CyberWire Daily - TA444 and crypto theft on behalf of the Dear Successor. CryptoAPI spoofing vulnerability described. New Python-based malware campaign. User headspace. Tanks vs. hacktivists.
Episode Date: January 25, 2023
How do the North Koreans get away with it? They do run their cyber ops like a creepy start-up business. A spoofing vulnerability is discovered in Windows CryptoAPI. Python-based malware is distributed... via phishing. MacOS may have a reputation for threat-resistance, but users shouldn't get cocky. DevSecOps survey results show tension between innovation and security. Russian hacktivist auxiliaries hit German targets. Tim Starks from the Washington Post Cyber 202 shares insights from his interview with Senator Warner. Our guest is Keith McCammon of Red Canary to discuss cyber accessibility. And private sector support for Ukraine's cyber defense.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/16
Selected reading.
TA444: The APT Startup Aimed at Acquisition (of Your Funds) (Proofpoint)
Exploiting a Critical Spoofing Vulnerability in Windows CryptoAPI (Akamai)
Securonix Security Advisory: Python-Based PY#RATION Attack Campaign Leverages Fernet Encryption and Websockets to Avoid Detection (Securonix)
BlackBerry's Inaugural Quarterly Threat Intelligence Report Reveals Threat Actors Launch One Malicious Threat Every Minute (BlackBerry)
Global CIO Report Reveals Growing Urgency for Observability and Security to Converge (Dynatrace)
Russian 'hacktivists' briefly knock German websites offline (Reuters)
How Microsoft is helping Ukraine's cyberwar against Russia (Computerworld)
CISA Releases Two Industrial Control Systems Advisories (CISA)
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout. That's joindeleteme.com/n2k, code n2k.
How do the North Koreans get away with it?
They do run their cyber ops like a creepy startup business.
A spoofing vulnerability is discovered in Windows CryptoAPI.
Python-based malware is distributed via phishing.
Mac OS may have a reputation for threat resistance, but users shouldn't get cocky.
Some DevSecOps survey results show tension between innovation and security.
Russian hacktivist auxiliaries hit German targets.
Tim Starks from the Washington Post Cyber 202
shares insights from his interview with Senator Warner.
Our guest is Keith McCammon of Red Canary to discuss cyber accessibility
and private sector support for Ukraine's cyber defense. From the Cyber Wire studios at DataTribe,
I'm Dave Bittner with your Cyber Wire summary for Wednesday, January 25th, 2023.
Akamai this morning released research detailing their analysis of a critical spoofing vulnerability, CVE-2022-34689, affecting Windows CryptoAPI.
The vulnerability allows for malicious actors to feign a genuine entity's identity and perform certain actions.
According to Microsoft, this vulnerability allows for attackers to spoof their identity and perform actions such as authentication or code signing as the targeted certificate. CryptoAPI is the
primary Windows API handling cryptography, particularly certificates. Akamai says exploitation
has two primary steps. In the first, malicious actors take a legitimate certificate, modify it,
and serve the modified version to the victim. The second phase involves creating a new certificate whose MD5 collides with the modified legitimate certificate
and using the new certificate to spoof the identity of the original certificate's subject.
The vulnerability, though rated critical, was only given a CVSS score of 7.5.
Researchers attribute that rating to the limited scope of vulnerable applications and Windows components in which the vulnerability prerequisites are met.
Securonix describes an attack campaign that's using a Python-based remote access Trojan
dubbed PY#RATION.
Securonix observed the first version of PY#RATION in August 2022,
and the malware has been updated several times since. The RAT is distributed via phishing emails
written in English containing malicious zip files. The zip files contain LNK files disguised as JPEG
images showing a UK driver's license. The researchers believe the campaign is targeting
users in the UK or other English-speaking countries. After installation, the malware
can carry out a wide variety of malicious activities associated with other RATs,
such as keylogging and data theft. BlackBerry has released its quarterly
threat intelligence report for the fourth quarter of 2022,
looking at various threats facing desktop and mobile devices.
