CyberWire Daily - Some trends in threats and defense. The possibility of cyber war crimes. RSAC innovation showcases are open for application. And common KEVs in the financial sector.

Episode Date: January 10, 2023

A look back at ransomware in 2022. Lessons from Russia's war: crooks, hacktivists, and auxiliaries. Cyberattacks as war crimes. The state of SSE adoption. RSA Conference 2023 opens applications for the Launch Pad and the Innovation Sandbox. Joe Carrigan looks at online scams targeting military members. Our guest is Richard Caralli from Axio on the State of Ransomware Preparedness. And the most common known exploited vulnerabilities affecting the financial sector. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/6

Selected reading.
Ransomware trends: 2022. (CyberWire)
State of Ransomware Preparedness Research Study: 2022 (Axio)
Kyiv argues Russian cyberattacks could be war crimes (POLITICO)
Ukraine official says Russian cyberattacks on its energy network could equate to war crimes (Yahoo)
Ukraine war and geopolitics fuelling cybersecurity attacks - EU agency (EU Reporter)
Industry-first research from Axis Security finds 65% percent of organizations plan to adopt a Security Service Edge platform within next two years (Axis Security)
RSAC Launch Pad is Back! (RSA Conference 2023)
The Best in Innovation Programs Starts Here (RSA Conference 2023)
Top KEVs in the U.S. Financial Services Sector (LookingGlass)

Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. A look back at ransomware in 2022. Lessons from Russia's war: crooks, hacktivists, and auxiliaries. Cyber attacks as war crimes. The state of SSE adoption.
Starting point is 00:02:12 RSA Conference 2023 opens applications for the Launch Pad and the Innovation Sandbox. Joe Carrigan looks at online scams targeting military members. Our guest is Richard Caralli from Axio on the state of ransomware preparedness and the most common known exploited vulnerabilities affecting the financial sector. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, January 10th, 2023. Happy Tuesday, everyone. It's good to have you here along with us. We are not yet too far into 2023 to take a retrospective look back at 2022. And ransomware was one of the defining cyber threats organizations faced last year.
Starting point is 00:03:20 Delinea has published its 2022 State of Ransomware report, finding that there's been a sharp decrease in the volume of ransomware attacks, though the average ransom demand has gone up. Delinea found that only 25% of respondents said their organizations were hit by ransomware in 2022, down from 64% in 2021. The number of victims who paid the ransom also fell from 82% to 68%. The researchers aren't sure what led to this decline, but they note that it may be due to the reorganization among major ransomware crews, particularly Conti, that took place during 2022. It's not all good news, however. Despite the slowdown in attacks, the researchers found that the average ransom demand has gone up over the past year. The survey also highlights a discouraging trend. Organizations seem to be taking the ransomware
Starting point is 00:04:18 threat less seriously than they did in 2021. The researchers found that most organizations, a whopping 76%, increased their security budgets only after they've suffered a ransomware attack. Sure, the burned hand teaches best, but better not to get burned in the first place. Turning to the effects of Russia's hybrid war, EU Reporter notes that the annual report from the European Union's cybersecurity agency, ENISA, describes ways in which Russia's war has driven an increase in cyber attacks. As we've had many occasions to observe, the consequences of those attacks have fallen short of pre-war expectations. Still, they've shown a kind of convergence, with criminals becoming hacktivists and hacktivists in turn becoming auxiliaries of the security and intelligence services,
Starting point is 00:05:11 deploying ransomware, website defacements, and distributed denial-of-service attacks against targets of opportunity in countries deemed hostile to Russia's war. Operational domain or not, it certainly seems possible that actions in cyberspace can constitute violations of the laws of armed conflict. Victor Zhora, chief digital transformation officer at the State Service of Special Communication and Information Protection of Ukraine, told Politico that Ukraine was gathering information on the ways in which Russian cyber attacks have constituted war crimes. Some of the Russian cyber intelligence work has allegedly been used to support filtration, that is, the identification of civilians regarded as posing a threat to Russian occupation.
