CyberWire Daily - Taking steps to stop a Chinese APT. Implementing the US National Cybersecurity Strategy. LokiBot is back. Malware masquerading as a proof-of-concept. Swapping cyber ops in a hybrid war.
Episode Date: July 13, 2023

CISA and the FBI issue a joint Cybersecurity Advisory on exploitation of Microsoft Exchange Online. Implementing the US National Cybersecurity Strategy. FortiGuard discovers a new LokiBot campaign. Training code turns out to be malicious in a new proof-of-concept attack discovered on GitHub. Russia resumes its pursuit of a "sovereign Internet." The GRU's offensive cyber tactics. Chris Novak from Verizon discusses business email compromise and the 2023 DBIR. Our guest is Joy Beland of Summit 7 on the role of Managed Service Providers in the supply chain to the Defense Industrial Base. And a probable Ukrainian false-flag operation. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/132

Selected reading.
CISA and FBI Release Cybersecurity Advisory on Enhanced Monitoring to Detect APT Activity Targeting Outlook Online (Cybersecurity and Infrastructure Security Agency CISA)
Enhanced Monitoring to Detect APT Activity Targeting Outlook Online (Cybersecurity and Infrastructure Security Agency CISA)
How a Cloud Flaw Gave Chinese Spies a Key to Microsoft's Kingdom (WIRED)
Chinese hackers breached U.S. and European government email through Microsoft bug (Record)
FACT SHEET: Biden-Harris Administration Publishes the National Cybersecurity Strategy Implementation Plan (The White House)
National Cybersecurity Strategy Implementation Plan (White House)
LokiBot Campaign Targets Microsoft Office Document Using Vulnerabilities and Macros (Fortinet Blog)
New PoC Exploit Found: Fake Proof of Concept with Backdoor Malware (Uptycs)
Russia Is Trying to Leave the Internet and Build Its Own (Scientific American)
The GRU's Disruptive Playbook (Mandiant)
Hack Blamed on Wagner Group Had Another Culprit, Experts Say (Bloomberg)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
CISA and the FBI issue a joint cybersecurity advisory
on exploitation of Microsoft Exchange Online.
Implementing the U.S. national cybersecurity strategy,
FortiGuard discovers a new LokiBot campaign.
Training code turns out to be malicious in a new proof-of-concept attack discovered on GitHub.
Russia resumes its pursuit of a sovereign Internet.
The GRU's offensive cyber tactics.
Chris Novak from Verizon discusses business email compromise and the 2023 DBIR.
Our guest is Joy Beland of Summit 7 on the role of managed service providers in the supply chain to the defense industrial base.
And a probable Ukrainian false flag operation.
I'm Dave Bittner with your CyberWire Intel briefing for Thursday, July 13th, 2023. We begin with some follow-up to a cyber espionage campaign that's troubled the U.S. government over the past weeks. Late yesterday, the U.S. Cybersecurity and Infrastructure Security Agency and the FBI
released a joint cybersecurity advisory regarding a Chinese cyber espionage campaign that's targeting
government officials. The advisory urges organizations, especially those operating
critical infrastructure, to step up their monitoring and logging of activity surrounding Microsoft Exchange Online environments.
Microsoft described the campaign in a blog post earlier this week,
noting that the threat actor compromised email accounts at approximately 25 organizations
by using forged authentication tokens to access user email using an acquired Microsoft account consumer signing key. In full
disclosure, we note that Microsoft is a CyberWire partner. The Washington Post reports that the
campaign targeted the U.S. Commerce and State Departments, and an email account belonging to
U.S. Commerce Secretary Gina Raimondo was compromised. The Associated Press notes that the hacks occurred just before
U.S. Secretary of State Antony Blinken's trip to Beijing last month. The State Department
appears to have been the first agency to recognize the suspicious activity.
The White House this morning published the National Cybersecurity Strategy Implementation
Plan, which provides guidance
on how responsible parties are to put the national strategy into effect. The implementation plan has
five pillars. An accompanying fact sheet listed them as Pillar 1, Defending Critical Infrastructure,
where operators are advised to pay particular attention to CISA's National Cyber Incident Response Plan,
which the agency will update regularly.
