CyberWire Daily - The IT Army of Ukraine claims VTB DDoS. DPRK exploits Internet Explorer vulnerability. New variant of Babuk ransomware reported. Blind spots in air-gapped networks. And, dog and cat hacking.

Episode Date: December 8, 2022

The IT Army of Ukraine claims responsibility for DDoS against a Russian bank. North Korea exploits an Internet Explorer vulnerability. A new variant of Babuk ransomware has been reported. Blind spots in air-gapped networks. Rob Boyce from Accenture has insights on the most recent ransomware trends. Our guest is Nathan Howe from Zscaler with the latest on Zero Trust. And the hacking of cats and dogs. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/234

Selected reading.
IT Army of Ukraine Hit Russian Banking Giant with Crippling DDoS Attack (HackRead)
Internet Explorer 0-day exploited by North Korean actor APT37 (Google)
Morphisec Discovers Brand New Babuk Ransomware Variant in Major Attack (PRWeb)
Bypassing air-gapped networks via DNS (Pentera)
What to Know About an Unlikely Vector for Cyber Threats: Household Pets (Insurance Journal)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:00:31 Hey, everybody. Dave here.
Starting point is 00:01:22 The IT Army of Ukraine claims responsibility for DDoS attacks against a Russian bank. North Korea exploits an Internet Explorer vulnerability. A new variant of Babuk ransomware has been reported. Blind spots in air-gapped networks.
Starting point is 00:02:15 Rob Boyce from Accenture has insights on the most recent ransomware trends. Our guest is Nathan Howe from Zscaler with the latest on Zero Trust and the hacking of cats and dogs. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, December 8th, 2022. HackRead reports that the IT army of Ukraine, Kiev's hacktivist auxiliary, has claimed credit for the distributed denial of service attack against the state-owned Russian bank VTB. The IT army tweeted, in convincing, if not perfect idiomatic English, VTB could not handle with our attack the whole week long, so they have to admit it.
Starting point is 00:03:22 However, the problem is not we took them down so long, but something went wrong newly, and they cannot settle paychecks, remittances, fine, and tax payments. That is, VTB is unable, says the IT army, to handle routine online transactions. DDoS attacks in the current war, whether conducted by Russian or Ukrainian operators, have rarely risen above a nuisance level of severity. Still, any nuisance at all remains a nuisance, even though it's unlikely VTB will be crippled for very long. Researchers at Google's Threat Analysis Group report that North Korean threat actor APT-37 exploited a zero-day vulnerability in Microsoft Internet Explorer
Starting point is 00:04:07 in a phishing campaign against South Korean targets. Google writes, On October 31, 2022, multiple submitters from South Korea reported new malware to us by uploading a Microsoft Office document to VirusTotal.
Starting point is 00:04:23 The document references the tragic incident in the neighborhood of Itaewon in Seoul, South Korea during Halloween celebrations on October 29, 2022. This incident was widely reported on, and the lure takes advantage of widespread public interest in the accident. Microsoft was quick to patch the issue after Google reported it. It's noteworthy that Internet Explorer continues to be a target for exploitation by threat actors,
Starting point is 00:04:52 even after Explorer's replacement by Microsoft Edge. Mitre points out that researchers commonly cover APT37, like other DPRK units, under the umbrella name Lazarus Group. Some of the operations associated with APT37, like other DPRK units, under the umbrella name Lazarus Group. Some of the operations associated with APT37 have been Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are You Happy?, Free Milk, North Korean Human Rights, and Evil New Year 2018. Whatever they're called, APT37 is bad news, and whatever they're up to, they're up to no good. Researchers at Morphosec announced today that they've observed a new version of Babook
Starting point is 00:05:34 ransomware in the wild. An infestation was detected at a large manufacturing company, which Morphisec describes as a multi-billion dollar manufacturing company with more than 10,000 workstations and server devices. The researchers explain on Morphisec's blog, the attackers had network access for two full weeks of full reconnaissance prior to launching their attack. They have compromised the company's domain controller and used it to distribute ransomware to all devices within the organization. They think that earlier attribution of the attacks to WannaRen is mistaken, and they offer three reasons for concluding that in fact the malicious payload
Starting point is 00:06:16 is an upgraded version of Babuk. First, the overall execution flow and code structure correlates to that presented by Babuk ransomware. Second, it uses the same encryption algorithm. As the researchers put it, one of the most characterizing functions of any ransomware is the encryption method. We verified that the payload in our case matches the one in the Babuk source code. And finally, the configuration and usage of the original and variant overlap. The improvements the attackers made to Babuk are designed to evade much present scanning
Starting point is 00:06:52 and detection technology, Morphisec thinks. The new version of the ransomware implements side-loading, executes within legitimate applications, and implements reflective loading functionality to hide the rest of the execution steps. Security firm Pentera has published a report showing how attackers can use DNS tunneling to communicate with air-gapped networks. Organizations often use air-gapped networks to isolate their sensitive assets. Theoretically, these networks should be entirely cut off from the outside Internet. Pentera explains, however, while air-gapped networks may not have direct access to the Internet, they still often require DNS services in order to
Starting point is 00:07:37 resolve a company's internal DNS records. Many organizations often make the mistake of thinking that by routing communication over an internal DNS server, they are preventing a potential breach. However, they are still susceptible as the internal DNS server can still connect with a public DNS server. If an attacker gains the owner rights to a root record within the organization, they can create a name server that can communicate with the air-gapped network over DNS. This isn't trivial since DNS traffic is usually sent over UDP and the attacker has no control over the flow or sequence of data transmission.
