The CyberWire Daily Podcast 6.15.22
Ep 1600 | 6.15.22

Hertzbleed, a troublesome feature of processors. Cyberespionage and hybrid war. Patch Tuesday notes. Software bills of materials. Wannabe cybercrooks and criminal publicity stunts.

Transcript

Dave Bittner: The Hertzbleed side-channel issue affects Intel and AMD processors. An Iranian spearphishing campaign prospected former Israeli officials. We got Patch Tuesday notes. A look at software bills of materials. Russia routes occupied Ukraine's internet traffic through Russia. Intercepts in the hybrid war - the odd and the ugly. Deepen Desai from Zscaler joins us with the latest numbers on ransomware. Rob Boyce from Accenture Security looks at cyber invisibility. And finally, criminal wannabes and criminal publicity stunts.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, June 15, 2022. 

Hertzbleed side-channel issue affects Intel and AMD processors.

Dave Bittner: Researchers from the University of Texas at Austin, the University of Illinois Urbana-Champaign, and the University of Washington describe Hertzbleed, so-called from the measure of frequency, hertz, and also a punning allusion to the earlier Heartbleed vulnerability. The researchers characterize Hertzbleed as a new family of side-channel attacks - frequency side channels. Under the right circumstances, an attacker could extract encryption keys via remote timing. Hertzbleed is a difficult issue to address since, as the researchers point out, it's not really a bug but a feature of how the processors function. Intel has issued workarounds to mitigate the risk of exploitation. 

Iranian spearphishing campaign prospected former Israeli officials.

Dave Bittner: Check Point describes a complicated spearphishing campaign that prospected former Israeli officials and some American targets as well. It used personae and subjects tailored to the targets' interests, and it employed URL shorteners to further obfuscate the social engineering. The threat actor used a legitimate service, NameCheap's validation.com identity verification service, to lend further credibility to their approach. Check Point attributes the campaign to the Phosphorus APT, long associated with Tehran's intelligence and security services. 

Patch Tuesday notes.

Dave Bittner: Yesterday was Patch Tuesday. Microsoft issued fifty-five patches, including one that addressed the widely exploited Follina vulnerability. Adobe and SAP also patched their products. And today, Wednesday, marked the long-anticipated retirement of Internet Explorer. Microsoft has ended support for its once widely used browser. 

Dave Bittner: The U.S. Cybersecurity and Infrastructure Security Agency yesterday released three industrial control system security advisories, covering devices from Johnson Controls, Meridian and Mitsubishi Electric. Other ICS issues were also addressed. SecurityWeek reports that Siemens and Schneider Electric between them patched eighty-three vulnerabilities in their products. Siemens addressed fifty-nine vulnerabilities in fourteen advisories, and Schneider Electric fixed 24 vulnerabilities covered in eight advisories. 

A look at software bills of materials.

Dave Bittner: Google reports a considerable increase in efforts to adopt software bills of materials - SBOMs. SBOMs list all of the components, libraries and modules needed to build a piece of software. The National Institute of Standards and Technology - that's NIST - released its Secure Software Development Framework, requiring that SBOM information be available for software, which gave an additional boost to the use of SBOMs. Google emphasizes, however, that SBOMs need to be used and mapped onto known vulnerabilities to highlight what could pose a threat. They offer an example from a Kubernetes SBOM. They mapped it against the Open Source Vulnerabilities database and found that version 1.21.3 of Kubernetes contains the CVE-2020-26160 vulnerability. The usage of the SBOM in this case allows consumers using this version of Kubernetes to be aware of and address the vulnerability and remediate the issues. A future with widespread SBOM adoption will allow for more user awareness of the components and risks found in the software they consume regularly. 

Russia routes occupied Ukraine's Internet traffic through Russia.

Dave Bittner: Control of media and communications continues to advance as a matter of occupation policy in those areas of Ukraine that Russia controls. WIRED describes how internet traffic in particular has received close Russian attention. In some vicinities in Ukraine, internet service providers have been forced to reconfigure to connect through Miranda Media, a Russian operation. Mobile networks are receiving comparable attention, with hitherto unknown companies now providing mobile service in those areas. The integration of the occupied regions' internet and telecommunications into Russia has been used to disseminate Russian disinformation and propaganda. It's also part of an ongoing campaign of Russification that's extended to such matters as financial services and nominal citizenship, imposing the ruble as the local currency and issuing Russian passports to civilians who remain in the occupied regions. 

Intercepts in the hybrid war: the odd and the ugly.

