CyberWire Daily - SSSCIP and CISA sign memorandum of cooperation. Tailored security services, or just hired guns? Bringing PSOAs to heel. More credential-harvesting.
Episode Date: July 28, 2022

SSSCIP and CISA sign a memorandum of cooperation. Are private-sector offensive actors tailored security services, or are they just hired guns? Bringing cyber mercenaries to heel. Malek Ben Salem from Accenture on why crisis management is at the heart of ransomware resilience. Our guest is Derek Manky from Fortinet on the World Economic Forum Partnership Against Cybercrime. And more credential-harvesting scams are out in the wild. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/144

Selected reading.
United States and Ukraine Expand Cooperation on Cybersecurity (CISA)
US, Ukraine sign pact to expand cooperation in cyberspace (The Hill)
Untangling KNOTWEED: European private-sector offensive actor using 0-day exploits (Microsoft Security)
Continuing the fight against private sector cyberweapons (Microsoft On the Issues)
Experts Urge Congress to Pressure Commercial Spyware Vendors (Decipher)
Mirroring Actual Landing Pages for Convincing Credential Harvesting (Avanan)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
SSSCIP and CISA sign a memorandum of cooperation.
Are private sector offensive actors tailored security services, or are they just hired guns?
Malek Ben Salem from Accenture on why crisis management is at the heart of ransomware resilience.
Our own Dave Bittner sits down with Derek Manky from Fortinet to discuss the World Economic Forum Partnership Against Cybercrime.
And more credential harvesting scams are out in the wild.
From the CyberWire studios at DataTribe, I'm Trey Hester with your CyberWire summary for Thursday, July 28, 2022.
In another move toward closer U.S.-Ukraine cooperation in cybersecurity, Ukraine's State Service of Special Communications and Information Protection this week signed a memorandum of cooperation with its U.S. counterpart, the Cybersecurity and Infrastructure Security Agency.
The memorandum doesn't initiate cooperation. Rather, it extends and expands the collaboration the two agencies have already enjoyed.
CISA's announcement notes three areas in particular where the two agencies will work together on shared cybersecurity priorities.
1. Information exchanges and sharing of best practices on cyber incidents.
2. Critical infrastructure security technical exchanges.
And 3. Cybersecurity training and joint exercises.
The SSSCIP's deputy chairman described the memorandum's significance.
Quote,
This memorandum of cooperation represents an enduring partnership and alignment in defending our shared values through increased real-time information sharing
across agencies and critical sectors
and committed to collaboration in cultivating a resilient partnership.
End quote.
As The Hill observes,
the focus of earlier stories on U.S.-Ukrainian cooperation in cyberspace
had been on U.S. Cyber Command's unspecified activities related to Russia's war against Ukraine, acknowledged last month in some concise remarks by Cyber Command's General Nakasone during an interview with Sky News.
Quote, We've conducted a series of operations across the full spectrum—offensive, defensive, and information operations.
My job is to provide a series of options to the Secretary of Defense and the President.
End quote.
Microsoft late yesterday released a report compiled by the Microsoft Threat Intelligence Center,
the Microsoft Security Response Center, and RiskIQ that describes the activity of a threat group it tracks as KNOTWEED.
KNOTWEED is regarded as responsible for SubZero malware,
which it provides to or deploys on behalf of its customers.
The group has also exploited Windows and Adobe Zero Days.
The report explains why Microsoft views this threat actor as particularly egregious.
In brief, it's a private company hiring out cyber attack services.
Quote, PSOAs, which Microsoft also refers to as cyber mercenaries,
sell hacking tools or services through a variety of business models.
Two common models for this type of actor are access as a service and hack for hire.
In access as a service, the actor sells full end-to-end hacking tools
that can be used by the purchaser in operations,
with the PSOA not involved in any targeting or running of the operation. In hack-for-hire,
detailed information is provided by the purchaser to the actor, who then runs the targeted operations.
Based on observed attacks and news reports, MSTIC believes that KNOTWEED may blend these two models.
They sell the SubZero malware to third parties,
but have also been observed using KNOTWEED-associated infrastructure in some attacks,
suggesting more direct involvement.
End quote.
The company behind KNOTWEED and its SubZero tool is the Vienna-based outfit DSIRF.
DSIRF's landing page displays a simple quotation.
Quote,
A lie can run around the world before the truth has got its boots on,
end quote,
but without further elaboration.
It's unclear whether that's a sideswipe at researchers
who have characterized the company as a mercenary operation.
