CyberWire Daily - Watch out for abuse of pentesting tools. Cyber attack on Guadeloupe. Ducktail’s evolution. Cybersecurity for ports. ICS security advisories. And stay safe shopping during the holidays.

Episode Date: November 23, 2022

Another pentesting tool may soon be abused by threat actors. Cyberattack disrupts Guadeloupe. Ducktail evolves and expands. Warning of the potential disruption cyberattacks might work against European... ports. CISA releases eight industrial control system advisories. Patrick Tiquet, VP of Security and Architecture at Keeper Security, talks about the FedRAMP authorization process. Bryan Vorndran of the FBI Cyber Division with reflections on ransomware. And stay safe on Black Friday (and Cyber Monday, and Panic Saturday, and… you get the picture).

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/225

Selected reading.
Nighthawk: An Up-and-Coming Pentest Tool Likely to Gain Threat Actor Notice (Proofpoint)
Making Cobalt Strike harder for threat actors to abuse (Google Cloud Blog)
Guadeloupe government fights 'large-scale' cyberattack (AP NEWS)
Vietnam-Based Ducktail Cybercrime Operation Evolving, Expanding (SecurityWeek)
Cyber as important as missile defences - ex-NATO general (Reuters)
CISA Releases Eight Industrial Control Systems Advisories (CISA)
Black Friday and Cyber Monday risks. (CyberWire)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Another pen testing tool soon may be abused by threat actors. Cyber attack disrupts Guadeloupe. Ducktail evolves and expands. Warning of the potential disruption cyber attacks might work against European ports.
Starting point is 00:02:12 CISA releases eight industrial control system advisories. Patrick Tiquet, VP of Security and Architecture at Keeper Security, talks about the FedRAMP authorization process. Bryan Vorndran of the FBI Cyber Division with reflections on ransomware. And stay safe on Black Friday. And Cyber Monday. And Panic Saturday. You get the picture. From the CyberWire studios at DataTribe, I'm Trey Hester filling in for Dave Bittner with your CyberWire summary for Wednesday, November 23rd, 2022.
Starting point is 00:03:10 We heard yesterday about steps Google was taking to render Cobalt Strike less susceptible to abuse by cybercriminals. As you know, Cobalt Strike is a legitimate penetration testing toolkit that's been frequently abused by criminals who've used it to move through victims' networks and help stage attack payloads. Google released open-source YARA rules that should make it easier for defenders to detect such abuse. The step should also have the welcome result of returning the tool to its proper users. Should Cobalt Strike really prove less abusable by the hoods, of course, that leaves a vacuum. And Proofpoint thinks it has a good idea of what might take its place in the underworld. The security firm blogged yesterday that another framework, Nighthawk, might fill the void. So far it hasn't, but the possibility seems worth keeping an eye on. Proofpoint explained their interest, saying, quote, In September 2020, Proofpoint researchers identified delivery of a penetration testing framework called Nighthawk. Launched in late 2021 by MDSec, Nighthawk is
Starting point is 00:04:02 similar to other frameworks such as Brute Ratel and Cobalt Strike, and, like those, could see rapid adoption by threat actors wanting to diversify their methods and add a relatively unknown framework to their arsenal. This possibility, along with limited publicly available technical reporting on Nighthawk, spurred Proofpoint researchers into a technical exploration of the tool and a determination that sharing our findings would be in the best interest of the cybersecurity community, end quote. Again, Proofpoint says it's observed no signs of Nighthawk being abused. The report concludes, quote, Nighthawk is a mature and advanced commercial C2 framework for lawful red team operations that is specifically built
Starting point is 00:04:41 for detection evasion, and it does this well. While Proofpoint researchers are not aware of adoption of Nighthawk in the wild by attributed threat actors, it would be incorrect and dangerous to assume that this tool will never be appropriated by threat actors with a variety of intents and purposes. Historic adoption of tools like Brute Ratel by advanced adversaries, including those aligned with state interests and engaging in espionage, provides a template for possible future threat landscape developments. End quote. novel tool or the tool has reached a certain prevalence, end quote. The French Overseas Department of Guadeloupe, a Caribbean island, has been hit by a cyber attack that's disrupted government services. The AP reports that the authorities are working to restore their systems, but beyond that, little information is available, beyond an announcement characterizing the incident
Starting point is 00:05:41 as a large-scale attack. Many of the government's sites were accessible this morning, so recovery may well be in hand. Researchers at WithSecure, a company formerly known as F-Secure Business, have told SecurityWeek that they have observed an expansion and evolution of the cybergang Ducktail. Probably based in Vietnam, Ducktail targets Facebook business users. Their principal tool is an information stealer that gives them victims' credentials. Activity in Telegram channels suggests that Ducktail is beginning to establish an affiliate program.
