CyberWire Daily - Patch Tuesday notes. SVB's collapse and the cybersecurity sector. SVR's APT29 is phishing for access to information. Trends in the Russo-Ukraine cyberwar. LockBit counts coup (says LockBit).
Episode Date: March 15, 2023

Patch Tuesday notes. Silicon Valley Bank's collapse and its effects on the cybersecurity sector. SVR's APT29 used a Polish state visit to the US as phishbait. Regularizing hacktivist auxiliaries. Our guest is Crane Hassold from Abnormal Security with a look at threats to email. Grayson Milbourne from OpenText Cybersecurity addresses chaos within the supply chain. And LockBit claims to have compromised an aerospace supply chain.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/50

Selected reading.
March 2023 Patch Tuesday: Updates and Analysis (CrowdStrike)
Microsoft Releases March 2023 Security Updates (Cybersecurity and Infrastructure Security Agency CISA)
Adobe Releases Security Updates for Multiple Products (Cybersecurity and Infrastructure Security Agency CISA)
Mozilla Releases Security Updates for Firefox 111 and Firefox ESR 102.9 (Cybersecurity and Infrastructure Security Agency CISA)
SAP Security Patch Day for March 2023 (Onapsis)
March Patch Tuesday review. (CyberWire)
What the collapse of Silicon Valley Bank means for cyber and the tech startup ecosystem. (CyberWire)
NOBELIUM Uses Poland's Ambassador's Visit to the U.S. to Target EU Governments Assisting Ukraine (BlackBerry)
Ukraine Tracks Increased Russian Focus on Cyberespionage (Bank Info Security)
Ukraine scrambles to draft cyber law, legalizing its volunteer hacker army (Newsweek)
Ransomware Group Claims Theft of Valuable SpaceX Data From Contractor (SecurityWeek)
Transcript
You're listening to the CyberWire Network, powered by N2K.
We've got notes on Patch Tuesday.
Silicon Valley Bank's collapse and its effects on the cybersecurity sector. SVR's APT29 used a Polish state visit to the US as phishbait. Regularizing hacktivist auxiliaries. Our guest is Crane Hassold from Abnormal Security with a look at threats to email. Grayson Milbourne from OpenText Cybersecurity addresses chaos within the supply
chain. And LockBit claims to have compromised an aerospace supply chain.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, March 15th, 2023.
We begin with a quick note about March's Patch Tuesday.
Microsoft issued a total of 80 patches, eight of which it classifies as critical.
One of them, CVE-2023-23397, is an elevation of privilege bug affecting Microsoft Outlook that's currently being exploited by attackers.
Russia's APT28, also known as Fancy Bear, that familiar arm of Russia's GRU military
intelligence service, has been exploiting this vulnerability since at least April of last year
to target European government, military, energy, and transportation organizations.
Microsoft credited Ukraine's CERT-UA for the
discovery of the vulnerability. Another actively exploited bug, CVE-2023-24880,
is a security feature bypass vulnerability that affects Windows SmartScreen.
Other vendors also published fixes for vulnerabilities. Adobe issued 106 patches for a variety of its products,
and Mozilla patched 11 security bugs with version 111 of its Firefox product.
Moving on from software to financial vulnerabilities,
Friday's highly documented crash of Silicon Valley Bank may have been addressed,
at least in part by government intervention, but its effects aren't over yet.
After a bank run by depositors that drove SVB into insolvency, the FDIC has placed the bank in receivership and is working to find buyers.
This significant institution's failure is expected to cause blowback for big tech,
particularly for the startup ecosystem that surrounds it,
and that includes the cybersecurity sector as well.
Bloomberg explained Thursday before the bank's closure
that it did business with almost half of all U.S. venture capital-backed startups
and 44% of U.S. venture-backed technology and healthcare companies
that went public last year. TechCrunch shared Friday afternoon that Polymath Robotics co-founder
and chief executive Stefan Seltz-Axmacher preemptively transferred about half of his
company's funds out of SVB on Wednesday evening, saying, I saw that article and it was like, I don't know
if I'm freaking out or not, but it's not worth the risk. I was thinking, you know, this is probably
going to be something where everyone makes fun of me for being an early panicky person. And that's
fine because there's no upside to not being an early person to worry that I won't get 3.5% on some of our money for two weeks if I'm wrong.
