CyberWire Daily - The Cl0p gang moves its way into US government systems. It’ll take multiple showers to rinse out Shampoo malware. Hybrid war update. Arrests and indictments.

Episode Date: June 16, 2023

The US Government discloses exploitations of MOVEit vulnerabilities, and the Department of Energy is targeted by the Cl0p gang. CISA releases an updated advisory for Telerik vulnerabilities affecting ...Government servers. Shampoo malware emerges with multiple persistence mechanisms. How the IT Army of Ukraine can exemplify a cyber auxiliary. Russophone gamers are being targeted with ransomware. An alleged LockBit operator has been arrested. The FBI’s Deputy Assistant Director for Cyber Cynthia Kaiser joins us with cybercriminal trends and recent successes. Our guest is Will Markow from Lightcast, speaking with Simone Petrella about data-driven strategic workforce decisions. And a federal grand jury indicts the alleged Discord Papers leaker.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/116

Selected reading.

US government hit by Russia's Clop in MOVEit mass attack (The Register)
Energy Department among ‘several’ federal agencies hit by MOVEit breach (Federal News Network)
Threat Actors Exploit Progress Telerik Vulnerabilities in Multiple U.S. Government IIS Servers (CISA)
CVE-2019-18935 Detail (NIST)
CVE-2017-9248 Detail (NIST)
Cryptographic Weakness (Telerik)
Shampoo: A New ChromeLoader Campaign (HP)
Cyber attacks on Rotterdam and Groningen websites (World Cargo News)
The Dynamics of the Ukrainian IT Army’s Campaign in Russia (Lawfare)
Watch: Why early failures in Ukraine's counter-offensive aren't Russian victories (The Telegraph)
Russian War Report: Anti-Ukrainian counteroffensive narratives fail to go viral (Atlantic Council)
Threat Actor Targets Russian Gaming Community With WannaCry-Imitator (Cyble)
Hackers infect Russian-speaking gamers with fake WannaCry ransomware (The Record)
Russian national arrested in Arizona, charged for alleged role in LockBit ransomware attacks (CyberScoop)
Suspected LockBit ransomware affiliate arrested, charged in US (BleepingComputer)
Russian national arrested in US for deploying LockBit ransomware (The Record)
Guardsman indicted on charges of disclosing classified national defense information (AP News)
Charges Against Alleged Pentagon Leaker Jack Teixeira Explained (Newsweek)
Jack Teixeira, Pentagon leaks suspect, indicted by federal grand jury (The Guardian)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. Air Transat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. The U.S. government discloses exploitations of MOVEit vulnerabilities, and the Department of Energy is targeted by the Cl0p gang. CISA releases an updated advisory for Telerik vulnerabilities affecting government servers. Shampoo malware emerges with multiple persistence mechanisms. How the IT Army of Ukraine can exemplify a cyber auxiliary.
Starting point is 00:02:22 Russophone gamers are being targeted with ransomware. An alleged LockBit operator has been arrested. Our guest is Will Markow from Lightcast, speaking with Simone Petrella about data-driven strategic workforce decisions. The FBI's Deputy Assistant Director for Cyber, Cynthia Kaiser, joins us with cyber criminal trends and recent successes. And a federal grand jury indicts the alleged Discord Papers leaker. I'm Dave Bittner with your CyberWire Intel briefing for Friday, June 16th, 2023. As Friday begins, so do announcements of compromise. The latest victims are United States government agencies
Starting point is 00:03:25 compromised via the MOVEit file transfer vulnerability. U.S. Cybersecurity and Infrastructure Security Agency Director Jen Easterly disclosed in a press briefing yesterday that several U.S. government agencies were compromised by the Cl0p ransomware gang via the recently disclosed MOVEit file transfer vulnerability, The Register reports. Easterly said that the agency is working closely with Progress Software and federal partners. Easterly added, "We are not aware of Cl0p actors threatening to extort or release any data stolen from government agencies. Although we are very concerned about this, we're working on it with urgency.
