CyberWire Daily - Microsoft Exchange zero-days exploited. Supply chain attack reported. New Lazarus activity. Mexican government falls victim to hacktivism. Hacking partial mobilization. Former insider threat.

Episode Date: October 3, 2022

Two Microsoft Exchange zero-days exploited in the wild. A supply chain attack, possibly from Chinese intelligence services. There's new Lazarus activity: bring-your-own-vulnerable-driver. The Mexican government falls victim to apparent hacktivism. Flying under partial mobilization's radar. Betsy Carmelite from Booz Allen Hamilton talks about addressing the cyber workforce skills gap. Our guest Rachel Tobac from SocialProof Security brings a musical approach to security awareness training. How's your off-boarding program working out?

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/190

Selected reading.
Microsoft Releases Guidance on Zero-Day Vulnerabilities in Microsoft Exchange Server (CISA)
Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server (Microsoft Security Response Center)
Warning: New attack campaign utilized a new 0-day RCE vulnerability on Microsoft Exchange Server (GTSC)
URGENT! Microsoft Exchange double zero-day – "like ProxyShell, only different" (Naked Security)
Microsoft confirms two Exchange Server zero days are being used in cyberattacks (The Record by Recorded Future)
Microsoft confirms new Exchange zero-days are used in attacks (BleepingComputer)
Two Microsoft Exchange zero-days exploited in the wild. (CyberWire)
CISA Adds Three Known Exploited Vulnerabilities to Catalog (CISA)
Suspected Chinese hackers tampered with widely used customer chat program, researchers say (Reuters)
Report: Commercial chat provider hijacked to spread malware in supply chain attack (The Record by Recorded Future)
CrowdStrike Falcon Platform Identifies Supply Chain Attack via a Trojanized Comm100 Chat Installer (crowdstrike.com)
Amazon-themed campaigns of Lazarus in the Netherlands and Belgium (WeLiveSecurity)
Lazarus & BYOVD: evil to the Windows core (Virus Bulletin)
Lazarus hackers abuse Dell driver bug using new FudModule rootkit (BleepingComputer)
Mexican government suffers major data hack, president's health issues revealed (Reuters)
Mexican president confirms 'Guacamaya' hack targeting regional militaries (The Record by Recorded Future)
Analysis: Mexico data hack exposes government cybersecurity vulnerability (Reuters)
Russians dodging mobilization behind flourishing scam market (BleepingComputer)
Honolulu Man Pleads Guilty to Sabotaging Former Employer's Computer Network (US Department of Justice)

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. Air Transat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Two Microsoft Exchange zero-days are exploited in the wild. A supply chain attack, possibly from Chinese intelligence services. There's new Lazarus activity. The Mexican government falls victim to apparent hacktivism.
Starting point is 00:02:14 Flying under partial mobilization's radar. Betsy Carmelite from Booz Allen Hamilton talks about addressing the cyber workforce skills gap. Our guest Rachel Tobac from SocialProof Security brings a musical approach to security awareness training. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, October 3rd, 2022. Late Friday, Microsoft disclosed that two zero-days afflicted three versions of its widely used Exchange Server. Redmond's initial disclosure said, Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. The first one, identified as CVE-2022-41040, is a server-side request forgery vulnerability, and the second one, identified as CVE-2022-41082, allows remote code execution when PowerShell is accessible to the attacker. Currently, Microsoft is aware of limited targeted attacks using these two vulnerabilities.
Starting point is 00:03:53 In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability. Microsoft says, We are working on an accelerated timeline to release a fix. Until then, we're providing mitigations and the detections guidance to help customers protect themselves from these attacks. Microsoft Security Response Center shared an initial set of mitigations
Starting point is 00:04:31 and tools to evaluate the risk, including indicators of compromise. Late Sunday, the Microsoft Security Response Center added this caution, we strongly recommend Exchange Server customers to disable remote PowerShell access for non-admin users in your organization. The vulnerabilities were discovered by Hanoi-based security firm GTSC in the course of security monitoring and incident response services its SOC team was performing early in August. They shared their discovery with the Zero Day Initiative and Microsoft, which led to the mitigations Redmond released Friday.