By mid-Thursday, he had successfully removed about 25% more of the company's remaining funds.
His attempt early Friday to remove the last of the funds held within the bank was still pending.
Since then, the FDIC has said it would fully protect all deposits at the failed bank,
including those that exceeded the normal $250,000 limit.
But concerns remain that the caution Silicon Valley Bank's failure has prompted
may make it more difficult for startups to secure investment.
In any case, as companies recover access to their funds, the situation is stabilizing,
but we can expect consideration in Washington and elsewhere of revisions to banking regulations.
BlackBerry has been monitoring a campaign by Russia's SVR, the researchers say.
The new Nobelium campaign, BlackBerry observed, creates lures targeted at those with interest in the
Ministry of Foreign Affairs of Poland's recent visit to the U.S. and abuses the legitimate
electronic system for official document exchange in the EU called LegisWrite. It partially overlaps
with a previous campaign discovered by researchers in October 2022. Nobelium is the name under which Microsoft
and others track APT29, also known as Cozy Bear. The campaign's objective appears to be cyber
espionage accomplished by penetration of European diplomatic organizations interested in aid to
Ukraine. As BlackBerry notes, the group is
extremely patient and skilled in utilizing innovative intrusion techniques that abuse Microsoft technologies and services.
The State Service of Special Communications and Information Protection of Ukraine reviews trends in Russian cyber activity and notes the continuing close connection between cyber attacks proper and influence operations.
The report's introduction argues that Russian cyber offenses are conducted by what amounts to an established community.
Temporary fluctuations aside,
the FSB's Gamaredon remains the most persistent of the Russian threat groups.
Episodic lulls in Gamaredon's activity last summer
seem to have been due to a lower operational tempo
during reconnaissance phases of its campaigns. Gamaredon, however, is very far from being the
only player, and a range of state groups and hacktivist auxiliaries have remained active
throughout the war. The GRU's Fancy Bear and the SVR's Cozy Bear, to take two other agencies, are also prominently mentioned
in dispatches, nor should their kid brother, Belarus' Ghostwriter, be overlooked either.
These groups organize their operations around general goals and themes without much evidence
of direct command and coordination. Ukraine has also drawn hacktivists to its cause.
Newsweek's Shaun Waterman has an account of how Ukraine's government is moving to bring the IT Army in particular towards status
as a properly regulated cyber reserve. The motivation for doing so would be to bring
clarity to the volunteer hacktivist status under international law and to provide the sorts of controls over their
activity that the laws of armed conflict suggest are appropriate. The closest model for the kind
of reserve system Ukraine is establishing is found in Estonia. There, the cyber defense unit forms
part of the Estonian Defense League. And finally, SecurityWeek reports that the LockBit ransomware gang claims to have
compromised Maximum Industries, a supplier of components to SpaceX. The prize LockBit claims
to have obtained includes some 3,000 engineering drawings said to be certified by SpaceX engineers.
The text of LockBit's communique makes it clear that the target is SpaceX,
not its supplier. The gang posted an announcement on its dark web page in a more fluent than usual,
but still recognizable dialect of Shadow Brokerese, stating, I would say we were lucky
if SpaceX contractors were more talkative, but I think this material will find its buyer as soon as possible.
Elon Musk, we will help you sell your drawings to other manufacturers.
Build the ship faster and fly away.
And now about the numbers.
About 3,000 drawings certified by SpaceX engineers.
We will launch the auction in a week.
All available data will be published.
SecurityWeek observes sensibly that ransomware gangs are known to include some whoppers in their claims
and that LockBit's announcement should be regarded with cautious skepticism.
LockBit has given the victims a deadline of March 20th to pay.
Coming up after the break,
Crane Hassold from Abnormal Security with a look at threats to email.
Grayson Milbourne from OpenText Cybersecurity
addresses chaos within the supply chain.
Stay with us.
The folks at Abnormal Security recently released the latest version of their email threat report,
analyzing the trends they've been tracking through the second half of last year. For insights on what they found, I spoke with Crane Hassold,
Director of Threat Intelligence at Abnormal Security.