Dave Bittner: CyberScoop reports that the Belarusian Cyber-Partisans, a dissident group opposed to the continued rule of President Lukashenka, has released what it says are telephone conversations between the Russian embassy and Russian consulate that suggests the Moscow-Minsk alliance is less fraternal than it's publicly represented to be. The Cyber-Partisans call their interception campaign Operation Heat Wave. Cyber-Partisans suggest that the recordings were made by the Belarusian government itself, an unbrotherly gesture in the Cyber-Partisans' view. In any case, the content of the calls they've released is remarkably anodyne - discussion of setting up a new facility, calls from people asking about their COVID vaccination certificates, inquiries about immigration, a request for advice on how to get a tow truck to Kursk, and so on. There's some mild bureaucratic buck-passing, but on the whole, the staff in the embassy and consulate seem patient and conscientious enough. Cyber-Partisans say they've got more coming, but if they're hoping for a greater effect, they should look for scandal, vilification, double-dealing and so on. The material they've released so far doesn't at all show the Russian diplomatic staff in a bad light. We don't know, but so far at least, they seem nice. 

Dave Bittner: Far from anodyne, however, is another recording of an intercepted call collected and released by Ukraine's SBU, the Security Service of Ukraine. The call, which the SBU says was between two Russian intelligence officers, discusses using Ukrainian detainees to clear mines and unexploded ordnance from Mariupol. The Telegraph reports that the number of prisoners Russian forces have taken in the region is unknown but is believed to total roughly 2,000. How they are being used for mine clearance isn't specified, although the two speakers talk about having the detainees dig trenches and sleep in them. But it seems unlikely that prisoners would be issued proper mine-clearing equipment. And in any case, explosive ordnance disposal isn't a job for the untrained and unled. Using prisoners of war in this fashion, whether they're being driven across minefields or simply put to work on military projects, is a violation of the Geneva Conventions. If the recording is authentic, the two speakers are casually alluding to and conducting low-level planning for a war crime. They seem banal, with no screaming and only minimal swearing, but they don't sound nice at all. War criminals never do. 

Criminal wannabes and criminal publicity stunts.

Dave Bittner: VICE reports that some guy, either a lower tier hacker or just some kind of wannabe, had posted an ad - since taken down - for what VICE calls crappy ransomware. A picture that accompanied the ad showed the hand of the proprietor on the steering wheel of a BMW holding a blunt. The Beemer is, of course, a symbol of success. The blunt, which VICE sniffs appears to be unlit, symbolizes the transgressive, untouchable, what-the-hell pursuit of pleasure. Anyhoo, it seems kind of dopey to advertise ransomware as a service on Instagram of all places, and the low quality of the offering indicates that there's junk for sale in the C2C market, too. Buyer beware or maybe not. If you're shopping for ransomware, you deserve what you get. 

Dave Bittner: And finally, you'll recall that the LockBit ransomware gang said during the run-up to the RSA Conference and with a virtual shower of digital glitter as misdirection to have successfully hit security firm Mandiant. Mandiant at the time said it saw no evidence of an attack and that it was skeptical that anything at all had happened. That early reaction seems to be about right. CPO Magazine reports that the whole business was moonshine, a publicity stunt by LockBit as it hoped to convince people that, no, really, it had nothing to do with the now sanctioned Evil Corp. 

Dave Bittner: Researchers from Zscaler's ThreatLabz team recently released findings from their 2022 State of Ransomware Report. Deepen Desai is chief information security officer at Zscaler, and I caught up with him at last week's RSA conference for an overview of the report. 

Deepen Desai: Ransomware continues to grow. One of the key trends that we highlighted last year as well was double extortion ransomware. This is where ransomware families are exfiltrating data from your crown jewel assets before they encrypt it. So even if you have a good backup hygiene and you're able to recover, they will hold you accountable by threatening to leak the data, right? So that's the double extortion trend. We saw about 80% growth in ransomware attacks year over year, and majority of these were double extortion ones. 

Dave Bittner: Wow. 

Deepen Desai: And 8 out of these top 11 ransomware families that contributed to this rise, they were all using ransomware as a service framework. We also looked at different industries that were targeted as a - over the course of last one year. And we saw manufacturing being the hardest hit one. 

Dave Bittner: Really? 

Deepen Desai: Yeah. One in every five attacks that we saw were targeted towards manufacturing industry. And then healthcare and restaurants and retail - those were the next close ones that we saw as the targets. 

Dave Bittner: In terms of the trends, is this continuing along the lines that you have all seen for the last few years, or have there been any adjustments along the way? 

