CyberWire Daily - Something new, in ransomware. Notes on cyberespionage by the Lazarus Group and Charming Kitten. Security CI/CD operations. FINRA says hold the emojis. Dispatches from the hybrid war’s cyber front.
Episode Date: June 29, 2023
8Base ransomware is overlooked and spiking. GuLoader targets law firms. Akira ransomware for Linux systems targets VMs. Kaspersky tracks the Lazarus group: typos and mistakes indicating an active human operator. Charming Kitten goes spearphishing. Securing continuous integration/continuous delivery operations. No emojis for the SEC, please. Unconfirmed reports say the Wagner Group hacked a Russian satellite communications provider. Our guest is Hanan Hibshi from Carnegie Mellon's picoCTF team. Chris Novak from Verizon discusses their 2023 Data Breach Investigations Report (DBIR). And Anonymous Sudan wants you to know that they're not just a bunch of deniable Russian crooks. Where's the love, man?
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/124
Selected reading.
8Base Ransomware: A Heavy Hitting Player (VMware Security Blog)
GuLoader Campaign Targets Law Firms in the US (Morphisec)
Akira Ransomware Extends Reach to Linux Platform (Cyble)
Andariel's Mistakes Uncover New Malware in Lazarus Group Campaign (Infosecurity Magazine)
Charming Kitten Updates POWERSTAR with an InterPlanetary Twist (Volexity)
CISA and NSA Release Joint Guidance on Defending Continuous Integration/Continuous Delivery (CI/CD) Environments | CISA (Cybersecurity and Infrastructure Security Agency CISA)
NSA and CISA Best Practices to Secure Cloud Continuous Integration/Continuous Delivery Environments (National Security Agency/Central Security Service)
Wall Street Regulators' New Target: Emojis (Wall Street Journal)
Russian satellite telecom Dozor allegedly hit by hackers (Cybernews)
Hacking Group Says It Attacked Microsoft for Sudan. Experts Say Russia's Behind It (Bloomberg)
'Hactivists' who targeted Microsoft claim they're working for Sudan (Fortune)
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
8Base ransomware is overlooked and spiking.
GuLoader targets law firms.
Akira ransomware for Linux systems targets VMs.
Kaspersky tracks the Lazarus Group.
Charming kitten goes spear phishing.
Securing continuous integration and continuous delivery operations.
No emojis for the SEC, please.
Unconfirmed reports say the Wagner Group hacked a Russian satellite communications provider.
Our guest is Hanan Hibshi from Carnegie Mellon's picoCTF team. Chris Novak from Verizon discusses
their 2023 data breach investigations report. And Anonymous Sudan wants you to know that they're
not just a bunch of deniable Russian crooks. Where's the love?
I'm Dave Bittner with your CyberWire Intel briefing for Thursday, June 29th, 2023.
VMware has published a report looking at the 8Base ransomware group, stating,
8Base is a ransomware group that has been active since March 2022 with a significant spike in activity
in June of 2023. Describing themselves as simple pen testers, their leak site provided victim
details through frequently asked questions and rules sections, as well as multiple ways to
contact them. What is interesting about 8Base's communication style is the use of verbiage
strikingly familiar to another known group, RansomHouse.
The threat actor primarily targets organizations in the business services, finance, manufacturing, and IT sectors.
Over the past 30 days, 8Base was in the top two most active ransomware gangs.
Morphisec is tracking a GuLoader campaign in the U.S. Its principal focus is law firms with
a secondary interest in health care and investment organizations. The threat actors are using the
malware loader to deliver the Remcos RAT. The downloader is distributed via phishing emails,
malicious PDF attachments with icons indicating that the PDFs need to be decrypted.
Morphisec explains, this icon contains an embedded link, which, once clicked, redirects the user to
the final URL by utilizing a popular ad click service called DoubleClick, which is provided
by Google. DoubleClick is widely used in online advertising and offers various capabilities, including the ability to track and gather statistics and metadata information on user clicks.
In this context, it is likely employed by the threat actors to gain insights into the effectiveness of their malicious campaign.
The redirect URL in the chain prompts the user to enter the PIN that was previously sent via email.
Once the PIN is provided, the GuLoader VBScript is downloaded, marking the next stage
of the attack.
Bleeping Computer writes that a new Linux version of the Akira ransomware is targeting
VMware ESXi virtual machines.
The double extortion attacks were first reported in May of 2023 and have hit
a range of sectors, including education, finance, real estate, and manufacturing.
Bleeping Computer explains the evolution, stating,
Over the past few years, ransomware gangs have increasingly created custom Linux encryptors
to encrypt VMware ESXi servers as the enterprise moved to use virtual machines for
servers for improved device management and efficient use of resources. By targeting ESXi
servers, a threat actor can encrypt many servers running as virtual machines in a single run of
the ransomware encryptor. It should be noted that Akira's encryptors lack many of the more advanced
features which would allow automatic shutdown commands prior to encrypting files.