When we look at the high-level statistics and the data,
more than a quarter of all BEC attacks, business email compromise attacks,
that we're seeing on a daily basis are actually going to be engaged with,
opened and read by their targets.
And we know this because, you know,
based on the way that we look at our data,
there are a number of organizations
where, you know, we're embedded into their defenses,
but not, you know, not set to do anything with those emails.
And so we can see exactly what would happen
if these attacks,
when these attacks actually get through and bypass their existing defenses.
And so, you know, 20% of those emails, of those BEC attack emails that come through are actually read. And astonishingly enough, 15% of those emails that are actually read
are eventually responded to by employees, which sort of shows you the overall success rate
of BEC attacks.
I think a lot of people look at
most business email compromise attacks
and who would actually respond to one of these things.
But based on the data and what we're seeing,
the overall success rate for a BEC campaign
is actually much higher than I think a lot of people expect.
Wow.
What do you suppose the root cause of this is?
I mean, I guess what I'm curious is,
to what degree is it the fact that the employees
are having these emails put in front of them at all,
that they're not being filtered out ahead of time,
but then also being trained to recognize them
and respond in an appropriate way?
I think there are a number of reasons
why these attacks are still so successful.
One is because they're relying on pure social engineering.
They rely on concepts, on behavioral concepts
that have been around for literally thousands of years.
So the same reasons that BEC emails are successful today
are the same reason that any scam
has been successful for hundreds of years, right? So they
prey on trust, fear, anxiety, doubt, making it so that, you know, the email that you're seeing in
front of them, whatever you're seeing in front of you, is actually from who they say it's supposed
to be from. And so, you know, that's, you know, one is just a pure weakness of human behavior.
The other side of it is from a security awareness training perspective,
a lot of those exercises are teaching people to not click on links
and not open malicious attachments.
And when you look at a BEC attack, it's nothing more than pure text.
It's just nothing more than someone impersonating a trusted individual,
trying to get them to do something or send some money that they wouldn't otherwise do. And then also when you look at it,
you know, when you look at who's actually responding to a lot of these, you know, a lot of
it has to do with what someone's job actually is, right? So, you know, what we can see is more than
three quarters of sales specialists. So if a salesperson receives a BEC email
and they open it,
three-quarters of the time,
they're going to respond to it.
And the reason for that is
that's what their job is, right?
So they are trained to respond
to incoming requests,
no matter who they're from,
because that's how they make sales.
And what's also really interesting
is the employees that have
the highest read percentage
rates, so the ones that are going to be actually opening the BEC emails, are actually the ones that
are the most targeted. So accounts payable specialists, for example, 36% of the time they
receive a BEC email, they're going to open it. 31% of the time an HR specialist receives a BEC email,
they're going to open it.
Again, because that's what they do on a daily basis.
They receive requests from internal or external people, and they try to follow up with those requests.
One of the things that caught my eye in the report was the degree to which a really low level of employees report attacks to their security team.
Yeah, so based on our data,
we see that only 2% of actual malicious emails
are reported to their internal security teams,
which I think is much lower
than I think you would expect it to be.
But even going further than that,
of the emails that are actually reported to a security
team, 84% of them are actually completely legitimate emails or just spam. So they're not
actually malicious in any way, shape, or form. And what that shows you is you're essentially,
you have these internal security teams, these SOCs, that are receiving a bunch of false positives
that are just making them spin their wheels.
They're doing a lot of triage and review of messages
that they shouldn't be looking at to begin with.
And again, that goes back to a lot of the security awareness training
that we've been teaching people to report anything that looks suspicious.
Well, now, you know, since we've conditioned employees to do that,
now they're reporting anything that they don't like or that they think could have a sliver of
a chance of being malicious. And that causes, you know, our internal security teams to really be
wasting a lot of time looking at false positive messages.
Well, based on the information you've gathered here, what's your practical advice for folks to do a better job with this?
Yeah, I mean, as I mentioned, I think one of the biggest things when it comes to preventing these types of attacks and making sure that an organization is insulated from becoming the victim of a BEC attack is essentially to prevent the attacks from getting to the employees to begin with. As we've seen with the data in this report,
if a BEC attack reaches its destination,
there is a relatively large percentage of these employees
that are going to engage with the attacks.
