CyberWire Daily - Patches and exploits. Watching threats develop in the dark web. Spyware vendors added to the US Entity List. WhatsApp risk. And notes from the hybrid war.
Episode Date: July 19, 2023
Vulnerabilities are identified and patched in Citrix Netscaler products and Adobe ColdFusion. The banking sector should be monitoring the dark web for leaked credentials and insider threats. Spyware vendors are added to the US Entity List. WhatsApp accounts may be at risk. Verizon's Chris Novak shares insights on Log4j from this year's DBIR. Our guest is Candid Wüest of Acronis discussing the findings of their Year-end Cyberthreats Report. Skirmishes in the cyber phases of Russia's war. And how do you demobilize cyber forces (especially the auxiliaries) once the war is over?
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/136
Selected reading.
Exploited 0-days, an incomplete fix, and a botched disclosure: Infosec snafu reigns
New critical Citrix ADC and Gateway flaw exploited as zero-day (BleepingComputer)
Citrix alerts users to critical vulnerability in Citrix ADC and Gateway (Computing)
Adobe, Microsoft and Citrix vulnerabilities draw warnings from CISA (Record)
Active Exploitation of Multiple Adobe ColdFusion Vulnerabilities (Rapid7)
Dark Web Threats Against The Banking Sector (Searchlight Cyber)
WhatsApp Remote Deactivation Warning For 2 Billion Users (Forbes)
The United States Adds Foreign Companies to Entity List for Malicious Cyber Activities (United States Department of State)
Commerce Adds Four Entities to Entity List for Trafficking in Cyber Exploits (Bureau of Industry and Security)
Russian hackers may be behind 'DDoS' attack on NZ Parliament website (Stuff)
Russian medical lab suspends some services after ransomware attack (Record)
If you want peace, prepare for… cyberwar (Friends of Europe)
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Vulnerabilities are identified and patched in Citrix Netscaler products and Adobe ColdFusion.
The banking sector should be monitoring the dark web for leaked credentials and insider threats.
Spyware vendors are added to the U.S. entity list.
WhatsApp accounts may be at risk.
Verizon's Chris Novak shares insights on Log4j from this year's DBIR. Our guest is Candid Wüest from Acronis,
discussing the findings of their year-end cyber threats report,
skirmishes in the cyber phases of Russia's war,
and how do you demobilize cyber forces once the war is over?
I'm Dave Bittner with your CyberWire Intel briefing for Wednesday, July 19th, 2023. According to a recent report from Ars Technica,
Adobe ColdFusion and Citrix Netscaler products have been found to have newly exploited vulnerabilities,
prompting both vendors to urgently address the issue.
The Netscaler ADC and Netscaler Gateway products
are impacted, as well as Adobe's ColdFusion. In response to these vulnerabilities, Adobe and
Citrix have released updates to fix the issues. However, it appears that Adobe's fix for one
specific vulnerability in ColdFusion may not be complete. Research organization Rapid7, who
discovered this vulnerability, reported that the fix provided by Adobe on July 11th is still
susceptible to a modified exploit in the latest version of ColdFusion released on July 14th.
In an interesting twist, cybersecurity research organization Project Discovery accidentally published a zero-day vulnerability for Adobe ColdFusion
before Adobe had a chance to provide the patch.
It seems that Project Discovery misunderstood which vulnerability they were addressing in their blog post.
Once Adobe released a fix for the issue,
Project Discovery took down the initial blog post and republished
it after the Adobe fix was available. The good news is that these vulnerabilities in Adobe Cold
Fusion and Netscaler have now been patched. However, Rapid7 has cautioned that these
vulnerabilities are already being actively exploited in the wild while organizations
are working to update their systems.