The researchers note that while macOS is often viewed as being more secure than other operating systems,
users frequently install malicious or unwanted software on their Apple devices,
stating, during the 90-day reporting period,
the malicious application Dock2Master was the most seen threat on macOS. BlackBerry researchers
noted that a whopping 34% of client organizations using macOS had Dock2Master on their network,
where it was found on 26% of their devices. BlackBerry hasn't forgotten Windows, in case you're wondering,
and their study is by no means a hit piece on macOS.
Windows systems have their characteristic threats, too.
BlackBerry found that Redline was the most active info-stealer targeting Windows systems.
The point is, perhaps, that no operating system or the applications built for it can be
proof against incautious users. Caveat clicker, as the Romans would have said if Nero had the
internet. Dynatrace has published a study looking at the challenges of maintaining security during
DevOps processes. The survey of 1,300 CIOs and senior DevOps managers found that over a third
of respondents are forced to sacrifice code security to keep up with the demand for faster
innovation. A few of the other findings they list, 90% of organizations say digital transformation
has accelerated in the past 12 months, 78% deploy software updates into production every 12 hours or less,
and 54% say they do so at least once every two hours.
DevOps teams spend nearly a third of their time on manual tasks
involving detecting code quality issues and vulnerabilities,
reducing the time spent on innovation.
55% of organizations make trade-offs between quality, security, and user experience
to meet the need for rapid transformation.
And 88% of CIOs say the convergence of observability and security practices
will be critical to building a DevSecOps culture.
And 90% say increasing the use of AIOps will be key to scaling up these practices.
The tension between competing goals is familiar. All managers want it faster, cheaper, and better.
Maybe start the process by picking two. Reuters reports this morning that Killnet responded
to the German government's decision to supply
Leopard tanks to Ukraine by hitting a range of German sites with distributed denial-of-service
attacks. They were generally brief in duration and amounted to little more than a minor nuisance,
Germany's BSI cybersecurity agency said. Currently, some websites are not accessible.
There are currently no indications of direct effects on the respective service,
and according to the BSI's assessment, these are not expected if the usual protective measures are taken.
So, Killnet's got some script kiddies.
The Leopard has a 120mm smoothbore.
Our hybrid warfare desk thinks that the latter is likely to prove more disruptive
than the former. Kiev has often acknowledged the contribution private sector corporations
have made to its cyber defense and IT resiliency over the course of Russia's war. Computerworld
has an account of how one company in particular, Microsoft, has helped. The assistance rendered
has been, the piece argues, both principled and the working of enlightened self-interest.
Computerworld says, Microsoft isn't just trying to help defend a country under siege from an
aggressive, more powerful neighbor. Russian cyber attacks against Ukraine can also get loose in the
wild and do damage to enterprises and organizations that rely
on Microsoft technology. Russia could also deliberately target private companies with
those attacks. By helping Ukraine, Microsoft also helps its customers, and it happens to be good PR
as well. Russian cyber attacks against Ukraine had gotten loose in the wild even before last
year's invasion, with NotPetya being
the most prominent example. Microsoft has provided both threat intelligence and the sort of hardening
and resiliency that have helped Ukraine keep its networks up and running. Computerworld summarizes
the effects, stating, Ukraine has so far defeated Russia in the cyber war. Russia's once feared
hackers threw everything
they had against Ukraine, including trying to shut down the power grid, disable government
networks, and kill satellite communications. They failed every time. In full disclosure,
we note Microsoft is a CyberWire partner. CISA yesterday issued two industrial control system advisories.
As always, users are counseled to apply updates per vendor instructions.
And finally, whether you're in San Jose or Sinanju, it's the same jading story.
As Proofpoint puts it in the study they released this morning about a North Korean APT, TA444,
A startup is a startup,
whether you're a cool disruptor or an uncool grifter.
