CyberWire Daily - Microsoft releases results of investigation into cloud email compromise. A buggy booking service. Adversary emulation for OT networks. Identity protection trends. Notes from the hybrid war.
Episode Date: September 7, 2023
Microsoft releases results of their investigation into cloud email compromise. A vulnerability affects a resort booking service. Adversary emulation for OT networks. Identity protection and identity attack surfaces. Sanctioning privateers (with a bonus on vacation ideas). Rob Boyce from Accenture Security tracks new trends in ransomware. Our Threat Vector segment features Mastering IR Sniping: A Deliberate Approach to Cybersecurity Investigations with Chris Brewer. And Estonia warns of ongoing cyber threats.
On this segment of Threat Vector, Chris Brewer, a Director at Unit 42 and expert in digital forensics and incident response, joins host David Moulton discussing Mastering IR Sniping: A Deliberate Approach to Cybersecurity Investigations.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/171
Threat Vector links.
Sniper Incident Response from Cactus Con on GitHub
Sniper Incident Response presentation by Chris Brewer on YouTube
Selected reading.
Results of Major Technical Investigations for Storm-0558 Key Acquisition (Microsoft Security Response Center)
Check-Out With Extra Charges - Vulnerabilities in Hotel Booking Engine Explained (Bitdefender)
Deep Dive into Supply Chain Compromise: Hospitality's Hidden Risks (Bitdefender)
MITRE and CISA release Caldera for OT attack emulation (Security Affairs)
MITRE Caldera for OT now available as extension to open-source platform (Help Net Security)
Silverfort and Osterman Research Report Exposes Critical Gaps in Identity Threat Protection (Silverfort)
United States and United Kingdom Sanction Additional Members of the Russia-Based Trickbot Cybercrime Gang (US Department of the Treasury)
Estonian PM: cyberspace is Ukraine war frontline (Euromaidan Press)
Cyberwar and Conventional Warfare in Ukraine (19FortyFive)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Microsoft releases results of their investigation into cloud email compromise.
A vulnerability affects a resort booking service.
Adversary emulation for OT networks.
Identity protection and identity attack surfaces.
Sanctioning privateers.
Rob Boyce from Accenture Security tracks new trends in ransomware.
Our Threat Vector segment features mastering IR sniping.
A deliberate approach to
cybersecurity investigations with Chris Brewer, and Estonia warns of ongoing cyber threats.
I'm Dave Bittner with your CyberWire Intel briefing for Thursday, September 7th, 2023.
Microsoft has published the results of its investigation into how a Chinese threat actor
was able to obtain a Microsoft account consumer key, which it used to forge tokens to access
OWA and Outlook.com. Redmond's investigators found that the threat actor, tracked as Storm-0558, compromised a Microsoft engineer's corporate account, which had access to the crash dump containing the key. The company said,
Due to log retention policies, we don't have logs with specific evidence of this exfiltration by
this actor, but this was the most probable mechanism by which the actor acquired the key.
The report outlines how the incident apparently unfolded.
Microsoft states,
Our investigation found that a consumer signing system crash in April of 2021 resulted in a snapshot of the crashed process.
The crash dumps, which redact sensitive information, should not include the signing key.
In this case, a race condition allowed the key to be present in the crash dump.
This issue has been corrected.
The key material's presence in the crash dump was not detected by our systems.
This issue has been corrected.
We found that this crash dump, believed at the time not to contain key material, was subsequently moved from the isolated production network into our debugging environment on the Internet-connected corporate network.
This is consistent with our standard debugging processes.
Our credential scanning methods did not detect its presence.
This issue has been corrected.
Storm-0558 is a Chinese cyber espionage actor.
The crash dump incident saw it compromise cloud-based Outlook email systems used by at least 25 organizations,
including several U.S. government agencies, the State Department among them.
In full disclosure, we note that Microsoft is a CyberWire partner.
Researchers at Bitdefender have discovered a series of vulnerabilities affecting the IRM Next Generation Online Booking Engine built by Resort Data Processing, Inc.
The researchers say that their investigation began in November of last year when they began looking into indicators of suspicious activity on a server owned by a U.S. resort. Files from Resort Data Processing's booking engine were apparently improperly accessed by an unauthorized third party.
They found web shell components, a micro backdoor variant, and what they characterize as a malicious IIS native module with backdoor functionalities called XModule, which was specifically designed for e-skimming, that's theft of credit card information and passwords, by injecting malicious code in a JavaScript file used by Resort Data Processing's IRM NG booking engine.
