CyberWire Daily - "Pantsdown" firmware vulnerability. ChromeLoader warning. Conti update. Ransomware at SpiceJet. CISA's Known Exploited Vulnerabilities Catalog expands. Kyiv honors Google. Reformed ID thief.
Episode Date: May 26, 2022
"Pantsdown" in QCT Baseboard Management Controllers. A warning on ChromeLoader. Conti updates. Ransomware's effect on SpiceJet. CISA's Known Exploited Vulnerabilities Catalog expands, again. Kyiv honors Google. Josh Ray from Accenture reminds us it's military appreciation month. Our guest is Melissa Bischoping of Tanium with lessons learned from the American Dental Association ransomware attack. And a poacher turned gamekeeper?
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/102
Selected reading.
Critical 'Pantsdown' BMC Vulnerability Affects QCT Servers Used in Data Centers (The Hacker News)
ChromeLoader: a pushy malvertiser (Red Canary)
Conti leaks data stolen during January attack on Oregon county (The Record by Recorded Future)
Is the Conti Ransomware Gang Stronger Apart Than Together? (OODA Loop)
SpiceJet: Passengers stranded as India airline hit by ransomware attack (BBC News)
SpiceJet's woes continue as ransomware attack delays flights (The Loadstar)
SpiceJet's brush with ransomware is a timely reminder to protect yourself against this cyber menace (cnbctv18.com)
CISA Adds 34 Known Exploited Vulnerabilities to Catalog (CISA)
Mykhailo Fedorov presented the first "Peace prize" to Google (Digital Gov)
Notorious Vietnamese hacker turns government cyber agent (France 24)
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
QCT Baseboard Management Controllers are caught with their pants down.
A warning on ChromeLoader.
Conti updates.
Ransomware's effect on SpiceJet.
CISA's Known Exploited Vulnerabilities Catalog expands again.
Kyiv honors Google.
Josh Ray from Accenture reminds us it's Military Appreciation Month.
Our guest is Melissa Bischoping from Tanium with lessons learned from the American Dental Association ransomware attack, and a poacher turned gamekeeper.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, May 26, 2022.
Eclypsium this morning published research into the susceptibility of Quanta Cloud Technology servers to exploitation via the Pantsdown baseboard management controller flaw. This vulnerability can provide an attacker with full control over the server, including the ability to propagate ransomware, stealthily steal data, or disable the BMC or the server itself. Additionally, by gaining code execution in the BMC, attackers could steal the BMC credentials, which could allow the attack to spread to other servers in the same IPMI group. Patches are expected soon, and Eclypsium notes that the most recent versions of affected QCT products have a secure boot capability that should serve to mitigate risk in the meantime. Eclypsium's executive summary offers some useful reflections on the business implications of moving to the cloud and of the security issues one needs to remain aware of in doing so. Cloud services are still susceptible to firmware issues that arise in their hardware.
Red Canary researchers describe ChromeLoader, a browser hijacker that modifies browser settings and redirects victims to advertisement websites. The malware is hidden inside what appears as a cracked video game or pirated movie or TV show. The malware uses PowerShell to inject itself into the browser and adds a malicious extension to it, which can be seen in PowerShell. And this is how, Red Canary explains, ChromeLoader was discovered. The PowerShell script allows for other malware to come in undetected and gain a hold on personal browser information.
The Conti ransomware gang may have splintered, perhaps acting on the old corporate raider or dissident shareholder premise that a business can unlock value by breaking itself up. OODA Loop suggests as much with its headline, Is the Conti ransomware gang stronger apart than together? But Conti data dumps have continued. The Record reports that the gang, or a part of it, or a reorganizing successor, has published all of the data it stole during a January attack on the government servers of Linn County, Oregon.
The BBC reports that Indian airline SpiceJet reports that it's been able to restore its affected IT systems and that flights, whose delays had continued into yesterday, were now operating normally. The Loadstar reports, however, that passenger complaints continue and that disruption to operations also affected the airline's freight unit. Disgruntled passengers suggest that corporate communications should play an important role in incident response. CNBC discusses lessons others might learn from the incident and notes that even a partially successful ransomware attempt can have a very bad effect on a business.
Feds take note. The U.S. Cybersecurity and Infrastructure Security Agency yesterday added 34 more vulnerabilities to its Known Exploited Vulnerabilities Catalog, bringing the total of new entries for this week to 75. U.S. federal civilian executive agencies are expected to scan for and fix the vulnerabilities and to report completion by June 15.
Things are relatively quiet on the cyber front of Russia's hybrid war in Ukraine, although the Ukrainian government has honored Google's assistance with cybersecurity and IT generally with Kyiv's first Peace Prize. Ukraine's government has honored Google for the assistance the company has rendered to Ukraine during Russia's invasion. The award was presented at Davos by Vice Prime Minister and Minister of Digital Transformation Mykhailo Fedorov when he met with Google's Vice President for Government Affairs and Public Policy Karan Bhatia at the World Economic Forum.
