CyberWire Daily - Mirai hits the honeypots. Medical device telemetry attacked. More on infostealers in the C2C market. Third-party risk management practices. Cyber skills gaps in the UK. SiegedSec hits NATO sites
Episode Date: July 27, 2023
The Mirai botnet afflicts Tomcat. CardioComm services are downed by cyberattack. Uptycs calls infostealers "organization killers" as related security incidents double in a year. Legacy third-party risk management practices meet with dissatisfaction. Cyber skill gaps reported in the UK's workforce. Our guest is George Prichici of OPSWAT with a look at a Microsoft Teams vulnerability. Our new Threat Vector segment features a conversation with David Moulton and Michael Sikorski on the potential threats from LLMs and AI. And SiegedSec hits NATO sites. On this first segment of Threat Vector, Michael "Siko" Sikorski, CTO & VP of Engineering for Unit 42, joins host David Moulton to discuss LLMs & AI and the impacts to expect on social engineering, phishing, and more. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/142
Threat Vector links: Palo Alto Networks Unit 42
Selected reading: Tomcat Under Attack: Exploring Mirai Malware and Beyond (Aquasec); CardioComm, a provider of ECG monitoring devices, confirms cyberattack downed its services (TechCrunch); Detecting the Silent Threat: 'Stealers are Organization Killers' (Uptycs); Cyber security skills in the UK labour market 2023 (DSIT); NATO investigates alleged data theft by SiegedSec hackers (BleepingComputer); NATO investigating apparent breach of unclassified information sharing platform (CyberScoop); SiegedSec Compromise NATO (Cyberint)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The Mirai botnet afflicts Tomcat.
CardioComm services are downed by cyber attack.
Uptycs calls infostealers organization killers.
Legacy third-party risk management practices meet with dissatisfaction.
Cyber skills gaps are reported in the UK's workforce.
Our guest is George Prichici of OPSWAT with a look at Microsoft Teams vulnerabilities.
Our new Threat Vector segment features a conversation with David Moulton and Michael
Sikorski on the potential threats from LLMs and AI. And SiegedSec hits NATO sites.
I'm Dave Bittner with your CyberWire Intel briefing for Thursday, July 27th, 2023. What's turning up in the honeypots nowadays?
Well, Mirai, among other things.
Aqua has published an analysis of Mirai malware attacks observed in its Apache Tomcat honeypots.
The researchers found that threat actors are actively seeking misconfigurations
on Tomcat servers, specifically misconfigurations in the Tomcat web application manager.
The researchers say, in our case, the host was infected with Mirai, and based on our analysis
of previous attacks and research, it appears that the threat actor intends to use this malware
as a base for further attacks.
These attacks could range from relatively low-impact campaigns
like crypto mining to more severe DDoS attacks.
It is important to note that this campaign is still ongoing
and the attacks are continuously evolving and changing
to avoid detection.
Heart monitoring technology and medical electrocardiogram provider CardioComm Solutions
experienced a cyber attack that resulted in the disruption of its business systems,
TechCrunch reports.
The company has disclosed that the impact on its business operations
may extend for several days or even longer,
contingent upon the promptness of data restoration
and reestablishment of production server environments.
According to CardioComm, there is currently no indication
that the security breach led to the compromise of customers' health information,
given that their software is designed to operate
within each client's distinct server environment.
The company affirms that it does not gather any patient health information from its clients.
In response to the incident, CardioComm has taken precautionary measures against identity theft, aiming to mitigate potential repercussions on its personnel.
A new report delves into the world of infostealers and their prominent role in the C2C market.
According to Uptycs, these malicious entities are deemed organization killers due to their ability to provide threat actors with
unauthorized entry into a company's confidential networks through the compromise of employee
credentials. Uptycs defines an infostealer as a specific type of malware that is intricately
programmed to infiltrate computer systems
and surreptitiously exfiltrate sensitive information.
The stolen data is then transmitted back to the threat actor's command and control center,
affording them the means to exploit the acquired information for nefarious purposes
or peddle it on the dark web.
Uptycs says in the first quarter of 2023, incidents involving infostealers have
more than doubled compared to the same period in the previous year. Health3PT has released a survey
whose results are intended to shine light on the challenges organizations associate
with third-party risk management and how those challenges affect the healthcare sector in particular. The survey found that most companies consider the legacy methods of TPRM ineffective,
with 50% of the covered entities claiming that TPRM is not keeping pace with the volume of
security assessments they receive. They also complain of excessive turnaround times for
fixing issues discovered in the audit process. Business associates, on the other hand, find that customers are
unwilling to accept third-party validated assessments and certifications
in place of proprietary control questionnaires. The business associates
also assess that companies need help in handling the variety of questionnaires
and audits and the resources and time required to meet compliance.
