CyberWire Daily - Threat group with novel malware operates in SE Asia. Data theft extortion rises. Key findings of Cisco's Cybersecurity Readiness Index. iPhones no longer welcome in Kremlin. Russian cyber auxiliaries & privateers devote increased attention to healthcare.
Episode Date: March 21, 2023. Threat group with novel malware operates in Southeast Asia. Data theft extortion on the rise. Key findings of Cisco's Cybersecurity Readiness Index. iPhones are no longer welcome in the Kremlin. Russian cyber auxiliaries and privateers devote increased attention to the healthcare sector. Chris Eng from Veracode shares findings of their Annual Report on the State of Application Security. Johannes Ullrich from SANS Institute discusses scams after the failure of Silicon Valley Bank. And BreachForums seems to be under new management. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/54 Selected reading. NAPLISTENER: more bad dreams from developers of SIESTAGRAPH (Elastic Blog) Unit 42 Ransomware and Extortion Report Highlights: Multi-Extortion Tactics Continue to Rise (Palo Alto Networks) Ransomware and extortion trends. (CyberWire) Cisco Cybersecurity Readiness Index (Cisco) A look at resilience: companies' ability to fight off cyberattacks. (CyberWire) Putin to staffers: throw out your iPhones over security (Register) Black Basta, Killnet, LockBit groups targeting healthcare in force (SC Media) After BreachForums arrest, new site administrator says the platform will live on (Record)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Novel malware operates in Southeast Asia.
Data theft extortion is on the rise.
Key findings of Cisco's Cybersecurity Readiness Index.
iPhones are no longer welcome in the Kremlin.
Russian cyber auxiliaries and privateers devote increased attention to the healthcare sector.
Johannes Ullrich from the SANS Technology Institute
tracks the scams following the failure of Silicon Valley Bank.
Our guest is Chris Eng from Veracode with a look at application security.
And BreachForums seems to be under new management.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Tuesday, March 21st, 2023.
Developers of the SiestaGraph malware family, REF2924,
have been observed shifting their focus from data theft to persistent access,
Elastic reported yesterday.
A new executable, WMDTC.exe, is written in C# and referred to as NAPLISTENER.
The malware is said to evade network-based forms of detection.
NAPLISTENER is capable of processing incoming internet requests,
reading submitted data, decoding data from base64 format, and executing it in memory.
Researchers shared that the REF2924 attacker is reliant on code from open sources and
public repositories. The researchers describe the abilities of the found sample, saying that this
unique malware sample contains a C# class called MSEXGHealthD that consists of three methods: main, setRespHeader, and listener. This class
establishes an HTTP request listener that can process incoming requests from the internet
and respond accordingly by filtering malware commands and transparently passing along
legitimate web traffic. Elastic has been tracking this threat actor and has earlier reported that the combination of victimology, members of the Southeast Asian Regional Comprehensive Economic Partnership, and the absence of any obvious monetary motive suggests that the motive is probably collection of diplomatic intelligence.
Palo Alto Networks' Unit 42 has published its 2023 ransomware threat report, finding that threat actors have significantly escalated their extortion tactics. By late 2022, threat actors were conducting data theft in 70% of ransomware attacks compared to 40% in 2021.
Additionally, the use of harassment as an extortion tactic rose from less than 1% in 2021 to 20% in 2022. Unit 42 writes, threat actors call and leave voicemails for corporate
executive leaders and other employees, send emails to personnel, or disclose victims' identities on
a leak site or social media. The purpose of these activities is to make it uncomfortable
for an organization to avoid responding to the threat actors and their demands.
Manufacturing organizations, particularly in the U.S.,
were the most frequent targets for extortion attacks last year.
The researchers think much of this shift in the attacker's preference
is driven by manufacturers' observed tendency to keep older legacy software in operation.
Manufacturers' particular reluctance to tolerate downtime, which is entirely understandable from a business perspective, also in some cases can give attackers additional leverage.
Cisco released their Cybersecurity Readiness Index today,
and it sheds light on organizations' ability to safeguard against cyber threats.
