CyberWire Daily - Interpol scores against BEC, online fraud, and money laundering. Developments in C2C markets. Versioning vulnerability. Cyber war and cyber escalation.
Episode Date: June 16, 2022
Interpol coordinates international enforcement action against scammers. A new version of IceXLoader is observed. Exploiting versioning limits to render files inaccessible. Reflections on the first large-scale hybrid war. Kelly Shortridge from Fastly on why behavioral science and economics matters for InfoSec. Patrick Orzechowski from DeepWatch on Russian IoCs and critical infrastructure. And the possibility of cyber escalation in Russia’s hybrid war against Ukraine.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/116
Selected reading.
Hundreds arrested and millions seized in global INTERPOL operation against social engineering scams (Interpol)
New IceXLoader 3.0 – Developers Warm Up to Nim (Fortinet Blog)
Proofpoint Discovers Potentially Dangerous Microsoft Office 365 Functionality that can Ransom Files Stored on SharePoint and OneDrive (Proofpoint)
Russia’s cyber fog in the Ukraine war (GIS Reports)
Russia Might Try Reckless Cyber Attacks as Ukraine War Drags On, US Warns (Defense One)
Cyber Attacks in Times of Conflict (CyberPeace Institute)
Vladimir Putin’s Ukraine invasion is the world’s first full-scale cyberwar (Atlantic Council)
Why Russia has refrained from a major cyber-attack against the West (Cyber Security Hub)
In modern war, we have as much to fear from cyber weapons as kinetics (Computing)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Interpol coordinates international enforcement action against scammers.
A new version of IceXLoader is observed. Exploiting versioning limits to render files inaccessible.
Reflections on the first large-scale hybrid war.
Kelly Shortridge from Fastly on why behavioral science and economics matter for InfoSec.
Patrick Orzechowski from DeepWatch on Russian IOCs and critical infrastructure.
And the possibility of cyber escalation in Russia's hybrid war against Ukraine.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for
Thursday, June 16th, 2022.
Interpol has announced that its Operation First Light 2022, directed against telecommunication fraud, business email
compromise, and the money laundering associated with them, has yielded a significant haul.
Results are still coming in, but so far, Interpol says, the operation's tally is 1,770 locations
raided worldwide, some 3,000 suspects identified, some 2,000 operators, fraudsters, and money launderers arrested, some 4,000 bank accounts frozen, and some 50 million U.S. dollars worth of illicit funds intercepted.
Law enforcement organizations in 76 countries were involved, a remarkably large cooperative effort.
Four countries conducted the raids: China, Singapore, Papua New Guinea, and Portugal. The crimes involved were varied,
ranging from human trafficking to Ponzi schemes built around bogus job ads.
So bravo Interpol, and bravo to its cooperating partners.
Researchers at Fortinet describe a new version of IceXLoader
being hawked in criminal-to-criminal markets. The researchers say IceXLoader is a commercial
malware used to download and deploy additional malware on infected machines. The latest version
is written in Nim, a relatively new language utilized by threat actors over the past two years,
most notably by the NimzaLoader variant of BazarLoader used by the TrickBot group.
The new version is more evasive and difficult to detect than its predecessors,
and of course, successful infection exposes the victims to deployment of other, more damaging malware.
Proofpoint researchers have discovered a Microsoft 365 functionality
that allows ransomware to encrypt SharePoint and OneDrive files
and make them unrecoverable without backups or a decryption key.
Researchers explain that threat actors can gain access to a user account
through compromising or hijacking credentials,
then can lower versioning
limits on files on OneDrive and SharePoint down to something as low as 1, encrypt the files twice,
and if they feel so inclined, can exfiltrate the unencrypted files and ask for a ransom.
Another option for encrypting the files doesn't involve changing the versioning settings. The default version limit is 500, so a file can be edited 501 times,
rendering the original unrestorable because, as the 501st version, it exceeds that limitation by 1.
The malicious actor could then encrypt the files after each of the 501 edits,
and increasing the version limit post-attack cannot restore the file.
Proofpoint disclosed this information to Microsoft,
which explained, first, that the versioning settings configuration workflow is working as intended,
and second, that older versions of files can be recovered and restored for 14 days
by using Microsoft support. While the versioning
settings configuration functionality is working as designed, Proofpoint says that it can still
be abused by malicious actors. The researchers also reported difficulty recovering older versions
of some files through Microsoft support. In full disclosure, Microsoft is a CyberWire partner.
The Atlantic Council has an essay by Yurii Shchyhol, head of Ukraine's State Service of Special Communications and Information Protection. Mr. Shchyhol discusses Russia's war against
Ukraine as the first cyber war, that is, the first major war in which cyber operations have
been integrated fully into planning and operations.
One of its conclusions is that the war has rendered obvious what's long been known by close observers of cyber gangs,
the place the Russian cyber underworld occupies in Moscow's order of battle.
Mr. Shchyhol says,
The current war has confirmed that while Russian hackers often exist outside of official state structures,
they are highly integrated into the country's security apparatus,
and their work is closely coordinated with other military operations.
Much as mercenary military forces such as the Wagner Group
are used by the Kremlin to blur the lines between state and non-state actors,
hackers form an unofficial but important branch of modern Russia's offensive capabilities.
Shchyhol also notes that the war has revealed Russian limitations as well as Russian capabilities.
Ukraine's infrastructure has shown significant resilience under Russian cyber attack.
Computing has an essay arguing that in wartime,
nations now have as much to fear from cyber attacks as they do from kinetic attacks.
At first look, this seems to be overstated. After all, cyber attacks become lethal only when they
have kinetic effects. A ransomware attack, for example, as such, is very far from being an artillery barrage, and a corrupted database isn't the same thing in real life as an artillery preparation.
Unless we become Gnostics who believe the physical world is less real than the information space, you wouldn't go that far.
But reading past the headline, that's not the essay's point. Its argument, rather, is that modern
infrastructure is now so inextricably intertwined with and dependent on information technology
that cyber attacks can and do have physical, kinetic effects. Computing quotes Ian Hill,
director of cybersecurity at BGL Insurance, who said at the magazine's conference last week,
The real world and the virtual world have become so interdependent.
Our physical world, certainly in the context of Western society,
has pretty much got to the point of no return.
We are so dependent on technology, and technology so dependent on the Internet, that the economy cannot exist without them.
If anything happens to the Internet or some connected technology, we've got a real problem.
Observers continue to debate why Russian cyber attacks haven't been more widespread
and more destructive than they proved so far to be.
If Shchyhol is correct, as he seems to be,
that Russian cyber operators are about as concerned with abiding by the norms of proportionality and discrimination
embodied in international laws of armed conflict as Russian infantry and artillery have shown themselves to be,
then the apparent restraint Moscow has exhibited seems to require explanation.
An essay in Cybersecurity Hub concludes that a partial explanation can be found in deterrence.
President Putin doesn't want a full war with NATO and has been concerned to avoid attacks
on critical infrastructure that would provoke a kinetic response from the Atlantic Alliance.
If Russia has maintained the complete conquest of Ukraine as its objective,
as many observers think it has, can deterrence be
expected to hold in cyberspace as the war inevitably escalates on the ground?
An assessment in GIS concludes that it may not. They say Russia's red lines and escalation
strategy could further change in the weeks and months ahead. How the military, political,
and economic aspects evolve and war aims change will influence how the Kremlin decides
to use its cyber capabilities in the conflict.
Speaking this week at Defense One's Tech Summit,
Neal Higgins, the Deputy National Cyber Director
for National Cybersecurity at the White House's Office
of the National Cyber Director, said,
I do think there is a risk that the deeper you get into this conflict
that the Russians will be pressed to resort to more aggressive operations.
If you're acting quickly and desiring a large impact,
there is a risk that you lose control, and that did occur.
It certainly is a risk that we continue to monitor across the government.
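The versioning behaviour in the Proofpoint item above, as an added example that is not part of the episode and is not Proofpoint's or Microsoft's code. It models the retention rule the story's arithmetic implies (the current version plus `limit` prior versions, with the oldest pruned on the next write), runs both attack paths against that model, and finishes with a hunting heuristic over constructed audit events. The SHA-256 keystream cipher is a stand-in for the ransomware, the `VersioningSettingsChanged` operation name and the thresholds are assumptions, and the model says nothing about the 14-day support-side recovery Microsoft described.

```python
"""Model of SharePoint/OneDrive major-version retention as the episode
describes it, the two attack paths, and an audit-log heuristic.
Added illustration; every assumption is marked in a comment."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass, field

DEFAULT_LIMIT = 500  # default major-version limit cited in the episode


@dataclass
class VersionedFile:
    """One file in a document library. Assumption: the library keeps the
    current version plus `limit` prior versions, prunes the oldest prior
    version when a new one is created, and applies a lowered limit on the
    next write. That reproduces the episode's arithmetic (501 edits at
    limit 500, two edits at limit 1)."""
    limit: int = DEFAULT_LIMIT
    current: bytes = b""
    history: list = field(default_factory=list)  # prior versions, oldest first

    def write(self, content: bytes) -> None:
        self.history.append(self.current)
        self.current = content
        while len(self.history) > self.limit:  # pruned versions are gone
            self.history.pop(0)

    def recoverable(self, content: bytes) -> bool:
        return content == self.current or content in self.history


def toy_encrypt(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """Stand-in for ransomware encryption: XOR with a SHA-256 keystream.
    Illustration only; a fresh nonce per pass keeps pass 2 from undoing pass 1."""
    stream = b""
    for counter in range(len(data) // 32 + 1):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def attack_lower_limit(f: VersionedFile, key: bytes) -> None:
    """Path 1: drop the limit to 1, then encrypt twice. The first write pushes
    the original into history; the second prunes it."""
    f.limit = 1
    for i in range(2):
        f.write(toy_encrypt(f.current, key, b"pass%d" % i))


def attack_exhaust_versions(f: VersionedFile, key: bytes) -> int:
    """Path 2: leave settings alone and write limit + 1 encrypted versions.
    Returns how many writes it took for the original to disappear."""
    original = f.current
    for i in range(f.limit + 1):
        f.write(toy_encrypt(f.current, key, b"edit%d" % i))
        if not f.recoverable(original):
            return i + 1
    return -1


def run_scenarios() -> dict:
    original, key = b"Q3 board minutes (constructed sample content)", b"k" * 16
    results = {}
    f1 = VersionedFile(current=original)
    attack_lower_limit(f1, key)
    results["path1_original_recoverable"] = f1.recoverable(original)
    f1.limit = DEFAULT_LIMIT  # raising the limit afterwards restores nothing
    results["path1_after_raising_limit"] = f1.recoverable(original)
    f2 = VersionedFile(current=original)
    results["path2_writes_to_destroy_original"] = attack_exhaust_versions(f2, key)
    return results


# Constructed audit events shaped like unified audit log SharePoint records:
# user, operation, object, timestamp in seconds. "VersioningSettingsChanged"
# is a placeholder name for the settings change, not a documented operation.
SAMPLE_EVENTS = (
    [{"user": "alice", "op": "FileModified", "obj": "/docs/minutes.docx", "ts": 10 + 600 * i} for i in range(3)]
    + [{"user": "mallory", "op": "VersioningSettingsChanged", "obj": "/docs", "ts": 5000}]
    + [{"user": "mallory", "op": "FileModified", "obj": "/docs/minutes.docx", "ts": 5001 + i} for i in range(2)]
    + [{"user": "bob", "op": "FileModified", "obj": "/docs/plan.xlsx", "ts": 9000 + i} for i in range(30)]
)


def suspicious_principals(events, window=3600, max_versions=25):
    """Flag a principal that changed a version limit, or that created
    `max_versions` versions of one file inside `window` seconds: a human does
    not save the same document 25 times in an hour, an encrypt loop does."""
    per_file = defaultdict(list)  # (user, file) -> modification timestamps
    flagged = set()
    for e in events:
        if e["op"] == "FileModified":
            per_file[(e["user"], e["obj"])].append(e["ts"])
        elif e["op"] == "VersioningSettingsChanged":
            flagged.add(e["user"])
    for (user, _), stamps in per_file.items():
        stamps.sort()
        for i in range(max_versions - 1, len(stamps)):
            if stamps[i] - stamps[i - max_versions + 1] <= window:
                flagged.add(user)
                break
    return flagged
```

Path 2 is the noisier one from a defender's seat: 501 writes per file is hundreds of `FileModified` records per object, which is exactly the burst the second heuristic keys on, while path 1 leaves only two writes per file and the settings change itself as the signal.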
Kelly Shortridge is a senior principal at Fastly and co-author of the book Security Chaos Engineering.
I met up with her at the RSA conference for insights on why behavioral science and behavioral economics matter.
The presentation was really diving into how the lizard brain and also the philosopher brain manage information security. So there are a few great examples. One is questioning folk wisdom, which is maybe a provocative thing
to say at RSA. But for instance, you hear all the time, you know, stock prices are hurt when
a breach happens. Well, if you look at the data, that's not necessarily the case. So be aware that
this is called availability bias, that just because something is familiar and it's repeated often,
that doesn't mean it's true.
It just means there's very good marketing.
But you can also leverage that to your advantage when you're thinking about things like security awareness in your organization or you want to encourage secure behavior.
You need to create those pithy messages.
You need to make sure they're repeated.
You almost need to have the same sort of principles as like a political slogan or marketing slogan.
But we don't always think that way.
Again, we present these kind of like very logical, drawn-out arguments for why security
matters, but really what people need, they just need like quick advice they can remember.
So that's a simple example of kind of how you can see on each side of the equation this stuff
matters. Is there a fundamental issue here, that the lizard brain takes priority over the more rational side of the brain? So it
screams the loudest and the quickest. It does, yes. And this is why it's actually useful, again,
to kind of harness the lizard brain almost against itself. So there's a paper I'm actually working on
with Josiah Dykstra, which is around opportunity cost, which can be very elaborate. You have to
think about here are all of the alternative options.
Let's say it's spending six hours of your time.
What are all the things you can do with it?
Turns out it's a lot.
That's way too much thinky-thinky, right?
The lizard brain's like,
I don't want to deal with all that.
However, you can create this heuristic of like,
okay, but what if I did nothing?
This becomes very powerful in information security.
So consider application security testing,
one of those tools.
Use that heuristic, what we call the null baseline.
Like, what happens if we did nothing?
Maybe you would be releasing software to production faster.
Maybe your developers would be less cranky.
Maybe that's good for the organization.
So you start to kind of uncover these hidden potential benefits
or hidden costs of actually pursuing something security-wise.
You can make sure that you're not introducing
unintended consequences in your organization.
Because then the lizard brain's like, security is the most important.
Like clearly this is my priority.
So like everyone else, you know, that doesn't care about security,
clearly they're wrong and irrational and can you believe them?
But instead it's almost like you're harnessing this new lizard brain tactic of like,
okay, but let me just really quickly consider what if I did none of this instead
in order to almost trick yourself into being more of a velociraptor.
What about the threat actors, the bad folks out there who are intentionally trying to
trip that lizard brain side, who are trying to get you into an emotional state and not
think rationally?
How do we train people to be aware of that and be able to counter it?
We don't.
As a security industry,
we have to start designing, again,
tools and workflows and procedures that try to help.
We can't expect users to be experts.
We can't expect them to have their thinky-thinky hat
on all the time
because we don't have it on all the time either.
And frankly, if you're looking,
most people are dealing with external emails constantly.
And now we're saying,
okay, 95% of the time when you click on this link
from an external sender,
it's going to be totally fine. But now you have to slow yourself down and maybe
read, you know, 20% fewer emails every day just for security. They're going to get fired probably
because they're not going to be as productive. You can't ask them to do that. And training only
goes so far. And I think if we were exposed to more training outside of security ourselves,
we would realize like, oh yeah, I totally forgot that training message at some point.
So I think the answer is we don't. And frankly, the attackers are just using the same tricks you
see in advertising and marketing. You know, like click now, the sale will end soon. Like all of
those behavioral tricks to get you to like buy more and buy faster. That's just what attackers
are using. So until we get rid of all that, it's almost like whatever training we do is just going
to be undone by the general commerce. And, you know, even business emails. How many times have you
had your boss say like, you need to finish this by end of day. You need to like click and view
this thing and review it for me. And attacker can just leverage that. So you're now saying like,
okay, you got to train something that has to completely override again, commerce, business
culture, all that. I don't think it's going to work. In general, would you say that the folks
who are developing these tools, the developers in general, are they more lizard brain or velociraptor dominant?
Every human is more lizard brain dominant.
That's just how we're designed as a species.
That's part of the reason why we love, you know, like sweet and salty snacks and like immediate rewards and, you know, all the stuff, the shiny stuff we see at the conference, right?
I think the key thing,
there's this kind of unfortunate feedback loop in the industry where people designing security tools
have to satisfy the requirements of their customers.
So that's the security teams.
Security teams still have their lizard brain mindset of like,
oh my gosh, everything's a threat, we're vulnerable,
we have to protect it at all costs.
And as I say, they don't really care
if the money printer stops going like,
they're fine if it shuts down if it means it's secure. Obviously the business disagrees,
but that means that if you're developing a tool and you want to succeed for the most part,
you have to cater to those requirements. And then of course the customers see more of the chatter
about like eliminate all threats, like prevent everything, which is not, again, that's lizard
brain sort of framing. So this kind of symbiosis around,
okay, stop everything at all costs
and don't think about how to make things easy,
fast, and simple for users.
Just have those really annoying bolt-ons for everyone else.
Save yourself some work up front,
even though maybe down the line during the incident
it's going to be extra messy.
It's really unfortunate.
Of course, I know we're talking more about the talk today,
but my co-author Aaron Reinhart and I are trying to change that with security chaos engineering and start to hopefully make more of that philosopher and longer term, thinky, thinky, more automatic through a set of kind of principles and practices.
That's Kelly Shortridge from Fastly.
Patrick Orzechowski is co-founder of cybersecurity firm DeepWatch, where he works directly with oil and gas and pipeline operators around the country to detect and respond to threats and attacks. At last week's RSA conference, Patrick's presentation centered on Russian IOCs hitting critical infrastructure in the U.S. during the Ukraine crisis and how this compares to other big attacks like Colonial Pipeline.
We got together to discuss his findings.
The APTs are really living off of the land, and they are using known vulnerabilities mostly.
So, you know, we hear things about zero days and catching behavioral things, which is great.
I mean, those products need to be there to protect EDR and behavior analytics, things like that.
But, you know, these actors are actually using traditional techniques and low-hanging fruit to attack systems of security for some of the traditional businesses, manufacturing businesses, oil and gas.
And they're now realizing that they have to accelerate their patching and accelerate their protection of their systems.
Yeah.
Beyond patching, what are some of the other things
that you're highlighting here in terms of mitigation?
Yeah.
From a detection standpoint versus mitigation,
I would say looking at the infrastructure,
traditional data sources that have been too noisy to look at,
DNS, for example.
If you go back to the SolarWinds attack,
those actors used DNS as the main culprit
for command and control, right?
They kept track of their victims using DGA domains,
subdomains, and their infrastructure
was built around DNS.
So a lot of folks kind of ignore DNS,
even from a forensic standpoint.
I think we need to start looking at that
from an operations standpoint, day-to-day,
week-to-week, month-to-month, to look at that data
because the actors need to use DNS as well
to ride that infrastructure.
Interesting. Okay. What else?
East-west traffic.
So understanding what's going on in a network.
Like I said, traditional firewalling techniques, those types of things.
Actors will figure out what holes are in those internal firewalls as well.
Okay.
You have ICS-OT networks that are separated by data diodes traditionally.
But a lot of those things, like if you look at the water attack in Tampa,
using TeamViewer,
those workstations had special access
to the water control systems.
That's how they got so far in.
So the actors will find ways in,
and those holes that have been open over the years,
you have security turnover,
you have folks who poke holes in firewalls,
it's working, don't touch it.
Those actors will exploit those holes that are in the systems now
to actually get into those manufacturing and OT systems.
Help me understand, I mean,
to what degree the fact that the nature of this sector
is there's a lot of one-offs.
How much of an issue is that?
Huge.
It's a huge issue because, you know, even same manufacturer like Siemens has 15 different models to do the same thing, right?
So 15 different pieces of firmware that need to be analyzed.
It's a very niche area of security.
You know, OT has their own conference that they just had down in Miami.
And it's kind of been ignored
until the recent colonial
and the recent hacks that have happened.
You have folks like Dragos
doing great things.
Rob Lee was on 60 Minutes, right?
So at least it's getting out there
that this critical infrastructure
needs to be protected.
So I think it is a huge issue that it is specialized,
but we do need more services and products specifically around OT, ICS to protect those things.
You don't have the CrowdStrikes and SentinelOnes that you can throw on a controller
that's $50,000 that does switching and things like that.
Right, right.
Based on the data that you've gathered here,
what are your recommendations?
What should people be doing to gain some ground?
Yeah, like I said, I would say looking at the infrastructure data
is critically important,
whether that's with a real-time product
like a Splunk or a SIEM product, whether
that's a long-tail product, some of the ML stuff that we're building at AWS, looks at
that data.
I think, you know, just like we had a layered approach to defense, we need a layered approach
to detection as well now, right?
You have, you know, one hour, one day, one week,
and each one of those detection windows
has a different use case.
So if you're looking at six months worth of data,
and this kind of generated out of the SolarWinds stuff,
it's like, how did we miss this for six months, right?
You need that data.
You have to look at that data as a whole to say,
and start picking out those things that are weird.
Because the
attackers will, like I said, live off the land.
They tend not
to drop malware now. They tend to
use the tools that are built in PowerShell
for example in a Windows environment.
So we need to gather all
that data and analyze it.
So those are the
things that folks can do outside of the
traditional enterprise things of locking it down. I think having visibility into those systems,
whatever data you can get, right? Like I said, you can't throw an endpoint product on a controller,
but you might be able to get all the DNS that's coming out of that network and put it in a single
place. It's going to be a lot of data, but at least you'll have some
visibility into what those systems are doing. That's Patrick Orzechowski from DeepWatch.
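A first-pass DNS hunting heuristic for the kind of command-and-control traffic Patrick describes, where an implant encodes victim data into many unique subdomains of one attacker-controlled domain. This is an added example, not DeepWatch's code and not from the episode. The resolver log lines are constructed, `c2-updates.test` is a made-up domain on a reserved TLD, the registered-domain split assumes two labels (real data needs the public suffix list), and the thresholds are starting points to tune per environment.

```python
"""DNS hunting heuristic: per client and registered domain, count unique
subdomains and measure how random their leftmost label looks. Added
illustration over constructed data; thresholds are assumptions."""
import math
from collections import Counter, defaultdict

# Constructed resolver log, "<epoch> <client> <qname>" (not a real capture).
# 10.0.0.7 beacons every 60 s with a random-looking label; 10.0.0.9 fans out
# over a CDN with ordinary labels and must not be flagged.
SAMPLE_LOG = """\
1655380000 10.0.0.5 www.example.com
1655380010 10.0.0.5 mail.example.com
1655380020 10.0.0.7 7fk2q9d1xz0p.c2-updates.test
1655380080 10.0.0.7 b3n8v4t6lw9h.c2-updates.test
1655380140 10.0.0.7 z1m5c8r2qy7k.c2-updates.test
1655380200 10.0.0.7 x9p4j6t3nd2w.c2-updates.test
1655380260 10.0.0.7 k4w7h2v9bq8s.c2-updates.test
1655380270 10.0.0.9 static.cdn.example.net
1655380280 10.0.0.9 img1.cdn.example.net
1655380290 10.0.0.9 img2.cdn.example.net
1655380300 10.0.0.9 img3.cdn.example.net
1655380310 10.0.0.9 img4.cdn.example.net
1655380320 10.0.0.9 img5.cdn.example.net
"""


def parse_log(text):
    """Return (timestamp, client, qname) tuples from the simple log format."""
    records = []
    for line in text.splitlines():
        ts, client, qname = line.split()
        records.append((int(ts), client, qname.lower().rstrip(".")))
    return records


def registered_domain(qname):
    # Assumption: the last two labels are the registrable domain. Real data
    # needs the public suffix list (co.uk, com.au, ...).
    return ".".join(qname.split(".")[-2:])


def shannon_entropy(s):
    """Bits per character: about 2 for short words, 3.5+ for 12-char random labels."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0


def find_suspicious(records, min_unique=5, min_entropy=3.0):
    """Return {(client, registered_domain): stats} for pairs whose subdomain
    fan-out and leftmost-label randomness both exceed the thresholds."""
    groups = defaultdict(lambda: {"labels": set(), "ts": []})
    for ts, client, qname in records:
        reg = registered_domain(qname)
        sub = qname[: len(qname) - len(reg)].rstrip(".")
        if not sub:  # bare registered domain, nothing encoded in it
            continue
        groups[(client, reg)]["labels"].add(sub)
        groups[(client, reg)]["ts"].append(ts)
    hits = {}
    for key, g in groups.items():
        labels = g["labels"]
        mean_ent = sum(shannon_entropy(l.split(".")[0]) for l in labels) / len(labels)
        if len(labels) >= min_unique and mean_ent >= min_entropy:
            ts = sorted(g["ts"])
            gaps = sorted(b - a for a, b in zip(ts, ts[1:]))
            hits[key] = {
                "unique_subdomains": len(labels),
                "mean_entropy": round(mean_ent, 2),
                "median_gap_s": gaps[len(gaps) // 2] if gaps else None,  # beacon cadence hint
            }
    return hits
```

Both conditions are needed: the CDN client has more unique subdomains than the beaconing host but fails the entropy test, and a single random-looking lookup is noise until it repeats. The median gap is reported so an analyst can see a fixed cadence at a glance, which is the other tell of a sleeping implant checking in.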
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Liz Irvin, Elliott Peltzman, Tré Hester, Brandon Karpf, Eliana White,
Puru Prakash, Justin Sabie, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard,
Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.