CyberWire Daily - Vulnerabilities newly exploited in the wild. A new cyberespionage campaign. Trends in the C2C marketplace. Hacktivists, other auxiliaries, and the laws of armed conflict.
Episode Date: February 22, 2023
CISA adds three entries to its Known Exploited Vulnerabilities Catalog. "Hydrochasma" is a new cyberespionage threat actor. IBM claims the biggest effect of cyberattacks in 2022 was extortion. Social network hijacking in the C2C market. A credential theft campaign against data centers. LockBit claims an attack on a water utility in Portugal. Tim Starks from the Washington Post describes calls to focus on harmonizing cyber regulations. Our guest is Luke Vander Linden, host of the RH-ISAC Podcast. Disrupting Mr. Putin's speech, online, and what the hybrid war suggests about the future of cyber auxiliaries. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/35
Selected reading.
CISA Adds Three Known Exploited Vulnerabilities to Catalog (CISA)
Hydrochasma: Previously Unknown Group Targets Medical and Shipping Organizations in Asia (Symantec)
IBM Security X-Force Threat Intelligence Index 2023 (IBM)
S1deload Stealer – Exploring the Economics of Social Network Account Hijacking (Bitdefender Labs)
Cyber Attacks on Data Center Organizations (Resecurity)
Hackers Scored Data Center Logins for Some of the World's Biggest Companies (Bloomberg)
LockBit gang takes credit for attack on water utility in Portugal (The Record from Recorded Future News)
Ukraine Suffered More Data-Wiping Malware Last Year Than Anywhere, Ever (WIRED)
Ukrainian hackers claim disruption of Russian TV websites during Putin speech (The Record from Recorded Future News)
Ukraine's volunteer cyber army could be model for other nations: experts (Newsweek)
Ukraine's largest charity wants to raise $1.3 million for 'cyber offensive' (The Record from Recorded Future News)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
CISA adds three entries to its known exploited vulnerabilities catalog.
Hydrochasma is a new cyber espionage threat actor.
IBM claims the biggest effect of cyber attacks in 2022 was extortion.
Social network hijacking in the C2C market.
A credential theft campaign against data centers.
LockBit claims an attack on a water utility in Portugal.
Tim Starks from the Washington Post describes calls to focus on harmonizing cyber regulations.
Our guest is Luke Vander Linden, host of the RH-ISAC podcast.
And disrupting Mr. Putin's speech online and what the hybrid war suggests about the future of cyber auxiliaries.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Wednesday, February 22nd, 2023. We start off with a quick note from CISA. They've added three entries to their known
exploited vulnerabilities catalog, covering products from IBM and Mitel. The U.S. federal executive civilian agencies have until March 14th to inspect their systems
and, as always, apply updates per vendor instructions.
Other users, of course, should consider doing likewise.
Entry into CISA's catalog means that the vulnerability is undergoing active exploitation in the wild.
Researchers from Symantec wrote this morning about an observed campaign that's probably intended to gather intelligence from shipping companies
and medical laboratories in Asia.
Symantec is calling it Hydrochasma.
The researchers have observed activity from the Hydrochasma threat actor
dating back to October of 2022.
The threat actor isn't linked to any other known campaigns, and data was not seen to be exfiltrated by researchers.
But the tools observed to be in use indicated to the researchers that the goal may be intelligence collection. The industries Hydrochasma prospects appear to be associated with COVID-19
vaccines and treatments, which is an interesting choice of targets. The initial attack vector is
a phishing email baited with an attached document. The file name is in the native tongue of the
victim's organization and has been seen to represent itself as a freight company qualification document and alternatively as a faux resume.
Following the initial lure documents, Fast Reverse Proxy,
which researchers describe as a tool that can expose a local server that is sitting behind a NAT or firewall to the Internet,
drops a legitimate Microsoft Edge update file that also adds Meterpreter for
remote access. The researchers say Hydrochasma seeks to achieve persistent and stealthy access
to victim machines, as well as an effort to escalate privileges and spread laterally across
victim networks. IBM has published its X-Force Threat Intelligence Index for 2023, finding that the most common impact of cyberattacks during 2022 was extortion.
More than a quarter of attacks IBM observed resulted in attempted extortion.
Most of these incidents involved data theft via ransomware or business email compromise attacks.
X-Force notes that attackers are finding new ways
to turn up the heat in extortion attacks.
The researchers also note that the average time
to complete a ransomware attack
has decreased dramatically over the past several years.
In 2019, threat actors would usually spend
more than two months setting up their attacks.
By 2021, they could achieve their goal
in just under four days. The report stresses that misconfigured or vulnerable domain controllers
can open the door to ransomware. Bitdefender this morning released a report on S1deload Stealer,
and that's sideload with a one instead of an I, which they call a global campaign that targets Facebook and YouTube accounts.
