CyberWire Daily - Notes on the hybrid war. Criminal gang hits travel and hospitality sectors. Additions to CISA's Known Exploited Vulnerabilities Catalog. CISA issues five ICS security advisories.
Episode Date: August 19, 2022

Killnet claims a DDoS campaign against Estonia. The head of GCHQ calls Russian cyber operations a failure. US Cyber Command concludes its "hunt forward" mission in cooperation with Croatia. A criminal gang targets the travel and hospitality sectors. Thomas Pace of NetRise shares insights on firmware vulnerabilities. Daniel Floyd from BlackCloak on Quantifying the Business Need for Digital Executive Protection. CISA issues five ICS security advisories.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/160

Selected reading.
Estonia says it repelled major cyber attack after removing Soviet monuments (Reuters)
There's a chance regular people didn't even notice: expert on Russian cyber attack (TVP World)
Estonia says it repelled a major cyberattack claimed by Russian hackers. (New York Times)
The head of GCHQ says Vladimir Putin is losing the information war in Ukraine (The Economist)
Cyber Command deployed 'hunt forward' defenders to Croatia to help secure systems (The Record by Recorded Future)
U.S. Cyber Command completes defensive cyber mission in Croatia (CyberScoop)
You Can't Audit Me: APT29 Continues Targeting Microsoft 365 (Mandiant)
Reservations Requested: TA558 Targets Hospitality and Travel (Proofpoint)
Cybercrime Group TA558 Ramps Up Email Attacks Against Hotels (Decipher)
CISA Adds Seven Known Exploited Vulnerabilities to Catalog (CISA)
Siemens Linux-based Products (Update G) (CISA)
Siemens Industrial Products LLDP (Update B) (CISA)
Siemens OpenSSL Affected Industrial Products (CISA)
Mitsubishi Electric MELSEC Q and L Series (CISA)
Mitsubishi Electric GT SoftGOT2000 (CISA)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer. Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. Air Transat. Travel moves us.
Hey, everybody. Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me. Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout. That's joindeleteme.com/n2k, code n2k.
Killnet claims a DDoS campaign against Estonia.
The head of GCHQ calls Russian cyber operations a failure.
U.S. Cyber Command concludes its Hunt Forward mission in cooperation with Croatia.
A criminal gang targets the travel and hospitality sectors.
Thomas Pace of NetRise shares insights on firmware vulnerabilities.
Daniel Floyd from Black Cloak on quantifying the business need for digital executive protection.
And CISA issues five ICS security advisories.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, August 19th, 2022.
In retaliation for Estonia's removal this week of a Soviet-era war memorial, a T-34 tank, from a park in Narva, a large distributed denial-of-service attack was conducted Wednesday by the Russian hacktivist front group Killnet, Reuters reports. The effects were negligible: with some brief and minor exceptions, websites remained fully available throughout the day. The attack has gone largely unnoticed in Estonia, according to reports. The incident is reminiscent of a 2007 cyber riot conducted by Russian operators against Estonia in response to the relocation of another war memorial from a public square in Tallinn to a cemetery. That 2007 incident has come to be regarded as the first clear case of a cyber war waged by one country against another's infrastructure.
An op-ed in The Economist by GCHQ director Sir Jeremy Fleming characterizes Russian offensive cyber operations in the present war as a failure, stating, "We have seen the Russian state try to align and coordinate cyber capabilities alongside more traditional facets of military power. To date, this hybrid intent has not succeeded. The impact has been less than we, and they, expected."

Fleming attributes the lack of Russian success in its cyber campaigns to effective Ukrainian defensive efforts assisted by international allies, stating, "sustained pressure against a very capable adversary, this team of industry, intelligence, security agencies, and in some cases citizens, has worked side by side to warn, respond, and remediate."