North Korean state-run threat actors are distinctive in that they're at least as focused on stealing money
as they are on stealing information.
Proofpoint explains,
TA444, which overlaps with public activity called APT38, BlueNoroff, Black Alicanto,
Stardust Chollima, and Copernicium, is likely tasked with generating revenue for the North Korean
regime. Pyongyang's chronic financial hardship is the function of a failed economy, one kept down
by global odium and international sanctions. So, the regime turns
to cybercrime to help keep itself together, able to buy the expensive stuff that, for example,
a nuclear weapons program needs. Recently, TA444 has turned its attention to cryptocurrencies,
selecting its victims and shaping its phish bait to suit the victim's probable
susceptibilities. In doing so, the threat actor has been quick and opportunistic,
in a way that, while morally objectionable, is operationally a good thing,
from TA444's point of view. They're acting like a startup in their focus on success and their
devotion to trying whatever seems likely to work.
Proofpoint sourly observes, while we do not know if the group has ping pong tables or kegs of some
overrated IPA in its workspace, TA444 does mirror the startup culture in its devotion to the dollar
and to the grind. Who knows? All of that stolen altcoin can't be going to
ballistic missile R&D. Your hackers need some R&R, don't they? Proofpoint's got a point here
that they don't need to prove. Ping pong and IPAs don't necessarily make for a healthy organizational
culture. We've always preferred shuffleboard and a nice gose like those at Full Tilt down the block in Baltimore, where our editorial staff hangs out.
Ping-pong and IPAs? Come on, Pyongyang, you're not competing in Barmageddon.
Show some self-respect, Mr. Kim. I mean, you're supposed to be the banner of all victory and glory and not some tacky crypto bro.
Or so we hear.
We note that in this report, Proofpoint is clearly having a lot of fun
and it's worth a look.
Coming up after the break, Tim Starks from the Washington Post Cyber 202
shares insights from his interview with Senator Warner. Our guest is Keith McCammon of Red Canary to discuss cyber accessibility.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security
questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta
when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off. And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365,
with Black Cloak. Learn more at blackcloak.io.
Many small companies simply don't have the resources to hire dedicated cybersecurity staff.
And while there are many options available for them and plenty of offerings for them to consider,
there's still a significant gap when it comes to cybersecurity accessibility.
Keith McCammon is CSO and co-founder of security firm Red Canary,
and I checked in with him for insights on the cybersecurity haves and have-nots.
We're doing better than we were.
I'm very much an optimist when it comes to accessibility of security solutions.
And I'd say even security of software and platforms is far better than it was when I started doing this 20-some years ago.
Platforms are more secure by default, I think we're starting to understand what works and the
types of controls and changes that have the broadest impact. That said, at the lower end
of the market, the small and mid-enterprise, the cost of some of those solutions still exceeds what
they're willing to or can support paying. So we definitely have some work to do when it comes to particularly like
starting at the smallest enterprises or businesses and moving up right into what we think of as the
traditional enterprise with thousands of employees. And is this primarily an issue of expense here?
We all know cybersecurity people are expensive to hire.
Expense is one component of it. I think there's two things. Zooming out, the first thing folks have to do is have an understanding of the problems
that they're most likely to face and the fact that they're likely to face them. And so helping
folks to, you know, we say things like threat modeling, and we talk about threat intelligence.
And when you're dealing with a mature enterprise, and you're talking to peers and other information security professionals, those words resonate and they make sense.
That's not something you should expect someone in a small or even some, you know, most mid-sized businesses to understand.
And so one component
is the expense of hiring people. But I'd say if you back up from that, it's just helping to do a
better job, educating folks, helping them understand the threats that they're most likely to face,
where and how those things are most likely to materialize, and the likelihood that those
things are going to happen to them. When we think about things like threat modeling and threat intelligence,
we tend to think of those by default as being very organization-specific.