The researchers identified five vulnerabilities affecting the engine.
Three involved the use of hard-coded credentials,
and two were related to the improper neutralization of special elements.
Bitdefender says it attempted to notify the vendor multiple times,
but without receiving a response, which is why they've now published their findings.
They caution that as far as they can determine,
the booking engine remains vulnerable. In a development of interest to the industrial
security space especially, the U.S. Cybersecurity and Infrastructure Security Agency and the MITRE
Corporation have released an OT extension for MITRE's open-source adversary emulation platform Caldera. The MITRE Caldera
team stated, Caldera for OT introduces 29 distinct OT abilities to the hundreds of existing
enterprise-focused abilities already included with Caldera. Nick Sammis, chief engineer at
MITRE Cybersecurity, told the Record, one of the key challenges we're focused on is getting easy-to-use and extensible capabilities
in the hands of those tasked with defending critical infrastructure.
With Caldera for OT, we seek to empower operational stakeholders
to effectively develop and share knowledge, experience, and lessons learned
with the larger OT cybersecurity community.
Silverfort has published a study conducted by Osterman Research
looking at the state of identity security.
The survey found that 83% of respondents have experienced a breach
involving compromised credentials,
half of which occurred within the past 12 months.
The researchers also found that 65% of organizations
haven't thoroughly implemented multi-factor authentication.
They write,
When MFA does not protect the full scope of resources
and access methods under attack,
the elevated security promised by MFA is diminished,
as adversaries can still access resources without the MFA barrier.
Moreover, when a resource has MFA applied to one access method
but lacks MFA in another,
the MFA protection is void
since an adversary will simply use the unprotected method
to access the resource.
Estonian Prime Minister Kaja Kallas warned
that cyber conflict remained a high risk
and that Russia's war against Ukraine remains a contest of influence.
She called cyberspace a front line in the war.
It's not an isolated front, however, but part of a more general threat to democracies, which should counter that threat in ways that use their inherent advantage,
which she characterized as openness aided by technology, to preserve their position in cyberspace.
The website 19FortyFive describes ways in which cyber operations become increasingly effective when they're collaborative.
While there's been some convergence with traditional modes of warfare, especially electronic warfare, cyber operations continue to be conducted largely within their own domain.
And again, these operations seem best handled when friendly states and the private sector cooperate.
This seems so far to be the single most important lesson to emerge from the sad story of Russia's war of aggression.
In February, the U.S. and U.K. jointly imposed sanctions on members of Russia's privateering TrickBot gang. We characterize them as privateers because, while they pursue profit,
they do so at the sufferance of the Russian government, and with that government's protection
and encouragement. Their targets are
ones the Kremlin is happy to see disturbed, Western companies for the most part. As the U.S.
Treasury Department put it at the time, the TrickBot Group's preparations in 2020 aligned
them to Russian state objectives and targeting previously conducted by Russian intelligence
services. This included targeting the U.S. government and U.S. companies.
Seven individuals were named in that round of sanctions.
This morning, the two governments added 11 more members of the gang to the list of sanctioned individuals.
They're described as administrators, managers, developers, and coders
who have materially assisted the TrickBot group in
its operations. The sanctions require, as a minimum, that all property and interests in
property of the individuals that are in the United States or in the possession or control of U.S.
persons must be blocked and reported to OFAC, the Treasury Department's Office of Foreign Assets
Control. And the TrickBears will find it more difficult
to do business with foreigners. The Treasury statement explains,
OFAC's regulations generally prohibit all dealings by U.S. persons or within the United States,
including transactions transiting the United States, that involve any property or interests
in property of blocked or designated persons.
So, sad to say, limited access to funds will, among other things,
put a crimp in any plans for the TrickBot gang's holidays abroad.
Coming up after the break, Rob Boyce from Accenture Security tracks new trends in ransomware. Our Threat Vector segment features mastering IR sniping, a deliberate approach to cybersecurity investigations with guest Chris Brewer.
Stay with us. Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to
bypass your company's defenses
is by targeting your executives and their families at home? Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover they've already
been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
It's time for our sponsored Threat Vector segment brought to you by Palo Alto Networks.
This week, Chris Brewer, a director at Unit 42 and expert in digital forensics and incident response,
joins David Moulton to discuss mastering IR sniping.
Here's their conversation.
Every contact by a criminal leaves a trace. So if it's physical evidence or digital evidence, anytime the file is touched or interacted with, there's something that's left behind.
