CyberWire Daily - Notes on patches. Dark Pink industrial cyberespionage campaign in Asia. Kinsing cryptojacking. Hacktivist DDoS against Iran. Healthcare cyber risk management. Pokémon NFTs.
Episode Date: January 11, 2023
Patch Tuesday. CISA releases two ICS Advisories and makes some additions to its Known Exploited Vulnerabilities Catalog. Dark Pink APT is active against Asian targets. Kinsing cryptojacking targets Kubernetes instances. Ukrainian hacktivists conduct DDoS against Iranian sites. Risk exposure and a hospital's experience with ransomware. The Health3PT initiative seeks to manage 3rd-party risk. Tim Starks from the Washington Post's Cyber 202 on cyber rising to the level of war crime. Our guest is Connie Stack, CEO of Next DLP, on the path to leadership within cyber for women. And phishing with Pokémon NFTs.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/7
Selected reading.
The Daily 202 (Latest Cybersecurity 202)
Microsoft Releases January 2023 Security Updates (CISA)
Adobe Releases Security Updates for Multiple Products (CISA)
Black Box KVM (CISA)
Delta Electronics InfraSuite Device Master (CISA)
Known Exploited Vulnerabilities Catalog (CISA)
Dark Pink (Group-IB)
New Dark Pink APT group targets govt and military with custom malware (BleepingComputer)
Kinsing cryptojacking. (CyberWire)
Ukraine at D+321: "Difficult in places." (CyberWire)
Iranian websites impacted by pro-Ukraine DDoS attacks (SC Media)
Ransomware attack against SickKids said to be unusual. (CyberWire)
Health3PT seeks a uniform approach to healthcare supply chain issues. (CyberWire)
Breaking the glass ceiling: My journey to close the leadership gap. (CyberWire, Creating Connections)
Pokémon NFTs used as malware vectors. (CyberWire)
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout. That's joindeleteme.com/n2k, code N2K.
Patch Tuesday. CISA releases two ICS advisories
and makes some additions to its Known Exploited Vulnerabilities Catalog.
Dark Pink APT is active against Asian targets.
Kinsing cryptojacking targets Kubernetes instances.
Ukrainian hacktivists conduct DDoS against Iranian sites.
Risk exposure and a hospital's experience with ransomware.
The Health3PT initiative seeks to manage third-party risk.
Tim Starks from the Washington Post's Cyber 202
on cyber rising to the level of war crime.
Our guest is Connie Stack, CEO of Next DLP,
on the path to leadership within cyber for women.
And phishing with Pokémon NFTs.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary
for Wednesday, January 11th, 2023.
Happy Wednesday, everyone. Great to have you here with us today. Yesterday, of course, was Patch Tuesday, and it was a fairly heavy one.
Prominent among the updates published were those issued by Microsoft,
a total of 98 patches, with one vulnerability fully disclosed
and a second undergoing active exploitation in the wild,
and by Adobe for Acrobat and Reader, InDesign, InCopy, and Dimension.
Take a look at your systems and update them as appropriate.
A side note: this Patch Tuesday brings the curtain down on Windows 7.
If for some reason you're still using it, good luck to you.
You're on your own.
CISA released two industrial control system advisories yesterday, one for Black Box KVM, the other for Delta Electronics InfraSuite Device Master.
Apart from the ICS advisories, CISA has also made some additions to its Known Exploited Vulnerabilities Catalog. One of them is a Microsoft Exchange Server privilege escalation vulnerability, the other a Microsoft Windows Advanced Local Procedure Call, that is, ALPC, privilege escalation vulnerability.
In both cases, U.S. federal executive civilian agencies have until January 31st to check their systems and apply Microsoft's updates.
Group-IB reported today that it's observing extensive activity by the Dark Pink APT. The researchers have been unable to connect it to any previously observed campaigns,
which leads them to conjecture that Dark Pink represents a new threat group.
The report says the confirmed victims include two military bodies in the Philippines and Malaysia,
government agencies in Cambodia, Indonesia and Bosnia and Herzegovina,
and a religious organization in Vietnam.
Dark Pink seems to be a cyber espionage outfit.
Its mission appears to be collection of industrial intelligence.
Group-IB emphasizes Dark Pink's sophistication throughout their report.
