CyberWire Daily - LockBit gets an upgrade. CosmicStrand UEFI firmware rootkit. Treating thieves like white hats? Most-impersonated brands. AV-Test's Twitter account is hijacked. The cyber phase of a hybrid war.

Episode Date: July 26, 2022

LockBit gets an upgrade. CosmicStrand firmware rootkit is out in a new and improved version. Are thieves being treated like white hats? AV-Test's Twitter account is hijacked. Joe Carrigan considers the mental health effects of the online scam economy. Mr. Security Answer Person John Pescatore ponders the cybersecurity talent gap. And ongoing speculation on the cyber phase of the hybrid war.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/142

Selected reading.
LockBit Ransomware Group Augments Its Latest Variant, LockBit 3.0, With BlackMatter Capabilities (Trend Micro)
CosmicStrand: the discovery of a sophisticated UEFI firmware rootkit (Securelist)
Crypto Firms Make Thieving Hackers an Offer: Keep a Little, Give Back the Rest (Wall Street Journal)
Phishers' Favorites Top 25, H1 2022: Microsoft Is the Most Impersonated Brand in Phishing Attacks (Vade Secure)
Testing times for AV-Test as Twitter account hijacked by NFT spammers (Graham Cluley)
Ukraine fall-out and new ransomware tactics elevate cyber risks (Strategic Risk Europe)
Ed's note: The Ukrainian-Russian cyber war no one speaks about (Smart Energy)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. LockBit gets an upgrade. CosmicStrand firmware rootkit is out in a new and improved version. Are thieves being treated like white hats? AV-Test's Twitter account is hijacked.
Starting point is 00:02:10 Joe Carrigan considers the mental health effects of the online scam economy. Mr. Security Answer Person John Pescatore ponders the cybersecurity talent gap. And ongoing speculation on the cyber phase of the hybrid war. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, July 26, 2022. Researchers at Trend Micro discussed the most recent version of the familiar LockBit ransomware. LockBit 3.0, also known as LockBit Black, appeared late last month, coincidentally alongside the release of the gang's new dump site and bug bounty program. It seems that version 3 has borrowed some code from the BlackMatter ransomware strain, hence the alternative name LockBit Black.
Starting point is 00:03:22 The ransomware checks languages on the machines it targets, and it avoids executing on those it detects set for, generally, the Russian neck of the woods. The exclusions suggest privateering. Trend Micro concludes, With the release of this latest variant and the launch of LockBit's Bug Bounty program, which rewards its affiliates, we expect the LockBit ransomware group to be even more active in the coming days. We advise organizations and end-users to be wary of this new variant, especially since the Bug Bounty program might help the operators in making their ransomware an even more formidable one. The researchers summarize three best practices
Starting point is 00:04:03 for mitigating the risk of ransomware. First, follow the 3-2-1 rule, that is, store three backup copies in two different formats and keep one of those backups off-site. Second, be alert for social engineering. And third, keep software up-to-date with regular patching. Researchers at Kaspersky have identified a new UEFI, that's Unified Extensible Firmware Interface, firmware rootkit. They're calling CosmicStrand an updated version of a rootkit Qihoo 360 discussed in 2017. CosmicStrand appears in Gigabyte or Asus motherboard
Starting point is 00:04:42 firmware images, and while Kaspersky hasn't been able to determine how the infection occurs, they think it likely that a common vulnerability in the H81 chipset is being exploited. The rootkit can be used to deploy a range of malicious payloads. The victimology is interesting, and the attacker's motives are difficult to discern. Kaspersky wrote, we were able to identify victims of CosmicStrand in China, Vietnam, Iran, and Russia. A point of interest is that all the victims in our user base appear to be private individuals, and we were unable to tie them to any organization or even industry vertical.
Starting point is 00:05:23 Attribution is unclear, although signs point to Chinese or at least Chinese-speaking authorship. CosmicStrand offers an attacker the prospect of great persistence and extraordinary stealth, and it prompts some disturbing speculation from Kaspersky about the unknown unknowns that may still be out there. Kaspersky says, The most striking aspect of this report is that this UEFI implant seems to have been used in the wild since the end of 2016, long before UEFI attacks started being publicly described. This discovery begs a final question. If this is what the attackers were using back then, what are they using today?