The company describes itself as an Austria-based company
with offices in Vienna and Liechtenstein,
providing mission-tailored services in the fields of information research, forensics, as well as data-driven intelligence to multinational
corporations in technology, retail, energy, and the financial sectors. They stress that they offer
fundamental research, quote, our tightly integrated team provides sophisticated intelligence products
which are individually tailored to each client,
end quote. Exploiting zero days would seem at the very least to be taking an expansive view
of business intelligence. Microsoft explains their attribution, quote, multiple news reports
have linked DSIRF to the development and attempted sale of a malware tool set called SubZero.
MSTIC found the SubZero malware being deployed through
a variety of methods, including zero-day exploits in Windows and Adobe Reader in 2021 and 2022.
As part of our investigation into the utility of this malware, Microsoft's communication with
SubZero victims revealed they have not commissioned any red-teaming or penetration testing and
confirmed it was an unauthorized malicious activity. Observed victims to date include law firms, banks, and strategic
consultancies in countries such as Austria, the United Kingdom, and Panama. It's important to note
that the identification of targets in a country doesn't necessarily mean that a DSIRF customer
resides in the same country, as international targeting is common, end quote.
In conjunction with the technical report on KNOTWEED, Microsoft also issued a statement,
quote, continuing the fight against private sector cyberweapons, end quote, that places KNOTWEED and
DSIRF into the context of what Redmond sees as a larger problem, the emergence of PSOAs,
that is, private sector offensive actors.
It views companies like DSIRF, NSO Group, and Candiru as threats that deserve legislative attention. The Permanent Select Committee on Intelligence of the U.S. House of Representatives
held hearings on the matter yesterday. Microsoft's statement to the committee urged that the U.S.
work to advance global norms that would protect human rights and privacy from the wanton use of commercially produced surveillance tools that have enabled
governments around the world to exceed their technical capabilities or legal authorities.
Representatives of Google and the University of Toronto's Citizen Lab testified in person
and, according to Decipher, their testimony was at least as critical of the PSOAs as was
Microsoft's written statement.
And finally, this morning security firm Avanan released a report detailing a specific attack used by cybercriminals: mimicking a landing page in order to get your credentials.
Researchers report that threat actors are sending phishing emails that appear to be from the victim's organization that say that their password is due to expire and include a link to keep or update the password. The link sends the victim to a reCAPTCHA form and then sends them
to a perfectly mirrored login screen with their company email pre-populated in order to make it
look more convincing. The attack is much like that of the phishing-as-a-service subscription group
SpamEgi, but differs in that it targets Google domains. This may signify that the
activity Avanan describes is from a different group. Many of the facets of this attack, including
a mirrored login screen, the pre-populated email address, and the email that appears to be from the
victim's organization, make this scam pretty convincing. But when they look more closely,
wary users will see that the URL doesn't match.
This sort of attack has been seen before. Vigilant users should be on the lookout.
Do you know the status of your compliance controls right now? Like, right now?
We know that real-time visibility is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks.
But get this.
More than 8,000 companies
like Atlassian and Quora
have continuous visibility
into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. Economic Forum's Center for Cybersecurity, an effort that includes experts from private
cybersecurity companies like Fortinet, as well as law enforcement agencies, service and platform
providers, global corporations, and non-profit alliances. An initial result of those efforts
is the Atlas Project, created to better understand the cybercriminal ecosystem,
how to disrupt it, and how to mitigate the negative impact of cyberattacks.
Here's Derek Manky.
What makes this valuable with the World Economic Forum
and the Center for Cybersecurity is it really brings all of this together.
It stitches this together, if you will, under one hood
to concentrate a lot of all of those good efforts that are happening out there,
specifically on cybercrime, specifically on disruption, which, as I'm sure you're well
aware from a lot of the conversations that you and I and other peers in the industry have had,
is the lion's share of activity that we see out there.
Can you give us an idea of how it works from a practical point
of view, the interactions you have with the World Economic Forum and the types of things that they
rely on you to contribute? Yeah, absolutely. So we were a founding partner of the Center for
Cybersecurity in 2019, which is a platform with various projects underneath it,
all aimed towards further enhancing cybersecurity.
Specifically, where we're contributing, me and my team from FortiGuard Labs,
is on the partnership against cybercrime.
And so this journey really started in 2020, the beginning of 2020.
And we all, when I say we, by the way, there's over 40 members initially in the Partnership Against Cybercrime. So it's a really good, already a good
core group that we had between public and private sector. And just to give you an idea, that's,
if you look at the makeup of that, it's a diverse group.
We were talking about law enforcement globally.
We're talking about policymakers.
We're talking about intelligence organizations.
But we're also talking about, of course, security experts on the private sector as well, too.
And the way that we started this to contribute was in 2020, we started, of course, this was at the start of the pandemic. So we actually held a series of virtual workshops, many of them throughout 2020, basically brainstorming, getting all these organizations together, thinking, what can we do?
