CyberWire Daily - Twitter looks for a leaker. Insider risks. The state of resilience. Russian auxiliaries briefly disrupt a French National Assembly website. Cyber trends in the hybrid war. DPRK hacking, as it is.
Episode Date: March 28, 2023
Twitter gets a subpoena for a source-code leaker’s information. The insider risk to data. Russian hacktivist auxiliaries target the French National Assembly. Recent trends in cyberattacks sustained by Ukraine. Ben Yelin unpacks the White House executive order on spyware. Mr. Security Answer Person John Pescatore ponders the permanence of ransomware. And cyberespionage and cybercrime in the interest of Pyongyang’s weapons programs. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/59
Selected reading.
GitHub Suspends Repository Containing Leaked Twitter Source Code (SecurityWeek)
Twitter takes down source code leaked online, hunts for downloaders (BleepingComputer)
Annual Data Exposure Report 2023 (Code42)
Russian Hackers Target French National Assembly Website (Privacy Affairs)
Pro-Russian Hacktivists: A Reaction to a Western Response to a Russian Aggression (Radware Blog)
Ukraine at D+397: Cyberespionage and battlespace preparation. (CyberWire)
APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations (Mandiant)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code N2K at checkout.
Twitter gets a subpoena for a source code leaker's information.
The insider risk to data.
Russian hacktivist auxiliaries target the French National Assembly.
Recent trends in cyber attacks sustained by Ukraine.
Ben Yelin unpacks the White House executive order on spyware.
Mr. Security Answer Person John Pescatore ponders the permanence of ransomware.
And cyber espionage and cybercrime
in the interest of Pyongyang's weapons programs.
From the Cyber Wire studios at Data Tribe,
I'm Dave Bittner with your Cyber Wire summary for Tuesday, March 28th, 2023.
Internal Twitter source code was leaked on GitHub by an unknown actor months ago, according to the New York Times.
GitHub took down the repository on Friday following a DMCA infringement notice from Twitter.
Twitter has also issued a subpoena requesting information on the user who posted the data,
as well as any information on users who have downloaded or shared the source code.
The company is asking GitHub for all identifying information associated with a GitHub username, Free Speech Enthusiast.
BleepingComputer thinks the alleged leaker's GitHub handle, Free Speech Enthusiast,
appears to be a reference to Elon Musk
and suggests the individual is or was a disgruntled Twitter employee,
maybe one of those insider threats we hear about.
Speaking of those zany insiders, Code42 this morning released its 2023 annual data exposure report
discussing the complex nature of addressing insider risk or the threat of someone within an organization
using their access to do harm to the company,
either maliciously or otherwise. Most CISOs who responded see the insider risk as a problem in
their organization. It's also difficult to detect data loss to insiders. Despite the use of multiple
tools to protect against insider threats, 75% of CISOs note that detection of data loss from within
their company is difficult, with 27% saying that it is in fact the most difficult threat
above cloud data exposure and malware, including ransomware.
Immersive Labs this morning released a study titled,
Cyber Leaders Need a More Effective Approach to Building and Proving Resilience.
The study surveyed decision makers in cybersecurity about the state of their organization's cyber resilience.
The responses indicated that 82% of respondents believe they could have mitigated some or all of the damage of the most significant cyber incidents they sustained if they'd been better prepared. Senior leadership is also putting
pressure on cyber teams, as 84% of respondents feel increasing pressure to be prepared for
impending cyber attacks. 72% of those surveyed say that they agree that the threat landscape
has become more challenging. Only 32% of respondents believe that there actually is
an implementable strategy for cyber resilience within their organization.
NoName057(16), a Russian hacktivist auxiliary, claims to have conducted a distributed denial-of-service attack against a website belonging to France's National Assembly.
Privacy Affairs reports that the site went down early yesterday morning
and remained unavailable into the afternoon. The site is now back online. Radware, in the course
of an overview of hacktivism in Russia's war, offered this assessment of the group that's
claimed responsibility, stating, NoName057(16) is a pro-Russian threat group known for launching defacement and DDoS attacks against Ukraine and those that directly or indirectly support Ukraine.
The hacktivist group formed in March of 2022 on Telegram and became a notable threat group.
While less media savvy than Killnet, it is considered one of the most active groups and the most prominent threat to Western
organizations. The State Service of Special Communications and Information Protection of
Ukraine yesterday tweeted an appreciation of how Russian cyber attacks have progressed
during Russia's war. Local government has eclipsed the defense industry as the second
most targeted sector. The report states, while central government remains
a major target for Russian hackers, we also record a significant number of attacks on local level
authorities. Security and defense sector used to be ranked second a year ago. CERT-UA is recording
a certain drop in the number of cyber attacks on the security and defense sector and a growing
amount of incidents in the public sector,
as well as attacks on software developers, internet service providers, and commercial companies.