Bleeping Computer also assesses that the Linux version of Akira's ransomware
was likely ported from its Windows version
due to the Linux locker skipping certain Windows files and folders.
Cyble Research and Intelligence Labs released a detailed technical report on June 28,
which explained that upon execution, the Akira ransomware loads a predetermined RSA public key
to encrypt files in the system. The encryptor targets a predetermined list of file extensions.
Maybe AI would have done better for the North Korean threat group. Kaspersky's SecureList published a report detailing the Lazarus Group's use of the Dtrack malware and Maui ransomware in mid-2022.
While tracking an initial infection, Kaspersky was able to determine that a human operator was actively typing as the commands were riddled with typos and mistakes.
Kaspersky writes,
it quickly became clear that the commands were run by a human operator, and judging by the amount of mistakes and typos, likely an inexperienced one. The researchers were also able to track a
new remote-access Trojan called EarlyRat to a phishing document. The Iranian threat actor
Charming Kitten is launching sophisticated spear phishing attacks
to distribute a new version of its POWERSTAR malware, according to researchers at Volexity.
Charming Kitten, also known as APT35, often uses social engineering in its cyber espionage campaigns.
The campaigns demonstrate an ability to conduct protracted interactions with the
intended victim before the fishhook is set. Volexity states, Charming Kitten appears to be
primarily concerned with collecting intelligence by compromising account credentials and subsequently
the email of individuals they successfully spearphish. The group will often extract any
other credentials or access they can and then attempt
to pivot to other systems, such as those accessible via corporate virtual private networks or other
remote access services. The threat actor has, for example, posed as an Israeli reporter and began
communicating with the targeted individual. After several days of conversation, the threat actor
sent the victim a password-protected
document that would install the malware. CISA and the NSA have released a cybersecurity
information sheet outlining advice on securing continuous integration and continuous delivery
environments. The two agencies explain why this is important, stating,
The CI/CD pipeline is a distinct and separate
attack surface from other segments of the software supply chain. Malicious cyber actors can multiply
impacts several fold by exploiting the source of software deployed to multiple operational
environments. By exploiting a CI/CD environment, MCAs can gain an entryway into corporate networks and access sensitive data and
services. Post-structuralists call your office. Advice from FINRA, the Financial Industry
Regulatory Authority, via the Wall Street Journal says, if your communication is discoverable or
reportable, lay off the emojis. The idea, as business communication gets more social, more distributed, more informal,
less take a memo and more let me answer this text,
the regulators would like to bring the wink and nod style
of conveying what the journal calls subtextual messages under control.
Of course, it's possible to convey coded subtext in words too, but that normally
requires coordination, whereas the emoji is freer and more suggestive. After all, you just know the
smiling poop emoji's gotta mean buy on material non-public information, whereas the black-eyed
ghost with its tongue out means sell. But what about Leetspeak?
If they're deconstructing subtext, trust us, Leetspeak is a lot easier to decode than emojis.
But maybe that's the problem, and we wish you could see the emojis floating around here right now. Heart, smiley face, crab signaling touchdown.
CyberNews reports that the Wagner Group claims to have conducted a destructive cyber attack against Dozor Teleport,
a satellite firm that provides communication services to some elements of the Russian Ministry of Defense.
Discussions of the reported incident should be treated with caution, if not outright skepticism.
They appear to originate with a Telegram channel, having few followers and no obvious connection to the
Wagner Group. They've also been amplified by Ukrainian social media accounts, which,
no matter where one's sympathies lie, aren't exactly disinterested parties.
And finally, straight up, Anonymous Sudan is a Russian front. We'd say cat's paw,
except we don't want to be offensive in suggesting that someone's like an animal, because we wouldn't do that. Here's how they explain what they're up to.
A representative of the allegedly anonymous and allegedly Sudanese group told Bloomberg,
everything that is hostile to Islam and all countries that are hostile to Islam are hostile
to Russia. Contra Anonymous Sudan's denials,
Bloomberg quotes Stockholm-based security firm Truesec to the effect that Anonymous Sudan is a Russian information operation
that aims to use its Islamic credentials to be an advocate
for closer cooperation between Russia and the Islamic world,
always claiming that Russia is the Muslims' friend.
This makes them a useful proxy.
In this, Truesec represents informed opinion, so straight up, it's the Russians. At any rate,
Anonymous Sudan has lately taken to calling its opponents dogs in the evident belief that the
characteristic Middle Eastern insult lends them Islamic street cred, but they say they're not Russians.