What's our focus point?
What are the recommendations if we're going to all team up together to disrupt cybercrime?
And that actually led to the release of a report at the end of 2020.
It's the Partnership Against Cybercrime Report.
There were six principles and recommendations that were released
from that report at the end of 2020.
And that led us into, of course, 2021,
looking at how do we actually implement some of these recommendations? Where can we start
and do a proof of concept, which is really what led us to the creation of Atlas.
I see. So it seems to me like this really could function as a conduit for different organizations
who in your day-to-day lives may be competitors with each other. This is an opportunity for you all to sort of set that aside and do something for the common good.
Absolutely.
And that's why I have a lot of passion.
And that's what that's in this.
And I'm quite excited about it.
And it's exactly like you say.
This is putting this all under one hood, making it a neutral space and an environment for all of these
organizations to work together.
We've proved that this can be done in the private sector with the Cyber Threat Alliance,
as an example, where we have competitors working in the space to better, you know, to share
threat intelligence.
But those, of course, are technical indicators, right?
In this case, we're talking about a broader scope, looking at, again, attribution, looking at things like crypto wallets, looking at all these different disruption points, not just infrastructure, but also the who's who and mapping that ecosystem.
And so, yeah, it's absolutely a great environment.
It's been a great journey so far.
And as I said, we're just really beginning at this point.
That's Derek Manky
from Fortinet.
Cyber threats are evolving
every second,
and staying ahead
is more than just a challenge.
It's a necessity.
That's why we're
thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping
unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
And joining me once again is Malek Ben Salem.
She is the Technology Research Director for Security at Accenture.
Malek, it is always great to welcome you back to the show.
You know, ransomware stays in the news and seems as though no signs of abating. I want to touch base with you today about crisis management
in the face of ransomware and your recommendations there.
Yeah.
So as you know, and as you mentioned, Dave,
ransomware continues to be a problem.
We know that year over year, it has doubled in size.
So over 107% increase year over year in ransomware and extortion attacks.
Particularly in the US, 47% of ransomware attacks
are actually for organizations based in the United States.
So this is a problem.
And our research has indicated that the way we're dealing with this is probably, it can be improved, just to say the least.
So we're still dealing with ransomware as a technology or a security problem.
technology or a security problem. However, I think the right approach is to really involve the business people, potentially the board, as we respond to these attacks to understand what's
the impact of the attack. You know, what can we do? What ransomware can be paid or not, right? Those decisions. But also, how do we communicate
to the stakeholders? And that's key. Today, that's not part of the crisis management
preparation or response at this point. Is this a situation where you'd go about it the same way
that an organization would plan for, say, something like a hurricane,
a natural disaster?
I think that's what's happening today is that the existing recovery strategies that are
attuned to traditional business continuity plans are no longer enough, right?
We need business leaders to understand and prepare for ransomware's implications across the whole
organization. The response should be treated as a business risk, but it has to prioritize
the effective crisis management across the enterprise. I think that will be key.
So in terms of what to do or how can businesses improve their ransomware response,
I think business preparedness is key.
Knowing the moving parts that make the business profitable,
the critical processes, their underpinnings,
the downstream dependencies across every area of the organization, and what the organization's priorities are
in the event of an attack, right?
That's key.
Defining an agile communication strategy that considers the complexity of the attack, includes not just the technical perspective, but the business perspective as well, is important.
And then also getting the CEO on board with the testing and validation of attack prevention mechanisms, right?
Perhaps even with the tabletop exercises,
getting those executives included in the simulations
as organizations test their defenses and introduce the risk
and the adrenaline of a real-life attack scenario to them will be key as organizations
prepare for these ransomware attacks. Yeah, I think that's a really interesting point. I mean,
the whole notion of trying to get people in something close to an authentic emotional state,
because I think it's so easy to overlook that when we're sort of coldly calculating,
planning out how we would respond. I think it's important to remember that
people are going to be wound up. Oh, yeah, absolutely. And understanding
who are the key decision makers, right? And perhaps are there certain thresholds
for cases where maybe technology folks can make the decision versus other thresholds where you need the business to make the decision.
And who are those key decision makers is important in the preparation process.
Yeah, absolutely.
All right. Well, Malek Ben Salem, thanks so much for joining us. Thank you.
proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliot
Peltzman, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabey, Liz Ervin, Rachel Gelfand,
Tim Nodar, Joe Kerrigan, Karol Terrio, Ben Yellen, Nick Falecki, Gina Johnson, Bennett Moe,
Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Trey Hester, filling in for Dave Bittner. Thanks for listening. We'll see you back here
tomorrow.