CyberWire Daily - Ransomware and DDoS hit diverse sectors. The DDoS is a nuisance, the ransomware more serious.

Episode Date: November 13, 2023

Australian ports are recovering from a cyberattack. SysAid is hit by Cl0p user Lace Tempest. Ransomware targets China's largest bank. LockBit doxes Boeing as Boeing hangs tough on paying ransom. Docker Engine for DDoS. Rick Howard looks at the SEC's targeting of SolarWinds' CISO. And Anonymous Sudan claims attacks on ChatGPT and Cloudflare.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/216

Selected reading.
Freight giant DP World recovers from cyber attack, but warns investigation and remediation is 'ongoing' (ABC)
DP World port operations in Australia recovering after cyber-attack (The Loadstar)
Ransomware attack against China's largest bank. (CyberWire)
China's biggest lender ICBC hit by ransomware attack (Reuters)
Ransomware attack on ICBC disrupts trades in US Treasury market (Financial Times)
Hackers Hit Wall Street Arm of Chinese Banking Giant ICBC (Wall Street Journal)
LockBit finally publishes its proof-of-hack as Boeing hangs tough. (CyberWire)
SysAid On-Prem Software CVE-2023-47246 Vulnerability (SysAid)
Critical Vulnerability: SysAid CVE-2023-47246 (Huntress)
SysAid Zero-Day Vulnerability Exploited By Lace Tempest (Rapid7)
SysAid vulnerability exploited. (CyberWire)
OracleIV - A Dockerised DDoS Botnet (Cado Security)
Anonymous Sudan and OpenAI. (CyberWire)
Russia-Linked Hackers Claim Credit for OpenAI Outage This Week (Bloomberg)
Major ChatGPT Outage Caused by DDoS Attack (SecurityWeek)
Anonymous Sudan and Skynet claim Cloudflare DDoS takedown (Cyber Daily)
Cloudflare website downed by DDoS attack claimed by Anonymous Sudan (BleepingComputer)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Australian ports are recovering from a cyber attack. SysAid is hit by Cl0p user Lace Tempest. Ransomware targets China's largest bank. LockBit doxes Boeing as Boeing hangs tough on paying ransom.
Starting point is 00:02:14 Docker Engine for DDoS. Rick Howard looks at the SEC's targeting of SolarWinds' CISO. And Anonymous Sudan claims attacks on ChatGPT and Cloudflare. I'm Dave Bittner with your CyberWire Intel briefing for Monday, November 13th, 2023. Our first story is about a major attack on a national supply chain. Australia's National Cyber Security Coordinator announced Saturday that the government was investigating a cyber attack that disrupted several Australian ports. The coordinator tweeted, DP World Australia has advised it has restricted access to its Australian port operations in Sydney, Melbourne, Brisbane and Fremantle while it
Starting point is 00:03:25 investigates the incident. This interruption is likely to continue for a number of days and will impact the movement of goods into and out of the country. DP World Australia is working with its stakeholders to consider the impacts on its operations at specific ports. DP World began restoring operations at the affected ports Monday, according to the BBC, and cargo is again moving in Australia. The precise nature of the attack hasn't been revealed, but the unspecified cyber incident is, the coordinator said, a nationally significant cyber incident. DP World Australia's operational shutdown was preventative, according to The Guardian.
Starting point is 00:04:09 All that was publicly known as of late yesterday is that unauthorized activity had been detected in DP World Australia's systems. Bloomberg reports that DP World Australia has said that it has not received a ransom demand. The Conversation recounts informed speculation to the effect that the incident represents sabotage by a foreign state actor. This story is developing and we'll have more as the information becomes available. Microsoft's threat intelligence team has warned that Lace Tempest is now exploiting a recently disclosed path traversal vulnerability affecting on-premise SysAid servers. SysAid issued a patch for the flaw on November 8th. Lace Tempest is the Cl0p ransomware actor that was behind the widespread attacks against the MOVEit file transfer software earlier this year. SysAid says the threat actor exploited the vulnerability as a zero-day
Starting point is 00:05:08 by uploading a WAR archive containing a web shell and other payloads into the web root of the SysAid Tomcat web service. Rapid7 notes, post-exploitation behavior included deployment of MeshAgent remote administration tooling and GraceWire malware. Reuters reports that a ransomware attack hit the Industrial and Commercial Bank of China, ICBC, last week, disrupting trades in the U.S. Treasury market. The LockBit ransomware gang is believed to be behind the attack, although the gang itself hasn't claimed responsibility. A U.S. Treasury spokesperson told Reuters, we are aware of the cybersecurity issue and are in regular contact with key financial sector participants, in addition to federal
Starting point is 00:05:57 regulators. We continue to monitor the situation. ICBC said in a notice on its website that the bank is progressing its recovery efforts with the support of its professional team of information security experts. Reuters says the hack left the bank's U.S. broker-dealer, ICBC Financial Services, temporarily owing BNY Mellon $9 billion, an amount many times larger than its net capital. The brokerage received a cash injection from its Chinese parent to pay back BNY. Boeing sustained a ransomware attack by the LockBit gang with a November 2nd deadline to pay up or face the release of stolen data. Boeing reported that its parts and distribution units were affected.
