CyberWire Daily - Unpatched instances and vulnerabilities rear their ugly heads. Russian telecom provider targeted in an act of “cyber anarchy.” Alleged crypto heist conspirators face charges.
Episode Date: June 12, 2023
Attacks against unpatched versions of Visual Studio and win32k continue. Progress Software patches two MOVEit vulnerabilities. The Cyber Anarchy Squad claims to have taken down a Russian telecommunications provider's infrastructure. RomCom resumes its activity in the Russian interest. Deepen Desai of Zscaler describes Nevada ransomware. Our guest is Clarke Rodgers from Amazon Web Services with insights on what CISOs say to each other when no one else is listening. And the Mt. Gox hacking indictment has been unsealed.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/112
Selected reading.
Online muggers make serious moves on unpatched Microsoft bugs (The Register)
Analysis of CVE-2023-29336 Win32k Privilege Escalation Vulnerability (with POC) (Numen)
MOVEit Transfer and MOVEit Cloud Vulnerability (Progress Software)
MDE Affected by Global Data Breach (Minnesota Department of Education)
Hackers Use Stolen Student Data Against Minneapolis Schools in Brazen New Threat (The 74)
Ofcom statement on MOVEit cyber attack (Ofcom)
Ukrainian hackers take down service provider for Russian banks (BleepingComputer)
Pro-Ukraine hackers claim to take down Russian internet provider (The Record)
Pro-Ukraine Cyber Anarchy Squad claims the hack of the Russian telecom provider Infotel JSC (Security Affairs)
RomCom Resurfaces: Targeting Politicians in Ukraine and U.S.-Based Healthcare Providing Aid to Refugees from Ukraine (BlackBerry)
Mt. Gox's Hackers Are 2 Russian Nationals, U.S. DOJ Alleges in Indictment (CoinDesk)
Russian nationals accused of Mt. Gox bitcoin heist, shifting stolen funds to BTC-e (The Record)
Russian Nationals Charged With Hacking One Cryptocurrency Exchange and Illicitly Operating Another (US Department of Justice)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout.
That's joindeleteme.com/n2k, code n2k.
Attacks against unpatched versions of Visual Studio and win32k continue. Progress Software patches two MOVEit vulnerabilities. The Cyber Anarchy Squad claims to have taken down a Russian telecommunications provider's infrastructure. RomCom resumes its activity in the Russian interest. Deepen Desai of Zscaler describes Nevada ransomware. Our guest is Clarke Rodgers from Amazon Web Services with insights on what CISOs say to each other when no one else is listening. And the Mt. Gox hacking indictment has been unsealed.
I'm Dave Bittner with your CyberWire Intel briefing for Monday, June 12, 2023. Threat actors continue to exploit a vulnerability
in Microsoft's Visual Studio installer,
The Register reports.
According to researchers at Varonis,
the flaw can allow an attacker to spoof an extension signature
and effectively impersonate any publisher. Microsoft
patched this vulnerability on April 11th. And according to researchers at Numen, other
attackers are also exploiting a privilege escalation vulnerability affecting Win32k.
Numen says that the vulnerability poses a major risk to systems older than Windows 11.
Microsoft issued a patch for this flaw in May,
and we note in full disclosure Microsoft is a CyberWire partner.
In the continuing story of threats to MOVEit and the steps being taken to thwart them,
MOVEit vendor Progress Software released an update to its file transfer software
that patched the previously exposed and exploited CVE-2023-34362.
Progress also disclosed and fixed a new, yet-to-be-exploited bug.
The new vulnerability, which hasn't yet been assigned a CVE, was discovered during a
proactive investigation conducted in coordination with cybersecurity firm Huntress.
Progress advises users to update their software and explicitly urges users to only update their products through Progress's blog.
The older MOVEit vulnerability continues to be exploited in instances whose users haven't yet applied the available fixes.
On Friday, June 9th, the Minnesota Department of Education, the MDE,
reported that one of its servers was compromised through exploitation
of the earlier MOVEit vulnerability, CVE-2023-34362,
which the MDE had not yet patched.
MDE explained that 24 files had been accessed,
which compromised approximately 95,000 names of students placed in foster care throughout the state, as well as students qualifying for the pandemic electronic benefits transfer and students in particular college classes and bus routes.
