CyberWire Daily - PowerDrop’s capabilities are up in the air. A Russian cyberespionage campaign channels their inner 007. A disconnect between law firms and cybersecurity protections.
Episode Date: June 7, 2023
A new PowerShell remote access tool targets a US defense contractor. Current Russian cyber operations against Ukraine are honing in on espionage. CISA and its partners have released a Joint Guide to Securing Remote Access Software. A bug has been reported in Visual Studio's UI. Awais Rashid from University of Bristol discusses privacy in health apps. Our guest is Jim Lippie of SaaS Alerts with insights on software as a service application security. And are there disconnects between cybersecurity and the legal profession? For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/109
Selected reading.
PowerDrop: A New Insidious PowerShell Script for Command and Control Attacks Targets U.S. Aerospace Defense Industry (Adlumin)
UAC-0099: cyberespionage against state organizations and media representatives of Ukraine (CERT-UA#6710) (CERT-UA)
Guide to Securing Remote Access Software (Joint Guide)
Imposter Syndrome: UI Bug in Visual Studio Lets Attackers Impersonate Publishers (Varonis)
Press Release | ILTA and Conversant Group Release First Cybersecurity Benchmarking Survey of the Legal Industry (International Legal Technology Association)
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
A new PowerShell remote access tool targets a U.S. defense contractor.
Current Russian cyber operations against Ukraine are honing in on espionage.
CISA and its partners have released a joint guide to securing remote access software.
A bug has been reported in Visual Studio's UI.
Awais Rashid from University of Bristol discusses privacy in health apps.
Our guest is Jim Lippie of SaaS Alerts with insights on software
as a service application security.
And what are the disconnects
between cybersecurity
and the legal profession?
I'm Dave Bittner
with your CyberWire Intel briefing for Wednesday, June 7th, 2023. PowerDrop is a new malicious PowerShell script
discovered by researchers at Adlumin
to have infected machines at an unspecified U.S. aerospace defense contractor.
The malware uses a combination of Windows PowerShell script
and Windows Management Instrumentation to create a new remote access Trojan. The researchers
write that what separates this malware from others is the fact that it is novel. That is, other code
like this hasn't been witnessed before. The researchers say that it straddles the line
between a basic off-the-shelf threat and the advanced tactics used by advanced persistent threat groups.
Though attribution remains inconclusive, Adlumin assesses that based on the target and living off
the land tactics, it's likely that the threat actors are operating on behalf of a nation-state.
Currently, it's unknown whether this incident is part of a larger campaign
targeting multiple organizations. CERT-UA warned
Monday of a Russian cyber campaign that prospects government and media targets for the purpose of
data collection. It uses LONEPAGE malware, a PowerShell script, to stage information stealers
and keyloggers in its targets. The campaign, which has been active in the second half of last year,
is consistent with recent Russian cyber operations
in that its goal is espionage as opposed to either influence or sabotage.
CISA, the FBI, the MS-ISAC, and the Israel National Cyber Directorate
have released a joint guide to securing remote access software.
The guide centers around detecting and preventing the use of legitimate remote access software and
common exploits that could be used against an organization. One of the particular concerns
about this software is that it is used in normal IT tasks. This allows the remote access tools to
be exploited by threat actors who typically remain
undetected by antivirus tools or by endpoint detection and response defenses. Abusing remote
access software doesn't require a threat actor to create a new capability. CISA explains in the
guide that remote access software solves the issue of creating and utilizing custom malware for malicious actors, and that the way remote access products are legitimately used by network
administrators is similar to how malicious RATs are used by threat actors. The guide recommends,
among other things, that organizations create a baseline of their normal activity and begin
monitoring for unusual spikes indicative of a
compromise. For prevention and mitigation of this threat, the guide strongly encourages
organizations to implement zero-trust solutions whenever and wherever possible. Adding safeguards
that prevent users from accessing a large number of machines in a short amount of time can also mitigate risk.
Researchers at Varonis discovered a UI bug within Microsoft Visual Studio's extension installer that allows a hacker to spoof an extension signature and effectively impersonate any
publisher. The flaw can be exploited by opening the VSIX file as a zip file and adding new characters to the
extension name, which will prevent a digital signature warning from popping up in the
installation prompt. The threat actor can then add a phony digital signature label at the beginning
of the file name. Microsoft fixed this flaw in April, and users are advised to ensure Visual Studio is up to date. And finally, the International
Legal Technology Association, in partnership with the Conversant Group, has released a joint
research report detailing the disconnects between cybersecurity and legal personnel and practices.
The survey benchmarks the cyber practices of law firms worldwide.
Law firms are said to be an ideal target for malicious actors between the storage of extremely sensitive business,
civil, criminal, and personal data of clients
and the potential financial payoff for the hackers.
Due to the sensitive nature of the data that can be lifted,
law firms are said to be significantly more inclined
to give in to the
demands of a threat actor. As of the end of 2021, the report shares that almost a third of law firms
saw a breach, and 36% reported the past presence of malware. A surprisingly low number of law firms,
just over 15%, saw gaps in their cybersecurity protections, despite being a common target.
