CyberWire Daily - Vigilance isn’t purely receptive. Without criticism, it will become blind with detail.

Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.

Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.

Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.

Starting point is 00:01:22 Now at a special discount for our listeners. private by signing up for Delete Me. Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Nation states exploit the WinRAR vulnerability. Criminals leak more stolen 23andMe data. QR codes as a risk. NSA and partners offer anti-phishing guidance.

Starting point is 00:02:12 A Ukrainian hacktivist auxiliary takes down Trigona privateers. Hacktivism and influence operations remain the major cyber features of the Hamas-Israeli war. On today's Threat Vactor, David Moulton speaks with Kate Nonheim, Cyber Risk Management Director at Unit 42, about the new cybersecurity regulations introduced by the SEC. Our own Rick Howard talks with Jen Miller Osborne and Adam Pennington about the 10th anniversary of ATT&CKCON and the epistemology of open source intelligence. Tweets, TikToks, Instagrams. They're not necessarily ground truth.

Starting point is 00:02:58 I'm Dave Bittner with your CyberWire Intel briefing for Thursday, October 19th, 2023. Google's threat analysis group warns that several government-backed threat actors are exploiting a vulnerability in WinRAR that was patched on August 2nd. The flaw allows attackers to execute arbitrary code when a user attempts to view a benign file, such as an ordinary PNG file, within a zip archive. Tag says Russia's Sandworm and APT28 threat actors, both attributed to the GRU, have been making use of the flaw, along with China's APT40, also known as Island Dreams. The threat actors use phishing emails to deliver malicious zip archives containing the exploit. Malwarebytes describes an ongoing malvertising campaign that's using several improved techniques to evade detection. The campaign impersonates the website for Notepad++, a text editor for Windows. The researchers say the threat actors are successfully applying evasion techniques that bypass ad verification checks and allow them to target certain types of victims. With a reliable malware

Starting point is 00:04:25 delivery chain in hand, malicious actors can focus on improving their decoy pages and craft custom malware payloads. Malvertising can be insidious. Who doesn't basically trust ads, after all? Some of them we like a lot. Our sponsors, for example. Or the Dr. Rick ads for insurance companies. Sure, sometimes ads can be irritating, but they're so much a part of the background that we take them for granted. As Dorothy Sayers used to say years ago, it pays to advertise. And some of the ads she wrote in the 1920s are still in use today.

Starting point is 00:05:03 A cybercriminal using the name Gollum has dumped more data stolen from 23andMe onto breach forums. TechCrunch reports that the company is investigating the authenticity of the claimed leak, which Gollum says includes data from the wealthiest people living in the U.S. and Western Europe. 23andMe says its systems weren't compromised with malware or left open through a security lapse, but rather that the attackers gained access through credential stuffing. Slashnet outlines QR code phishing, or quishing, as some people insist on calling it, noting that users should treat QR codes with the same wariness they'd use when clicking a regular URL. Slash next cautions. Traditional security filters, including Microsoft SafeLinks

Starting point is 00:05:53 and other URL rewriting solutions, often focus on URLs. By using QR codes instead, attackers can sidestep these filters, making their phishing attempts more likely to succeed. Slashnet adds, QR codes are used in various contexts, such as marketing campaigns, ticketing systems, and contactless payments. This wide range of applications provides hackers with numerous opportunities to exploit QR codes for their malicious purposes. And the malice lies in the destination, not the journey. There are many roads to security perdition, and some of them are paved with QR codes. The U.S. National Security Agency and its partners have issued a report outlining guidance to protect against evolving phishing attacks.

Starting point is 00:06:41 The Cybersecurity Information She sheet offers some actionable recommendations small and medium-sized businesses should be able to turn to good use. Read the whole thing at NSA.gov and search for how to protect against evolving phishing attacks. GuidePoint Security's research and intelligence team has released a report looking at ransomware trends in the third quarter of 2023, finding a 15% increase in ransomware attacks compared to the second quarter of 2023, and an 83% year-over-year increase in publicly posted ransomware victims. The surge in posts lends itself to different interpretations. It might be that there's more

Starting point is 00:07:23 ransomware out there, of course, but it might also mean that more crooks are posting victims because the victims aren't as ready to pay up as they used to be. By the way, before we leave the topic of cybercrime, we're sometimes asked what to do if you've learned of an attack. We recommend contacting the FBI. If you've got a tip about cybercrime or about some malfeasance in cyber matters, let the Bureau know about it. Blow the whistle to the FBI at tips.fbi.gov. Turning now to the world's two major hybrid wars.

