CyberWire Daily - Ransomware in Colombia. An accidental data exposure. Cyberespionage hits unpatched systems. An attack on IT systems disrupts industrial production. Bots and bad actors.
Episode Date: September 19, 2023

Colombia continues its recovery from last week's cyberattacks. AI training data is accidentally published to GitHub. The cyberespionage techniques of Earth Lusca. Clorox blames product shortages on a ...cyber attack. Cybersecurity incidents in industrial environments. Where the wild bots are. Joe Carrigan looks at top level domain name exploitation. Our guest is Kristen Bell from GuidePoint Security with a look at vulnerability vs. exploitability. And there's talk of potential Russia-DPRK cooperation in cyberspace.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/179

Selected reading.
More than 50 Colombian state, private entities hit by cyberattack -Petro (Reuters)
Colombia Mulls Legal Action Against US Firm Targeted In Cyber Attack (Barron's)
Microsoft mitigated exposure of internal information in a storage account due to overly-permissive SAS token (Microsoft Security Response Center)
Microsoft AI Researchers Expose 38TB of Data, Including Keys, Passwords and Internal Messages (SecurityWeek)
Earth Lusca Employs New Linux Backdoor, Uses Cobalt Strike for Lateral Movement (Trend Micro)
Chinese hackers have unleashed a never-before-seen Linux backdoor (Ars Technica)
The Clorox Company FORM 8-K (US Securities and Exchange Commission)
Clorox Warns of Product Shortages Following Cyberattack (Wall Street Journal)
Clorox warns of product shortages, profit hit from August cyberattack (The Street)
Can't find the right Clorox product? A recent cyberattack is causing some shortages (USA Today)
Clorox warns of product shortages after cyberattack (Fox Business)
As flu season looms, hackers force a shortage of Clorox products (Fortune)
New Research Finds Cyberattacks Against Critical Infrastructure on the Rise, State-affiliated Groups Responsible for Nearly 60% (Business Wire)
Death By a Billion Bots (Netacea)
Russian and North Korea artillery deal paves the way for dangerous cyberwar alliance (EconoTimes)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Colombia continues its recovery from last week's cyber attacks.
AI training data is accidentally published to GitHub.
The cyber espionage techniques of Earth Lusca.
Clorox blames product shortages on a cyber attack.
Cybersecurity incidents in industrial environments.
Where the wild bots are.
Joe Carrigan looks at top-level domain name exploitation.
Our guest is Kristen Bell from GuidePoint Security
with a look at vulnerability versus exploitability.
And there's talk of potential Russia-DPRK cooperation in cyberspace.
I'm Dave Bittner with your CyberWire Intel briefing for Tuesday, September 19th, 2023.
Reuters reports that Colombia's President Gustavo Petro, in New York for this week's UN general debate,
said that more than 50 government agencies and private companies were affected by a ransomware attack on a widely used internet service provider.
President Petro didn't name the ISP, widely known to be IFX Networks,
but he did comment that the attack's widespread impact showed the company didn't have the right cybersecurity measures in place,
and he suggested that this placed it in breach of its contracts.
AFP reports that Colombia was considering civil lawsuits
and possibly criminal prosecution of IFX Networks
over what Information and Telecommunications
Minister Mauricio Lizcano characterized as failures in security protocols.
Researchers at Wiz yesterday reported having found that Microsoft's AI research team
accidentally exposed 38 terabytes of private data, including secrets, private keys,
passwords, and over 30,000 internal Microsoft Teams messages.
The exposure occurred when a Microsoft employee published a bucket of open-source training
data to a public GitHub repository.
Users could download the training data via an Azure storage URL.
However, this URL granted permissions to the entire storage account,
which included two Microsoft employees' personal computer backups.
Microsoft has fixed the issue and offered a reassuring statement.
No customer data was exposed and no other internal services were put at risk because of this issue.
No customer action is required in response to this issue.
So training data isn't risk-free.
It too can be stolen and abused.
We note in full disclosure that Microsoft is a CyberWire partner.
Trend Micro says the China-aligned threat actor Earth Lusca is using a new Linux backdoor based on the open-source Windows malware Trochilus.
The researchers are calling the Linux variant SprySOCKS.
The researchers note, the backdoor contains a marker that refers to the backdoor's version number. We have identified two SprySOCKS payloads that contain two different version numbers,
indicating that the backdoor is still under development.