Searchlight Cyber has released a report on dark web threats against the banking sector. It details dark web activity targeting financial institutions. The report finds that the vast
majority of activity is centered around initial access brokers who sell access to criminal
third parties. As Searchlight explains,
they don't orchestrate attacks themselves, but their specialization in gaining network access
is relied on by other cybercriminals who either don't have the skills to gain access or prefer
to focus their resources further down the attack chain, where profits are higher. In return,
initial access brokers can generate
consistent returns while taking on a relatively low-risk portion of the attack.
Insider threats also pose a risk to financial institutions. The insiders could be contractors,
employees of third-party organizations, or even employees in the bank itself.
Searchlight provides examples of insiders being recruited for malicious attacks
and even requesting assistance from cyber criminals on how to conduct such an attack.
Both insiders and initial access brokers could compromise supply chains.
Banks are usually massive organizations providing services to various industries and companies. Searchlight Cyber recommends that all bank cybersecurity teams monitor the dark web for such threats.
Security researcher Jake Moore tweeted that it appears to be possible to deactivate any
WhatsApp account by simply emailing the company. If a user emails the phrase "Lost/stolen, please deactivate my
account" along with the account's phone number, the service will temporarily deactivate the account.
Moore found that the request can be sent from any email address. The account can be reactivated if
the user logs back in within 30 days, but Moore points out that someone could write a script
that continually emails deactivation requests.
Forbes notes that WhatsApp appears to have suspended
the automated deactivation of accounts
and is now requiring users to send a phone bill
to verify their ownership of the account.
The U.S. Commerce Department's Bureau of Industry and Security has added four
organizations to the entity list for their role in trafficking in commercial spyware.
Intellexa SA, based in Greece, Cytrox Holdings in Hungary, and their related subsidiaries,
Intellexa Limited in Ireland, and Cytrox AD in North Macedonia.
The designation, which the State Department explained,
was based on a determination that the companies engaged in trafficking in cyber exploits
used to gain access to information systems,
threatening the privacy and security of individuals and organizations worldwide,
prohibits U.S. organizations from doing most forms of business with the
companies. Skirmishing continues in the cyber phases of Russia's hybrid war against Ukraine,
and it remains the nuisance-level stuff we've grown to expect from the auxiliaries and opportunists.
A Russian medical laboratory has suspended services as it recovers from a ransomware attack. It's unclear, according to the Record, whether the attack was politically or financially motivated. Either is possible,
as is an admixture of the two motivations. Should it prove to be an attack in the Ukrainian interest,
it would be difficult to justify as a legitimate operation. Medical facilities and organizations are under most circumstances
prohibited targets under international norms of armed conflict.
On the Russian side, the Russian hacktivist auxiliary NoName057(16)
is said to have claimed responsibility for DDoS attacks
against New Zealand's Parliament and Law Commission.
And the Russian cyber-auxiliary groups UserSec
and Anonymous Russia have announced a DDoS campaign against airports in the UK.
Both groups announced the attack simultaneously on Telegram, stating that Anonymous Russia is
uniting for an attack on airports in Great Britain. In our sights is the sleeping international UK airport,
Birmingham. God save Russia. Anonymous Russia also posted a link to check-host.net,
which showed the airport's front page as being down. At the time of writing, however,
the Birmingham site seems to be up and available. And finally, what do you do with soldiers once the war is over?
Sure, most just want to go home, but some have trouble readjusting.
Friends of Europe thinks that whatever the outcome of Russia's war proves to be,
when it's over, it will be difficult to know what to do with the cyber operators on both sides.
Many of them have been loosely controlled, and there's no
precedent for standing down what amounts to a cyber army. The Friends of Europe point out,
textbook peacemaking relies on the so-called DDR methodology, demobilization, disarmament,
and repatriation. Incomplete DDR is often the fastest road to endless and nasty violence.
For failing to demobilize elite Navy commandos, Mexico has been plagued with the Zetas,
who have turned out to become the backbone of drug rings.
For failing to repatriate, Eastern Congo has been an open-air nightmare for the past 30 years.
For failing to properly disarm all belligerents, former participants of the Yugoslav wars have been fueling European gangs with all sorts of weaponry.