Starting point is 00:06:46 The aerospace company told the Register they're currently investigating the situation in collaboration with law enforcement and regulatory bodies. Despite the breach, Boeing maintains that the incident has not compromised the safety of its aircraft or flight operations. Dark Reading reported late last week that this actually showed some uncharacteristic circumspection on the part of a ransomware operator. Such criminal gangs are usually quick to publish proof of hack. Reuters reports that LockBit escalated to doxing on November 10th, releasing files they claim were taken in the attack. Computing wrote this morning that the
Starting point is 00:07:26 leaked files appear to contain some financial data and that Boeing has refused to pay the ransom, effectively calling LockBit's bluff. Researchers at Cado Security describe OracleIV, a DDoS botnet agent that's targeting publicly exposed instances of the Docker Engine API. Attackers are exploiting this misconfiguration to deliver a malicious Docker container containing malware written in Python and compiled as an ELF executable. The researchers point out that the OracleIV issue highlights ongoing security risks where attackers exploit misconfigured Docker Engine APIs to gain initial access for various malicious activities. The nature of containerization allows these attacks to operate consistently across different system setups.
Starting point is 00:08:18 Although OracleIV is not a direct supply chain attack, it raises concerns about the presence of harmful container images in Docker's library, a problem that [...] hacktivist auxiliary seems to cover itself with a fig leaf of pro-Palestinian commitment. Bloomberg reports that Anonymous Sudan claimed responsibility for DDoS attacks that intermittently interrupted OpenAI's ChatGPT last week. Despite its name, Anonymous Sudan is a Russian hacktivist auxiliary. The group cited OpenAI's Israeli investments as justification for the operation, posing as a more or less Islamist group instead of the Kremlin front it is. Anonymous Sudan offered an explanation in its Telegram channel for its attack on OpenAI, stating that the group targeted OpenAI and ChatGPT because of OpenAI's collaborations with Israel and investments in the country, as well as meetings with Israeli officials,
Starting point is 00:09:32 as reported by Reuters. They also noted the use of AI in military and intelligence applications by Israel, asserting that it contributes to the oppression of Palestinians. They pointed out that as an American company, OpenAI is a target, and they claimed that ChatGPT shows a bias toward Israel in its responses, which they believe needs to be corrected. The group also claimed responsibility for DDoS attacks against Cloudflare. Cyber Daily quotes Anonymous Sudan's Telegram channel as stating, Cloudflare is strongly downed by Skynet, Godzilla Botnet, Anonymous Sudan. Skynet is a DDoS-for-hire operation.
Starting point is 00:10:15 Cloudflare quickly restored normal operations. The incidents are further evidence of how irresistible nuisance DDoS attacks are to hacktivists and those who pose as hacktivists. They're an irritating, low-hanging fruit for those who have little need for art and small interest in science. Coming up after the break, Rick Howard looks at the SEC's targeting of SolarWinds CISO. Stay with us. Do you know the status of your compliance controls right now? Like, right now.
Starting point is 00:11:16 We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows
Starting point is 00:11:42 like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal
Starting point is 00:12:31 devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And it is always my pleasure to welcome back to the show Rick Howard. He is the CyberWire's chief security officer and also our chief analyst. Rick, welcome back. Hey, Dave. So the news came by over the past week or so that the SEC was going after SolarWinds in an SEC filing,
Starting point is 00:13:20 specifically Tim Brown, who is their CISO. I know, Tim Brown. I am gobsmacked that this is going on, right? So go ahead. I'm sorry. No, no, no. Well, so why I want to talk to you specifically is, of course, you are our chief security officer here at the Cyber Wire and N2K.
Starting point is 00:13:39 Before that, you were chief security officer at Palo Alto Networks. What I like to tease you about is that that is a big job with a capital B and a capital J. So I think you have a good perspective on someone having the responsibility for security at a large organization like this. So I just want to check in with you on what your take is on this move by the SEC. Well, I think first to get your heads around this, because it's very complicated, right? And a completely new thing that the SEC is doing. But I think it might help to just kind of figure out how we got here. So you remember, you know, it was back in 2019, around that time frame that the Dark Halo attack campaign compromised the SolarWinds network and poisoned their SolarWinds Orion product.
