CyberWire Daily - What’s now being traded in the C2C markets. CISA would like comments on its software self-attestation form. And in Russia’s hybrid war, are there cyber war crimes, or real hacktivists?
Episode Date: April 28, 2023

Cl0p and LockBit exploit PaperCut vulnerability in ransomware campaigns. Infostealer traded in the C2C market. All ads are trying to get your money, but some just take it. CISA requests comment on software self-attestation form. Our guest is Marcin Kleczynski, CEO of Malwarebytes, sharing thoughts on the current threat landscape, attacks on students and academic institutions. Betsy Carmelite from Booz Allen, discussing themes from the RSAC tied into critical infrastructure resilience. Ukraine argues that cyberattacks against civilian infrastructure should be classified as war crimes. And are there any genuine disinterested hacktivists on Russia's side, or are they all fronts?

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/82

Selected reading.
Microsoft Confirms PaperCut Servers Used to Deliver LockBit and Cl0p Ransomware (The Hacker News)
Microsoft: Clop and LockBit ransomware behind PaperCut server hacks (BleepingComputer)
New 'Atomic macOS Stealer' Malware Offered for $1,000 Per Month (SecurityWeek)
"Malverposting" — With Over 500K Estimated Infections, Facebook Ads Fuel This Evolving Stealer… (Guardio)
Request for Comment on Secure Software Self-Attestation Common Form (CISA)
OMB, CISA set to release common form for software self-attestation (FCW)
Pro-Russian hacktivism isn't real, top Ukrainian cyber official says (CyberScoop)
Transcript
You're listening to the CyberWire Network, powered by N2K.
Cl0p and LockBit exploit PaperCut vulnerability in ransomware campaigns.
InfoStealer traded in the C2C market.
All ads are trying to get your money, but some just take it.
CISA requests comment on software self-attestation form.
Our guest is Marcin Kleczynski, CEO of Malwarebytes,
sharing thoughts on the current threat landscape
and attacks on students and academic institutions.
Betsy Carmelite from Booz Allen,
discussing themes from the RSAC
tied into critical infrastructure resilience.
Ukraine argues that cyber attacks
against civilian infrastructure
should be classified as war crimes.
And are there any genuine disinterested hacktivists
on Russia's side, or are they all fronts?
From the CyberWire Boston Bureau,
I'm Maria Varmazis with your CyberWire summary
for Friday, April 28th, 2023.
Microsoft tweeted Wednesday that they had attributed two campaigns exploiting vulnerabilities on PaperCut printers to Cl0p and LockBit.
The two vulnerabilities, CVE-2023-27350 and CVE-2023-27351,
were announced in an April 19th post by PaperCut.
The company urged all admins to update their firmware with the latest patch to address them.
Microsoft explained that they traced the infections back to a period
before the vulnerabilities were discovered on April 13th. Microsoft said this: "We're monitoring other
attacks also exploiting these vulnerabilities, including intrusions leading to LockBit
deployment. More threat actors could follow suit. It's critical for organizations to follow
PaperCut's recommendation to upgrade applications and servers."
BleepingComputer, which is periodically in touch with the Cl0p operators,
reports that the Cl0p ransomware operation confirmed to BleepingComputer
that they were behind the attacks on PaperCut servers,
which they started exploiting on April 13th.
In reply to our questions about the LockBit attacks,
Microsoft said they had nothing further to share.
In any case, the standing advice is still sound.
Look to your systems and apply patches in accordance with vendor instructions.
SecurityWeek reports that researchers at threat intelligence company Cyble have analyzed an
info-stealing malware tracked as Atomic macOS Stealer, or AMOS for short. The malware incorporates
an array of data theft capabilities. One of its authors claims on
Telegram that AMOS can steal all passwords from the keychain, full system information, and files
from the compromised computer. The malware has been offered to the criminal-to-criminal trade
by subscription on Telegram for $1,000 a month. AMOS is also allegedly capable of stealing passwords,
cookies, crypto wallets, and payment information from a
multitude of browsers. The malware is delivered as a DMG file and, when first executed, it displays
a fake prompt to trick the victim into handing over the macOS system password. This is notable
because SecurityWeek highlights that while macOS-based malware may boast many capabilities,
getting it to run on the system can prove difficult.
Their report goes on to say that a Trellix researcher noted an IP address in use by the
malware that could potentially be linked to Raccoon Stealer, a malware used by threat actors
in Ukraine and Russia. One weird trick to get people to click on that link: tell them they'll
be taken to the kind of saucy content we've curiously agreed to call adult, though in truth it's really more accurately described as
adolescent, or so we hear. We never click ourselves. Anyhow, it's not news that threat
actors use clickbait advertisements to infect users' computers with malware. As Guardio reports,
however, the scale at which one threat actor has been conducting these campaigns is pretty
noteworthy. One of those campaigns linked to a Vietnamese threat actor has been ongoing for months now,
gaining more traction lately using resilient deployment techniques
and is estimated to surpass 500,000 infections worldwide so far.
