CyberWire Daily - Update on Chinese cyberespionage incident. ICS vulnerabilities. USB attacks. New KEVs. Updates from Russia's hybrid war, as hacktivists swap DDoS attacks and observers draw lessons learned.
Episode Date: July 14, 2023
Developments in the case of China's cyberespionage against government Exchange users. Industrial controller vulnerabilities pose a risk to critical infrastructure. USB attacks have risen three-fold in the first half of 2023. CISA adds two vulnerabilities to its Known Exploited Vulnerabilities Catalog. Ghostwriter's continued activity focuses on Poland and Ukraine. Hacktivist auxiliaries swap DDoS attacks. Awais Rashid from University of Bristol shares insights on threat modeling. Our guest is Chris Cochran from Huntress on the challenges small and medium-sized businesses face with cybersecurity. And lessons learned from cyber warfare in Russia's war.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/133
Selected reading.
UK says it's working with Microsoft to understand impact of Chinese email hack (Reuters)
What we know (and don't know) about the government email breach (Washington Post)
Yet Another MS CVE: Don't Get Caught In The Storm! (Cynet)
China Hacking Was Undetectable for Some Who Had Less Expensive Microsoft Services (Wall Street Journal)
Security flaws in Honeywell devices could be used to disrupt critical industries (TechCrunch)
APT Exploit Targeting Rockwell Automation Flaws Threatens Critical Infrastructure (SecurityWeek)
Rockwell Automation ControlLogix Bugs Expose Industrial Systems to Remote Attacks (The Hacker News)
USB drive malware attacks spiking again in first half of 2023 (BleepingComputer)
CISA Adds Two Known Vulnerabilities to Catalog (Cybersecurity and Infrastructure Security Agency CISA)
Malicious campaigns target government, military and civilian entities in Ukraine, Poland (Cisco Talos Blog)
Belarus-linked hacks on Ukraine, Poland began at least a year ago, report says (Record)
Crowdsourced Cyber Warfare: Russia and Ukraine Launch Fresh DDoS Offensives (CEPA)
Cyber Operations during the Russo-Ukrainian War (CSIS)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Developments in the case of China's cyber espionage against government exchange users.
Industrial controller vulnerabilities pose a risk to critical infrastructure.
USB attacks have risen threefold in the first half of 2023.
CISA adds two vulnerabilities to its known exploited vulnerabilities catalog.
Ghostwriter's continued activity focuses on Poland and Ukraine.
Hacktivist auxiliaries swap DDoS attacks.
Awais Rashid from the University of Bristol shares insights on threat modeling.
Our guest is Chris Cochran from Huntress on the challenges small and medium-sized businesses face with cybersecurity
and lessons learned from cyber warfare in Russia's war.
I'm Dave Bittner with your CyberWire Intel briefing for Friday, July 14th, 2023. The Washington Post reports that the U.S. government is still investigating how a Chinese APT carried out attacks against U.S. State and Commerce Department email accounts.
Specifically, the government is trying to determine how the threat actor obtained the Microsoft account consumer signing keys used to gain access.
Microsoft hasn't disclosed any vulnerabilities related to the attack.
Adam Myers, Senior Vice President of Intelligence at CrowdStrike,
wonders if the attack involved a Microsoft insider,
since the hackers would have needed a more powerful internal key controlled by Microsoft in order to create consumer signing keys.
Jason Kitka, Chief Information Security Officer at Automox, stated,
This attack used a stolen key that Microsoft's design failed to properly validate.
The inability to do proper validation for authentication is a habit, not an anomaly.
The cyber espionage wasn't necessarily confined to American targets.
The UK's National Cyber Security Centre is also working with Microsoft to determine the impact of the hacks, according to Reuters.
In full disclosure, we note that Microsoft is a CyberWire partner.
Researchers at Armis discovered nine vulnerabilities affecting Honeywell's Experion distributed control system products, TechCrunch reports.
An attacker with network access could exploit the flaws
to remotely run unauthorized code on both the Honeywell server and controllers.
Curtis Simpson, CISO at Armis, told TechCrunch,
Worst-case scenarios you can think of from a business perspective are complete outages and a lack of availability.
But there's worse scenarios than that, including safety issues that can impact human lives.
Honeywell issued patches for the flaws last month.
Honeywell spokesperson Caitlin E. Leopold said in a comment to TechCrunch,
We have been working with Armis on this issue as part of a responsible disclosure process.
We have released patches to resolve the vulnerability and notified impacted customers.
There are no known exploits of this vulnerability at this time.
Experion C300 owners should continue to isolate and monitor their process control network and apply available patches as soon as possible.
Mandiant reports that USB attacks have risen threefold in the first half of 2023.
Their report details two new USB attack campaigns, the Sogu malware infection that targets industries across the globe and the SNOWYDRIVE infection that seems to target oil and gas companies across Asia.