Starting point is 00:06:00 Zhora said, "Russian troops often use filtration procedures on occupied territories to identify people who support Ukraine, who were engaged in public service or military service, so they capture them, then torture and kill." So, in this case, cyber-ops would be a crime in furtherance of another, more lethal crime. Some cyber activities, including even the spread of disinformation, may themselves qualify as war crimes. Disinformation seems a stretch, except perhaps insofar as it might be held to constitute incitement or serve as an element of conspiracy, but disabling cyber attacks against civilian critical infrastructure might be an easier case. For any of these actions to amount to war crimes, and there's a strong case that they may, they would have to amount to violations of the laws of armed conflict.
Starting point is 00:06:55 The core principles on which that law is based include discrimination, sometimes called distinction, proportionality, minimization of suffering, and military necessity. The Russian cyber operations Ukraine has under investigation could constitute violations of any or all of these principles. Ukrainian authorities are referring the digital evidence they've collected to the International Criminal Court with a view to eventual prosecution of the Russian personnel and officials responsible. Axis Security has published its 2023 Security Service Edge adoption report this morning. They found that 65% of organizations plan to implement an SSE platform within the next two years, and 43% seek to implement one before the end of 2023.
Starting point is 00:07:46 Additionally, 67% of respondents plan to start their SASE strategy with an SSE platform rather than wide-area network edge services. The researchers also found that the top two legacy solutions that enterprise security teams will look to replace with SSE will be VPN concentrators, SSL inspection services, and DDoS, with data loss prevention being a very close fourth place. The RSA Conference will be here before you know it, in San Francisco between the 24th and 27th of April, and it returns with two of its well-known showcases for young, innovative companies.
Starting point is 00:08:28 The Launch Pad will highlight three potential breakthrough inventions, and the Innovation Sandbox will give 10 startups a chance to pitch themselves. These are always interesting, and the innovators that are on display usually go on to make a mark for good on the cybersecurity sector.
Starting point is 00:08:44 Both programs opened for applications today, and the conference will continue to accept them through February 10th. If you think you've got a genuinely disruptive innovation to share, by all means apply. You'll find full instructions online at rsaconference.com. And finally, LookingGlass Cyber released a blog today explaining the most prevalent known exploited vulnerabilities present in the U.S. financial sector in November of last year. Over half of the vulnerabilities detected by LookingGlass in November 2022 were found affecting insurance, with approximately a quarter composed of credit intermediaries and a third resulting from third-party service providers. The most commonly observed known exploited vulnerability in the U.S. financial services sector was CVE-2015-1635.
Starting point is 00:09:37 The seven-year-old remote code execution vulnerability is said to impact Windows and is still common in critical infrastructure today. If it's known, it can be mitigated, so by all means, get patching. Coming up after the break, Joe Carrigan looks at online scams targeting military members. Our guest is Richard Caralli from Axio on the state of ransomware preparedness. Stick around. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
Starting point is 00:10:39 More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
Starting point is 00:11:16 That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:12:17 Richard Caralli is Senior Cybersecurity Advisor at Axio, where he and his colleagues recently released their 2022 State of Ransomware Preparedness Report. I spoke with Richard Caralli about some of the highlights from the report. A lot of times, these reports are produced from survey data. But this is data that's coming from organizations that have an intent to improve. So I think that makes the data even more important because the intent is to actually use the results of the data to have something actionable at the end. What we found in this year's study was very similar to the study we did in 2021, and that was
Starting point is 00:12:59 seven key issues focused around things like privilege access management, the lack of basic cyber hygiene, exposure to supply chain and third-party risk, monitoring and defending networks, ransomware incident management, and vulnerability management. Interestingly, in the 2022 report,
Starting point is 00:13:22 we also, in terms of training and awareness, what we were seeing was not as high a degree of organizations doing phishing tests on their employees. So to what degree are you finding that organizations are staying on top of this, or is there still a lot of catching up to be done? Well, there was some improvement generally from 2021. For example, we saw better email filtering and phishing reporting processes in place, better controls over domain controllers and domain administrator privileges. And we're seeing higher rates of data backup and offline storage and encryption, which is a primary defense to ransomware. So some of those basic practices do seem to show some improvement from 2021 to 2022.
