CyberWire Daily - Phishing for Zimbra credentials. Developments in PlayCrypt and Cuba ransomware. #NoFilter exploitation. Cyber gangs (and some services) threaten security researchers. Anglo-Saxonia update.
Episode Date: August 18, 2023
Phishing for Zimbra credentials. PlayCrypt ransomware described. The Cuba ransomware group adopts new tools. #NoFilter. Cyber criminals threaten security researchers. Our guest is Kevin Paige from Uptycs with thoughts on the Black Hat conference. Eric Goldstein, Executive Assistant Director at CISA, joins us discussing next steps on the Secure by Design journey. And Russian disinformation takes on "Anglo-Saxonia." For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/158
Selected reading.
Mass-spreading campaign targeting Zimbra users (We Live Security)
PlayCrypt Ransomware Group Wreaks Havoc in Campaign Against Managed Service Providers (Adlumin SaaS Security)
Cuba Ransomware Deploys New Tools: Targets Critical Infrastructure Sector in the U.S. and IT Integrator in Latin America (BlackBerry)
NoFilter Attack: Sneaky Privilege Escalation Method Bypasses Windows Security (The Hacker News)
Cyber security researchers become target of criminal hackers (Financial Times)
Britain plotting to assassinate pro-Russian leaders in Africa, says Moscow (The Telegraph)
Ukraine at D+540: Russification and disinformation. (CyberWire)
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Phishing for Zimbra credentials.
PlayCrypt ransomware is described.
The Cuba ransomware group adopts new tools.
#NoFilter.
Cyber criminals threaten security researchers.
Our guest is Kevin Paige from Uptycs with thoughts on the Black Hat conference.
Eric Goldstein, executive assistant director at CISA, joins us discussing next steps on the Secure by Design journey.
And Russian disinformation takes on Anglo-Saxonia.
I'm Dave Bittner with your CyberWire Intel briefing
for Friday, August 18th, 2023.
ESET is tracking a major phishing campaign that's targeting Zimbra account credentials.
Most of the targets are located in Poland, Italy, and Ecuador, but the attackers don't seem to be focused on any
particular sector. The campaign has been running since at least April 2023, targeting a variety of
small and medium businesses and governmental entities. The phishing emails are tailored to
each targeted organization and inform users that
they need to log in to Zimbra to resolve an issue. The researchers note, on several occasions we
observed subsequent waves of phishing emails sent from Zimbra accounts of previously targeted
legitimate companies. It is likely that the attackers were able to compromise the victim's administrator
accounts and created new mailboxes that were then used to send phishing emails to other targets.
Researchers at Adlumin outline a concentrated global campaign involving the Play ransomware,
also known as PlayCrypt. The campaign is targeting managed service providers used by mid-market enterprises
in the finance, software, legal, and shipping and logistics industries, as well as state,
local, tribal, and territorial entities in the U.S., Australia, the U.K., and Italy.
The threat actors usually gain initial access by abusing remote monitoring and management software.
The researchers state,
PlayCrypt ransomware's code is highly obfuscated and shows strong resistance to typical analysis
techniques. Notably, this ransomware group is the first to employ intermittent encryption,
a technique that partially encrypts files in chunks to evade detection.
BlackBerry has published an analysis of new tools used by
the Cuba ransomware gang. The threat actor conducted attacks in June 2023 against a
critical infrastructure organization in the U.S. and an IT integrator in Latin America.
BlackBerry says the gang deployed a set of malicious tools that overlapped with previous campaigns associated
with this attacker, as well as introducing new ones, including the first observed use of an
exploit for the Veeam vulnerability, CVE-2023-27532. It's also worth noting that despite the gang's
Cuban branding, the threat actors appear to be based in Russia.
The group seems to be a privateer, making its money by hitting Western Anglophone democratic targets, that is, targets in countries Russia has framed as adversaries.
Deep Instinct describes a privilege escalation technique that abuses the Windows filtering
platform. The researchers built a tool
for mapping remote procedure calls, which allowed them to find ways to manipulate benign services to
perform malicious actions, such as code injection or file encryption. The researchers explain,
all the RPC servers on the system were mapped and methods were marked if the parameters that will be sent to the Win API are controlled by the RPC client.
The Win API could be called directly by the RPC method or after several internal calls.
RPC methods were also marked if specific keywords appeared in their name.
Deep Instinct found that access token duplication can be performed in the kernel using WFP, which makes the attack extremely stealthy.
The Financial Times reports on a trend:
cyber threat actors, both criminal and state-directed, menacing security researchers
and journalists who've drawn attention to their activities. The threats come from both criminals and state agencies,
but criminal threats, which often extend to researchers' families,
seem to be much more common.
Mandiant's CTO Charles Carmakal told the Financial Times,
these are young folks, teenagers, folks in their 20s
that aren't employees of companies that are tasked with hacking,
nor are they members of military or intelligence organizations.