Starting point is 00:06:13 Reuters has an interview with retired U.S. General Ben Hodges, who argues that cybersecurity is as important to NATO logistics as missile defense. In support of his contention, he cites the disruption worked by NotPetya, the 2017 Russian pseudo-ransomware campaign against Ukraine that spilled over into the transportation sector and disrupted port and shipping operations. The major shipping firm Maersk was particularly affected. The German ports of Hamburg and Bremerhaven are especially important to NATO. Interference with port operations would have a significant effect on the Atlantic Alliance's ability to sustain operations in Central and Eastern Europe. NotPetya hasn't been repeated, but it might be regarded as a demonstration of what could be
Starting point is 00:06:55 accomplished by a determined attacker. The U.S. Cybersecurity and Infrastructure Security Agency yesterday released eight industrial control system advisories. We know there's a bit of season creep in progress for Black Friday and Cyber Monday, and all of the days that follow up to the new year. But it's not too soon to think about taking some prudent precautions. We've assembled some advice from security experts on staying safe online during the holiday season. You'll find it online at thecyberwire.com. And do enjoy Thanksgiving tomorrow. We'll be taking the long weekend off and hope that everyone who's able can do so as well. The Cyber Wire will return to our regular publication schedule on Monday.
Starting point is 00:07:40 After the break, Patrick Tiquet of Keeper Security talks with us about the FedRAMP authorization process. And Bryan Vorndran of the FBI with his reflections on ransomware. Stick around. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora
Starting point is 00:08:24 have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Thank you. for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk.
Starting point is 00:09:36 In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. FedRAMP is the Federal Risk and Authorization Management Program, and according to the GSA, it provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Achieving FedRAMP authorization is not easy, and in fact, the process can be quite daunting. Is it worth it? To help answer that question, I checked in with Patrick Tiquet, VP of Security and Architecture at Keeper Security, where he and his colleagues recently earned FedRAMP authorization. FedRAMP is an authorization that is managed by the GSA. There's 17 different control families, everything from access control to personnel security, physical security, auditing.
Starting point is 00:10:49 At the FedRAMP moderate level, there's about 325 controls, I believe, somewhere in that area. That's kind of deceptive because each control could have up to dozens of control enhancements, which are smaller individual controls that enhance the existing primary control. FedRAMP stands for Federal Risk Assessment and Management Program. So at its core, it's a risk assessment framework. I see. So take us through what this experience is like. I mean, how did you and your colleagues gear up for going after something like this? It was a bit of a learning curve. You know, initially, you know, we've had our SOC 2 report since 2013.
Starting point is 00:11:44 We've been ISO 27001 certified since 2018. And we had experiences obtaining difficult, rigorous certifications in the past. We knew that FedRAMP was going to be a bit of a different ballgame. Previously, we were able to, with a relatively small team, achieve ISO 27001 certification and SOC 2. FedRAMP is set up so that you really need a team of people to achieve it. I mean, there's things built into it like separation of duties, and there's a lot of just busy work on a monthly basis. Continuous monitoring, generation of a plan of action and milestones on a 30-day cadence. So there's a lot of things that we actually had to learn along the way that it wasn't going to be the kind of thing where just a small team can accomplish that.
Starting point is 00:12:39 This is something that is really overarching and reaches and touches on all aspects of a company. So it really is a commitment. It sounds like company-wide and also something long-term. This isn't just get it done and get your checkmark and move on. There's ongoing stuff that you all have to do. Correct. So like with ISO 27001, for example, once you achieve the certification, there's an annual surveillance audit,
Starting point is 00:13:13 and then you go through the whole certification after a few years. With FedRAMP, once you obtain your authorization, it's really not the end. It's really the beginning. Every 30 days, we have to scan our entire system. Any new vulnerabilities that come up, we rank them by critical, high, medium, low. And then that determines how quickly we need to mitigate those vulnerabilities and fix
Starting point is 00:13:41 them and patch them. So it's something that it's constant and you have to stay ahead of it. And it's easy to get behind if you don't patch vulnerabilities within time. So it's something that really you have to have a team of probably two to three people just dedicated and focused on maintaining
Starting point is 00:14:02 and ensuring that the system remains secure. And having been through this process, what is your advice for other organizations who may be considering it? Well, when we started it, everyone told us that this would be a multi-year commitment to achieve initial authorization. Initially, I think we thought, oh, well, you know, maybe we could do it in about six months. What it turned out to be was it took almost exactly two years to the day to achieve our final authorization from the day that we started it. So there's, I'd say the first thing you need to do is get some experienced people in to do a gap assessment of your existing infrastructure and figure out, okay, what are the things we need to implement? What are the controls we need to implement?
Starting point is 00:14:51 What are the things we need to build or do in order to implement all of the FedRAMP controls? And then in terms of this opening up opportunities for you all, has that come to pass? Does it seem like the effort continues to have value? Yes, yes, absolutely. And, you know, it really, in addition to opening up new opportunities and generating a lot of interest from federal agencies. It also has generated interest from people who are companies who are in the federal space that may not necessarily be a federal agency, but still have the requirements to meet the federal controls. And I suppose having been through FedRAMP, the next steps probably aren't quite as daunting as they otherwise would have been.