Starting point is 00:07:59 Members of the Ukrainian Cyber Alliance claim to have gained access to servers used by the Trigona ransomware gang, bleeping computer reports that the hacktivists say they exfiltrated all of the data from the threat actors' systems, including source code and database records, and then wiped the servers. The UCA exploited a recently described vulnerability in Atlassian's Confluence data center and server to gain remote access and elevate their privileges to work their damage. A member of the UCA tweeted, Welcome to the world you created for others. Trigona is gone.

Starting point is 00:08:36 They are still sorting through the data they exfiltrated from Trigona, but if they find the files contain decryption keys, they say they intend to make those publicly available for the victims of Trigona attacks to use in recovering their systems. Trigona is a Russian gang that's operated since at least October of 2022, when its emergence was noted and described by the Malware Hunter team. It functions as a privateer, its criminal activity tolerated and protected by the

Starting point is 00:09:06 Russian government as long as its money-making raids avoid Russian targets and hit adversaries of the Russian state. The Ukrainian Cyber Alliance is a hacktivist auxiliary working in the interest of the Ukrainian government. It began forming in 2014, the year Russia invaded and took Crimea, and has since been officially chartered as a non-governmental organization governed by civic duty to Ukraine. The group's tagline is disrupting Russian criminal enterprises, both public and private, since 2014. Everybody needs a tagline. It pays to advertise. ZeroFox has a useful account of the ways in which misinformation, false claims made without malicious intent,

Starting point is 00:09:56 and disinformation, intentional lies told with a political purpose, are unfolding in the Hamas-Israeli war. Some of the disinformation originates from third parties to the conflict. ZeroFox Intel has identified a notable uptick in anti-Palestinian disinformation from seemingly Indian accounts and anti-Israeli disinformation from seemingly pro-Russian accounts. Bloomberg describes a surge in hacktivism related to the war, some of it a genuine grassroots phenomenon, some of it conducted by state-directed auxiliaries and front groups. A significant number of the front groups appear to be run from Iran. An example of competing narratives has been on prominent display with respect to damage to a Gaza hospital. Both sides had accused the other of a strike against the Al-Ali hospital, with Hamas calling it an Israeli airstrike and Israel calling it a malfunctioning rocket

Starting point is 00:10:49 launched toward Israel by Palestinian Islamic Jihad. Evidence increasingly points to the latter. The U.S. National Security Council tweeted its evaluation of the Al-Ali Hospital incident, stating, While we continue to collect information, our current assessments, based on analysis of overhead imagery, intercepts, and open-source information, is that Israel is not responsible for the explosion at the hospital in Gaza yesterday.

Starting point is 00:11:17 And finally, we've seen a lot of attention paid to open-source intelligence in the two ongoing hybrid wars. It's worth remembering the old distinction between intelligence and information. Information is unanalyzed, stuff people say, pictures people show up with. Intelligence is the conclusion drawn, critically and rationally, with various degrees of confidence from that information. There's been a tendency to take open-source information at face value, assuming that the tweeted video of a missile is real, not faked, not pulled from, say, Rainbow Six Siege video game screenshots.

Starting point is 00:11:57 To regard raw, unanalyzed information from social media feeds, videos, and so on as conclusive ground truth is to misunderstand OSINT. An essay in 404 Media argues that familiar, amplified, blue-checked accounts aren't automatically credible, but rather must themselves be subjected to analysis and verification. These sources have contributed greatly to the generation of disinformation and misinformation. So, stay critical, stay safe. Coming up after the break, on today's Threat Vector, David Moulton speaks with Kate Nonheim,

Starting point is 00:12:42 Cyber Risk Management Director at Unit 42, about the new cybersecurity regulations introduced by the SEC. Our own Rick Howard talks with Jen Miller Osborne about the 10th anniversary of ATT&CK Con. Stay with us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies

Starting point is 00:13:25 like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC.