Pillar 2, disrupting and dismantling threat actors.
The Joint Ransomware Task Force, led by CISA and the FBI, will play a leading role here.
Pillar 3, shaping market forces and driving security and resilience.
This pillar supports in particular the security
of the supply chain. Pillar four, investing in a resilient future. This pillar involves
developing standards that will enable security to keep pace with or even stay ahead of developments
such as quantum computing. And pillar five, forging international partnerships to pursue shared goals.
The State Department will lead the work here.
The White House points out that the guidance is not exhaustive.
Agencies are expected to take actions appropriate to their missions and circumstances.
Researchers at Fortinet's FortiGuard Labs have discovered a malicious campaign by LokiBot that's actively targeting Microsoft Office.
The campaign's first stage has used two Word documents, one with an external link exploiting CVE-2021-40444,
the other with VBA script that executes a macro upon opening and takes advantage of CVE-2022-30190.
The second stage deploys an injector that utilizes a hard-coded key to decrypt the payload retrieved in stage one. The final stage locates and exfiltrates sensitive information from web browsers,
FTP, email, and various software on the infected machine or system.
FortiGuard recommends that to protect themselves,
users should exercise caution when dealing with any office documents or unknown files,
especially those that contain links to external websites.
It is essential to be vigilant and avoid clicking on suspicious links or opening attachments from untrusted sources.
Additionally, keeping the software and operating systems up to date with the latest security patches
can help mitigate the risk of exploitation by malware.
Uptycs has discovered a proof-of-concept that hides a malicious backdoor through which data is stolen.
Proof-of-concepts are used by cybersecurity researchers to understand potential
vulnerabilities and are generally trusted to be the safe options to learn what harmful code can
be used against a network. Uptycs writes, in this instance, the POC is a wolf in sheep's clothing,
harboring malicious intent under the guise of a harmless learning tool. Its concealed back door presents
a stealthy, persistent threat. Operating as a downloader, it silently dumps and executes a
Linux bash script, all the while disguising its operations as a kernel-level process.
Although the POC has been removed from GitHub, Uptycs believes users who installed it are at high risk of compromise.
The malicious POC copies code from an older legitimate Linux exploit,
but upon further examination of the code,
researchers found malicious code inserted into the program.
This type of tactic is not new,
but this incident should remind researchers to always analyze files downloaded
from the Internet and to do so skeptically. In a renewed push for a protected and controllable
sector of cyberspace, Russia is pursuing a sovereign Internet. But the program faces
difficulties, Scientific American reports. A test last week attempted to disconnect Russia's
internet from the rest of the world. The Kremlin declared the trial a success, but outside observers
conclude to the contrary, that it ended in failure, producing widespread outages among Russian
websites. The sovereign internet isn't a simple or unitary project, but rather a system of technologies, deep packet inspection tools,
figuring prominently among them,
that would give the government greater ability to cut off external,
that is, international connections,
and monitor domestic traffic and content.
There's also an element of self-sufficiency in the program,
as Russia seeks to provide domestic alternatives to hardware and software that would otherwise be provided from foreign sources.
Turning to the hybrid war Russia has been waging against Ukraine, Moscow has responded to Ukraine's counteroffensive with a surge in cyberattacks, CSO Online reports.
The GRU isn't the only Russian service involved,
but it's been a prominent player in these operations. Mandiant has been tracking cyber
operations by Russia's military intelligence service, the GRU, often known in its cyber mode
as Fancy Bear, and its researchers have discerned a common, well-thought-through and repeatable process underlying the GRU's approach.
It sees a five-phase operational style.
First, living on the edge.
Second, living off the land.
Third, going for the GPO.
Fourth, disrupt and deny.
And finally, telegraphing success.
The researchers see the playbook as systematizing some well-established
approaches and combining them into an operational method that's effective, repeatable, and responsive.
It yields for all of its fixed and stereotypical structure a paradoxical agility and adaptability
that render cyber operations a practical combat support capability.
And finally, here's another action in the hybrid war that looks like the waving of a false flag.
The June 29th cyber attack against Russian satellite communications provider Dozor-Teleport ZAO
was claimed online by an actor who identified themselves as a member of the Wagner Group.