And he teases an allusion to extensive British operational support of Ukraine in cyberspace, saying, "An important component of our response to this situation may involve the UK's National Cyber Force, a partnership between GCHQ and the Ministry of Defence. This builds out from our world-class cyber defence and resilience to deliver offensive cyber capabilities. I won't go into detail about NCF activity. Stealth and ambiguity are key attributes of cyber operations. This secret and important work is conducted in accordance with international law and domestic legislation. It is authorized by ministers and scrutinized by judicial commissioners. It is this ethical, proportionate and legal approach that sets us apart from our adversaries and from Russia's use of cyber capabilities in this war."
The U.S. Cyber National Mission Force, an element of Cyber Command, has concluded what it characterizes as a successful hunt-forward mission in conjunction with Croatia, CyberScoop reports. U.S. Cyber Command did not explicitly connect the operation with Russia's war against Ukraine, but as The Record points out, the command has said that it was giving priority in its hunt-forward operations to threats linked to Russia, and other recent deployments to Eastern Europe have been avowedly conducted for defense against Russian cyber operations.
Security firm Mandiant reported yesterday on activity it's recently observed by APT29, the Russian SVR operation commonly referred to as Cozy Bear. Mandiant says, "We have observed APT29 continue to demonstrate exceptional operational security and advanced tactics targeting Microsoft 365. We are highlighting several newer TTPs used by APT29 in recent operations." Among its recent tactics has been the disabling of licenses in Microsoft 365 in ways that disable the important security functions performed for the suite by Purview Audit. Once disabled, they begin targeting inboxes for email collection. The threat actor has also been observed conducting successful password-guessing attacks that have enabled it to take over dormant accounts and exploit the access thereby obtained. In all of this, Mandiant credits APT29 with an unusually high degree of operational security.

Security researchers at Proofpoint report that TA558, a criminal gang the researchers assess as a financially motivated small crime threat actor targeting hospitality, hotel, and travel organizations, has increased the tempo of its operations in 2022, stating, "Since 2018, this group has used consistent tactics, techniques, and procedures to attempt to install a variety of malware, including Loda RAT, Vjw0rm, and Revenge RAT." Its targets have, for the most part, been in Latin America, its emails generally written in Portuguese or Spanish. The report concludes, "TA558 is an active threat actor targeting hospitality, travel, and related industries since 2018. Activity conducted by this actor could lead to data theft of both corporate and customer data, as well as potential financial losses. Organizations, especially those operating in targeted sectors in Latin America, North America, and Western Europe, should be aware of this actor's tactics, techniques, and procedures." Proofpoint has, indeed, provided a guide to those tactics, techniques, and procedures.

The U.S. Cybersecurity and Infrastructure Security Agency has made
seven additions to its Known Exploited Vulnerabilities Catalog. As CISA reminds in its announcement, Binding Operational Directive 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. The newly added vulnerabilities affect SAP, Apple iOS, macOS, Chrome, Microsoft Active Directory and Windows, and Palo Alto Networks' PAN-OS. All of these are undergoing active exploitation in the wild, and U.S. federal civilian executive branch agencies falling under CISA's oversight are required to check their enterprise software and apply vendor patches no later than September 9, 2022.
And finally, CISA has also released five industrial control system advisories, affecting systems from Siemens and Mitsubishi Electric. The list of advisories can be found on CISA's website. Operators should read and heed.
Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
Black Cloak is a security firm focused on the unique needs of executives, board members, and high-access employees. They recently released their latest report titled Quantifying the Business Need for Digital Executive Protection. Daniel Floyd is Chief Information Security Officer at Black Cloak.

What we've encountered is, on the corporate executive side, these home networks actually resemble more of a small office network, or even in some cases an enterprise network. What we've discovered is home wireless systems that have multiple access points, 15, 20 access points, wireless LAN controllers, multiple switches, PoE switches, anything from Cisco to Fortinet routers and VPNs and firewalls, home theater automation systems from Savant, Crestron, Control4. So when you actually look at these types of home setups, they start to resemble more of a corporate small office or even enterprise office setup.

And is this just from a practical point of view, that these folks tend to have larger homes with more gadgets in them?

Yes. It's both. The larger homes, as you know, if you get into the 10,000-plus square foot home, you're going to have a need to have a multiple access point system. And due to that need, you're going to have multiple wireless LAN controllers, multiple access points, and this is where you get into the more enterprise-grade systems. And then you'll also have potentially IP camera systems, and this is where you'll see power over Ethernet switches, HP, Cisco, types of switches like that, that you wouldn't see in a standard home setup for most people.