Starting point is 00:04:06 This is not a campaign like SolarWinds that presents a systemic risk to our national security or our nation's network." She noted that the threat actors are only stealing information that is specifically stored on your file transfer application at the precise time that the intrusion occurred. The U.S. Department of Energy is among the compromised agencies impacted by the MOVEit vulnerability. A department spokesperson told The
Starting point is 00:04:32 Register that the department took steps for prevention of further exposure and notified CISA. Federal News Network says the two compromised DOE entities are Oak Ridge Associated Universities and the Waste Isolation Pilot Plant in New Mexico. CISA, with support from the FBI and the Multi-State Information Sharing and Analysis Center, the MS-ISAC, released an updated cybersecurity advisory regarding the Telerik vulnerability. The original CSA reported indicators of compromise in a federal civilian executive branch agency. Multiple threat actors and at least one APT were able to exploit a vulnerability
Starting point is 00:05:14 in the Progress Telerik user interface. The updated report shares that forensic analysis at another FCEB agency identified more indicators of compromise by an unattributed APT, which exploited the Telerik RadControls cryptographic weakness, which was rated as critical on the CVSS scale. The vulnerability, as described by Telerik, can lead to cross-site scripting attacks, leak of machine key, compromise of the ASP.NET view state,
Starting point is 00:05:46 and arbitrary file uploads and downloads. The agencies recommend patching all software, prioritizing fixes to the Known Exploited Vulnerabilities catalog. Researchers say the newly detected persistent malware being called Shampoo may take multiple showers to rinse from your system. HP's Wolf Security reports a newly detected malicious ChromeLoader-like malware campaign they're calling Shampoo. The researchers describe ChromeLoader as a family of Google Chrome browser extension malware first analyzed in early 2022 by security researchers, with the goal of installation of a malicious extension in Google Chrome used for advertising. The infection chain starts when a user downloads an ISO file from a malicious website. That, in turn, initiates the download
Starting point is 00:06:38 of a VBScript, which eventually downloads the malicious browser extension. After installation, the malware monitors the victim's searches and injects advertisements in their browser. The Shampoo malware is very difficult for a user to get rid of, as it's said to have multiple persistence mechanisms. One such mechanism is a built-in installation script that repeats every 35 to 75 minutes. Shampoo differs from a standard ChromeLoader by adding some additional counter-security features like encryption of locally stored files and by its use of VBScript instead of an ISO file for initial infection.
Starting point is 00:07:20 Dutch media have attributed last week's distributed denial of service attacks against the websites of the Rotterdam and Groningen seaports to Russian hacktivists, specifically to NoName057(16). The IT Army of Ukraine, which hits Russian targets in loose concert with Ukraine's government, offers an unusually transparent example of offensive cyber operations, hacktivism, and the mobilization of a cyber auxiliary. Lawfare summarizes some of the key features of the group's performance during Russia's war. It's demonstrated the ability to conduct sabotage, denial of service, doxing, and defacement. It crowdsources its operations over Telegram, and its targeting has been opportunistic but selective. The transparency of the IT Army's operations and relations with the Ukrainian government is relative. Kyiv has maintained that the IT Army coordinates only with civilian government agencies,
Starting point is 00:08:23 not military or intelligence services, but it's clear that some coordination occurs with military and intelligence organizations. Some of that cooperation is done for deconfliction, some to receive direction, and in a few cases, for direct combat support. The IT Army of Ukraine also uses its Telegram channel to post news and opinions selected to influence its followers' views of the war. Russia has also mobilized social media to push its own narratives, most recently the narrative that Ukraine's counteroffensive has failed. That particular view seems not only false, and in any case grossly premature, but it also appears to have gained little traction, according to the Atlantic Council's DFRLab monitoring. Some of the posts that failed to gain significant virality are associated with Kim Dotcom, to use his screen name.
Starting point is 00:09:21 Mr. Dotcom's motivation in serving the Russian agenda as a useful idiot is unclear. Cyble Research and Intelligence Labs this week reported a ransomware campaign against Russian-speaking gamers playing the first-person shooter multiplayer game Enlisted. The attackers, who remain unknown for the time being, use a ransomware they're calling WannaCry 3.0. It is, however, unrelated to the genuine WannaCry released in 2017. We close with two bits of news from the courts. In the first, CyberScoop reports that a 20-year-old Russian national has been arrested on charges of involvement with the LockBit ransomware gang.