Starting point is 00:06:07 Cryptocurrency platforms who've seen their holdings looted by cyber thieves are increasingly offering the criminals who've rifled the platform's wallets a reward if they'll return a substantial fraction of what they've stolen. According to the Wall Street Journal, legitimate vulnerability researchers,
Starting point is 00:06:25 white hat bug hunters, are unhappy about their own trade being conflated with that of the criminals. The payments are a very small fig leaf placed over a ransom payment, which isn't at all the case with legitimate bug bounties. The sort of crime the cryptocurrency platforms are dealing with isn't in the first instance extortion, it's direct theft, and it's difficult to see this particular business strategy as likely to do anything other than stoke the existing bandit economy. Security firm Vade this morning released a report detailing trends in phishing scams with particular attention to brand impersonation. The study found that Microsoft was
Starting point is 00:07:06 the most impersonated brand in the first half of 2022, followed closely by Facebook. Looking at scams by sector impersonated, financial services were at the top of the leaderboard. One interesting tidbit researchers found is that phishing is most likely to happen on weekdays, with most phishing attacks occurring between Monday and Wednesday. The Magdeburg, Germany-based security testing firm AV-Test GmbH said yesterday that its English-language Twitter account had been hijacked. As we record this, they don't seem to have returned their account to normal. How their account was hijacked is unknown, and as Graham Cluley sensibly points out,
Starting point is 00:07:55 it's premature to blame either AV-Test, Twitter, or anyone else for negligence. Who hijacked the account? It's a dog bites man story. The hijackers appear to be some goons hawking dim-witted non-fungible tokens they call doodles. And finally, many have noted that Russian cyber offenses haven't had the devastating effects that were expected during the run-up to the invasion of Ukraine. But it's important to remember that this isn't necessarily for want of trying. CyberCube's global threat briefing sees substantial cyber activity, some hacktivism, some state-run, some privateering, on both sides. In their report, they state, since the start of the war in Ukraine, both sides have been amassing cyber armies and
Starting point is 00:08:39 hacktivists have pooled their efforts to attack Russia. Anonymous has broken into CCTV cameras at the Kremlin. Meanwhile, Russian hacktivists are striking targets in Eastern Europe. There are currently more than 70 different cyber threat actors related to the war in Ukraine, double the number identified at the beginning of March. Strategic Risk notes CyberCube's observations about how Russian cyber espionage and ransomware activity have increased and spread at higher than customary rates to target nations sympathetic to Ukraine. Target selection by ransomware privateers has shown evidence of a great deal of attention being paid to sectors that may be more vulnerable and overlooked.
Starting point is 00:09:21 CyberCube told Strategic Risk that ransomware gangs are currently targeting lower-profile critical infrastructure operations and small and medium-sized businesses in healthcare, agriculture, and food supply chains. Businesses in these industries are among those who can least afford the downtime associated with ransomware and extortion attacks, and often lack resources for effective cybersecurity in the face of well-resourced and determined attackers. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security,
Starting point is 00:10:09 but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
Starting point is 00:10:38 and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected
Starting point is 00:11:26 lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. Hi, I'm John Pescatori, Mr. Security Answer Person. Our question for today? We all know that first COVID and then Russia's invasion of Ukraine caused massive supply chain problems. But supply chain problems around hiring security staff predate that by many years. You'd think by now supply and demand would have long ago addressed this. How big really is the cybersecurity talent gap?
Starting point is 00:12:29 That's an easy answer for me. The number of unfilled cybersecurity positions is somewhere between 39,000 and 3.5 million. Next question. Well, I bet you're thinking, could he narrow that down a bit? Picky, picky, picky. Those numbers came from a CyberSeek study on the cybersecurity talent gap.