The research shows a significantly more elevated number than that. About three-quarters of those
surveyed also believe they had a leg up on others in their industry in terms of cyber protections,
though the researchers have found this to be unlikely. 65% of respondents also note the
presence of lateral movement
defenses, though the researchers have found the presence of only two offerings in the market that
include those capabilities, meaning that the understanding by the firms of what true lateral
movement defenses are may be murky at best. So, counselors, there may be some overconfidence here.
Beef up your cyber protections or you may find yourself embroiled in legal battles on your own time. Coming up after the break, Awais Rashid from University of Bristol discusses privacy in health apps.
Our guest is Jim Lippie of SaaS Alerts with insights on software as a service application security.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this. More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and helps you get security
questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta
when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7,
365 with Black Cloak. Learn more at blackcloak.io.
Jim Lippie is CEO of cybersecurity firm SaaS Alerts, which recently released the firm's annual cybersecurity report.
The research specifically looks at attack attempts on small businesses throughout the year.
using MFA, multi-factor authentication, which is consistent with what CISA cites in terms of what is going on in the enterprise. They say it's 30%. So that is a very low number, both of those,
30% and 32% respectively, based on how important we know MFA is in terms of mitigating risk.
So that was one finding that we found pretty interesting. Another was, you know, last year, the number one attacker, if you will,
in terms of countries that were coming after small, medium-sized businesses around the world was Russia.
You know, that was in the 2022 report. What we found in 2023, or the findings from this past
year based on the Ukrainian conflict, is that those attacks from Russia came way down. And now the number one from this past year,
the number one threat actor country, if you will, is China. They're trying to get into small and
medium-sized businesses the most. And I want to be very clear about the fact that this isn't necessarily nation-state type attacks, right?
But these are where the attacks on small and medium-sized businesses are emanating.
And what are we talking about in terms of volume here that you all are tracking?
Yeah, so we see approximately 50,000 brute force attacks every single day on about 7,500 small businesses that we monitor.
Do you have a sense for what the success rate is?
It's consistent with what we see in terms of overall averages, but it's about 1%.
It's still a big number.
It's a big number when you consider the volume.
Yeah. I know another thing that you all track in the report here is phishing attacks. What are you
all seeing there? They're definitely on the rise. Phishing attacks, social engineering,
there's so much information out there right now on the net that it's really easy at this point for threat actors to gain information
that's publicly available and then use that information in phishing campaigns and social
engineering campaigns to trick unsuspecting end users into sharing information they should not
be sharing. And then obviously leveraging that to gain access to credentials
and then down the line into the environments,
and then they move laterally from there.
We've seen significant uptick in successful attacks recently,
even in the last few months since we released the report
from last year's findings. Well, based on the information that you all have gathered here,
what are your recommendations then for organizations to best protect themselves?
Number one, everyone should be using MFA. Number two, you should be monitoring all of these SaaS applications on an ongoing basis for unusual behavior.
Dave, we're in a needle in a haystack game here.
98% of all the security events that these applications throw off every single day are completely harmless.
It's the 2% that we need to worry about, and they can be difficult to find.
For instance, one of our partners in the Midwest recently uncovered a Chinese spy ring. It was
internal to a company. They never would have known that this was going on if they were not monitoring the user behavior associated with Office 365.
This employee was sharing very sensitive information out of OneDrive and SharePoint, sent to two
specific IP addresses in China.
Once it was downloaded on the other side, it was deleted to essentially destroy the
evidence.
What they didn't realize was that our software actually captures that activity.
And that case has been handed over to the authorities.
But that is something that if you're not monitoring for, if you're not looking for it, you're never going to know it. So being more vigilant and monitoring that level
of activity is really, really important on an ongoing basis. Making sure that these applications
are configured to best practice initially, and then again, monitoring those changes on a go-forward
basis, really, really important. And then just overall, just being more vigilant in general.
You know, there's a lot of best practices that people generally don't follow.
You know, instead of a password, have a passphrase.
You know, use password managers.
There's a number of best practices from a general perspective people should be following to mitigate their risk.
That's Jim Lippie from SaaS Alerts. And I'm pleased to be joined once again by Professor Awais Rashid.
He is Director of the National Research Center on Privacy, Harm Reduction, and Adversarial Influence Online at University of Bristol.
Dr. Rashid, always a pleasure to welcome you back to the show.
I think like a lot of folks, I have taken full advantage
of the various apps on my mobile device.
And you wanted to address today
some of those health apps
and some of the privacy concerns
that you and your colleagues have been looking into.
What can you share with us today?
So the app market has, of course,
exploded for a while now,
but even more so,
especially, I would expect, in some part,
due to the pandemic, for sure, personal health is very much on everyone's mind, be it from,
you know, apps that allow you to track your exercise or, you know, physical activity,
to also apps that provide support for mental health and well-being.