Starting point is 00:05:13 Who's responsible for the observed exploitation isn't clear, but GTSC sees strong circumstantial evidence that the threat actor or actors behind it are Chinese. The firm said, we suspect these exploits come from Chinese attack groups based on the web shell code page of 936, a Microsoft character encoding for simplified Chinese. Late Friday, the U.S. Cybersecurity and Infrastructure Security Agency added both of these CVEs to its Known Exploited Vulnerabilities Catalog. In both cases, CISA advises organizations to apply the mitigations Microsoft has provided.
Starting point is 00:05:55 U.S. federal executive civilian agencies have until October 21st to take action. CrowdStrike warns that a suspected Chinese threat actor carried out a supply chain attack by compromising a popular commercial chat product distributed by Vancouver-based customer service firm Comm100. The security firm said, malware is delivered via a signed Comm100 installer that was downloadable from the company's website.
Starting point is 00:06:23 The installer was signed on September 26, 2022, using a valid Comm100 Network Corporation certificate. It's not yet clear how many entities downloaded the malicious installer, but Reuters says a person familiar with the matter cited a dozen known victims, although the actual figure could be much higher. CrowdStrike adds that the Trojanized file was identified at organizations in the industrial, healthcare, technology, manufacturing, insurance, and telecommunications sectors in North America and Europe. The Record notes that Comm100 says it has more than 15,000 customers across 51 countries. Researchers at ESET say that North Korea's Lazarus Group used Amazon-themed spearphishing documents
Starting point is 00:07:16 to target an employee of an aerospace company in the Netherlands and a political journalist in Belgium. The goal of the campaign, which occurred last autumn, was data theft. The researchers noted that the attackers exploited a vulnerability in a Dell dbutil driver, which was patched in May 2021. Bleeping Computer notes that the threat actor utilized a bring-your-own-vulnerable-driver technique, stating, A BYOVD attack is when threat actors load legitimate signed drivers in Windows that also contain known vulnerabilities. As the kernel drivers are signed, Windows will allow the driver to be installed in the operating system.
Starting point is 00:08:00 However, the threat actors can now exploit the driver's vulnerabilities to launch commands with kernel-level privileges. Reuters reports that the Mexican government has fallen victim to a cyber attack. The data compromised belonged to the defense ministry and included information about the president's health condition. Other information contained in the hack included information about criminals, transcripts of communications, and information monitoring the U.S. ambassador to Mexico. It may have been a hacktivist action. The group has been identified as Guacamaya, or Macaw in Spanish.
Starting point is 00:08:42 The Record by Recorded Future reports that Guacamaya is an environmental collective and documents released were stolen from a few different agencies with several other Latin American countries. Guacamaya is reported to have used ProxyShell to gain access to the military systems. The partial mobilization recently announced in Russia continues to be both unpopular and apparently capricious, and these features of the call-up have found expression in cyberspace. There seems to be a thriving online black market in goods and services designed to help Russian men avoid being called to the colors. Bleeping Computer says that the items on offer include fabricated exemptions,
Starting point is 00:09:29 promises to alter official databases to keep the customer's name out of call-up sweeps, and gray SIM cards to help evade government surveillance. Some of the offers are legitimate in the sense that they deliver on their promises to help the customer evade Russian law, but others are, as might have been foreseen, simple scams that leave the buyer as vulnerable to conscription as he was before, only marginally poorer. And finally, the U.S. Attorney's Office for the District of Hawaii announced on September 28th that a Honolulu man pleaded guilty to sabotaging his former employer's computer network.
Starting point is 00:10:12 Casey K. Umetsu Sr. will be sentenced in January. He'd worked on the IT staff of a financial service company for about two years, and after leaving the company, he used credentials he'd retained to access his former employer's systems to redirect its web traffic to other sites, effectively crippling both its websites and its email. His goal was to get himself rehired at a higher salary. U.S. Attorney Claire E. Connors said in the statement, Umetsu criminally abused the special access privileges given to him by his employer to disrupt its network operations for personal gain.
