? Yeah, so prioritize your zero trust journey. Everyone, like you said, is already embarked on that. But prioritize. If you haven't started,
Starting point is 00:19:26 you need to get started as soon as possible. My suggestion is focus on your crown jewel assets first. Have your zero trust model centered around that so you're protecting that first and then extend it to broader assets. So that's one. The other is employee security awareness is still one of the most
Starting point is 00:19:45 important ones. If you look at the recent DBIR report, a vast majority of the attack still starts with the human element, right? Where there was a phishing attack or credential stolen and threat actor gets in. So that's that prevent compromise phase. So in addition to having your zero trust security stack, you also should focus on training your employees, making sure you have policies in place that provides training at the time the incident is happening. And I can give you an example.
Starting point is 00:20:17 So the way our platform is designed, it's a proxy architecture. Say you are visiting a site, it was looking legitimate in the email that arrived to you, you clicked on the link. At the time you're about to visit that site, you will see a caution page from the platform that says, this is not what you think it is. It's a suspicious destination. Do not enter your credentials. Do not download anything from here. So that's an element that provides education at the time of the incident rather than after the fact, right?
Starting point is 00:20:48 So having something like that as part of your security policies is also extremely effective. That's Deepen Desai from Zscaler. Rob Boyce is Managing Director and Global Lead for Cyber Crisis and Incident Response at Accenture Security. At last week's RSA conference, he led a presentation titled
Starting point is 00:22:06 Cyber Invisibility, Developing a Security Incident Notification Regime. I caught up with Rob Boyce at the conference for an overview. Well, it's definitely an emerging topic right now that's gaining a lot of importance around the mandatory notification process for cyber incidents. And so we're seeing a lot of uptick, especially after the colonial pipeline, of course, in the US and Department of Homeland Security now is a lot more interested in seeing
Starting point is 00:22:33 how we can capture the intelligence around those types of events and then leverage it for the protection of other critical infrastructure providers. So we're seeing a lot there. It's really interesting. And we're seeing a very similar thing in the US and the SEC trying to gain more transparency for shareholders of public traded companies. And they obviously believe that going through a mandatory notification
Starting point is 00:22:55 is going to provide those shareholders more insight into aspects of the organization's cyber threat posture. How is industry responding to this? So if we deal with critical, we'll maybe divide the two. I think these two, especially as it pertains to the US, are the two main ones that we're seeing. Again, the SEC and CISA. We'll talk about critical infrastructure first. I think critical infrastructure is seemingly reacting positive about it. I think they understand the importance of being able to notify, but there's still a lot of items that need to be determined. For example, we still haven't decided
Starting point is 00:23:29 what is a covered entity, right? We know that the 16 categories of critical infrastructure providers and operators, but is it going to apply equally to them out of the gate or is it going to be over time? So that still needs to be determined. So I think once that starts to gain a little bit more clarity,
Starting point is 00:23:44 we may have a different perception. But right now, there seems to be, there's not a lot of pushback, we'll say that. The SEC side for publicly traded companies is a little bit different. And there's, I would say, a little bit more work to be done there. I think, again, the benefits of having notifications
Starting point is 00:24:01 are somewhat obvious. But when we're talking about publicly traded companies, there's also a lot of challenges potentially with that. So there's more concerns with organizations right now as it pertains to that. Because if you think about, if you were to notify within, I think right now the recommendation
Starting point is 00:24:19 for SEC regulations, four days. And as a person who deals with these incidents on a daily basis, in the first four days, we don't really know a lot. And so the information that we have is going to be pretty incomplete of what the true impact may be.
Starting point is 00:24:33 It may be misleading in either the side of we don't have enough information or we don't know the information. So it could be perceived that if we're sharing that transparently for the purpose of shareholders, how are those shareholders going to react to that information? They may be acting without having a full picture of the information, right? So it's going to be really interesting.
Starting point is 00:24:54 And so there's definitely a little bit more pushback on that side. Is there any sense to what degree the enforcement regime is going to be rigid? Yeah, well, at least for the ones that I've read for the CISA, for the new law that was passed, there are going to be mandatory notifications. So they will have to notify. There are criteria that have yet to be established. So once those are established, if you fall within that criteria, you will have to notify. If you don't notify and they find out, they can subpoena for evidence. So that is a process that has already been established as part of it. So what are your recommendations when you're out and about consulting with your clients? How are you preparing them to be on board with this? Yeah, well, it's going to happen. So we might as well start assuming that this is going to be the
Starting point is 00:25:43 new process that will be coming down in the future. I mean, we are talking years to get there right now, but let's start taking a look at our incident response playbooks, our crisis response playbooks. How do we work in these notification processes? these criteria for what a material incident is and a covered entity is. How do we make sure that we're building in those notification processes when those applicable criteria do apply? There's also going to be potentially new rules
Starting point is 00:26:14 around preservation of evidence. So I think that will be interesting. And that's something that a lot of organizations have not had to deal with previously. So how does that impact their standard processes and what they have to do a little bit differently? So there's a few things that just will change. And you may as well start planning for it now because all signs point to this is happening. I would imagine too, there are a lot
Starting point is 00:26:37 of organizations crossing their fingers and hoping that they aren't the test case. Correct. Yeah. Well, and I think, I don't think that CISA will be able to apply this equally to all critical infrastructure out of the gate. So they will have to pick and choose. And, you know, I think we'll probably see them focus more on those portions of
Starting point is 00:26:55 critical infrastructure. They're the most important for us. So, but I mean, I don't know, but this is all going to be figured out when the next day of 24 months, I think to be able to decide what is the definition of material incident, who are the covered entities, and a few other things.
Starting point is 00:27:11 And then I think they have 18 more months to roll it out after that. So we're talking about 24 plus that many months to get to a resolution. But that's the maximum. That's Rob Boyce from Accenture Security. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Rachel Gelfand, Liz Ervin,
Starting point is 00:27:56 Elliot Peltzman, Trey Hester, Brandon Karp, Eliana White, Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan, Kirill Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, Thanks for listening. We'll see you back here tomorrow.