Starting point is 00:08:18 These obstacles can be overcome, however. For example, if the payload is compressed before sending and decompressed after it's received, the attacker can verify whether the data has been corrupted. And finally, all this stuff about air gaps has us thinking, what about species gaps? What about Fluffy, Fido, or Flipper? Are they hackable? Or if not they themselves, are the chips they carry in their collars or under their fur perhaps in some fashion vulnerable? Could malware jump the species gap? Or to put it another way, does your dog's accessibility online
Starting point is 00:08:58 increase your attack surface? Our dog desk informs us that dogs do indeed communicate with one another. The barking is obvious. It usually means, Hey, hey, hey, hey! So is the howling, which reliably translates to, I hear you and I'm here too. Woo-hoo! Woo-hoo-hoo!
Starting point is 00:09:18 More complicated messages are usually carried out by deposits of scent, missives like Queenie Loves Rex, or Jimbo Ate the Whole Thing All by His Own Self, or Take It From Me Straight, The Raccoons Are Still Down the Storm Drain. Anywho, because this is the kind of thing actuaries think about, Insurance Journal explains
Starting point is 00:09:38 a threat that we confess hadn't really occurred to us but which they've convinced us is real. They call it an unlikely vector for cyber threats, household pets. A study by Kaspersky and O'People concluded, according to the survey, half of the devices used for pets have access to the internet, which makes them vulnerable to cyber attacks. Cat and dog trackers can allow attackers to manipulate information about the pet's location or even steal its owner's personal data. The study also found that the penetration of technologies and digital devices related
Starting point is 00:10:14 to pets isn't limited to trackers either. Other popular tools cited by respondents were web cameras for watching pets, smartphones and tablets with games designed for pets, digital toys, automatic feeders or water dispensers, and more. So, when you tell Rover to fetch, the cyber hoods may be fetching your data. Bad hacker. Bad. Bad. Coming up after the break, Rob Boyce from Accenture has insights on the most recent ransomware trends. Our guest is Nathan Howe from Zscaler with the latest on Zero Trust.
Starting point is 00:11:15 Stick around.
Starting point is 00:12:43 Looking back at 2022, I think it's safe to say that zero trust was certainly one of the hot topics in information security. Zscaler recently published their State of Zero Trust Transformation Report, taking stock of where things stand. Joining us to unpack the report is Nathan Howe, Vice President of Emerging Technologies at Zscaler. In its simplest way, the best thing that we can say is that zero trust is where we don't allow anything to happen, no communication, no sharing information,
Starting point is 00:13:37 nothing at all between an initiator, so anything creating, initiating a connection, a destination, without going through the appropriate controls. So we see those controls being verifying the initiator, so who's actually connecting, what are they doing, where are they going, applying controls about how risky they are, what are they carrying with them, are they doing anything malicious, are they trying to download anything malicious,
Starting point is 00:13:59 are they exfiltrating anything that's important, and finally applying controls. And that control could be allow, block, steer, a number of things. But the goal of this is to ensure that no initiator gets to any destination without going through that approval first. So it doesn't matter what network they're on, where they are, any initiator, whether it be human, workload, thing, talking to anywhere else is able to connect only if it goes through that verification,
Starting point is 00:14:27 that control and that policy enforcement. Otherwise, nothing happens. Do you have any sense for as organizations start this journey, as they head down that path, is it what they thought it would be? Is it more or less than they thought they were getting themselves into? I think the biggest thing is everyone opens the zero trust door and gets hit with that kind of metaphoric fire hose of information. I tend to ask the question of many enterprises when I meet with them is, do you know what applications, do you know what services you have internally?
