CyberWire Daily - Reddit sees bad luck as a BlackCat attack crosses their path. The C2C market is more mystical nowadays. Hacktivist auxiliaries and false flags in the hybrid war.
Episode Date: June 20, 2023

The BlackCat gang crosses Reddit's path, threatening to leak stolen data. Mystic Stealer malware evades and creates a feedback loop in the C2C market. RDStealer is a new cyberespionage tool, seen in... the wild. The United States offers a reward for information on the Cl0p ransomware gang. KillNet, REvil, and Anonymous Sudan form a "DARKNET Parliament" and "sanction" the European banking system. The British Government commits £25 million in cybersecurity aid to Ukraine. Ben Yelin explains cyber disclosure rules proposed by the SEC. Rick Howard speaks with Nancy Wang of AWS about the importance of backups and restores. And what researchers are turning up in cloud honeypots.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/117

Selected reading.

Reddit: Hackers demand $4.5 million and API policy changes (Computing)
Mystic Stealer – Evolving "stealth" Malware (Cyfirma)
Mystic Stealer: The New Kid on the Block (Zscaler)
Unpacking RDStealer: An Exfiltration Malware Targeting RDP Workloads (Bitdefender)
MOVEit Transfer and MOVEit Cloud Vulnerability (Progress Software)
CVE-2023-35708 Detail (NIST)
U.S. Energy Dept gets two ransom notices as MOVEit hack claims more victims (Reuters)
US govt offers $10 million bounty for info on Clop ransomware (BleepingComputer)
Ransomware Group Starts Naming Victims of MOVEit Zero-Day Attacks (SecurityWeek)
A bear in wolf's clothing: Insights into the infrastructure used by Anonymous Sudan to attack Australian organisations (CyberCX)
Anonymous Sudan: Religious Hacktivists or Russian Front Group? (Trustwave)
UK to give Ukraine major boost to mount counteroffensive (UK Government)
2023 Honeypotting in the Cloud Report: Attackers Discover and Weaponize Exposed Cloud Assets and Secrets in Minutes (Orca Security)

Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The BlackCat gang crosses Reddit's path, threatening to leak stolen data. Mystic Stealer malware evades and creates a feedback loop in the C2C market. RDStealer is a new cyber espionage tool seen in the wild. The United States offers a reward for information on the Cl0p ransomware gang. KillNet, REvil, and Anonymous Sudan form a darknet parliament and sanction the European banking system. The British government commits 25 million pounds in cybersecurity aid to Ukraine. Ben Yelin explains cyber disclosure rules proposed by the SEC. Rick Howard speaks with Nancy Wang from AWS about the importance of backups and restores. And what researchers are turning up in cloud honeypots.

I'm Dave Bittner with your CyberWire Intel briefing for Tuesday, June 20th, 2023.

The ALPHV ransomware gang, also known as BlackCat, is threatening to release 80 gigabytes of stolen data unless Reddit repeals its unpopular API rate hikes and pays the attackers $4.5 million. Computing reports that the data was taken in February and that ALPHV gained access to the sensitive information by successfully phishing for employee credentials.
A new infostealer has added some mysticism to the C2C market. Mystic Stealer is a new infostealer gaining traction in the cyber threat landscape. As researchers at Cyfirma explain, the infostealer saw recommendations from forum veterans who got to test it and provide feedback, which the threat actors incorporated into the stealer. Mystic Stealer's unknown developers assist with the installation process on the customer's Linux server, then hand over complete control of the command and control panel. One of the more dangerous aspects of Mystic Stealer is the community feedback from customers. This allows the developers to make the tool more efficient and effective. Researchers at Zscaler report that the stealer is capable of lifting browsing history and auto-fill data, bookmarks, cookies, and stored credentials from nearly 40 different web browsers, alongside credentials and data stolen from crypto wallets.

Bitdefender this morning shared their discovery of a new custom malware strain known as RDStealer, which uses DLL sideloading for the purpose of cyber espionage. The researchers say that sideloading, or the practice of downloading an application or program via unofficial software distribution channels, allows the threat actor to monitor incoming Remote Desktop Protocol connections with client drive mapping enabled. The Logutil backdoor then infects the victim's device and lifts sensitive data. Both RDStealer and Logutil are written in the Go programming language, which has the capability of infecting multiple operating systems. Researchers have identified cases impacting both Linux and ESXi. The threat actor, active since at least 2020, is believed to be based in China, although that has yet to be confirmed. The use of custom malware by the hackers has been observed since late 2021 or early 2022. Credential theft and data exfiltration are believed to be this campaign's primary goals.
Progress Software has disclosed and patched a new MOVEit Transfer vulnerability in which a crafted payload submitted to a MOVEit Transfer application endpoint could result in modification and disclosure of MOVEit database content. A proof of concept for the vulnerability was published on June 15th. Cl0p continues its exploitation of MOVEit vulnerabilities to distribute ransomware. Ransom demands have begun to arrive at U.S. government agencies and other victims. According to Reuters, the U.S. Department of Energy has received two such notices. BleepingComputer reports that the U.S. State Department's Rewards for Justice program is offering up to $10 million for information tying the Cl0p ransomware gang to a foreign government. Cl0p has used MOVEit vulnerabilities to compromise at least two dozen entities, including some U.S. government agencies, SecurityWeek reports.
Researchers are moved to conclude that Anonymous Sudan is a Russian-run operation and not the Islamist patriotic hacktivist collective it claims to be. Researchers at CyberCX have released an intelligence update on Anonymous Sudan after that threat group attacked Australian government organizations. The researchers point out that they assess with high confidence that Anonymous Sudan is unlikely to be the simple religious hacktivist group it purports to be, and that Anonymous Sudan is unlikely to be geographically linked to Sudan. CyberCX assesses that the threat group uses a substantial paid proxy infrastructure across various countries to conduct its attacks. This supposed backwater organization has suspiciously significant funding and a complex operational style. Researchers at Trustwave write that there are clues leading them to believe the gang may be associated with KillNet in some way. The use of DDoS attacks as their attack vector, alongside observed use of Russian, as well as primary targeting of nations in support of Ukraine, are all shared attributes between Anonymous Sudan and KillNet.

Speaking of KillNet, in partnership with REvil and Anonymous Sudan, they announced Wednesday that they would be attacking European banking systems. They seem, at least in part, to have kept their promise. This isn't the general attack on the SWIFT interbank funds transfer system the operators have been threatening, and it's always difficult to determine the effectiveness of these attacks, but it seems the hacktivist auxiliaries successfully carried out a DDoS attack against the European Investment Bank. EIB has confirmed that they are experiencing a cyber attack which is affecting the status of their website. The hacktivist triumvirate also claims to have created a darknet parliament. A communiqué announced that they are going to impose sanctions on European banking transfer systems SEPA, IBAN, WIRE, SWIFT, and Wise. Although the groups may have successfully disrupted the EIB's website, the damage done is probably transitory. The incident represents another politically motivated nuisance-level attack of the sort that's become commonplace during the current phase of Russia's hybrid war.
His Majesty's Government on Sunday announced that it would allocate £25 million to aid Ukraine's cybersecurity efforts. Prime Minister Rishi Sunak describes the funding as critical to harden the nation's cyber defense. The new grant builds on and significantly expands last year's £6.35 million tranche of cybersecurity assistance.

And finally, Orca Security researchers channel their inner Winnie the Pooh, deploying honeypots on a variety of environments to measure the movements of bad actors. This morning, Orca released a report detailing insights into attacker tactics, techniques, and procedures, as well as the things that attract attackers. In the 2023 Honeypotting in the Cloud report, the researchers placed honeypots, which are faux traps intended to lure cybercriminals away from actual threats, on a variety of environments, including AWS S3 buckets, GitHub, and Docker Hub, among others. Each of the nine deployed honeypots was said to contain a secret, which in this case was an AWS secret access key. Key insights from the report include the rapid discovery by threat actors of vulnerabilities, as these honeypots were discovered within minutes of their deployment. The usage of the key, however, varies between different environments. The researchers saw GitHub keys used within two minutes, whereas with S3 buckets, exploitation took upwards of eight hours. Certain resources and environments are more attractive to malicious actors. More popular resources can be easy to access and contain a treasure trove of sensitive information. Orca researchers don't advise automated protection solutions, recommending instead tailored strategies for defending each resource against threats.
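The Orca finding above is that an AWS secret access key exposed on GitHub is used within minutes of being found, so the practical defensive check is to catch key material before it is ever pushed. The scanner below is an added example written for this page; it is not Orca Security's tooling and not code from the report. It flags AWS access key IDs by their fixed format, flags 40-character secret key candidates only when they sit on an "aws secret access key" assignment, uses a Shannon-entropy floor to skip placeholder values such as a row of x's, and redacts whatever it reports. The sample files, the function names, and the access key ID are constructed for the demo; the secret is the placeholder value AWS uses in its own documentation, not a live credential.

```python
"""Pre-push scan for AWS key material in text files.

Added example for this page; not Orca Security's tooling or code. Everything
below (function names, sample files, key values) is constructed for the demo.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

# AWS access key IDs have a fixed shape: a 4-letter prefix (AKIA for long-term
# keys, ASIA for temporary credentials) followed by 16 upper-case alphanumerics.
ACCESS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# Secret access keys are 40 characters from the base64 alphabet. On their own
# that is too generic, so only flag one that sits on an "aws secret (access) key"
# assignment (case-insensitive), with up to 5 separator characters in between.
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_\-\s]?secret[_\-\s]?(?:access[_\-\s]?)?key\W{0,5}"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Placeholders such as 40 x's are common in example configs; real secrets are
# random, so a Shannon-entropy floor (bits per character) filters placeholders.
MIN_SECRET_ENTROPY_BITS = 3.5


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str       # "aws_access_key_id" or "aws_secret_access_key"
    redacted: str   # enough to locate the value, never the whole value


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for a single repeated character)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep the first and last four characters so a hit can be traced."""
    return f"{value[:4]}...{value[-4:]}"


def scan_text(path: str, text: str) -> list[Finding]:
    """Return findings for one file's contents, in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append(Finding(path, line_no, "aws_access_key_id", redact(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            candidate = m.group(1)
            if shannon_entropy(candidate) >= MIN_SECRET_ENTROPY_BITS:
                findings.append(Finding(path, line_no, "aws_secret_access_key", redact(candidate)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents (what a pre-commit hook would feed in)."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed sample inputs. The access key ID is made up; the secret is the
# placeholder value AWS uses in its own documentation, not a live credential.
SAMPLE_FILES = {
    ".env": (
        "AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000001\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "config.example.ini": (
        "[default]\n"
        "aws_access_key_id = AKIA<your-key-id>\n"
        "aws_secret_access_key = " + "x" * 40 + "\n"
    ),
    "README.md": "Run `aws sts get-caller-identity` to see which key is active.\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.kind} {f.redacted}")
```

Run against the constructed inputs, only the two lines in `.env` are reported; the example config's placeholders are skipped because the key ID does not fit the AWS format and the 40 x's have zero entropy. The context requirement on the secret pattern and the entropy floor are what keep a hook like this usable in practice: without them, any 40-character base64 string (hashes, signatures) would trip it, and it would be disabled within a week.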
Coming up after the break, Ben Yelin explains cyber disclosure rules proposed by the SEC. Rick Howard speaks with Nancy Wang from AWS about the importance of backups and restores. Stay with us.
My CyberWire colleague, Rick Howard, was recently at the AWS re:Inforce conference in Anaheim, California, where he caught up with Nancy Wang, Director of Engineering and General Manager at Amazon Web Services. They spoke about the importance of backups and restores.

The CyberWire is an Amazon Web Services media partner, and in June 2023, Jen Iben, the CyberWire senior producer, and I traveled to the magical world of Disneyland in Anaheim, California to attend their AWS re:Inforce conference and talk with senior leaders about the latest developments in securing the Amazon cloud. I got to sit down with Nancy Wang, the General Manager of Data Protection at AWS. I asked her if there was a single thread from her perspective that explained the theme of this year's conference.

Data resiliency. So as data is the new oil, or how it powers businesses, that means as a digital business today, you're going to have tons of sensitive customer data, sensitive business information data, or critical data that is important to how your business functions. And you need to make sure that's protected, starting by knowing where it is in your persistent data platforms, and also what measures and policies you're taking to protect and secure that data.

Well, that feeds right into one of my first-principle cybersecurity strategies. I call it resilience. Before you can make sure you can survive a catastrophic event, you have to know where your material data and workloads are located so that you can properly back them up and restore them if needed. AWS has made it pretty easy to back all that stuff up, and that's phenomenal. But what's still really hard, especially for smaller businesses, is restoring the material data and essential workloads in a timely manner so that my customers never even notice that there was an outage. I don't really want to be good at backups. What I really want to be good at is restores. So full disclosure here, Nancy, you know, the CyberWire is an Amazon customer, and we have a rigorous backup plan. But what I really need is an easy button that allows me to restore everything quickly and efficiently if there is ever some kind of trouble, you know, like some kind of outage or a ransomware attack, or, you know, me, Rick Howard, fat-fingering the configuration and causing the cloud instance to go up in flames.
Hey, that happens. I have made many a mistake deleting your resources by mistake.

I've never, ever done that, yeah. So is that somewhere in the future where I can just hit an Amazon button and the entire CyberWire instance is recovered and fully functional somewhere? Is that down the road, on the roadmap somewhere?

It is. So actually today, using AWS Backup, which actually I think a better name for it could probably be AWS Backup and Restore, since the point of backing things up is to restore them, today you can restore at the single resource level. So you mentioned EC2 instances; we also back up EBS volumes, we also support RDS and so on and so forth, all the file and object platforms as well. And also the ability, as I said, to back up an entire CloudFormation stack, but also restore it as a stack. Now, without sharing what's in the kitchen right now under works, there is also a focus on, for example, game day testing. So you can have the best intentions, but when, let's say, an event actually occurs, how do you know that you're compliant? And more importantly, how can you be sure that you can bring your business back online within an allowable framework or timeframe? And so that really happens with regular testing, right? So placing emphasis on not just testing whether something can be restored, but actually testing the entire drill as a runbook. And it's really that runbook and that automation, making sure that you have the steps documented. Because look, everything may not be just captured in IT systems. Some of it might be personnel related as well. So how can you essentially write that down as a recipe so that later, when you're doing, let's say, regular drills for compliance reasons, or let's say an actual event actually happens, right? You're not doing it ad hoc and just hoping that everything works. You have a foolproof and tested and validated plan that actually works.

In the keynotes this week, there was a lot of discussion about zero trust, and I could sense the ghost of John Kindervag, the man who penned the original zero trust white paper over a decade ago now. In all of those discussions, do you want to wrap up our conversation with any last thoughts about zero trust?

Specifically, from a data protection perspective, I want to work with more customers to define protect surfaces, which John Kindervag writes a lot about, which is knowing what you have in your environment and what's important to protect, and making sure that you are intentional about the way that you're protecting and securing those resources and inherently your customer data.

Excellent. That's a good wrap-up for it. Thank you very much for coming on the show.

Of course. Thanks for having me, Rick.

All right. That's Rick Howard speaking with Nancy Wang from AWS.
And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the Caveat podcast. Ben, welcome back.

Good to be with you, Dave.

So recently, the U.S. Securities and Exchange Commission, the SEC, has proposed some rules that would require publicly traded companies to disclose cybersecurity incidents in public filings within days of their discovery. This has drawn some attention and criticism and support. Can you unpack this for us? What's going on here, Ben?
Sure. So the SEC, just in its authorization as a commission, has the authority to require public companies to make routine disclosures of facts that are materially relevant to investors. So this is a way of regulating financial markets. Investors should be aware of potential risks for their investments. And in that spirit, the SEC has finalized a proposed rule that would require these companies to disclose cybersecurity incidents in public filings within days after their discovery. So industry was relatively up in arms. This has been a fight that's been going on for a couple of years now. There are really several concerns here. One is compliance is very difficult. We're talking about particularly smaller publicly traded companies. Being able to disclose these incidents within days of their discovery is often extremely burdensome for the companies themselves, for their staffs, and just might be an inhibition on their ability to conduct business, particularly if they're not aware of the attack. If it takes a while for the attack to penetrate their networks, that's something that could be problematic. There are also national security concerns about identifying these vulnerabilities. If the SEC has records that XYZ company was a victim of a cyber attack, that could be inviting further attacks by kind of making people aware, or potentially bad actors aware, of our weaknesses in the private sector.

Right. So somebody drained the moat. So come on into the castle.

Exactly. And then the other concern is there's the separate statute passed by Congress, the Cyber Incident Reporting for Critical Infrastructure Act, which requires reports of cybersecurity incidents in critical infrastructure sectors to the federal government. And so there's an allegation among critics that that's going to be duplicative of this SEC rule. In terms of that last problem, I don't think it's really duplicative, because many operators of critical infrastructure are not publicly traded companies. And it still makes sense that they should, because of the risks of harm to our critical infrastructure, it still makes sense that they report to the federal government that they've been the victim of a cyber attack. But that's certainly distinct from what the SEC is trying to regulate here, where it's a warning to potential investors. So that's, I think, a very important distinction here. It's more of a complement to the critical infrastructure requirements that were passed last year and less of a direct conflict. I also think the national security risks, the risks of further undermining cybersecurity in the private sector by showing people that these risks exist, I think that's taking a relatively short view when we should be taking a long view. That we can improve the overall health of our cybersecurity ecosystem by having better information sharing so that regulators can more efficiently employ existing policy tools, research, etc. And potentially we can catalyze better cybersecurity behavior so that companies have some disincentive to make themselves vulnerable to potential cyber risks. So I think the regulations here are promising and will have a big impact on these private sector entities that are publicly traded. And I'm very curious to see what the rollout of this looks like when it's actually put into practice.

Yeah, it's interesting to me. I kind of think of this as being, by putting a time frame on this of being a couple of days, I can imagine an organization being hot and heavy in the midst of incident response, right? And basically saying to the regulators, listen, you're asking us to file a report and the building is still on fire.

Right.

Let us put the fire out. We are happy to comply, but can we put the fire out first? And I wonder if that's a reasonable approach of saying, coming up with whatever the standard would be in your incident response lifecycle, the cybersecurity incident response equivalent of, you know, we've got a steaming pile of rubble here, but the fire is out. Now we can do the report, because not all fires are the same.

Yeah, I mean, I can understand why that would be burdensome, but we do do that in all different types of situations. I mean, the NTSB is on the scene of a major accident in our transportation infrastructure before the rubble is cleaned up. And they're certainly taking records of it. And, you know, they have people on the ground who might be distracting from the cleanup effort there. So it's not like this is something that's entirely unheard of. I just think that, yes, while it might be burdensome, the advantages of having this ecosystem where there is information sharing just vastly outweigh the disadvantages of compliance on the part of some of these companies. That is obviously in the eye of the beholder. As somebody who is not responsible for cybersecurity at a publicly traded company, I get that it's easy for me to say. But that would be my initial reaction to these regulations.
Yeah. So we have a rules proposal here from the SEC. How do these things typically play out from this point of actually going into force?

Oh man. Well, I don't want to get into how the Administrative Procedure Act works and all of that mumbo jumbo.

Okay.

But generally, with rules, there's a 30-day timeline once the rules have been finalized before any rule can actually go into effect. But they have already had their notice and comment period, so people have had the opportunity to weigh in. I suspect that once they finalize the regulation, it goes through proper review from the relevant federal entities like OIRA, which is the Office of Information and Regulatory Affairs. Once it goes through the Office of Management and Budget, then it's published in the Federal Register. I will say Congress has their chance, as they have done many times, to reject this rule if they think it's overstepping its bounds and if they think the policy is damaging. There's this thing called the Congressional Review Act, where Congress, through a simple majority vote in both the House and the Senate, can reject a recently enacted federal rule, and that would take the rule out of existence. The only problem is that the president has the power to veto any Congressional Review Act resolution. I believe those have been the only vetoes so far in Joe Biden's presidency. Because, of course, why wouldn't the president veto Congress trying to supersede the rules that his own administration has already made?

I see.

But that's certainly something that we could see down the line.

Yeah. All right. Interesting development to keep an eye on for sure. Ben Yelin, thank you for joining us.

Thank you.
What do you think of this podcast? You can email us at cyberwire at n2k.com. Your feedback helps us ensure we're delivering the information and insights that keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500. Learn more at n2k.com.

This episode was produced by Liz Ervin and senior producer Jennifer Iben. Our mixer is Trey Hester with original music by Elliot Peltzman. The show was written by Rachel Gelfand. Our executive editor is Peter Kilby and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.