CyberWire Daily - Traffers and the threat to credentials. WiFi protocol flaw. Cross-chain bridge attacks. A shift in Russian cyber operations. Piracy is patriotic.

Episode Date: March 29, 2023

Traffers and the threat to credentials. A newly discovered WiFi protocol flaw. Cross-chain bridge attacks. A shift in Russian cyber operations. Ann Johnson from Afternoon Cyber Tea chats with EY principal Adam Malone. Our guest is Toni Buhrke from Mimecast with a look at the State of Email Security. And is piracy patriotic? For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/60

Selected reading.
Traffers and the growing threat against credentials (Outpost24 blog)
WiFi protocol flaw allows attackers to hijack network traffic (BleepingComputer)
Cross-chain bridge attacks. (CyberWire)
2023 Annual State of Email Security Report (Cofense)
From Ukraine to the whole of Europe: cyber conflict reaches a turning point (Thales Group)
Russia Ramps Up Cyberattacks On Ukraine Allies: Analysts (Barron's)
Pro-Russian hackers shift focus from Ukraine to EU countries (Radio Sweden)
Russian hackers attack Slovak governmental websites after country supplies Mig-29s to Ukraine (Ukrainska Pravda)
Ukraine's Defense Ministry says Russia is encouraging online piracy (The Jerusalem Post)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Traffers and the threat to credentials. A newly discovered Wi-Fi protocol flaw. Cross-chain bridge attacks. A shift in Russian cyber operations.
Starting point is 00:02:10 Ann Johnson from Afternoon Cyber Tea chats with EY principal Adam Malone. Our guest is Toni Buhrke from Mimecast with a look at the state of email security. And is piracy patriotic? From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, March 29th, 2023. Outpost24's KrakenLabs describes how traffers fit into the criminal ecosystem. Traffers are cybercriminal gangs focused on stealing and selling credentials. The criminals hide info-stealing malware in cracked software products and distribute it via social engineering. The researchers explain,
Starting point is 00:03:14 To spread the malware as far and wide as possible, they have formed an industry-like structure of product and service providers, as well as dedicated marketplaces, in the form of Telegram channels to facilitate the sale of those credentials. BleepingComputer reports that researchers from Northeastern University and imec-DistriNet have discovered a flaw in the IEEE 802.11 Wi-Fi protocol standard that can allow an attacker to access Wi-Fi frames in plain text. The researchers were able to exploit a flaw in the Wi-Fi protocol's power-saving features, which queues frames that are sent to sleeping devices. The researchers state that an attacker
Starting point is 00:03:58 can override and control the security context of frames that are yet to be queued. This exploits a design flaw in hotspot-like networks and allows the attacker to force an access point to encrypt yet-to-be-queued frames using an adversary-chosen key, thereby bypassing Wi-Fi encryption entirely. Our attacks have a widespread impact as they affect various devices and operating systems, Linux, FreeBSD, iOS, and Android, and because they can be used to hijack TCP connections or intercept client and web traffic. Moody's Investors Service has released a report detailing cross-chain bridge attacks and the need for blockchains to institute more security against such threats. Cross-chain bridges, or a set of computer codes that enables the transfer of assets,
Starting point is 00:04:51 data, or information between two different blockchains, are open to a number of vulnerabilities. The report says that attacks on cross-chain bridges last year saw losses of upwards of $2 billion. Half of the 10 most profitable cyber thefts ever were observed against cross-chain bridges, with last year's attack on the Ronin bridge a prime example, seeing losses of upwards of $600 million. Most bridges have a centralized architecture that creates a single target point that can be exploited, but attacks have also been seen making use of operational weaknesses. Barron's reviews industry consensus that Russia's cyber war on Ukraine largely failed, and Moscow is increasingly targeting Kyiv's European allies.