The threat group's tools, for one thing, are custom-built and not commodity stuff from the C2C market.
The researchers have noticed only one commonly available bit of malware, PowerSploit's Get-MicrophoneAudio.
The method of gaining initial access is familiar, spearphishing, but here too Dark Pink shows evidence of a good deal of care and attention to detail. In one of their spearphishing emails, for example, the sender posed as a job seeker and mentioned the job board on which he or she had seen the opportunity listed. This suggests that the operators are doing their homework, scanning for opportunities to render their phish bait all the more plausible.
Microsoft describes the initial access techniques used by the Kinsing cryptojacking malware
to target Kubernetes instances.
Microsoft explains that the two most common tactics used by Kinsing to gain initial access are exploitation of weakly configured PostgreSQL containers and exploitation of vulnerable images.
Kinsing attackers search for applications with container images that are vulnerable to remote code execution.
Applications that were exploited by this method include PHPUnit, Liferay, WebLogic, and WordPress.
Russian hacktivists, with Killnet as a prominent example,
have served as auxiliaries in Russia's hybrid war,
and they've been particularly active against targets in countries friendly to Ukraine.
Russia has far fewer friends and partners internationally, but one of them,
Iran, has now apparently been hit by pro-Ukrainian hacktivists. SC Media reports that DDoS attacks
have affected a number of Iranian websites, including but not limited to sites belonging
to the National Iranian Oil Company and Iran's supreme leader, Ali Khamenei.
The hacktivists who claimed credit, the Record reports, are clear that their operations are a reprisal for Iran's willingness to supply Russia with Shahed drones used in attacks against Ukrainian cities.
The group, which goes by the hacker name Cybersec, and that's sec with a C, said in its Telegram channel: "And just to show off what we can and what we cannot, Ayatollah Khomeini's personal website went down just for one hour. As we advised, it's a warning. If we act, we will act much more rough. No regrets and no sorries there will be. Night timer, no harm, just a demo. Next time we will deface. Iranians, it is not your war. Step down and F off. Because next time there will be oil processing SCADA."
Note the explicit threat to industrial control systems
expressed in that final sentence.
Moody's Investors Service released a comment today on the December attack against the Hospital for Sick Children in Toronto. While the impact of the attack itself was contained, the hospital's exposure to risk, along with an apology and alleged remedy from the threat actors, seems out of the ordinary. The ransomware attack against SickKids took place on December 18th. The hospital did not pay the ransom, and the overall attack has been contained, more or less, with 80% of systems back online, and most systems causing delays back to normal. Despite efforts from the hospital over the last few years to mitigate cyber risk, this attack shows that the hospital was still susceptible to ransomware.
The Health Third Party Trust Initiative and Council was announced today. It brings together leaders in the healthcare industry to approach third-party cyber risk management. Sheni Sheth, Deputy CISO for Centura Health, had this to say about the initiative: "Managing third-party risk in a comprehensive and sustainable way requires collaboration between healthcare organizations and their suppliers to find solutions that are efficient and effective for both sides. That's why the Health3PT is so important to Centura Health and our partnerships. In order for this to work, we need more healthcare organizations to adopt common standardized processes." The group was formed in the wake of a wave of cyber attacks that indicate the attraction the healthcare sector has come to have for cyber criminals. It also recognizes the increased importance supply chain vulnerabilities are assuming here and elsewhere.
Finally, have you been out looking for a Charizard?
Heard that there's a Charmander hanging out at the local gym?
Well, by all means, go catch him.
But if you're still young at heart enough to covet Pokémon,
but feel yourself grown too worldly and sophisticated to play with Ash and the gang,
maybe you're tempted to get yourself a Pokémon NFT.
You've heard about these non-fungible tokens, right?
In this case, however, resist the temptation.
Researchers have uncovered a phishing campaign
utilizing a fake Pokémon NFT game
to distribute the NetSupport remote access tool
onto unsuspecting users' devices.
The AhnLab Security Emergency Response Center reportedly found at least two phishing pages
offering the installer of a fake Pokémon NFT card game
used to distribute the NetSupport RAT onto victim devices, CyberNews reports.
Clicking the Pay on PC button on the phishing page would
download a faux game installer containing, in actuality, the NetSupport RAT, ASEC said.