The results suggest that an alarming number of companies
are not at a strong enough level of protection
against threats posited in cybersecurity today.
The research found that only 15% of global organizations
have what is defined as a mature level of readiness, meaning that they have implementations
in place that are strong enough to defend against current cyber threats. 82% of the survey's
respondents report expectations of a cybersecurity incident against their company in the next one to two years.
Those surveyed also report bearing high costs due to underpreparedness, with 41% of organizations
that reported an incident in the last year disclosing costs of at least half a million
dollars. Some good that comes from this somewhat troubling report is that a majority of respondents, 86%,
shared intentions to increase security budgets by at least 10% over the coming year. Cisco
researchers also shared that reduced complexity and higher implementation of integrated platforms
will lead to more successful and effective security resilience and preparedness.
It is also important for company
leadership to take stock of both strengths and weaknesses within their defenses and develop a
plan to build around the weaknesses. Citing reports in the Russian media outlet Kommersant,
The Register says that members of President Putin's staff have been told to get rid of their iPhones,
replacing them with Android devices,
or with phones using either Chinese operating systems or Russia's homegrown Aurora.
The Daily Star says that word around Moscow is that Apple products are particularly susceptible to monitoring by American intelligence services.
It's a security measure, not economic retaliation
against a company based in an unfriendly country,
Russian commenters say.
Users have been told that by the end of the month,
they should either toss their iPhones or give them to the kids.
A review in SC Media tracks the recent trend
on the part of Russophone cyber threat actors to attack the
healthcare sector in countries unsympathetic to Russia's invasion of Ukraine. Prominent among
the groups making the attacks are two criminal ransomware gangs, LockBit and Black Basta,
the latter generally regarded as a rebranding of the nominally defunct Conti, and the hacktivist auxiliary Killnet.
CISA and the FBI urge threatened organizations to prioritize patch management or network
segmentation of known exploited vulnerabilities, in addition to training users how to recognize
and report phishing attacks and enforcing phishing-resistant multi-factor authentication.
It's good advice at any time and to anyone,
but healthcare organizations might take special interest in it right now.
And finally, following the arrest of alleged BreachForums proprietor Pompompurin,
another figure has stepped up to claim ownership of the criminal forum, The Record reports.
The forum, well known as a C2C market where stolen data was traded,
is presently still inaccessible, but one Baphomet says he'll be bringing it back online soon,
saying, although I had already suspected it to be the case,
it's now been confirmed that Pom has been arrested.
I think it's safe to assume he won't be coming back, so I'll be taking ownership of the forum.
I have most, if not all, the access necessary to protect BF infrastructure and users.
If Mr. Baphomet is as good as his word, and whom can you trust if you can't trust someone with a demonological hacker name?
BreachForums will return shortly,
staged in new infrastructure,
when Mr. Baphomet reopens the shop,
but hunting FBI. Coming up after the break,
Johannes Ullrich from the SANS Technology Institute
tracks the scams following the failure of Silicon Valley Bank.
Our guest is Chris Eng from Veracode
with a look at application security.
Stay with us.
Security firm Veracode recently released their 2023 State of Software Security report,
focusing this year on flaw introduction and what it means for an application's life cycle when flaws are introduced. Chris Eng is Chief Research Officer at Veracode.
This time, we decided to look at a couple different angles. We try to not report on
the same thing every time. But in the past, we've looked a lot at flaw accumulation,
like what is the security debt that accumulates in an application over time. And this time,
we took a slightly different angle and we looked at flaw arrival.
What are the patterns associated with when flaws appear in applications,
which is slightly different.
And so one of the surprises for us was that
when you look at applications, you're always adding new code,
you're adding new features, right?
Any website out there, any application is always growing, very rarely shrinking.
And so despite the fact that code bases are growing at, on average, about 40% a year,
we don't see the same rate of flaw introduction, that steady rate that mirrors that 40%.
Instead, what we see is at the beginning, you discover some flaws. About 30% of
applications have some flaws, which may have accumulated up to the point where they did their
first scan. But then over the next year, year and a half, that flaw arrival rate actually decreases.