Coming up after the break, Hanan Hibshi from Carnegie Mellon's picoCTF team,
Chris Novak from Verizon discusses their 2023 data breach investigations report. Stay with us.
Do you know the status of your compliance controls right now, like, right now? We know that real-time visibility is
critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Learn more at blackcloak.io.
Chris, great to have you back.
Thanks, Dave. It's a pleasure to be back.
So it is that time of year when you and your colleagues at Verizon release the DBIR,
which I think it's fair to say is one of the most anticipated cybersecurity reports of the year.
This is the Data Breach Investigations Report.
Can we start with a little overview here of what prompts the creation of this report every year?
Sure, yeah. So it's, and I
will add that it's definitely one of the most anticipated things on our calendar as well. So
we work all year round to produce it. I tell folks, you know, the moment the DBIR is released,
we are already starting to work on the next one. It's that much goes into it. But the idea really stems from, you know, organizations wanting real
world factual evidence-based data to drive or to help them understand what the threat landscape
looks like, what's working, what's not, what are threat actors doing. And then obviously,
most importantly, everybody wants to make sure that they're not a next statistic in one of our DBIRs.
And so how is it that they can take the learnings from what that research shows and actually apply it to their business?
And one of the things I think we've really strived to do quite substantially was around not having it be a single source of data, right?
Subject to potential bias. Obviously,
any statistical analysis has the potential for bias, and we even call that out in the report.
But we try to source our data from a number of different places, a number of different types of
organizations in order to try to weed out as much of that as possible. Can you give us some insights
as to what makes Verizon in a good position to publish this sort of thing?
What is your unique view of the landscape?
Yeah, so, I mean, we've been doing it now.
This is 16 years in the running.
So I think, you know, one, we were the first to really jump out there and actually say, let's talk about breaches.
In fact, when I think back to the first one, I had the pleasure of being part of the team back in 2008 when we released the first report. And there was a lot of debate as to whether or
not this is even something that should be kind of talked about in a public forum. If anyone really
wanted to see the numbers, it was kind of, I don't know if I want to say kind of talked about in dark
corners of rooms where everyone kind of knew people had breaches, but nobody really spoke
about it.
And I think, you know, one, we kind of took that first step, which I think was fantastic. And I think also the breadth of capability of our team. So we don't just do the analytics and research,
but our team also does a tremendous amount of incident response projects for organizations
all across the world. It's, you know, hundreds, if not thousands a year, depending on the given year. And so we also have the data science, data analytics background,
as well as, you know, a longstanding incident response background, having done that now for,
you know, well over 20 years. Well, let's dig into some of the statistics here,
the things that you found. What caught your eye here?
So I would say that one, it still continues to show, no surprise here, that we've got a global
problem. I always kind of start with that because a lot of times when I talk to different people in
different countries, you know, everyone kind of tends to think that it's going to be very different.
And this may shock folks, but, you know, we represent 81 countries in the DBIR in terms of where breaches have happened.
And interestingly enough, we still have parts of the world where people will claim there just are not breaches.
And so that's why it's not represented.
So we've got obviously some maturity to do here.
But obviously, 81 countries is a lot of the world represented.
And I think probably a lot of our reader base there as well.
The number of incidents comes in at over 16,000 in the last year.
The number of breaches just shy of 5,200.
I always tell people this is not intended to be a barometer of we're getting better or we're getting worse.
more just to be transparent around the volume of data that makes up the data set to show that ultimately what we draw from it is fairly conclusive.
Other things that are really interesting, ransomware continues to be a giant thorn in
our side, but surprisingly has actually leveled off for the first time at around a quarter
of the cases involve ransomware.
And that was the same as it was last year, which
kind of really surprised us. The other thing I would also call out is the role of the human
factor. In the previous report, we called out the human factor as being involved in about 82%
of all breaches. And this year, I don't know if I want to celebrate this, it's down, but it's only
down to 74%. So I tell people there's a lot of numbers that have changed in the DBIR, and some of them are moving in the right direction.
But it's not like we've gone from 82% to 2%.
We've gone from 82% to 74%, right?
Or ransomware has remained flat.
I think there's a whole host of conversations we can have around the why and what that means.
So what are the takeaways for you and your colleagues here?
When you look at the long-term trends, what's your advice to industry?
I'd say my big advice is focusing on the fundamentals remains to be one of the most important things.
We continue to see a lot of organizations sometimes getting really caught up in the advanced and sophisticated technologies that are out there. Not saying
any of those are bad, but if you're missing the fundamentals, that's where we still see a lot of
organizations, large and small, still getting very tripped up. And that's the avenue I tell people
threat actors are looking for the easy in. They don't necessarily want to make their lives any more difficult. They've got hundreds of other organizations to target after you.
And so if they can get in the easy way, that's what they're going to do.
