CyberWire Daily - How an attack led to a breach that enabled further social engineering. Forensic visibility in the Google Cloud Platform. Hacktivist auxiliaries. Two 8Ks and a free decryptor.
Episode Date: March 1, 2023

The LastPass data breach built on an earlier attack. Forensic visibility and the Google Cloud Platform. An overview of hacktivist auxiliaries in Russia's war against Ukraine. Dish acknowledges sustaining a cyberattack. MKS Instruments discloses a ransomware incident. Carole Theriault has a lesson about ChatGPT and school systems. Ann Johnson from Afternoon Cyber Tea speaks with Stacy Hughes from Voya Financial about her journey to being CISO. And Bitdefender releases a decryptor for MortalKombat ransomware.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/40

Selected reading.
LastPass sustains a second data breach. (CyberWire)
Incident 2 – Additional details of the attack (LastPass Support)
LastPass Says DevOps Engineer Home Computer Hacked (SecurityWeek)
LastPass: Keylogger on home PC led to cracked corporate password vault (Naked Security)
LastPass data was stolen by hacking an employee's home computer (The Verge)
LastPass says employee's home computer was hacked and corporate vault taken (Ars Technica)
LastPass is in Big Trouble (Gizmodo)
LastPass: DevOps engineer hacked to steal password vault data in 2022 breach (BleepingComputer)
The LastPass security breach is still going from bad to worse (Cybersecurity Connect)
Mitiga on forensic visibility and the Google Cloud Platform. (CyberWire)
Mitiga Security Advisory: Insufficient Forensic Visibility in GCP Storage (Mitiga)
Google Cloud Platform Exfiltration: A Threat Hunting Guide (Mitiga)
The Cyber Warfare Report (GroupSense)
Dish Network confirms ransomware attack behind multi-day outage (BleepingComputer)
DISH tells SEC that ransomware attack caused outages; personal info may have been stolen (The Record from Recorded Future News)
Ransomware attack on chip supplier causes delays for semiconductor groups (Financial Times)
Bitdefender Releases Decryptor for MortalKombat Ransomware (Bitdefender Labs)
Victims of MortalKombat ransomware can now decrypt their locked files for free (The Record from Recorded Future News)

Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
The LastPass data breach built on an earlier attack.
Forensic visibility and the Google Cloud platform.
An overview of hacktivist auxiliaries in Russia's war against Ukraine.
Dish acknowledges sustaining a cyber attack.
MKS Instruments discloses a ransomware incident.
Carole Theriault has a lesson about ChatGPT and school systems.
Ann Johnson from Afternoon Cyber Tea speaks with Stacy Hughes from Voya Financial about her journey to being a CISO.
And Bitdefender releases a decryptor for MortalKombat ransomware.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, March 1st, 2023.
employee. In what the company has called a coordinated second attack, the company's Amazon AWS cloud storage servers were accessed and data was stolen, BleepingComputer wrote Monday. LastPass has disclosed that the 2022 breach ended on August 12th when the threat actor pivoted from the first incident but was actively engaged in a new series of reconnaissance, enumeration, and exfiltration activities aligned to the cloud storage environment spanning from August 12, 2022 to October 26, 2022. Naked Security says that the password manager notes that this second incident saw the threat actor take advantage of data made available in the first breach before the systems were reset to enumerate and ultimately exfiltrate data from the cloud storage resources. LastPass stressed in its disclosure that the data from the first attack requires decryption keys that were not available to the hackers, which is why this threat actor leveraged the stolen data to target one of the four DevOps engineers who had access to the decryption keys needed to access the cloud storage service. The company says that the employee's home computer was targeted via a vulnerable third-party software that allowed for remote execution and the implementation of a keylogger. The keylogger eventually gave up the engineer's master password after MFA authenticated for the corporate vault. LastPass goes on to explain, the threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups. So, the cycle in the last two attacks was like this: steal data, conduct further reconnaissance, use the stolen data for social engineering, and attack again.
Mitiga has published research looking at Google Cloud Platform, concluding that the service has a significant forensic security deficiency in Google Cloud Storage that enables a threat actor to exfiltrate in a covert manner. The researchers found that an attacker with access to a GCP storage bucket could steal data without leaving any obvious signs. The problem stems from the fact that GCP uses the same log description for a variety of different actions, including reading files, downloading files, copying files to an external server, or reading the metadata of a file. As a result, all of these actions will simply be logged as storage.objects.get.
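Because the method name carries no information about which of those actions happened, a hunter has to look at volume and origin instead. The following is an added example, not code from the episode or from Mitiga's report: it assumes Cloud Audit Logs exported as newline-delimited JSON in the standard field layout, uses constructed entries with made-up principals, bucket and IPs, and treats 10.0.0.0/8 as an assumed corporate egress range.

```python
"""Hunting over GCS audit logs when the method name is ambiguous.
Added example, not code from the CyberWire episode or from Mitiga. Because a
read, a download, a copy to an external host and a metadata fetch are all
logged as storage.objects.get, this detector ignores the method name and
instead baselines distinct objects touched per principal per hour and checks
the caller IP against an allow-list. Sample entries are constructed to mimic
the Cloud Audit Log field layout; principals, bucket and IPs are made up.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
import json

# Constructed sample: a service account re-reading three backup objects from
# the office range, then an admin pulling 40 distinct objects from outside it.
_READS = (
    [(i, "app-sa@example.iam.gserviceaccount.com", "10.0.1.5",
      f"daily/{i % 3}.bak") for i in range(10)]
    + [(10 + i, "dev-admin@example.com", "203.0.113.9",
        f"daily/{i}.bak") for i in range(40)]
)
SAMPLE_LOG = "\n".join(
    json.dumps({
        "timestamp": f"2022-10-26T10:{minute:02d}:00Z",
        "protoPayload": {
            "methodName": "storage.objects.get",
            "authenticationInfo": {"principalEmail": who},
            "requestMetadata": {"callerIp": ip},
            "resourceName": f"projects/_/buckets/prod-backups/objects/{obj}",
        },
    })
    for minute, who, ip, obj in _READS
)
TRUSTED_NETS = [ip_network("10.0.0.0/8")]  # assumed corporate egress range

def parse_entries(raw: str) -> list:
    """Keep storage.objects.get events and flatten the fields the hunt needs."""
    out = []
    for line in raw.splitlines():
        entry = json.loads(line)
        p = entry["protoPayload"]
        if p.get("methodName") != "storage.objects.get":
            continue
        path = p["resourceName"].removeprefix("projects/_/buckets/")
        bucket, _, obj = path.partition("/objects/")
        out.append({
            "hour": entry["timestamp"][:13],  # e.g. 2022-10-26T10
            "principal": p["authenticationInfo"]["principalEmail"],
            "ip": p["requestMetadata"]["callerIp"],
            "bucket": bucket, "object": obj,
        })
    return out

def hunt(entries: list, max_distinct_per_hour: int = 5) -> list:
    """Flag bulk enumeration (many distinct objects by one principal in an
    hour) and any access from outside TRUSTED_NETS. Returns sorted findings."""
    touched = defaultdict(set)
    findings = set()
    for e in entries:
        touched[(e["principal"], e["bucket"], e["hour"])].add(e["object"])
        if not any(ip_address(e["ip"]) in net for net in TRUSTED_NETS):
            findings.add(("untrusted_ip", e["principal"], e["ip"]))
    for (who, bucket, _), objs in touched.items():
        if len(objs) > max_distinct_per_hour:
            findings.add(("bulk_read", who, bucket, len(objs)))
    return sorted(findings)
```

The threshold and trusted range are placeholders; in practice both come from a baseline of each principal's normal read pattern, since a legitimate backup job can also read many objects in one hour.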
While Google doesn't consider the scenario Mitiga describes to be a vulnerability, Google says it appreciates Mitiga's feedback and has worked with them to develop some recommendations for improvement.
GroupSense's Cyber Warfare Report, a look at the first eight months of Russia's war against Ukraine, offers a useful overview of the role hacktivist auxiliaries have played in that war. The report says, interestingly, more hacktivist groups are openly pro-Ukraine than pro-Russia. Russia tends not to report on external cyber activities, so it is not known how effective these groups have been. However, we do know that there are more pro-Ukrainian groups than pro-Russian ones. GroupSense counts 42 hacktivist actors working in the Ukrainian interest, as opposed to 36 acting on behalf of Russia. The most prominent of the Ukrainian groups is the IT Army of Ukraine. The auxiliaries' most typical activities have been distributed denial-of-service attacks, but they've also been seen engaged in doxing and various forms of influence operations. Some of them have assisted with intelligence collection, and on the Russian side, some hacktivist auxiliaries have deployed wiper malware against Ukrainian targets. Some of the wipers appear to have been delivered by ransomware gangs, which suggests the source of some of the talent present in the Russian auxiliaries.
The Verge reports that it's obtained an internal Dish Network email advising employees that it was investigating a cybersecurity incident and that Dish is aware that certain data was extracted. Official confirmation came from the company late yesterday when a Form 8-K filed with the U.S. Securities and Exchange Commission disclosed that the IT issues were indeed caused by a cyber attack. The 8-K reads in part, on February 23, 2023, Dish Network Corporation announced on its earnings call that the corporation had experienced a network outage that affected internal servers and IT telephony. The corporation immediately activated its incident response and business continuity plans designed to contain, assess, and remediate the situation. The services of cybersecurity experts and outside advisors were retained to assist in the evaluation of the situation. The corporation has determined that the outage was due to a cybersecurity incident and notified appropriate law enforcement authorities. The filing further identified the incident as a ransomware attack. Dish continues to maintain on its homepage the same advisory it has displayed since the incident came to light: we are experiencing a system issue that our teams are working hard to resolve. But now, the nature of that system issue is a bit more clear.
MKS Instruments, by their own description a Massachusetts-based supplier of instruments, systems, subsystems, and process control solutions that measure, monitor, deliver, analyze, power, and control critical parameters of advanced manufacturing processes, has filed a Form 8-K with the U.S. Securities and Exchange Commission disclosing a ransomware attack and describing the attack's consequences. John T.C. Lee, President and Chief Executive Officer of MKS, said, we are well into the recovery phase of our manufacturing and service operations following the ransomware incident identified on February 3rd, and we expect these operations will be restored over the coming weeks. I'm very thankful for our dedicated employees who have worked tirelessly to help bring interrupted systems back online. Since the ransomware will have a material impact on the company's first quarter results, and it's still unclear what that impact will be, MKS is delaying its first quarter guidance. Nonetheless, the company currently estimates the impact from the incident on first quarter revenue to be at least $200 million, out of revenue expected to amount to about $1 billion.
And finally, bravo Bitdefender for releasing a universal decryptor for MortalKombat ransomware. MortalKombat is a strain of ransomware related to Xorist. It was first observed in January of this year, active against victims in the U.S., the U.K., Turkey, and the Philippines. The malware's only connection to the eponymous Mortal Kombat game is its threat to change victims' wallpaper to display a Mortal Kombat image. It's not spread by the game. If you've been affected, there's now a free decryptor available. Visit Bitdefender's blog if you need it.
Coming up after the break,
Carole Theriault has a lesson about ChatGPT and school systems.
Ann Johnson from Afternoon Cyber Tea speaks with Stacy Hughes from Voya Financial about her journey to being CISO.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives. and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
Microsoft's Ann Johnson is host of the Afternoon Cyber Tea podcast, and in a recent episode, she spoke with Stacy Hughes from Voya Financial about Stacy's journey to being a CISO. Here's a segment from that conversation.
On today's episode of Afternoon
Cyber Tea, I am joined by Voya Financial's Senior Vice President and Chief Information Security
Officer, Stacy Hughes. At Voya, Stacy is responsible for advancing the enterprise vision,
strategy, and roadmap for their industry-leading cybersecurity program.
She has more than 20 years of experience leading complex IT initiatives within Fortune 500 financial technology organizations,
most recently as the CISO of Global Payments, where she also held leadership positions across governance, compliance, accounting, and the audit function.
Welcome to Afternoon Cyber Tea, Stacy. I am absolutely thrilled to have you on the program
today. Thanks, Ann. I'm so excited to be here. So when we think then about leaders and businesses
in the financial sector, you see this broad spectrum of risks and attacks. From your seat
as an enterprise financial sector CISO, can you tell
me some of the trends you're seeing? Are the risks evolving? Are the risks staying the same?
And same with the attacks, right? Do you see the attacks evolving or is it pretty much the same
just on repeat? We continue to see some of the same trends that have been in place over the past few years. For example, social engineering, phishing, ransomware,
keeping in front of vulnerabilities, for example. However, I am starting to see, and I think the
industry is starting to see as well, risks with different technologies. Over time, as we've
continued, you know, cloud digital data transformations, as well as artificial intelligence, for example, and more recently, ChatGPT, we also need to be able to utilize those technologies in our environments.
And be able to do that in a secure way that makes sure we meet compliance requirements and privacy as well, too.
And that's being able to help our businesses innovate and move forward.
However, I do see with those great technologies, we also see that the threat actors take advantage of those new capabilities and technologies as well.
And they're developing new tactics, techniques, and practices against organizations.
And as cyber professionals, it's really going back to some of the basics from an organization perspective
in making sure that we've as an industry very good security
awareness with our employees, as well as very good cyber hygiene. And to drill on that a little
further at Voya, our customers really entrust us with their savings. And we really view that
as an honor and a privilege, which is why we take security so seriously to make sure we're protecting the most valuable assets and uphold our customers' trust.
Stacy, I've heard you talk about the art and the science of cybersecurity, and that concept really resonated with me.
Can you explain what you mean by that to your listeners? And what do you view as cybersecurity art?
Yes.
So the science involves utilizing existing use cases and established frameworks that
are currently in place, such as MITRE ATT&CK.
And that can help you to really system what you're looking at from overall threat modeling.
And the art of it requires really partnering with our business, with application owners, and our development teams to really fully understand how applications work
and determine what is unusual behavior. And really the partnering of the art and the science is what is utilized by teams
to really help develop risk-based alerting
to find that needle in a haystack.
And for example, if I were to log in
from an unusual location,
it may be normal activity for me,
but it could also be a threat actor
or I'm working remotely today from somewhere else other
than my home. However, for example, if I log in to a new application that I historically have not
utilized before, then that could be defined as potential unusual activity. So it's really the
art and the science works together to help provide a very good perspective on the threat
landscape and alerting. You can hear more of this discussion on the Afternoon Cyber Tea podcast.
That's part of the CyberWire podcast network, available wherever you get your podcasts. ChatGPT has been all the rage, as you know,
if you've been listening to just about any news source lately.
Our UK correspondent, Carole Theriault,
has been digging into ChatGPT and school systems.
She files this report. It's probably not really a surprise, but ChatGPT, released in late November
2022, has already sent many educators into a panic. I mean, students are using it to write
their assignments, passing off AI-generated
essays and problem sets as their own, writes the New York Times. Teachers and school administrators
have been scrambling to catch students using the tool to cheat, but they're fretting about the
havoc ChatGPT could wreak on their lesson plans. And recently, professors at the University of Pennsylvania released a research paper called Would ChatGPT3 Get a Wharton MBA?
And they documented in the paper how ChatGPT wrote and passed the final exam of the operations management module of an MBA degree.
Apparently the bot did an amazing job.
Not only are the answers correct, but the
explanations are excellent, said one of the profs. ChatGPT is even being credited as a co-author on
a handful of papers. Some publishers of scientific journals are banning or restricting contributors'
use of an advanced AI-driven chatbot amid concerns that it could pepper academic literature with flawed and
even fabricated research. And of course, school systems are starting to freak out about plagiarism.
In the United States, public schools in New York and Seattle have decided to block ChatGPT from
their devices and Wi-Fi networks. In France, the prestigious Sciences Po University in Paris
has also just announced a strict ban on its use.
But really, let's think about this. Are these outright bans going to work?
I remember being a kid facing a test I had failed to study for.
I used to write some of the answers on my eraser and then, well, erase the evidence.
But the institutional panic is, to me at least, expected.
How can you identify plagiarism if the tool you use can provide unique answers every single time? And whilst this technological marvel is not bulletproof, it certainly doesn't get every answer right.
going to impress us when we least expect it. What I'm trying to say is that surely we need to figure out a way to ensure that this tool can be used in a way that benefits the student, for example.
I mean, the ultimate goal for education is surely not just to pass a written test, but how else can
you measure what a student has absorbed? I don't want some Yahoo who flew through medical school
by cutting and pasting to advise me on a procedure or
anything really. And I'm sure I'm not alone there. So what can be done? Perhaps a revival in oral
exams where a student effectively has to prove knowledge through a discussion with an educator.
I mean, maybe the future is not all about complete automation and AI control,
but a partnership where we need to figure out how to use these tools we develop
to learn more efficiently and effectively.
And I'm telling you, ChatGPT has just completed its very first PUA.
It was impressive.
Just you wait for the next.
This was Carole Theriault for the CyberWire.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of Data Tribe,
where they're co-building the next generation of cybersecurity teams and technologies.
This episode was produced by Liz Ervin and senior producer Jennifer Iben.
Our mixer is Trey Hester, with original music by Elliot Peltzman.
The show was written by John Petrick.
Our executive editor is Peter Kilby, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.