Fedorov said, From February 24th, a new history began not only for Ukraine, but also for the global community. The world is changing. The old system no longer works. Everyone should express a clear position whom they support. With this award, we are pleased to emphasize that Google is a great friend of Ukraine. Literally from the first days of the war, you began to help us on the information front with many business initiatives and most importantly, humanitarian support for our citizens.
He drew particular attention not only to Google and Google-inspired donations to Ukraine, which have amounted to some $45 million, but also to Google's actions against Russian interests.
Google's Bhatia was appreciative and said, The war in Ukraine and resulting humanitarian crisis is devastating. From the beginning of the war, we've sought to help however we can. We've committed over $45 million to humanitarian support and worked to ensure our tools are being as helpful as they can be, providing trustworthy information and fighting against cyber attacks. We're humbled and honored that our work has been recognized with this special Peace Prize from Ukraine's President Volodymyr Zelensky. We will continue to work with the Ukrainian government to provide more support for as long as we are needed.
And finally, there's a story that hints at the possibility of atonement and redemption after a career in crime, even when the larceny is grand. And grand it was in this case. An AFP story published in France 24 tells the story of Ngo Minh Hieu, a Vietnamese national who was convicted in the U.S. of the theft and sale of personal information. Secret Service agent Matt O'Neill, who executed the plan to catch Hieu, told Krebs on Security in 2020, I don't know of any other cybercriminal who has caused more material financial harm to more Americans than Ngo. He served a term of seven years in U.S. prison and has now returned to Ho Chi Minh City, where he works on security research and education. Ngo says he hopes to educate Vietnamese on the threat of criminals like the criminal he used to be. He earned millions illicitly and, of course, lost it. But Ngo now lives quietly and modestly. He conducts, he says, non-political research into cybercrime. We hope he'll be able to work honestly without undue co-option by his country's regime. Best of luck to him, and we hope reform works out for him.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta. Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
The American Dental Association recently found itself the unfortunate victim of a ransomware
attack, one of many organizations that got hit by the Black Basta threat group. The incident
shines a light on the strong possibility of there being secondhand victims. For insights on this,
I spoke with Melissa Bischoping, Director and Endpoint Research Specialist at Tanium.
So, you know, Black Basta really emerged into the field in April of 2022. So relatively a new player by name. The ADA breach
particularly being one of the first high-profile attacks that they've claimed of the dozen or so
that they've done. This is, you know, it's a new name. However, we're seeing a lot of similarities
to Conti. And so I don't trade in speculation or rumors. There are some technical characteristics
and just sort of their style of operations that suggest they may be doing copycat behavior. They
could be another threat actor attempting to sort of eschew attribution or misdirect research,
or they could be a rebrand. We don't entirely know yet, but we do know that some of the tactics and
techniques are very similar. And so therefore, some of the mitigating factors are going to be the same best practices.
Well, let's dig into some of those tactics and techniques, and then we'll touch on some of the things folks should do to mitigate.
What are they up to?
So with this specific Black Basta ransomware, you know, they're going to have the entire attack chain that leads up to the actual execution, right?
The execution of the ransomware itself is something that is done once they have administrative privileges on the machine.
And they're going to go through looking to corrupt your ability to restore from backups.
They're also doing a lot of data exfiltration, and that's one of the things I really want to zero in on here. This is an emerging trend that we've seen over 2019, 2020, and still continuing now
into 2022, is the data theft and exfiltration before encryption. You'll hear it referred to
often as the double extortion or triple extortion, or in some cases, quad extortion ransomware,
to be able to maximize their return on investment and their opportunity for profit.
So in terms of protection here, what should folks be doing?
Well, so twofold. One, you know, the same ransomware best practices that we've been
talking about for years still apply. This is your security hygiene, your patch management,
multi-factor authentication, wherever possible, reducing the likelihood of credential reuse. And those are just really good security practices overall. But in addition to protecting yourself,
you also need to be aware of the threat landscape as these double and triple extortion
threat actors may affect businesses that you do business with or that you're a customer of.
So if you're in the market of dental and healthcare and someone like the ADA gets breached,
have you done the proactive hygiene and security that would keep you safe in the event that some
of your data was what was stolen? So, I mean, it really, it's almost a mindset kind of thing of
being sure to think beyond your own organization. Absolutely. I talk to a lot of security leaders
who, when any high-profile, well-connected organization is attacked, they immediately
are asking, am I next? Does this affect me? Do we have systems that are connected?
And so I think it's important to prioritize staying informed when situations like this
happen. There's a lot of speculation, and sometimes it's even well-intended
speculation about what happened or who might be next. But prioritize connecting with the official
channels. And, you know, the incident responders who work on these issues are going to be reaching
out and providing timely information wherever possible. But also sort of do a self-assessment
of what is the likelihood that maybe an employee signed up for a service using their work account that may be connected to this because we're in an adjacent industry.