The campaign uses Facebook ads distributed from business accounts depicting free adult content, venerable clickbait,
to get users to download a zip file of the alleged images. The images are actually
executable files, and they take the user to a website while, in the background, the stealer
will silently deploy, execute, and gain persistency to periodically exfiltrate your sessions' cookies,
accounts, crypto wallets, and more. The threat actor uses commercially available hard disk manufacturers to avoid detection.
Guardio reports that this campaign alone reached 500,000 deployments in three months.
With the opportunity to effortlessly distribute millions of copies a day
with the power of social networks advertisement infrastructure,
the damage that these threat actors can do in just a few hours without detection is overwhelming.
So that ad that had your attention may immediately thereafter have your crypto wallet.
The U.S. Cybersecurity and Infrastructure Security Agency, or CISA, yesterday released a request for comment on a drafted self-attestation form for federal government software providers.
The Secure Software Development Attestation Common Form was a combined effort between CISA and the OMB, or the Office of
Management and Budget, and is based on a National Institute of Standards and Technology, or NIST,
Secure Software Development Framework, or SSDF. Lots of acronyms there. Speaking of acronyms,
FCW explained on Tuesday that the form is intended for software vendors
to prove that their products are secure to the standards of federal government customers,
with the government's ultimate goal being to work towards securing the supply chain.
This follows a 2021 executive order on improving cybersecurity throughout the United States
and a later memo that same year from OMB
requiring federal agencies to acquire self-attestation forms from vendors
with a looming September deadline.
Public comment on the form will be accepted through June 26, 2023
via a comment box on the regulations.gov website,
so go take a look and let CISA know what you think.
Speaking at RSAC this week, Illia Vitiuk, Ukraine's head of the Department of Cyber Information Security
in the Security Service of Ukraine, urged that cyber attacks against civilian infrastructure
should be treated as war crimes.
Infosecurity Magazine quotes him as saying this:
I do believe that military commanders that are in
charge of special forces and special services, like the Russian GRU or SVR, who are responsible
for cyber attacks on civilian infrastructure, should also be convicted as war criminals.
Such attacks would presumably violate one or more of the principles that underlie the laws
of armed conflict: proportionality, discrimination, and military necessity.
Vitiuk also presented the case, CyberScoop reports, that there are no genuine hacktivists working in the interest of Russia. "More than 90% of all cyber attacks targeting Ukraine are either
conducted by special services or by state-sponsored groups," Vitiuk said. "I do believe that there is no so-called hacktivism in Russia at all."
Now, he described a brief wave of pre-war Russian arrests of cyber criminals as effectively
an intimidation campaign. Work for the security organs or face the consequences.
The arrests of some REvil members in the weeks before the war were an example of that kind of
strong-arm recruitment. Noting that the prosecutions had all stalled by May,
Vitiuk added this:
Recruiting auxiliaries to work as fronts for Russian security
and intelligence services would not have been particularly difficult.
The ties between the organs and the underworld
have been close for a long time.
And a final note on the most prominent Russian hacktivist auxiliary,
Killnet. This week, the group announced that it would henceforth act as a private military
hacking corporation, a kind of a Wagner Group for cyberspace. It's just now announced,
presumably for the benefit of prospective customers, that it would be unavailable for
72 hours
while it reorganizes.
We wonder if, like so many other corporate reorganizations,
it will be accompanied by consultants,
off-sites, team-building exercises, and the like.
So consider KillMilk,
which is the nom-de-hack of the guy in charge.
Is this guy going to test as an ENTP on the Myers-Briggs?
Our money says this guy tests out as a JERK.
But that's just us.
Lead by example, Mr. Milk.
Coming up, our guest is Marcin Kleczynski, CEO of Malwarebytes,
sharing thoughts on the current threat landscape and attacks on students and academic institutions. Betsy Carmelite from Booz Allen discussing themes from the conference
tied into critical infrastructure resilience.
Marcin Kleczynski is CEO at Malwarebytes.
I caught up with him at the RSA conference for his insights on the threat landscape and the trade show itself.
So here we are at RSA conference.
And I'm curious, as we come into this year, as we're making our way around the show floor and meeting with all the different people we're meeting,
what is your sense of where we stand?
Like, where do we find ourselves at this moment?
Well, every time I walk into RSA every year,
the stress level just feels like it's emanating from the room.
So I feel like that's where we're at again this year.
Threats have gotten worse.
You know, complexity has gotten worse.
Everything's gotten worse.