Starting point is 00:15:03 Do you know what they are? Do you have a list? And more often than not, the answer is a laugh, like a sheepish laugh going, um, we really shouldn't talk about that. And I think that's where Zero Trust starts our conversation off and says, well, Zero Trust is a granularity thing. It's about understanding the specifics and creating the specifics around those, those initiators and destinations. If you don't know what you have, then how can you do that? And I think people overlook the things they've already done historically to be able to achieve these things. So a good example I always like to point out is that every single company has some sort of role definition.
Starting point is 00:15:37 So you know that Mary is in accounting, you know that Bob's in finance, and you know that Jerry's in security. That is a simple step to begin that granular path, because you have some sort of path to be able to define a role or a control around. It's not going to be perfect, but it's a starting point. And the hardest part of this is, as you, to your question, was they don't necessarily know where to act when they get this thing started because it's too much coming at them, but they should feel empowered. They already have information to take those steps forward
Starting point is 00:16:08 to make those initial zero trust paths and then start taking advantage of that whether it be going to the cloud or whatever else. But it gives them that step forward. So they need not to be scared of that huge amount of torrent of information and focus on where they can affect changes quickly. It's a really interesting thing that you bring up.
Starting point is 00:16:31 And it makes me think about that notion about not letting the perfect be the enemy of the good and how this plays into, we call it zero trust, not almost zero trust, right? And so the absolute implied in the name itself, I wonder, is that helpful as a mindset or is it more aspirational than a reality? Fantastic statement. You're right. It's very much a definitive name that it is zero. You start from zero. And I think that because it is challenging what has been the status quo for so many years of that interaction, the network being this magical path of everything being connected,
Starting point is 00:17:15 it can also be quite, yeah, I think, shocking to people to be able to move. And I think you're right, the naming could be perhaps not perfect. I think if we looked at it at its crux of what we're talking about here, it's almost going back to the early days of mainframes where you were allocated a very specific slot with a very specific set of permissions to run your very specific process and nothing else. And when you finished, you let the next person come in
Starting point is 00:17:39 with their punch cards or whatever it was. And it was very, very, very controlled. And I think that's where we're getting to that point. But in the internet world where everybody's device is connected to a thousand things at once, how can you possibly provide all of those controls in parallel? And for that matter of visibility, it becomes, I think, a bit inundating for the company. So yeah, perhaps it's worthwhile saying, let's talk about granular control or granular trust, maybe not zero trust, but yeah, that's the buzzword.
Starting point is 00:18:11 Yeah. So based on the information you've gathered here, what are your recommendations? I think the biggest one is to not be afraid. This is a big challenge for enterprises, and we've seen that when we look at the geo breakdowns, that they certainly want to enable this. They want to get moving on zero trust, but there's 90 plus percent that have a plan to actually execute against zero trust, but around 20% are actually doing it. As I mentioned before, not to be scared of what you have and leverage,
Starting point is 00:18:37 for example, probably one of the best implementations of zero trust controls. The very first one is to say, get the user or the initiator, in this case, we'll focus on the humans, get them off the shared network where the destination application is. And unfortunately, we had a global event a few years ago that allowed us to have every single person off the network where the actual applications were. And I think that in itself is an opportunity to look at where we can actually affect change.
Starting point is 00:19:07 And whilst many of us certainly follow the path for zero trust or remote access, zero trust, and others went down the VPN path, and that's fine. But the goal really should be to look at that and think, well, hold on, if everyone's actually off the network, what can I take advantage of? And I always quote one of my CIOs that I spoke to about this. They said, during the pandemic, they used the measurement of dust. They actually went through buildings to see how much dust was on the tables and on the routing equipment. And that dust indicated just how little that office was used. Therefore, they could A, recuperate the cost by shutting down the site, removing all the legacy network infrastructure that was not being used. Now, of course, it's not a perfect measure, but it was a great example of making a decisive action and taking a decisive action off the incident
Starting point is 00:19:55 and saying, where can they find business value? So my advice to enterprises is not to be intimidated by this, but to look where you can take advantage of those decisive cuts in moments like people being off the network and take advantage of that to get business optimization and save some money. Because as we head into the economic situation that we are facing, we need to be able to focus
Starting point is 00:20:18 and put our time, energy, and of course money in the areas that matter the most. And by being granular, at least to some level of granularity, you can cut some things out and it's a good place to start. That's Nathan Howe from Zscaler. And joining me once again is Robert Boyce. He is Global Lead for Cyber Resilience and an Advisory Board Member at Accenture. Rob, it's always great to welcome you back to the show.