Starting point is 00:12:47 CyberSeek is an effort by Burning Glass, CompTIA, and the National Institute of Standards and Technology National Initiative for Cybersecurity Education, NIST NICE. So in order to really answer that question, we first need to know two numbers. How many security professionals are needed? That is largely subjective. And then how many security professionals are currently employed? This is quantitative, but it's proven hard to measure, but that's what CyberSeek addressed. So let's dig into the CyberSeek numbers a bit. I'm going to have to be U.S.-centric here because it's really, really hard to find numbers outside the U.S. CyberSeek recently said they found 181,000 job openings for security analysts in the U.S., but only 142,000 employed security analysts. That's the source of the 39,000
Starting point is 00:13:33 estimate of the shortage. So let's take a statistical look. In an infographic, CyberSeek says there is one cybersecurity employee for every eight job openings, versus the national average across all jobs of one employee per three openings, that would say there are about 57,000 people employed in security-related fields, meaning overall they're saying there are about 200,000 people working in cybersecurity against about 600,000 openings. This would say the U.S. needs 800,000 cybersecurity employees. But let me do a sanity check on that. The U.S. Census says IT employees are about 3.3 percent of the overall workforce. Over my years at Gartner, we typically found that there was one IT employee for about every 25
Starting point is 00:14:23 company employees, and that was a good average across both mid and large businesses. We then found that there was about one security person for about every 10 to 25 IT employees, with an average of about one security employee for about every 15 IT employees. So what, you say? Well, there are about 8 million IT employees in the U.S., meaning there are already about 533,000 folks working in cybersecurity versus the 200,000 that CyberSeek compiles. That's a big difference, and it even gets worse if you look at other studies.
Starting point is 00:14:58 Bottom line on a quantitative analysis, we don't have the data. So here's a subjective qualitative analysis. First, full disclosure, for the past 10 years, I've worked for SANS, the biggest cybersecurity training company out there. What SANS sees is less a headcount gap than a skills gap. There are a lot of people already employed in cybersecurity, but not enough of them have the hands-on skills to fill the protect, detect, defend, respond jobs across the actual technologies that businesses are using today, like mobile apps and the cloud and development pipelines and all the modern software development approaches.
Starting point is 00:15:33 The attackers don't need lots more people with four-year degrees to succeed. The attackers are using hands-on experience with very small numbers of quote-unquote new hires. We need to look at that model for cybersecurity on the defensive side. That's nice, but I was looking for a number is probably what you're thinking. But I honestly think there are way too many wild-ass guesses of the overall totals already out there, and I'm not going to add to it. Here's what I see as a common pattern in well-run security programs. They need to increase security operations staff by about 10 percent while they're sending their existing SecOps staffs to about one security training course per year to get those needed skills, especially hands-on skills.
Starting point is 00:16:12 Reducing turnover is also really critical. I found that security teams that are using open source tools the most have the lowest turnover. It's kind of a myth that security people just keep jumping for jobs to make a little bit more money. If they love their job and they're feeling creative, they stay in place. SOC staff that gets to add value to the tools versus just clicking on SIEM events all day stay longer. The investment in hands-on training also helps reduce the turnover number. Bottom line, a skilled employee who's been with you for five years helps close that employee gap by being ridiculously productive. Let's close the gap through productivity increases versus trying to throw more bodies at cybersecurity problems. After all, that's what the bad guys are doing.
Starting point is 00:16:56 Mr. Security Answer Person. Thanks for listening. Don't forget to submit your questions. See you next month. Mr. Security Answer Person. Mr. Security Answer Person with John Pescatore airs the last Tuesday of each month right here on the CyberWire. Send your questions for Mr. Security Answer Person to questions at thecyberwire.com. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
Starting point is 00:17:56 and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And joining me once again is Joe Kerrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the Hacking Humans podcast. Hello, Joe. Hi, Dave.
Starting point is 00:18:33 Interesting story you and I actually spoke about over on Hacking Humans. Yeah. This is from the Washington Post, story written by Heather Kelly, and it's titled, The Non-Stop Scam Economy is Costing Us More Than Just Money. Relentless waves of sophisticated phone and online scams are affecting people's mental health. Really hitting more on the human side of the equation here, Joe. What caught your eye in this story here?
Starting point is 00:18:58 Well, the story involves the, I don't know, I'm going to say ordeal of a woman named Pamela, who is a cancer patient. In receiving the treatment for her cancer, she must answer her phone for every time someone calls. I don't know if anybody out there has ever had a family member or actually gone through cancer treatment yourself, but it is imperative that you are on time with all these treatments. Right. That's what makes them more effective. So if a doctor is calling you to notify you of something or some care provider or whatever is calling you to tell you about some change, you should probably answer the phone.