Welcome to Threat Vector, a segment where Unit 42 shares unique threat intelligence insights,
new threat actor TTPs, and real-world case studies. Unit 42 is a global team of threat
intelligence experts, incident responders, and proactive security consultants dedicated to
safeguarding our digital world. I'm your host, David Moulton, Director of Thought Leadership for Unit 42.
In today's episode, I'm going to be talking with Chris Brewer about IR sniping. Chris is a director in Unit 42
and an expert in digital forensics
and incident response with decades of experience.
Chris, give me the TLDR definition of IR sniping.
Yeah, so it's a targeted, deliberate way
of approaching an investigation.
You can't really go and do one host at a time approach.
It doesn't work.
It works for five, 10 boxes, but when you've got 5,000, 20,000, 30,000, you've got to have
that new methodology.
And that's where IR sniping comes in.
The sniper incident response methodology is taking a targeted, deliberate approach to
an investigation.
Chris, before we get much further into this, I want you to talk about the guiding principles for this methodology.
Yeah, there's some foundations there with the guiding principles.
These have been around for a very long time.
I think it's kind of the core piece of any investigation, if it's computer investigation, crime scene, whatever it happens to be.
And one of the big ones is the Locard Exchange Principle.
Basically, the idea behind that, every contact by a criminal leaves a trace.
So if it's physical evidence or digital evidence,
anytime the file is touched or interacted with,
there's something that's left behind.
The other idea for this one is Occam's Razor.
The simplest explanation is often the right one.
It's really easy to get excited.
It's like, oh, it's China or it's Russia or it's an APT.
Usually it's the simplest explanation there.
And the last one is the Alexiou Principle,
which is probably new to a lot of folks.
But basically that one has four big things.
It's what questions are you trying to answer?
What data do you need to answer that question?
How do you analyze that data?
And then finally, what does that data tell you?
What about IR sniping helps you do your job better,
faster, more effectively?
Yeah, so kind of taking that same approach and understanding that and then focusing on the stuff that the lawyers, that counsel, that the client really care about.
And we can kind of summarize that with just basically four big questions.
So what do they take?
That's the data exfiltration question.
The are they still here question.
That's, hey,
is the bad guy still present inside of your environment? Is the command and control,
the IP addresses, domains? And then the third big question is, where did they go?
What's the lateral movement? What are all the systems that were touched? What all is impacted here? Did they spread out to 10 systems? Are they 500 systems? They hit our routers and switches as
well? It's understanding that where do they go?
And the fourth big question, usually when you're running an investigation, it kind of answers itself.
And that's how did they get in?
So finding patient zero, identifying how they got into the environment.
Christopher, would you say that using IR sniping gives you better results faster in an investigation?
Absolutely.
When we're running a case,
we'll assign work stream leads to look at these questions.
And then it doesn't matter if you're getting 10 hosts today
and you've got 500 the next day.
When you're taking this deliberate approach,
the answers come really fast.
So the nice thing about this methodology as well
is you're constantly doing a QC of your own review
of your own data
because you're repeating the questions, you're repeating the steps
and looking at data again as new stuff comes in.
You presented at CactusCon on IR sniping.
What are some of the things you found the audience reacted to the strongest?
So taking this approach,
most incident response investigations can be solved within about 72 hours.
When you're taking this targeted, deliberate approach, focusing on the stuff that matters, getting rid of all the extra noise, and then focusing on those four big questions.
Chris, tell us where we can find out more about this approach.
CactusCon was a recorded presentation that's out there on YouTube.
If you want to Google it, type it in CactusCon 2023.
It's out there.
I've also got the GitHub link out there as well.
Those are great places.
Or if you want to talk with me on LinkedIn,
I'm always on there as well.
Chris, thanks for sharing
where people can learn more about IR sniping.
We'll make sure that those are linked up in our show notes.
I'm so glad you were able to take time away
from the work you're leading at Unit 42 to talk
with me today on Threat Vector. Join us again on the Cyber Wire Daily in two weeks. In the meantime,
stay secure, stay vigilant. Goodbye for now.
That's David Moulton with Chris Brewer from Palo Alto Networks Unit 42.
And I am pleased to welcome back to the show Robert Boyce.
He is Global Lead for Cyber Resilience and Managing Director at Accenture.
Rob, it's always great to welcome you back.
I just want to take a couple minutes and touch base with you on some of the things that you and your colleagues there at Accenture are tracking when it comes to ransomware.