Starting point is 00:21:02 I know you and your colleagues there have been tracking some trends when it comes to ransomware. I wanted to check in with you. What's the latest? Yeah, thanks, Dave. And thanks for having me back. I feel like we're perpetually tracking ransomware trends at this stage in the cyber criminal lifecycle. But yeah, we are actually seeing a few interesting shifts. So I have a couple of interesting bullets here that we can go through and share. You know, I think this year in ransomware, not only have we seen more than ever, but it's been a really interesting year of, you know, shakeups, to be honest. So, you know, we saw a number of arrests near the beginning of the year, which I think slowed down a lot of the
Starting point is 00:21:39 ransomware for a short period of time. Of course, it is now built all back up. You know, we've seen the governments fighting back with different sanctions around the world. And funny enough, we've even seen the Russia-Ukraine conflict cause a lot of shifts in the ransomware game for a lot of the ransomware gangs. So, you know, a couple of the things that stand out to me that we're, you know, that we're tracking is we've seen, you know seen a couple of trends geographically, I would say. So in Europe, we're starting to see a lot more focus on energy production. And I think this is not uncommon considering Europe is so heavily reliant on some of the energy that's coming out of Russia. And so I think, as I said earlier,
Starting point is 00:22:25 I think that Russia-Ukraine conflict may be impacting a component of that. In Latin America, we've seen a lot of government ministries being targeted, which we find interesting. And in North America, we're seeing an uptick in the medical field, medical industry, as well as critical infrastructure, which is also fascinating. When you look at the back and forth, you know, this ongoing cat and mouse, does it seem like anybody's gaining ground or losing ground, or is it pretty much tit for tat still?
Starting point is 00:22:58 I find that there's a lot of money to be made in the ransomware game still. So we're still seeing, I think, the sheer amount of currency or money that's going through this attack vector is still really promoting that this is a viable business, right? So we're seeing a lot of new emerging threat actors get into the game as well. And in alignment with that, one interesting thing we've actually started to see is a couple of the really popular ransomware, I'll say
Starting point is 00:23:30 well-known ransomware gangs like Conti and Lapsus, have disbanded, right? And I think we have a couple of hypotheses for that. I think, you know, part of that could be just due to the government sanctions that were put in place. So, you know, once a ransomware gang gets put on the sanction list, they're not going to be able to get paid, or the likelihood of them being paid is much, much, much reduced. And so rebranding themselves is something that we're seeing a lot, seeing happen quite often now. And I do think, as I said earlier,
Starting point is 00:24:00 that Russia-Ukraine conflict has been divisive for some ransomware gangs, where some may fall on the Russia side, some may support the Ukraine side. And we're starting to see that separation happen a little bit too. And we're seeing those gangs start to affiliate themselves with one side or the other. Not in all cases, but in some cases, we're seeing that as well. What is your sense in terms of the breadth of the ransomware ecosystem? And specifically, I'm thinking about the low level, what I almost describe as nuisance level ransomware operators. When ransomware first began, that's where things were. Now, the big ticket ransomware operators are the ones who get all the headlines. But are there still people down at that lower level who are making a living, you know, $500 at a time?
Starting point is 00:24:53 Yeah, 100%. And again, I think the whole ransomware as a service really helps enable that ecosystem. So we're seeing a lot of the initial attack vectors or the initial access, I would say, being bought now. So it's so easy to buy access that you don't even need to be sophisticated enough to do a targeted spear phishing attack in some cases to try and get credentials. You can just buy them. And so that's helping enable a lot of the, I would say, lesser skilled or lower level, as you were saying, ransomware threat actors be successful. And then, of course, the tools that are available.
Starting point is 00:25:32 We've seen tools from groups like Lockpit be leaked. Those are, of course, now being able to be used by more than just the affiliates of that ransomware group. So it's just there's a lot of different ways to enable those lower level threat actors to be successful. All right. Well, interesting to track the trends over time for sure. Rob Boyce, thanks for joining us. Thank you. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's the Cyber Wire. For links to all of today's stories, check out our daily
Starting point is 00:26:58 briefing at thecyberwire.com. The Cyber Wire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Trey Hester, Brandon Karp, Eliana White, Puru Prakash, Liz Ervin, Rachel Gelfand, Tim Nodar, Joe Kerrigan, Carol Terrio, Maria Vermatzis, Ben Yellen, Nick Vilecki, Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. Thank you. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Starting point is 00:28:37 Learn more at ai.domo.com. That's ai.domo.com.
