CyberWire Daily - Swapping cyberattacks in a hybrid war. Privateers or just a side-hustle? US CSRB will investigate Lapsu$ Group. Notes on the cyber underworld.
Episode Date: December 5, 2022
Wiper malware hits Russian targets. Microsoft sees an intensification of Russian cyber operations against Ukraine. State policy, privateering, or an APT side-hustle? The US Cyber Safety Review Board will investigate the Lapsu$ Group. Rackspace works to remediate a security incident. The Schoolyard Bully Trojan harvests credentials. Grayson Milbourne of OpenText Security Solutions on attacks on common open source dev libraries. Rick Howard looks at CISO career paths. And trends in ransomware: cybercrime succeeds when the gang runs like a business.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/231
Selected reading.
CryWiper: fake ransomware (Kaspersky)
CryWiper data wiper targets Russian courts and mayors' offices (Computing)
Never-before-seen malware is nuking data in Russia's courts and mayors' offices (Ars Technica)
Russian regions attacked by new wiper posing as ransomware (Cybernews)
Preparing for a Russian cyber offensive against Ukraine this winter (Microsoft On the Issues)
Russia coordinating Ukraine hacks with missiles, could increasingly target European allies, Microsoft warns (POLITICO)
Russia Is Boosting Its Cyber Attacks on Ukraine, Allies, Microsoft Says (Bloomberg.com)
Hackers linked to Chinese government stole millions in Covid benefits (NBC News)
Cyber Safety Review Board to Conduct Second Review on Lapsus$ (US Department of Homeland Security)
Rackspace: Ongoing Exchange outage caused by security incident (BleepingComputer)
Schoolyard Bully Trojan Facebook Credential Stealer (Zimperium)
The Professionalization of Ransomware: How Gangs Are Becoming Like Businesses (LookingGlass Cyber Solutions Inc.)
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Wiper malware hits Russian targets.
Microsoft sees an intensification of Russian cyber operations against Ukraine.
State policy, privateering, or an APT side hustle?
The U.S. Cyber Safety Review Board will investigate the Lapsus$ Group.
Rackspace works to remediate a security incident.
The Schoolyard Bully Trojan harvests credentials.
Grayson Milbourne of OpenText Security Solutions
on attacks on common open source dev libraries.
Rick Howard looks at CISO career paths
and trends in ransomware.
Cybercrime succeeds when the gang runs like a business.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, December 5th, 2022.
Kaspersky has described a newly observed wiper, CryWiper, a pseudo-ransomware Trojan the researchers think is designed to destroy data.
It seems unlikely in their judgment that CryWiper is being deployed for financial gain.
Although it displays a ransom demand with the customary Bitcoin wallet address, files overwritten by CryWiper are permanently unrecoverable.
It focuses on databases, archives, and user documents, not on the victim's operating system.
Kaspersky said in its Friday notice that so far it had observed CryWiper in use only against targets in Russia.
Ars Technica says that CryWiper seems to have affected mostly judicial courts and mayoral offices.
No one is offering attribution, but the selection of targets would seem circumstantially to point to Ukrainian cyber operations.
Microsoft published an appreciation of Russian cyber operations on Saturday.
It begins with a familiar assessment of Russian forces' conventional combat failure,
stating,
"In the wake of Russian battlefield losses to Ukraine this fall, Moscow has intensified its multi-pronged hybrid technology approach to pressure the sources of Kyiv's military and political support, domestic and foreign."
The report notes the combination of missile strikes,
intensified information operations,
and the extension of cyber attacks to targets outside Ukraine proper, notably Poland.
So Microsoft predicts two lines of coordinated attack, neither of which involves conventional ground combat: missile strikes, while the munitions stocks last, and cyber attacks.
In both cases, the targets are infrastructure.
The GRU cyber operations unit Microsoft tracks as Iridium is likely to play a significant role in the next phases of the hybrid war.
The group has a strong track record of attacks against civilian infrastructure and has also shown an indifference to the effects of its operations on others than the primary targets.
Indeed, the effect of NotPetya on companies, especially logistics companies, in 2017 suggests that those effects were not so much unintended collateral damage as they were welcome side benefits.
Deployment of wiper malware during the present war has had mixed results and has in general fallen short of what Russian commanders might have wished, but it represents an ongoing threat.
The group's recent deployment of Prestige ransomware against targets outside Ukraine suggests a continued willingness to hit countries that support Ukraine's cause.
Microsoft says it intends to follow an approach built around what it calls the four Ds: detect, disrupt, defend, and deter.
These are inherently cooperative activities, and Microsoft says it will be working with its customers in support of democracies.
It's unclear what authorities were in play,
but NBC News reports that a U.S. Secret Service investigation
has attributed a wave of COVID relief fund fraud to APT41,
a threat actor that customarily works on behalf of the Chinese government.
The fraud was very widespread and a great deal was stolen,
but whether the APT was stealing under orders, was privateering,
or was simply permitted to enjoy a profit from a side hustle is unclear.
The U.S. Cyber Safety Review Board, established in February of this year, has announced that it's undertaking an investigation of the Lapsus$ Group, the international extortion gang, many of whose members are teenagers.