Starting point is 00:13:54 Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home. Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak.

Starting point is 00:14:49 Learn more at blackcloak.io. Welcome to ThreatVector, a segment where Unit 42 shares unique threat intelligence insights, new threat actor TTPs, and real-world case studies. Unit 42 has a global team of threat intelligence experts, incident responders, and proactive security consultants dedicated to safeguarding our digital world. I'm your host, David Moulton, Director of FUT Leadership for Unit 42. In today's episode, I'm going to be talking with Kate Nonheim about the new SEC rules. Kate is a Cyber Risk Management Director at Unit 42 with over 15 years experience in technology solutions delivery and a decade of expertise in cybersecurity.

Starting point is 00:16:01 The information provided on this podcast is not intended to constitute legal advice. All information presented is for general informational purposes only. The information contained may not constitute the most update, legal, or interpretive compliance guidance. Contact your own attorney to obtain advice with respect to any particular legal matter. Kate, thanks for joining me today on Threat Factor. I want to start us off with a really simple question. What is the SEC? I'm really glad you started there, David. So the SEC is essentially the U.S. Securities and Exchange Commission, which is an independent agency that was established in 1934, really after the stock market crash of 1929 and the resulting Great Depression. in Great Depression. It oversees multiple functions related to the securities market, so things like enforcement of laws, regulation, registration of securities, reporting,

Starting point is 00:16:53 investor protection, and rulemaking. The agency helps create a level playing field and ensures transparency and protects the interests of investors. What are SEC rules, Kate? Yes, so SEC final rules are legally binding regulations released to enforce securities laws. Can you explain the rationale between the SEC's decision to introduce cyber regulations at this time? The SEC chair, Gary Gensler, said that currently many public companies provide cybersecurity disclosure to investors. But he said, I think companies and investors alike would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way through helping to ensure that companies disclose material cybersecurity information. How would these

Starting point is 00:17:35 regulations affect reporting and disclosure requirements for publicly traded companies? Yeah, so there's several requirements for publicly traded companies. The first is that the new Form 8K Item 1.05 will require registrants to disclose any cybersecurity incident they determine to be material and describe the material aspects of the nature, scope, and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the registrant. This really must be done within four business days of determining that an incident is material. There will be another requirement through new regulation SK item 106, which will require registrants to describe their processes, if any, for assessing, identifying, managing material risks from cybersecurity threats, as well as whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have material

Starting point is 00:18:24 affected or are reasonably likely to material affect the registrant. And then Form 6K will be amended to require foreign private issuers to furnish information on material cybersecurity incidents that they make or are required to make public or otherwise disclose in a foreign jurisdiction to any stock exchange or to security holders. Are there specific industries or sectors that will be more heavily affected by these regulations? Why is that? in industries like manufacturing, finance, professional services, healthcare services, energy, and utilities. And then any publicly traded companies and industries that are not highly regulated or subject to compliance requirements may also be affected because those industries will have to scramble to develop their cyber risk management programs quickly.

Starting point is 00:19:17 What steps should organizations take to ensure compliance with the new cyber regulations and what are the potential consequences of noncompliance? For many publicly traded companies, they'll have to start reporting in December material cybersecurity incidents. So organizations should first devote resources to identifying a playbook for how this is done because cobbling together the appropriate procedures

Starting point is 00:19:39 from separate policies and groups is going to be prohibitive if an incident does occur. Following this organization subject to the rule should immediately perform a gap assessment against the new requirements to understand where they fall, either through a self-assessment or independent assessment. And then when they've identified those gaps, they need to implement corrective actions through a workflow system and set due dates so the remediations are really completed in a timely manner. These corrective actions are likely going to include changes to policy and procedures, process creation, materiality analysis processes, and SEC reporting processes.

