CyberWire Daily - Lazarus Group seems to have deployed an IE zero day. Electrobras discloses ransomware attack. TrickBot returns. Breaches at security companies. Russo-American get-to-know-you talks.
Episode Date: February 5, 2021
Lazarus Group seems to have had an IE zero day. Brazilian power utility discloses a ransomware attack on business systems. TrickBot's back. Automated attacks are going after web applications. Two security firms report breaches. Patching notes. A look at life in the cleared community. Caleb Barlow from CynergisTek with handling disinformation in our runbooks. And Washington and Moscow hold the usual frank discussions--the Americans, at least, talked about cybersecurity. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/24
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Lazarus Group seems to have had an Internet Explorer zero day.
Brazilian power utilities disclose a ransomware attack on business systems.
TrickBot's back.
Automated attacks are going after web applications.
Two security firms report breaches.
We've got some patching notes.
A look at life in the cleared community.
Caleb Barlow from CynergisTek on protocols and best practices for handling inbound intel.
And Washington and Moscow hold the usual frank discussions.
The Americans, at least, talked about cybersecurity.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, February 5th, 2021.

An update to the Lazarus Group's social engineering campaign against vulnerability researchers that Google brought to everyone's attention a week and a half ago. Bleeping Computer reports that South Korean security firm Enki has found a new wrinkle in the campaign. MHTML files the Lazarus Group used in communications with prospective victims carried an Internet Explorer zero-day as a payload. Microsoft had noticed the use of malicious MHTML files earlier, but now Enki has confirmed that some of its researchers received approaches that contained them. The attempts were unsuccessful, Enki says, but they were able to examine the file and identify the zero-day, which they characterize as one that abuses a double-free bug in Internet Explorer version 11. The exploit allows the attackers to upload a list of the running processes, screen captures, and network information to their command-and-control server. It also drops and executes additional malicious code. Enki says they've reported the zero-day to Microsoft and that they believe other parties have become aware of the exploit as well.

Brazil's Eletrobras, according to Reuters, has disclosed that its nuclear power subsidiary Eletronuclear has sustained a ransomware attack. The word "power" in the description of a cybersecurity incident is spooky enough; add "nuclear," and the flesh begins to creep. But this incident is said to have affected only business systems, leaving control systems unaffected and posing no threat to safety. Eletrobras has taken steps to contain the damage to its administrative systems, suspending, reports say, the use of some unspecified software, and the authorities have the matter under investigation. Since attackers have in the past shown an ability to pivot from business networks to control system networks, any ransomware attack on a power utility is to be taken seriously. In this case, Eletrobras seems confident that it's contained the damage.
Kryptos Logic says it's found that TrickBot is deploying a new reconnaissance module, masrv, which uses the masscan open source tool, an unreferenced Anchor C2 communication function, and a list of hard-coded IPs which have previously been associated with Anchor and Bazar. Two versions of masrv are in use, and the one the attackers select is determined by the version of Windows the prospective victims are using.

TrickBot's return is another bit of foreseeable dismal news. TrickBot was clobbered pretty hard back in October when Microsoft led a consortium to take down its infrastructure. FS-ISAC, ESET, Lumen's Black Lotus Labs, NTT, and Symantec were the other companies on board for the whacking. The honorable whackers (and sincerely, bravo to them, because it's a necessary whack) warned at the time that takedowns of this sort don't last forever, and that they'd be on the lookout for a return. And of course, TrickBot has returned, with Menlo Security warning just last week that they were seeing signs of the revenant malware.
Barracuda Networks yesterday released a report on automated attacks on web applications, a problem the security firm sees as a growing one. Automated attacks, Barracuda explains, are incidents in which bots work to exploit vulnerabilities in web apps. Of the attacks Barracuda detected, almost one in five were fuzzing attacks, looking for points where applications can be exploited. Injection attacks came in second at over 12%, and the researchers say that a lot of those were script-kiddie-level noise, attacks being thrown at an application without reconnaissance to customize the attacks. A close third, also right around 12%, were bots masquerading as legitimate bots, and there are such things, like Googlebot. 9% of the attacks were engaged in application DDoS. There's a bit of a silver lining in Barracuda's report: users appear to be migrating to newer, updated, and more secure browsers.
The version of Chrome Google released yesterday includes a fix for a vulnerability being actively exploited in the wild, ZDNet reports.

In other patching news, SolarWinds has, according to Cyberscoop, released fixes for the two vulnerabilities Trustwave reported this week. SolarWinds advises users to apply the patches as soon as possible.
One of those automated attacks hit security firm Emsisoft, well known for its work against ransomware. On Wednesday, one of its test systems was breached. The company still has the incident under investigation and is working out the nature and extent of the compromise, but for now, the data taken appears to consist mostly of technical logs Emsisoft's endpoint protection system produces in the course of normal operations. The company said in a disclosure, quote, "The attack profile indicates that this was an automated attack and not specifically targeted at Emsisoft. Also, our traffic logs indicate that only parts of the affected database were accessed and not the entire database. However, due to technical limitations, it's impossible to determine exactly which data rows were accessed," end quote. Investigation remains in progress.
Airbus security subsidiary Stormshield has also disclosed a breach. In this case, the breach occurred in a technical portal that Stormshield's partners and customers use to manage their support tickets. They've alerted both the affected parties and French authorities. The company also found that some of their source code had been accessed by the threat actor. Investigation is still in progress, but Stormshield says that it's found no evidence that any of its code had been altered.
Bravo, Bitdefender, who've released a decryptor for Fonix ransomware. The gang is thought to have shuttered its operation late last month, but there still may be some recovering victims out there.
And finally, it seems the new U.S. administration has been on the horn to the Kremlin. The U.S. Secretary of State and his Russian counterpart talked yesterday. Among the matters they discussed was, predictably, cybersecurity. Secretary Blinken told them to knock off stuff like the SolarWinds mischief. Foreign Minister Lavrov probably said that they didn't do nothing, or at least that would be the implication of the silence of Moscow's official press release on the matter. What the press release did say was, more or less, "Besides, you're just as bad as us, Yankee. You're complaining about this Navalny guy? Hey, what about those people who protested the election of your boss? Huh? Huh? You got your laws and we got ours." What's it all mean? Probably diplomatic business as usual.
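The "bots masquerading as legitimate bots" category in the Barracuda item above is the one a web operator can actually check for in their own logs, because Google publishes how its crawlers are verified: reverse-resolve the client IP, require the name to end in googlebot.com or google.com, and forward-resolve that name back to the same IP. The following is an added example written for this page, not code from the episode, Barracuda, or Google; the log lines and the DNS answer tables are constructed so it runs offline, and the socket-based resolvers are the drop-in replacements for live use.

```python
"""Flag requests whose User-Agent claims Googlebot but which fail
forward-confirmed reverse DNS (FCrDNS).  Added example, not from the
episode or from Barracuda; all sample data below is constructed."""
import re
import socket

# Domains Google documents for its crawlers' reverse-DNS names.
GOOGLEBOT_DOMAINS = ("googlebot.com", "google.com")

# Constructed DNS answers so the example runs offline.  Three cases:
#   66.249.66.1  -> genuine: PTR is in googlebot.com and forward-resolves back
#   203.0.113.7  -> claims Googlebot in its UA, but its PTR is not Google's
#   198.51.100.9 -> PTR spoofed to look like Google's, forward lookup disagrees
FAKE_PTR = {
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com",
    "203.0.113.7": "scanner.example.net",
    "198.51.100.9": "crawl-66-249-66-1.googlebot.com",
}
FAKE_A = {
    "crawl-66-249-66-1.googlebot.com": "66.249.66.1",
    "scanner.example.net": "203.0.113.7",
}


def lookup_ptr(ip, table=FAKE_PTR):
    """Offline stand-in for a PTR query."""
    return table.get(ip)


def lookup_a(host, table=FAKE_A):
    """Offline stand-in for an A query."""
    return table.get(host)


def live_ptr(ip):
    """Real PTR lookup; pass this as `ptr=` for production use."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def live_a(host):
    """Real A lookup; pass this as `fwd=` for production use."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def is_verified_googlebot(ip, ptr=lookup_ptr, fwd=lookup_a):
    """FCrDNS: the PTR name must be under a Google crawler domain AND
    resolving that name must return the original IP.  A spoofed PTR
    alone is not enough, which is why the forward step is mandatory."""
    host = ptr(ip)
    if not host:
        return False
    if not any(host == d or host.endswith("." + d) for d in GOOGLEBOT_DOMAINS):
        return False
    return fwd(host) == ip


# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d+ \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def find_fake_crawlers(log_lines, ptr=lookup_ptr, fwd=lookup_a):
    """Return (ip, request) for lines that claim Googlebot but fail FCrDNS."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or "Googlebot" not in m.group("ua"):
            continue
        if not is_verified_googlebot(m.group("ip"), ptr, fwd):
            hits.append((m.group("ip"), m.group("req")))
    return hits


# Constructed sample log lines.
SAMPLE_LOG = [
    '66.249.66.1 - - [05/Feb/2021:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '203.0.113.7 - - [05/Feb/2021:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 404 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '198.51.100.9 - - [05/Feb/2021:10:00:03 +0000] "GET /.env HTTP/1.1" 404 0 "-" "Googlebot/2.1"',
    '192.0.2.5 - - [05/Feb/2021:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 Firefox/85.0"',
]

if __name__ == "__main__":
    for ip, req in find_fake_crawlers(SAMPLE_LOG):
        print(f"fake crawler: {ip} {req}")
```

The same shape works for Bing and other crawlers that publish verification domains; only `GOOGLEBOT_DOMAINS` changes. Cache the lookups in production, since a busy site will see the same few crawler IPs thousands of times an hour, and treat a verified crawler hitting `/wp-login.php` or `/.env` as just as suspicious as an unverified one.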
My guest today is a woman working in the cleared community for Northrop Grumman.
Because of the nature of the work she does, she's requested we not name her, and we respect that request.
She's got valuable insights to share on what it's like balancing a career with a security clearance.
What is it like being in the cleared community? I mean, I think, you know, I grew up in the Fort Meade area, and I remember, you know, a lot of parents of friends of mine, if you asked them what they did for a living, they would just say, I work for the government.
And that was it, right?
And everybody kind of knew not to pursue it any farther than that.
I mean, that comes with the territory, right? I mean, you're limited in
the avenues of conversation at cocktail parties might be limited for you.
Well, you know, actually it's spectacular. I mean, there is absolutely nothing sexy or
interesting if you decide to go to a cocktail party and you say, well, I do math for a living,
because then everyone tells you how they don't know how to balance their own checkbook.
I see. Or they say, oh man, math. Ooh, that sounds difficult. But actually, I find working in
the cleared space somewhat liberating, even at cocktail parties, if only because I have to talk
about things that are not my job. And also, it's a reason for me to ask people what they do if they're really keen on talking
about it. So, you know, it does. I think one of the challenging things about working in this space
is that there is this bifurcation in your life. You have work and you have not work. And I think
that, I mean, I'm very thankful. So my husband understands
the space. He's been in the Air Force now for 18 years. So I'm very fortunate in having a life
partner who understands that I really can't talk about what I do and that there's this,
you know, there's a difference between who I am at home and what I can talk about at home and
then what I do at work. So I think if
people aren't, there's all kinds of reasons why people might not be comfortable with that,
but I find it comfortable and also comforting in some ways. It's nice to be able to leave work at
work some days. And as I like to joke, we're not doing television. So sometimes it's just really good to come home, put work away, and remind yourself why you're doing the things you're doing.
What about professionally?
Is there a risk of finding yourself in a bit of a bubble because you're limited in who you can talk to, who you can bounce ideas off of. Is that something you
have to be deliberate about of making sure that you, within that community, that you have
enough diversity of thought to still be able to do the things that you need to do?
Yeah, no, I think that's a great question. And I think you do, I don't want to say that you risk
becoming stale, but I think that one of your responsibilities, especially when you participate in what is an insular community, it is your responsibility as part of your professional development to do as much as you can to research outside of that community. Because, like, so for myself, I came from an academic background where, you know, you're going to conferences, you're having conversations, you're publishing
papers, you're sharing ideas, right? And those papers could be formal peer-reviewed papers or
white papers. And you don't have those same opportunities. The problem space is appreciably
different. And so, you know, I think one of the challenges is you have to find
ways outside of your day-to-day work to stay involved, in my case, in staying up to date on
what are the most advanced methodological techniques, what is considered cutting edge.
And I have to go outside, often outside my work to have those conversations.
It just means that, you know, that when I have to think about methods and think about application, I have to immerse myself in another content area in order to do that exploration.
So it's a little bit of extra legwork, but it's actually something that I don't mind doing.
What are your recommendations for folks who are feeling drawn to this area?
You know, those people who are really mission-focused, who feel as though they want to give something back.
Do you have any words of wisdom for them?
You need to know what you bring to the table, and you also need to understand your own limitations. So you need to be able to talk about
what you know and you need to be equally articulate about what you don't know and what you aren't.
It's not that you're not capable of doing it, but understand that there's other people whose
expertise might be more valued. And so understanding your own limits. In the context of cyber, right,
there's a lot of buzzwords there, data science and cyber, and it sounds really sexy and it's, you know, it's new and it's
interesting and everybody wants to do 18,000 things, you know, and so when somebody approaches
you and they say, oh, can you do, right, X, Y, or Z, can you answer these problems? You want to say
yes. You want to say yes. And you want to say, you know, I'll just quickly brush up
on some things or I could learn that. You know what? You can't know everything and it's really
okay to say no. And it's okay to say, you know what? Those are not problems I'm interested in,
but here's where I think I can help you. And I think part of being mission focused
is embracing that. It's not about you, right? It's not about what you bring to the table.
It's about the table that you're sitting at and understand, right, what your contribution is.
Our thanks to our guest and to Northrop Grumman for taking the time for us today.
Be sure to check out the Creating Connections show that will be released this Sunday.
And I'm pleased to be joined once again by Caleb Barlow.
He is the CEO at CynergisTek.
Caleb, it's always great to have you back.
I wanted to talk about incident response plans, runbooks,
and how do you successfully implement those if you have to deal with things
like disinformation? Well, Dave, this is the new thing that I'm having a lot of discussions with
clients about is how do I deal with disinformation in my run books? And, you know, it doesn't sound
like something that security professionals would normally have to think about, but just look at
what went down in the election cycle, right? And without getting into all the politics of this, you know, if we look at what CISA had to do and Chris Krebs,
they spent a couple of years preparing plans for what might happen if someone tries to break trust
in the election cycle. And most importantly, how do we deal with this information and ensure
that we can instill trust in that ultimate vote?
Well, the same thing holds true with any critical system.
And we're starting to see more and more examples where a cybersecurity incident is just the catalyst that causes all these disinformation campaigns to take off.
And, you know, we're in a world today where there are legitimate media outlets that help to propagate this. There are illegitimate media outlets that help to propagate this. And then,
of course, there's the world of social media. So if your company is breached and something
significant happened, the old adage of say nothing until you know what's going on might not be the
best strategy. Maybe you need to get out there early so that you control the message.
Because if you don't, surely someone else will.
Well, let's take a look at the recent example
of the SolarWinds breach, right?
So, you know, likely nation state actor,
likely attributed to Russia.
And within a few days, you actually have, in this case,
even the president of the United States
arguing with his own administration, well, maybe it's China, right? I mean, that's just not helpful in this
kind of dialogue. Now, again, let me extract this back out of the politics, just using the politics
as the example. What would happen if, let's say, your company allegedly had a breach that caused
somebody to die or cause some horrible implication,
right? That may or may not be true. The opportunity for runaway in that dialogue is significant in
this new world. And you've got to have a way to be in front of that. So what does that mean?
Well, cybersecurity professionals really need to get to know crisis communicators,
how to build things called
holding statements where, you know, you can kind of hold the press dialogue with an early statement
on what's going on, add more details to it. You've got to know your media outlets, use your employees
to help push out social media messages versus what we see in most cases is employees pushing out,
you know, the picture of the ransomware screen. Hey, this just happened at work.
What does this mean?
Hmm.
What about internally?
How do you get everybody on the same page there?
Because they're going to be seeing inbound stuff.
They're going to be seeing all the rumors and all that stuff online.
Well, this is probably the most critical thing is making sure you have a known pathway for internal communications. And also, you know, we've talked about this before on the Cyber Wire, I like to see a commander's intent as well. So when something occurs, your employees know, hey, there's a cybersecurity incident going on, I know immediately what to do. And that is not post pictures of what's happening on social media, right? That's
defer people to my communications team. That's to make sure that when we speak externally,
we speak with one voice and that one voice had better be transparent.
Is this something, well, you and I always talk about, you know, you got to plan for this stuff
ahead of time. The worst possible situation is to be reactive when you're in the heat of the moment
and everything's emotional.
You know, you gotta practice this stuff ahead of time.
How does an organization know
when they're able to handle something like this internally
versus where, hey, we gotta get some help from outside?
Well, I mean, I think the answer to that is simple.
You need to get some help from the outside.
I mean, not to sound flippant in my response to that, Dave, but this is a defined
swim lane. You know, people that are good at crisis communications, it is an art form. And
unfortunately, it is not your VP of marketing, right? Right. So, yeah, get some help from the
outside. And that doesn't mean you've got to go spend hundreds of thousands of dollars on a retainer with some big expensive firm.
But it does mean that you've got to think about it in your run books.
You've got to build these best practices and you've got to have exercised them ahead of time.
And I suppose, I mean, build that relationship ahead of time where you've already established trust with these folks before you're presented with
the smoking hole in the ground, right? Well, that's exactly right. Because one of the biggest
problems in most breach responses is executive decision-making. You're up against a human
adversary. They can pivot, they can jog. And here's what I've often said to people, right?
Is you want to always consider what is your adversary's likely next move and what is your
adversary's likely worst move. And that should inform your decision-making. And what I'm saying now is add
one more thing to that, which is what is the market perceptions likely to be out of this?
And how do you get in front of that story? You know, so, so what is the dialogue that you want
out there about this breach? You know, let's take a recent example,
Dave, of the SolarWinds breach, right? I mean, I think all the parties there have been very
transparent. As quickly as they knew information, it's gotten out. And this is obviously a very
devastating breach. But imagine if the SolarWinds breach, if we were getting that in drips and
drabs over three months because those executives involved weren't being transparent. This would
be a whole other realm of crisis.
Well, it's important stuff for sure.
Caleb Barlow, thanks so much for joining us.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker too. Looking ahead to next week, Rick Howard examines AWS through
the first principles lens. Colonel Stephen Hamilton from the Army Cyber Institute joins
us on Tuesday. On Wednesday, we look at quantifying cyber risk with Saket Modi from Safe Security.
Chris Cochran from Hacker Valley Studios is my guest next Thursday
with details on his special
titled, We Are Here, Black Excellence
in Cyber. And next
Friday, it's David Barzalai from
Karamba Security on why
IoT security matters more than
ever. Lots to look forward to.
We hope you'll join us.
The Cyber Wire podcast is proudly produced
in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Guru Prakash, Kelsey Bond, Tim Nodar,
Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Vilecki, Gina Johnson, Bennett Moe,
Chris Russell, John Petrick, Jennifer Iben,
Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here next week.