It's a bunch of folks with no rules of engagement.
They have an unlimited amount of free time.
They really push the envelope.
They bring a lot of pain to individuals and make it feel very real.
It can be more than simple harassment.
Some of the crooks have engaged in swatting,
a particularly malign action in which they spoof a call to police
reporting, falsely, that an active shooter is holed up at their victim's address.
The criminals hope the police will respond to the bogus emergency with a SWAT team,
which necessarily brings with it fear, humiliation,
and the real possibility of misapplied
deadly force. There are, however, occasions in which governments, especially the Russian government,
have been involved in the menacing. German authorities are, for example, investigating
the apparent poisoning of a dissident Russian journalist in Munich last autumn. The Guardian reports that the victim
was at the time a reporter for the now-closed Novaya Gazeta. Her coverage of the special
military operation was unwelcome in Moscow. According to The Telegraph, Russian military
and diplomatic sources amplified by state-controlled media say that Britain's MI6 has assembled a team of Ukrainian Nazis
and dispatched them, possibly aboard a grain ship now transiting the Black Sea,
to kill Africans sympathetic to Russia.
The sources said,
The goal of the Ukrainian unit that has been trained by British intelligence
is to carry out acts of sabotage on key infrastructure in Africa
and assassinate the African leaders who favor cooperation with Russia.
The story of Ukrainian Nazi hit squads dispatched by MI6
to trouble African dreams of national self-realization
is implausible, to say the least,
but it's consistent with Russian propagandists' increasing attempts to frame Russia's war as a purely defensive operation,
with the aggression all coming from Anglo-Saxonia, that is, from the Americans and the British.
London and Washington, Russian pundits argue, have been at war with Moscow continuously since 1945.
It's all a continuation of the Great Patriotic War, which increasingly sounds as if the British
and the Americans were on the side of the Axis. And now they're using Ukrainian Nazis, slaves,
zombies, take your pick as the terms are slung around freely and interchangeably,
to prosecute a war against Russia, which stands alone as a bulwark of civilization against the
soulless leaders of Anglo-Saxonia. Or, actually, they're not entirely alone. Pyongyang's dear,
respected Marshal Kim, outstanding leader of the Juche Revolution and the only and unique successor and leader of that Juche Revolution,
the peerlessly great man lettered in basketball at his high school in Switzerland and so on,
has pronounced North Korea's firm solidarity with the cause of Russia.
The pundits on Russian state TV have been pleased to point that out
because, well, you've got to have some kind of angle.
It's not as if this time around the Royal Navy is convoying shiploads of American Lend-Lease.
Keep the Red Army in the field.
Maybe they can truck some ammo over the border from North Korea instead.
Coming up after the break, our guest Kevin Paige from Uptycs has thoughts on the Black Hat Conference.
Eric Goldstein, Executive Assistant Director at CISA, joins us to discuss next steps on the Secure by Design journey.
Stay with us.
Do you know the status of your compliance controls right now? Like, right now?
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI. Now that's a new way
to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
Folks have had a few days now to settle in and recover from Black Hat and DEF CON, hacker summer camp as it's sometimes called.
I checked in with Kevin Paige, CISO of security firm Uptycs, for his take on this year's festivities in Las Vegas.
i think that the tone and the content was pretty interesting.
I think that I'm seeing Black Hat be very much like RSA.
It almost felt like I was at RSA at Black Hat this year.
So the tone was really focused on, I think,
a lot of smaller companies getting more mature in their capabilities,
which was great to see.
It was great to see some of these companies really taking a look at consolidation. I think that was good.
And I think there's also a little bit of sadness. There were a lot of security professionals that happen to be out of work right now.
So there were a lot of people looking for work and a lot of people looking for great people that were available on the market.
So that was also an interesting tone, and lots of interesting conversations about both of those topics.
What's going on in the security world? Why are companies letting go of security team members when our threats are not going down and vulnerabilities aren't getting less?
So why would companies start to lay off some of their security people?
And lots of talks about, I think, consolidation as well. So lots of talks about like, hey,
I have a 20-person security team and I have 32 security products.
What can we do to make this better and more efficient in the long term?
So from a theme perspective, I definitely felt a lot of those types of capabilities that were going on at Black Hat this year.
It was definitely feeling a lot like RSA.
So very, very corporate. I've been coming to Black Hat
for a long, long, long time.
And this was probably the first year
that I felt like I had to wonder,
am I at RSA or am I at Black Hat?
And then I would walk downstairs and be like,
oh, I'm definitely at Black Hat.
This is Vegas.
I mean, is that shift a good thing, a bad thing?
Is it an inevitable thing?
As someone who's been attending these for a long time,
how do you feel about that?