And, you know, a lot of defenders in that room,
and that's what we're proud of, you know, being in that room. Where are you all focused this year
in terms of coming at the threat and taking your place in the community? Yeah, so Malwarebytes
really focused on really simplifying security for a lot of folks. A lot of SMBs, MSPs that are
overwhelmed, underwater in terms of resourcing.
We Malwarebytes just really want to give them the tools
to be successful and be able to protect themselves
or their customers.
What are the stories that you're hearing from folks
in terms of the specific pain points they're experiencing?
Every year, ransomware is just a common thread.
We're seeing smaller and smaller businesses,
education, hospitals continue to be affected by ransomware.
And this is really causing real life issues, right?
We're now talking about students' mental health
being exposed online, patients' records being locked.
Every year, it seems the stakes are getting bigger.
And this year does not fail to surprise us again.
Yeah.
You know, we're seeing economic headwinds,
and that is finally sort of hitting the folks in cyber.
We've seen some layoffs.
And of course, every year,
folks have to submit their budgets
to the boards and the powers that be.
Yep.
What are your insights
on how people go about prioritizing
the things that they present, the things they buy? Yeah, well, security is a necessity, right? It's
a conversation in the boardroom and you don't want to be the company in the news or, you know,
more importantly, you don't want your data stolen, your business affected. But every year is a
challenge to go get the budget that you need for people, for technology.
And over the years, I've seen many tools, products that are marketed well, you know,
booths at RSA, but sit on the shelf. And I think, you know, over the years, people continue to buy things, don't necessarily implement them. As we face economic headwinds, security will always be
necessary, but not as much of it. I think using the tools that you're
in your arsenal effectively, more effectively, is really the name of the game.
Do you have recommendations for how people set those priorities as they look at their
security stack? What do I keep? What am I making use of? What am I not? Or is that usually pretty
self-evident for folks?
Well, both, right? I think there are some things where
you just look at it and we haven't really used this in a year
and it's not really delivering value
or we can consolidate it with another vendor.
But it's an exercise that you
kind of have to go through every year to see what
are we using? What is deployed? What could be deployed?
What is implemented well?
What can replace a person
or better said, fill a need where we,
you know, we can't hire that person or can't find that person. So I think it's an exercise every
year to just, well, justify all the technology and things you've implemented really.
In terms of longer term trends, as you walk around the show floor here,
where do you think we're going as you look towards the horizon?
More marketing.
Well, that's certainly the easy message to get here right now. Yeah, there's yet another,
you know, buzzword somewhere on some booth that will be, you know, predominant next year.
Look, I think security is really hard and we as vendors make it even harder by throwing out all these marketing terms and first there's MDR, now it's XDR,
what's next, right?
EDR and so on.
I do think as an industry,
we need to get better around
just simplifying security for our customers
and buzzwords and hand waving and all that.
I just think that really creates a lot of confusion.
It's one of my pet peeves at RSA is walking around and just seeing some of the messaging,
knowing what the product and the company do versus what is on the actual banner and such.
So my best advice to folks is always get a demo and really understand the value that
this could provide.
And are you solving a security need or did you get drawn in by pretty good marketing
messaging on the banners?
Yeah.
How about the human side of it as well?
I mean, the folks who are making these decisions,
running these products and implementing them every day,
they're facing real stress.
How do you feel about that side of it
and how we're attending to their emotional needs?
Yeah, I'm very empathetic because,
you know, I obviously am in security. I'm a CEO of a security company at the same time,
know that we have people that haven't worked in security their entire life, accountants and,
you know, HR folks and so on. And so their needs are, you know, as with every other company,
like you've got to protect them. They don't know security. We continue to phish them. So I am,
you know, empathetic because I understand the problem set.
I also work with, you know, thousands of customers,
very small businesses up to kind of medium enterprises.
And every day is a challenge.
It's like, well, I have to do this all by myself
because I don't have the staff
and I don't have the money for the staff.
So like really every day we wake up,
it's like, how do we make this simpler?
And I think the industry as a whole needs to embrace that mentality.
That's Marcin Kleczynski, CEO at Malwarebytes.
And it is always my pleasure to welcome back to the show Betsy Carmelite.
She is a principal in cyber defense operations at Booz Allen.
Betsy, great to see you here in person at the RSA conference.
Likewise, Dave. This is really fun.
We have a specific topic we want to touch on here today, and that is critical
infrastructure and resilience. I know that is something that you and your colleagues have been
focused on lately. What can you share with us here? Yeah, so the theme of this year's RSA
conference has been stronger together. And if I've heard one thing throughout all these panels, it's this theme of
understanding how to be resilient. And cyber resiliency, among others with partnerships,
has very much played out in a lot of the panels and discussions that I have observed and
my colleagues and I are having here at RSA. So when we're talking about resilience when it comes to critical infrastructure,
I mean, there's a lot of players that that notion touches.