Starting point is 00:05:40 Thales' cyber threat intelligence team is the latest industry source to discern a change in Russian cyber operations. Ukraine, having proved a hard target and cyber attacks there having been largely supplanted by kinetic strikes, Russian operators are increasingly focused on hitting Western Europe. Thales says the third quarter of 2022 marked a turning point in cyber attacks related to the conflict in Ukraine, with a clear transition from a cyber war focused on Ukraine and Russia to a high-intensity hybrid cyber war across Europe. The cyber war is targeting Poland and the Baltic and Nordic countries in particular, with an increasing focus on critical national infrastructure in sectors including aviation, energy, health care, banking, and public services. So, the Baltic and Nordic countries, along with Poland, have been singled out for special attention, as have smaller states who are candidates for full EU integration, such as Montenegro and Moldova. Much of the heavy lifting against Western Europe
Starting point is 00:06:45 seems to have been delegated to hacktivist auxiliaries. Thales says, from targeted destruction campaigns to guerrilla cyber harassment, pro-Russian hacktivists are using DDoS attacks to make servers temporarily inaccessible and disrupt services. They are part of Russia's strategy to engage in information warfare as a way to wear down public and private organizations. Among the auxiliaries Thales calls out are Anonymous Russia, Killnet, and Russian hacking teams. The report suggests that
Starting point is 00:07:18 they've sought to pattern some of their activities after operations by the opposing Ukrainian IT Army. The Russian groups represent a wide range of skill levels and are often, although not invariably, associated with cybercriminal gangs. Their control by the state ranges from direct command through inspiration to simpatico political alignment with Russian war objectives, and their most common tactic by far has been DDoS. Some of the attacks against countries that support the cause of Ukraine are directly tied to current events. Slovakia's decision to transfer 13 MiG-29 fighters to Ukraine, for example, was immediately followed by an Anonymous Russia DDoS attack against a range of Slovak government sites, Ukrainska Pravda reports. And finally, did you know that piracy is patriotic? Well, at least in some places it
Starting point is 00:08:15 seems to be. Ukraine's defense ministry said this week that Russia has declared online piracy patriotic, stating, the word pirate is now rehabilitated in Russia. Deputy Chairman of the Security Council Medvedev and Putin spokesman Peskov urged Russians to download Western movies, music, and programs from pirate sites. No need to be shy, just add the skull and bones to the tricolor. Kyiv, of course, is just taking an opportunistic, albeit understandable, swing at Moscow, but they're not really exaggerating either. TASS reported back in December that piracy in Russia was likely to increase, alas, under the
Starting point is 00:08:58 pressure of Western sanctions. Like the special military operation itself, that's to be regretted, but after all, it was forced on Russia by the aggressive posture of the collective West. One of the more popular movies in Russia right now, we hear on the street, is The Batman, and it's probably one of the most illegally streamed. Apparently, there are only so many times you can watch Battleship Potemkin. Anywho, enjoy The Batman, and imagine St. Petersburg as Gotham on the Neva.
Starting point is 00:09:40 Coming up after the break, Ann Johnson from Afternoon Cyber Tea chats with EY principal Adam Malone. Our guest is Toni Buhrke from Mimecast with a look at the state of email security. Stay with us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora
Starting point is 00:10:22 have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses
Starting point is 00:11:17 is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24/7, 365 with Black Cloak. Learn more at blackcloak.io. Microsoft's Ann Johnson is the host of the Afternoon Cyber Tea podcast.
Starting point is 00:12:01 And in their most recent episode, she sat down with EY principal Adam Malone. Here's Ann Johnson. On today's episode of Afternoon Cyber Tea, I am joined by Adam Malone, principal at EY. Adam currently leads the private equity sector within EY's cyber consulting practice. He has also led EY's globally recognized threat resiliency capability. And prior to joining the private sector, Adam was a supervisory special agent for the FBI, where he led teams investigating cybercrime, acts of terrorism, and cyber-enabled economic espionage by nation states. He has also spent time as a senior systems engineer for BAE Systems, and he's a veteran of the U.S. Air Force. Welcome to Afternoon Cyber Tea, Adam. I am absolutely
Starting point is 00:12:43 thrilled to have you on today. Thanks, Ann. It's great to be here, and I really appreciate the opportunity to talk to your listeners. I know your time in the FBI, you were involved in several high-profile cyber investigations and a lot of events. When you were leading these investigations, were there any surprising trends you were seeing again and again? And are you still seeing the same type of trends today? I think the answer to both of those questions is yes. I think the first observation that I had is it really all comes down to people at the end of the day. And so, you know, people always played a pivotal role in either preventing a crime occurring or advancing a crime, sometimes intentionally or unintentionally.
Starting point is 00:13:18 But that was a big piece of it. You know, I think today we still hear about the threat of business email compromise. And that's been the most significant financial technology-enabled crime, I think, over the past two decades. And it was a big thing then, right? And that really relies on people preying on our comfort with one another and our communication skills and sometimes our willingness to bend process, to ease our actions. And so that was a big thing that I saw a lot in the FBI from my early career to my later career. I think the other piece, you know, we've seen a lot about what's happened with malware
Starting point is 00:13:52 and how it became very prevalent. And sometimes it kind of shifted to being less prevalent when we went to thinking about how attackers use technology against us. Do you see people who actually end up unintentionally and they're actually victimized by cyber criminals into doing criminal type activities themselves? You know, I think yes is part of an answer there,
Starting point is 00:14:15 especially when you look at the economic ecosystem of cyber crime, right? At the end of the day, cyber is about, cyber crime at least is about economics and power, whether it's a criminal group or a nation state. While there are great, we'll use the term hackers, there are great hackers out there that are great at breaking the control, getting a piece of malicious code into a system, for example, to steal credit card numbers off of a PCI network. They still have to cash that money out. They got to take it from digital to hard currency. And where we used to see a lot of interesting, let's call it unintentional crime that was
Starting point is 00:14:51 committed was in people preying on, or in criminals preying on, you know, regular people that are trying to, you know, make it in life and advance their careers. So one of the things I'm seeing today in cyber trends is this need for business and cyber leaders to be more aware and proactive in mitigating against all of the geopolitical events we're seeing around the world. What's your take on this trend and what are you hearing when you talk to your customers?