There's also been a shift toward espionage as opposed to disruption. The report says,
This year, we record an increased number of attacks aimed at espionage with a focus on
maintaining continued access to target organizations.
Applications for data collection and remote access to user devices prevail among the malware spread by Russian hackers. We see this as a clear sign that Russia is gearing up for a long war.
Through their hackers, they try to get any information that might be useful for conventional
warfare against our country, from military draft
data to weapon logistics secrets. With that said, infrastructure remains a favored target set.
This is consistent with both espionage and battle space preparation. Civil infrastructure remains a
major target for Russian hackers. This morning, Mandiant released a study describing the recent activities
of APT43, a familiar North Korean threat actor that conducts cybercrime to fund its cyber
espionage efforts. APT43 is also tracked as Kimsuky or Thallium. Mandiant says the threat
actor uses aggressive social engineering tactics combined with moderately sophisticated technical capabilities
to target South Korean and U.S.-based government organizations,
academics, and think tanks
focused on Korean Peninsula geopolitical issues.
While the group targets a wide range of organizations and industries,
Mandiant believes APT43's primary goal
is to advance North Korea's weapons program.
Stating, the group is primarily interested in information developed and stored within the U.S.
military and government, defense industrial base, and research and security policies developed by
U.S.-based academia and think tanks focused on nuclear security policy and non-proliferation.
APT43 also conducts cryptocurrency theft to fund its own operations.
In one instance, the threat actor used a phony Android app to target Chinese users seeking cryptocurrency loans.
The group uses hash rental and cloud mining services to launder the stolen funds.
So, not a true APT side hustle as one sometimes sees,
because it's all done in the interest of the respected General Secretary, his own self,
the symbol of strength of the state and the banner of all victory and glory,
or more specifically to his nuclear weapons program.
It's a state revenue initiative.
If it were a real APT side hustle,
the exfiltrated alt-moolah would be going into the cold wallets of some guys and gals out Sinanju way.
Coming up after the break,
Ben Yelin unpacks the White House executive order on spyware.
Mr. Security Answer Person John Pescatore ponders the permanence of ransomware.
Stick around.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices,
home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk.
In fact, over one-third of new members
discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.
Mr. Security Answer Person.
Hi, I'm John Pescatore, Mr. Security Answer Person. Our question for today's episode,
I saw a few news items quoting reports that said ransomware payments in 2022 went down 40%.
Assuming those reports are accurate, does that mean the world has gotten better at avoiding ransomware?
Or just gotten better at recovering from ransomware and not needing to pay the ransom?
Or something else?
Let's take your question piece by piece.
First, just as I'm pretty sure there is no global deer committee that decides each season which type of landscaping of mine the deer will eat this year, there is no global cyber bad guy steering committee that says,
Breaches against healthcare are so last year, let's do ransomware against energy companies this year.
Most of the damaging attacks that get press coverage are launched by criminals who will take advantage of whatever vulnerabilities they find.
It is like car theft.
Year to year, the most stolen model may be different,
but the most common enablement of theft each year is unlocked cars with the keys inside.
As far as how much victims paid their attackers to get their data back,
even the research reports note how shaky their estimates are.
Even if those numbers could be made reasonably accurate, and they can't,
would that information really change your defense strategy?
We'll come back to that.
Let me give you my guess at why ransom payment volume might be down.
The biggest is the collapse
of the virtual quote-unquote currency ecosystem
from two perspectives.
The first is rapid deflation in value of those coins,
and two, the ease of law
enforcement in monitoring the exchanges, which have to be used to get real currency, since virtual
currency is pretty useless to the bad guys. The attack may still succeed, but making money got
harder. Now, we did see many enterprises use successful ransomware incidents to finally
upgrade their backup and recovery processes.
But the criminals quickly switched to, fine, you won't pay us to give you a decryption key, so we will just release the data.
If you're storing gym bags full of cash in your car and leaving the keys in the ignition, oh, you'll get your car back, no problem.
To continue this somewhat tortured analogy, ransomware was kind of like your check engine light coming on, and when you checked the codes, there were two warnings.
Code 3324, make sure critical data is backed up, but also code 0001, pull over immediately and stop using reusable passwords,
which is like the example of the bad instructions for defusing a bomb. Cut the red wire after cutting the blue wire.
Reusable passwords are the keys left in the ignition.
The bad news about reports saying ransomware payments are going down is
it may cause publicity that leads to the reduction in the push of moving to multi-factor authentication.
So on that point, take a look at the Identity Theft Resource Center 2022 Identity Theft Report.
The number of breaches was essentially the same in 2022 as 2021, which was a record year.
Use that data to keep the pressure on for making the transition away from reusable passwords. One factor cited in a report by Chainalysis was cyber insurance companies raising the bar and driving enterprises to higher levels of security operations against ransomware to renew cyber insurance policies.
This is another area where there is zero data, but anecdotally, it is hard to find success stories around cyber insurance.