The payoff for the criminals is interesting
and shows the complexity that has come to typify the criminal-to-criminal market.
Bitdefender says,
S1deload Stealer steals user credentials,
emulates human behavior to artificially boost videos and other content
engagement, assesses the value of individual accounts, such as identifying corporate social
media admins, mines for Beam cryptocurrency, and propagates the malicious link to the user's
followers. Resecurity reports a credential theft campaign in progress against major corporate data centers.
The researchers write, based on the observed activity, most probable targets of interest for them remain as follows.
Help desk systems, customer service, ticket management and support portals.
Devices which may be potentially probed remotely, including but not limited to CCTV equipment, watchdogs, and so on,
data center visitors' management systems, email accounts belonging to data center IT staff and
their customers, remote management and device monitoring systems, and integrated lights-out,
or iLO, a proprietary embedded server management or similar related technology such as OpenBMC, FreeIPMI, and iDRAC.
It's unclear who's behind the campaign, but Bloomberg reports on the basis of conversations with Resecurity and some of the affected organizations that the incident has compromised a disturbingly large amount of data.
The LockBit ransomware gang has claimed responsibility
for an attack against a water utility in Portugal.
The Record reports that neither water supply nor wastewater services were affected,
but that some customer data may have been exposed.
LockBit has given the utility until March 7th to pay the ransom,
at which point the gang says it will release the stolen data.
The IT Army of Ukraine claimed credit for briefly, periodically disrupting online services that
carried President Putin's State of the Nation address. The IT Army posted in its Telegram
channel, we launched a DDoS attack on channels showing Putin's address to the Federal Assembly.
The IT Army is the most prominent representative of Ukrainian hacktivists,
operating as a cyber-auxiliary of Ukraine's intelligence and security services.
The Ukrainian government freely acknowledges the support it receives from the IT Army,
but both the government and the IT Army deny that the hacktivist organization
receives orders directly from the government. The contributions irregulars, privateers,
hacktivists, and auxiliaries of all kinds have made to the cyber phases of Russia's war against
Ukraine have been large and publicly prominent. Newsweek is running a lengthy appreciation of
lessons the present war holds
for the future of cyber auxiliaries like the IT Army. It points out, first, the capabilities that
the private sector, both hacktivist volunteers and security companies, brings to the battle in
cyberspace. The IT Army seems to have provided a template for the sort of rapid wartime augmentation of cyber
capabilities that many in governments and industry have mulled for several years. It also highlights
some of the remaining ambiguities and uncertainties such auxiliaries will inevitably bring with them.
The IT Army is aware of international humanitarian law and the laws of armed conflict, and says it scrupulously
follows them, especially with respect to the norms requiring distinction, that is, proper
discrimination of legitimate targets from protected non-combatant targets. It also says it aims at
the disruption of the Russian economy insofar as that economy supports the war against Ukraine.
Some of the ambiguity surrounding cyber auxiliaries follows directly from the ambiguity inherent in the gray zone that cyber operations tend to occupy. Are cyber operations acts of war
when they achieve destructive kinetic effects? Almost certainly. What about wiper attacks?
Russia has tried these extensively against Ukraine, as Wired notes, to the extent that they've become almost a defining feature
of Moscow's cyber campaigns. Possibly. Are they acts of war when they're merely disruptive?
Perhaps. What about influence operations? Arguably not, although states like Russia are likely to disagree
when they find themselves on the receiving end.
In any case, the cyber phases of the present war
will undoubtedly clarify the application of international law in cyberspace.
Coming up after the break, Tim Starks from the Washington Post describes calls to focus on harmonizing cyber regulations. Our guest is Luke Vander Linden, host of the RH-ISAC podcast.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning
digital executive protection platform
secures their personal devices,
home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
You are probably familiar with the concept of the ISAC, Information Sharing and Analysis Centers,
member-driven organizations with a mission of information sharing and threat mitigation.
Luke Vander Linden is Vice President of Membership and Marketing at the Retail and Hospitality ISAC and host of the RH-ISAC podcast.
The RH ISAC is a membership organization.
We've been around for 10 years, about 10 years, just under 10 years actually.
And our members are retailers, hospitality companies, really any consumer-facing businesses.
And we work with cybersecurity departments and other allied units within these
members to provide sharing platforms, to provide opportunities for our members to share cyber
threat intelligence, best practices, strategies about how to combat cyber criminals.
What are some of the specific challenges that folks in retail and hospitality
face when it comes to sharing their information?
From the standpoint of our members, I think probably legal departments have the biggest issues
with kind of getting comfortable with their companies and their professionals
talking with other companies and sharing things that might happen at their own companies.