Neither of the links was reportedly active as of Monday. The NetSupport RAT is a legitimate tool
described in a report by Cybersecurity Connect as designed for use by
administrators, allowing them to remotely access devices and fix issues. It is a powerful tool
that allows for screen recording, remote control, system monitoring, network traffic encryption,
and much more. However, as InfoSecurity Magazine reports, ASEC marked the tool as malware because the program was not distributed in a form used for normal purposes,
but rather in a form designed for the threat actor to control the infected system.
So sure, you gotta catch them all,
but come on, this isn't an opportunity to invest in NFTs.
You want an NFT?
Consider that drawing of the Brooklyn Bridge
Monty Python's John Cleese was hawking a couple of years ago.
Or, better yet, enjoy a nice evening at home
with family or friends or a good book.
That's better than all the Squirtle NFTs in cyberspace.
After the break, Tim Starks from the Washington Post Cybersecurity 202 on cyber rising to the level of war crime. Our guest is Connie Stack from Next DLP on the path to leadership within cyber for women.
Stick around.
Do you know the status of your compliance controls right now? Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
being promoted to the C-suite and to leadership positions in their organizations. Connie Stack is CEO at data loss prevention firm Next DLP. I caught up with her for insights on closing that talent gap.
I very typically was the only woman on the executive teams of companies that I worked
with, whether they were, like I said, straight up tech companies like, you know, WordStream or Optus, you know, throughout
my career into, you know, Veracode and then the early days of Digital Guardian. And so you do see
that. And it is, you learn, I think, pretty quickly that you have to have confidence in yourself,
right? And you have to be able to speak out and make yourself heard. Because often you may
find yourself in a room and I found them in both, you know, executive conference rooms, board rooms,
as well as around the table selling cybersecurity services, right? Because typically they're
male dominated as well. And I think you have to learn to be confident and speak your mind and ensure that your voice is heard over many often louder male voices sometimes at the table.
So I think that's one thing that is really critical.
Another thing that is critical, I find, is technical aptitude, right? You have to know, you have to
go deep on the, if you're on the, you know, the sales side, let's say if you're a vendor selling
into cybersecurity or a technology specialist selling into technology buyers, it's really
important that you know and understand the technology. Cybersecurity buyers in particular
are discerning. They want to know the product is
going to deliver on the value proposition. And you have to be able to go a little deeper. And
it doesn't matter what role you're in, by the way, even as a marketer, right? So I grew up,
obviously, on the marketing side with CMO roles being my most common. And even as a marketer,
I challenged myself to dive into the technology and know it deeper than maybe a typical marketer, you know, might know it.
I thought that was, you know, mission critical because you have to be able to articulate not only what the product does, but a little bit of the within your organization. Because I can tell you, when I went down, you know,
to my engineering group, I say down because they were actually on the first floor compared to the
second for me. But when I talk to engineers, I mean, they so respect it. They don't expect you
to have a discussion about the quality of their code or anything, you know, to that extent. But
the very idea that you're interested in the how, right? How it works, not only what it does
is always well-received.
Both, like I said, internally built my credibility,
I think, tenfold.
And then when I went to,
if I was at the seat in a sales situation
or trying to work with an executive from a company
that had our software,
was using our software, I could always talk to it at a level a little deeper than they expected.
And it was always, you know, well, you know, very, very well received. So don't be afraid of
technology, dive in, learn more. And I think that, that, you know, helped me, you know, a lot along
the way, you know, as well. So confidence, deeper technically, and I think finding, you know,
the last thing that I observed, and I was actually fortunate in this department because
I sought out mentors. I sought out people who would help me, you know, grow, you know, my career.
I'm curious for your insights and advice for women out there who find themselves frustrated. You know, I still hear stories about being asked to take notes or get coffee, or going to trade shows and people assuming that they are not in technical roles, that they're in sales or HR or something like that. Do you have any insights for navigating the degree to which that is still a reality?
Yeah, I think, I mean, it is fair to say,
particularly in the cybersecurity space,
that that is still a reality.
I mean, we've made, you know, vast improvements when I, you know, came into cybersecurity
in like the 2000 and, gosh, 2008 kind of timeline.
I believe the stats literally said 8% women, 92% male. We come up
through marketing, we come up through HR. We, you know, few of us come up from the technical ranks.