Deepen Desai: Yeah. Manufacturing is, unfortunately, No. 1 second year in a row. There were a few changes. We saw the attacks against health care go down previous year, but they are again up. We also saw - another trend, actually, that I would call out is as the government started going after these ransomware families - right? - there's a trend that we are calling ransomware rebranding. So the same family, they are coming back into operations using a new name. And there are several examples of that that we have seen. I mean, if I were to name a few, GandCrab was renamed to REvil, right? REvil was gone after, and they're coming back. DarkSide, which attacked Colonial Pipeline, they came back as BlackMatter, right? And there are many such examples that you will see in our report where the goal of the ransomware operators is to make it easy for the victims to pay ransom as well, because once there's a government crackdown, you know, they will ban those organizations, and there is no way for the victim to pay a ransom as well. And then they're also trying to get away from the law enforcement pressure on that gang because now they're a different name, different group that was not associated with a high-profile attack like, say, Colonial Pipeline. 

Dave Bittner: Are you tracking anything in terms of consolidation or the continued professionalization of these groups? Are there some that are rising to become the dominant players? 

Deepen Desai: There are several players. In fact, more new players come out as they see how much success a lot of these guys are enjoying, right? So not so much on the consolidation side, but there are specific groups that are more sophisticated than the others. Like, we're seeing trends about leveraging supply chain vector, for instance, right? And this is not the traditional downstream supply chain attack where they're popping a software vendor and then trying to push malicious updates. This is where they carefully go after third-party vendors that you may rely on. So one of the example that we called out in the report is where they went after a company called Quanta Computers. And they popped the network. They stole a lot of information from there, and they apparently had access to Apple's MacBook blueprints and some of the other computer... 

Dave Bittner: Oh, yes. I remember that. Yeah. 

Deepen Desai: ...Sensitive information as well. So if you as an organization have a very strong security posture, but you still rely on third parties who are not at the same level, they will go after them, and then they will ask for ransom from you as well. So that is another trend that we're seeing in some of the gangs. Another recent example that I will call out - and this is public information as well - where Aon financial insurance company got hit. This is a second one - major one, right? We saw one last year as well. So what they're doing when they hit this insurance companies is they will look at all the organizations that have good cyber insurance with them, right? And that is a target list, right? These are the companies that, if you go after, they won't hesitate to pay ransom because they're covered by these insurance agencies. So using that supply chain in order to come up with what their target should look like and then demand ransom. That's another trend that we're seeing growing among these sophisticated gangs. 

Dave Bittner: What's your advice for organizations, then? I suspect most organizations are somewhere down that ransomware mitigation path. There are probably very few who haven't done something. But in terms of upping their game in that maturity level, any words of wisdom? 

Deepen Desai: Yeah, so prioritize your zero trust journey. Everyone, like you said, is already embarked on that, but prioritize. If you haven't started, you need to get started as soon as possible. My suggestion is focus on your crown jewel assets first. 

Dave Bittner: Yeah. 

Deepen Desai: Have your zero trust model centered around that so you're protecting that first, and then extend it to broader assets. So that's one. The other is employee security awareness is still one of the most important ones. If you look at the recent DBIR report, a vast majority of the attack still starts with a human element - right? - where... 

Dave Bittner: Right. 

Deepen Desai: ...There was a phishing attack or credential stolen and threat actor gets in. So that's that prevent compromise phase. So in addition to having your zero trust security stack, you also should focus on training your employees, making sure you have policies in place that provides training at the time the incident is happening. Right? And I can give you an example. So the way our platform is designed, it's a proxy architecture. So you are visiting a site. It was looking legitimate in the email that arrived to you. You clicked on the link. 

Dave Bittner: Right. 

Deepen Desai: At the time you're about to visit that site, you will see a caution page from the platform that says this is not what you think it is. It's a suspicious destination. Do not enter your credentials. Do not download anything from here. So that's an element that provides education at the time of the incident rather than after the fact, right? So having something like that as part of your security policies is also extremely effective. 

Dave Bittner: That's Deepen Desai from Zscaler. 

Dave Bittner: Rob Boyce is managing director and global lead for cyber crisis and incident response at Accenture Security. At last week's RSA conference, he led a presentation titled "Cyber Invisibility: Developing A Security Incident Notification Regime." I caught up with Rob Boyce at the conference for an overview. 