Yeah, thank you, David. It's always fun being here. So I think, as you know,
and we've talked about on the show before, we do a quarterly ransomware trends. And I think we're going to have to now rename ransomware trends, quite honestly, because we're not seeing a big
uptick in ransomware in particular anymore. What we are seeing, of course, is a huge uptick in data
theft and extortion. So that's really the
trend that we're seeing now. And what I think is really interesting here, and I think one of the
most successful groups we've seen, I would say in the last two months, Clop, I'm sure everyone's
heard of them and MOVEit by now. They had a very different approach to this, which I thought was really fascinating.
They seemed to play this as strictly a volume game.
They created either their own exploits or used known exploits that had very recently been discovered
and essentially tried to exploit as many organizations globally as they could,
as quickly as they could to gain
initial foothold. So where we've seen ransomware threat groups in the past try and really use more
slower techniques around phishing and other things, these guys were 100% vulnerability-driven
to be able to just open up access to as many organizations as they could.
Once they did that, of course, then they ran the data exfiltration
and extortion campaign.
We estimate that they have exploited
over 500 victims in a six-week period
and that they have made
between $80 and $100 million estimated in payments
in this short amount of time.
So as you can imagine, when you have 500 victims in such a short amount of time,
it's probably a bit chaotic for them as well
in how they're actually trying to collect.
So there's really no pressure to pay.
I mean, this is strictly a volume game,
getting as many as they can, trying to find maybe,
is there one or two big fish, one or two whales in that pool
that they can capitalize on.
We've seen some big companies mentioned in their leak site.
What is the current best practice if an organization finds themselves victim of something like
Clop?
You fell victim to the MOVEit vulnerability and Clop took advantage of that and now they're
threatening to post your stuff.
Where do we stand now in terms of the best way to approach this?
There's no really one right answer, honestly.
I think organizations are really,
I don't want to say unprepared to make this decision,
but I often do see that,
because I think that a lot of organizations
put so much time into creating
incident response playbooks, meaning very tactically, how do we respond to different
events and not enough time thinking about the business implications of that, meaning,
you know, what decisions do we need to make at an executive level? Should we be the victim of
a ransom demand or an extortion demand? And so I really still find that a lot of organizations
are playing it by ear.
And they're making that decision
based on the sensitivity of the data.
So it's been very interesting to see.
I mean, clearly people are paying
because this is a very viable business
for these organizations.
But I just don't think there's been enough focus
put on executive preparation in these types of scenarios.
An organization like Clop, to what degree do they let the victim know what they have?
And what I'm getting at here is, is the victim able to do a calculation of what is the potential material impact to my business based on what we know
they've taken? You are able to download the victim files so you can take a look at them. Typically,
they get posted a little after the demands have been met or not met, typically not met.
And there is the ability to look at it afterwards. And I think as we've talked about in some of our previous recordings,
that data is now becoming really, really valuable
for other threat actors to make secondary
and tertiary attacks,
just understanding the client environment better.
So there's still value in,
even if you're not going to pay
and your data gets posted,
even if you don't think it's important,
it could still be super important to help enable threat actors to make higher fidelity secondary and tertiary
attacks. So that's something, a trend that we've talked about before on the show, and it's going
to continue, especially now as we're seeing this high volume of victim disclosures. Often though,
threat actors will give you clues on what the data could be.
And so then you can go and do your data is and the value of that
data by system is quite a bit more complex than most people actually understand.
Yeah. All right. Well, Rob Boyce is Global Lead for Cyber Resilience and Managing Director at
Accenture. Rob, thanks so much for joining us. Of course, Dave. My pleasure.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
This episode is brought to you by RBC Student Banking.
Here's an RBC student offer that turns a feel-good moment into a feel-great moment.
Students, get $100 when you open a no-monthly-fee RBC Advantage banking account
and we'll give another $100 to a charity of your choice.
This great perk and more, only at RBC.
Visit rbc.com slash get 100, give 100.
Conditions apply.
Ends January 31st, 2025.
Complete offer eligibility criteria by March 31st, 2025.
Choose one of five eligible charities.
Up to $500,000 in total contributions.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com. Your feedback helps us ensure we're delivering the information and
insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like the Cyber Wire are part of the daily intelligence
routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500
and many of the world's preeminent intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment,
your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com.
This episode was produced by Liz Irvin and senior producer Jennifer Eiben.
Our mixer is Tré Hester with original music by Elliott Peltzman.
The show was written by our editorial staff.
Our executive editor is Peter Kilpe, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.