The hack, which came five days after the Wagner Group stood down from its march on Moscow,
was represented as a contribution to the mutiny.
But the timing seems to have been off.
Some of the activity antedated the Wagnerite action,
and the actual wiper attack occurred after negotiations had brought an end to the incident.
Bloomberg reports that there are more circumstantial signs of Ukrainian involvement in the action.
For example, news of the attack didn't spread until Andriy Baranovich,
a spokesman for a group of Ukrainian hackers named the Ukrainian Cyber Alliance tweeted about it.
The Ukrainian Cyber Alliance is a hacktivist auxiliary working in Kyiv's interest.
If the cyber attack was a false flag operation,
it was well conceived as a contribution to doubt and mistrust in Russia.
Coming up after the break, Chris Novak from Verizon discusses business email compromise in the 2023 DBIR. Our guest is Joy Beland of Summit 7 on the role of managed service
providers in the supply chain to the defense industrial base. Stay with us.
The Defense Industrial Base has been mandated since 2017 to implement over 100 security controls.
But early on, the DOD asked that these organizations self-attest.
As you might imagine, that led to decidedly mixed results. And so about two years
ago, the CMMC assessment program was introduced, which ultimately will result in certified assessors
going into these organizations in the defense supply chain to assess them for their actual
implementation of those controls. Joy Beland is vice president of strategic partnership and
cybersecurity education at Summit 7, a company that focuses on cybersecurity and compliance for the
DOD. The Department of Defense themselves estimates there's more than 300,000 businesses that this
would impact. And when you look at that, and so there's a handful of primes, and then there's another layer of the major subs right underneath the primes.
But what it really boils down to is 90-some percent of the supply chain are very small businesses.
These are businesses anywhere from, you know, five people, family- owned for 40 years, that they've been making one part that goes on to the
fighter jets. And they've been a provider to the DOD for all of these decades, right? All the way
up to 100 people in their business. But the size of that business is so small that they don't have
their own in-house IT people. They can't afford it. They can't afford to have
somebody really skilled when they're on a manufacturing floor and have them dedicated
to nothing but their computers. So they outsource this and the outsourcing for the IT takes place to
managed service providers or MSPs. And MSPs have never been regulated, ever. It's kind of funny
that as a woman, I can walk in a beauty salon to have my nails done. And I'm assured that there's
some type of training, testing, and health aspects that the state has licensed anybody doing my nails
to be able to meet these certain controls. But as a small business, I can
call Todd, the IT guy, and he has nothing regulating him or licensing him to say that he's qualified to
be managing my computer system. Yeah. So where does that leave the MSPs then? Is there going to be a
certification process? Well, it looks like that. And the
Department of Defense, if they had their way, they are looking at MSPs through a lens of almost the
same criteria as a cloud service provider and being able to assure, give a very large level
of assurance to the government that any of the services that they're providing
are going to meet FedRAMP moderate requirements. And what that would mean is 325 controls, not 110.
So the FedRAMP moderate requirement comes out of NIST 800-53. And so it's a much higher bar for
managed service providers to meet. And most of those MSPs that are currently
servicing the very small businesses in the defense industrial base have nowhere near the amount of
resources, skills, knowledge, processes even to be able to get through the 110 controls in NIST 800-171,
meeting the same level of cybersecurity that their own clients would be required to meet, so much as the 325 controls in the FedRAMP moderate baseline.
So what's the real-world situation here then? As we ramp up to meet these standards,
what's the impact going to be? Yeah, it's a huge problem,
and there's not enough visibility for what's happening because what we are suspecting is
going to happen is that at a minimum, the NIST 800-171 requirements would be applied to those
managed service providers who have clients in the defense industrial base. And I think that
right now there's about a handful of managed
service providers in the United States that can meet that criteria and are actively focused on it
and working toward it. And that would mean, and you know, those managed service providers currently
heading in that direction, like the one that I'm working for at Summit 7, it's an incredible amount of resources. You basically have to retool
your entire company culture, all of your processes, a huge amount of maturity in your documentation,
change management, vulnerability management. You have to be very careful about the tools that you
use, what other organizations you outsource any of those capabilities to.