Starting point is 00:10:52 Those who compromise the security of a computer network, whether government, business, or personal, will be investigated and prosecuted, including technology personnel whose access was granted by the victim. So, when thinking about that off-boarding program, HR, and job seekers, a pro tip: stop me before I hack again is not a good entry under professional goals. Coming up after the break, Betsy Carmelite from Booz Allen Hamilton talks about addressing the cyber workforce skills gap. Our guest, Rachel Tobac from SocialProof Security, brings a musical approach to security awareness training. Stay with us.

is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Starting point is 00:12:07 But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's Vanta.com slash cyber for a thousand dollars off. And now a message from Black Cloak. Did you know the easiest way for
Starting point is 00:13:04 cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. Thought it was something from the bottom stairs. What you just heard is the latest in cybersecurity training. Rachel Tobac is CEO of SocialProof Security and a well-known leader in the area of social engineering.
Starting point is 00:14:20 She recently happened upon a bit of a revelation when it came to making security training engaging and memorable. So in 2021, there was a TikTok challenge. I'm not sure if you're on TikTok, Dave, but there was a TikTok challenge. I am not. And everybody on TikTok was making sea shanty videos. And I am a very active, passive user of TikTok, meaning I just lurk and watch everything. I don't really make any of my own content on there. But I was like, hey, maybe I can make a sea shanty for information security topics. How about I go ahead and try that? And as you know, Dave, I asked you if you would be comfortable mixing that and participating and singing on that. And you did such a fantastic job. We were able to put out just the best, awesome product with the community. I mean, we had, I think, 15 different people
Starting point is 00:15:09 who lend their voices, thoughts, ideas, mixing to the project, and it got over 100,000 views immediately. And we had, I think there were like 50 different companies that reached out and they were like, hey, can we use this in our security awareness training? And I was like, sure, why not? It's free. Yeah, just use it with your company and let me know what they think. And a bunch of those companies got back to me and were like, for whatever reason, that worked better than everything else we've tried. So can you make more songs? And I was like, sure. Okay. So that basically birthed the idea of
Starting point is 00:15:42 making the training videos as music videos and spoken content. Well, I mean, it takes more than just having the idea and putting something together on impulse. I mean, these are fully produced, fully realized videos that you're putting out here. To what degree was this endeavor everything you thought it would be? Yeah, well, once I did the sea shanty and I saw that people liked it and it helped actually move the needle for companies, they were saying that it helped them
Starting point is 00:16:12 with people understanding the why behind a lot of the things that they do, like requiring you to use multi-factor authentication or a password manager. I decided, hey, it seems like music's always been helpful for people to understand new topics, you know, from everything from Schoolhouse Rock to this now. I only know what a bill is and how it works because of Schoolhouse Rock. And I remember that from my childhood. I'm with you. So I studied a little, of how music works on the brain because I have a background
Starting point is 00:16:47 in neuroscience. That's what I studied in school. And during my studies, I focused a lot on music, how that works both in the rat lab and with human subjects. And I guess the whole music, neuroscience, behaviorism thing started back then when I was in school, but it's finally been realized now. And it's just wild because I have a background in musical theater from when I was a kid. Improv. I used to perform improv on weekends before I did hacking full time. So a lot of things are coming full circle here that I just didn't think would happen in my life.
