CyberWire Daily - Victory Day approaches so shields up. Hacktivists in the battlespace. Raspberry Robin and a USB worm. A carefully operated credential phishing campaign. Happy Mother’s Day (and stay safe online).

Episode Date: May 6, 2022

An update on the war in Ukraine as Victory Day approaches. President Lukashenka on the war next door. Hacktivists in the battlespace. Raspberry Robin and a USB worm. A carefully operated credential phishing campaign. Another ICS security alert from CISA. Dinah Davis from Arctic Wolf on reflection amplification techniques. Carole Theriault examines zero trust architecture access policies. Happy Mother’s Day (and stay safe online). For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/88

Selected reading.
Mariupol steel mill battle rages as Ukraine repels attacks (Military Times)
Why the battle for Mariupol is important for Vladimir Putin. (New York Times)
A race against time in Ukraine as Russia advances, West sends weapons (Washington Post)
The AP Interview: Belarus admits Russia's war 'drags on' (AP NEWS)
Russia’s ally Belarus criticises war effort for ‘dragging on’ (The Telegraph)
NSA cyber boss seeks to discourage vigilante hacking against Russia (Defense News)
Shields Up: Russian Cyberattacks Headed Our Way (JD Supra)
Raspberry Robin gets the worm early (Red Canary)
VIP3R: New actor. Old story. Great success. (Menlo Security)
Johnson Controls Metasys (CISA)
Top 3 Mother’s Day Scam Sites – Be Smart When Buying Gifts (Trend Micro News)

Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. An update on the war in Ukraine as Victory Day approaches. Hacktivists in the battle space. Raspberry Robin and a USB worm. A carefully operated credential phishing campaign.
Starting point is 00:02:14 Another ICS security alert from CISA. Dinah Davis from Arctic Wolf on reflection amplification techniques. Carole Theriault examines zero-trust architecture access policies. And happy Mother's Day, but do stay safe online. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, May 6th, 2022. Monday is Russia's Victory Day holiday and an important informational milestone in the special military operation. As such, it would be prudent to expect an 11th-hour surge in Russian cyber and information
Starting point is 00:03:13 operations. NSA's Rob Joyce, who heads the agency's cybersecurity directorate, expressed reservations about hacktivists taking an active role in warfare, including the present Russian war against Ukraine. Defense News quotes him as saying Wednesday at Vanderbilt University, I will tell you that the idea of the civil vigilantes joining in a nation-state attack is unwise, right? I really think it is. As you pointed out, it's illegal, but it's also unhelpful, because one of the things we talked about is we're trying to get Russia to take account for the ransomware attacks and hacks that come out of Russia and emanate. Security firm Red Canary is following some malicious activity it's calling Raspberry Robin, which distributes a worm that's often installed via USB drive. This activity cluster relies on msiexec.exe
Starting point is 00:04:08 to call out to its infrastructure, often compromised QNAP devices, using HTTP requests that contain a victim's user and device name. Red Canary also observed Raspberry Robin using Tor exit nodes as additional command-and-control infrastructure. Who the threat actor is and what their objectives are remain obscure. Red Canary said, To date, we've observed Raspberry Robin in organizations with ties to technology and manufacturing, though it's not yet clear if there are other links among victims. We have several intelligence gaps around this cluster,
Starting point is 00:04:46 including the operator's objectives. While we don't yet have the full picture, we want to share what we know about this activity cluster so far to enrich collective understanding of this threat and empower defenders to identify this activity. Menlo Labs describes a credential phishing campaign that uses malicious HTML attachments in the course of gaining access to corporate networks. The researchers classify the well-automated operation as a highly evasive adaptive threat able to evade many legacy security tools.
Starting point is 00:05:19 The lures used are carefully tailored to the targets. Researchers at Menlo Labs say, We believe that the initial HTML attachments are created using a kit to automatically generate these HTML payloads. Menlo Labs researchers spent a significant amount of time looking for the kit, but were ultimately unable to locate it. They're interested in hearing from other researchers who may be able to offer insight. CISA has released an industrial control system security advisory affecting Johnson Controls Metasys. This Sunday is Mother's Day in the U.S. and other jurisdictions where the greeting card company's writ runs, and Trend Micro offers some timely advice on avoiding being scammed in the
Starting point is 00:06:06 course of rendering annual honors to Mater. They flag three scam websites in particular, and point out that they bear the usual marks of fraud: unusual payment methods like wire transfers, an inappropriate curiosity about personal information, misspellings and non-standard usage, no genuine customer reviews, and the infallible by-this-shall-ye-know-the-scammer deal that's too good to be true. So stay safe online. Mom would want that for you. Do you know the status of your compliance controls right now? Like, right now.
Starting point is 00:06:55 We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
Starting point is 00:07:39 That's vanta.com slash cyber for a thousand dollars off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. Zero trust remains a hot buzzword in cybersecurity, generating great interest from some and eye rolls from others. Our UK correspondent Carole Theriault takes a closer look at zero trust architecture access policies.
Starting point is 00:08:55 A zero trust architecture is an approach where inherent trust in a network is utterly removed. So when you design a new system, instead of assuming that the network is a safe hub, you assume that it's hostile. And this makes sense. Just because you're connected to a network, it doesn't mean that you should be able to access everything on that network. You see, it's common in cybersecurity breaches to see an attacker gain a foothold on a network and then move laterally. So for example, they might be
Starting point is 00:09:33 able to get an employee's username and password and use this as a springboard to access sensitive data or vital services, because everyone and everything already on the network has been marked as trusted with access to the rest of the network. In zero-trust architecture, the network is treated as hostile, so every request for data or service access is continually verified against an access policy. So, what of this access policy? According to the National Cybersecurity Center, or the NCSC, zero trust by design relies on a few elements. One is strong authentication. So this is unique, hard to crack passwords, multi-factor authentication, that sort of thing. And then
Starting point is 00:10:26 there's authorization. So once a person has been authenticated, what are they allowed to see and do? A third is device health. So this is looking for unpatched vulnerabilities or seeing if defenses are turned off or not present. And perhaps the most interesting is this fourth one, value of the data being accessed. So if you're looking up the definition of an acronym, this might be considered to be much lower in value than your corporate bank account details. So how did zero trust architecture even come about, or why are people implementing it? Well, the answer ultimately, says the NCSC, came down to companies choosing zero trust out of necessity, often after an attack. So maybe zero trust is
Starting point is 00:11:28 worth a look. And the NCSC has published guidance on zero trust architecture for organizations. And I would agree it's a great place to start if you're unsure whether it's the right option for your company. Plus, all the information is free. So, you know, why not? This was Carole Theriault for the Cyber Wire. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
Starting point is 00:12:18 stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And I'm pleased to be joined once again by Dinah Davis. She is the VP of R&D Operations at Arctic Wolf. Dinah, it is always great to welcome you back to the show. I wanted to touch base with you today on this whole notion of reflection amplification attacks. Sort of get a little base level understanding of what these are all about. Can you help us out here? Yeah.
Starting point is 00:13:13 So they're basically two different types of attacks combined together to make a super attack. Not so super if you're on the receiving end of it, right? No, very not super if you're on the receiving end of it. So basically it's a technique that's going to allow attackers to both, like, magnify the amount of malicious traffic they can generate and obscure where it came from. So, and this is most commonly used in a DDoS, or like a distributed denial of service attack, where you're trying to just overwhelm the victim with packets. So the reflection attack basically is,
Starting point is 00:13:57 the goal of that is to obscure the source of an attack. So what they do is they start sending a whole bunch of packets to a server, and they spoof where it's coming from. So they change the IP address of where it's coming from to something else so that it doesn't look like it's coming from them. And when we send mail, we put the to address and the return sender address on a piece of mail, right? And we assume that you're actually sending it from the return, uh, return address, right? Yeah. Instead, what happens if you wanted to, like, if I wanted to, like, just make your house full of mail? I could send mail from all different places to a fake address and have the return address be your house, and all of this bad mail gets returned to your house, and you then get flooded with bags of mail, of the, like, Miracle on 64th Street kind of,
Starting point is 00:15:10 you know, visualization there where Santa got all this mail, right? Right. Right. And so it could have come from all over. You don't know where this came from. They can't track it. The return address says your house. So it got sent back to your house. This is what they do with the IP address. Right. So they send a request into a random server. OK, somewhere, anywhere, and say, I would like access to this. And it pings back to the return address that you have put in, which is not actually yours, and starts flooding that return address. Okay. So that's a reflection attack. Basically it's obscuring the ability to see where that came from, because the return IP address is not the one it's supposed to be. It's the one that
Starting point is 00:15:59 you're actually trying to attack. Right. Right. Okay. Makes sense. Okay. So then you have an amplification attack, right? So what this is, is trying to either send way more messages than possible or with each message sending huge messages. Okay. So it's trying to amplify how much gets sent to the victim's address or servers and stuff like that, right? So yeah, you're generating a high volume of packets to overwhelm the target site. So how do they do this? Basically, they send requests to those servers using their nice little reflection technique that's going to result in a large number of replies or multiple replies. And this is often called the trigger packet. So we're sending this one and then it's like, wait, what do we do with this?
Starting point is 00:16:52 And maybe there's a vulnerability that then causes it to send 50 messages from that one message. Like, oh, we have to check all these things because of this message that just came in. So not only are we spoofing it, but we're amplifying the attack by calling sites and things like that that are going to make either the packets really, really, really big or send lots and lots and lots of packets. So attackers go looking for CVEs that can help them generate these amplifications they're looking for. And they combine those two together to create an amplification reflection attack. And the interesting thing that I saw, the reason how I got into checking this out at all, was that in March 2022, attackers were able to leverage a vulnerability tracked as CVE-2022-26143. You know that one, right?
Starting point is 00:17:48 Yeah, it just rolls right off the tongue. Yeah. And it was in a driver used by Mitel devices, okay? And so by using that CVE, they were able to get an amplification attack where the ratio was about 4.3 billion packets to one. I'm sorry, billion with a B? Yes, billion with a B. Wow. Yeah. So that's what I saw. I saw that headline and I'm like, wow, this is interesting. Dave's going to want to know about this. And then I did some research, but I found that incredible, incredible. So I'd never really thought of looking at vulnerabilities before for just trying to DDoS people, like vulnerabilities that help you flood somebody else's sites, basically.
Starting point is 00:18:34 Yeah, yeah. All right. Well, interesting stuff for sure. And as you say, I mean, this is primarily focused on DDoS attacks. All right. Well, Dinah Davis, thanks for joining us. And that's The Cyber Wire.
Starting point is 00:19:00 For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday in my conversation with Tushar Richabadas from Barracuda. We're going to be discussing their findings detailed in their report, Threat Spotlight, Attacks on Log4Shell Vulnerabilities. That's Research Saturday. Check it out. Thanks for listening. We'll see you back here next week. Thank you. where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Starting point is 00:20:30 Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