Rob Boyce: Well, it's definitely an emerging topic right now that's gaining a lot of importance around the mandatory notification process for cyber incidents. And so we're seeing a lot of uptick, especially after the Colonial Pipeline, of course, and the U.S. and Department of Homeland Security now is a lot more interested in seeing how we can, you know, capture the intelligence around those types of events and then leverage it for the protection of other critical infrastructure providers. So we're seeing a lot there. It's really interesting, and we're seeing a very similar thing in the U.S. and in the SEC, trying to bring more transparency for shareholders of public traded companies. And they, you know, obviously believe that going through a mandatory notification is going to provide those shareholders more insight into aspects of the organization's cyber threat roster. 

Dave Bittner: How is industry responding to this? 

Rob Boyce: So if we deal with critical - well, maybe divide the two. 

Dave Bittner: OK. 

Rob Boyce: I think these two, especially as it pertains to the U.S., are the two main ones that we're seeing - again, the SEC and CISA. We'll talk about critical infrastructure first. I think critical infrastructure is seemingly reacting positive about it. Like, I think they understand the importance of being able to notify. But there's still a lot of items that need to be determined. For example, we still haven't decided what is a covered entity, right? We know that the 16 categories of critical infrastructure providers and operators, but is it going to apply equally to them out of the gate or is it going to be over time? So that still needs to be determined. So I think once that starts to gain a little bit more clarity, we may have a different perception. But right now, there seems to be - there's not a lot of pushback. We'll say that. 

Dave Bittner: Yeah, yeah. 

Rob Boyce: Right? The SEC site for publicly traded companies is a little bit different. And there's, I would say, a little bit more work to be done there. I think, again, the benefits of having notifications are somewhat obvious, but when we're talking about publicly traded companies, there's also a lot of challenges potentially with them. For - so there's more concerns with organizations right now as it pertains to that because if you think about - if you were to notify within - I think right now that the recommendation for an SEC regulation is four days - and as a person who deals with these incidents on a daily basis, in the first four days, we don't really know a lot. And so the information that we have is going to be pretty incomplete of what the true impact may be. It may be misleading in either the side of we don't have enough information or we don't know the information. So it could be perceived that if we're sharing that transparently for the purpose of shareholders, how are those shareholders going to react to that information? They may be acting without having a full picture of the information, right? 

Dave Bittner: Right. Right. 

Rob Boyce: So it's going to be really interesting, and so there's definitely a little bit more pushback on that side. 

Dave Bittner: Is there any sense to what degree the enforcement regime is going to be rigid? 

Rob Boyce: Yeah. Well, what - at least for the ones that I've read for the CISA, for the new law that was passed, there are going to be mandatory notifications, so they will have to notify. There are criteria that have yet to be established. So once those are established, if you fall within that criteria, you will have to notify. If you don't notify and they find out, they can subpoena for evidence. So that is a process that has already been established as part of that. 

Dave Bittner: So what are your recommendations? I mean, when you're out and about consulting with your clients, how are you preparing them to be on board with this? 

Rob Boyce: Yeah. Well, it's going to happen, so we may as well start assuming that this is going to be the new process that will be coming down in the future. I mean, we are talking years to get there right now, but let's start taking a look at, you know, our incident response playbooks, our crisis response playbooks. How do we work in these notification processes? How do we start making sure that - as these criteria for what a material incident is and a covered entity is, how do we make sure that we're building in those notification processes when those applicable criteria do apply? There's also going to be potentially new rules around preservation of evidence, so I think that will be interesting, and that's something that a lot of organizations have not had to deal with previously. 

Dave Bittner: Right. 

Rob Boyce: So how does that impact their standard processes, and what would they have to do a little bit differently? So there's a few things that, you know, just will change, and you may as well start planning for it now because all signs point to - this is happening. 

Dave Bittner: I would imagine, too, there are a lot of organizations crossing their fingers and hoping that they aren't the test case. 

Rob Boyce: Correct. Yeah. 

Dave Bittner: Yeah (laughter). 

Rob Boyce: Yeah, yeah. Well, and I think - I don't think that CISA will be able to apply this equally to all critical infrastructure out of the gate, so they will have to pick and choose. And, you know, I think we'll probably see them focus more on those portions of critical infrastructure that are the most important for us, so - but, I mean, I don't know. 

Dave Bittner: Yeah. 

Rob Boyce: But this is all going to be figured out within the next - they have 24 months, I think, to be able to decide what is the definition of material incident, who are the covered entities and a few other things, and then I think they have 18 more months to roll it out after that. So we're talking about... 

Dave Bittner: Wow. 

Rob Boyce: ...Twenty-four plus, you know... 

Dave Bittner: Yeah. 

Rob Boyce: ...That many months to get to a resolution. Well, that's the maximum. 

Dave Bittner: That's Rob Boyce from Accenture Security. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Rachel Gelfand, Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.