The one thing that we need to help folks understand
before they start to do that calculus with respect to hiring people
or bringing on board services is just helping them understand
that baseline threat
model that we all share, right?
Ransomware has been a great equalizer there.
And it's pretty fair to say that virtually every business of any meaningful size is now
equally likely to be the target of a ransomware attack.
And so just helping folks understand that, helping to simplify
some of those concepts, helping to educate, I think it's the first step. And then at that point,
folks are in a position to make a well-informed decision in terms of investing, whether that's
people, technology, services. And how do you envision that sort of outreach taking place? How do we reach these folks who need these seeking out this information unless they've already got someone on staff from a technology or security standpoint who's starting to look ahead and really kind of pushing that agenda and helping to kind of drive that understanding.
So it's equal parts good and bad news.
But the prevalence of attacks like ransomware, business email compromise, things like that, just the media coverage of them in
general means that I think there's a baseline level of awareness now in smaller and mid-sized
enterprises that didn't exist before. And that's despite the fact that it's obviously a negative
consequence when those things happen, the fact that we're starting to talk more openly about them is positive. And I think in particular, where that's materializing and how we're reaching
them, sometimes in a roundabout way, the obvious efforts, things like community outreach,
local user groups, information security organizations, particularly those at the
local level, where they're bringing folks together, setting up events, conferences, things like that.
Those are all good mechanisms to get folks who are interested access to the information and the people that can help.
On the business side, I think what we're seeing now, which is also a positive outcome or a silver lining, is that boards, CEOs, legal counsel, and folks like that,
they're starting to ask more questions about cybersecurity readiness and whether the business is prepared to detect and respond to the cyber attacks that are most likely. And so that's,
you know, for better or worse, I think that's how those two angles of attack, through community outreach, and I'd call it grassroots or bottoms-up efforts to educate and share information, coupled with media coverage, things like the impact of ransomware on cyber insurance, and that other educational motion or information sharing motion.
That's how we're reaching more of the business folks,
particularly in those small and mid-enterprises than we were before.
That's Keith McCammon from Red Canary.
And joining me once again is Tim Starks.
He is the author of the Cybersecurity 202 at the Washington Post.
Tim, always great to welcome you back.
Always great to be back. Well, you have, I have to say, a really interesting interview in the 202 this morning.
You caught up with Senator Mark Warner.
Yeah, kind of an important fellow in the cybersecurity world,
especially as it pertains to the Hill.
You have him co-founding the Senate Cybersecurity Caucus,
which he still leads,
and the Senate Intelligence Committee, which he is the chair of.
So he has both a focus and an interest and a jurisdiction that matters.
Yeah. Well, take us through some of the highlights of the interview here.
What are some of the things that caught your attention?
So I think some of the things that caught my attention the most were certainly his focus on healthcare and his concern about ransomware attackers going after the healthcare sector and finding the healthcare information.
We're talking about the very private information that, you know, were to be posted online would
be pretty bad for the organizations they took it from. And it being valuable. It's something that
you can reuse in attacks. So he's very concerned about that.
One of the interesting elements of that was that he talked about this a little bit in a report where there's just so many agencies that touch healthcare cyber, 16 in all.
And he said nobody's in charge, which was an interesting thing, I thought, for him to say,
considering we have the National Cyber Director, we have Anne Neuberger at the NSC who does this, we have Jen Easterly, we have the FBI,
we have, I mean, there's just so many people who are involved. And what he was saying was
that even with all of that, it still is not clear who is really in charge. And that's
something that we've heard from people on and off. And it sounds kind of wonky and like,
oh, it's just moving the boxes, it's personnel stuff. But I think it's important in the cyber world in particular, because if you
talk to the private sector, one of the things they say most often is, when I get attacked,
I don't know who to go to. And there is an answer from the administration. And it's a coherent
answer. But it's a complicated answer. It's not an easy, this is the person. It's for this,
you need to go to this person for this, you need to go to this person. So that was interesting to me. Another highlight
was that he seems very interested in exploring some of the things you and I have talked about
a little bit before. The whole national security cyber threat overlap where rules of war come into
play. One of the things that we've discussed is the NATO Article 5 rule,
which says if an attack on one member is an attack on all,
therefore you can provide a collective response.