Starting point is 00:20:15 And then once the remediations are complete, the company should perform a reassessment to make sure they've closed all the gaps. How do these regulations align with existing cybersecurity standards or frameworks such as NIST or ISO? The new regulations align well with the frameworks at a high level in that both NIST and ISO require risk management programs are in place. For example, NIST maintains the NIST RMF or risk management framework, and that's a comprehensive approach to risk management. But NIST also maintains special publication 853, revision 5, which is security and privacy controls for information systems and organizations.

Starting point is 00:20:50 ISO 27001 and 27002 also have nods to risk management, such as requirements for information security risk assessments and treatments, as well as general risk management requirements. Kate, looking ahead, what trends or developments in cybersecurity regulation should we be watching out for in the near future? I'm really interested to see what comes of the push for harmonization of cybersecurity frameworks. Due to an increasingly crowded field of laws and regulations with respect to cybersecurity standards, on July 19, 2023, the Office of the National Cyber Director, or ONCD, released a request for information, or RFI, asking for public comment on opportunities for and challenges to harmonizing federal cybersecurity regulations. An effort to harmonize competing requirements and assessments is long overdue, so this focus has the potential to be really beneficial. I'm very interested to see what comes along with that. And this SEC rule is just one of a number of efforts in the U.S. and around the globe where

Starting point is 00:21:42 policymakers are expecting to do more on their cybersecurity posture. Many of these recent regulatory efforts and proposals focus on two similar buckets, cyber incident reporting and cyber risk management plan. Hey, thanks for joining me today on Threat Vector. This conversation has been a great reminder of how integral security has become for every organization. If you're interested in going deeper on this topic, join the Uni42 experts on November 9th for a webinar on the proposed SEC rules. A link will be in the show notes. The title of that webinar is The Ransomware Landscape, Threats Driving the SEC Rule and

Starting point is 00:22:21 Other Regulations. We'll be back on the Cyber Wire in two weeks. In the meantime, stay secure, stay vigilant. Goodbye for now. We hope you enjoyed this week's Threat Vector segment. We're hoping to gather some insights from you, our audience, and how you'd like to shape future Threat Vector segments. Would you take three minutes or so to help us out?

Starting point is 00:22:44 There's a link on today's show notes to our brief survey. shape future threat vector segments. Would you take three minutes or so to help us out? There's a link on today's show notes to our brief survey. Please share your thoughts. Rick Howard recently got together with Jen Miller Osborne, Senior Principal Research Scientist at NetWitness, and Adam Pennington, the current lead for MITRE ATT&CK. Here's their conversation. Anyone that has ever heard me talk knows that I'm a gigantic fan of the MITRE ATT&CK framework. It features prominently in my book, Cybersecurity First Principles, a reboot of Strategy and Tactics, and I always dedicate a slide or two to the subject whenever I'm giving a presentation to a security crowd.

Starting point is 00:23:36 Well, MITRE is hosting ATT&CKCON 4.0 at their company headquarters in McLean, Virginia on 24 and 25 October, and to celebrate the 10-year anniversary of releasing the ATT&CK framework to the masses, they are bringing back most of the original team to give their perspective on why they created it, how it connects to the Lockheed Martin kill chain model and the Department of Defense's diamond model, how the InfoSec community has adopted it as the de facto repository for open source intelligence, and what the future might hold for the framework in the next 10 years.

Starting point is 00:24:10 I sat down with Jen Miller-Osborne, who just recently stepped down as the Palo Alto Network's Deputy Intelligence Director for Unit 42, and Adam Pennington, the current lead for MITRE ATT&CK. I started by asking Jen how she got started with MITRE ATT&CK back in the day. It was just a natural fit for my skills. It was a technical analysis project that also needed some language skills. As someone who was a Mandarin translator previously for the government, I had a lot of the skills to kind of dive in. And I found what we were doing and the data that we had absolutely fascinating.