I feel it's an inevitable thing, I think,
because people, I think corporate wants to have their kind of corporate events
with people all across security,
from venture capitalists to cybersecurity startups
to enterprise security companies.
The ability to bring those together in events, I think, is great.
I think RSA is much smaller venues, much smaller capabilities.
And I think that Black Hat's maybe a little bit more centrally located
than San Francisco, even if there are a lot of startups
and venture capital that are focused on security in the Bay Area.
This kind of more corporate move to Black Hat, you kind of saw it coming over the years
as Black Hat got more corporate and DEF CON got a little bit less corporate, but still
a lot more corporate than it used to be.
I think it's kind of inevitable.
So it'll be interesting to see what happens with RSA and Black Hat in the future because people aren't going to want to go to two conferences that are the exact same thing.
So we'll see what happens in the future.
As someone who's in a leadership position, as CISO at Uptycs, as you are, how do you plan out your time to make the maximum use of the amount of time you have there at a conference like this?
So yeah, I focus on a couple of different things.
First thing I focus on is meeting up with people I've worked with in the past,
other CISOs, making sure that we're getting great collaboration
and passing stories along, helping each other out.
So for me, my first priority is making sure that that's happening.
So that's my main priority when I'm going to these events.
It's just kind of my stage.
I haven't gone to these for a long time and made a lot of friends at other places that I've worked.
And also just coming to this event.
So that's probably priority number one.
Priority number two is I like to think of myself as kind of an innovative security executive,
always looking for something
that's modern, something that's helping solve a problem that I
have today, something that's associated with my roadmap.
So I'm looking at lots of the cybersecurity companies, not just
in the vendor hall, but the ones that are around the
vendor hall. There's a lot of young, innovative companies that
are not paying for a booth inside of the venue.
So I'm definitely having lots of conversations
with startups around the venue as well,
kind of looking for more efficient,
more operationally efficient ways
to help me solve some of the problems that I have
is a key priority.
And then key priority number three
is definitely meeting with everybody.
Venture capital, other larger security company vendors,
and just trying to stay in the loop
and hopefully ahead of the curve
on a lot of the different types of security issues
that lots of people see coming,
lots of innovative ways to solve problems
that we see coming.
That's kind of, I think, a big focus area.
So those are my three things that I focus on when I come to these types of events to,
you know, spend my time on.
And, you know, this week when you're back home and you've got some time to reflect on
the information that you've gathered, what is this week like for you?
Do you spend a lot of time reflecting on it?
I do spend a lot of time reflecting.
It's probably one of the key things is that once you've kind of, you know,
dealt with the glamour of Vegas and dealt with, you know,
all of the tens of thousands of people that you've interfaced with,
you know, throughout the week, you know,
now it's time to figure out, you know, like what's really going on. What was the most valuable use of my
time when I was there? What did I get out of it? And how can I make sure that we can use and learn
from the information I learned from others, whether it was my friends, other CISOs, Venture
Capital, some of the other enterprise security vendors? Where's the trend? What are people doing? Why are they going there?
Very, very, very interesting to be able to do that and then see what we can do to be able to help Uptycs,
see what I can do to help some of the other more junior security people in the industry that I mentor.
Where can we use this information to help security as a whole and myself continue to move forward?
Was there anything unexpected or surprising?
Did you have any aha moments while you were there that you didn't call for?
I didn't have a ton of aha moments this year.
Definitely one of the aha moments was the discussion about many of the really good security
professionals that are out of work right now.
So that was maybe not
directly tied to it. But because we had so many security leaders and executives together having
conversations, I think that was something that came out. And it was definitely a moment of saying,
like, hey, why is this happening? Probably the other one is lots of discussions about
tool consolidations, like lots of people saying, you know, talking to vendors or
talking to another vendor, and we're having conversations saying, like, I can't, like, I can't
have another tool in my tool belt, you know, like, I have too many, and I'm not using them all
effectively, like I have too many tools. So lots of discussions around too many tools in security
for security teams to be able to handle effectively. So I think from an aha moment, I've heard bits and pieces of those at other times,
but those two were my two kind of aha moments.
Like, wow, every place I go,
we're talking about these two topics.
And I found it very interesting
that those topics were everywhere.
I don't think I had a conversation
in the three days I was at Black Hat
that didn't touch on those two topics.
That's Kevin Paige, Chief Information Security Officer at Uptycs.
And it is always my pleasure to welcome back to the show Eric Goldstein.
He is Executive Assistant Director at CISA.
Eric, great to have you back.
I want to touch base today on this whole notion of secure by design,
which I know is a focus of you and your colleagues there at CISA.
Where do we stand and where are we going with this?
Thanks so much, David. It's always a pleasure to be on. Just to catch listeners up,
secure by design really is a concept that's now been codified in the national cybersecurity strategy. The idea being that the burden of cybersecurity really has to rest with those
who are most able to bear it, which in many cases is actually not the individual enterprises
who are being victimized by cyber intrusions, but is actually the manufacturers of the products
that every enterprise is relying upon and that we know are exploited at scale by nation
states and by criminal groups.