And so it's a very expensive and laborious process to meet those requirements.
We think that there's going to be a huge amount of fallout in the managed services industry that they're going to look at this and say, hey, you know, I've been supporting Joe's
airplane parts for 15 years. They're my buddies. I can't afford to do that anymore.
And they're going to have to turn over those clients to the MSPs that are truly capable
of providing those services. But what that means for the small business itself
is that they can no longer afford what they were paying Joe for their IT services. They're going to be looking at the
cost of leveraging a mature MSP and saying to themselves, is it really worth it for me to have
this defense contract? Because they know that they can't do it themselves. It's way over their heads.
They likely have to turn over and refresh a lot of their own technology, their own company culture, their own processes.
And being able to leverage a mature MSP for that is going to cost them twice as much easily.
And they're going to look at that.
And so the question is, you know, how many of our suppliers in the defense industrial base are we willing to lose in order for all of the ecosystem to come up under the mandate of NIST 800-171?
And also, it's necessary.
It's necessary in order for us to protect our intellectual property
and all of the defense-controlled, unclassified information
that is being handled for our national security.
So we're in a situation right now that there isn't a good answer.
And it's really time is of the essence.
And a lot of decisions are being made without the industry understanding what's happening.
A couple of things strike me here.
I mean, first of all, you know, there's that old,
it's practically a cliche now about the, you know, the $500 hammer
that the defense industrial base
needs. And it seems to me like we could be headed in that direction with things that people consider
to be basic bread and butter, IT services, sorts of things that you get through your MSPs.
Suddenly, we're going to be seeing some sticker shock here. The other thing is that I wonder, are we,
to mix metaphors, decreasing our genetic diversity? If only a handful of suppliers are going to be
able to meet this standard, is that a risk as well, that we have a limited number of suppliers
and so there's risk there? Absolutely. I mean, we've already seen this
massive consolidation across the primes. And a huge part of our economy is driven by
those defense contracts. That's where the small business is. It's a large part of the bread and
butter. But the truth is, Dave, as you're saying, table stakes for cybersecurity, the most basic cybersecurity,
a lot of these organizations, including the MSPs that support them, have never properly addressed
cybersecurity for the protection of their own intellectual property. Let's look aside from
those defense contracts and say, look, you've got something that only you can do and you've been doing it
really well for all of these years. If you have a computer in your network anywhere,
you are at risk of having that intellectual property being hemorrhaged, being stolen,
being leveraged by our adversaries. And everybody loses in that scenario, not just our national defense, but
our actual economy. So we're seeing this at scale in every other industry. It's just
finally being pointed out and properly addressed by the defense industrial base,
and it's hugely necessary. At the most basic level, there are 17 controls that are required in order to even have a contract with the DOD.
Those 17 controls, it is astonishing how many organizations still don't even have that much implemented.
So 17 out of the 110.
So this is a wake-up call for everybody, not just the defense industry, but small businesses and the managed
service providers who have been assuring them all along, we've got you covered.
It's time for them to mature as well. That's Joy Beland from Summit 7. And it is my pleasure to welcome back to the show Chris Novak.
He is the Managing Director for Cybersecurity Consulting at Verizon.
Chris, you and I have been discussing some of the details of the DBIR from your colleagues there at Verizon. And I want to focus today on business email compromise, which is
something you dig into in the report here. What's the news when it comes to BEC?
Yeah, great point there, Dave. So the staggering news there is it actually almost doubled year on year, kind of within the scope of social engineering.
And I think that is really problematic because I don't think we've seen an uptick in many things like that in the previous several years.
So definitely a dramatic rise in business email compromise.
Is it just a matter of it works?
I think that's part of it.
It's what I put in the category of what I call belly button breaches.
And that is the human element plays a big role in these because a lot of it really comes down to tricking people, right?
It's the belly buttons and seats that are falling victim.
It's not a vulnerable application or a system where you can say, hey, the problem is just push a patch out to everything. In a lot of these cases,
and I hate to say the problem, but it's usually with the underlying humans. It's the individuals
are either not well-educated on what these types of threats look like, or the organization doesn't have the right
processes and controls in place such that when a human makes a mistake, there's no layered backup
behind it, right? When we look at what a business email compromise is, it is almost 100% around
tricking a person to give up information or to wire money in some unauthorized fashion. And that's why I call it
kind of the belly button breaches is that's really where almost all of these events happen.