No financial information was exposed.
MDE recommends that affected individuals should monitor their credit reports
and take steps to protect their identity.
The 74 reported that ransomware gang Medusa has claimed responsibility for the breach
and is demanding $1 million in ransom.
The outlet says that a preliminary review of the gang's dark web leak site by the 74 suggests
the compromised files include a significant volume of sensitive documents,
including information related to student sexual violence allegations, finances, and student discipline, among others.
And over in the UK, the regulatory body Ofcom this morning disclosed that it too had been affected by exploitation of this vulnerability.
Ofcom said,
A limited amount of information about certain employees we regulate, some of it confidential, along with personal data of 412 Ofcom employees was downloaded during the attack.
Investigation and remediation are in progress.
If you're a MOVEit user, do consult Progress Software's blog.
The Cyber Anarchy Squad, which represents itself as a hacktivist organization
dedicated to supporting Ukraine and defending itself against Russia,
claimed to have successfully hit the Russian telecommunications provider
Infotel JSC last Thursday evening. Infotel JSC confirmed that its systems had indeed come under
attack, BleepingComputer reports, saying that restoration work is currently underway.
Additional deadlines for completing the work will be announced. We hope for your understanding and further cooperation.
For its part, the Cyber Anarchy Squad crowed about its destruction of Infotel JSC's infrastructure, The Record reports.
Infotel JSC has a number of clients in the financial sector, including Russia's Central Bank.
Connectivity between the central bank and other financial service and e-commerce businesses depends to a significant extent on the telco's infrastructure,
and the Cyber Anarchy Squad claims that its attack has rendered it difficult and in some cases impossible for banks to conduct routine transactions.
The attack coincided with the opening of Ukraine's counter-offensive and, according to Security Affairs, included website defacements celebrating Ukraine's attack.
There are no obvious indications, however, that the cyber attack was a closely coordinated combat support operation.
It seems rather to have been malevolent exuberance directed towards Russia.
BlackBerry researchers find that the operators of the RomCom remote access Trojan have recently stepped up their activity against Ukrainian politicians, among other targets.
The particular politicians targeted are working closely with Western governments
and at least one U.S. organization involved in delivering relief to
Ukrainian refugees with a goal of information collection. BlackBerry writes that the threat
actor behind the RomCom RAT appears to be actively interested in what Western countries
are doing to support Ukraine, what Ukraine is doing, and who the refugees are receiving help
from in the United States.
And finally, two Russian nationals were charged with the 2014 hack of the Mt. Gox cryptocurrency exchange,
described by CoinDesk as one of the biggest cryptocurrency heists in crypto history. An indictment from 2019 was
unsealed last Friday, detailing how the two hackers stole upwards of 647,000 bitcoins from
the exchange between 2011 and 2017. Once the funds were lifted, they were then laundered.
Both alleged conspirators are being charged with conspiracy to commit money laundering,
while one of them also faces a charge for operating an unlicensed money services
business. And here in America, they're regarded as innocent until proven guilty.
So they got that going for them.
Coming up after the break, Deepen Desai of Zscaler describes Nevada ransomware.
Our guest is Clarke Rodgers from Amazon Web Services
with insights on what CISOs say to each other when no one else is listening.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your
company's defenses is by targeting your executives and their families at home.
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
The AWS re:Inforce conference is taking place this week in Anaheim, California,
and the CyberWire is happy to be a media partner for the event.
In anticipation of the conference, I spoke with Clarke Rodgers,
Enterprise Security Strategist at Amazon Web Services,
about a series of special events they host for CISOs,
a gathering they call CISO Circles.
The CISO role has evolved over the years.
My background, I'm a former CISO myself in the insurance and financial services industries,
and have been at AWS now for about six and a half years,
and have had the opportunity to meet with over 750 customers, a large percentage of those being CISOs.
And as I've seen the CISO role evolve over the years, it used to be the sort of firefighter
security professional, right? So something bad happens, here's the security person who's going
to go take care of it, right? There wasn't a lot of strategy behind it. There wasn't
much programmatic thought around the security and compliance role in an organization. It's just we needed that function.
not as a have-to-have, but a must-have as far as enabling the business to go faster,
take more risks, really leaning into security as a strategic advantage.
So as that role has evolved, the education around security tooling and best practices and the top 10 lists of what you should and should not do as a security professional.