In addition, we noticed that the implementation
of the interactive shell is likely inspired
from the Linux variant of the Derusbi malware.
Earth Lusca has been targeting public-facing servers
belonging to government departments that are involved in foreign affairs, technology, and telecommunications.
The threat actor is primarily interested in countries in Southeast Asia, Central Asia, and the Balkans.
This backdoor is installed by exploiting known vulnerabilities against unpatched systems.
So, there are two lessons observers are drawing.
First, patch. Please patch. And second, Linux needs some love too. It's not all Windows out there.
Cleaning product manufacturer Clorox disclosed in an SEC filing that the cyber attack it sustained
on August 14th has led to ongoing consumer product
availability issues. The company is currently in the process of repairing the affected infrastructure
and reintegrating offline systems. It anticipates starting the transition back to normal automated
order processing around the week of September 25th. While most manufacturing sites have resumed production, the full production
ramp-up will take some time, and the company cannot provide an estimate for when it will
fully normalize operations. Additionally, Clorox acknowledges that the financial and business
impact of the attack is significant, particularly in terms of order processing delays and product
shortages, which will likely have a material impact on its first quarter financial results.
Rockwell Automation has released a report looking at cyber attacks against critical infrastructure,
finding that state-sponsored threat actors are responsible for nearly 60% of these attacks.
Around 33% of these incidents are unintentionally enabled by internal personnel.
The report found that threat actors are most intensely focused on the energy sector,
over three times more than the next most frequently attacked verticals,
critical manufacturing and transportation. Mark Cristiano, Commercial Director of Global
Cybersecurity Services at Rockwell Automation,
explained the implications of the findings.
He said,
Energy, critical manufacturing, water treatment, and nuclear facilities
are among the types of critical infrastructure industries under attack
in the majority of reported incidents.
In particular, these sectors can expect to face an increasingly stringent regulatory
environment. It's already tightening up with respect to disclosure. Cristiano added,
anticipating that stricter regulations and standards for reporting cybersecurity attacks
will become commonplace, the market can expect to gain invaluable insights regarding the nature
and severity of attacks and the defenses necessary to prevent them in the future.
Netacea has published a report looking at bot-fueled attacks against businesses in the U.S. and U.K.,
finding that 72% of respondents suffered attacks originating in China and 66% from Russia.
53% of all bot attacks come from these two countries.
The researchers note that bot attacks from Russia have increased by 82% over the past two years.
The report adds, Vietnam is an outlier as third highest country of origin, with 48% seeing attacks
from here, despite the country accounting for just 2% of the population of Asia.
Russia's immediate interest in cultivating its relationship with North Korea
is the prospect of Pyongyang supplying Russia's army with artillery ammunition,
as expenditures have far exceeded Russian production capability.
There are, however, other potential areas of cooperation, notably in cyberspace.
An essay in EconoTimes argues,
both North Korea and Russia are highly capable cyberwar and cyberintelligence nations.
They can disrupt or break key infrastructure and steal sensitive government information.
North Korea's Lazarus group of hackers has been identified through careful process tracing
to be responsible for thefts of cryptocurrency totaling tens of millions of dollars.
This sort of cooperation wouldn't necessarily require much coordination.
Most of North Korea's offensive cyber operations are already directed against countries whose relations with Russia are at least cool, if not downright adversarial.
So sure, Russia wants that 122mm cannon ammunition, even if it is a few decades old, but it might also welcome the Lazarus Group's services as an auxiliary.
So keep an eye out for what Russian television is proudly,
if oddly and a little uneasily,
calling the Moscow-Pyongyang axis.
No, they're really saying axis.
Like, it's a good thing.
Go figure.
Coming up after the break, Joe Carrigan looks at top-level domain name exploitation.
Our guest is Kristen Bell from GuidePoint Security with a look at vulnerability versus exploitability.
Stay with us.
Let's take a moment and think about vulnerability versus exploitability. They are not the same things, and the nuance between them should inform an organization's approach to risk assessment.
Kristen Bell is Director of Application Security at GuidePoint Security, and she shares her expertise on the difference between the two.
So I think in general, the consensus kind of is that vulnerabilities in and of themselves may not
be executable, but they could be. So vulnerabilities are all things that could contribute to an attack,
whereas exploitabilities are a subset of that, right? So exploitabilities, to me, are something where you can take that vulnerability and directly execute an attack on either a user or system or whatnot.
Whereas vulnerabilities that fall outside of that category really give maybe a component of attack or may give the attacker more information to craft an attack.