Yeah, yeah.
So I think in the past, we've really focused on cyber defense,
and that's certainly the field that I work in.
But the theme of cyber resiliency is really the sense of being able to withstand
and recover from a cyber attack or incident.
And the acknowledgement of the fact
that you will be attacked,
you've likely been compromised or will be compromised
is really at the core of anticipating
how you do withstand an attack and recover.
Also, zero trust plays into this. You and I have talked a lot about zero trust in the past already. But yeah,
this is really the lens through which I've attended these sessions, listened and observed,
and really focused on critical infrastructure resiliency too. And what are you seeing this
year at the conference in terms of the attention that this topic is receiving?
I have to start with Ukraine. Some of the discussions with our Ukrainian counterparts who are here, talking about their roles as they are going through an ongoing conflict with Russia
and how the speakers, whether it's across the U.S. government, private industry, vendors, how they're talking about holding up Ukraine as a model of cyber resiliency.
Ukraine's infrastructure in the day-to-day war, but also when it comes to U.S., what we're anticipating with our adversaries, what are we going to learn and continue to uphold that example
of Ukraine as a model? And what are some of the specific things that are being discussed when it comes to that? Yeah, so we heard that the Ukrainian lessons in resilience
made their way into the national cybersecurity strategy.
There was a lot of time to consider what was going on in Ukraine.
It's been under attack since at least 2014
when the annexation of Crimea occurred,
if not longer before that. And it's really been a
testing ground for cyber capabilities. So taking the lessons of how the Russians turned their tools
on Ukraine, and often before unleashing them on the US, and let's talk about how APT28 has
affected us in our election infrastructure.
So taking those lessons learned, and it's very interesting that that made it into our own national cybersecurity strategy.
Also, we're seeing from Ukraine the private industry and U.S. government and partner support in the cybersecurity space was a psychological game changer for Ukraine to kind of
sustain, understand that they're supported by the international community and really buoyed its
ability to react to both kinetic and cyber attacks on the Ukrainian power grid, for example. They
were able to understand and anticipate a kinetic attack because they saw their telecoms infrastructure under a cyber attack the day before a TV tower went down in a physical attack.
And so moving beyond what's going on in Ukraine, I mean, how does that inform how we approach these things here stateside? Yeah, so if we're looking at resiliency
and using that as an example, but also our day-to-day, you know, as our own uplift
and enhancements occur across our own cybersecurity organizations, private industry,
trust and communication has been a theme.
Not surprising, but that's really, you know,
building the trust, maintaining the trust.
We saw private companies reaching out to the Ukrainian government. How can we help you with our data, with our cybersecurity tools?
The FBI reaching out to companies and calling in
requests to help Ukraine, informing U.S. companies if they were unknowingly supporting Russian
activities via their infrastructure. So as we look forward toward the horizon,
where do you suppose we're headed here? More immediately, and another kind of geopolitical view on this that's kind of on
everybody's minds, is this really positions the U.S. to consider the range of potential attacks
that might result from a China-Taiwan scenario. And so, you know, what can we pay attention to
with how Ukraine has shown its resiliency? But also, let's be aware, China is paying attention
to U.S. reactions to Russia and how our assistance is playing out in cyberspace. So
it's very encouraging in knowing that our larger partnership across, again, public, private,
government, industry, they're all watching this as well and taking the notes to see what could happen probably in a China, Taiwan scenario as well.
Yeah, yeah.
As they say, interesting times, right?
Yeah.
And there are a couple of other interesting pieces that have come out of the cybersecurity strategy, the national cybersecurity strategy, but really enabling organizations to figure out how tactically they're going to shift their day-to-day
operations. And in the longer view for their strategic thinking, themes like secure by design,
secure by default, holding the industry accountable for taking the burden off the victim for the attack and attack outcomes.
We know that the U.S. is looking into legislation right now with mandatory reporting for breach notification.
We heard the encouragement for the open comments on that legislation and that document right now coming out from CISA,
the information that comes from victims informs the threat.
And the result of those investigations then informs cyber operations.
So partnership and encouraging victims to come forward is really at the core of that trust and communication.
And that's really what builds resilience.
All right.
Well, Betsy Carmelite, interesting insights as always.
Thank you so much for joining us.
Thanks, Dave.
Great to be here in person with you.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay
abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe.
We're there co-building the next generation of cybersecurity teams and
technology. Our amazing CyberWire team is Elliot Peltzman, Trey Hester, Brandon Karp, Eliana White,
Guru Prakash, Liz Ervin, Rachel Gelfand, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Vilecki, Millie Lardy, Gina Johnson, Bennett Moe, Catherine Murphy, Janine Daly, Jim Hoscheit. I'm Maria Varmazis.
Thanks for listening.