Dismantling conventional forces can be challenging enough, but in principle the necessary steps are
clear enough. But cyber forces are difficult to identify, their tools difficult to locate and disable,
and both the operators and their tools can find ready post-war employment in the cyber underworld.
The end of the war in Ukraine, when it comes, and it will eventually come,
will see a large number of keyboard warriors adrift.
Some of them will readjust, but many others may find themselves more comfortable staying in the
lower bands of the spectrum of conflict.
Coming up after the break, Verizon's Chris Novak shares insights on Log4j from this year's
DBIR.
Our guest is Candid Wüest of Acronis, discussing the findings of their
year-end cyber threats report. Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
The team at security firm Acronis recently published their cyber threats report for the
year ending in 2022, reporting on the threats they're tracking and the challenges organizations are facing
when dealing with those threats.
Candid Wüest is VP of Research at Acronis,
and he joins us with highlights from the report.
Ransomware is still a big and devastating attack,
which is still happening.
But we also saw over the last few years already
kind of the shift over to data exfiltration.
So nowadays it's more about kind of privacy or data breach and no longer just about the data disruption.
So that's one of the main things that we saw.
And of course, on the other hand, also attacks against authentication like MFA fatigue.
So MFA, multi-factor authentication, on its own is no longer good enough.
And of course, we've seen other mess-ups
like browser syncing passwords
that enable the attackers to get into companies
like Cisco and others.
So those are the things that we have seen
and probably will see for the future as well.
Was there anything in this year's report
that was unusual or surprising?
I mean, having been in the industry too long, probably not too much is surprising.
But I still think that it's interesting to see kind of the shift towards,
I would call it living off your infrastructure.
So where attackers actually go off to service providers and manage service providers
and attack them to get into their systems and then use their deployment tools and remote managing tools to deploy their ransomware or other malware.
So that's something that we see more and more, as of course the attackers, they seek the weakest link as well.
And unfortunately, that's sometimes your service provider.
What are we seeing in terms of longer-term trends
as you all look at this year after year?
Does anything stand out?
I mean, we're already four months in,
well, three and a half maybe to be precise for 2023.
So of course, the whole AI with ChatGPT and others
is probably a theme that we have to recognize for this year.
So that's something that we have already seen playing out.
Happy to dive into details on where we see them using ChatGPT and other artificial intelligence models to create phishing and malware and other things.
So that's probably going to keep us busy for this year.
And another topic is the whole cloud and API security, which is, of course, also out there.
And many companies still kind of ignoring it, unfortunately.
What are your recommendations then, based on the information you've gathered here, for organizations to better protect themselves?
Quite funnily, it's actually kind of reducing the complexity.
So something which sounds very basic, right?
But unfortunately, we have seen that companies,
no matter if they're small or large,
usually just try to add another point solution to the whole mix.
And we did a survey last year
to ask how many security solutions
are you running in parallel?
And the response was that 22% of the companies
are using more than 10 security solutions in parallel.
So that's security solutions like spam filters,
antivirus, EDR, XDR, and so on.
And of course, that means that most of the times
this will reduce your kind of exposure probably,
but also increase the complexity
and lead to human errors.
Because we all know if there's too many solutions,
they don't really play well to each other.
So there's a high chance that you will make some mistakes.
And unfortunately, those are the ones
that the attackers are using.
So reducing complexity can help you
actually increase your resilience.
And it also saves you some costs because now you don't really have to bother about all the different vendors.
How do you suggest that folks go about doing that?
I mean, it strikes me that everybody is afraid to get rid of that tool, and then the breach happens, and somebody says, well, why did you get rid of that tool?
That one may have been the one that would have stopped the breach. Yeah, it sounds kind of counterintuitive, right? Kind of
reducing some of the tool stack that you have. And yes, it might be scary at the beginning,
but very often you actually already pay for a lot of things which overlap, right? So you might have
some antivirus, you might have some vulnerability assessment, and usually you can only use one of the tools.