Starting point is 00:10:05 Ruslan Magomedovich Astamirov was taken into custody on Wednesday in Arizona, according to a criminal complaint. The charges identify the Chechnya native, Mr. Astamirov, as perpetrating at least five attacks against United States, Asia, Europe, and Africa-based victims between August 2020 and March 2023, The Record reports. His charges include conspiracy to transmit ransom demands, commit wire fraud, and intentionally damage protected computers. BleepingComputer highlights the fact that this is the third affiliate of LockBit charged by the U.S. Department of Justice within the last seven months. And in the second bit of courthouse news, Massachusetts Air National Guardsman Jack
Starting point is 00:10:51 Teixeira has been indicted on felony charges involving leaks of classified military documents on Discord. The AP reports that Mr. Teixeira faces six counts of willful retention and transmission of national defense information. The investigation into the leak began in April after classified U.S. intelligence was seen circulating in social media. The former airman's position in the Guard gave him a top-secret clearance, which allowed him to access sensitive information. Newsweek writes that he was subsequently identified by investigators and accused of sharing hundreds of pages of sensitive information on a Discord server.
Starting point is 00:11:30 A conviction could mean 10 years in prison and a $250,000 fine for each count of willful transmission of classified information. The Guardian quotes U.S. Attorney General Merrick Garland in the case, who said that Teixeira is charged with sharing information with users on a social media platform he knew were not entitled to receive it. In doing so, he is alleged to have violated U.S. law and endangered our national security. Coming up after the break, the FBI's Deputy Assistant Director for Cyber, Cynthia Kaiser, joins us with cyber criminal trends and recent successes. Our guest is Will Markow from Lightcast, speaking with Simone Petrella about data-driven strategic workforce decisions. Stay with us. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Starting point is 00:12:50 But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Starting point is 00:13:45 Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families
Starting point is 00:14:13 24-7, 365, with Black Cloak. Learn more at blackcloak.io. There's a strange mix of forces at play in the cybersecurity workforce. Many companies are hiring. Some companies are experiencing layoffs. And yet, overall, there's still a sense that there are many open positions out there waiting to be filled, which is all to say it's more important than ever for managers to take an evidence-based approach to hiring and retention. Will Markow is VP of Applied Research and Talent at Lightcast. My N2K colleague, Simone
Starting point is 00:14:58 Petrella, spoke with him about using data to make strategic workforce decisions. So, you know, we've talked about this in the past and certainly have very similar viewpoints on how organizations and companies can take a more strategic perspective on how to think about the cybersecurity workforce shortage, how to actually identify and make good decisions based on what they need to do. What are some of the common misperceptions that you view your clients, people that you work with having about this particular topic? Great question. And I think there are a few misperceptions
Starting point is 00:15:33 that are pretty common in the market. First misperception is that it is just a skills gap. And I think there definitely is a skills gap in cybersecurity, and we can talk about that a little bit later. But I think that there's also an expectations gap, that a lot of employers don't realize that they are contributing to some of the hiring challenges that they have by asking for certain credentials or certifications or skill sets
Starting point is 00:16:02 that may or may not be important in the roles that they're asking them for. So I'll give you a concrete example, which we see more often than you would think, is that take a CISSP. This is a certification, which is a great certification, and it has its place, and it's important for people who are more advanced in their careers to consider getting a CISSP. But we see a lot of employers asking for a CISSP, which requires minimum of five years of prior work experience to qualify for a full CISSP, asking for this credential along with no more than two years of prior work experience, which it's impossible to have the two. And the hiring managers, it's not their fault. They know what a CISSP is. They know
Starting point is 00:16:43 you have to have five years of work experience, but there's something in the internal process and the communication between the hiring manager and the HR team building that job requisition that results in a disconnect. And so I think that one big misperception is that either it's just a skills gap or it's just an expectations gap or hiring managers don't know what they're asking for. The reality is hiring managers know what they're asking for. The reality is there are people out there who could fill some of these jobs, but there is a breakdown in communication in that process of building those job requisitions.
Starting point is 00:17:20 So that creates that expectations gap. That said, I also hear a lot of people saying, oh, wait, there is no skills gap. What are we talking about? That's also not true. There also is a deficit of workers. When we look across the cybersecurity workforce, we see that we only have about two-thirds of the workers we need to fill all of the jobs that employers are demanding. So that effectively means we're stepping onto the cyber battlefield, missing a third of our army. So there's also a talent
Starting point is 00:17:50 shortage. There's also a skills gap. And I think anybody who says it's just one or the other is contributing to some of the misperceptions in the market and is contributing to some of the information gaps that are exacerbating some of the talent gaps and the expectation gaps in the field. Yeah, I can totally see where that comes into play. I know we've seen that ourselves in the expectation gap. What is your recommendation? How do you propose that we kind of solve that expectation gap?