The Lapsus$ Group has had an impact on organizations far out of proportion to its perceived skills and resources.
This represents the Cyber Safety Review Board's second investigation since its founding.
The first, completed in July, was an examination of the Log4j family of vulnerabilities.
Late Friday afternoon, cloud service provider Rackspace disclosed that its customers were experiencing difficulties with the company's hosted Exchange environments.
On Saturday, the company explained, "On Friday, December 2, 2022, we became aware of an issue impacting our hosted Exchange environment. We proactively powered down and disconnected the hosted Exchange environment while we triaged to understand the extent and the severity of the impact. After further analysis, we have determined that this is a security incident."
Through yesterday, Rackspace was contacting customers and advising them on workarounds available to restore alternative services, but they remained unsure when the hosted Exchange environments might return to normal.
Early this morning, the company advised customers to restore email service by moving to Microsoft 365.
The exact nature of the security incident is unclear, but BleepingComputer shares some informed outsider speculation that suspects it might have involved exploitation of the ProxyNotShell vulnerability discovered in September and addressed by Microsoft last month.
A Shodan search by researcher Kevin Beaumont is said to have indicated
that Rackspace was running a vulnerable Microsoft Exchange server build.
Mobile security firm Zimperium has discovered an Android threat, the Schoolyard Bully Trojan.
The Trojan has been active since 2018 and primarily targets Vietnamese readers.
The Trojan has the ability to steal credentials from the Facebook accounts of victims, including email, phone number, password, ID, and name.
Schoolyard Bully disguises itself as a reading or educational app, IT World Canada reports.
The malware also uses JavaScript injections to show phishing pages designed to look like a Facebook login screen so that the victim's credentials can be stolen.
these details by using WebView to open a legitimate Facebook login page inside the app and injecting malicious JavaScript to extract the user inputs.
Vietnamese readers are the primary target of the Trojan, but the malware has been seen victimizing over 300,000 people in 71 different countries.
Zimperium, however, acknowledges that infected applications still exist in some third-party app stores.
The bullies look a lot like those involved with FlyTrap, Zimperium reports.
FlyTrap involved Vietnamese threat actors creating and spreading applications.
This Trojan also targets Vietnamese readers, but despite the geographical coincidence, the researchers discovered enough differences between the code samples for them to conclude that in all probability there's no direct connection between FlyTrap and Schoolyard Bully.
And finally, LookingGlass this morning published a report on attacks by organized ransomware gangs during the first half of 2022, finding that these groups continue to grow increasingly professionalized.
The researchers also point out the similarities between ransomware gangs and legitimate technology businesses, stating, "Groups have started to incorporate business practices such as finance departments, human resources, and even naming employees of the month. These are not the loosely affiliated groups of the past. Rather, they are highly professionalized organizations with quarterly revenue targets and even customer service teams."
The top players are the most organized.
LookingGlass notes that the majority of targeted ransomware attacks in the first half of 2022 were launched by the top 15 most active gangs.
To mention just the top three, the leaders during the period covered by the report were LockBit, Conti, and ALPHV.
After the break, Grayson Milbourne from OpenText Security Solutions on attacks on common open source dev libraries.
Rick Howard looks at CISO career paths.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And it's always my pleasure to welcome back to the show the CyberWire's own Rick Howard.
He is our chief security officer and also our chief analyst.
Rick, welcome back.
Hey, Dave.
So on our CyberWire Slack channels this week, you have been making some noises.
And by making noises, I mean running around with your hair on fire about some sort of all hands on deck at the CyberWire hash table.
So what's going on here, my friend?
For the CSO Perspectives podcast,
we put a call out to our collection of subject matter experts,
you know, a little over 30 in all at this point.
You know, these are CISOs, CIOs, CEOs, and board members
to see if they had any thoughts or advice about how cybersecurity newbies could become CISOs sometime in their career.
And, oh, my God, Dave, almost half of them responded with really good advice.
So, you know, we had our hands full.
Yeah.
Well, I mean, it's my experience that if you get more than one CISO in a room and ask them a question, you're going to get a lot of answers.
Was there any kind of consensus that formed after talking to all these experts at your hash table?
Well, you're right about that.
If there is a trait that we can assign to most CISOs, it is that we all have opinions about how things should get done.
All right.
And we all think we're right.
So, including me.
All right.
So, and advice for newbies on how to become CISO was no different.
But I will tell you that a consensus did emerge.
And I think your listeners who aren't CISOs will be surprised to learn what that top advice was.
And I think that is what they call in the business a teaser.
So you will have to subscribe to CyberWire Pro to find out. You can find out all about that over on the CyberWire webpage.
You've outed me, Dave. You've totally outed me.
Every week, you unvault an older episode of the CSO Perspectives archives,
and you make that available to the public. What do you have in store for us this week?
Yeah, so CSO Perspectives is all about cybersecurity first principle strategies and tactics.
And this episode is from the Rick the Toolman series and talks about zero trust as a first principle strategy, but more specifically, the zero trust tactic of vulnerability management.