A study conducted by researchers on behalf of the UK Department for Science, Innovation and Technology, DSIT, finds that businesses constituting 50% of the total
exhibit basic skills gaps in their cybersecurity personnel.
These gaps manifest in the lack of confidence and competence in performing fundamental tasks
outlined in the government-endorsed Cyber Essentials Scheme,
while also lacking support from external cybersecurity providers.
The tasks with the most common skills gaps include configuring firewalls, securely storing
or transferring personal data, and detecting and removing malware.
Moreover, the study finds that 33% of businesses experience more advanced skill gaps in areas
such as forensic analysis, security architecture, and interpreting malicious code.
Interestingly, although the percentages for basic and advanced skill gaps have remained stable,
there's been a steady increase in the proportion of businesses expressing doubt
in their ability to carry out cybersecurity tasks since 2020.
The report highlights additional challenges faced by
businesses in this domain. Specifically, 22 percent of businesses report encountering
applicants who lack the requisite skills for cybersecurity roles, while 49 percent indicate
that their current staff or job applicants fall short of meeting the necessary qualifications.
The study also delves into the preferences of cybersecurity workers,
with 61% expressing an inclination towards being a cyber-generalist.
This career path involves diversifying their work
across multiple specialties within the cybersecurity domain.
In terms of job opportunities,
the report points out a notable increase in cybersecurity role listings with a rate of 5,900 jobs per month in 2022, totaling just over 71,000 job postings for the entire year.
This marks a 33% rise in core cyber job postings compared to the levels observed in 2021. Additionally, demand for all cyber roles has grown by 30 percent during the same time frame, as noted by the researchers. And finally, a note on the
cyber phase of Russia's hybrid war. Bleeping Computer reports that NATO has confirmed it's
investigating claims that the alliance's Communities of Interest Cooperation Portal
has been compromised by the Russian hacktivist auxiliary SiegedSec.
COI is a collaboration portal used for exchange of unclassified information.
SiegedSec posted some 845 megabytes of allegedly stolen files to a dump site.
The group said in its Telegram channel,
Do you like leaks? Us too. Do you like NATO? We don't. And so we present a leak of hundreds of
documents retrieved from NATO's COI portal intended only for NATO countries and partners.
Security firm CloudSec has published the results of its own investigation,
and they believe the compromise to have been accomplished with stolen credentials, stating,
With low confidence and no direct proof, we assess that the credentials for the compromised
user account may have likely been sourced from stealer logs.
SiegedSec has been active since April of 2022. The group said on Telegram,
This is a retaliation against countries of NATO for their
attacks on human rights. We hope this attack will get the message across to each country within NATO.
SiegedSec is not known to have engaged in financially motivated cybercrime such as ransomware,
and it says it's not involved in supporting Russia's war.
The timing of the group's appearance and its target set
render that claim implausible.
Coming up after the break, George Prichici from OPSWAT with a look at Microsoft Teams vulnerabilities.
Our new Threat Vector segment features a conversation with David Moulton and Michael Sikorski
on the potential threats from LLMs and AI.
Stay with us.
It is my pleasure to introduce our newest recurring segment on the Cyber Wire.
It's called Threat Vector, and it's brought to you by Palo Alto Networks Unit 42
and hosted by David Moulton.
Yeah, I think the biggest concern
when it comes to ChatGPT, the LLM,
everybody having access to this technology
almost suddenly,
is where is it going to impact and benefit the attacker the most?
Welcome to Threat Vector, a segment where Unit 42 shares unique threat intelligence insights,
new threat actor TTPs, and real-world case studies. Unit 42 is a global team of threat intelligence experts, incident responders,
and proactive security consultants dedicated to safeguarding our digital world.
In today's episode, I'm going to talk with Mike "Siko" Sikorski.
Siko is a best-selling author and expert in reverse engineering
and the CTO and Vice President of Engineering and Threat Intelligence for Unit 42.
Siko, you got that name in college when there were, what, nearly a dozen Mikes on your track team?
Yeah, that's right. There were a lot of us and we needed ways to differentiate. Luckily,
I had a pretty cool name because my last name is Sikorski and Siko is kind of natural.
And then I kind of just ran with it into the, I guess that's a little bit of a pun,
ran with it into the hacking culture, right? And having a nickname like Siko is definitely a good
one to build your street cred. Well, it definitely works and it caught my attention when we first met.
Before the show, I asked you what was top of mind or what should be top of mind for
our audience right now, and you immediately jumped right to AI.
