CyberWire Daily - Squarespace's square off with hijacked domains.
Episode Date: July 16, 2024
Some Squarespace users see their domains hijacked. Kaspersky Lab is shutting down US operations. BadPack APKs break malware analysis tools. Hackers use 7zip files to deliver Poco RAT malware. CISA's red-teaming reveals security failings at an unnamed federal agency. Microsoft fixes an Outlook bug triggering false security alerts. Switzerland mandates open source software in the public sector. On our Industry Voices segment, N2K's Rick Howard speaks with Alex Lawrence and Matt Stamper from Sysdig about their 555 Cloud Security Benchmark. Bellingcat sleuths pinpoint an alleged cartel member.
Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
On our Industry Voices segment, N2K's Rick Howard speaks with Alex Lawrence and Matt Stamper from Sysdig about their 555 Cloud Security Benchmark. Learn more about the /555 benchmark.
Selected Reading
Researchers: Weak Security Defaults Enabled Squarespace Domains Hijacks (Krebs on Security)
Kaspersky Lab Closing U.S. Division; Laying Off Workers (Zero Day)
Beware of BadPack: One Weird Trick Being Used Against Android Devices (Palo Alto Networks Unit 42)
New Poco RAT Weaponizing 7zip Files Using Google Drive (GB Hackers)
CISA broke into a US federal agency, and no one noticed for a full 5 months (The Register)
Organizations Warned of Exploited GeoServer Vulnerability (Security Week)
Microsoft finally fixes Outlook alerts bug caused by December updates (Bleeping Computer)
New Open Source law in Switzerland (Joinup)
Exploring the Skyline: How we Located an Alleged Cartel Member in Dubai (Bellingcat)
Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.
Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Some Squarespace users see their domains hijacked.
Kaspersky Lab is shutting down U.S. operations.
BadPack APKs break malware analysis tools.
Hackers use 7-zip files to deliver Poco RAT malware.
CISA's red teaming reveals security failings at an unnamed federal agency.
Microsoft fixes an Outlook bug triggering false security alerts.
Switzerland mandates open source software in the public sector.
On our Industry Voices segment, N2K's Rick Howard speaks with Alex Lawrence and Matt Stamper from Sysdig about their 555 cloud security benchmark.
And Bellingcat sleuths pinpoint an alleged cartel member.
It's Tuesday, July 16th, 2024.
I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today.
It is great to have you with us.
Last week, over a dozen organizations using Squarespace had their domains hijacked.
Squarespace, which acquired Google Domains a year ago, is migrating those domains.
Many customers haven't set up new accounts yet, allowing hackers to exploit this by registering migrated domains using existing email addresses.
The hijacks, occurring between July 9th and July 12th, targeted mainly cryptocurrency businesses.
Attackers redirected domains to phishing sites to steal cryptocurrency.
Security experts from Metamask and Paradigm explained that Squarespace assumed users would log in via social options like Google or Apple, not via email.
Hackers could thus create accounts with unregistered emails, gaining domain access.
Squarespace didn't require email verification, compounding the issue.
This has left domain owners with reduced security and control compared to Google.
A comprehensive guide advises enabling multi-factor authentication,
identifying accessible emails, and securing Google Workspace accounts.
Squarespace has not commented on the incident.
Kaspersky Lab, a Russian cybersecurity firm, is shutting down its U.S. operations and laying off employees after the U.S. Commerce Department banned the sale of Kaspersky software starting July 20.
The ban follows national security concerns that Kaspersky or the Russian government could exploit the software to spy on American customers.
Kaspersky confirmed the shutdown, citing the ban's impact on its U.S. business viability.
The closure affects fewer than 50 U.S. employees, who will receive severance packages.
The U.S. had previously banned Kaspersky software from federal and military systems due to security concerns.
Despite denying any misuse of its software, Kaspersky faced allegations of extracting NSA hacking tools from an employee's computer.
U.S. officials stress the ban protects Americans from potential exploitation by foreign adversaries.
New research from Palo Alto Networks' Unit 42 looks at APK files used by Android OS.
These are packaged as zip archives containing a critical file named AndroidManifest.xml.
This file holds essential application data.
In some cases, attackers tamper with zip headers to prevent analysis, resulting in what are known as BadPack APKs.
Tools like APKtool and JADX often fail to extract content from these tampered files.
Palo Alto Networks' analysis of their Advanced WildFire telemetry from June 2023 to June 2024 identified nearly 9,200 BadPack samples.
These files pose a significant threat by preventing normal extraction techniques and hindering security analysis.
BadPack APKs alter zip header values, leading to discrepancies that break analysis tools but not the Android runtime.
Researchers suggest reversing these changes for successful analysis.
Tools like APK Inspector can handle such tampered files.
Enhanced detection and protection measures,
including multi-factor authentication and monitoring,
are crucial to countering this threat.
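The BadPack item above turns on one detail: the tampering lives in zip header values, so an archive can be inconsistent in a way that breaks extraction tools while still running on Android, and the fix analysts use is to reverse the edits. As an added example (not from the page, from Unit 42, or from any of the tools named above), the Python script below reads an archive's central directory and each entry's local file header, reports every field on which the two disagree, and rewrites the local headers from the central directory values. The APK-like archive it checks is constructed in memory; the specific tamper it applies (changing the local header's compression method so it no longer matches the directory) is an assumption chosen to illustrate one kind of discrepancy, not a claim about which fields real BadPack samples modify.

```python
import io
import struct
import zipfile

# Constructed sample content (not a real app); used only to build the archive under test.
MANIFEST = b'<?xml version="1.0" encoding="utf-8"?><manifest package="example.constructed"/>'
DEX_STUB = b"dex\n035\x00" + b"\x00" * 64

LOCAL_SIG = b"PK\x03\x04"      # local file header
CENTRAL_SIG = b"PK\x01\x02"    # central directory entry
EOCD_SIG = b"PK\x05\x06"       # end of central directory record
FLAG_DATA_DESCRIPTOR = 0x0008  # bit 3: CRC/sizes follow the data, local header holds zeros


def parse_central_directory(data):
    """Walk the central directory and return one dict per entry."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, total, _, cd_offset, _ = struct.unpack_from("<HHHHIIH", data, eocd + 4)
    entries, pos = [], cd_offset
    for _ in range(total):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("central directory signature missing at offset %d" % pos)
        (_, _, flags, method, _, _, crc, csize, usize,
         nlen, elen, clen, _, _, _, lh_off) = struct.unpack_from("<HHHHHHIIIHHHHHII", data, pos + 4)
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        entries.append({"name": name, "flags": flags, "method": method, "crc": crc,
                        "csize": csize, "usize": usize, "offset": lh_off})
        pos += 46 + nlen + elen + clen
    return entries


def parse_local_header(data, offset):
    """Parse the local file header that a central directory entry points at."""
    if data[offset:offset + 4] != LOCAL_SIG:
        raise ValueError("local header signature missing at offset %d" % offset)
    (_, flags, method, _, _, crc, csize, usize,
     nlen, elen) = struct.unpack_from("<HHHHHIIIHH", data, offset + 4)
    name = data[offset + 30:offset + 30 + nlen].decode("utf-8", "replace")
    return {"name": name, "flags": flags, "method": method, "crc": crc,
            "csize": csize, "usize": usize}


def find_header_mismatches(data):
    """Return (entry, field, local_value, central_value) for every disagreement
    between an entry's local header and its central directory record."""
    findings = []
    for central in parse_central_directory(data):
        local = parse_local_header(data, central["offset"])
        fields = ["name", "method"]
        # With the data-descriptor flag set the local header legitimately carries
        # zero CRC/sizes, so those are only compared when the flag is clear.
        if not (local["flags"] & FLAG_DATA_DESCRIPTOR):
            fields += ["crc", "csize", "usize"]
        for field in fields:
            if local[field] != central[field]:
                findings.append((central["name"], field, local[field], central[field]))
    return findings


def repair_local_headers(data):
    """Copy method, CRC and sizes from the central directory back into each local
    header, so that tools which read the local header can extract again."""
    out = bytearray(data)
    for c in parse_central_directory(data):
        struct.pack_into("<H", out, c["offset"] + 8, c["method"])
        struct.pack_into("<III", out, c["offset"] + 14, c["crc"], c["csize"], c["usize"])
    return bytes(out)


def make_tampered_sample():
    """Build a small constructed APK-like archive, then rewrite the local header's
    compression method for AndroidManifest.xml so it disagrees with the central
    directory (stored per the directory, claimed deflated in the local header)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", MANIFEST, compress_type=zipfile.ZIP_STORED)
        zf.writestr("classes.dex", DEX_STUB, compress_type=zipfile.ZIP_DEFLATED)
    data = bytearray(buf.getvalue())
    manifest = next(e for e in parse_central_directory(data) if e["name"] == "AndroidManifest.xml")
    struct.pack_into("<H", data, manifest["offset"] + 8, 8)  # 8 = deflate; the directory still says 0
    return bytes(data)


if __name__ == "__main__":
    sample = make_tampered_sample()
    for entry, field, local_v, central_v in find_header_mismatches(sample):
        print("%s: %s local=%r central=%r" % (entry, field, local_v, central_v))
    print("after repair:", find_header_mismatches(repair_local_headers(sample)))
```

Run against a real archive, the script reads the file bytes once and reports each field that differs; an empty result means the two header sets agree and a failing extraction has some other cause. The repair step deliberately treats the central directory as authoritative, which is an assumption of this example rather than a rule from the page.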
Hackers are using 7-zip files to bypass security measures
and deliver Poco RAT malware effectively.
Discovered by Cofense in early 2024,
Poco RAT targets Spanish-speaking individuals in the mining industry,
initially through Google Drive-hosted 7-zip archives.
By the second quarter of 2024, it reached four sectors,
with mining still being the main target.
The malware, focused on basic RAT functionality,
uses consistent TTPs and exploits legitimate file hosting services
to bypass secure email gateways.
Poco RAT is distributed via direct Google Drive URLs in emails,
links in HTML files, and links with attached PDFs.
Poco RAT employs Poco C++ libraries, arrives as an executable, and establishes persistence via registry keys.
Despite attempts to evade detection, it faces average detection rates of 38% for executables and 29% for archives.
In 2023, a CISA red team exercise exposed significant security failings at an unnamed federal agency.
These SILENTSHIELD assessments, which simulate long-term nation-state threats without prior notice, revealed vulnerabilities in the agency's Oracle Solaris enclave due to an unpatched CVE, leading to a full compromise.
Despite prompt notification, the agency delayed patching the vulnerability and public exploit code emerged, further jeopardizing security.
The Red team accessed the Windows network
via phishing and identified weak passwords.
They found unsecured admin credentials
and gained access to highly privileged systems
termed a full domain compromise.
The exercise highlighted the agency's inadequate logging
and over-reliance on known indicators of compromise.
CISA emphasized defense-in-depth principles,
recommending network segmentation,
and stressing the need to move beyond reliance on IOCs.
It also called for improved software security, logging, and cooperation with security information and event management (SIEM) and security orchestration, automation, and response (SOAR) providers.
In unrelated CISA news, the agency urges federal organizations to patch a critical GeoServer vulnerability due to active exploitation evidence.
This flaw allows unauthenticated remote code execution via unsafe evaluation of XPath expressions.
GeoServer, an open source server for geospatial data, improperly applies XPath evaluation to all feature types.
Federal agencies must identify and patch vulnerable instances by August 5.
Microsoft has resolved an Outlook bug causing incorrect security alerts, identified in February after December updates.
Users reported warnings like "This location may be unsafe" when opening ICS calendar files.
These false alerts stemmed from security updates
which prevented NTLM hash theft via crafted files.
Initially fixed in April, the update was rolled back due to issues found in testing.
The bug was finally fixed in the July 9th update.
Users who applied a registry workaround
should reverse it before installing the update.
Switzerland has enacted the Federal Law on the Use of Electronic Means for the Fulfillment of Governmental Tasks, or EMBAG, mandating open-source software for public sector bodies.
Championed by Professor Dr. Matthias Stürmer, the law aims to reduce vendor lock-in, enhance digital transparency, and cut IT costs.
Public bodies must disclose the source code of government-developed software, ensuring transparency and public contribution unless precluded by third-party rights or security concerns.
Article 9 of EMBAG also allows public bodies to offer related services at cost-covering remuneration to maintain competitive balance.
Despite initial resistance, persistent lobbying led to the law's adoption, which advocates say promotes digital sovereignty, innovation, and collaboration within the public sector.
This legislative milestone may serve as a model for other countries, highlighting OSS benefits like security, cost efficiency, and increased public trust.
Coming up after the break, Rick Howard speaks with Alex Lawrence and Matt Stamper from Sysdig about their 555 cloud security benchmark.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time
checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows
like policies, access reviews, and reporting, and helps you get security questionnaires done
five times faster with AI. Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
On today's sponsored Industry Voices segment,
our own Rick Howard speaks with Alex Lawrence and Matt Stamper from Sysdig about their 555 cloud security benchmark.
Alex Lawrence is the field CISO at Sysdig,
and Matt Stamper is the co-author of the Cybersecurity Canon Hall of Fame book,
The CISO's Desk Reference Guide. He's also the CEO of Executive Advisors Group and, as luck would have it, an advisor to Sysdig.
I started out by asking Alex about their newly proposed cloud-native security benchmark called 555.
Yeah. In essence, it comes down to speed, right? One word to describe the whole thing.
Basically, the concept here is that most security models that people are using today follow a number of practices and business concepts around security that are a little bit behind the times, if we're being perfectly honest.
They're built around an on-premises data center where you had kind of known ingress and egress points.
You could do things a little bit easier.
You controlled a lot more of the environment.
The reality is, as we move to the cloud
and we move to more modern architectures,
you don't really have those same capabilities you used to have.
You have new ones.
You have arguably ones that are maybe a little bit better for your business.
They let you move faster.
They let you automate more.
They let you do a lot of really interesting things with your infrastructure.
That necessitates a change in the security model, right?
You don't have hours and days to respond to threats,
to make changes, to do investigations.
You have literal minutes, right?
Attacks can be executed in seconds in the cloud.
Lateral movement happens in less than 10 minutes in the cloud.
As all these things have changed, we used to go from four hours at the minimum to maybe a couple of days at the maximum for lateral movement.
You don't have that luxury anymore, right? You have to go significantly faster.
And so we produced a benchmark called 555 to help people reconceptualize how they build a good security model and how they build a good security program.
Basically, it just means you have about five seconds to detect. You've got about five minutes to triage, and you've got about five minutes to respond. Pretty simple and straightforward.
As an example of why we need the 555 benchmark,
the Sysdig Threat Research Team described in their security blog back in 2023
an attack against one specific target that only took the hackers five minutes from initial access
to when they found the crown jewels. Sysdig named the attack SCARLETEEL.
And you guys may not know this, but I'm a huge fan of the first principle intrusion kill chain prevention strategy, and I was very pleased to see that the Sysdig analysis described the attack in terms of the intrusion kill chain, an attack that planted a diversion in part of the victim's network, a decoy, so to speak.
They installed and ran some crypto mining software that was very loud and noisy so that they could go off in another part of the network undetected to look for the crown jewels.
So, Alex, can you give us an overview of what happened here?
Yeah, yeah. Just a plug for those guys. They're wonderful. They produce some really great content. If you haven't heard about them before, look them up. If you Google Sysdig Threat Research Team, you'll find lots of great articles they put out there.
And they've got a knack for explaining things in a way that makes sense, right? It's not overly technical, nor is it too generic, right? It actually gives you some decent value.
This attack, SCARLETEEL, is one that's kind of a multi-phased attack. It's actually not dissimilar from things that we've dealt with in the past in terms of complexity of attack and misdirection and things like that.
But in its essence, it's an attack that effectively breaks into your cloud environment. It installs crypto miners, and that really is kind of like the red canary. It's trying to get you to go look at that and look at the shiny object that you can take care of quickly.
And realistically, people like to attack crypto miners and go after them as the security team because they're easy, right? You can detect one. It's XMRig running.
This thing's easy to go find.
You can go do something about that.
Reality is it's trying to distract you
from the bigger thing, right?
Lateral movement is always kind of like
the reward in any cyber attack.
It's how do I persist in the environment?
How do I gain more access to the environment?
And so we're going to go get in.
We'll break in via some exploit or some misconfiguration, we'll install a crypto miner,
and then we're going to go hunt for actual important things, right? We're going to look
for access keys, misprovisioned roles, we're going to go try to gain access to other stuff
we can use at a later point in time. So the Scarlet Eel attack is kind of a combination
of multiple TTPs, where they're trying to break in in various ways, throw in some distractions,
and then go get something that's bigger
to escalate privilege, to persist privilege,
to last longer, to be able to go look
for sensitive information, extract,
exfiltrate data, right?
All those things that we try to prevent and stop
in the cybersecurity world.
So it's generally just kind of a good model of attack
to study in general
because it kind of gives you that multi-pronged approach.
You can dive into a number of aspects of it.
So it's a fun one.
Matt, let me bring you in here.
First, the Scarlet Eel attack campaign is an example of one particular security strategy working, the aforementioned intrusion kill chain prevention strategy.
The potential victims had some holes in their prevention controls across the kill chain. But when the hackers got to the part on the attack path where they had to escalate privilege to get to the crown jewels, they didn't have a way to do that.
This is the kill chain strategy working, right?
The victim broke the kill chain by ensuring privilege escalation didn't happen.
I think you're right.
If you look at what are the conditions precedent that would allow a threat actor to succeed, if you know what those conditions precedent are, and you go through and you start implementing controls or telemetry to help reduce the likelihood of those occurring, and Z requires these conditions to be in place, you now can instruct your infrastructure and operations team, your cloud security teams, to be able to put in those controls and validate that telemetry and visibility.
Can I riff off what Matt just said there real quick, Rick?
If I kind of expose my age and talk about 20-ish some years ago when I first started getting into security, I heard a really fascinating talk about a threat model for an organization called the assumption of a breach.
So they were a large organization. They basically said, we can't ever assume we're not breached, right? There's never a state in which we don't have something going on in our environment.
And so they built their entire security model around that concept. And it stuck with me 20-some years later that this organization basically designed a program that wasn't just preventative and it wasn't just detective.
It was this kind of blend of everything.
I think right now, like Matt was just saying, people focus a lot on configuration.
They focus a lot on setup.
They focus a lot on trying to make sure that they've done their due diligence that when they go into production, they're not going to have something easy to exploit.
The organization I was speaking of had a really novel kind of implementation of
that concept. And kind of what I was getting at was they had a really wonderful blend of both
detective and preventative controls. And so they had spent their time doing their due diligence to make sure that they had a good posture on how they configure their assets.
So that when they went into production, they were doing the things required, but not overly so.
If you're riding, like, a bicycle, you put your helmet on and then you went for a bike ride.
You didn't just go for a bike ride without protective gear.
They did basic stuff.
But they didn't go overboard. They didn't put on elbow pads and knee pads and a full body airbag and all the other stuff.
They did what made sense. They didn't encumber themselves in their program because they knew they were always breached.
And so it was a matter of how much preventative made sense. And then how can I really build robust detective controls?
So if I know that there's always something going on,
what can I put in place?
And what can I do to know when there is a live issue?
So Matt, let me bring this back around to the 555 benchmark.
Putting on your CISO hat,
how do you think about this 555 strategy?
I mean, how do you measure something like that?
And how do you hold vendors accountable to the standard?
Yeah, I think, Rick, to your point, my first reaction when I read the framework is, oh, crap.
You know, our incident response procedures, our incident response plans fundamentally are not up to these temporal
challenges in modern cloud environments. You know, we're still responding in largely manual ways,
doing a lot of manual triage, very kind of cumbersome, laborious type work, trying to
understand what a threat actor is doing. And the epiphany that I had is essentially where I used
to think about things like, what is it that we don't see
that we should see? Why don't we see it? Now it's, what are the things that we're not doing timely
enough that we should be doing in kind of machine or real time and how that might impact our incident
response programs? And so I think one of the critical things is when you put the 555 framework
in play within your own organization,
when you start looking at your tabletop exercises,
when you start looking at your telemetry, ask those tough temporal questions.
You know, would we be able to detect this in the timeframes necessary
to kind of preclude a level of damage or a level of impact?
And if we're not able to detect and respond in those very aggressive timeframes,
what is it that we're not doing
that we need to start doing?
And how do we start fast tracking that,
no pun intended, as soon as possible?
We really don't have the luxury of time anymore
when our adversaries are fundamentally automated
using machine speed techniques
and we're responding in a very kind of manual, cumbersome way.
We have to effectively up our games very quickly.
Yeah, I mean, it's very much about people, procedures, and tools, right?
It's those things combining together to have a quick response.
It's kind of operating at the speed of the cloud.
We all have adopted the cloud, and we love the cloud because of automation. But those same automation techniques exist for our adversaries as well.
And so if we're not updating to meet those same concerns, we need to be doing that yesterday or the day before yesterday.
We're coming to the end of this. So I'm going to ask both of you this question. Alex, let's start with you. What's the big takeaway from this conversation we've just had?
I would be remiss if I didn't make a call out to our 555 framework. We have lots of content online for this. If you go to sysdig.com slash 555, you will find plenty of information on this whole framework that we've been talking about today.
I'll weigh in on that point. It is a must read. If you're a CISO and you're not familiar with this framework, caveat emptor. You really do need to read this.
Takeaway number two for me,
the big thing to kind of focus on here is, again, a security model that looks at your stuff
holistically, right? You can't put all your eggs in one basket. You need to have both a combination
of preventative and detective controls, right?
Blend those things together, because when you do that, you actually have a security model that can achieve this concept of 555.
Even if you're not going for 555 because you're not on the cloud and you're still on-premises, whatever, that's fine.
But think about your model in terms of where attackers are going, right? Update it.
Think about the new age era of stuff.
Work on better response mechanisms.
And if you do nothing else, train your people, right?
Spend your time and your investment and your people and your process,
and you're going to have a better outcome.
Alex, that is great advice.
What I would say is bring temporal challenges front and center
when you look at your security program.
Ask those questions.
How quickly can we respond to this type of issue
or this type of a threat technique
or this type of threat actor
that is operating at machine speed?
And I think one of the things that we need to do
is when we start looking at our incident response
and doing playbooks and doing tabletop exercises,
bring those time scales and time constraints
front and center in them.
It's a great way to validate
whether or not we're literally flat-footed
or we're operating at machine speed
and can keep pace with threat actors
that are doing things that are very novel all the time.
Our thanks to Rick, Alex, and Matt.
You can learn more about the 555 Benchmark
with the link in our show notes.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
the cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And finally, our luxury high-rise desk pointed us to research from Netherlands-based investigative journalism group Bellingcat, which revealed how they pinpointed the luxury Dubai residence of alleged cartel member Janice Kadric in 2023.
Bellingcat's sleuths determined Kadric was renting an apartment owned by Candido Nsui Okomo, the brother-in-law of Equatorial Guinea's president.
Kadric's arrest in Bosnia for alleged organized crime left him under house arrest, but his wife's Instagram posts flaunted her designer outfits against the Dubai skyline.
These posts, showcasing the distinctive pools and landmarks of the Burj Khalifa, the world's largest skyscraper, gave Bellingcat a vital clue.
Bellingcat's team started their investigation by identifying the unique pools and surrounding skyscrapers seen in her photos, confirming the location as the Burj Khalifa.
Next, they analyzed perspective angles from the photos to narrow down the floor level, using visible landmarks as reference points.
Creating a 3D model of the famous skyscraper using Blender, an open-source software,
allowed Bellingcat to match the exact views from the Instagram posts.
By tracing perspective lines and finding the eye level,
they pinpointed the floor level with remarkable accuracy.
Their investigation established Kadric as a renter in the Burj Khalifa, thus exposing a connection to their investigation into dirty money in Dubai real estate.
This geolocation work was a crucial piece of the puzzle in uncovering financial misdeeds.
So next time you're on a digital detective mission, remember, Instagram, perspective angles, and a 3D model can lead you to the truth.
And if you're up to no good, you may want to remind your loved ones
to cut back on posting pics to social media.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
We're privileged that N2K Cyber Wire is part of the daily routine of the most influential leaders and operators in the public and private sector,
from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people.
We make you smarter about your teams while making your teams smarter.
Learn how at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester with original music and sound design by Elliot Peltzman.
Our executive producer is Jennifer Iben.
Our executive editor is Brandon Karp.
Simone Petrella is our president.
Peter Kilpie is our publisher.
And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.