But once that hurdle is over, our members typically really enjoy the
collaborative environment, and really enjoy being able to understand what their fellow
members are going through because chances are either they're going through
it right now, went through it, or will be going through it themselves. So, you know, as we
say, a rising tide lifts all boats. And so this is the one area where our members can collaborate, and it really, really helps.
And how do you do that?
What's the practical things you put in place to make this possible?
We have a number of platforms, mostly online.
So ways for them to chat instantly with each other, ways to have more substantive, meaningful conversations,
and also libraries of reports and things like that that are either done by our research department or compiled from the conversations that our
members are having. And then we also have a bunch of events, both virtual and in-person,
where members can either get together with each other and interact face-to-face and collaborate
in that platform as well. So it's really, there's a lot of different opportunities if you're someone who likes
the written word more versus someone who likes talking versus someone who likes being in
person with someone to collaborate.
So how do you describe an ISAC to folks who may not be familiar with it?
You know, that's interesting.
We didn't invent the ISAC model.
We used to say two dozen, but I keep running into more ISACs and ISAOs and things that are similar.
So there's at least three dozen and growing.
And ISAC stands for Information Sharing and Analysis Center.
And originally it was set up, I think during the Clinton era,
as a way for organizations who might otherwise compete to be able to collaborate
on security. And for us, that means cybersecurity. Some organizations, it's physical security.
But there's enabling legislation, and maybe I shouldn't be speaking about this because I'm not
the legal scholar here, but that allows companies that would otherwise not be able to collaborate because
of antitrust rules to be able to collaborate on this one thing.
So when we were founded, we adopted this existing ISAC model and became the ISAC for the sector
and so follow the model.
And there's organizations like the National Association of ISACs for the U.S., the European
Council of ISACs is one that we're getting spun up to kind of bring these organizations that are similar to ours together so we can also
collaborate with what we do. Well, you all have a podcast for the RH-ISAC. Tell us about that.
What information are you hoping to share? Yeah, we actually started this podcast about a year
and a half ago, and we originally started it, it was for members only.
And then we decided, look, we're putting all this effort into getting our members to come and talk on it and to kind of curate some content. We might as well make it public, not for the general public,
but for cybersecurity professionals in our sector, because we hoped and thought that the sector could
benefit from it. So about a year ago, we made it public.
And features are kind of a mixed bag of things,
from interviews with employees from our core members
to what we call our associate members or cybersecurity vendors
or professionals that serve our core members.
We talk about everything from ways to improve cybersecurity programs
to challenges, opportunities, best practices, to like a member spotlight where we just talk about pulling a member and ask about their career journey and how they got to where they got.
And then we also will feature our own employees.
And I like to say, I'm not blowing smoke here, that this is the smartest group of people I've ever worked with.
So we can talk about a lot of what they're working on, some of the trends they're seeing, and then some of the events that
we have, the reports that we publish and other threat intelligence and things like that.
Are there any stories or guests that have stood out to you,
things you'd like to share with our audience? Oh man, there's so many. I haven't been the host
exclusively until now. So I've been involved in probably only about a quarter of the episodes,
but of course I listened to them all. And it's just really fascinating when you hear
someone's outlook on everything from security awareness and how the human aspect of cybersecurity
to some of these, as the threat actors themselves evolve, some of the new ways that they're using things like point-of-sale systems in the physical world to engage in cyber threat activities.
So really, the individual aspects of things, I think the human aspect of the stories is great, but also just seeing what lengths some of these cyber threat actors will go to and how our members and the
good guys have to stay on their toes. That's Luke Vander Linden from the RH-ISAC. The Retail
and Hospitality ISAC podcast is the newest addition to the CyberWire network, and you
can find it wherever you get your podcasts.
And joining me once again is Tim Starks.
He is the author of the Cybersecurity 202 at the Washington Post.
Tim, it's always great to welcome you back.
Looking at the 202 this morning and your article about a federal panel saying that we need to be harmonizing our cyber regulations. What's going on here, Tim? Yeah, well, we've seen, and you and I
have talked about this a fair amount, we've seen this kind of, not even kind of, an actual proliferation
of cyber regulations in the United States. That's the sea change of approach from the Biden
administration to push more mandates and say, we expect you to do this, not would you please do
this, which is what we've had. So naturally, there's a lot of discussion about how this is rolling out.
You have many agencies rolling out rules.
TSA has rolled out rules.
For instance, you have organizations like the SEC and FCC who have rolled out rules or talked about rolling out rules.
There's also a patchwork of regulations across the world.
Europe has been doing some things.
Australia has been doing some things.
Saying we expect more from you on the cyber front in terms of what we really need you to do,
not just ask you to do.
So this particular panel, NSTAC,
I just forgot the acronym,
but it's a telecommunications-oriented panel.