Premiums have definitely gone up, but they've gone up for everyone,
not on some kind of hands-on program of security assessments by the insurance industry.
Plus, quite often the funds spent on cyber insurance could have been used to reduce the likelihood of an attack causing meaningful damage.
Cyber insurance may have played some role in raising the bar, but don't forget about the opportunity costs of paying for coverage.
The short answer is that if the movement towards strong authentication
continues, the keys are being taken out of the ignition. If essential security hygiene is being
achieved, the doors are being locked. Those defensive actions are being done proactively by
some, after their peers are hit by many, and only after direct damage to their own company by too
many. Don't wait to be in that latter group.
Thanks for listening.
I'm John Pescatore, Mr. Security Answer Person.
Mr. Security Answer Person with John Pescatore
airs the last Tuesday of each month right here on The Cyber Wire
send your questions for Mr. Security Answer Person
to questions at thecyberwire.com
And joining me once again is Ben Yelin.
He is from the University of Maryland Center for Health and Homeland Security and also my co-host over on the Caveat podcast.
Hello, Ben.
Hello, Dave.
So we got an executive order from the Biden administration recently
that is cybersecurity related here.
Can you unpack what's going on for us? Sure. So this week, the president signed a new executive
order restricting our government and its agencies from using commercial spyware. As we know,
commercial spyware gives governments the power to hack the mobile phones of private citizens
to extract data and track movements. So there's legitimate law enforcement
purposes for using commercial spyware, which is the reason why many of our federal agencies have
deployed it. It is a valuable counterintelligence tool. It's valuable for criminal investigations.
One thing that's discussed in this article that we're working off of here, a New York Times article,
is that the DEA uses commercial spyware
in some of its narcotics investigations,
and it's very valuable in following leads,
catching criminals, et cetera.
But commercial spyware has been used
in countries all over the world
for less beneficial purposes, to put it mildly,
including spying on dissidents, spying on
journalists. And this doesn't just happen in the third world. It's happened in a variety of EU
countries. It's happened in Mexico. So it's a pretty widespread problem. The main commercial
spyware company is the NSO Group, which developed Pegasus. And Pegasus has been used not only
in foreign countries, but in foreign countries against our own government officials.
An administration estimate is that at least 50 government personnel in at least 10 countries
have been hacked with this spyware, which is a larger number than I think we had previously known. So this executive order would prevent any governmental department or agency from using this,
any type of commercial spyware that would be abused by foreign governments that could target Americans overseas
or could expose security risks if it were deployed on U.S. government networks.
The order only covers spyware developed by commercial entities.
We can expect, even though we don't have 100% proof,
that our government has built its own spyware tools,
and even with that executive order,
it is free to build those tools and to deploy them.
But this is about avoiding the use of these commercially available spyware technologies.
So what's the motivation here for the Biden administration? Why this executive order and
why now? So that's a great question. There's the obvious benefit of protecting American personnel
from having this type of technology used against us. And those are certainly valid cybersecurity
concerns. But there's also an international relations element to this. The Biden administration
this week is going to be hosting a summit for democracy at the White House. And one of the
messages that they're going to try and emphasize, and they're doing that in the news release on this
executive order, is that our leadership in the United States has a commitment to advancing technology for democracy,
including by countering the misuse of commercial spyware and other surveillance technology.
So I think it's not a coincidence that this executive order was released
while the Biden administration is hosting the Summit for Democracy.
It's to set an example, particularly for other Western democracies, that even though this technology can be useful and beneficial, an important democratic value and an important facet of international leadership is fighting this type of misuse of commercial spyware.
They were planting an American flag in the ground.
Exactly, exactly. So I do think there is an international relations element to the story.
Is there any pushback here? Do we expect that Congress will be on board?
So far, this doesn't seem to be an issue that has polarized Congress.
I don't think there's a big constituency out there
defending Pegasus or the NSO Group. So I don't anticipate there being major pushback from
Congress on this necessarily. There might be internal pushback from individual agencies
if they have been using Pegasus for some type of successful operation, and now that has to be discontinued. I can imagine
some frustration at having this wrench thrown into an investigation. Right, right. You're tying
our hands. Exactly. But from a broader policy level, I don't think that this is something
that's going to raise the ire of members of Congress. Although I should not be in the
political predictions game. You never know what's going to raise the ire of members of Congress.
Right. Absolutely.
All right. Well, Ben Yelin, thank you for bringing us up to date.
Thank you, Dave.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
[...] designed to give you total control, stopping unauthorized applications, securing sensitive
data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see
how a default-deny approach can keep your company safe and compliant.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is a production of N2K Networks,
proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
This episode was produced by Liz Ervin
and senior producer Jennifer Iben.
Our mixer is Trey Hester,
with original music by Elliot Peltzman.
The show was written by John Petrick.
Our executive editor is Peter Kilby,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
[...] products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your
role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.