Very often, it doesn't really make sense to have overlapping tools because they might even generate some issues for you.
So those are the simple ones to reduce.
It's also very simple to kind of help with the automation if you reduce the complexity. Because nowadays, nobody has enough resources, probably also not enough expertise in-house, right? So you can either use external
sources and kind of use MDR services or outsource everything to your service providers. Or, of
course, you automate it to be efficient in the things you do. And for that, it definitely helps to reduce it.
So it might sound a bit scary at the beginning,
but once you have a nice plan, it actually all makes sense.
You mentioned AI, and indeed, there's a lot of hype around that right now.
To what degree do you think the hype is overstated,
or should security professionals be concerned?
Yeah, it is definitely kind of the elephant in the room now, being it ChatGPT or any large language models that we have at the moment.
To be honest, I'm not afraid of seeing any Terminator-like ransomware anytime soon.
It has shown that, yes, you can use ChatGPT and others, LLMs, to generate malware, to generate phishing emails and other things.
But the malware which is generated is not that sophisticated.
Very often, it actually doesn't really run.
And we don't expect any of the more sophisticated groups, don't even think about the APT groups, to use it to their advantage.
Because simply, it doesn't really help them too much.
But of course, yes, it will enter or will allow more cyber criminals to enter the field.
So we will see a boost in probably the frequency of attacks and the volumes of attack, which we all know some people still fall for even the simple spam and phishing emails.
So this is something to keep in mind.
But on the detection side, I mean, no matter how it is generated with an AI model,
if you're looking for sophisticated things like behavior heuristics,
you can still detect it, right?
Because in the end, you want to see, does someone encrypt your data?
Does someone steal your Bitcoin wallet?
And those are the things you cannot really hide no matter how much AI you use.
So I think it is slightly overstated,
but of course, on the defender side,
you should definitely use AI.
And it has been used for many, many years already
because it is very easy and helpful
in defining anomalies in your data.
That's Candid Wüest from Acronis.
And it is always my pleasure to welcome back to the show Chris Novak.
He is the Managing Director for Cybersecurity Consulting with Verizon Business.
Chris, welcome back.
You and I have been going through some of the specific elements of this year's Verizon DBIR.
I want to talk about Log4j and sort of the, is it fair to say, the long tail that we're experiencing with that?
Absolutely.
Yeah, thanks, Dave.
And yeah, Log4j is definitely, I don't know if I want to say it's the gift that keeps on giving. I think it has started to kind of peter out a bit in terms of interest, but I think there's a lot of really substantial data that we've gathered on it.
And it attracted just probably by far the most media attention that we've seen around a specific vulnerability in as long as I can remember.
Well, let's dig into some of that data.
What are some of the things you highlight in the report?
Sure.
So I think one of the things that was probably most surprising to us, we actually kind of went back and reworked the data just to make sure it was correct,
was that more than a third of all of the scanning activity to look for Log4j-vulnerable systems happened within the first 30 days of it becoming publicly known. More than a third in 30 days. And
in fact, the majority of it, the biggest spike in activity occurred within the first 17 days.
And so, you know, there's a number of takeaways that come out of that that I think are worth highlighting.
And that is, one, great to see the defense looking for it.
But obviously, a big portion of that also is the offense.
We know that just about as fast as Log4j became known in the wild as being vulnerable,
we saw exploit code out there looking to take advantage of it.
Is it fair to label that like a threat actor gold rush that, you know, they want to be
the first ones to be able to exploit this on a vulnerable system?
I think, you know, partially, I think part of it is they looked at it as this is a very
target-rich environment.
I think there was a number of things that contributed to it.