But that naturally begs the question as to what information these apps collect,
what are their data privacy practices, and are the permissions that are being collected,
are they suitable for the task at hand?
So there are a number of pieces of work that we've been doing. For example, we did an analysis of 27 top-ranked mental health apps from the Google Play Store,
and we noted, which has been a finding elsewhere in the field as well,
that often unnecessary permissions are requested,
which are not necessarily required for the app to provide its functionality.
We also found other issues, for example, in secure cryptographic implementations.
We also found that, for example, personal data and credentials were actually being leaked
through logs and web requests.
And the latter is not necessarily an adversarial thing.
It's just really implementation practices in itself.
And in other cases, for example, we've also looked at developers, for example, asking
for permissions, especially linked to, for example, fitness-related applications.
And again, there are interesting issues there because often certain permissions are very
complicated and developers don't fully understand them.
So they would request these permissions when they are not necessarily required for the task at hand.
So this creates an interesting problem in itself that we are increasingly reliant on these apps.
We utilize them a lot, but there are significant privacy considerations
around the data that has been collected.
We've seen some reports lately,
really sobering reports of some of these apps.
I've seen some trying to help people with things like addiction,
but then sharing private information about the users for advertising.
It seems to me like there's a real betrayal of trust here.
How do we come at that?
How do we bridge that gap?
So that's really exactly where the problem lies, right?
Because it's who are the third parties
with whom the data is being shared?
Who are the advertisers potentially
with whom the data is shared?
And there are multiple issues here.
I think one is as to what the user is actually signing up to
in the first instance.
And we all know the problems with very, very complicated privacy policies,
which are often presented in legal jargon and so on.
But increasingly, for example, on both the Apple iOS and on Android,
you have permissions, dynamic permissions,
where the app, as you install it or as you utilize it,
asks you to grant particular permissions or deny those particular permissions.
However, a lot of the times users are not really very, very clear
as to whether these permissions are necessarily needed.
And then if the data is being collected, what is it being used for?
Transparency is very, very important.
How do we provide it is much harder.
Transparency can be provided, or we can claim that we provide transparency through very
complicated privacy policies, and we will agree that's not necessarily a good way of
doing it.
We can also say, well, we provide transparency through the permissions, asking for permissions
as they are needed, which is great. However, if as a user, I don't really understand what that
permission is asking me to do, it may or may not be needed. And what are the ramifications for that?
And I think there is a sort of a bigger challenge here as to how do we actually communicate to users?
What is it that the app is asking for?
And what are the implications?
And that is non-trivial.
Do you suppose that perhaps it's time to increase the regulatory burden on some of these companies?
I mean, to say to them, listen, we gave you a shot at self-regulating yourselves, and that hasn't exactly gone very well.
So we're going to put some rules in place here.
Yeah, so this is a live debate.
This is a live debate in the UK.
So for instance, there is the online harms bill
that is going through Parliament at the moment
that is talking about the responsibility
that sits on large service providers, for example, as to what happens on their platforms and through the apps that they are also providing.
There is also other calls for, for example, voluntary codes of practice around making things clear.
Regulation does have a place.
But the challenge with regulation always tends to be
is that it responds to what's the here and now. And things in the technology sector suddenly move
very, very fast. And I think it's a question of how do we actually provide a regulatory
environment which actually responds to those kind of changing technological landscapes.
And that in itself is, again, a real challenge.
But the biggest thing is evidence and making policy on the basis of evidence in itself.
And that is something certainly that we do within the Research Center, of which I'm
the director, that we aim to provide evidence on the basis of which, for example, some of the debates that are around the online harms bill in the UK are being shaped.
But I would also emphasize the role here isn't for just one party.
Regulators have a role to play.
Organizations who are building these apps, they have a role to play.
Developers who are, you know, actually doing the work on the ground. They have a role to play.
Platform providers have a role to play.
For example, Google, Apple, those kind of organizations.
And of course, we cannot say that users have no role to play
because as a user, I want to be able to decide
what information I give.
But at the moment, that balance isn't there
in the sense that a lot of the times users feel
that they either have to give all the permissions
or they don't really know and they're unsure
and they give all the permissions
or they often have this feeling of helplessness.
They go, oh, I have to because I want to use the service,
for example, or use the app.
And that balance isn't right.
So we have to make sure that all these different stakeholders
come together and do something about it.
All right.
Well, interesting work you all are doing there on this.
Dr. Awais Rashid, thanks so much for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. Thank you. designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure
we're delivering the information and insights
that help keep you a step ahead
in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like The Cyber Wire
are part of the daily intelligence routine
of many of the most influential leaders and operators
in the public and private sector,
as well as the critical security teams
supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. Thank you. Learn more at n2k.com. This episode was produced by Liz Ervin and senior producer Jennifer Iben.
Our mixer is Trey Hester with original music by Elliot Peltzman.
The show was written by Rachel Gelfand.
Our executive editor is Peter Kilby and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at
ai.domo.com. That's ai.domo.com.