And there are stories about AI everywhere right now, no matter where I look.
What should our audience think and care about right now when it comes to AI?
Yeah, I think the biggest concern when it comes to ChatGPT, the LLM, everybody having access to this technology almost suddenly is where is it going to impact and benefit the attacker the most?
And that's with social engineering. We've all seen this technology used for, hey, write a song in the style of this artist.
And, you know, with the lyrics to my friend or family member, and it comes out perfectly sounding like them.
You can imagine now the attacker has the ability to do that same thing, but say, hey, write an email and sound like this person.
And if you think about it, we respond to upwards of 1,000 incident response engagements a year in Unit 42.
And the number one way that the attacker gets in is still through phishing.
And now we've just lowered the bar for them to be able to craft better phishing attacks.
So the days of them being caught due to broken English
or unable to communicate
properly to someone is gone. So they won't be getting caught as much, which means phishing
attacks are probably going to go up. So Mike, you talked about lowering the bar for social
engineering. Let's flip it around. A lot of people are using ChatGPT or different AI tools.
And I'm wondering, does that create a security vulnerability for
enterprises today? Yeah, I think companies need to be hyper aware of how their users and employees
are using this technology. Do they understand that whatever they type in that product, it's not a
private conversation and there's a huge risk to data leakage, right? If you're having it rewrite
sensitive emails for you so you sound
more clearly, yes, the LLM is going to do a great job of rephrasing. But if you have information in
there, it can create huge risk to an entity. And so corporations need to quickly roll out
policies surrounding this technology. So in about a month, Black Hat's going to happen.
And I'm wondering, what would you tell our listeners to look for when they're at Black Hat?
I think it's one of those things where I think pretty much every vendor is probably going to say the term AI when you're out there.
So you're going to be getting a hit with a lot of that, a lot of talk of that.
I think it's about realizing what are science projects that some of these businesses have rolled out, technologies being rolled out, that don't really provide a ton of benefit.
Instead, I would look to say, who's been on the AI journey for a long time and actually have other things outside of the LLM more recent wave to show for, right?
For example, here at Palo Alto, we've been on a journey of AI for a really long time. Early days of malware detection, malware family identification using AI, and then more
recently is how do you automate the SOC, right? You're getting flooded with tremendous amounts of
alerts, and we've been investing for a long period of time of how to use AI to go from a whole pile of alerts just to a set
of incidents that you could actually make it through. So I think it's about trying to maybe
peel things back a little bit and figure out, you know, which technologies are maybe implemented
and, you know, just using an LLM really quickly and to get something out for Black Hat versus,
you know, which ones have actually, you know, are going to have an impact in your life in a larger scale.
So, Mike, thanks for joining me today on Threat Vector and sharing your insights about how AI is changing cybersecurity.
We will be back in two weeks with a look at the top threats and trends seen by the Unit 42 Threat Intelligence team.
In the meantime, stay secure, stay vigilant, and goodbye for now.
That's Threat Vector, hosted by David Moulton and brought to you by Palo Alto Networks Unit 42.
Recently, a member of the U.S. Navy's Red Team released a tool called TeamsPhisher, which exploits an unresolved security problem
in Microsoft Teams. It's a known vulnerability, enabling hackers to send harmful files or
programs to unsuspecting users. George Prichici is vice president of products for application
security at OPSWAT, and he joins us with insights on the issue.
Definitely there was a vulnerability that was identified by JUMPSEC last month.
The entire idea there is that the vulnerability was based on an insecure direct object reference.
The logic is pretty
simple. I'm able to go
and more or less, if you want, almost
impersonate or get access
to someone's organization, upload the file.
And that can be a malicious file in an org
that I don't have permission to do that.
So that is definitely a huge security risk from my perspective.
Now, I know that Microsoft pushed back.
There needs to be a social engineering involved
to actually be able to exploit that one.
But still, the fact that they're able to bypass,
which was unfortunately just a client-side verification, it's still a huge problem.
Yeah, can we talk about that sort of blend there between the social engineering and the
technical vulnerability? I mean, it strikes me that that's not that unusual. Lots of vulnerabilities
have a social engineering component.
I think it's a bit naive to say that,
hey, this is not a high risk because there needs to be additional social engineering components, right?
At the end of the day, there's a new malicious file that's bypassing
all your security measures that you're trying to put in place
to avoid those files reaching your SharePoint organization, let's say,
and you're ending up with a malicious file in your SharePoint organization,
whether the end user is going to go and access that file or not.
You're kind of like late already.
Now, I know you're training your employees not to click on links,
not to open documents and so on,
but definitely there's a level of trust from end users in these collaboration tools, right?