Starting point is 00:14:28 And this is one of those supply chain cases that came out during those times. And there has been a number of them since. But this is kind of like the big one that put a spotlight on that particular attack vector. By the way, the first victims of that were U.S. think tanks, right? Which was, I didn't know that until I was looking up all the details here. And then FireEye goes public with, they've been hacked by that same product poisoning on December 8th, 2020, right? And then SolarWinds did a SEC filing a couple of weeks after that, right. So fast forward then to 26 July, 2023, the Securities and Exchange Commission,
Starting point is 00:15:10 they adopted new disclosure rules around material cyber incidents, meaning that there's all these special rules. Now you have to report immediately if you've determined that your company has been materially impacted by a cyber event. Right, if you're a public company. Yes, yes, if you're a public company.
Starting point is 00:15:27 And there's lots of debate about how they structured those rules and how hard this is going to be going forward. And we were all kind of just waiting to see what was going to manifest out of all that. And then in just the eve of Halloween, which is great for Tim Brown, I guess. But they charged Tim with this civil case. And so I like to string those events together, just kind of get a sense of all that.
Starting point is 00:15:58 So here are some facts that we should just consider while we go through all this. This is a civil case. It's not a criminal case, meaning nobody's going to go to jail, right? But there are court costs and follow-on job opportunities for Tim, okay? And we're not going to know the results of all that for months, maybe even years. So that's one big fact. The second big fact is the current CEO, Sudhakar Ramakrishna, he was not the CEO at the time of the incident.
Starting point is 00:16:27 That CEO was Kevin Thompson, but he left and then Sudhakar came in and took over. So Sudhakar is just kind of, he's kind of manhandling this whole incident after he took over from his predecessor. Right. And then Tim was not the CISO at the time of the incident. He didn't get the CISO title until after, right? He got promoted into that job. So apparently the leadership team thought he was doing a good job and gave him the title for it.
Starting point is 00:16:56 And by the way, he's not a director of SolarWinds, meaning that he's not on the board, meaning he's not, right? He doesn't have any fiduciary responsibility that board members typically have, and he was not an officer of the company, meaning that he wasn't appointed by the board, you know, and that's important because directors and officers are protected against bad business decisions they make. They aren't, right, you know.
Starting point is 00:17:20 Errors and omissions, right? Yes, that kind of thing, right? They're not personally liable for reasonable mistakes of judgment, okay, that they make in their day-to-day jobs, as long as they're not doing it in bad faith. But Tim is just a simple vice president employee. He doesn't have any of those director and officer protections, like, you know, D&O insurance, directors and officers insurance that would cover court costs and lawyer salaries and those kinds of things that Mr. Brown is going to have to, you know, shell out as this thing, you know, wanders through the courts and all that. And so the good news for him though, is I happen to know through reliable sources that SolarWinds is standing behind Tim Brown
Starting point is 00:18:00 and covering all those legal fees for him because they don't want him to get screwed over by this entire process. The SolarWinds CEO thinks this is kind of a mistake, right, what the SEC has done. I don't know. So those are the facts that I know. And what do you think about all that, Dave? Well, you know, I'm curious because to me this points out something you and I have talked about before,
Starting point is 00:18:20 which is this notion that CISOs are C-level in name only and don't have the, in this case, the power, but also the shielding that comes with being at that level. Is that an accurate assessment? That's exactly right. You know, we get the fancy title, but, you know, we don't get the office in the corner, you know. So, it's not one of those things, right? But up to this point, it really hasn't been that big of a deal, right? Because nothing bad has ever happened to us until now, all right, with, you know, the SEC reaching down and charging Mr. Brown with these kinds of things, right? So, here's my big hot take, Dave. I'm not a lawyer, and I confess that I haven't read in detail the entire over 100-page civil complaint. That's something I'll defer to you for a little nighttime reading.
Starting point is 00:19:15 But I don't understand how the SEC could reach into a company like SolarWinds, past the board, past the officers, like the two CEOs I was talking about before, two layers deep in the leadership hierarchy and charge somebody like Tim for repeatedly violating the anti-fraud disclosure and internal controls provisions of federal securities law. Okay. How is that his fault? Right? So I'm here to tell you that the CISO in no company ever has ever had the power to make disclosure decisions for the company. Okay. In the best case, the CISO has input to the decision made by the board and the officers. In the worst case, and I would say in most cases, the CISO is not even in the room when those decisions are made, right? So if the SEC wants to make an example of SolarWinds for the rules changes they made in July this year, by the way, and it's brand new. By the way, they don't go into effect until the end of this year. I think they completely missed the mark. I'm not saying I agree with their aggressiveness, but if you're going to set an example, wouldn't you go after the leaders of the company and not the doers? Okay. Yeah. Well, I don't understand this at all.