And so our goal with Secure by Design is to work with the technology community and with partners across the world to really
define what are the attributes of a safe and secure technology product, and then really drive
change across the ecosystem so that technology companies make needed investments to ensure
that their products are fit for purpose wherever they're deployed. In April of this year, we
released our first
white paper on this topic with six other countries from around the world. We released it at the RSA
conference. And the goal of that was to really be a first chapter in this conversation to say,
here are the principles that we think underpin a secure by design culture, principles like
technology companies taking accountability for the security outcomes of their customers, technology companies showing radical transparency in their security programs and gaps therein. towards memory-safe coding languages or making sure that multi-factor authentication is turned on as a default feature,
not an additional expense that you have to enable and pay for yourself.
Over the past few months, we've been getting feedback from companies across sectors,
a lot of the country's largest tech companies, as well as startups and innovators in the space,
as well as other international partners.
And we're now really excited to be working on our next iteration of this work, which
is going to get a bit more specific to say, well, now that we understand generally what
are the characteristics of a safe and secure technology product, how can we actually show
it?
What are the artifacts?
How do we show our work to actually demonstrate that we're making progress towards
this goal? And we're excited to get a bit more specific and applied in making progress towards
this goal. Can you share with us any of the things that we might see as we're looking towards the
future here? Absolutely. I think the next thing that we're really going to see is some work by
CISA and our international partners. And I'll note that we have many more international partners who we expect to be signing on to our next products,
even than the first one. But we're going to be seeing some examples of expectations
that we should be setting of technology manufacturers who are deploying their
products across sectors. One example is, of course, we spent a lot of time in our first product talking
about the challenges of memory-unsafe coding languages. I'll just note for the listeners,
many might have seen a recent document from our partners at MITRE about the most common CWEs
that were released this year. Well, the majority of those are actually the result of memory safety vulnerabilities or
the use of memory unsafe coding languages. And we did some mapping. And what we were able to show
is not only are those the most common CWEs, but they also reflect back to the most known
exploited vulnerabilities that were identified by CISA as being widely exploited by adversaries.
So what does this mean in practice?
It means that not only do we know that the use of memory-unsafe coding languages like C and C++ leads to more vulnerabilities, but those are the vulnerabilities that adversaries
are exploiting to cause harm.
So what do we do about that, right?
That is a major challenge that takes real investment to address both for new products, for new code bases and legacy.
So what we're saying is, well, let's encourage tech manufacturers to at least have a roadmap to say we understand the risk.
We are going to publish CWEs for all of our vulnerabilities to be transparent about the extent to which our vulnerabilities are deriving from this problem,
and we have a roadmap to make progress that we're going to publish and hold ourselves accountable to.
At the end of the day, there is no silver bullet here.
It's really about driving accountability over the long term.
And what sort of feedback are you getting here?
I mean, it strikes me that, you know, CISA, one of the main abilities you have is influence.
You know, you don't necessarily have regulatory oversight or power, but you do have a voice here.
What's the feedback you're getting?
That's exactly right.
You know, one of the most exciting aspects of this work is we have spoken to security leaders and business leaders at major tech manufacturers. We have spoken to security leaders
and business leaders at major enterprises. And there is consensus across the board that we as
a country, we as a society, we as an economy need technology that is safe and secure by design and
default. The question is, what does that mean and how do we get there? And so the work we have to
do now is leveraging, for example, the great work that NIST has done in their secure software development framework, the SSDF,
be really clear about what are the most important steps that can be taken to develop a product that
is reasonably secure by design. And then even in the absence of any new regulation, in the absence
of any new shift in liability, let's drive consensus around enterprises who are purchasing these technologies, including
the federal government, about what do we expect. And there's consensus around that direction,
the steps to take. Now we just need to get specific about what it means in practice.
All right. Well, Eric Goldstein is Executive Assistant Director at CISA.
Eric, always a pleasure having you on.
Thanks so much, Dave. And I'll just note, if folks want to learn more, they can go to cisa.gov slash securebydesign.
suite of solutions designed to give you total control, stopping unauthorized applications,
securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And that's The CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday and my conversation with Dmitry Bestuzhev from BlackBerry.
We're discussing their work, RomCom Resurfaces, targeting politicians in Ukraine and U.S.-based healthcare providing aid to refugees from Ukraine.
That's Research Saturday. Check it out.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like the Cyber Wire
are part of the daily intelligence routine of many of the most influential leaders
and operators in the public and private sector,
as well as the critical security teams supporting the Fortune 500
making your team smarter. Learn more at n2k.com.
This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester with original music by Elliott Peltzman.
The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here next week.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.