All right. Well, Chris Novak, thanks for joining us.
For over 10 years now, Carnegie Mellon University's picoCTF has been working to close the cybersecurity talent gap,
introducing the field to students of all ages through its annual Capture the Flag competition and year-round educational platform.
To learn more, I spoke with Hanan Hibshi, an assistant teaching professor at Carnegie
Mellon University. The motivation for this program comes from the need in the nation
for increasing the cybersecurity workforce. We have a deficit in the United States. We have a deficit worldwide. And the research shows
that for any career, actually, if we start early, if we spread awareness, if children in grade
schools learn about some career paths early on, it's most likely that they will choose those paths and find their passion.
So picoCTF: pico comes from the word small, meaning that we're trying to target the younger
population. That does not mean that the competition itself is small or the kind of challenges are not
complicated. They start at the beginning level, but students use a gaming-style platform
where they solve Jeopardy-style challenges
trying to get a flag every time.
And then they win, and they go to the next challenge,
and they win another flag.
And by doing this,
we are actually teaching them lots of things.
We're teaching them how to use complex concepts
like cryptography, reverse engineering, all in this activity mode where they feel like playing more than they're sitting in a traditional classroom.
But it's also a good tool for teachers. They can use it as classroom activities, as homework, to encourage classes to learn about cybersecurity, and to even maybe build
their own curriculum around it.
Now, as you and I are recording this, you all are in the midst of hosting a picoCTF
at your Pittsburgh campus.
What specifically is going on there?
Well, as I said, picoCTF is available as a free public platform out there, but it's a lot of work to go ask teachers who are already overwhelmed with their day-to-day duties in their K-12 schools to go and tell them, hey, let's go and find some time to learn this new tool and then introduce cybersecurity in your classroom. for free to support teachers and have local teachers from the Pittsburgh area or our neighboring
states to come and spend a week in person where they meet with us and where we actually
teach them cybersecurity concepts through the platform, have them practice the exercises,
and at the same time, help them create lesson plans by using the platform.
We reach a point where we say, now that we taught you how to use picoCTF,
we taught you a lot about cybersecurity,
you will learn how to solve those challenges yourself.
How about you look at your own classes that you teach at school?
It could be a CS class, it could be the AP CS classes,
and try to think how would you weave the cybersecurity content within the resources you have.
It doesn't necessarily have to be a new class or something that they just put out there in a student club or something.
It could be actually weaved into the CS curriculum because what I would love as an educator is to have our students think about cybersecurity as they're learning other things in engineering, as they're learning programming, as they're doing their daily lives.
I want them to be thinking about those things.
And what is the age range of students that you all are targeting here?
Well, as early as middle school.
But anybody can play picoCTF. As I said, the challenges will start from a beginner level and go high up until they reach even further than a grad level. personally wouldn't feel comfortable assigning in a graduate class because not every student
might get it. But I actually get impressed by the high school students from around the nation who
solve those challenges during the competition time. And that speaks for the hidden talents
that we have out there. picoCTF has reached all 50 states. We have representation from different
states and we have representation from different countries around the world. Children in Japan and
India are playing picoCTF. Children in Canada. And these are middle school and high school students.
Most of our winners have been high school students. They start at middle school, they build
the skills, and then they feel that they're ready for the competition.
But even adult learners are finding value in picoCTF. We've heard some anecdotes from people who were able to find some free time and try creating an account there and playing some of those challenges just to enhance their cybersecurity skills.
And why is it important for a university like Carnegie Mellon to take the lead on a program
like this? Because at the end, we can't just stay disconnected from our communities. That's number
one. And number two, we really need to start working with our K through 12 educators. It's unfair that we come and say,
oh, we deal with undergrads and graduate students
and we do research
and we don't care about what happens before that.
Universities have an interest
in betterment of the society,
betterment of the world.
Universities try to provide solutions
and we are trying to address this pipeline issue in every way possible.
While some researchers are trying to work on AI solutions that would maximize productivity and maximize the benefit that we can get from humans,
we also have other directions where we try to increase the pipeline through educational outreach programs.
That's Hanan Hibshi from Carnegie Mellon University.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted
by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping
unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
at cyberwire at n2k.com. Your feedback helps us ensure we're delivering the information and insights
that help keep you a step ahead
in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like The Cyber Wire
are part of the daily intelligence routine
of many of the most influential leaders and operators
in the public and private sector,
as well as the critical security teams
supporting the Fortune 500
and many of the world's
preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence
optimizes the value of your biggest investment, your people. We make you smarter about your team
while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Ervin
and senior producer Jennifer Iben.
Our mixer is Trey Hester
with original music by Elliot Peltzman.
The show was written by John Petrit.
Our executive editor is Peter Kilby
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to
your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.