Now there are wonderful exceptions. And when Mo Rosen came to Digital Guardian, he brought Deb
Danielson as our CTO. She was an incredibly talented woman, you know, on the technology
side of the house. So it was great to see that. And frankly, I think generally speaking,
most of the men that I've had the fortune of working with
and collaborating with throughout my career in cybersecurity,
some of them, whatever, I was in marketing,
so it wasn't a mistake to put me there.
But actually, we had females in our engineering team as well. We
had females that worked in our managed service who were threat hunters, threat researchers,
and, you know, incident responders and that sort of thing. And they may have made the mistake once,
they didn't make it twice. And it wasn't because, you know, it was just like, oh,
thank you for correcting me, you know, and you move forward and they really didn't make that,
you know, that thing a big deal. I do, you know,
I've heard those stories too, Dave, about horror stories really. And, you know, I'm unfortunate
because I didn't have those myself and I wouldn't want anybody putting them in themselves into a
situation where they, you know, stay in an unhappy work environment, right? They don't. I mean,
if people are generally malicious and not willing to allow you to be confident, not willing to mentor and guide you,
not willing to invite you to the table, then honestly, it might be time to look for a different
opportunity where those, you know, three kind of standards can be met. Because I do know there are
a tremendous amount of companies out there, specifically in cybersecurity, that do invite
and welcome women. And they're long over those old tropes about girls can't code sort of foolishness.
I mean, that's, I think, well behind the most professional security organizations that exist
in the world today. Connie Stack is CEO at data loss prevention firm Next DLP. Be sure to check
out our Creating Connections newsletter
on the CyberWire website,
where Connie Stack has an article,
Breaking the Glass Ceiling,
My Journey to Close the Leadership Gap.
And it is always my pleasure to welcome back to the show Tim Starks.
He is the author of the Cybersecurity 202 over at the Washington Post.
Tim, always great to welcome you back to the show.
Yeah, always great to be back. I missed you over the break.
Happy break to you as well. It is good to be back.
Before we jump into our main topic today, just real quick, as you and I are recording this, this morning, we had this incident with the FAA basically shutting down airspace in the U.S., speculation as to whether this could be a cyber attack. What are you hearing there at the Washington Post?
All signs point to it not being a cyber attack. That's the word from senior officials, you know, that the president has been briefed on this and has been told that it is not a cyber attack.
One of the things that happens anytime there's a major outage of something somewhere, a lot of people jump to the idea that it's a cyber attack.
In one way, that's encouraging because it's good that people are cognizant of the threat.
In other ways, it's an overreaction that can be a little hysterical and can cause people to start assuming things that they shouldn't.
And then, of course, sometimes they'll think it's not a cyber attack and find out later, yeah, actually it was.
The sector in general is one that the Biden administration has been paying attention to lately vis-a-vis cybersecurity.
Air carriers are on the list of industries that they're regulating or looking to regulate further than they have.
And you can see when something like this happens, why they would be concerned,
even if this wasn't a cyber attack, if you see that a cyber attack could do something like this,
then you can see why it would become a priority.
Right, you're right. It's perhaps a test run of some of the potential effects of a cyber attack, if it were indeed an attack.
Exactly.
Yeah.
Well, let's talk today about your writing over on the Cybersecurity 202, addressing this notion of whether cyber attacks in Ukraine could possibly be considered war crimes.
What can you share with us here?
Yes. So over the last few months, Ukraine's leadership has been gathering data
and sending data to the International Criminal Court,
asking them to investigate these incidents as war crimes.
The incidents in particular they talk about are attacks on critical infrastructure
that are joint attacks in some cases with attacks, on things like the power grid.
Obviously, Ukraine has been a victim of one of the biggest cyber incidents ever,
if you go back to 2014, 2015, 2016.
I think it's 2015 and 2016 to be specific,
where the power grid was taken out by Russians.
Their argument is, and it's an argument that's shared by some other legal scholars
who have also asked the International Criminal Court to take this up, is that this is affecting civilians.
And the sort of best case argument that anybody made to me for the story was, if you were to knock out the power in Ukraine in the winter, how could you describe that as anything other than inhumane?