Developers introduce fewer flaws, not zero, but it goes down to like the 20% range, after which, you know,
you get to that one, one and a half year mark, and then it starts steadily rising again to where,
you know, after you, if you look all the way out to like the five year mark, it's back above that
30% again. So we've kind of labeled this in the report as honeymoon phase, where there's just this 12 to 18 month period where fewer flaws are introduced before it kind of goes back to what we expect, which is like applications, code base grows, you introduce more flaws, right?
Nobody's perfect.
That was very interesting for us to see that it didn't correlate with the code base growth.
Any insights as to why that might be?
Yeah, it's a good question as to why this is happening.
We have the data that we can see what's happening,
and we have to kind of make guesses
about why that's happening.
One of the reasons, I think,
is that you have a certain amount of turnover
with developers on a team.
As the application gets more mature,
as some developers move on to other projects,
they may take some institutional knowledge with them
about how that code base works.
Also, as the functionality grows, as new features grow,
let's say you're adding new integrations to the application.
These are things that increase the surface area,
they increase the connections and the code base,
and these are all things that somebody new
that may join the project,
they may not know how everything fits together,
and so they may end up introducing some flaws
because they don't know about security measures
that are in place or the ones that they need to take or so on.
But there are any number of reasons that I think this could happen.
Software is complex, and that's kind of my initial guesses
as to why we might be seeing that pattern.
Yeah. You know, I guess it's safe to say that not all flaws are created equal.
Is there any information that you were tracking here
as to the severity of flaws?
Yeah, we look at not only the different flaw categories, but also as applications are introducing new flaws, are they flaws that are important ones?
Are they in the OWASP Top 10, which is the most common categories that affect web applications? Or are they in the CWE
Top 25, which is another taxonomy there? And when you look at, are they introducing high severity
flaws? Those are actually a lot less prevalent than flaws in general, which is what you would
hope, right? It tells you that developers and development teams are at least focusing on
the right things. It's hard to
kind of prevent everything from creeping in, but at least there's some effort being paid to make
sure that developers understand about the ones that are going to be the most impactful, the most
security impacting to their applications. So yeah, that's a good trend. Yeah. Well, based on the
information that you all have gathered here, what are your recommendations then for folks who are in this world day to day? Any words of wisdom?
influence that rate. So you start with like a base rate of about 27%. We found that there's about a 27% chance that an application will introduce one or more new flaws every month.
But there are factors that can bump that number up or down. So they can make it less likely that
you would introduce new flaws. And if you did introduce new flaws,
you could even reduce the number of flaws that you would introduce.
And so those factors really hinged around automation.
If you were scanning via the API,
using the APIs and automation
rather than relying on a human
to remember to do a scan and go upload it and so on,
you actually reduced the probability of new flaws
and the volume of new flaws.
If your developers were taking trainings,
interactive trainings,
so if on your application team
you had at least 10 trainings completed,
that actually reduced the probability
that new flaws would be introduced.
And so these are additive also.
So if you're doing multiple of these good behaviors,
you're putting yourself in a much, much better position.
So we did see, and we've seen this before,
but we've never looked at it in terms of flow introduction.
We've looked at it more in terms of security debt.
But all these factors around,
and these are things you see in DevOps a lot, right?
Automation, building these good practices
into the tool chain
so that they just become a matter of hygiene
as opposed to something that you have to remember to do.
So all this automation and training does pay off
and it results in fewer flaws coming to the application,
which means fewer flaws that you have to deal with later.
So those are things that we would recommend
that people get on top of.
That's Chris Eng from Veracode.
And joining me once again is Johannes Ullrich. He is the Dean of Research at the SANS Technology Institute
and also the host of the ISC StormCast podcast.
Johannes, it's always great to welcome you back.
Thanks for having me here.
Well, I want to touch base with you today
on some research that you shared with us recently.
You all are tracking some of the fallout
from the Silicon Valley bank run and implosion and the cybersecurity aspects of that.
What can you share with us today?
Yeah, so basically what happened here is after all this uncertainty on Friday where the big news came out that the Silicon Valley bank is going to be taken over by the government and you may not get your money back. We saw a relatively large number of new domains being registered
that basically used SVB as part of their name,
that acronym for Silicon Valley Bank.
