CyberWire Daily - The US National Cybersecurity Strategy is out, and we have a preliminary look. CISA red-teams critical infrastructure. A new cryptojacker is out. Russia bans messaging apps. Hacktivist auxiliaries.

Episode Date: March 2, 2023

The White House releases its US National Cybersecurity Strategy. Red-teaming critical infrastructure. Redis cryptojacker discovered. Russia bans several messaging apps. Our guest is Kapil Raina from CrowdStrike with the latest on threat hunting. Dinah Davis from Arctic Wolf on the top healthcare industry cyber attacks. And hacktivist auxiliaries continue their nuisance-level activities. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/41

Selected reading:
National Cybersecurity Strategy (The White House)
FACT SHEET: Biden-Harris Administration Announces National Cybersecurity Strategy (The White House)
Biden administration releases new cybersecurity strategy (AP NEWS)
White House pushes for mandatory regulations, more offensive cyber action under National Cyber Strategy (The Record from Recorded Future News)
Here's why Biden's new cyber strategy is notable (Washington Post)
How the U.S. National Cyber Strategy Reaches Beyond Government Agencies (Wall Street Journal)
Biden National Cyber Strategy Seeks to Hold Software Firms Liable for Insecurity (Wall Street Journal)
CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks (Cybersecurity and Infrastructure Security Agency CISA)
CISA red-teamed a 'large critical infrastructure organization' and didn't get caught (The Record from Recorded Future News)
Redis Miner Leverages Command Line File Hosting Service (Cado Security | Cloud Investigation)
Russia bans foreign messaging apps (Computing)
U.S. Consulate hacked by "Putin supporters" (Newsweek)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. The White House releases its U.S. National Cybersecurity Strategy, red-teaming critical infrastructure, a Redis cryptojacker has been discovered, Russia bans several messaging apps.
Starting point is 00:02:14 Our guest is Kapil Raina from CrowdStrike with the latest on threat hunting, Dinah Davis from Arctic Wolf on the top healthcare industry cyber attacks, and hacktivist auxiliaries continue their nuisance-level activities. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, March 2nd, 2023. The White House this morning released its long-awaited, much-anticipated National Cybersecurity Strategy. The strategy's intention, the White House explained,
Starting point is 00:03:08 is to secure the full benefits of a safe and secure digital ecosystem for all Americans. The White House shared that two primary goals of the strategy are to rebalance the responsibility to defend cyberspace by shifting the burden of cybersecurity away from individuals and on to specialized organizations in the sector, as well as to realign incentives to favor long-term investments by balancing threat defense with smart planning and investment. The strategy is planned to prioritize ease and effectiveness of cybersecurity implementation, quick recovery from incidents, and reinforcement of digital values in three points highlighted by the administration, defensibility, resiliency, and values alignment. The strategy has five core tenets,
Starting point is 00:03:57 defend critical infrastructure, disrupt and dismantle threat actors, shape market forces to drive security and resilience, invest in a resilient future, and forge international partnerships to pursue shared goals. The Wall Street Journal makes an interesting point in noting that this strategy has a much wider lens than the government seems to have used in recent years. Sectors such as oil and gas pipelines, as well as federal agencies, have been brought into focus on a much smaller scale by the federal government in yesteryear, the Journal writes. The Washington Post makes note of the way the strategy also brings to light the role of U.S.-based services in foreign cyber attacks. The strategy identifies the ways foreign threat actors exploit U.S.-based cloud infrastructure,
Starting point is 00:04:46 saying, often these services are leased through foreign resellers who have multiple degrees of separation from their U.S.-based providers, hindering the ability of those providers to address abuse complaints or respond to legal process from U.S. authorities. The Post also notes the strategy's inclusion of four other initiatives, a potential approach to a federal cybersecurity insurance response in times of catastrophe, the slow adoption of IPv6, the White House's much-needed legislative assistance, and early steps in the development of a strategy implementation plan. We'll be attending a press session this afternoon
Starting point is 00:05:26 in which the administration will offer more perspective on the strategy, and we'll follow the story up tomorrow. CISA has published the findings of a red team assessment the agency carried out against a large critical infrastructure organization last year. The operation, conducted at the request of the organization, lasted three months. The red team was able to gain access to two workstations via spear-phishing attacks. The team was also able to move laterally within the network, but was unable to gain access to the organization's sensitive business systems after running up against multi-factor authentication measures and time constraints.