Starting point is 00:24:52 It's still one of my favorite things that I've ever worked on. Oh, I will always miss it. Well, let's paint the picture, Adam, right? So before MITRE ATT&CK framework, what were we all doing as Intel analysts that prompted us to build something like the framework? What were we all doing before? So we had high-level models that we were using pretty effectively and looking at sort of the overall threat pictures. So we had things like the diamond model, if we were looking to do attributions,

Starting point is 00:25:25 sort of pulling together the different aspects of an adversary, or the cyber kill chain, if we were looking for things like gap analysis, sort of for the high level stages for an attack. But we were doing a series of red and blue team exercises internally. I think it's back before we were really using the word purple teaming, where there was this need to be able to get into a bit more granularity. So telling a red team, do this kill chain step or do this point of the diamond model. It's not enough detail for a red team to really even sort of form a plan. It's something they can model their work to, but it's not sort of, you know, a great use case for some of those existing models.

Starting point is 00:26:14 And so, as Jen said, we had this great data source. We had a bunch of insight from honeypots into specific behaviors that mostly state actors had been doing over periods of time. I had worked with Jen on the analysis of that data, and then they were able to take it and start extracting out those finer-grained techniques, what became techniques in attack, in order to describe those much more close-in behaviors. Do you remember the adversary campaign, the initial one that you started with? Is it still around or is it an old one that no one remembers anymore? It is still around.

Starting point is 00:26:55 It does not have the same name anymore, but the actors are still around. Every now and then we'll see a blast from the past with some of the malware that we discovered in name over the course of the last nine years at Unit 42. And we won't have seen it for years. Then they'll be, oh, look, it's back. Do you remember the name we used to call it? Scarlet Mimic. Scarlet Mimic. I remember those guys. Yeah, I totally remember them. Adam, coming back to you, we all forget that back before you guys standardized the language, both English language and machine readable language, right, that most of the security vendors on the planet had their own version of how to describe things.

Starting point is 00:27:35 So, you know, security vendor A would be talking about one adversary campaign. Security vendor B might be talking about the same group or the same campaign strategy or techniques, but nobody knew because they all used different language. They all had different names for it. And so it took the community a gigantic amount of effort just to figure out what was going on. So this is the big innovation, right, for MITRE ATT&CK. It allows us to all speak the same language.

Starting point is 00:28:03 I think getting it out there was probably the biggest innovation. And that, you know, so there were other people that were doing work, looking at categorizing these threats, doing their own internal pieces where they were, you know, coming up with names for behaviors. And so, you know, Jen and her team created the original TTP sheet, you know, the original Excel spreadsheet all the way back in 2013. So this year we're celebrating the 10th anniversary. It's your fault, Jen, that we still use spreadsheets to track adversaries. To be fair, Blake was equally culpable on the spreadsheet thing, but everything's a spreadsheet.

Starting point is 00:28:50 thing but i everything's a spreadsheet it's so crazy to me that's yeah how insane it went over 10 years given how hard we had to fight it has been a fun ride i don't think any of us predicted i just the the intelligence driven nature where it came from from real data at the beginning we've said that out in public in the past most people actually don't catch it that you know it was was from this real real honeypot data where jen was doing the the really hard analysis on these uh very long reports getting into every single activity that these actors were doing some of those reports are pretty insane that were the precursor to Attack. And it's just, I'm absolutely thrilled to have the four original creators coming back to join us next month. Blake Strom was the original lead, and then the creators along with Blake were Jen

Starting point is 00:29:38 Miller Osborne, Eric Sheasley, and Brad Crawford. And then moderating the panel is going to be somebody who came into MITRE right around the TAC's original public release, Katie Nichols. I'm super excited about the 10th anniversary panel that Jen's going to be a part of as one of those creators. You know, I'm just going to be part of a TACCon where I get to step back, sit in the audience, and just enjoy. That's Rick Howard speaking with Jen Miller Osborne and Adam Pennington. Cyber threats are evolving every second,

Starting point is 00:30:27 and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.

Starting point is 00:31:16 We'd love to know what you think of this podcast. You can email us at cyberwire at n2K.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team

Starting point is 00:31:57 while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Ervin and senior producer Jennifer Iben. Our mixer is Trey Hester with original music by Elliot Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilby and I'm Dave Bittner. Thanks for listening.

Starting point is 00:32:17 We'll see you back here tomorrow. Thank you. AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.

CyberWire Daily - Vigilance isn’t purely receptive. Without criticism, it will become blind with detail.

There aren't comments yet for this episode. Click on any sentence in the transcript to leave a comment.