Both campaigns use a USB drive for initial infection and propagation
while installing malware that steals sensitive information from the host computer.
Sogu is the more prevalent USB infection campaign and has spread to various sectors,
including pharmaceutical, IT, energy, communications, and healthcare organizations across North America, Europe, Asia, and Oceania.
Mandiant states, while some threat actors targeted specific industries or regions, this campaign appears to be more opportunistic in nature.
This campaign may be part of a long-term collection objective or a later stage follow-up for subjects
of interest to state-sponsored threat actors.
USB campaigns are especially dangerous as they are a method for attacking air-gapped systems,
that is, systems with no connection to the outside Internet.
The most famous example of a USB-based attack was Stuxnet,
which, as Trellix explains, was an infection spread to Iranian nuclear facilities delivered by USB sticks.
CISA has added two vulnerabilities to its known exploited vulnerabilities catalog,
CVE-2023-37450, Apple Multiple Products WebKit Code Execution Vulnerability,
and CVE-2022-29303, SolarView Compact Command Injection Vulnerability.
CISA explains,
These types of vulnerabilities are frequent attack vectors for malicious cyber actors
and pose significant risks to the federal enterprise.
Federal civilian executive agencies have until August 3 to apply updates per vendor instructions
or discontinue use of the product if updates are unavailable.
Yesterday, Cisco Talos researchers described the recent activity of a Belarusian threat actor
engaged in cyber espionage between April of 2022 and June of 2023.
Talos says Ukraine's computer emergency response team has attributed the July campaign to the threat actor group UNC1151
as a part of the Ghostwriter operational activities allegedly linked to the Belarusian government.
The attack begins with a malicious Microsoft Office document, usually either an Excel or PowerPoint file,
which, if opened, delivers an executable downloader and a payload
hidden in an image file.
The final payloads include the Agent Tesla remote access Trojan, Cobalt Strike beacons, and njRAT.
The targets are Ukrainian and Polish military and governmental organizations.
Russian and Ukrainian hacktivist auxiliaries have both recently conducted distributed denial-of-service attacks.
The Center for European Policy Analysis calls it crowdsourced cyberwarfare,
the principal organizers of which have been, on the Russian side, NoName057(16),
and on the Ukrainian side, the Ukrainian IT Army.
None of these attacks, CEPA rightly notes, have amounted to much more than a nuisance.
They are, however, easy to mount and require little in the way of technical skill to pull off.
They may represent the upper limits of the crowdsourced approach to organizing a cyber auxiliary.
The Center for Strategic and International Studies
looks at Russia's war against Ukraine so far
and draws some lessons that might inform thinking about cyber warfare in the future.
In sum, the lessons suggest that some of the catastrophic fears
that have surrounded cyber warfare
appear less likely after a year and a half of operational experience.
The study draws three major conclusions.
First, cyber operations will play a supporting rather than a decisive role in major theater wars.
Intelligence collection and operational deception
are likely to be cyber's most prominent contribution once the shooting starts.
Second, war will still be a continuation of politics by other means
and rely more on the tangible effects of violence
than on the exclusive effects of compromising information networks.
As the fight escalates along the spectrum of conflict,
surer kinetic effects will be preferred
to the uncertain results of cyber operations.
And the merits of cyber operations continue to be their utility as a tool of political warfare
because they facilitate the engagement short of war that leverages covert action, propaganda, and surveillance,
but in a manner that poses a fundamental threat to human liberties.
So disinformation and surveillance in tandem can be expected to be features of
future war.
The study concludes with appropriate policy recommendations: increase public-private partnership, improve cyber diplomacy and international information sharing, and work to counter cyber-enabled information operations.
Coming up after the break,
Awais Rashid from the University of Bristol shares insights on threat modeling.
Our guest is Chris Cochran from Huntress
on the challenges small and medium-sized businesses
face with cybersecurity.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews,
and reporting, and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Chris Cochran is Advisory CISO and Chief Evangelist at Huntress and one of the founders and hosts at Hacker Valley Media.
I reached out to Chris for insights on the specific challenges facing small and medium-sized businesses when it comes to securing their assets.
Back in the day, you could look at small and medium-sized businesses as being not in the mix when it comes to bigger threats like APT-level threats, but what you're finding with automation and artificial intelligence is that it's really easy to target at scale.
So now you're having the same tactics and techniques that are going against these big enterprise-level folks really coming down to the SMBs that don't have near as much budget, not near as much personnel.
And honestly, they're just trying to stay afloat amongst all the ridiculousness that we're dealing with on a day-to-day basis in cybersecurity.
And what are the specific threats that are being aimed at them?
A lot of ransomware events, because that is really fruitful for cyber attackers.