Yeah, it's a really good point. I mean, I think about how on the one hand, you know, we tell
people you got to train your employees to not click on the links. But on the other hand, no
one's business should be structured in such a way that an employee clicking on a link can bring down the business.
Absolutely right.
And it's interesting because when I talk with a lot of organizations, and this affects organizations of all sizes, the ones that I think are most unfortunate are, I mean, not that it's good for anybody, but your small to medium-sized businesses where the loss can be really substantial to them.
You know, I've worked with a number of organizations over the years, and my team has done countless business email compromise,
you know, incident response events. And to see an organization, for example, that, you know,
literally, you'll have like a small business or medium business owner in tears saying, you know,
I weathered COVID, which I didn't think that my business would survive. And then I got hit with a business email compromise and lost everything. And it makes it really real. You know, for a large
organization, you know, they wire a million dollars, five million dollars, ten million
dollars to the wrong bank account. No one's excited about that. But they can probably weather that.
Small businesses, medium businesses, that's obviously much more catastrophic. They may not
even have, you know, some kind of insurance coverage that would backstop that. But what I tell people is the key thing to consider here is process. What is the process to backstop the human? financial, if you want to go move $10 million, there's probably not one person who can click
the button and say, send $10 million, and it just goes, right? I know within our own organization,
if I want to move even just a small amount of money or pay a vendor, you know, I initiate the
payment transaction, and then there is some litany of approvers and reviewers that need to make sure
that it is sound before any money changes hands. And I think that process component is something that for some organizations,
especially those that maybe are slightly lower down on the maturity curve,
really need to look at because that's something that's a relatively easy and,
I'd say, kind of low-cost step.
It doesn't require fancy technology, but it's a good way to catch these.
Speaking of technology, what sort of things do you recommend for folks to shore up the security of their email systems themselves?
Yeah, so I think, you know, first and foremost goes without saying multi-factor authentication,
you know, and I'm a big proponent of looking at things like either number matching, multi-factor authentication, or using things like a YubiKey or something along those lines in order to be able to best prevent your credentials from being social engineered and then being able to be reused in any one of these nefarious purposes.
And, you know, it's funny because I, maybe not funny is the right word, but I presented the DBIR to a lot of people. And one of the questions I got the other day was,
we've talked about multi-factor authentication for what seems like, you know, two decades now,
are there really still organizations out there that don't have it? And, you know, I would bet
right now there's probably, you know, hundreds, thousands, tens of thousands, maybe of listeners
that are probably going, hmm, yep, I still have spots in my org that don't have it, right?
So I think it's a bigger problem than most people realize.
You see it when you log into your bank.
You might see it when you log into your Gmail.
But there's still a lot of people who still don't have it everywhere in all the sensitive parts of their organization.
Yeah, and I think incorrectly think that maybe they're too small to be interesting.
And certainly the data in the DBIR proves that to not be the case.
You're absolutely right.
And in fact, that's probably a really good point to make.
And I try to make this whenever I can, is that it doesn't matter the size of the organization.
There's probably always someone bigger than you.
There's probably always someone that you'd say might be more of an interesting target.
But keep in mind, the threat actors really don't care.
There's a handful of threat actors out there that are looking for notoriety, and they're
going after specific targets for specific reasons.
But by and large, what the data shows us is that they're largely opportunistic, and they're
going after whoever they can get something from. Yeah. All right. Well, Chris Novak is Managing Director for Cybersecurity
Consulting with Verizon. Chris, thanks so much for joining us.
Thank you.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com. Your feedback helps us ensure we're delivering the information and
insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like the Cyber Wire are part of the daily intelligence
routine of many of the most influential leaders and operators in the public and private sector,
as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies.
N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people.
We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Irvin and senior producer Jennifer Eiben.
Our mixer is Tré Hester with original music by Elliott Peltzman.
The show was written by our editorial staff.
Our executive editor is Peter Kilpe and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.