Starting point is 00:18:25 Since job reqs are one of those interesting areas where it's in the domain of HR, but the hiring managers do it, how do we improve that process? So the first thing that you need to do, which I think you started to touch upon, is you need to break down silos. If you're in the cybersecurity world, if you're a CISO or a cybersecurity manager, you need to view HR as your friend and partner, not your rival,
Starting point is 00:18:52 which I think is the culture in a lot of organizations. HR is also trying to work with cybersecurity managers to get the best job requisitions out there. And you need to figure out how can you work together in a more collaborative fashion. And I tell this to HR folks all the time as well, is that one of the first things you need to think about when building a job requisition is how is this supporting the stakeholders that it most needs to support? And how is it driving business value within your company? So the first thing you need to do, be collaborative. Second thing you need to do is you really need to define what is it that this person in this role
Starting point is 00:19:33 needs to do, not just at a job title level, but at the underlying skill level. A lot of people call it skills-based hiring, which is a very amorphous term, and it means a little bit of one thing to one person, something different to someone else. So sometimes I stay away from that nomenclature, but it really is a manifestation of skills-based hiring, is understanding and inventorying what are the skills associated with each role within your team so that you can build your job requisition around those skills that people need, not just the credentials or degree requirements that people have used as imperfect proxies for those skills. And once you do that, you can then start to figure out, okay, which skills are going to be most critical to include in the job requisition when
Starting point is 00:20:17 we're going out and hiring for people versus when we're training those people internally, and which of those skills are need-to-haves versus nice-to-haves when somebody's walking through the door? I'll give you a concrete example of this in practice. There's a financial services company we worked with that was trying to right-size some of its job descriptions around the skills, not the credentials, not the certifications that were most important for proficiency in that role. And they were able to identify a few things that they could just take
Starting point is 00:20:45 out, like a bachelor's degree requirement, or a certification requirement, or some emerging skills that were really nice to haves and not need to haves. And by just making a few simple tweaks to their job descriptions, they were able to reduce the average hiring cost by over $10,000 per hire, and they were able to expand their candidate pool by over 60%. So sometimes just making those slight tweaks to the skills you're asking for and the credentials you're asking for can have huge benefits to companies when they go out and hire for cybersecurity workers. That's Will Markow from Lightcast speaking with N2K
Starting point is 00:21:25 President Simone Petrella. You can hear an extended version of this conversation on our website. I am pleased to welcome back to the show Cynthia Kaiser. She is Deputy Assistant Director for Cyber at the FBI. Director Kaiser, it's great to have you back. I want to touch today on some of the cyber criminal trends that you and your colleagues there at the FBI are tracking. And you all have had some successes recently as well. What can you share with us today? Great. And once again, thanks for having me.
Starting point is 00:22:11 Now, I think most people are tracking how pervasive the cyber criminal threat is. And I think really the state of cyber crime is this interconnected, state-protected, and callous about the impacts of their actions as long as they continue to make enough money along the way. And they represent really a loose international network of actors who seek to exploit vulnerabilities, and they're wickedly opportunistic. They once targeted individuals and small businesses, but in recent years, they've pivoted to these high-value targets, including critical infrastructure, especially targets that can't afford downtime,
Starting point is 00:22:52 that need to be able to have their operations. So, you know, they're targeting hospitals and schools. I mean, this is just the lowest of low. So when we're looking at, like, we're looking at this landscape and looking at, you know, how are we going to really tackle this to have an impact? We don't want to play whack-a-mole. We want to make sure that we're having this broad impact that tightens the net around cybercriminal actors. And part of that has been looking at the key services that they're using. So we know across the cybercriminal ecosystem, there are main groups, entities, services, it's just like an economy. It's a marketplace. And they need places that help them cash out money or exchange money or buy tools. And there's not a huge amount of those. We have a lot of different cyber criminals
Starting point is 00:23:40 going to the same places. So what our strategy has been is to look at those places that are facilitators of cybercrime so that we can have a broader impact. So really focusing on some of those bottlenecks there. Can you give us some examples where you and your colleagues have had some success? Great. Yeah. So recently we've been able to, with international partners as well, and our U.S. government partners, take down a number of key services. That includes ChipMixer, which was a major mixing service for cryptocurrency. And that was used by multiple different sets of actors, not just multiple ransomware actors, multiple nation state actors as well. We've had targets against the backend of major ransomware variants. And I call that a key service because in the ransomware ecosystem, it's an affiliate model.
