CyberWire Daily - The US has a new cyber workforce and education strategy. US hunts disruptive Chinese malware staged in US networks. Malware warnings, and an update on Russia’s hybrid war.
Episode Date: July 31, 2023
The US issues a National Cyber Workforce and Education strategy. Hunting Chinese malware staged in US networks. CISA warns of Barracuda backdoor. WikiLoader malware is discovered. P2PInfect is a malware botnet targeting publicly-accessible Redis servers. Johannes Ullrich from SANS describes attacks against YouTube content creators. Rick Howard previews his conversation with AWS CISO CJ Moses. And Russia’s SVR continues cyberespionage against Ukrainian and European diplomatic services.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/144
Selected reading.
FACT SHEET: Biden-Harris Administration Announces National Cyber Workforce and Education Strategy, Unleashing America’s Cyber Talent (The White House)
National Cyber Workforce and Education Strategy: Unleashing America’s Cyber Talent (The White House)
The White House releases the US National Cyber Workforce and Education Strategy. (CyberWire)
US hunts Chinese malware staged to interfere with US military operations. (CyberWire)
U.S. Hunts Chinese Malware That Could Disrupt American Military Operations (New York Times)
CISA Releases Malware Analysis Reports on Barracuda Backdoors (Cybersecurity and Infrastructure Security Agency CISA)
CISA: New Submarine malware found on hacked Barracuda ESG appliances (BleepingComputer)
Out of the Sandbox: WikiLoader Digs Sophisticated Evasion (Proofpoint)
Cado Security Labs Encounter Novel Malware, Redis P2Pinfect (Cado Security)
P2PInfect: The Rusty Peer-to-Peer Self-Replicating Worm (Unit 42)
BlueBravo Adapts to Target Diplomatic Entities with GraphicalProton Malware (Recorded Future Insikt Group)
BlueBravo Deploys GraphicalProton Backdoor Against European Diplomatic Entities (The Hacker News)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The U.S. issues a national cyber workforce and education strategy. Hunting Chinese malware staged in U.S. networks.
CISA warns of a barracuda backdoor.
Wikiloader malware is discovered.
P2P Infect is a malware botnet targeting publicly accessible Redis servers.
Johannes Ullrich from SANS describes attacks against YouTube content creators.
Rick Howard previews his conversation with AWS CISO CJ Moses.
And Russia's SVR continues cyber espionage against Ukrainian and European diplomatic services. I'm Dave Bittner with your CyberWire Intel briefing for Monday, July 31st, 2023. The White House, through the Office of the National Cyber Director,
released the National Cyber Workforce and Education Strategy early this morning.
The plan builds on the National Cybersecurity Strategy released on March 1st of this year.
It's an ambitious whole-of-nation effort.
A number of agencies have been given specific roles and missions,
and the strategy includes a long and heterogeneous list of private sector partners.
The strategy isn't confined to educating Americans for jobs in the cybersecurity workforce.
One of its objectives is to raise cybersecurity awareness
and basic skills among the population at large.
The motivation for this aspect of the strategy
is the pervasiveness of activity in cyberspace,
in commerce, and other aspects of daily life.
The document charts a course for preparing Americans for today's jobs
and enables everyone to participate fully in our interconnected society.
The strategy represents a mix of the genuinely strategic, large-scale, enduring objectives
with a general approach to achieving them, and the highly specific,
that is, the low-level tactical work particular agencies will undertake to support
the strategy. The strategy outlines three guiding imperatives. First, leveraging adaptable ecosystems
to affect change at scale. Second, enabling the lifelong development of cyber skills.
And last, growing and enhancing the cyber workforce through improving its diversity and inclusion.
It's worth noting that the educational component of the strategy concentrates on regional universities and community colleges,
which have long formed a significant fraction of federally sponsored cybersecurity centers of excellence.
On Saturday, the New York Times, citing unnamed administration officials,
reported that the U.S. was hunting for disruptive Chinese malware that's been quietly staged in U.S.
systems. The Times report is the result of interviews conducted over the past two months.
The consensus among both government and industry experts is that Volt Typhoon precedes Microsoft's report
by at least a year. Investigation has shown that the Chinese campaign is more widespread than
initially believed, and that the U.S. work to find and eradicate the malware has been in progress
for some time. The infestation extends beyond telecommunication systems and is geographically global,
but there do seem to be higher concentrations of the malware in the vicinity of U.S. military installations.
Observers speculate that China is hedging against any U.S. intervention in a Chinese invasion of Taiwan.
The Times reports that there's disagreement within the administration as to whether the
malware is designed narrowly to cripple U.S. military operations or whether wider spread
disruption of U.S. society would be the goal. In any case, the U.S. government is said to regard
the apparent shift from collection to disruption as both significant and disturbing. The U.S. Cybersecurity and Infrastructure Security Agency
recently released three malware analysis reports
concerning malware variants exploiting the CVE-2023-2868 vulnerability.
This vulnerability affects Barracuda email security gateways
and allows for remote command injection.
According to Bleeping Computer's report,
one of the identified malware strains, named Submarine,
has been attributed to the suspected Chinese threat actor UNC4841.
CISA's analysis provides insights into the characteristics of the malware,
indicating that it is specifically designed for persistence
and lateral propagation. The alert highlights that Submarine operates as a persistent backdoor,
executing with root privileges, and resides within an SQL database on the ESG appliance.
The malware encompasses multiple components, such as a SQL trigger, shell scripts, and a loaded Linux daemon library,
which collectively enable various functionalities, including execution with root privileges, persistence, command and control capabilities, and cleanup.
Additionally, CISA examined artifacts associated with Submarine containing contents from the compromised SQL database. The agency warns that this malware presents a significant threat for lateral movement, emphasizing its potential to
spread within affected systems. Researchers at Proofpoint this morning described a new strain
of commodity malware they've dubbed Wikiloader. The malware has been active since at least December 2022.
Proofpoint calls Wikiloader sophisticated and designed for staging secondary payloads.
It's evasive, and both detection and analysis have proven challenging.
It's positioned in the criminal-to-criminal market as a rental,
one that's used by several threat actors,
and Proofpoint expects Wikiloader to find customers among the initial access brokers.
Cado Security Labs reports a new malware campaign
targeting publicly accessible deployments of the Redis data store.
The malware, P2PInfect, is written in Rust and is designed for botnet creation.
P2PInfect gains initial access by exploiting the Redis replication feature.
The researchers explain,
replication allows instances of Redis to be run in a distributed manner
in what's referred to as a leader-follower topology.
This allows follower nodes to act as exact replicas of the leader,
providing high availability and failover
for the data store. After initial infection, the malware drops a payload which renames
wget and curl, probably in an attempt to slow down incident response. As its name suggests,
P2PInfect then creates a peer-to-peer botnet in which each infected server serves as a single node.
Cado explains that this allows the entire botnet to gossip with each other without using a centralized C2 server.
It is assumed that commands are issued by propagating signed messages across the network.
The malware also includes a worming feature that works to propagate the
infection to new servers. In researching a version of the malware specifically geared toward Windows,
researchers at Palo Alto Networks' Unit 42, who've also looked at P2PInfect, have concluded that a
crypto mining payload was not included in the malware. Unit 42 wrote, there are instances of the word
miner within the malicious toolkit of P2PInfect. However, researchers did not find
any definitive evidence that crypto mining operations ever occurred.
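The Redis exposure that P2PInfect relies on, as an added example that is not part of the episode and not code from Cado Security or Unit 42: a small audit of a redis.conf for the settings that leave an instance reachable from anywhere and let any connecting client re-point its replication or rewrite its configuration. The directive names are real Redis configuration keywords; the list of commands worth renaming is an assumed hardening choice rather than something the episode states, ACL-based command restrictions are not evaluated, and the two sample configurations are constructed for the example.

```python
# Added example, not from the CyberWire episode nor from Cado Security or Unit 42.
# Audits a redis.conf for settings that leave an instance reachable from anywhere
# and let any client turn it into a replica of an attacker-chosen leader.
# Directive names are real Redis keywords; SENSITIVE_COMMANDS is an assumed
# hardening list; the sample configurations at the bottom are constructed.
from typing import Dict, List

ANY_INTERFACE = {"0.0.0.0", "::", "*", "-::*"}

# Commands that re-point replication (REPLICAOF/SLAVEOF), rewrite runtime
# configuration (CONFIG) or load native code (MODULE). Renaming them to ""
# disables them. ACL-based restrictions (user ... -@dangerous) are not evaluated.
SENSITIVE_COMMANDS = ("replicaof", "slaveof", "config", "module", "debug")


def parse_redis_conf(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive (lower-cased) to the list of its argument lists.
    A directive may appear more than once, e.g. repeated rename-command lines."""
    conf: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit_redis_conf(text: str) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing flagged."""
    conf = parse_redis_conf(text)
    findings: List[str] = []

    # No bind line, or a wildcard address, means every interface is listened on.
    binds = [addr for args in conf.get("bind", []) for addr in args]
    if not binds or any(b in ANY_INTERFACE for b in binds):
        findings.append("bind: listens on all interfaces")

    # protected-mode only guards an instance with no bind and no password;
    # turning it off removes the last guard on such an instance.
    pm = conf.get("protected-mode", [["yes"]])[0]
    if pm and pm[0].lower() == "no":
        findings.append("protected-mode: disabled")

    # Without requirepass or ACL users the default user has full, unauthenticated access.
    if "requirepass" not in conf and "user" not in conf:
        findings.append("auth: no requirepass and no ACL users")

    # Any sensitive command not renamed stays reachable by whoever can connect.
    renamed = {args[0].lower() for args in conf.get("rename-command", []) if args}
    exposed = [c.upper() for c in SENSITIVE_COMMANDS if c not in renamed]
    if exposed:
        findings.append("commands reachable: " + ", ".join(exposed))

    return findings


# Constructed sample: the kind of instance the episode describes as publicly accessible.
EXPOSED_CONF = """
bind 0.0.0.0
port 6379
protected-mode no
"""

# Constructed sample: loopback plus an internal address, auth, sensitive commands disabled.
HARDENED_CONF = """
bind 127.0.0.1 10.0.0.5
port 6379
protected-mode yes
requirepass correct-horse-battery-staple
rename-command CONFIG ""
rename-command REPLICAOF ""
rename-command SLAVEOF ""
rename-command MODULE ""
rename-command DEBUG ""
"""

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(conf) or ["no findings"])
```

Run it against a real redis.conf by reading the file into `audit_redis_conf`; an instance that produces the first finding together with the last one is exactly the shape of target the episode describes, since a client that can reach it can also issue REPLICAOF.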
Recorded Future's Insikt Group is tracking a cyber espionage campaign against diplomatic
services that Russia's SVR ran between February and June
of this year. The researchers don't have a great deal of direct insight into the target's
environment, but their reasonable conjecture is that the operation has reflected Russia's
continued interest in European governments, especially their diplomats. As is commonly
the case, the attack begins with spear phishing, the fish bait
being such lures as an ambassador's schedule, an invitation to an embassy reception, or in a case
we've seen before, an ad for a used BMW. The message redirects to a compromised domain from
which Blue Bravo, as Recorded Future calls the SVR threat actor, installs malware that gives it persistence in the target's network.
Blue Bravo has cycled through at least three major tools this year.
The one most recently used, the researchers called Graphical Proton,
a loader that's staged in an ISO or zip file.
Graphical Proton exploits legitimate services,
especially Microsoft OneDrive for
delivery to the target. And so, the cyber activity in Russia's hybrid war seems to have contracted to
familiar espionage with a big side helping of disinformation.
Coming up after the break,
Johannes Ulrich from SANS describes attacks against YouTube content creators.
Rick Howard previews his conversation with AWS CISO CJ Moses.
Stay with us.
And it is always my pleasure to welcome back to the show Rick Howard.
He is the CyberWire's Chief Security Officer, also our Chief Analyst,
and he is the host of the CSO Perspectives podcast.
Rick, over this summer, you have been quite busy.
Of course, you've done a little bit of vacation time.
You've done some internal N2K cybersecurity work,
but you've also been doing some company travel.
You went out to California and spoke at the annual Google Sales Conference.
You keynoted at the Rocky Mountain Information Security Conference in Denver.
And then you went back out to Anaheim, California, and you covered the AWS reInvent conference to see what the latest developments were in AWS security.
And now you're back, and you're releasing a new episode of the CSO Perspectives podcast.
So, first of all, welcome back.
And second, what do you have in store for us in this new season of CSO Perspectives?
Well, thanks, Dave.
It's great to be back in the saddle again.
And for this episode of CSO Perspectives, I'm taking advantage of that opportunity I got while attending the AWS reInvent conference.
Besides the trip that our mutual producer, Jen Iben, and I made to Disneyland for one magical evening,
and we should do an entire show just to talk about that escapade.
I have stories, Dave.
I'm just saying.
All right.
I got to sit down with the AWS CISO, C.J. Moses.
Now, C.J. got his start in the U.S. Air Force back in the late 1990s, working for the Office
of Special Investigations as a computer crime investigator, chasing hackers around the world
back when the internet was still the wild, wild west.
He worked for the FBI and MITRE doing cyber stuff as a civilian.
And then in 2010, he took a job at Amazon and worked his way up the ladder
and eventually became the AWS CISO two years ago.
And Dave, you know, I get to talk to a lot of CISOs in this job, but CJ is a special case.
If AWS was its own company and not owned by Amazon, it would be a Fortune 500 company in its own right, with $58.7 billion in revenue in 2022, slightly below Morgan Stanley and slightly above Tesla.
So, CJ, you know, obviously has a huge job not only protecting the internal AWS environments, but also protecting all the environments that most of us
as customers use while deploying the service. And of course, he spends a lot of time thinking
about strategy and tactics. And since I just published a book on cybersecurity strategies
and tactics, we had a rollicking conversation about what that means at AWS.
Can you give us an example?
Well, in my book, I include an entire chapter on resiliency as a strategy and the tactics you might need to pursue that strategy.
But CJ's great insight is that traditional resiliency is about ensuring that your data and systems are always
available. If there's an availability issue, you can't get to those resources for whatever reason.
They exist. There's just some technical issue preventing access. But CJ says that durability
is a more important adjective for resiliency. It means that without durability, not only can you
not get to your data and systems,
they are no longer there.
You'll never be able to get access because they're gone.
And I wish I had that little bit of insight when I wrote that chapter in my book. Those are some really interesting ideas.
You know, it reminds me of what a friend of mine used to describe.
He was a commercial insurance agent, and he would often invoke the vision of a, he called it
a Wile E. Coyote smoking hole in the ground.
I love the metaphor.
Well, before I let you go, what is the phrase of the day over on your WordNotes podcast
this week?
Well, you're going to laugh, Dave, but this week's phrase is Apple's iCloud keychain.
And before we did the episode, I thought I knew what that was.
But it turns out I didn't.
You know, did you know that Apple considers that a password manager similar to LastPass and 1Password?
I didn't know that.
Okay, I guess I should have known that.
But how did that pass me by?
I don't know. So anybody in the audience, if you're like me, download this
episode and get some edumacation because I definitely did not know that. Yeah, it's an
interesting thing. I think there's a lot of functionality built into iCloud Keychain that's
kind of hidden and people just don't know about it. And I don't know if that's Apple not doing
a great job of promoting it or what, but I'll be looking forward to tuning in
and finding out what you have to say about it.
As always, Rick Howard, thanks for joining us.
Thank you, sir.
And joining me once again is Johannes Ullrich.
He is the Dean of Research at the SANS Technology Institute
and also the host of the ISC Stormcast podcast.
Johannes, it's always great to have you back.
I know something you have had your eye on
are threat actors targeting YouTube content creators.
What's going on here?
Yeah, so what we observed, we have written about like a few months ago, was that relatively
popular YouTube accounts with sometimes millions of followers were compromised and then used
for crypto coin scams.
The scams are all pretty much the same.
They have a fake video of Elon Musk advertising some kind of
giveaway or such to trick people to send them crypto coins. But what you really didn't know is
how did they get access to these accounts? And a little bit of breakthrough came there,
I think it was two months ago or a month ago. Linus Tech Tips, which is one of the big tech YouTube channels,
was compromised by just one of those scams.
They talked a little bit about how it happened.
So this helped us actually to then do some more targeted searches
for the attack, which turned out to be spear phishing.
And they're in particular going after these creators
by basically sending them fairly well-done fake sponsorship offers.
So first of all, they appear to come from companies that are well-known to sponsor many YouTube channels.
Like, for example, in this case that we had NordVPN.
Again, it's not coming actually from NordVPN, it just claims to come from NordVPN. And the attacker went so far as to registering a special domain,
nordvpn-media.com, so a very plausible domain
where a media contact for NordVPN would use that to send email from,
and then it had the usual PDF attachment,
and something that you may expect, some documents, more details about how to get in contact
and what they're willing to pay or what their rules are or whatever.
And that PDF then led to malware.
There was a link in the PDF.
Once clicked, you download malware.
They claimed it was additional documentation
about how to sign up for their sponsorship offer,
but it actually contained an infostealer, meaning something that collects credentials.
In particular, then, of course, things like YouTube logins and such.
I see. At the risk of blaming the victim here,
do the folks who've been hit by this, do they have multi-factor authentication enabled?
They do. And that's actually something that Linus
in his post-mortem of the incident talked about.
They do have two-factor authentication enabled,
and you probably do similar things,
but you have your automatic pipeline
that processes your audio,
and then some kind of API key
that's being used to upload the audio.
And that API key, actually in particular with YouTube,
it's not that you can easily limit it to just allow video uploads,
but once they have that API key,
they have full access to your account.
And that, of course, is then used to change passwords
and basically take over the account.
So basically, once they have access to your system,
they're taking advantage of the API
to get to your YouTube channel and its credentials.
Correct.
Often, whatever software you're using to produce the audio,
first time you set it up to connect to YouTube,
you basically set up these API
keys.
Really, the only help is here to keep those systems maybe a little more isolated, where
if you're running some malware on your desktop, it doesn't have access to those API keys.
But that's, of course, a larger production to really set it up correctly and still have
a fast, functional system to actually publish
all of your content.
Is there any sense for how helpful YouTube is being with trying to get these accounts
back?
Well, that's another problem here, that YouTube is not that terribly helpful.
If you're Linus Tech Tips, who is one of their top creators, yes, they got some help, but I think it even took them half a day
to get everything straightened out.
If you are a lesser creator
with merely one or two million subscribers,
then you may have a much harder time
to get through to YouTube.
The other problem is that these API keys,
the way they should be done is
that they have very specific permissions
to prevent this complete account takeover
if you are getting a hold of one of those API keys.
But of course, that's always harder to change
than in hindsight.
If you're now limiting these credentials,
then of course all kinds of processes that people set up will break.
In the post-mortem, as you say, from the folks who run Linus Tech Tips,
what changes have they made?
I believe they said that they basically are monitoring those keys more closely.
Another important part here is also, and we always talk about backups,
but one thing the attacker did here was delete all of the videos.
So actually, one of the major delays
in getting everything back together
was just the sheer time it takes
to upload all of these videos.
Yeah. All right.
Boy, it's an interesting cautionary tale.
Johannes Ulrich, thanks so much for joining us.
Thank you.
And that's the Cyber Wire.
For links to all of today's stories, check out
our daily briefing at thecyberwire.com
Don't forget to check out
the Grumpy Old Geeks podcast. I joined Jason and Brian on their show for Thank you. N2K.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like The Cyber Wire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector,
as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent
intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your
people.
We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Ervin and senior producer Jennifer Iben.
Our mixer is Trey Hester with original music by Elliot Peltzman.
The show was written by our editorial staff.
Our executive editor is Peter Kilby and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.