Starting point is 00:15:17 That's a great question. You know, I think never has it been more apparent than in today's global economy, kind of starting with the supply chain, right? It's everywhere, right? And we could see from some of the recent Russian and Ukrainian conflicts that there are businesses that had suppliers, maybe digital suppliers, maybe they were coders, you know, they were in the agricultural industry that they relied on to make their businesses run. Luckily, we've gotten smarter over the past several years, but we still have a ways to go. Understanding where your supply chain is, where it shifts,
Starting point is 00:15:49 and how those geopolitical events or conflicts can impact them is huge. That's Ann Johnson from the Afternoon Cyber Tea podcast. You can find that on our website or wherever you find your podcasts. The folks at Mimecast recently published their 2023 State of Email report, tracking trends in that most ubiquitous of online interaction tools. Toni Buhrke is Director of Sales Engineering at Mimecast, and I caught up with her for details from the report. Not only is it in heavy use, but it remains the top vector for attack surface. And, you know, there's a reason for that. A lot of cyber criminals know that the
Starting point is 00:16:48 utilization of email has gone up, especially since COVID. And it provides them really with the most digital doors and windows to get them a way to climb into an organization. And in the survey, we found that a lot of our participants, 75% to be exact, say that they've seen email-based threats increase over the last year. And those threats are becoming increasingly more sophisticated in nature. And they say that that's one of their biggest challenges. And three quarters of them feel that an email-borne attack is going to have serious consequences for their org in the coming year. And then you couple that with the fact that some of the email solutions that they're leveraging, like Microsoft 365 and Google
Starting point is 00:17:38 Workspace, they have good security. But with the type of threats that we're seeing and the frequency of those attacks, businesses need great security. And that was reflected in the survey. 94% of the people we surveyed said that the security provided by Microsoft and Google is too thin. So the reality is in a world where half of the malicious email attachments are Microsoft 365 files, we really need to have an additional layer of protection for our email applications. So I don't really see email going away as our number one attack vector for some time. And what are you all tracking in terms of people responding to this threat? Are they budgeting for this? How are they responding? Well, the good news that I think
Starting point is 00:18:26 when we look at the industry as a whole, we've really beaten the drum to get the attention of the C-suite and boards on the challenges that we're facing in the trenches, right? But the boards now and the executives are really focused on other priorities right now too, like our economy and the impact of that to their business. So what we see a lot of companies doing now that we have this attention is really putting together a better case for cyber resiliency as a whole. Now, unfortunately, the cases that we're presenting to the boards and the C-suite aren't always turning into budget dollars, right? Two-thirds of our respondents said that their organization's cybersecurity budget is less than it should be. And that's similar to what we found last year. So some companies are responding by going through and leveraging cyber insurance, but
Starting point is 00:19:26 cyber insurance rates have been rising as more and more claims have been filed. And so the insurance companies are putting a lot more scrutiny on organizations' cyber hygiene during the underwriting process. So whether they go the cyber insurance route or they decide to build a better cyber hygiene program, that's really up to the organization to decide because we see more of the enterprise companies going the path of really shoring up their cyber hygiene, whereas some of the small to medium-sized businesses are still relying upon cyber insurance to fill that gap. Well, based on the information that you all have gathered here, what are your recommendations then?
Starting point is 00:20:09 How do organizations do a better job protecting themselves from these email threats? Well, to avoid getting phished, which as I mentioned is so pervasive now based upon the survey respondents, we need to do a better job of training the users, right? Phishing attacks rely on false pretenses, social engineering, anything that they can to deceive employees. But what we've shown in the survey, that ongoing and engaging awareness training can teach them to spot those sort of threats and avoid them right at the source. Employees are the front line of defense and we really need to do a better job of training them and making them more aware of their responsibility to protect the organization and themselves. Another recommendation I would have is that spoofing is a problem. DMARC is the answer. So nearly every company getting spoofed, I think it was around 90%, and we're seeing
Starting point is 00:21:09 an increase over this year over year. But what I'm not seeing is them taking advantage of DMARC. And DMARC is a robust, cost-effective protocol that helps ferret out bogus emails. And companies need to realize that protecting a brand is hard. It's hard to be proactive, but repairing a brand that's been damaged is even harder. So that makes successfully implementing a proven solution like DMARC a no-brainer and something that we should really be focused on as an industry. And last but not least, a cyber insurance policy doesn't replace your own cyber preparedness plan. It may make financial sense to insure against cyber risk, but even the best cyber
Starting point is 00:21:53 insurance can only compensate for what happens after a breach, right? It doesn't help prevent it from occurring in the first place. So C-level executives and their staff need to own their cyber preparedness plans, make them robust, and fight the increase in cyber insurance costs that are going to continue to go up as more and more breaches occur. So focus on your cyber preparedness plan, and that would be the best way to address the overall risk. That's Toni Buhrke from Mimecast. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping
Starting point is 00:22:56 unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's The CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben.
Starting point is 00:23:48 Our mixer is Tré Hester with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