That has not been invoked very often.
It's only been invoked once that we know of,
and it has not been invoked for cyber.
So he's talked about wanting to address that and explore that.
It's a very complicated and difficult topic to address. So that's interesting. He kind of made news in every piece of the
question I asked him. So we could talk about what he said about TikTok. We could talk about what he
said about the cyber incident response law. Yeah, let's start with TikTok here. I think he had some
interesting things to say. Yeah, he's been one of the Democrats who's been pushing the notion of a
potential full ban on TikTok, or at least a ban on using it in the government, exploring ways to
limit it. He has been one of the leading voices on the Democratic side for that. First off, he's not
as concerned anymore about the privacy point. And I think that's a valid thing to back off of.
It's not that there aren't privacy concerns about TikTok. It's not that there aren't privacy concerns that people should have or not have about the China ownership.
But in a lot of ways, the privacy piece of what's potentially upsetting about TikTok is not a lot different than the piece for Facebook or Twitter or any other social media platform.
He was saying that he, and this is something that we've actually seen from a number of TikTok critics, they're moving in this direction.
They're concerned about the way TikTok controls messaging.
And, you know, the fact that if China owns it and they're sending one message to China and another message to the U.S., that's something that he's not so sure that the Committee on Foreign Investment in the United
States, which is this multi-agency committee that decides what happens when someone from
another country tries to put a significant investment in a U.S. company, he's not sure
that that's equipped to handle some of these national security slash cyber concerns like
TikTok, like Huawei, like Kaspersky was another one he mentioned.
So if he's looking
at a mechanism that is different than CFIUS, which we've had for a very long time in this country,
that could be a very interesting policy development too. Yeah. Real quick, what did he have to say
about the cyber incident notification law? Yeah, he was one of the first people who put out the
idea that we needed, you know, this is after SolarWinds was such a big, big deal. He was one of the first people to put out the idea that we really need to have
a way for companies to be mandated to report when they get hit by a major hack. And he had put some
very strict terms on this. He was thinking of like 24 hours. He was including companies that weren't
just companies that got hit, but companies that were incident response companies that were helping those companies.
And a lot of that got cut, even though, again, he was one of the originators of the idea.
And he indicated his disappointment with that and how that worked out.
Another thing he said was that he did not like the amount of time that it would be required to enact that into law.
The law was passed in early 2022,
and there is an approximately three-year period of rulemaking
that actually will make it go into effect.
And he mentioned he was concerned that it might string out for longer than that.
If you follow the federal government,
occasionally they don't meet their deadlines on things like this.
So I think that's what he was getting at.
He said he didn't want this to last five years,
and he talked about maybe we can see that by going back and revisiting this.
I don't know if there's going to be enough momentum for him to do that,
but it's an interesting thing that we should keep an eye on
because, as he said, if there's another big major...
He actually used holy heck. I don't know if that's a Virginianism.
But he said if there's another holy heck moment like that, like a SolarWinds or like
a Colonial Pipeline, he's not sure that people are going to be happy with this thing still being
gestating. Yeah. Well, it's an interesting interview and I do recommend folks check it
out. It's over at the Cybersecurity 202 at the Washington Post. Tim Starks,
thanks so much for taking the time for us today. Always, always. Thank you.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com
today to see how a default deny approach can keep your company safe and compliant.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
This episode was produced by Liz Ervin and senior producer Jennifer Iben.
Our mixer is Trey Hester, with original music by Elliot Peltzman.
The show was written by John Petrick.
Our executive editor is Peter Kilby, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard.
Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.