Starting point is 00:24:39 So people are going and they're an affiliate and they're going to say they deploy four different types of ransomware. So they go find the developers, they take that developer, and everyone shares the profit. If we can ensure that kind of back end is either monitored, we provide decryption keys, or then we just take it down, that provides us an ability to hamper those cyber criminal operations. I'm curious, as you all are monitoring the communications of these actors on those online dark web forums that we hear about, do you see your efforts being described there? Is it a factor of discouragement? Are they talking about the types of things that you all are up to to try to thwart them?
Starting point is 00:25:29 I hope so. That's kind of the point. Fair enough. I mean, we want cyber criminals to know that we're over their shoulder. We're watching what they're doing, and we're waiting for the opportune time to be able to take down their operations, to hamper them, to ensure that we're keeping America safe. And how about partnering with industry here? What part do they have to play in keeping those lines of communication open? Such a huge part. So I think there's so many different levels of industry that we partner with. So there's the targeted entities or victims. So the businesses that are being targeted by cyber criminals, partnering with them and ensuring that we're able to share
Starting point is 00:26:13 information. So if they're targeted, they don't get compromised, or help provide them not only remediation advice or just peace of mind after an incident, but justice. Like justice for the crimes that were perpetrated against them. So that partnership is so critical and so key. that companies may have, may be working with so that they can ensure that they're doing everything that they need to do from their own end to manage service providers. There's so many different levels of industry that are important for us to partner with in terms of being able to help. Because in the end, like for over a hundred years, we've been a victim-centered organization. And so our partnership, either at the operational partnership level, so how do we work with industry to help
Starting point is 00:27:11 mitigate this to the, we're actually supporting, you know, we're supporting these victims or we're stopping people from becoming victims. That's just the most important thing to FBI. You mentioned international partners as well. Can we touch on that? I mean, to what degree does the FBI take a role of global leadership here? The FBI is a global leader in cybercrime investigations and imposing risks and consequences on those cyber actors. And we take that role really seriously. We have over 16 cyber assistant legal attachés who are deployed across the world and embassies across the world. And those assistant legal attachés do a few things. One is capacity build. And that's not necessarily like, you know, general cybersecurity advice. That's how do you run a cyber criminal investigation? And then they also facilitate those operations. So we don't care if we arrest them in the U.S. or bring them back to the U.S. We care that these cyber criminals are offline.
Starting point is 00:28:10 So if it is more advantageous or easier to be able to ensure that another country's able to provide these consequences, we're there. We're there to be those partners. And then finally, we've also, in a few instances, been able to deploy to our international partners. And I think Albania is a great example of that, where when the Albanian government was attacked by Iranian cyber actors, the FBI was there within days to help them. Within, I think, a little over a week, we were sent an entire cyber action team, the same kind of team, technical team we might send to assist a U.S. victim. Because they're an ally and they asked and we answered. And we know that cyber threats have no borders, so we can't keep it contained to the U.S.
Starting point is 00:28:59 The help we give our allies helps American citizens as well. Cynthia Kaiser is Deputy Assistant Director for Cyber at the FBI. Cynthia, thank you so much for joining us. Thank you. Thank you. solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's The Cyber Wire for Friday, June 16th. We'd like to remind you all that this coming Monday is the U.S. federal holiday of Juneteenth, and we won't run our daily podcast then. We'll be back as usual on Tuesday.
Starting point is 00:30:25 In the meantime, enjoy Juneteenth. Be sure to check out this weekend's Research Saturday and my conversation with Johannes Ulrich from the SANS Technology Institute. We're discussing machine learning risks, attacks against Apache NiFi. That's Research Saturday. Check it out. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
Starting point is 00:31:01 We're privileged that N2K and podcasts like The CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben.
Starting point is 00:31:37 Our mixer is Tré Hester with original music by Elliott Peltzman. The show was written by Rachel Gelfand. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here next week. Thank you.