If you can get a thousand folks infected with ransomware, it makes making one infection seem dim in comparison, unless you're talking about these big giant whales, as they call it.
What that really means is that if you're looking at someone from a supply chain perspective, it only takes one intrusion to affect many.
And so when you look at that, you could be affecting hundreds, if not thousands, of organizations just by one intrusion.
So with the advent of automation and AI, it's really easy for folks to find themselves in a compromised situation when it comes to cybersecurity.
And what does a typical small business do in terms of provisioning themselves?
I mean, what's available and out there that is within their reach?
It really depends on the business.
A lot of times you'll see that they might have a very small IT shop, and that IT shop might have the security responsibilities that a regular team of security practitioners would have.
And they don't necessarily have the training. They don't have the experience to do all the work that they're doing, but they have to because there is no other choice.
They might not have budget for a full-time security practitioner. They might not have the budget for some of the top-tier solutions when it comes to cybersecurity.
And so really they're having to do a lot of work with very little resources.
And what about organizations who say, okay, I'm going to go with one of the big suppliers here. I'm going to run everything through Microsoft or everything through Google, and I'm going to let them handle most of the heavy lifting there.
I mean, how far along does that get them? Does that put them ahead of some people? And is that good enough?
I will say that there is a benefit to working with larger providers, suites of tools, talking about the Googles, the Microsofts, but it isn't going to be a 100% solution for anyone.
I would say that in those instances, you could try to defer some of the responsibility to those folks.
But it's really going to be up to you.
Because when we're looking at things like SaaS adoption, people are bringing in SaaS applications all the time.
And I don't, in my opinion, I don't think that there is just a one clear-cut solution to support all of the operations, whether you're doing migration from on-prem to the cloud,
whether you're dealing with folks working online,
working remotely versus working in the SOC itself
or working in the organization itself.
There are a lot of situations where it is going to be a much more targeted approach.
You can't really just have the easy button when it comes to small and medium-sized businesses.
You really have to look at what are the high-leverage technologies, processes, and individuals I can have in my organization to combat the threats.
How do you recommend people come at that? When someone is starting this journey, how do they set their priorities, both for their time and their financial resources as well?
I would say when you look at prioritization of where are you going to put your time and efforts, look at what is most important to you.
As I was talking about crown jewels or critical assets, talk about functionality of your company.
If you were to look at the cyber attacks that are happening today, what would your company be in the news for? Is it the loss of IP? Is it the loss of information that you're holding? Is it the availability?
Are you a company that prides itself on being available, but now you've gone through a DDoS and that has taken the confidence away from your customers?
Figuring out what is the most important things for your business and then working backwards from there.
So say, okay, if availability is most important to me, I know I need DDoS protection, or I know that all of my endpoints have really interesting and specific information that I want to protect.
So maybe you need to look at something like a managed EDR because you need to protect all of these endpoints at scale.
That's what you really need to look at: what are the most important things for my business to do? What do I need to do to continue to operate? And then how do you protect those things across the board?
And of course, you're going to have to weigh the options against each other because you couldn't over-invest in one area when you should have been investing in another.
But really just weighing out, like, who are the stakeholders for the security program? What is the most important thing that we could do today to improve the security posture so that the company can continue to operate?
I think it's really challenging for folks. If you're out there shopping around, you go to a trade show or even talking to folks in the same business, there's so much fear, uncertainty, and doubt being tossed around. It can really be intimidating.
I can empathize with people who are, on the one hand, kind of afraid to start asking questions because, you know, everyone's put so much fear in them that they're afraid what's going to be uncovered in their business.
One thing that I've found, you know, through my journey, through my career, is that story is really about taking information and eliciting or evoking some type of emotional response.
And what folks have found in cybersecurity is that it's much easier to evoke the feeling of fear, uncertainty, and doubt because we're dealing with threats.
When you're dealing with threats, that emotion of fear is an easy one to lean on.
What I think we need to step back and realize
is that when we're using fear,
that doesn't exactly cultivate
the best relationship with anyone.
If you want to bring someone into a situation
where there is a lot of fear or things to be worried about,
what you really want to bring out of them is hope, optimism,
the feeling of togetherness,
the understanding that we are all one team, one fight
in this plight of cybersecurity.
So we're really trying to help each other get to that next level,
protect the stuff that we care about,
the people, the data, the resources that we care about.
And honestly, at the end of the day, to have a much more secure internet that people can enjoy.
That's Chris Cochran from Huntress.
There's a lot more to this conversation.
If you want to hear more, head on over to CyberWire Pro and sign up for Interview Selects, where you'll get access to this and many more extended interviews.
And I'm pleased to be joined once again by Professor Awais Rashid.
He is the director of the National Research Centre on Privacy, Harm Reduction, and Adversarial Influence Online at the University of Bristol.
Dr. Rashid, always good to have you back.