Starting point is 00:19:39 Right. Right. Also, you probably don't have everybody's phone number that's going to contact you for treatment in your phone. Yeah. So you're left with the option of just letting the phone calls come through and answering all the phone calls. Yeah. Which then results in you getting exposed to, according to this woman, about 20 scam calls a day, including some of them for funeral insurance.
Starting point is 00:20:03 Which I'd like to know how they're coming through with that, coming up with that information. Is that coincidental or do they know that she's a cancer patient and they're trying to do this to her? Because that's just awful that that's happening. Yeah. I think what caught my eye here is just how relentless these calls are. And, you know, you and I have spoken about how we just don't answer our phones anymore. I think for a lot of folks, that's the way it's gone, where if someone calls you and they're not already in your address book, you're just going to let that go to voicemail. Yeah. I have the Google call screener on my phone that lets me do that if it's a new phone call. I can screen the call. I can also,
Starting point is 00:20:49 you use an app, right? Yeah. There's an app called RoboKiller that I use on my iPhone that I've been quite pleased with. And what it does is it cross-references the incoming call with its own database of known scam call numbers. So if something matches up, my phone doesn't even ring. Yeah. So a couple bucks a month, but for me, it's worth it. Right. So that's a paid service. Yep.
Starting point is 00:21:13 Okay. Yep. Yep. This article points out that the Federal Trade Commission is attempting to do stuff about this. There's the stir-shaken program, which the large carriers agreed to in 2019, and it's supposed to be rolling out to some of the two, I guess, the rest of the
Starting point is 00:21:30 smaller carriers. Yeah, we'll see how that works. The smaller carriers have been the issue because they reach out to companies that need to make dialing events here in the United States because the United States is a big market, right? So there are companies out there that have this business model where they provide voice over IP links to other countries to allow the offshoring of customer service and things of that nature. Right. And what happens with that is it's, of course, like I frequently say, a tool is neither good or evil. It's how you use it. I can use a hammer to build a house for somebody or I can use a hammer to break into someone's house and rob it. Nobody blames the hammer.
Starting point is 00:22:16 We should be focusing on the people. Some people go out and they buy this service from these companies. And then they're allowed to make these large amounts of volumes of calls. And I think that what happens behind the scenes is when these companies realize these guys are scammers, they shut them down, right? But there are other companies out there. They can move from company to company to company, different providers. And then when they have worn out their welcome, they just form a new organization. These are criminal enterprises, right?
Starting point is 00:22:46 They can do this all day long. This is what they do. So it's very difficult to stop this from a regulatory standpoint, I think. And even if we do regulate this, at some point in time, there's going to be, almost immediately, actually, I'll say that, almost immediately after the regulation
Starting point is 00:23:05 is put in place, these guys are going to adapt and change their game to continue to be able to reach out and contact people. Right. One of my biggest concerns with this is that phones, and I said this over on Hacking Humans too, phones and email are very similar in that if somebody has your unique identifier, be it an email address or a phone number, that's all they need to get in touch with you and to put something in front of you, barring any technical prevention on your end. Right? They just have public access to your ear or to your eyes, depending on what device you're using. Yeah. Yeah.
Starting point is 00:23:38 I guess really what sticks out to me here is just the human side of this, that, you know, I think we've all lived through COVID. And so, you know, there's an emotional toll that that has taken on a lot of us. You know, there's a lot of uncertainty in the world for all sorts of different reasons. And so you have this on top of that. Just a good reminder that the victims of this, you know, we should be empathetic to them, do what we can to try to help them and not blame them for falling victim to these sorts of things. Yeah. And in some small way we're all victimized by this. I got a phone call that came right
Starting point is 00:24:14 through the other day. It was someone claiming to be from Amazon. They weren't from Amazon. Right. Telling me that I purchased an iPhone. Right. Right. Yeah. We know that would never happen. Right. Exactly. All right. I don't know. Don't say never, Dave. Yeah, we know that would never happen. Right, exactly. I don't know. Don't say never, Dave. We'll get you.
Starting point is 00:24:29 I'm really not happy with my Google product. All right. All right. Well, Joe Carrigan, thanks for joining us. It's my pleasure. Thank you. where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky,
Starting point is 00:25:21 Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