Starting point is 00:14:14 Are we seeing organizations being nimble in their response to some of the pivots we've seen from the ransomware actors? We've seen a shift away from encryption to data extortion from some of these players. Yeah, I don't think we really can look to what kinds of ransomware vectors organizations are trying to protect against generally in this data. But the thing that I think we were really seeing is that, and this was kind of a discouraging outcome of the 2021 report, is that it still comes down to a lot of fundamental basic practices not being in place.
Starting point is 00:14:54 So if you look at the ransomware preparedness assessment, it's really made up of 65 foundational practices that would contribute to building a strong ransomware-ready environment. And if you're seeing deficiencies in these basic practices, it pretty much says that regardless of the intent of the ransomware actor, the organization is likely going to suffer some impact from a ransomware intrusion. So it's sort of coming back down to the basics again. And it was a little surprising that there wasn't a lot of movement in these 65 practices from 2021 to 2022, especially in light of, as you said,
Starting point is 00:15:42 many of these high-profile ransomware attacks. Do you have any insights on to why folks are still lagging here? Is this a matter of resources? So we don't have exact data on why we're still seeing this problem, but it's pretty easy to guess that it's likely resource shortages. It's likely built around the fact that some of the tool sets, for example, in privileged access management, they are big investments. They take a significant
Starting point is 00:16:16 time to implement and there's a high learning curve. So some of these basic things just have high hurdles to overcome. And one of the things I think that is really starting to show some concern, at least in our circle, is that as we go into 2023 and there's this potential for economic downturn. If, in fact, resource shortages and budget shortages and those sort of constraints are already showing in the data that we're seeing, how will it affect already deficient control environments? It's going to further strain resources and budgets. And if you're lacking in the fundamentals, you may not have the resources to get those to a place where, you know, they're purposeful and actionable, let alone to prepare for new attack vectors that may come down the pike. And I think that is prevalent, I think, a prevalent problem, in fact, in two areas, the privileged access management and supply chain
Starting point is 00:17:25 third-party risk. Yeah, that's interesting. So based on the information that you all have gathered here, what are your recommendations? What are the actionable items here on the checklist? We really recommend that organizations go back to the basics when it comes to securing and controlling privileged credentials. And again, if there is an economic downturn, you're going to want to do more with less. So you may cut some of the corners around having one staff person do many things in the organization, which means controlling and securing these credentials might come secondary to efficiency.
Starting point is 00:18:08 So that's one of the areas that we really think organizations should put some emphasis on. And by the way, that was our top issue in 2021 as well. I think the second one really is the supply chain issue, reducing exposure to supply chain risk, which is going to be tricky because if you think about an economic downturn and having less staffing and less labor costs, you're more likely to start outsourcing more things, which could make the problem worse. And the other problem we're seeing and I think is going to become more of an issue going
Starting point is 00:18:41 forward is the organizational perimeter is much harder to define and control now because there is so much reliance in cloud services and external partners to the organization. And when you start to see that happening, this is why you're seeing more calls for zero trust models. But zero trust models are a significant undertaking
Starting point is 00:19:05 and surely will suffer some setbacks in the economic downturn. You know, for example, we only saw 42% of organizations even monitoring third-party access. Now, that was an increase from 2021 where we saw about 34%, but it's still not at levels where it's going to be sufficient.
Starting point is 00:19:27 That's Richard Caralli from Axio. You can find a link to the report Richard Caralli discussed in today's selected reading section of the show notes. And joining me once again is Joe Carrigan. He is from Harbor Labs and the Johns Hopkins University Information Security Institute. Hello, Joe. Hi, Dave. More importantly than either of those professional positions, Joe is my co-host over on the Hacking Humans podcast. We were talking about this over on Hacking Humans. This is a scam targeting folks who are new to our U.S. military.
Starting point is 00:20:14 Right. What's going on here? So this is coming from military.com. It's a story by Drew Lawrence. Yeah. And imagine, Dave, that you're a new recruit in the Army. Okay. So you get into the Army, and you show up at basic training, and you're maybe two or three weeks into it, and you get a phone call.