Those are all still important.
But more often than not, those are taken care of by security engineering teams or security operations center, whatever the case may be in the particular organization.
And then the CISO, that role is really doing a few things.
The CISO is translating the business needs to the security and development
community. Here's the outcomes that we need to have. The CISO is reporting up, so reporting to
the board and saying, well, here's the risks that face the business. Here's the mitigants that I
have in place. Here's the mitigants that we need to put in place, right, to actually keep pace with what
the business is trying to do. And then it's navigating and really much more of a business
leader in the sense of the social cohesion around building that strong security culture
throughout the organization. And that's where we see CISOs really focusing on these days,
in addition to their traditional sort of protection duties.
Now, you and your colleagues at AWS have taken a role in hosting some events for CISOs to try to
facilitate some of these conversations. Can you describe that for us?
Certainly. The program itself is called the CISO Circles or the AWS CISO Circles.
And we started them around November of 2020.
That was prime pandemic time.
So we wanted to make sure that we were developing a curriculum and a reason and building the community for CISOs to sort of get together and quote unquote talk shop.
So not so much the bits and the bytes, but more of what I was talking earlier.
How do I build a strong security culture within my organization?
How do I make sure executives care about it?
What are some best practices on X, Y, and Z?
So we developed these, and it's a global program today,
broken down by region.
We'll typically have anywhere between 10 and 25 customer CISOs under NDA and Chatham House rule to speak freely about their security programs and to engage with one another around what works,
what doesn't, what some of the problems are that are facing them these days,
and ideally some solutions.
And we're really there to facilitate the conversation.
It's what I'll call a sort of no-sell zone.
So even though it's an AWS event, we don't have third parties sponsor it,
so you don't have to listen to a spiel about the latest security tool from Vendor X.
We don't typically talk about AWS services unless it aligns with a topic that the CISOs actually want to talk about.
So if they want to discuss what are some best practices in logging, for example,
we'll make sure that we have an expert to facilitate a discussion around that
from an AWS perspective. Those types of topics tend to come up more often than not.
You know, you're deliberate about making this a safe space for them to have these types of conversations.
I'm curious what sort of things come up when it comes to the challenges of the job itself?
As I mentioned earlier, these are all under NDA,
and they're also under Chatham-House rule, which basically says you can learn from each other,
you just can't attribute what someone said during the session, right? So with those rules in place,
the CISOs feel very comfortable to say, you know, I tried either product or process X.
It didn't work.
Or I'm struggling with trying to get developers on board
to care about security.
Does anybody have any tips on how to do this?
There's no way, without that sort of safe space,
would any CISO go in public and say something like that.
This is their peer group.
We purposely mix these up by industry, right? So you're not going to have a room of financial
services professionals together. You'll have a mix of maybe financial services,
media and entertainment, retail, technology. They'll all be in the room together.
And despite their industry differences, we find that they all typically have the same challenges and opportunities within their organization.
So it's around security education.
It's staffing.
Where am I going to find that next or where am I going to train that next great security professional for my team? What are some of you all doing to make sure that you're growing your security teams
and growing the security influence throughout the organization?
How are you aligning security outcomes with business outcomes?
How do you budget?
Again, what are some best tips for reporting to the board?
One example from a CISO Circle we had last year that sort of sticks with me is one of the CISOs recommended that he looked up who was part of his board
and then found out what other boards they were on.
He then reached out to the CISO at that other company,
which actually happened to be a competitor,
and they had a long discussion around how to best present security information
to that particular board member.
And when you have someone say something like that, you sort of look around the room and you see these other CISOs writing down feverishly that, hey, that's a great idea.
That's not something I thought about before.
So it's really great to really be able to facilitate these discussions.
And we just sort of really
stand back and just sort of make sure that the venue is there. We'll emcee it and make sure that
the topics that are covered are covered to the degree that the CISOs want. And then we also do
follow-ups with them to say, what else, what are you interested in? What's top of mind? And what
can we bring to the next CISO Circle?
That's Clarke Rodgers from Amazon Web Services.
The AWS re:Inforce conference is taking place this week in Anaheim, California.
And joining me once again is Deepen Desai.
He is the Global CISO and Head of Security Research and Operations at Zscaler.