Starting point is 00:06:05 However, CISA believes that by using secure shell session socket files, they could have accessed any hosts available to the users whose workstations were compromised. Cryptojacking is back. Of course, it's never really been away, but there's a new threat actor giving the technique a bit of a surge. Cado Security researchers shared in a blog this morning their discovery of a campaign targeting insecure Redis deployments for cryptojacking. The campaign leverages the open source command line file transfer service Transfer.sh, which has seen activity since at least 2014. The service, however, didn't see any malware distribution until researchers noticed it early this year. The Cado team suspects that the move to the file transfer service may represent an attempt to evade detection. Russia's internet
Starting point is 00:06:59 watchdog, Roskomnadzor, has banned nine foreign messaging apps, computing reports. Raskamnadzor's statement singles out the apps as being foreign-owned and as providing a way for users to communicate directly with one another. The sender determines the recipient of the message with no possibility for public mediation of the content, and this direct unmediated communication seems to be the more troubling aspect of the content, and this direct unmediated communication seems to be the more troubling aspect of the services. As Computing points out, other foreign-owned apps like Zoom remain
Starting point is 00:07:31 acceptable. Razkomnadzor's statement makes no specific accusation of subversion or direct complicity with anti-Russian forces, as had marked earlier bans on Facebook and Instagram. forces, as had marked earlier bans on Facebook and Instagram. The apps that fall under the new restrictions include Discord, Microsoft Teams, Skype for Business, Snapchat, Telegram, Threema, Viber, WhatsApp, and WeChat. And finally, to turn specifically to Russia's war against Ukraine, there have been no reports of major cyber attacks in recent days, but hacktivists have remained active. The U.S. consulate in Milan, for example, had its Twitter account hijacked last week on February 27th, and the attackers used it to disseminate tweets associating Ukraine's government with Nazis, flags, swastikas, and so on, the usual shtick.
Starting point is 00:08:27 The State Department regained control of the account, but Newsweek reports, not before the pro-Russian hacktivist tweets achieved about 140,000 views. Sure, those aren't really even teenage influencer numbers, but the hijacking has to be dealt with in any case. The State Department explained, with what must have been the organizational equivalent of a weary sigh, that the U.S. remained committed to its support of Ukraine, and that no, Foggy Bottom doesn't think that Kyiv is some kind of nest of Nazis. Coming up after the break, Dinah Davis from Arctic Wolf on the top healthcare industry cyber attacks. Our guest is Kapil Raina from CrowdStrike with the latest on threat hunting.
Starting point is 00:09:16 Stay with us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
Starting point is 00:10:08 and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Starting point is 00:10:48 Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. Security firm CrowdStrike recently shared their 2022 Falcon OverWatch threat hunting report, tracking the evolving adversary activity and tradecraft over the past 12 months. Kapil Raina is vice president of zero trust marketing and identity evangelist at CrowdStrike. Identity and the breach of identity, and especially identity-related
Starting point is 00:11:46 attacks, has become a key element of most adversaries' arsenal. And this could be things like privilege escalation, lateral movement, things like that. So identity and the breach of identity has become so instrumental in many of the adversary attacks. So we've seen that kind of progress more so over the last year or two and more dramatically. And so that's definitely one key trend that we're definitely seeing. One of the things that you all highlighted here was that the bad guys are shifting some of their tactics here. You saw, particularly you highlighted fishing. What are you all tracking there?