Starting point is 00:15:45 You've got this experience under your belt. Yeah, we have our experience under our belt. We know what to expect now. I don't think it makes it any less daunting. In fact, I think if we knew how difficult the authorization process was going to be, I think we might have had second thoughts or hesitated more about pursuing this. But now
Starting point is 00:16:08 that we have achieved this and we have a team that's experienced, it seems less daunting. It's just we know what to expect. We know the reality of how difficult it is to achieve and maintain an authorization such as FedRAMP. That's Patrick Tiquet from Keeper Security. And it is always a pleasure to welcome back to the show FBI Cyber Assistant Director Bryan Vorndran. Director Vorndran, welcome back. I want to do a little deep dive today on ransomware and some of the guidance that you share when it comes to that. What can you share with us today? Sure. David, it's good to be with you, and I appreciate the question.
Starting point is 00:17:03 And we get this question a lot. And so I'll go through a few notes here, and I think they're very, very important. Number one is doing the basics well in a repeatable fashion is probably the most important piece of advice I can give to your listeners. And when we talk about ransomware, the goal really should be prevention. So well-established cybersecurity practices, you know, whether that's MFA, password management, effective logging, log management, vulnerability and patch management, phishing tests, maintaining air-gapped and encrypted and current backups, these have to be done in a repeatable fashion by the entirety of your organization. And your organization is only as strong as the weakest link.
Starting point is 00:17:48 And so when we talk about doing the basics well in a repeatable fashion, that is a very, very important takeaway for your listeners. Next, I think it's important for organizations to understand that they need to plan well. You know, that includes business continuity, crisis management, disaster recovery, and computer intrusion incident response. It's very important that those plans are not developed and exercised in isolation. They really do need to be exercised at the operational, the executive, and the board levels. And really the goal of the exercises should be to develop a strategy and to refine decision-making processes, right? And so there's really four key areas to those exercises. So first is communications protocol,
Starting point is 00:18:33 and that covers both internal and external communications. And the bottom line is that organizations, as they prepare, should prepare to lose their primary means of communications and move to secondary communication channels, right? And that's an important part of the exercise. The second goal is related to ransomware, and it's the pay-no-pay decision. And, you know, the best prepared organizations have war-gamed this out at an excruciating level of detail, and they understand that this becomes a math problem for them. If downtime in their organization at two hours is worth $10 million of revenue, then a $10 million ransom payment probably is commensurate and a decision that they would make to move forward on. But that
Starting point is 00:19:18 pay-no-pay decision and really, really planning that out in detail is a second important goal. The third goal is who will the organization share with in the U.S. government and when? And there's a host of different answers to that. And from an FBI perspective, we always say the most important thing is to share with the U.S. government. And so we never really advocate for the FBI to be the first call. We advocate for the FBI to be an early call because we have certain authorities and capabilities that may lend support to a victim. But you should think about how you're going to engage the U.S. government and which part of the U.S. government. And is that engagement
Starting point is 00:19:56 going to come from a CISO, from a CEO, from retained counsel? The best prepared organizations have really worked through that. And lastly, what and when will you share with your board of directors? And so those are just some important goals of those exercises, but these are the messages that we share when we're asked about lessons learned and how can organizations best prepare for ransomware. You mentioned sharing information with the U.S. government. Beyond the FBI, certainly within the next two to three years, every
Starting point is 00:20:47 organization within critical infrastructure sectors will be required to report directly to CISA through a standardized process. And the FBI is very, very supportive of that process and has a tremendously close working relationship with CISA. We would certainly recommend that the local field office be a close contact as well. But then obviously, if an organization is in a regulated industry, they would obviously need to have close ties to their regulatory agency or their sector risk management agency.
Starting point is 00:21:19 So that really covers the spectrum of who an organization would need to have in their Rolodex. You know, as you and your colleagues are helping organizations recover from ransomware, are there common shortcomings or are there areas that you all see repeatedly where folks have come up short? You know, I don't really look at it that way, Dave. I look at it as the basics are tremendously important to execute over and over and over again. So we've seen examples where a phishing email has gone through. We've seen examples of where known common vulnerabilities have not been properly patched or properly remediated. But at the end of the day, I would really cycle back to the list I provided earlier, right? These basics of cybersecurity, MFA, password management, vulnerability and patch management, phishing tests, right? Maintaining backups. These are just such important foundational
Starting point is 00:22:17 items to secure a company's future. All right. Well, FBI Cyber Assistant Director Bryan Vorndran, thanks so much for joining us. Thank you, Dave. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
Starting point is 00:23:01 and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. Clear your schedule for you time with a handcrafted espresso beverage from Starbucks. Savor the new small and mighty Cortado. Cozy up with the familiar flavors of pistachio. Or shake up your mood with an iced brown sugar oat shaken espresso. Whatever you choose, your espresso will be handcrafted with care at Starbucks. Thank you. Thanks for listening, and happy holidays. Thank you. AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
Starting point is 00:25:11 helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's