I want to talk today about threat modeling, but you have kind of an interesting angle to discuss this.
What can you share with us today?
So threat modeling, you know, has been around for some time now.
Those who work in, certainly, software development would be very, very familiar with something like STRIDE, which is a threat modeling approach that helps you analyze your potential application against a set of six key threats, which is spoofing, tampering, repudiation, information leakage, denial of service, and escalation of privileges.
And this is something that we encourage software developers to do when they are designing their application.
But the point that I wanted to come at it was that threat modeling should not be just a one-off activity.
Because suddenly we develop applications, they go out into the world, okay, and people use them.
But at the same time, the threat landscape around us changes as well.
So what we may have thought was the original scope of our threats potentially changes over that period of time.
We also may add new features to our application, okay? So the scope of the application changes.
So as a result, we need to really kind of regularly re-evaluate if our threat models remain fit for purpose as the application's features grow, but also as the threat landscape changes.
And I could, for example, give you a very specific application if you think that would be quite interesting, because this is something that we have looked at in a lot of detail.
Yeah, absolutely. Let's dig into it. What can you share with us?
Okay, so I mean, you know, we all use end-to-end encrypted messaging applications.
So, you know, Signal, WhatsApp, and those.
And this is something that we have looked at in a lot of detail.
So we looked at the fact that when, for example, these applications were originally designed, they were designed on the basis that you have your messaging application on your phone, and you want to secure your communication with another party.
So, for example, you and I speaking to each other. In that case, what the Signal protocol, which is also used within WhatsApp itself, ensures is that someone may know that you and I have spoken, but they would not know what is the content of the message because we've messaged each other.
But the content of the message is secure.
And this was based on the assumption that the attacker is necessarily remote.
So if the attacker compromises the phone, then of course they can see what is happening.
However, over a period of time, these applications have also added desktop counterparts.
So now you can use WhatsApp on your desktop. You can also use Signal on your desktop.
So now there are new devices that are linked to the original device that is using the same connection. So now you have new features added.
Okay, so this is the partners, you know, they may have direct access to devices.
In case of, for example, searches by, you know, a particular law enforcement organization, depending on where you are in the world, they may have direct access to devices.
And if you are using Signal or WhatsApp desktop on your corporate machine, which is normally remotely managed, and the administrators would have direct access to that, then again, an unscrupulous administrator can have effectively full access to what is the desktop client.
And what we find is that actually the original threat model doesn't work in this case.
So that was based on the assumption that only your phone has to be secure and always in your possession, but now an unscrupulous actor can potentially leak your messages depending on the type of application that you are using.
This is not applicable across every end-to-end messaging application, but a number of them fall vulnerable to a number of attacks as a result because the threat model hasn't changed since they were originally conceived.
It's really an interesting concept. It reminds me of how folks like insurance providers will say you should check in with your provider from time to time for things like your life insurance or your homeowner's insurance because things change.
Your situation may change.
Your financial situation may change.
Are you recommending a similar kind of thing that people sort of check in with themselves
from time to time and evaluate what's new, what's different?
Oh, absolutely.
So I think, you know, development teams, you know, should regularly re-evaluate.
And there are two points at which you have to regularly re-evaluate.
If you add new features like a desktop, then you have to think about, has this changed now? Who else can have access to it? Is the trust boundary that I have, has it changed?
Or also regularly considering what new threats are emerging out there.
So actually, it's not our work. There are others who work in the industry who have said, you should do threat modeling little and often.
And I think that's really the key point here, that as we add things to our applications or as we understand what the threats are and they change, then we have to regularly consider is our threat model correct and is our design now providing this appropriately?
So I don't want to necessarily just pick on one,
because we looked at six of these major end-to-end encryption applications.
But for example, if we look at Signal as an example,
someone who has potentially got access to the desktop can actually clone the desktop and compromise forward secrecy.
Okay.
And that creates a serious problem because now someone has actual direct access to the messages that you are sharing.
Of course, that implies that someone has gained physical access to the desktop, but that is not an inconceivable scenario given some of the way threats have changed over this period of time. So these are the kind of examples that you can see.
We see this in some of the other applications as well, and some are better at kind of detecting this than others and so on.
So it's clear that some teams are doing this and others are perhaps doing this less systematically.
All right. Interesting insights for sure. Professor Awais Rashid, thanks for joining us.
Thank you.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday and my conversation with Michael Clark from Sysdig.
We're discussing Scarleteel 2.0, Fargate, Kubernetes, and crypto.
That's Research Saturday. Check it out.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like The Cyber Wire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector,
as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people.
We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Irvin and senior producer Jennifer Eiben.
Our mixer is Trey Hester
with original music by Elliot Peltzman.
The show was written by our editorial staff.
Our executive editor is Peter Kilpe
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here next week.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.