Starting point is 00:20:29 It's kind of like they're pulling a trigger on something that's not going to have any effect, right? I don't know. What do you, am I completely crazy about that? I don't think so. I mean, and I'm just speculating here with you that is this their way of sending a message to all the CISOs out there that we're going to be serious about enforcing these rules? To people who have no authority in disclosing those things, right? The rules say you have to disclose anything that's material, you know, it's happened to you in terms of materiality, right? The CISO doesn't make those calls for any company that I know. What do you think the implications are here? What happens next? Well, you know, there's a number of things, and these are, you know, I'm going to peer into my
Starting point is 00:21:14 crystal ball here and, you know, think of what might happen. The first one is, I think it just layers a chilling effect on the CISO position going forward. Why would you take this position if you're not protected by the company for these kinds of lawsuits? I mean, holy cow. Yeah. Who needs those headaches? Who needs that? Okay. CISO job's hard enough, right? Why would you do that? Right. So the second one is, and I believe this was going on anyway because of the new rules by the SEC, but if the CISOs aren't having discussions about materiality with their corporate lawyers, okay, about what it is for that particular company and how you convey it to the board and officers, they better get in there post-haste, right? Because that's going to have some implications down the line, maybe even financial to a lot of CISOs.
Starting point is 00:22:03 Yeah. And I will say, you know, in my career, those discussions hardly ever happened, right? But with the new SEC rules, I think they are probably having more and more. Some practical advice. So I got this from my buddy, Steve Winterfeld. He's one of our hash table members, comes on our shows all the time and helps us understand things. He says, you should probably have a pretty detailed discussion with your lawyers about privileged communication, right? Because how do you communicate, hey,
Starting point is 00:22:32 we found this new, you know, vulnerability in our system that may, you know, materially impact this later on. How do you communicate that without it being discoverable so that you go to, you know, have to pay huge fines later on down the road, right? So one of the ways that some companies are talking about that is figuring out how to make those conversations privileged so that it doesn't show up in some court document somewhere. I think that's really good advice. I don't know if it's possible, but I think it's a good thing to try to pursue. The next one is personal insurance for CISOs, okay, for these kinds of things. You know, if you don't have D&O insurance like the corporate officers have, maybe you go get it yourselves.
Starting point is 00:23:12 Maybe you negotiate that as part of your package of employment for the company you're taking that CISO job for, right? So, it is now another thing to consider as part of your compensation package. Certainly, at the very least, a question to ask. You should be asking that question, and you should really consider whether or not you want to go work for that company who doesn't want to protect the CISO. You know what I'm saying? Maybe you're the guy they're going to throw under the bus, right? So, yeah, something to think about.
Starting point is 00:23:37 I have one last one, okay, that may be a ray of, you know, sunshine in this really dark cloud, but this might mean that the CISO position might finally get elevated to an officer position. If they're going to have the responsibility for this kind of thing, you might as well give them the, you know, the title to it. So, and a lot of CISOs I know have been angling for that for a long time, thought we would be here by now, and the community is not. So maybe after all this, that position gets elevated to the next level. Why do you suppose that the position hasn't been elevated so far? You know, with all of the reliance on cybersecurity that organizations
Starting point is 00:24:17 have in order to function these days, what's holding CISOs back? My hot take on this is that we did this to ourselves, okay? In the early 90s, we as a group, and I include myself in that, we talked about cybersecurity as if it was so different that nobody can understand it. Only people like us, you know, with the great hallowed title of CISO would understand what's going on. You guys, you business people, stay over there and we'll handle everything. Well, we never learned how to talk to the business leaders in terms that they can understand. We never related cyber risk to business risk. We talk in terms of vulnerabilities and malware and, you know, those kinds of things.
Starting point is 00:25:04 But we never go to the company and say, you know, boss, because of our current situation, the business is at risk here. And the probability of material impact to this organization is a real number that we can calculate. And we're just now having that discussion in the InfoSec community. So I think we did it to ourselves, and I don't blame the business leaders for that. Do you think that most CISOs want to be elevated to that officer level? I think that before all this happened, yeah. Because, you know, I mean, but... But be careful what you ask for.
Starting point is 00:25:39 Yeah. Then we're going, oh, wait, I don't want that. Okay. But yeah, it's one of those. Okay. All right. Fair enough. Well, Rick Howard is the CyberWire's chief security officer, also our chief analyst here at N2K. Rick, thanks so much for joining us. Thank you. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. With TD Direct Investing, new and existing clients could get 1% cash back. Great, that's 1% closer to being part of the 1%. Maybe, but definitely 100% closer to getting 1% cash back with TD Direct Investing.
Starting point is 00:27:06 Conditions apply. Offer ends January 31st, 2025. Visit td.com slash dioffer to learn more. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
Starting point is 00:28:25 Thank you. Senior producer Jennifer Eiben. Our mixer is Trey Hester with original music by Elliot Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