So in terms of folks coming at this and defending themselves, is this a matter of
kind of taking stock at what they have and then deciding which is which?
In some cases. So I had a client, a very large, you know, kind of name-brand
company that decided to really make that differentiation more so than I've
ever seen in any other environment. And they really put all the prioritization on remediation
of anything that was exploitable and everything else that they felt wasn't kind of sat in a
holding tank. The problem with that is that if you ask
people very specifically around specific vulnerabilities, which ones are exploitable or
not, you may get some banter back and forth and some debate, right? So there are different schools
of thought about what makes something exploitable versus what doesn't. And that's why I say that
very high-level definition is pretty generic. So it's a slippery slope to kind of go down that path. I really prefer that
people look more at risk, right? What kind of risk does this particular vulnerability pose to the
application? If it's obviously exploitable, so like SQL injection or cross-site scripting, right?
Then yeah, absolutely, that's
going to impact the severity level of that vulnerability. Those exploitable vulnerabilities
are going to have a higher severity rating than the less exploitable kinds of vulnerabilities.
What about the vulnerabilities? I mean, is it fair to say that over time,
things can change their status? You know, something that's just a vulnerability, over time, as processes change
within an organization, may become exploitable. That's what we have always said as an
industry, right? That as people got smarter, you know, when I first started in AppSec so many years
ago, people were still finding the very simplistic
SQL injection attacks and vulnerabilities within applications. And now we don't see that as much,
right? Those SQL injection attacks that are exploitable, they take much more education
on the behalf of the attacker. So we also, back in the day when there were a lot of low
hanging fruit like that, we kind of talked about the exploitability factor being different,
and that also impacted the severity level. So if you had to have a very skilled attacker,
so say like cross-site request forgery, then the severity level might, and the risk level
might be a little bit lower just based on the fact that you have to have a very experienced targeted attack with a very experienced attacker versus a script kiddie who can find OR 1=1 in an application in a login form.
Over time, as people have sort of taken AppSec a little bit more seriously and shored up some of that,
those sort of easier attacks, the exploitability factor is impacted by how skilled does somebody
have to be to form that attack? And will attackers get better? We've seen that they have, right?
They have been able to increase what they're doing. We're seeing it through
open source vulnerabilities now like log4j. We're seeing them find different kinds of attack
vectors that maybe we weren't paying as much attention to before. So yes, I think that we
need to always be evaluating and re-evaluating what's out there as far as the attack surface
and the vulnerabilities that we're finding to see how the impact changes
over time. What are your recommendations for folks setting the amount of risk they assign
to various vulnerabilities and exploitabilities? How should they come out that and set their
priorities? So I think, like I said, it's twofold. They should have vulnerability severity levels that are mapped to their
organizational risk profile in general, right? So some people, say in retail, may bump up certain
kinds of vulnerabilities from highs to criticals. Most consulting companies I've seen don't risk
things or call out criticals. They call out highs because critical can be so objective from
organization to organization. So we tend to not get into those kinds of debates, but we encourage
clients to level up to critical on things that for their risk organization, they want to see
addressed first and foremost based on their business vertical or whatever might be the case
if they're a healthcare organization or
have PCI requirements and those sorts of things. But you take that. So once they've established
and sort of gone through the vulnerabilities, made sure that the severity levels are appropriate for
their organization, then they also need to look at the risk profiles of their application portfolio so that they can say, okay, now if we have a high-risk application, a high or critical in those cases needs an SLA that's a shorter time period than, say, a medium-risk or a low-risk application.
So a low-risk application may have a 30-day window to fix a high or critical, whereas a high-risk
application may have three to five days. And that really does help with not burdening developers
and giving them sort of guidance on where they should spend their time and how they should
fix their issues. That's Kristen Bell from GuidePoint Security.
And joining me once again is Joe Carrigan.
He is from the Johns Hopkins University Information Security Institute and also my co-host
over on the Hacking Humans podcast. Hey, Joe.
Hi, Dave.
So, when I think of domain names for
the top-level domains for organizations in the United States, I generally think of .com as being
the default.
That's right.
And I think I'm right in thinking that overall.
I think so, too.
So there's an interesting article that came by from Brian Krebs over at Krebs on Security
about the .us top-level domain being used in a lot of phishing scams.
So what's going on here, Joe?
Every country or most countries, I don't know of a country that doesn't have this,
but they all get a two-letter top-level domain,
a country code TLD,
CCTLD.