Now, in this executive's day-to-day life, their interactions with their company, is it that their home is kind of out of sight, out of mind in terms of the security folks they have at the office?
Yes, absolutely. So one of the things that corporate SOCs and security teams struggle with is they're specialized in their corporate security. So within the four walls of their security, your SOC is specialized in the type of equipment that you've purchased, right? You may be a Cisco shop, you may be a Juniper shop. Whereas the home networks are really outside the purview of the security team at the organization. And these executive home networks are like snowflakes. No home is the same. So you have 20 executives, you're going to have 20 different setups. One home may have a Cisco wireless system set up with HP switches. The next home could be Fortinet. The next home could be SonicWall. The next home could be Ubiquiti. You're never going to see the same home setup unless the security team at the organization set that up. It's literally going to be a snowflake per home, which makes it difficult for the security team to have the skill sets to secure these homes or even have the permission to secure these homes. And then in addition to the different types of setups you see, you have the privacy concerns. Where do you draw the line in the sand between what the security team at the organization should be doing at the office versus what access they should have at the individual's home?
Yeah, that was actually going to be my next question, which is, is there a cultural issue here as well, that the security folks don't want to mess with the boss's house, right?

Absolutely. Yes. There's absolutely the privacy implications of it, both for the executive, but also for the security team. It could be a very uncomfortable situation for the security team to have to physically access the device, physically access the home, come across something that's more privacy-related that they shouldn't have. It can really become a very awkward, sticky situation.

Teenage kids.

Yes, exactly. The home network is a totally different paradigm. The things that you can block and prohibit on a corporate network because it's owned by the company are totally different than what's going to be at a home network. The home network is going to be wide open. You're not going to be able to deploy URL filtering. There's no Zscaler. You really shouldn't be installing Palo Alto firewalls at everyone's home.

Right.

Unless you do some type of network segmentation. And that can get real complicated, real messy over time.
How much of a real-world threat is this? I mean, in terms of the things that you all are tracking, are the executives' homes a target?

Absolutely. So what we've discovered is a little over 20% of the executive homes have open ports. This can lead to, as I mentioned before, security cameras, VPNs, routers, firewalls. And if you actually go back a few years, there was a breach that occurred at a major social media company, which I won't name, that actually occurred via this exact same attack vector. It actually was an executive, it was a security site reliability engineer, who was working from home, and there was an attacker that discovered his home IP address. And a lot of these home IP addresses are available on data broker sites. And you can actually Google an individual or executive's name and, through a number of different ways, through OSINT, actually determine what their public IP address is. This threat actor was able to compromise a device that was running at this social media employee's home, and he was then able to pivot from the privately owned device into a work computer that contained the SSH keys to access the remote access environment at the company.

Well, so based on the information that you all have gathered here, what are your recommendations? How should folks come at this?

So some of the strategies to reduce the risk at the executives' homes are kind of the same strategies that you would deploy at your corporate office. Starting with asset management. What are the devices that are at the home? What types of devices are at the home? You can't secure what you don't know. So taking an inventory of these types of devices. Then the same strategies that you would deploy at the corporate office, you deploy at the home: ensuring the devices are patched, making sure they're not end of life, making sure they still have support, making sure there's no misconfigurations or default credentials on these devices, things of that nature. One of the other things that we found very effective, a very low-cost, high-fidelity, low-false-positive-rate approach, is to deploy a honeypot or deception-like device at the home. We've discovered that honeypots can act as an early warning radar or early warning trigger system. If someone does gain a foothold into the network, one of the first things they're going to do is enumeration and attempt to pivot. And if you set up a nice juicy target, such as a honeypot, it's a very effective way to detect an intruder in the network.

That's Daniel Floyd from Black Cloak. There's a lot more to this conversation. If you want to hear more, head on over to CyberWire Pro and sign up for Interview Selects, where you'll get access to this and many more extended interviews.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. ... to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.

Thomas Pace is co-founder and CEO at NetRise, where they focus on the security of firmware and things like ICS, IoT, and medical devices. We kicked off our conversation with a look toward the skies, considering the security of satellites.

Satellites, or any kind of space devices, including the associated infrastructure to support them, such as ground stations and the radar, any of the other kind of supporting infrastructure required, have kind of been ignored for a reason that I guess I don't totally understand. They are just devices like anything else. And so having appropriate visibility into the software components that are present on these devices, that are obviously serving incredibly critical functions in the world, in our society, for the military, et cetera, is paramount. And that's really been lacking.

