CyberWire Daily - Hybrid war and cyber espionage. Ransomware in the produce aisle. Bypassing security filters in a BEC campaign. Identity-based attacks. Avoid pirated software. And what the bots have been scalping.
Episode Date: February 23, 2023

Cyberattacks in Russia's war so far, and their future prospects. The Lazarus Group may be employing a new backdoor. Clasiopa targets materials research organizations. Ransomware interferes with food production. Evernote is used in a BEC campaign to bypass security filters. Identity-based cyberattacks. Pirated versions of Final Cut Pro deliver cryptominers. Caleb Barlow has thoughts on Twitter, Mudge, and lessons learned. Marc Van Zadelhoff from Cyber CEOs Decoded podcast speaks with Amanda Renteria, CEO of Code for America, about attracting diverse talent. And what have the scalperbots been up to, lately? For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/36

Selected reading.
A year into Ukraine, looking back at 5 prewar predictions (Breaking Defense)
Dutch intelligence: Many cyberattacks by Russia are not yet public knowledge (The Record from Recorded Future News)
WinorDLL64: A backdoor from the vast Lazarus arsenal? (WeLiveSecurity)
Clasiopa: New Group Targets Materials Research (Symantec)
Cyberattack on food giant Dole temporarily shuts down North America production, company memo says (CNN Business)
Business Email Compromise Scam Leads to Credential Harvesting Evernote Page (Avanan)
The 2023 State of Identity Security Report (Oort)
Beware of macOS cryptojacking malware. (Jamf Threat Labs)
Quarterly Index: Top 5 Scalper Bot Targets of Q4 2022 (Netacea)
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Cyber attacks in Russia's war so far and their future prospects.
The Lazarus Group may be employing a new backdoor.
Clasiopa targets materials research organizations.
Ransomware interferes with food production.
Evernote is used in a BEC campaign to bypass security filters.
Identity-based cyberattacks.
Pirated versions of Final Cut Pro deliver crypto miners.
Caleb Barlow has thoughts on Twitter, Mudge, and lessons learned.
Marc Van Zadelhoff from Cyber CEOs Decoded podcast
speaks with Amanda Renteria, CEO of Code for America,
about attracting diverse talent.
And what have the scalper bots been up to lately?
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, February 23rd, 2023. Today marks the end of the first year of Russia's war against Ukraine. That special military operation, as official Russia calls it, has been surprising, especially in its duration
and in the stark contrast between Russian and Ukrainian combat performance. It's perhaps been
most surprising in the way in which Russian cyber offensives have fallen so far short of
expectations. In the course of reviewing five predictions made at the outset of the war,
Breaking Defense concludes that cyber has not been the game changer it was widely expected to be.
The analysis concludes that the much-discussed and much-feared cyber Pearl Harbor didn't materialize for two main reasons.
First, cyber weapons, as Breaking Defense puts it, are generally one-time use.
That is, once they're employed, they're blown, and not easy to reuse against a prepared and responsive defender.
Second, effective defense and resilience have been shown to be possible.
The analysis says, even the most obvious and expected use of cyber attacks,
the degradation of civilian infrastructure like the electrical grid, has come entirely from kinetic effects.
Cyber operations haven't been irrelevant, and skirmishes in cyberspace have marked Russia's war since before its troops crossed the Ukrainian border.
But they haven't been decisive, and on the Russian side at least, haven't been well integrated into a
combined arms effort. It seems unlikely to Breaking Defense that any surprises will develop,
they write, and while it is possible that Russia still has some unused capabilities,
that seems unlikely since the Russian strategic situation has become desperate
with no new capabilities becoming evident.
That likely means they do not exist. None of this means that Russian operators haven't been trying.
Their attempted cyber attacks have maintained a high operational tempo. The Record cites a report
by the Netherlands General Intelligence and Security Service and Military Intelligence and
Security Service, that report
says that there have been many more attacks than have so far come to light, stating,
Before and during the war, Russian intelligence and security services engaged in widespread
digital espionage, sabotage, and influencing against Ukraine and NATO allies. But again,
the attacks have been poorly integrated with other
arms, and their effects have been lost in the overwhelming noise of kinetic destruction
inflicted by missile and artillery fire, bits and bytes lost in the crack and
ammoniacal stench of high explosives. Other cyber espionage groups remain active, of course, and active in places other than Ukraine.
ESET this morning reports that North Korea's Lazarus Group may be deploying a new backdoor, WinorDLL64. It most notably acquires extensive system information,
provides means for file manipulation such as exfiltration, overwriting and removing files,
and executes additional commands. Interestingly, it communicates over a connection that was already
established by the Wslink loader. The connection to the Lazarus Group is circumstantial but convincing.
Its development environment, behavior, and code show overlap with known Lazarus samples,
and the victimology is consistent with observed Lazarus targeting.
Symantec describes a previously unobserved threat actor the company calls Clasiopa
that targeted a materials research
firm in Asia. The threat actor uses a combination of publicly available and custom-made malware
tools, including a bespoke remote-access Trojan called Atharvan. Clasiopa also may have abused
two legitimate software packages in its attacks. Symantec says there's no firm evidence pointing
to who might be behind Clasiopa. Some of the threat actor's malware contains references to
India and Hinduism, but the researchers believe these are too obvious. They could well be false
flags. Noticed a shortage of pre-packaged salads in the produce aisle? You're not alone. A ransomware attack on
Dole PLC led the company to interrupt operations at its North American processing plants,
CNN Business reports. A February 10th memo from the senior vice president of the company's
fresh vegetables division said, Dole Food Company is in the midst of a cyber attack
and have subsequently shut down our systems throughout North America.
The shutdown affected deliveries of salad kits to food retailers.
The specific strain of ransomware involved has not been publicly disclosed.
Avanan warned today that attackers are abusing the note-taking app Evernote to host malicious links they're distributing in a business
email compromise scam. Avanan researchers observed an attack in which an account belonging to the
president of an organization was compromised. The attackers used the account to send phishing
emails with a link to an Evernote page purporting to contain a secure message. The Evernote page hosted a link to a credential harvesting phishing site.
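As an added example, not part of the podcast and not Avanan's or Evernote's code: a small mail-triage routine over constructed messages that looks for the pattern just described, a first-hop link to a legitimate content-hosting service combined with "secure message" lure wording, and rates it higher when the sender is an internal account, because a compromised internal mailbox passes the sender-domain checks a filter relies on. The host list, lure phrases, sample messages and severity rule are assumptions made for the example.

```python
"""Triage an inbound message for links that point at a legitimate note- or
document-hosting service, the pattern Avanan describes: the first link is
clean enough to pass mail filters, and the hosted page carries the real
credential-harvesting link.

Added example, not Avanan's or Evernote's code. The host list, lure phrases
and sample messages are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Services that legitimately host user content and so cannot simply be
# blocked. Assumption: an illustrative list, not a vendor-supplied catalogue.
CONTENT_HOSTS = {"evernote.com", "docs.google.com", "sharepoint.com", "notion.site"}

# Wording typical of "secure message" lures (also an assumption).
LURE_PHRASES = ("secure message", "encrypted message", "view document", "shared a note")

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


@dataclass
class Finding:
    sender: str
    url: str
    host: str
    severity: str
    reasons: List[str] = field(default_factory=list)


def matching_suffix(host: str, suffixes) -> Optional[str]:
    """Return the suffix that `host` equals or is a subdomain of, else None.

    Matching on a label boundary defeats look-alikes such as
    evernote.com.evil.test, which merely *contains* the trusted name.
    """
    host = host.lower().rstrip(".")
    for suffix in suffixes:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None


def triage_message(sender: str, subject: str, body: str, internal_domain: str) -> List[Finding]:
    """Return one Finding per suspicious link.

    A hosted-content link alone is too common to flag (plenty of real mail
    links to Google Docs), and so is lure wording alone; both together are
    flagged. An internal sender raises severity: a compromised internal
    mailbox, as in the Avanan case, passes sender-domain checks.
    """
    findings = []
    text = (subject + "\n" + body).lower()
    lure_hits = [p for p in LURE_PHRASES if p in text]
    internal = sender.rsplit("@", 1)[-1].lower() == internal_domain.lower()

    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        service = matching_suffix(host, CONTENT_HOSTS)
        if service is None or not lure_hits:
            continue
        reasons = [f"link hosted on content service {service}",
                   "lure wording: " + ", ".join(lure_hits)]
        severity = "medium"
        if internal:
            reasons.append("internal sender; filters trusting the sender domain will pass it")
            severity = "high"
        findings.append(Finding(sender, url, host, severity, reasons))
    return findings


# Constructed sample messages, not real traffic.
SAMPLES = [
    {   # the Avanan pattern: an executive's mailbox sends an Evernote "secure message"
        "sender": "president@example.org",
        "subject": "Secure message from the President",
        "body": "Please review the secure message here:\n"
                "https://www.evernote.com/shard/s1/sh/abc/def Thank you.",
    },
    {   # benign: external newsletter linking to a Google Doc, no lure wording
        "sender": "news@vendor.example",
        "subject": "Monthly update",
        "body": "Agenda is at https://docs.google.com/document/d/xyz/edit",
    },
    {   # benign: internal mail with a link to an unremarkable host
        "sender": "alice@example.org",
        "subject": "Lunch",
        "body": "Menu: https://cafe.example/menu",
    },
    {   # external sender, but lure wording plus a hosted note: medium
        "sender": "someone@partner.example",
        "subject": "Note",
        "body": "Jane shared a note with you: https://www.evernote.com/shard/s2/sh/ghi/jkl",
    },
]


def run_samples(internal_domain: str = "example.org") -> List[Finding]:
    results = []
    for m in SAMPLES:
        results.extend(triage_message(m["sender"], m["subject"], m["body"], internal_domain))
    return results


if __name__ == "__main__":
    for f in run_samples():
        print(f"[{f.severity}] {f.sender} -> {f.url}: " + "; ".join(f.reasons))
```

The suffix match is deliberately on a label boundary rather than a substring test, so a host that only contains the trusted name is not treated as that service; and the rule never flags a hosted link by itself, which keeps ordinary document sharing out of the queue.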
Identity and access management platform provider Oort this morning released
their 2023 State of Identity Security Report,
which details prevalent identity attacks that occurred in 2022,
the weaknesses in multi-factor authentication,
and related issues in the IAM
industry. Researchers referenced this month's attack on Reddit, where attackers were capable
of getting both a password and one-time password from the victim, as well as attacks from cyber
criminal gang 0ktapus. 0ktapus targeted Twilio and is suspected of having targeted Coinbase.
Such incidents have motivated a push from the security community toward phishing-resistant MFA,
as the use of strong second factors has accounted for only 1.8% of all logins.
Just over 40% of organizations observed had a weak MFA or none at all,
showing a lot of holes for attackers to potentially exploit.
On average, just under a quarter of a company's accounts are dormant, and these often have fewer
activity monitors and controls in place. Oort found, for example, that in August 2022, password
guessing attacks by threat group APT29 targeted dormant mailboxes. The cyber criminals guessed
the password of an account that had not been set up correctly. Research from the last two months
of 2022 also showed an average of just over 500 attack attempts against inactive accounts.
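As an added example, not part of the podcast and not Oort's code or methodology: a small detection run over constructed authentication events that judges dormancy at the moment of each failed login, flags a password-guessing burst against a dormant account, and flags the eventual success as a takeover. The log format, the 90-day and five-failure thresholds, and the sample events are assumptions made for the example.

```python
"""Evaluate authentication events for the dormant-account risk Oort describes:
accounts nobody has used in months, which usually have fewer monitors and
controls, being password-guessed and then successfully logged into.

Added example, not Oort's code or methodology. The log format, thresholds and
sample events are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds for the example.
DORMANT_AFTER = timedelta(days=90)    # no successful login for this long => dormant
GUESS_THRESHOLD = 5                   # failures within GUESS_WINDOW => password guessing
GUESS_WINDOW = timedelta(minutes=10)

# Constructed log: "<ISO timestamp> <user> <SUCCESS|FAIL> <source IP>" per line.
SAMPLE_LOG = """\
2022-08-15T00:00:00 svc-backup SUCCESS 10.0.0.3
2022-07-01T10:00:00 old-contractor SUCCESS 10.0.0.9
2022-11-02T09:00:00 alice SUCCESS 10.0.0.5
2022-11-20T08:15:00 alice SUCCESS 10.0.0.5
2022-11-21T03:00:01 old-contractor FAIL 203.0.113.7
2022-11-21T03:00:03 old-contractor FAIL 203.0.113.7
2022-11-21T03:00:05 old-contractor FAIL 203.0.113.7
2022-11-21T03:00:07 old-contractor FAIL 203.0.113.7
2022-11-21T03:00:09 old-contractor FAIL 203.0.113.7
2022-11-21T03:00:11 old-contractor FAIL 203.0.113.7
2022-11-21T03:00:20 old-contractor SUCCESS 203.0.113.7
2022-11-21T03:05:00 alice FAIL 10.0.0.5
2022-11-21T03:05:30 alice FAIL 10.0.0.5
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, user, result, ip), time-ordered."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, result, ip))
    events.sort(key=lambda e: e[0])
    return events


def dormant_as_of(events, now):
    """Point-in-time view: {user: days since last successful login} for dormant users.

    Blind spot: an attacker's successful login resets the clock, so an account
    that was just taken over no longer looks dormant from here.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    last_success = {}
    for ts, user, result, _ in events:
        if result == "SUCCESS" and ts <= now:
            last_success[user] = max(ts, last_success.get(user, ts))
    return {u: (now - t).days for u, t in last_success.items() if now - t > DORMANT_AFTER}


def detect(events):
    """Stream events in time order and return findings.

    Dormancy is judged at the moment of each failure from the last SUCCESS
    seen so far, so a later takeover cannot mask it. An account with no
    SUCCESS on record is treated as dormant too: a never-used account is
    exactly the "not set up correctly" case.
    Finding kinds:
      guessing_dormant  >= GUESS_THRESHOLD failures within GUESS_WINDOW on a dormant account
      takeover_dormant  a SUCCESS on that account while such a burst is open
    """
    last_success = {}
    fails = defaultdict(deque)
    burst_open = set()
    findings = []
    for ts, user, result, ip in events:
        if result == "SUCCESS":
            if user in burst_open:
                findings.append({"kind": "takeover_dormant", "user": user, "at": ts, "ip": ip})
                burst_open.discard(user)
            last_success[user] = ts
            fails[user].clear()
            continue
        last = last_success.get(user)
        dormant = last is None or ts - last > DORMANT_AFTER
        window = fails[user]
        window.append(ts)
        while ts - window[0] > GUESS_WINDOW:   # drop failures outside the sliding window
            window.popleft()
        if dormant and len(window) >= GUESS_THRESHOLD and user not in burst_open:
            findings.append({"kind": "guessing_dormant", "user": user, "at": ts,
                             "ip": ip, "failures": len(window)})
            burst_open.add(user)
    return findings


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for f in detect(ev):
        print(f)
    print("dormant as of 2022-12-01:", dormant_as_of(ev, "2022-12-01T00:00:00"))
```

The two views disagree on purpose. Run against the sample, `detect` reports the guessing burst against old-contractor and the takeover that follows it, while `dormant_as_of` for December 1 lists only svc-backup: the attacker's successful login has made old-contractor look active again. A periodic "accounts unused for 90 days" report is therefore not a substitute for evaluating dormancy at the time of the failures, and alice, who is active and merely mistyped twice, is not reported by either.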
Researchers at Jamf have discovered a new family of macOS crypto mining malware.
The malware is evasive and can sometimes pass security measures on machines running macOS Ventura.
The malware is delivered via a malicious version of Final Cut Pro, which has been modified to install the XMRig miner in the background.
The researchers discovered the software being offered on Pirate
Bay. Since crypto mining requires a significant amount of processing power, Jamf says it is likely
that the ongoing advancements in Apple ARM processors will make macOS devices even more
attractive targets for cryptojacking. Want to reduce this risk and others like it? Stay away from pirated software.
Netacea yesterday released their quarterly index, Top Five Scalper Bot Targets of the Fourth Quarter of 2022, detailing the most scalped items. The research found that PlayStation 5
consoles came in at number 5,
but the resale value of the consoles diminished in the C2C markets as Sony was able to begin replenishing their stock,
thus reducing supply-side pressure on prices.
Nike Dunk Low Panda sneakers topped the list,
followed by two different Air Jordan sneaker pairs.
And, lover, yes, you there, wearing a cardigan and on your white horse.
Yes, you. Are you ready for it?
You knew this all too well, but in an unsurprising fourth place,
we have the highly publicized Taylor Swift Eras Tour tickets,
resold at exorbitant prices.
Some have been seen as high as $31,000.
So who didn't make the top five?
Well, given the chip shortages late last year, some favorites didn't even place or show.
While NVIDIA 40 series graphics cards, as well as Apple's iPhone 14 Pro Max,
were the target of much scalping by dips when there weren't so many chips.
These didn't find their way into the top five. Not yet, anyway.
Coming up after the break, Caleb Barlow has thoughts on Twitter,
Mudge, and lessons learned. Marc Van Zadelhoff from Cyber CEOs Decoded podcast speaks with Amanda Renteria,
CEO of Code for America, about attracting diverse talent.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7,
365, with Black Cloak. Learn more at blackcloak.io.
Marc Van Zadelhoff is host of the Cyber CEOs Decoded podcast, part of N2K's CyberWire Network.
Today, we're featuring a segment from a recent interview Marc did with Amanda Renteria, CEO of Code for America.
Amanda, welcome to the show.
Thanks for having me.
Amanda is the first Mexican-American woman from a small town to be accepted to Stanford University, where you were on the basketball team there.
Earned a BA in economics and political science with honors.
After undergrad, you spent four years in the private sector in Los Angeles as an investment
analyst.
So you honed your skills there.
You went to a small school near me called Harvard Business School, and you focused on public nonprofit management.
And then after graduation, you had the most fascinating career in the public sector.
When I met you, you were working for, I believe, for Senator Feinstein when I met you.
When you first met me, yeah, I might have been for Senator Feinstein.
But you also worked for the city of San Jose, a special consultant, had a lot of experiences.
So walk us through, you got out of HBS, Harvard Business School, today our Code for America,
running this, we're going to spend some time about in a few minutes, but give us the middle
of that sandwich.
Yeah.
So it was interesting because I went to Harvard Business School, not exactly knowing where
my path was going to go, but before I had worked at Goldman Sachs and I'd also gone home to teach and coach in my hometown. And so I was trying to figure out
what's the in-between of that, right? And so that's why I went to the city of San Jose and
everyone thought I was crazy when I graduated, but I really got to see some of the inner workings.
And then from city of San Jose, I ended up getting on the Hill, working for Feinstein,
working for Senator Stabenow, our chief of staff, during a really interesting time where the Affordable Care Act passed,
where we had a restructuring of the auto industry. It did lead me to recognize that
how can I help actually expand the perspectives of who is at the table, who's writing laws,
who's thinking about these things. I mean, I still remember the testimony where folks said the internet was a bunch of tubes. And when I looked at my colleagues who are younger in my age,
you know, we're like, what is going on? But anyway, that led me to really explore the politics side.
So both running for Congress, but then also being asked to be Hillary's national political director
in 2016.
Hillary, what was it like working with Hillary? What's that really like?
Yeah, it was an incredible, intense, competitive, just in general,
environment in the world to try and win a presidential election.
So I'll say she's incredibly smart.
And just really, when you think of an executive, and you think of an executive with just a depth
of experience, who wants to lean into a world that looks different, particularly for women,
it was eye-opening. It was eye-opening in a lot of ways. One, the seriousness by which she
brought, because she was at the State Department, she understood this international global world
at a time when we weren't having a discussion about Russia and Ukraine, right? She understood
what was at stake when it came to women. And like, so in some ways I felt like being on that campaign,
I was getting an early view with like a extremely
smart professor who could see, you know, the edges of what we live in today. Those are the best bosses,
right? I mean, you said like three things, you know, encouraging, you know, balance, interested
in you as a person, and then still demanding excellence, right? And I think sometimes you
have a boss that does one or the other, but all three, it's great. So just leadership style, how would you describe your leadership style? What are your core things
that you do? Well, it's funny, you're just coming off of like a week of having my executive team
together in person in the same room, but for the first time ever in two and a half years,
largely because we were built in crisis mode, right? And so in some ways we've gotten really good at reactionary,
but it's very much like basketball team, right?
I mean, I do see it very much as a coach to a team
largely because I call Code for America,
we're a little bit nonprofit,
we're a little bit technology company
and we're a little bit government.
So the truth is no one on my executive team could
actually, on the one hand, we're a team because not everyone's a good three-point shot, right?
Not everyone's a good big man. And so that's my style is it's much more of a coaching,
how are we going to do this kind of style together? Because it's also modeling for our teams
that are very, very, very cross-functional. But I mean, I got to say, we have fun while we do this, and it's hard stuff.
But we as a team, I would say, I'm pretty based on we've got the play, go run.
What are some tips for cyber CEOs or any managers in the cyber space
on how to bring diverse talent into the workforce?
Be intentional.
For us, we have from the very beginning, our executive team
is majority women and people of color. We look at metrics all the time. So every single all staff,
right, we have our metrics of how are things looking. And over the course of time, we've
really moved the needle. But I'll also say I worked on the front lines and we tell those stories
so that not only that you're comfortable
coming into Code for America, and we're still always working on that, but that you see yourself
in not only our mission, but what it could be for someone else and it'd be better than your
experience. As I said before, like if you don't have a good three point shot, right? Like your
team, it hurts the team, right? If you don't have a big man and our work is so spread in these different areas that we need that kind of, yeah, we
just need that kind of involvement.
So Amanda, I'm going to close it out there.
Thank you so much for joining Cyber CEOs Decoded.
Great to see you.
Take care.
That's Marc Van Zadelhoff from the Cyber CEOs Decoded podcast, speaking to his guest,
Amanda Renteria. You can find the Cyber CEOs Decoded podcast wherever you get your podcasts. Do check it out.
And I'm pleased to be joined once again by Caleb Barlow.
He is the founder and CEO at Cylete.
Caleb, it's always great to welcome you back. I want to touch base with you and get kind of a reality check on some of the things that we're seeing over at Twitter.
Lots of changes over there, and I have no doubt you have some insights here, some perspectives.
Well, you know, Dave, now it's been a few months after the explosive congressional testimony of
Mudge Zatko and, you know, Elon Musk actually now, well, he owns Twitter. So, you know,
let's talk a little bit about what we can learn from this episode. And I think we first have to
acknowledge that this fiasco at
Twitter had the makings of a Hollywood script. You know, we had the world's richest man, at least at
the time, along with a well-known and somewhat controversial security leader alleging very
serious security vulnerabilities at the social network as part of what was a, you know, and I
think this is important to underscore, a legal disclosure of a whistleblower complaint.
But once we get past all the hype, I think there's a couple of things that we really need
to take away and learn from this. So first off, a lot of what was discussed here and later verified,
what of course is also interesting is Elon stepped in, a lot of this stuff got validated versus swept under the rug.
You know, we're past the point where security basics aren't material, you know, and I think
a most simple way to look at this, and of course, the dialogue at Twitter was largely around
identity and access and separation of duties and who had access to all these Twitter accounts.
And of course, it ended up being almost everybody.
But let's put it in the most basic way, right?
If you do not have endpoint protection in place, network segmentation, logging of security
controls, then we're in the realm of negligence, especially if you're a public company.
And now, none of the 52 different breach disclosure laws call that out that simply. But I think one of the things that this really brought to light, especially not so much in the congressional testimony, but what was playing out on LinkedIn is people look at this and go, hey, this just isn't acceptable anymore not to have these kind of security controls in place.
Well, and what about we saw the sort of folks fleeing the organization. There were so many high-level people who left Twitter and certainly many who were let go.
But to what degree do you think that was a kind of a reflection that I can't stick around if this is what's going on?
Well, I think this is a really important point in this kind of episode.
Now, you know, there's this importance of standing up when things aren't getting fixed from a cybersecurity perspective versus, you know, just taking the title, being in the role, getting bonused and promoted, and not saying anything.
And what is fascinating about this situation at Twitter is as Mudge stood up and gave his testimony, particularly on LinkedIn, you saw people kind of taking sides.
On one hand, you had people saying, hey, these security vulnerabilities are awful.
This isn't acceptable.
On the other hand, you had people saying, hey, what he's doing isn't acceptable. You know, every CISO steps into a role where there are problems and issues. And part of this is the
job to get it done. But the question I come back on is all those other people that were kind of
running for the gates when this was going down, there were a lot of security people at Twitter.
Where are the internal disclosures? Did these
other people kick and scream? I don't think anyone is expecting everyone to take it to the extreme
that Mudge did and file a whistleblower complaint. But if these alleged vulnerabilities were actually
happening, there should be a whole series of internal disclosures from these security
professionals highlighting the
risk. And I'm sure there were plenty of people in meetings looking at these issues, but if they
didn't take the step of actually saying, no, this isn't acceptable on those internal meetings and
disclosures, and you've got things you have to do for Sarbanes-Oxley every quarter, where is this
stuff? There's a great quote from Martin Luther King.
Not that MLK was in any way focused on cyber with this quote.
I mean, that was clearly before his time.
I'm hanging in here with you, Caleb.
I'm hanging in here.
But I think this really applies, right?
In the end, we will remember not the words of our enemies,
but the silence of our friends, Martin Luther King, right?
Okay.
And I think that really applies here, right?
Where one of the things we can't have is just one person standing up saying,
hey, something's wrong here.
Where is everybody else in their duty to act in this situation?
What about, where's your loyalty, Caleb?
Where's your, you know, move fast and break things?
We don't have time for
those pesky sorts of ethics. Well, I think that's where this dialogue got really interesting in some
of the LinkedIn dialogues. And this is probably one of the most important takeaways that I think
executives need to recognize. Your own employees, contractors, and partners are going to turn you in if you aren't following
security basics.
There are whistleblower provisions now from the SEC and pretty much any party selling
to the government.
Now, although we haven't seen a ton of cases unfold here yet, I mean, there's just not
a lot of case law in place yet. These laws are in place, and they're likely coming.
And although this example had, you know, actors coming right out of central casting, I think we've got to start to look at
this much like the case of how we would look at financial fraud, right? If someone was cooking
the books, there would be a whole bunch of people standing up and saying, hey, this isn't acceptable.
You know, cyber fraud is really right in line with financial fraud, because if you don't
have basic security provisions in place, or worse yet, these security provisions are being
breached, you're committing fraud and this is material.
And do you think that's where we're headed?
I very much do.
But the key here is it's not going to do any good if people are just disclosing these
things. We're going to have to see regulators catch up and actually go in and prosecute some of this.
All right. Well, interesting insights. Caleb Barlow, thanks for joining us. Thank you.
And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is a production of N2K Networks,
proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
This episode was produced by Liz Irvin and senior producer Jennifer Eiben.
Our mixer is Tré Hester, with original music by Elliott Peltzman.
The show was written by John Petrik.
Our executive editor is Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.

Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.