Yeah.
Is what that's called.
And then it's up to the country
how they want to manage it.
So, for example, TV,
I can't remember
what actual country it is.
I know it's a small series
of islands in the Pacific.
But what they've decided to do
is they're just going to sell all their domains.
Right.
So you can buy a .tv domain for like 45 bucks.
Yeah.
And they get a portion of that.
And I imagine that goes right to the government as a stream of revenue.
Sure.
There's also .uk, where the UK has decided, no, we're not going to use .com.
We're going to use .co.uk.
So every website in the UK
has to be registered under one of our domains.
Yeah.
Well, the US has something similar. We have
the .us domain. That's our, here in America, that's our ccTLD.
Right.
And there is something
called the US Nexus requirement, which is a requirement that theoretically limits registrations to parties with some kind of stake in the United States.
Okay.
Now, I looked at these regulations, Dave.
They're all five pages long.
Okay.
And there are three classes of registrants.
One is an individual who is either a citizen or a permanent resident of the
United States. Another is a company that's in the United States. And the third is a foreign company
that has a legitimate business within the United States.
Okay.
Well, it would seem that these
requirements are not being properly enforced because according to this article, between May 1st of 2022 and April
30th of this year, the Interisle Consulting Group found 30,000 phishing domains registered with .us.
Huh.
30,000.
Okay.
That means somebody is not applying these Nexus requirements. Now, the Krebs article points out
that this is managed by GoDaddy,
but if you go to about.us
and you do a domain name search
and you want to buy a domain,
there's a bunch of different services under there
that you can buy a domain through.
It's not just GoDaddy.
GoDaddy is the first one.
I don't know if GoDaddy has some principle,
you know, first among equals kind of thing,
you know, going on there or if they're in
charge of things or whatever. But it's clear that somebody is not enforcing these nexus requirements.
Is it a kind of a self-attestation kind of thing?
Yeah. If you're a citizen, that's essentially what
it is. You just have to say that you're a citizen or a permanent resident. There's nothing in there
in the requirements that describes
what that attestation must look like.
I could probably scrawl on a piece of paper,
take a picture of it and email it in.
I'm reminded of Benchwarmers where the guy says,
can I see your birth certificate?
And he shows him a picture and says, I'm 12.
Right, right, right.
But it's that kind of thing.
It's pretty easy to get one of these domains
and people are abusing it.
Yeah.
And the.us gives people a false sense of security.
Right.
There is a guy by the name of Dean Marks, who is the emeritus executive director of the Coalition for Online Accountability.
Their organization has been critical.
And they note that a lot of other people in the EU don't have this problem.
In places like Hungary and New Zealand and Finland, proof of identity or evidence of incorporation
is required. So you probably have to give them some kind of photo ID to register one of these
names. Even doing something as simple as that would probably cut down on the number of bad
actors registering .us domains. Now you have to do an extra step. Now I have to, you know, come up with some fake documents.
Probably easy to find,
but it's more work.
Right.
And these guys are,
they're like me.
They're all lazy.
Right?
So,
they're going to do
the least amount of work possible.
They're just going to go out
and try to get some kind of
lookalike domain
or something else.
Yeah.
Real quick before I let you go.
Yes.
We've seen some hurricanes
making landfall here in the U.S.
and with that always comes scammers not that far behind.
That's right. I've said this before. I think on Hacking Humans, but I envision the scammers
sitting in their little scam offices, running their scam businesses. And on the wall, there's
the big calendar of scams. And right now we're in hurricane season. So that's one of the things
that you're going to be sending out emails about. CISA has a warning about hurricane-related scams on their
webpage, and they recommend you check out the Federal Trade Commission's Stay Alert to Disaster
Related Scams page, and Before Giving to a Charity, which I think tells you how to go through
and vet a charity.
Right, right. Which is always a good idea, regardless of why you're giving money.
Yeah, good thing to share with your loved ones, right?
Yep.
All right.
Well, Joe Carrigan, thanks so much for joining us.
It's my pleasure, Dave.
Thank you.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights
that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like The Cyber Wire
are part of the daily intelligence routine of many of the most influential leaders
and operators in the public and private sector,
as well as the critical security teams supporting the Fortune 500
and many of the world's preeminent intelligence and law enforcement agencies.
Our mixer is Tré Hester with original music by Elliott Peltzman. The show was written by our editorial staff.
Our executive editor is Peter Kilpe and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.