I think a lot of folks would say that vulnerability management is kind of the meat and potatoes of cybersecurity.
Is that on track?
Well, it's definitely table stakes for any cybersecurity professional, but it is so much more than just patch management, which is complicated enough.
But when you think about it, it's really a cyber threat intelligence task.
It's a DevSecOps task and should somehow automatically feed into your risk management program.
So, it's way more complicated than most people think it is.
Well, before I let you go, what is the word of the day over on your WordNotes podcast?
This is a good one. We're explaining AES. That's Advanced Encryption Standard.
And you can make the case that AES is the glue that holds most every internet transaction together.
So come look forward.
That'll be a fun little WordNotes episode for everybody.
All right.
Well, you can find out all about all of these things
over on our website, thecyberwire.com.
Rick Howard, thanks for joining us.
Thank you, sir.
And joining me once again is Grayson Milbourne.
He is the Security Intelligence Director at OpenText Security Solutions.
Grayson, welcome back to the show.
Hey, Dave. Glad to be here again.
I want to touch base with you about some security concerns that folks are having when it comes to open source development libraries. What sort of things can you share with us today?
Yeah, well, I mean, open source is a fantastic thing. And I love the community, and the amount of peer-reviewed development has, I think, launched software forward faster than probably any other single community.
But the problem with that is that threat actors always look at how people are using convenience to make their lives better and how they can disrupt that.
And unfortunately, what we started to see are examples of attacks on code repositories.
And so just for example, like in Python, there's a tool called PyPI.
Java or TypeScript has NPM.
But these are basically package management systems that allow you to install additional libraries to support the type of development that you're looking to do.
So like when you just default install Python, for example, it comes with the Python library, but it doesn't include so many of the millions of other projects that are out there.
And so what we've seen is that attackers are starting to go after some of these repositories, and they're kind of doing it in a couple of crazy ways.
And so the idea behind security in open source is that there's a review process and that updates to the code are community approved.
And so what we've seen is some examples of poisoning of those communities, where the person who reviews it is in on it and you have a peer review from a poisoned partner.
And so malicious code gets committed and can then be distributed.
And what's dangerous about that is, as a developer, I'm writing some application that's benign, but I need this library, and I don't want to do all that development work, so I grab it.
And all of a sudden, I've now included something in my code that, just by adding that to my code, has trojanized my application.
And so that's a really scary concept in that I can now unknowingly be distributing malware. And we've actually seen this at scale.
Now, this is a little different from attacking open source libraries. But at the end of, or the beginning of 2020, we had the SolarWinds attack.
And that was, you know, the SolarWinds Orion platform, which is their remote management platform, was Trojanized.
And they didn't realize it, and they distributed this out to all of their customers, delivering a security solution that contained a Trojan.
And so I think the cybercrime community saw the benefit and the cost savings: attacking a trusted vendor and having them distribute your code out to all of your potential targets is a much easier way to break in than, you know, going after all of those targets.
And so I think an extension of that has been these attacks on open source. And so as I mentioned, one of them is definitely trying to poison legitimate packages.
But another one we've seen is kind of borrowing from a really common technique that we see in the business email compromise space, as well as the phishing space, and that's typosquatting.
And basically hoping that, you know, as a developer, we all probably type pretty quick, but not with 100% accuracy, I'll have to say. So, yeah, right? Sometimes I put that E before the L or the S before the T.
And, you know, what we've seen is that there's a lot of these out there that are basically waiting for somebody to type the wrong thing and inadvertently infect themselves.
So what's to be done here?
I mean, obviously the benefits of open source software are clear,
but how does an open source community protect itself?
So I think this is like a challenge for that open source community, and I think it comes down to having a proper hierarchy of review.
And, you know, depending on the component that's being modified, I mean, you might need more eyes on it.
You know, I think this is not a problem that's simply solved.
I think some of this is easy to solve, right? So we look at typosquatting.
Some of these communities have discovered that, hey, somebody put this package here that's two letters off or jumbled up a little bit, and they realize that it's malicious. And so then they remove it.
So I think the communities themselves need to do a better job of vetting the content within.
And really, since we've seen these attacks on GitHub as well, PyPI, NPM, these communities have already done a lot to now retroactively review and identify and have actually even found several examples of malicious updates.
So, you know, I think there's no silver bullet to the solution. I think it's one of the costs, perhaps, to having open source development, is that sometimes you have a bad egg out there.
And so it just requires a bit more review.
But that said, I mean, the bugs that you can find in open source are sometimes much worse than bugs you can create in your own development environment and vice versa.
I think it's really more about ensuring that what you get is what you expect.
And so I think this is another way that attackers are trying to get in between that level of trust of, you know, oh, this is open source, I can trust it. If somebody has reviewed this, I don't need to.
And whenever there's that kind of leap of trust, I think that also creates an opportunity for exploitation, and I think that's what we've seen here.
All right. Well, Grayson Milbourne, thanks for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly
and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your
regular segment called Security, huh? I join Jason and Brian on their show for a lively discussion of the latest security news every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Trey Hester, Brandon Karp,
Thanks for listening. We'll see you back here tomorrow.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.