Starting point is 00:12:31 When we think about phishing, what we've seen is that, again, this is a pattern that's building, is sort of targeted phishing is becoming more prevalent, right? So rather than kind of the degenerate spray and pray, that's definitely a pattern that we've seen, again, developing not just this last year, but over the last few years. We have definitely seen more sophisticated attacks where the, because they're more targeted, that, for example, the communication within that phishing content is a little bit more crafted. We've also seen now shifts to acknowledging the fact that a number of organizations have, let's say,
Starting point is 00:13:10 multi-factor authentication. And so kind of factoring that into the attack techniques in terms of essentially tricking someone to try and approve an MFA, for example. Well, based on the information that you all have gathered here, what are your recommendations for organizations to best defend themselves? So if you look at, you know, there's a couple ways to look at it. If you, for example, prescribe to the MITRE ATT&CK framework, right, that's a great way to look and kind of lay out
Starting point is 00:13:38 the tactics, techniques that a typical organization might face. And if you look at sort of a heat map, if you will, of where, for example, where our Overwatch team sees many of the threats, you'll see, again, as I alluded to earlier, that identity tends to be a key, key area. So if you can address and mitigate identity-related attacks, you can address, you may not be able to stop every single threat, but you can at least mitigate
Starting point is 00:14:04 threats that doesn't continue. So, for example, protecting your identity infrastructure. This includes things like Active Directory and domain controllers. Preventing certain legacy protocols from being used, for example, that could be breached. Preventing certain types of access to domain controllers that shouldn't be allowed. Looking at behavioral analytics in terms of how things access this infrastructure. So that's one example. Another example is looking at the credentials themselves.
Starting point is 00:14:32 Since many of these attacks eventually compromise a legitimate credential, then the question is, okay, has an adversary taken over a legitimate credential? Has someone taken over, for example, Dave's access to your system? And so there we recommend looking at real-time information about credentials, how they're used, where they're used, whether they're for human credentials or even for other applications like service accounts there as well. So for example, we've seen typically our own research has shown typically an organization will have anywhere from, I would say about 25% or so of their accounts,
Starting point is 00:15:14 or what we consider stale accounts. These are accounts that were given a certain set of privileges and permissions, but were not actually accessed over typically anywhere from 30 to 90 days. And why that's important is because over time that creates a bigger attack factor that you're not watching. And so really tightening those controls, looking at real-time analysis. The other area also to ensure that you really look at, as we've kind of looked at all these different attacks, to look at, as we kind of looked at all these different attacks, is about 25% or so of attacks,
Starting point is 00:15:53 you know, entry points or attacks into an organization will come from an unmanned system. These are systems, for example, from your supply chain network or contractor, where you physically can't touch that device. And so in that case, again, typically, if a supplier or contractor is working within your environment, you're giving them a credential. So looking at identity-based analysis of how that credential is being used and then giving it the risk score around it so you can real-time intercept potential risky behavior, even if that system is not managed, which is super critical, especially in this day and age. which is super critical, especially in this day and age. And the last thing I would tell you is identity is not restricted to just, you know, endpoint, for example, but it's also something that we'll see in cloud as well. If you look at the cloud environments and the attacks there,
Starting point is 00:16:40 there's a number of challenges that, you know, you would have on-prem that you have in cloud. So, for example, Microsoft, there was a recent disclosure that Microsoft AD Azure, Active Directory Azure system had a number of issues. So, you know, looking at cloud holistically as you do, for example, endpoint or anything else is super important. And then the final thing is, if you're using IT infrastructure, it's always best to have it protected by a vendor that really, or organization that focuses on security. That's Kapil Reina from CrowdStrike. And joining me once again is Dinah Davis. She is the VP of R&D Operations at Arctic Wolf. Dinah, it's great to have you back.
Starting point is 00:17:37 I saw you and your colleagues over there at Arctic Wolf recently published a report just tracking some of the attacks on healthcare industry representatives there. Can we go through some of the ones here that caught your attention? Yeah, yeah. So it's like the top 12 healthcare industry attacks of all time, right? So I thought we would go through the top four because, you know, those are going to be the most interesting, really. Right, right. In the time we have.