The bottom line is avoid the speculation and fear-mongering in the fallout of an attack.
Stay informed through the official communications and then proactively educate your employees about fallout social engineering tactics and do some proactive password resets as
well. You know, whenever we talk about ransomware, of course, lateral movement is a concern.
What things would you like to highlight when it comes to that?
Sure. I sort of touched on this in one of my earlier statements. You may have something as
simple as shared logins, or you may have credentials that have been reused. And while those systems
aren't traditional lateral movement, if your employees are reusing those credentials, that
offers now a potential for them to move into your environment because you've given them that
access. So, avoid creating that connection wherever possible. In addition, some systems
may have a direct connection. Again, let's abstract it from the ADA specifically, but if an organization gets breached that you have payment systems connected to or that you share databases with, you need to be aware of where that connection exists and have that well documented and monitored for security.
What are the take-homes here?
I mean, when you look at the situation here, how the ADA got hit and this particular ransomware group, what's the message you'd like people to take away from this?
Absolutely.
So in the wake of these kind of attacks, people say, well, what can we do to prevent this?
How can we stop this next time?
What do we do?
There's never going to be a silver bullet to 100% prevention of things like ransomware
attacks. So
much like the medical industry and the dental industry, you can do some really great preventative
measures that are, you know, we have researched these and we know that they're effective in
preventing cavities, just like we know that there's certain things you can do that will
prevent your exposure to ransomware attacks. However, you need to be layering that with improving your time to detect
and respond and creating efficiency for your teams to be able to contain that blast radius and reduce
the damage. So, you know, with every ransomware headline, the same fears emerge. It's important
to note, though, that doing credential hygiene, asset visibility, you know, patch management,
all of these are highly effective at reducing your blast radius
and giving you time to go improve your detection and remediation skills.
That's Melissa Bischoping from Tanium.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And joining me once again is Josh Ray.
He is Managing Director and Global Cyber Defense Lead at Accenture Security.
Josh, always great to welcome you back to the show.
We are winding down Military Appreciation Month here, the month of May.
I know this is a topic that's kind of near and dear to your heart,
making sure that we're reaching out and including folks, former military folks,
providing those opportunities for them in the cybersecurity world.
Yeah, David, it is a topic that is near and dear to my heart. And, you know, every year, approximately 200,000 men and women leave U.S. military service and return to life as civilians. And many of these veterans have years of professional training and real world experience in, you know, IT and cybersecurity.
And, you know, they are leaving service, you know, with these valuable cybersecurity skills that are very much in demand. And then veterans from all military branches and career
fields, they bring a wealth of skills and attributes to the table, as you know, and these
characteristics, you know, can include, you know, strong leadership and teamwork, high degree of integrity. And also, I think,
especially in this field, maintaining composure under pressure is key.
Is there a bit of a culture shock that folks sometimes have when they're coming out of the
military and heading into private industry? And as employers, are there things that we can do to
help that transition? Yeah, there is definitely a decalcification effect that occurs,
you know, anytime you're looking to transition from say public sector or, you know, a branch
of the military. So, you know, I reached out to a lot of our vets that work at Accenture Security, and we kind of distilled things down to four ways to kind of get started in this career in cybersecurity.
And first is really around finding your new mission and niche.
So familiarizing yourself with the many positions within the cybersecurity field, right? So don't just limit yourself maybe to what you have direct experience in, and that might be a good foot in
the door, but you can visit places like the National Institute for Cybersecurity Careers
and Studies to learn more about different career paths. We also recommend, you know, even though
certification is not always just a single thing that you need to get a job,
it helps make yourself a little bit more recognized to employers
and helps kind of get past that first stage of review of, say, a resume.
It makes you a little bit more marketable,
and it also will help expanding your skill set by maybe rounding yourself out.
So getting that certification is useful.
The next two are really around just finding a mentor and building your brand.
So finding a mentor that can help guide your search.
Don't be afraid to use your network, your existing network. I mean, the military network is
extremely powerful and friends and associates to really help you meet people that are already
working in the cybersecurity field. And then lastly, it's really around building your brand,
right? You need to be able to speak to recruiters who maybe don't have military experience and explain your qualifications and your experience in a way that is relevant and kind of very specific to not only the jobs that you might be interested in, but people that don't have that jargon or understanding of, you know, of that military lingo.
I'd say the last thing is about really just finding the right company, right? With the right
values that's important to you personally and has a mission. And I think, you know, being a vet and,
and, you know, still wanting to be of service to kind of a new, a new set of stakeholders is
incredibly important to many of us. And there is a way to do that within the commercial sector.
But, you know, it's really about finding the right company that aligns to,
you know, your own kind of personal ambitions
and something that's going to further your career in that light.
All right. Well, good advice as always.
Josh Ray, thanks for joining us. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Rachel Gelfand, Liz Irvin, Elliott Peltzman, Tré Hester, Brandon Karpf, Elliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.