The fact that someone is already messaging you inside your organization,
the fact that file is already accepted on your SharePoint and so on,
that will potentially increase the confidence level, let's say,
and diminish the risk level from any end user when they're trying
to access that one.
I'm not saying they shouldn't verify that one, but I'm pretty sure that a lot of people
are going to actually ignore the
external message warning and so on.
They're going to still open that file.
So just by
accepting a foreign period,
again, the entire idea is not to do
just client-side verifications when you're
checking if someone has a permission
to upload files, and the
Microsoft is allowing that. I think
that's a pretty big mistake from their end. And what do we know about the technical
vulnerability itself, the issue within Microsoft Teams? Well, in a nutshell, it's pretty much
allowing you to say, hey, I want to upload a file to this particular organization, right? Now,
there needs to be a few configurations there to allow content from external sources
to be sent to the organization.
But interesting enough,
that's the default configuration for Microsoft Teams, right?
And again, there are organizations out there
that are a lot more strict
on how they set up their Microsoft Teams account
and all the security configurations on Microsoft Teams.
But I'd like to believe that, or like, unfortunately, I don't think everyone is going through all
the extra efforts.
And Microsoft Teams is a heavily used tool worldwide.
It's not just a matter of like some very, like, let's say, organizations with very large
security teams.
So I'm pretty sure a lot of people are still using it in default mode.
And that means that someone can actually go upload malicious files directly in Microsoft Teams because they can actually easily bypass
a couple of things there.
And it's not just verification of if you're allowed to upload files
in that organization.
It's also to remove some additional banners or messages
that these files are coming from an external, untrusted source.
So the fact that you have all those easily, let's say,
bypassable mechanisms already in place,
that they're just enforcing it from the client, that's very risky.
So what are your recommendations here for folks to best protect themselves?
What are your words of wisdom?
Well, definitely for this particular example,
there are some workarounds in the team.
I think the JUMPSEC team did a great job explaining how you can actually make sure you're not exposed
and someone cannot actually do that in your organization.
But at the end of the day, again, we're going back to the zero trust, right?
And I think zero trust is a methodology that we should take to heart,
and not just by training our employees and our customers not to click open documents they don't know and so on,
but I think it's also how we can enforce this better, right?
And again, there are things in Microsoft Teams
that the JUMPSEC team explained on how they can actually prevent
and not allow files from external sources and so on.
If that's not fully available,
then maybe you can create that allow list
and which are the external sources,
your, let's say, partners, your collaborators are allowed to send you those files and so on.
But I think there's a step that we need to take forward, right?
And I think this is, again, back to that zero-trust mentality.
It's also the meaning of,
can we actually trust that these collaboration tools
are covering our security end-to-end, right?
Because usually, and you're looking, let's say,
SharePoint being one of the examples, right, with this vulnerability.
SharePoint is actually just storing the file for Teams.
But at the end of the day, it's not doing any model validation.
Like, is this a file malicious or not?
Is it doing any prevention and so on?
It's just storing the file.
And there are so many tools out there. Microsoft Teams is doing the same. Is this link malicious? Is this file malicious and
so on, right? And there needs to be a lot more involvement from security teams to be able to
prevent this ahead of time, because our day-to-day activities are digital these days, right? COVID
accelerated a lot. Everyone is sharing files across
a huge amount of collaboration tools.
So they need to go and scan those files, sanitize them,
understand what kind of files they're accepting.
That mentality that we need to make sure we're validating,
we're filtering all the traffic that's coming in,
should be applied to also these collaboration tools,
not just on, let's say,
on email and the file output functionality in a portal, right?
And again, this can be from applying file scanning
with, let's say, multi-scanner to have a better detection ratio.
Same goes for content disarm and reconstruction.
Checking for a lot more advanced features,
like there are hyperlinks to those documents.
What are those hyperlinks? Are they malicious or not?
Check them against your reputation source
or actually just detonate them and figure out what's going on there, so on and so forth. So there's a lot more that
needs to be done to prevent these ones up front, not just to rely on end users that they're going to
be able to resist a socially driven attack. Regardless of how much you're going to train them,
it's one person to do that and it's almost game over. That's George Prichici from OPSWAT.
We note in full disclosure that Microsoft is a CyberWire partner.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights
that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like The Cyber Wire
are part of the daily intelligence routine of many of the most influential leaders
and operators in the public and private sector,
as well as the critical security teams supporting the Fortune 500
and many of the world's preeminent intelligence and law enforcement agencies.
Our mixer is Trey Hester, with original music by Elliot Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilby, and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.