Starting point is 00:17:22 Well, can you walk us through an example of one of the videos here, kind of from concept to completion? How did you go through that process? Sure. Let's see. I guess we'll do the phishing song. So the phishing song, I started out by thinking, what genre do I want to talk about the topic of phishing for? Because every song has its own genre. We have a malware ransomware song that we're writing now that's going to be an 80s bop. And I was thinking, okay, well, for the phishing song, I would like to use the pun of phishing, like fishing outdoors in a lake and also phishing online. So I thought it just makes sense to do a stadium country style song. So I reached out to some artists that I know online. I know a lot of
Starting point is 00:18:13 these artists from TikTok because they post their work online. So reaching out to those folks and saying, hey, this is a project I'm doing. Here's how it works. It's going to be a security awareness training, but it's going to be music and spoken. But the part you're working on is music. And gave them all the source material because I don't expect these artists to be an expert in phishing. And then from there, they'll come up with a high-level acoustic riff. They'll send it back to me like, what do you think? Something like this sound? And I'll say, yeah, that sounds great. And then they'll record just like a low fidelity, you know, what is the rhyme scheme? What can it look like within the beat of this song? And then I help them with the technicality of the lyrics because again, they're not an expert in phishing or whatever song I'm
Starting point is 00:18:59 having them write. So once I help them with the phishing lyrics or what have you, then we record in higher and higher level fidelity until we have the final version of the song. And we take the final version and we use our production team and we film in the studio. And we get actors to audition for the part and we come up with all the graphics to explain what phishing is and how to stay safe and come up with the takeaways. And then people buy the product and then we customize the takeaways for their company and so on and so forth. And how has the experience been? I mean, what sort of things have you learned along the way? What I've learned along the way is it takes a while to write songs. You always got to have one ready to go because people want more and more content as you go, of course, and that's what we're doing. But it takes months to write songs. So I have to always be writing a song in addition to
Starting point is 00:19:49 always be filming more content and writing more scripts. So it's kind of like an ongoing process. There's not really breaks. You have to always be working on the next iteration. And these are not just musical. You're releasing spoken word versions of each of the topics as well. That's exactly right. So when we did the research for the project, we found about 80% of people watched the music content and were like, yes, I connect with that.
Starting point is 00:20:16 That helps me remember it better. I love music content. And about 20% of the people were like, I learn a lot better with spoken content. I do not prefer music. So we wanted to make both equally so that no matter what type of person is learning from this, because of course it's mandatory at many companies, we want people to be able to learn in the method that works best for them. So I made all of the spoken content and all of the music-based content equal in my mind. What about for your friendly neighborhood podcast host who also perhaps has a background in musical theater and an interest in music? Might there be a cameo
Starting point is 00:20:53 spot in the future in one of these videos? I'm just thinking hypothetically for someone like that. Can you envision something like that? Hypothetically for somebody named Dave, yeah, I think there could be something that could be arranged. Yeah. But only if your name is Dave. Oh, all right. Sorry for all, what a crazy random happenstance. My name is Dave. But yeah, I've actually had, that's one of the other big pieces of feedback I have is my clients or my friends are like, how do I get to be an extra? Or can I sing? Can I sing in the background of your video? And I've actually, we're working right now with a few different clients. One of my banking clients is like, how do we find a way for our CISO to be in the background of one of these
Starting point is 00:21:35 videos? And we're not going to tell our users, like our employees, until it's just deployed to them. And they're like, wait, what is so-and-so doing in the back of your video? Oh, I love it. Yeah, we have some fun little Easter egg moments that not everybody will get, but it's meaningful to some of the clients who are first movers with us. Yeah, well, I have to say, I am predisposed to love this,
Starting point is 00:21:58 but I like it for a lot of different reasons. I wish you all the success with this and congratulations on the launch. Rachel Tobac, thanks for joining us. Thank you, Dave. And joining me once again is Betsy Carmelite. She's a principal at Booz Allen Hamilton and also their Federal Attack Surface Reduction Lead. Betsy, it's always great to welcome you back to the show.