Starting point is 00:18:01 In the time we have, I thought maybe not 12. Yeah. Yeah. So the average cost of a healthcare breach in the US is $10.1 million. And that number, that amount has already increased 41% in just two years, right? And from what we're seeing, the healthcare industry has the highest average cost of a breach 12 years running. So out of all the breaches that happen, it tends to be the most negatively impactful on healthcare organizations. So if we take a look here at the top four, we can see how they kind of get attacked, the cost of that, how many people are affected, that kind of thing.
Starting point is 00:18:42 So the top four, so we're going in like David Letterman order here. Starting at number four, starting at number four was the Excellus Health Plan Incorporated. And it was a malware attack and it cost $17.3 million with 10 million people affected. with 10 million people affected. So basically they released names, date of birth, social insurance,
Starting point is 00:19:12 all of that kind of stuff. And although the affected data was encrypted, the hackers gained access to the administrative controls making that encryption moot. So not cool. Not cool on that. Yeah. Number three, Primera Blue Cross. So this was a phishing attack.
Starting point is 00:19:32 You know, quite common that we see that. It costs quite a bit more than the last one. $74 million with 11 million people affected. Right? And so this was a phishing email to a Primera employee. The email included a link to download a document, and that document contained malware. So once the document was clicked,
Starting point is 00:20:00 hackers were able to access the services, and even worse, the breach wasn't detected for eight months. Wow. Yeah, so not cool. Not cool. All right, number two, American Medical Collection Agency. So it's actually like, this is a company that collects money on behalf of medical businesses and stuff like that. Right. These are the folks they send after you if you do not or cannot pay your bill.
Starting point is 00:20:30 Yeah. So they're fun people. Okay. But anyway, it was hacked through the online payment portal that they used. It cost $21 million, and then it affected 21 million people. So this one affected more people, cost a little less, but affected more people than the Primera Blue Cross. So there was some vulnerability in the webpage itself?
Starting point is 00:20:58 Yeah. In the third party, it's supply chain attack essentially. In the third party is supply chain attack, essentially, in the third party tool they were using to do the payments and make the payments happen. Yeah, so there was an issue with the third party payment tool that they were using to collect the payments, and that was able to be hacked. So they have since changed providers. They have a lot more strict rules around it, but definitely not cool.
Starting point is 00:21:27 Okay, finally, the number one, the number one, the number one. Okay. Anthem. So this was also a phishing slash malware attack. It cost $115 million and 78 million people were affected. Basically, the attackers accessed a corporate database with a phishing email and stole nearly 79 million records containing patient and employee data. It's the largest healthcare industry cyber attack in history i think that one actually happened like in 2012 as well i don't have the information in front of me but it happened a while ago so um hopefully that means you know a lot of these organizations are getting smarter have are paying more attention to what they what they need to do to keep their patients' data safe. I mean, we even just recently saw SickKids Toronto get attacked. Right.
Starting point is 00:22:29 And interestingly, there, the attackers gave the decryption key back for free, probably not out of the goodness of their heart, though, probably more because that was drawing a little too much attention to attack, you know attack this really important hospital for sick children, most of whom have cancer. It's pretty evil, but nice to see they gave it back anyway. But yeah, I think a lot of companies are putting a lot more effort into their defenses. It's such an interesting thing, isn't it? I mean, on the one hand, you would hope that there were some kind of set of norms
Starting point is 00:23:10 where these were not organizations that would get hit for the reasons you just described. These are life and death situations here. But the flip side of that is that these are the folks who, their mission is about as critical as it gets. So they have to get up and running as quickly as possible. They're more likely to pay that ransom or whatever it is to get things going. And what a terrible tension there that exists between those two things. Agreed.
Starting point is 00:23:36 Yeah. All right. Well, interesting stuff. Dinah Davis, thanks so much for joining us. Cyber threats are evolving every second and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Starting point is 00:24:21 Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Ervin and senior producer Jennifer Ivan. Our mixer is Trey Hester, with original music by Elliot Peltzman.
Starting point is 00:25:08 The show was written by John Petrick. Our executive editor is Peter Kilby and I'm Dave Bittner. I'll be on vacation for the next week or so and Trey Hester will be behind the mic. I hope you'll give him your kind attention. I'll see you back here in about a week. Thanks for listening. Thank you.