Starting point is 00:20:33 And during the course of that phone call, someone says, I'm with the DFAS, or the Defense Finance Accounting Services, and I'm an NCO, by the way. I'm a non-commissioned officer with the Defense Finance Accounting Agency. Okay. Service. And there was a problem with your last military pay. There's a problem with your military pay, and I want to get you the money that you're entitled to. So I need you to send me some money via Cash App, Venmo, PayPal, Zelle, or Apple Pay. And then we'll get this resolved and worked out. Now, hold on a minute, cowboy. Hey, did you hear what I said? I'm an NCO. You're a recruit. Oh. See, that's the first thing that happens is they get threatened with this
Starting point is 00:21:16 kind of activity. The guy goes full R. Lee Ermey on them on the phone, I guess. Okay. So, taking advantage of the fact that this is a new soldier. New soldier, not really familiar with how things work. We see this actually with new hires as well. We've seen this kind of scam before where somebody gets a new job on LinkedIn and immediately they get a call or something impersonating the company, they start getting scammed there as well. Or if you're trying to do open source intelligence gathering on a company and you're trying to penetrate a company,
Starting point is 00:21:55 you can say, or actually not trying to do a phishing attack on a company, you can call into the company, talk to the person who just got hired and say, hey, I see you just got hired recently. I'm from IT. I'm here to help, right? These kind of attacks we've seen many times before. This is the same kind of attack, only now it's happening to Army recruits. And they've put out a, the Army has put out warnings from Fort Benning, Huachuca, and West Point. So people at West Point are getting hit with this as well. And that's where the cadets for the officer cadets go.
Starting point is 00:22:27 Yeah, yeah. So really basically a social engineering scam here. It is. And then once you – but unique in that they're using the chain of command, the authority. The authority of a noncommissioned officer, presumably over the enlisted people. I don't know what the relationship is between a recruit at a Naval Academy or not Naval Academy, the Army Academy.
Starting point is 00:22:55 I say Naval Academy because I live in Maryland, Dave. The word Academy is usually preceded by Naval around here. But at West Point, it's the Army Academy. The Army Academy, I'm not sure, but I think they might actually outrank an NCO, that they might actually already be officers. I don't know if that's correct. So it's less likely to work. And in fact, the story says nobody at West Point has been victimized by the scam. But outside of West Point, 74 soldiers have lost $143,000. Wow.
Starting point is 00:23:27 Yep. Wow. A lot of money. So what are the red flags here in terms of folks protecting themselves against this? I mean, I guess the request for money is the big one. Yeah, anytime you get an unexpected request for money like this,
Starting point is 00:23:39 the big problem here is that these guys are not really familiar with it. And once they start asking questions to the person on the phone, the person tries to intimidate them and is pretty successful at it. I don't know if I would be willing. Every now and then I say, here's a scam that will work on me. I think this one might've worked on me in my youth because I don't know that I'd be willing to go to my drill instructor or drill sergeant and say, I'm getting this request from this guy. Is this legit?
Starting point is 00:24:07 But that's what they should do. They should be doing that immediately. This guy wants me to send him money saying he's from the accounting service. Is this right? But what should really be happening here is that the drill, and it is happening, actually, the drill instructors should be informing all the recruits that this is a scam that's going around. They should be aware of it. And if they get these kind of phone calls, just hang up.
Starting point is 00:24:30 What's interesting is how they're finding recruits in the Army. I'd like to know how they're getting that information. Because this seems to me like there's a leak somewhere. Some kind of information that shouldn't be in the hands of these scammers is in the hands of these scammers. Right. And I don't know where that's coming from. Right.
Starting point is 00:24:48 Somehow they're aggregating who are the new recruits and how do we call them. It's entirely possible they're getting it from open source sources. Yeah, yeah, sure. And if that's the case, there's nothing you can do about it
Starting point is 00:24:59 except educate the recruits. But it's also entirely possible that they're getting it from some inside source. Mm-hmm, mm-hmm. All right. Well, again, this article is from military.com. It's titled, Army Warns of Scam Targeting New Soldiers. Joe Carrigan, thanks for joining us. My pleasure. Thank you. fault-deny approach can keep your company safe and compliant. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe,
Starting point is 00:26:31 where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Trey Hester with original music by Elliot Peltzman. The show was written by John Petrick. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain
Starting point is 00:27:38 insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