Starting point is 00:22:35 I want to touch today on this ongoing situation with the skills gap in the cyber workforce and the degree to which that is a real thing, to which it's a perceived thing. I'm curious for your take on it. Yeah, thanks, Dave. I always want to do some stage setting first. Cybersecurity is really about outpacing the adversary, so investigating it, learning from it, and then getting ahead of it. And being very realistic, this is an incredibly complex environment to work in, as well as a fascinating one. This is really a collective problem for the government and the private sector, addressing the skills gap issue. So I think it's definitely beyond perceived and a reality. In today's one battle space environment, groupthink is really not going to solve the
Starting point is 00:23:26 problems we face as a nation and with our economy to tackle this problem. The rapidly increasing shortage of cyber workers poses a true risk for the cybersecurity of the nation. And so where do you suppose we find ourselves? What's the reality that you're seeing on the ground? America's cyber workforce really needs people with extremely varied experiences, perspectives, and approaches to help in this fight against the so-called bad actors. It's not just that cyber threats are growing at an exponential rate and that cyber crime is really extremely lucrative. Really, it's understanding how we can bring different mindsets for different specialized skills into that fight, as well as to advance the workforce. And secondly, no single organization or approach can tackle that problem alone.
Starting point is 00:24:32 We need to be equipped and also equip the workforce with skill sets to match the diversity of that threat. And that's where we hit on the risk of, you know, without specialized cyber talent, organizations and our data are at risk. What are some of the specific recommendations then? I mean, some of the things that can really move the needle here. I think, and the way that we're looking at this within our cyber workforce, we must evolve and managers and leaders need to be really explicit and intentional about asking our colleagues to evolve. It can be such a challenge just to hire the workforce. And once you have the team or skills, you can sit back and think they know what they need to do. But you really need to take on an approach. And this is maybe not unique to this industry alone, but you really need to ask our talent to continuously learn,
Starting point is 00:25:24 dig in, and help them with the how. How do they do that? So we believe that you need to create more entryways into the workforce for new talent. We're exploring university partnerships, feeding the talent pipeline. Military and military veteran partnerships target key populations that have skills-based training, and really you need to identify the potential or aptitude to learn. We also like to recommend fostering a culture of mobility and collaboration that drives perpetual learning. At Booz Allen we really want people to experience different clients and missions, cultivate diverse skill sets. And we can't fill these positions today with skill sets of five years ago. It's a constant
Starting point is 00:26:12 skill building approach. After hiring, we need to work on upskilling, training, facilitating venues where people can bring their ideas and thought leadership. What about diversity itself? I mean, I know that's been a focus for you and your colleagues as well. Yeah, so I think you can approach diversity with diversity of the demographic of the workforce, but also diversity of skills and the functional skills that you need to bring into cybersecurity. So there's a prevailing attitude in cybersecurity that you can't perform a role without prior
Starting point is 00:26:52 experience. But that really creates a catch-22, and particularly for underrepresented groups. So for instance, women reportedly comprise roughly one quarter of the cybersecurity workforce, yet they may not apply for jobs if they don't feel that they already have 100 percent, or they meet 100 percent of the posted requirements, rather than saying, hey, I meet 50 percent of the requirements, I'll go for it. So that's an issue, encouraging and really identifying the potential within a resume. It's important to identify skills in someone that have the potential to transfer to the multitude of other cyber disciplines. And some of the best cyber intel analysts that I've hired have law degrees. The critical thinking that is taught
Starting point is 00:27:46 and that they love lends well to data collection, processing, and analysis. For my own personal experience, I'm also a Russian linguist. I learned to disassemble words, look for patterns, look for structures, and that skill conveys so well to puzzling out an Intel problem, in addition to the obvious need for cyber linguists in the field. And I think we must challenge ourselves to consider candidates who bring that wider range of experiences and to recognize the strengths of other backgrounds to the field. You can be a successful cyber professional and have a background in computer science or data science or engineering, or you can come into the field with a psychology degree, political science, linguistics, law. And in our success, we see at Booz Allen is to bring together those diverse skills
Starting point is 00:28:38 under one team of cyber mission focused analysts. All right. Well, interesting insights as always. Betsy Carmelite, thanks for joining us. Thanks, Dave. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach
Starting point is 00:29:33 can keep your company safe and compliant. to a regular segment called Security, huh? I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot P, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Starting point is 00:30:48 Thanks for listening. We'll see you back here tomorrow.