One was, as I spoke with CISOs and security teams all across
the globe when this was happening, the big thing that they all said was, oh my God, I know we have
to have this in our environment. I know it's going to be here. My biggest concern is I don't know
where, because most every security team out there has got a catalog of kind of the macro level
applications and systems that they run, or at least many do. There's obviously still
that are still working on this, but many of them never have gone down to that next level kind of
where we would talk about things like software bill of materials and say kind of, you know,
what are the ingredients that are inside these things in the event we discover that something
is vulnerable? So there was a mad rush, both on the defensive side to just try to figure out
where the heck is this in our environment?
And then obviously there was the rush on the offensive side by the malicious threat actors going, this is perfect. They're all scurrying around trying to figure out where their vulnerable
systems are. Let's go see if we can find them first. Do you have a certain amount of empathy
for the folks who are out there and still may not be 100% aware that they could have this vulnerability lurking somewhere in their systems?
Oh, I have a lot, yeah.
And I think that there's definitely a good bit of this still out there.
And it's actually interesting when we looked at the data,
we saw that when it first became known, you saw a spike in looking for it.
And then you saw in terms of we've got a lot of data in the report around kind of vulnerability management information. You saw a lot of these vulnerabilities get patched relatively
quickly or addressed in some mitigating way relatively quickly. And you see the number of
vulnerable systems drop, you know, very, very fast. But then interestingly, you see it pick back up
again. And we had to look at it and go, what the heck? Are you telling me that there's people out there who are actively deploying vulnerable systems
with Log4j? And what it ended up being was
lots of organizations scurried to address the problem so quickly in their production
environments, but they forgot to address it in their backup
environments, their DR environments, their gold standard
images. And so as systems naturally
rolled over, restored from backup as part of other procedures, what they were finding was systems
they thought were fixed, as it rolled a backup and restored something, they'd actually be bringing
back vulnerable Log4j instances back into their production environments and they'd be rediscovering
them again. And so we kind of saw almost like this decaying sine wave
over time where we'd see it would get knocked down
and it would come up again, get knocked down and come up again.
And each time the peak would get a little bit lower,
but we'd see this kind of phenomenon happen.
And obviously, threat actors going after all of those as well.
We know that the threat actors are out there looking for this.
If I'm trying to defend my system,
can automation be my friend here?
Is there something I can deploy that can be trying to get ahead
of the threat actors and looking for it for my sake?
Yeah, so I think there's a couple of things.
One, there's definitely great technology out there for looking for this.
I know that when we get called in by clients to
help them with exactly these kind of problems, there's a whole host of technology solutions that
can be deployed to look for the vulnerable library. So definitely folks should know that
it does exist. And if they're struggling with it, definitely reach out. It's something worth
discussing because you can find those libraries in the environment. You can identify the vulnerable applications. The other thing also that we've seen a dramatic uptick in is increasing adoption of
software bill of materials. Now, it's by far not perfect, but we're getting closer every day. And
even the U.S. government and others are starting to kind of step in and say, hey, we see the value
in having something like this. And for those who may not be familiar, I kind of say it's almost like, think of it as like
the ingredients list in your food, right?
Everything you buy, you look on the package and it's got a list of ingredients and typically
a list of allergens.
And if you have a particular allergy to something or if there is an ingredient that we know
is dangerous or harmful, it makes it very easy for us to identify whether or not that is in one of our packaged food products. And so we're
kind of starting to see more of an adoption of that as it relates to software packages as well,
because there's so many different developers out there that may source different libraries and
packages from other places. So having visibility into that through something like a software bill of materials
is another great way to kind of understand where that risk might be.
Yeah. All right.
Well, Chris Novak is Managing Director for Cybersecurity Consulting at Verizon.
Chris, thanks so much for joining us. Thank you.
thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping
unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly
and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your
company safe and compliant.
And that's The CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like The CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private
sector, as well as the critical security teams supporting the Fortune 500 and many of the world's
preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence
optimizes the value of your biggest investment, your people.
We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Ervin and senior producer Jennifer Iben.
Our mixer is Trey Hester with original music by Elliot Peltzman.
The show was written by our editorial staff.
Our executive editor is Peter Kilby and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Thank you.
you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.