Some of them looked more suspicious than others.
For example, svb-login.com or loginsvb.com
were two domain names that we particularly took a look at.
But then also some domain names that look more like, for example, attracting clients for lawsuits,
or in one case, even svbladeoffgifts.com and things like that.
So some of them are fairly simple money-making schemes,
others probably a little bit more nefarious.
The problem with an event like this SVB takeover is that, of course, over that weekend,
there was an awful lot of uncertainty.
How are you going to communicate with the bank?
How are you going to get your money back?
How much money are you going to get back?
And that is really ripe for fraud.
We did then on Monday also see reports of SVB customers trying to update their account information.
So you may have received an email if you're a customer of a company that used SVB,
but they told you, hey, SVB, as you hear, went under.
We are now using a different bank.
Here are our new bank details.
We haven't seen any abuse of this yet,
but these type of emails, they're essentially
what you usually find with business email compromise.
When a hacker is breaking into an email system,
waiting for the right email,
and then replying with just that kind of information.
So this really allowed for mass business email compromise,
which is actually compromising your business email.
I suppose it's worth mentioning here that in all of this,
there are a lot of people who understandably
would be in a heightened emotional state.
Exactly. So that urgency, and once the adrenaline kicks in here, you may not really think as clearly as you're supposed to.
So that really helps the fraudsters as much as it hurts the good people you're trying to defend.
So what are you recommending here?
I mean, should we be putting filters in place to look for that SVB phrase?
Or how do we protect ourselves from these things?
Well, in part, vendors already have taken care of this.
So at this point, many of these domains,
if you're pulling them up in your browser,
they'll be blocked because they're considered malicious if they are malicious.
The other thing, of course, is just to use it as education for your users.
Train them not to fall for social engineering, to let their guard down and not follow procedure,
for example, for account updates.
It's hardly ever critical if a payment isn't going through
one particular day, if it waits another day or so.
It's better than losing a ton of money to some fraudster
with little recourse to get the money back again.
That's a great point of using something like this high profile
where there's broader knowledge of it
to use it as a teaching moment.
Correct, and that way everybody's already kind of aware of it.
They may have seen some of these emails and such
in their own inbox.
So using it as a teaching moment,
I wouldn't use it as a phishing test,
that may be a little bit too much.
But just as part of your awareness newsletter or if you're talking to your accounting staff,
in particular people that may receive
business email compromise style emails,
say, hey, we keep talking about this.
This is just one of these events you have to be aware of
and you have to be careful about.
Talk to us, let us know if you're seeing a suspicious email.
Rather report one too many than not enough.
I'm curious, can you give us some insights?
You and your colleagues there at SANS,
when you're tracking this sort of thing,
what sort of tools are you using to keep an eye
on these domain registrations?
How do you go about that?
We have a couple tools that we use for that.
First of all, for some of the top-level domains,
you can get daily zone files, as they call them,
basically a list of all the registered domains
and figure out which ones are new.
Another tool we find quite helpful
is something called certificate transparency.
Whenever you register a certificate for a domain, for a host name, it's being published in certificate transparency logs.
So we look in those logs because these days, even phishing sites use TLS and register certificates as a result.
Or even if you go to your average registrar, they often set you up with a little parked domain page.
They register automatically a certificate
for that parked domain page.
So that's how we
get the information. We also
make it available, if you don't want to
parse it yourself, via an
API that we offer on the Internet Storm Center
website. So you can
even go back a couple of years now,
I think, because if you started doing that
and basically search for domain names for simple keywords, just
download the list and do something interesting with it yourself.
Yeah. All right. Well, Johannes Ullrich, thanks so much for joining us.
Thank you.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is a production of N2K Networks,
proudly produced in Maryland out of the startup studios of Data Tribe,
where they're co-building the next generation of cybersecurity teams and technologies.
This episode was produced by Liz Ervin and senior producer Jennifer Iben.
Our mixer is Trey Hester, with original music by Elliot Peltzman. The show was written by John Petrick.
Our executive editor is Peter Kilby, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.