You know, earlier in my career, back in, I suppose, around the early 2000s or so, I was working in television and I remember having a conversation with a satellite engineer. And this was really during the transition from analog to digital. And I remember asking him, what keeps someone from stepping on another person's satellite transmission? And he said, courtesy. And that was it. I remember my jaw kind of hitting the floor. I mean, have we progressed much past that?
I don't think so. I mean, you do have specific, like there's government bands in communication channels that I think are challenging for some people to leverage in some cases. But it's really the FCC that's regulating and monitoring this. It seems to happen at DEF CON just about every year where people bring radio jammers and are talking on channels and frequencies they're not supposed to. So things like the 911 channels, the emergency response channels, the police scanning channels that are reserved for specific things, obviously, and they don't want people on there screwing around or messing with things or blocking those radio frequencies, things like that. But yeah, that stuff's just floating around in space. So being able to listen in, or jam it, or add your own, whatever it is, isn't that huge of a challenge necessarily.

So what are organizations like yours bringing to bear here? What are some of the mitigations that you all are proposing?
Yeah, so what we are bringing to bear here is gaining visibility into what is going on inside of these devices. People view a lot of these devices, IoT, ICS, medical devices, embedded systems and vehicles, telecommunications equipment, and satellites, as these mystical black boxes where we don't have any idea what's going on inside. The reason we don't know what's going on inside is pretty simple. No one's looking. And why is no one looking? Because it's challenging. It's not like looking inside of a Windows operating system or a Linux operating system or something like that. It typically has to be done by evaluating the firmware that is running on these devices. And firmware is a just much harder thing to extract, analyze, and find risks in, for a myriad of reasons. Now, we're very good at doing that. So simplifying visibility for very difficult things to gain visibility into is basically what we are doing. So now we can say things like, okay, we've identified these software components that exist in these devices. Once we do that, we can say these vulnerabilities exist for these software components, and then these vulnerabilities can be exploited, or they're being leveraged for ransomware, or we find things like weak credentials, default credentials. We find things like expired certificates, or certificates where the certificate authority has been compromised. We find public keys and the private keys are both in the same firmware image, which obviously is, I think, what you would call a worst practice. So things like that. Once we get access into the firmware, we've extracted that out and can identify the software components, you're basically solving that problem in the same way you solve a lot of these problems for normal devices. But getting into them is a really big part of the challenge. And that's what we've done really, really well across a very wide, heterogeneous, disparate set of device types.
Yeah. I mean, I suppose there's that old saying, if it ain't broke, don't fix it. But that really doesn't apply here because, as you say, vulnerabilities can be discovered along the way. So even though something may be sitting there doing its function, it doesn't mean that it's not essentially a sitting duck.

I mean, that's 100% right. So we have identified something like, it's well over a million, what are known as n-day vulnerabilities. So they're not zero-days. What this means is these are vulnerabilities whereby, like OpenSSL vulnerabilities, as an example, let's say there's vulnerabilities from 10 years ago. And I go look in the National Vulnerability Database. And I want to say, what devices have this vulnerability? There's a 0% chance that every device that has that version of OpenSSL is in the National Vulnerability Database. That's not the way it goes. So what we have figured out is there's countless devices, I mean, countless, that are not even in the NVD at all. And so every vulnerability that we find in a software component in a device like that is basically known as an n-day. Meaning this is a vulnerability that is known to exist, but is not known to exist on this device because no one's looked. And that could be because the device manufacturers don't even have a product security team, which is more common than I would care to admit. But it's also just because time to market matters with these devices and the security of them kind of takes a back seat. But at the same time, we're seeing attacks now. I mean, we've been seeing attacks for a very long time. A lot of these attacks weren't maybe in the public eye, especially for people who are working in the darker corners of the government that knew these kinds of things were happening. But now it's in the mainstream. There was a big firewall manufacturer last year that literally recommended to their clients to turn off their firewalls because a vulnerability was being exploited that was allowing attackers to launch ransomware attacks within their environment through their firewall. So who's watching the watchman, as they say? There's a bunch of really famous VPN hacks last year that were also being used for the same thing. Speaking of satellites, there was a large satellite manufacturer that had an issue recently. But that actually came through VPN vulnerabilities that gained them access to the satellites. So you can see here that this is not like just saying, hey, guys, these are risks. Like there's risks in every single thing we do every single day. There are actual tangible attacks that have been happening for years against these devices via exploiting the firmware vulnerabilities.

That's Thomas Pace from NetRise.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Dick O'Brien from Symantec. We're discussing the ClipMiner botnet making operators at least $1.7 million. That's Research Saturday. Check it out.

The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tré Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Harold Terio, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.
... you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.