And so to prevent that from even becoming a possibility,
making sure that
organizations have email defenses in place that are equipped to detect and block these types of
social engineering attacks from reaching employees' inboxes. And that means relying on things like
behavioral analytics, making sure that an email defense is looking at a message in a more holistic manner, understanding
the relationships between senders and receivers, the context and content of the emails,
instead of just relying on static indicators to hopefully block those previously known bad
artifacts. That's Crane Hassold from Abnormal Security.
And joining me once again is Grayson Milbourne. He is Security Intelligence Director at OpenText Security
Solutions. Grayson, it is always great to welcome you back to the show. I want to touch today on
kind of where we stand when it comes to the supply chain. Obviously, you know, we all went through
the pandemic together and suffered through that. What's your take on where we are today?
Well, I think the supply chain is certainly still a very clear target for a lot of cyber criminal activity. And I think it kind of underpins why as to the chaos't as many maybe big disruptions as I was anticipating
or hot product items that weren't able to be delivered. But what we have sort of seen so far
in 2023 is a continued focus. And most recently, we saw CISA release a bulletin warning about
supply chain attacks targeting the food supply industry. And so,
you know, a lot of times we think about supply chain and it's a really massive thing, really.
I mean, almost all goods and services have a moving part to how it, you know, gets from where
it was created to the end destination. And so I think this just stuck out to me as, you know,
another clever target that also has some really big dollar amounts behind it. So, you know,
food shipments at scale can be hundreds of thousands, if not millions of dollars. And so they represent an
attractive target for attackers. Yeah, certainly, you know, a few things more fundamental than food,
right? I suppose water. Yeah, absolutely. Yeah, right. I mean, you know, water is another one.
We've seen, unfortunately, several attacks take place, and thankfully, these things are more isolated. But internet-exposed systems that are responsible for controlling water purification plants, we've seen examples in the past couple. Like an employee recognizes that, hey, wait a second, you know, this mixture is completely off what happened here. So I think, you know, understanding
just how widespread supply chain really is and all the way down to food and water.
Yeah. What are your recommendations here? I mean, as I think it's safe to say that perhaps
things are settling down, but we're not completely out of the woods yet.
Yeah, this is true. And I think, you know, we're probably not going to be out of the woods with respect to
focus on attacks that exploit relationships between businesses, which most often supply
chain attacks are kind of like that. And I think there's some additional steps that businesses can
take to mitigate their risk. One is being mindful of these larger dollar
amount transactions, particularly with newer vendors. And so with supply chain issues, we see
a supplier might run out, and so you're scrambling. And so you may indeed make a new
connection with somebody else who is claiming to have the goods or services you need. And I think
those are opportunities that hackers exploit to their advantage.
Spending a bit more time doing the vetting process
to ensure that a new vendor is in fact who they say they are,
that can go a long way.
And then I think the other thing we see
is that there's just an attack on the communications
of how these things work.
And so business email compromise
definitely targets manufacturing. We see this in our own
threat report data year after year, in that manufacturing is the number one targeted
industry just by the number of infections that they're encountering. But back to business email
compromise, one of the things that often takes place is there's that bait and switch or a hijack
of an email thread. And at the very final moment, it's when an account number is modified.
And so I think having a process in place for dual verification,
again, you can solve a lot of these risks just through proper process.
And so instead of it being like that one last person says,
okay, send the email, there can be a second channel that reviews
and confirms that the right information is being sent across.
I mean, even to the point of if, I don't know, something's above a certain dollar amount,
maybe that warrants a phone call in addition to an email?
Yeah, and I like separating mediums. And so if you get an email, pick up the phone and talk,
right, or send a text. Because if one medium is compromised, it could be not who you think
on the other end. But if you switch it to a phone call, all of a sudden you're introducing voice
and you have other layers of familiarity that are difficult to overcome as an attacker.
Yeah. All right. Well, good advice. Grayson Milbourne, thanks so much for joining us. Thank you.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman.
The show was written by John Petrik.
Our executive editor is Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.