National Security Telecommunications Advisory Committee.
I happen to have it in front of me.
There you go. Thank you.
Thank you for backing me up on that
and not leaving me hanging.
There you go.
Anyway, the panel is made up of approximately 30,
if not precisely 30, experts from industry,
organizations like Microsoft, Comcast,
explicit cybersecurity organizations.
And their job is to advise the president
on cyber and related issues.
In this case, they put out a report that says
CISA should, CISA being the Department of Homeland Security's
cyber agency, should create an office
specifically devoted toward harmonizing these regulations
and making sure that they don't conflict with each other
and that they don't cause an undue burden.
There are some other recommendations that are related to that process,
but I think that's the headline bit,
is the idea that this organization thinks that CISA should create its own harmonization office.
And why CISA?
What makes them the agency of choice to ride shotgun on this?
Yeah, they put a good deal of thought into that.
And at the hearing yesterday where they approved this, there was some discussion, should it be at the office of the National Cyber Director
because it's got the White House nexus, it's got the sort of cross-government nexus. Should it be
even Commerce Department? And they settled on CISA because, well, there are a few reasons.
One is that CISA, with one exception, doesn't have any real regulatory authority. So when it's interacting with regulators, it is more in an advisory, technical assistance kind of role.
And that's what they have in mind for this office.
I think that's the main reason, but there were a couple others they also talked about.
That was the main reason.
There's an office that's already kind of doing this, or another committee that's kind of doing some of this already.
It was specifically created in response to the information sharing incident response reporting law that Congress passed last year, knowing that
this was going to be adding a regulatory rule to have a committee that works that out on a smaller
scale. This would be a little bit more across all sectors. CISA has that overall job of protecting
critical infrastructure, but they don't have necessarily assigned specific agencies for which
they do have a certain number of agencies for which they're supposed to, or they're their
lead sector agency. But for the most part, that's farmed out to the particular agencies that
normally have oversight of those things, energy department, electricity, that kind of thing.
Why do you suppose that this committee thinks that CISA not having regulatory power is a feature?
Yeah, I think they think of it as, what's the existing relationship?
And if the existing relationship is they've been serving in that role,
then that allows them to continue serving in that role.
One of the things that you hear about CISA from time to time,
even Jen Easterly, the director, has said she doesn't want it to be a regulatory agency.
You do hear a fair amount of worry that CISA, particularly from the right side of the political spectrum, might become too regulatory.
And one of the advantages, the argument goes, of CISA being non-regulatory is that they know that when people are going to come to them for help, the people who are victims are not going to have to be worried about what this will mean for them from a regulatory standpoint later if they ask for CISA's help.
I see. Now, it wasn't just about harmonization here. They had a few other suggestions. What
other things are they looking for? Yeah, they're looking for work on
post-quantum cryptography, which is a big issue. They want CISA and NIST to be prepared for the future of quantum computers
where they're going to make it a lot easier to break encryption, those computers.
When and if they arrive, they want them to go ahead and start planning that,
CISA and NIST in particular, to start working on that.
They also want to ask, they've also asked CISA and the General Services Administration to come agencies, and they want to see that expanded to incorporate other kinds of threats and essentially make that
program more powerful and more ready to combat some of the modern threats.
That's a fairly old program that has gotten updated from time to time, but they had specific
things about talking about wanting to use zero trust
and some of these more modern ideas about cyber
that weren't really as prominent as when CDM was created.
So this advisory panel submits their recommendations.
What sort of timeline are we on for these being considered
and possibly being put into action?
Yeah, it certainly matters
how much the president wants to go along with this.
If you look at the bylaws of the NSTAC, they say that once the report is delivered,
validated recommendations shall be reviewed by interagency to see how they can be carried out.
It's not exactly binding.
However, I think one of the things that gives it a little bit more oomph,
first off, it's the president's own panel.
He's asked these people for advice. I don't think he's going to turn down the majority of it. He might turn
down some of it. The other thing about the panel is that
there was a discussion with the ONCD, the National Cyber Director's Office.
They have been working on a national strategy that is focused on pushing more
regulatory approach to cybersecurity.
And the person who was there, Rob Knake, said that this really dovetails with what they had in mind.
Some of what is being put forward, I think you can say, has some real muscle behind it, even if there's no explicit regulatory rulemaking muscle that NSTAC has.
All right. Well, Tim Starks is the author of
the Cybersecurity 202 at The Washington Post. Tim, thanks so much for joining us. Always happy to be here.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach
can keep your company safe and compliant.
a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
This episode was produced by Liz Irvin
and senior producer Jennifer Eiben.
Our mixer is Trey Hester,
with original music by Elliot Peltzman.
The show was written by John Petrick.
Our executive editor is Peter Kilpe,
and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.