You can try to make the argument, you're Russia that this was targeting a legitimate
military target, not going after civilians. The way war crimes work and how the court evaluates
them is that they have to be proportionate. You have to be really showing that you're targeting
a military asset where there is some harm done to civilians. And in this case, it doesn't look
like that. On the other hand, there are concerns about whether this is something that would be a priority for the ICC. I have not heard back from them on whether they're
taking this up. The group of legal scholars that approached them and said, hey, you know, we would
like you to take a look at this, have said that the ICC told them privately, we are going to take
this under consideration. You know, some of the people I talked to were also confident that they were looking at it. Others, you know, the concern of course, is that with a lot of very
vile things happening on the ground in Ukraine that are much more evidently cyber, you know,
there's not much, there's not much of a standard to prove it. Did it happen or did it not? And if
it happened, it's clearly a war crime, things like torturing children. I mean, you can't,
if that happened, then that's... Maybe, some people wonder, they would focus on those kinds of things over a cyber
attack, where it would be a little more difficult potentially to argue that it was a war crime, or
perhaps there will be difficulties in the expertise at ICC. I mean, a lot of people aren't sure what
kind of expertise they have on that subject right now, although they could potentially,
some tell me, contract it out.
I'm curious on your take on this, because it's been my observation, my understanding that there's been kind of a reticence, a hesitance for organizations to draw clear lines in the sand when it comes to some of these diplomatic issues in the cyber realm in particular. Like they almost want to keep some of these lines fuzzy at this stage of the game. Is this an area where that kind of thing applies in your view?
It's potentially. I think the difference between this and what I think you're mostly talking about right now, which is NATO. NATO has explicitly said they want the line to be vague
on when Article 5 might be invoked.
Article 5 being the rule that says an attack against a NATO nation
is an attack against all the NATO nations,
and they can all take collective self-defense.
And so far as I know, I think that's only been invoked even once successfully.
So I think that they've been very explicit on the NATO side of things.
I think there's a chance that that might be the thinking of the ICC.
That's a little speculative on my part.
There's a pretty broad consensus that these rules do apply to cyber attacks.
You know, if you go back to when some of these international agreements and treaties were being written and debated, there would be an enumeration of specific kinds of attacks.
But they were always more focused on the consequences of what the weapons would do. And so in this case, you know, the legal scholarship
on this is that various laws of war, not just war crimes, but other sort of international
humanitarian laws, that a cyber attack could definitely qualify as one of these kinds of
crimes. I think at least for the ICC, it looks like it's more a question of, is this the time we decide to do it? And, you know, if you look at the world conflicts
we've had where there was even a possibility that there could be cyber involved, you know, one of
my colleagues wrote a book that I really love. We weren't colleagues at the time, but Shane Harris
wrote a book called @War, where he talked about the first cyber war, which was, you
know, the U.S. using tools to degrade communications in Iraq.
That wasn't like this so much.
It wasn't the kind of cyber attacks that have become a regular integrated part of the
warfare that we've seen in Ukraine, where civilians have definitely been affected.
So I think that's more the debate, but it's entirely possible that they would prefer to
keep this vague, like you said.
I think it's a really interesting point you bring up, though, that it's possible that given the broad spectrum of potential war crimes here, that maybe the cyber ones wouldn't move to the head of the line.
There are other much more horrible things that would require their attention.
Yeah, I think maybe the case would be different if you could show the demonstrable harm.
For instance, the company that said it was attacked by Russians,
the big Ukrainian energy conglomerate, DTEK,
has not said that they were successfully hacked, that I know of.
They said they were targeted in an attack.
I think if they were able to demonstrate that this harmed civilians,
not just that it had the potential to harm civilians, maybe things would be different.
The law is the law on this.
You can get in trouble for attempting murder the same way you can get in trouble for murder.
But I think when you're looking at clear evidence of war crimes, I think it is probably easier to demonstrate it when it has actually happened as opposed to the potential for it to have happened.
Tim Starks is the author of the Cybersecurity 202 over at the Washington Post.
Tim Starks, thanks for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
This episode was produced by Liz Ervin and senior producer Jennifer Ivan. Our mixer is Trey Hester
with original music by Elliot Peltzman. The show was written by John Petrick. Our executive editor
is Peter Kilby, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights,
receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo
is easy. Learn more at ai.domo.com