Deepen, it is always a pleasure to welcome you back to the show.
I want to talk to you today about Nevada ransomware.
I know this is something you and your colleagues there at Zscaler have had an eye on. What do we need to know about this?
Yeah, thank you, Dave. So Zscaler ThreatLabz tracks various ransomware families, and the goal there is to make sure we add detection
intelligence into our platform, protect our customers, and then also help the community, where we collaborate with
CERTs, ISACs, agencies in order to make sure we do our part in fighting against these ransomware
groups. So as part of that tracking operation, we came across a new variant of the Nokoyawa ransomware family.
And this is not the first variant.
We have seen a couple others in the past,
one called Karma and then another called Nemty ransomware.
These are all variants of Nokoyawa.
The original version of Nokoyawa ransomware
was introduced just almost a year back.
It was in Feb 2022, and it was written in C programming language.
They were using file encryption ciphers like elliptic curve cryptography with curve sect233r1, right?
And then the most recent variant that I'm about to talk about is Nevada ransomware, which was observed in December of 2022.
And a unique part of it here is it was advertised in criminal forums as part of a new ransomware-as-a-service affiliate program.
And what sets it apart from any of the previous versions here?
So this specific variant is written in the Rust programming language with support for Linux and also 64-bit versions of Windows.
It does have significant code similarities, though,
with Nokoyawa Ransomware,
including things like debug strings,
command line arguments,
even the encryption algorithm is similar,
but it's written in entirely new language.
And then, as I mentioned,
this is also being offered as a ransomware-as-a-service affiliate program, which means all the grunt work is already done, right?
And you could just subscribe to it, and then you have payload infrastructure ready to target your victim.
The group behind this, though, the Nokoyawa ransomware group, what we're seeing is there are almost two parallel code branches,
and each of them written in different programming languages, potentially to confuse researchers, evade detection,
and then also maybe they're taking a look at which one is turning out to be more successful in some of these campaigns and attacks that they're launching in the wild.
What are you tracking in terms of proliferation here?
How popular is this?
This one is not very prevalent.
There are many other ransomware groups out there like Cl0p, Black Basta.
Those are much more prevalent than this one, but this is
yet another group which we saw come to the scene in December, has some unique things that we talk
about. And yeah, it's something to keep an eye out for, for future developments as well.
And in terms of preventing yourself from falling victim to this, I suppose the usual rules apply here?
Yes, the usual rules apply.
You have to be cautious about clicking on those links that arrive.
You know, things like Office documents.
More recently, we're seeing a lot of OneNote documents being leveraged by Qakbot, Emotet groups.
That's stage one of many of the ransomware attacks that you see out there.
They start with Qakbot.
They will then have post-exploitation tools downloaded, which will then lead to these ransomware families being planted on the victim organization.
Another concerning trend we're seeing in the ransomware threat landscape
is many of these groups, when I say many, we know at least four to five of them
where they're not encrypting the files on the victim's machine.
What they're doing is they will exfiltrate tons and tons of data.
And I'm talking about terabytes of data in many of the victims that we were tracking.
And they will literally work with the victim that, hey, we don't want you guys to be in the
public news and we don't want our group to be in the public news either. It's a bad situation for
both of us. So pay the ransom. We have all the data. We didn't bring down your infrastructure
so that you don't get any kind of negative press, any kind of attention.
So they're all trying to stay under the radar.
And that's definitely concerning because now you will not know how many
attacks are also happening out there.
This basically makes that whole notion of making sure you have a consistent security policy,
the zero trust architecture implementation,
making sure anything that leaves your environment goes through an inline DLP solution with SSL inspection,
very, very important, because once they have your data, they're going to demand ransom.
All right. Well, word to the wise.
Deepen Desai, thank you for joining us.
Thank you.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast.
I join Jason and Brian on their show for a lively discussion of the latest security news every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like The Cyber Wire are part of the daily intelligence routine of many of the most influential leaders
and operators in the public and private sector, as well as the critical security teams supporting
the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people.
We make you smarter about your team while making your team smarter. Learn more at n2k.com.
This episode was produced by Liz Ervin and senior producer Jennifer Iben. Our mixer is Trey Hester with original music by Elliot Peltzman.
The show was written by Rachel Gelfand.
Our executive editor is Peter Kilpie
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Thank you.
Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.