The CyberWire Daily Podcast 7.8.22
Ep 1615 | 7.8.22

An update on cyber operations in Russia’s hybrid war. NPM compromise updates. CISA releases ICS security advisories. Free ransomware decryptors released. Disneyland's Instagram account hijacked.

Transcript

Dave Bittner: An update on cyber operations in the hybrid war. NPM compromise updates. Free decryptors for AstraLocker and Yashma ransomware. Johannes Ullrich from SANS on attacks against perimeter security devices. Our guest is Sonali Shah from Invicti Security with a look at DevSecOps anxiety. And who's the villain who hijacked the Instagram account of Disneyland?

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, July 8, 2022. 

An update on cyber operations in the hybrid war.

Dave Bittner: Operational pause or not, Russia's hybrid war seems to be as far from any quick resolution as ever. Russia's President Putin said yesterday during a meeting with senior leaders of the Duma that he had no intention of backing down from his own maximalist goals and that Ukraine's only option was to accede to all of Russia's demands. And any Ukrainian hope of battlefield victory is a phantasm because Russia has been pulling its punches so far. He said, everyone should know that, by and large, we haven't started anything yet in earnest. 

Dave Bittner: IBM researchers recently discovered that the Trickbot gang has been active against Ukrainian targets since Russia's war began and that it's been acting directly in the Russian interest. So Trickbot and similar gangs have been acting as privateers under state direction. Since Trickbot cut its criminal teeth on financial crime, especially banking Trojans, the financial sector ought to be on particular alert for any spillover from Russian privateering. SC Magazine speaks with various industry experts who advise financial institutions to keep their shields up. 

NPM compromise updates.

Dave Bittner: Researchers at ReversingLabs detailed their discovery of a widespread supply chain attack against the NPM repository earlier this week, publishing an update on Wednesday. Though the exact scope of the attack wasn't initially clear, researchers say the packages are potentially used by thousands of mobile and desktop applications and websites. And in one instance, a malicious package had been downloaded over 17,000 times. 

Dave Bittner: ReversingLabs called the campaign IconBurst. Their conclusion is that IconBurst represents a major software supply chain attack involving more than two dozen NPM modules used by thousands of downstream applications, as indicated by the package download counts. Application developers should be particularly alert to the problem, which appears to represent an organized, cooperative criminal effort. Analysis of the modules reveals evidence of coordination with malicious modules traceable to a small number of NPM publishers and consistent patterns in supporting infrastructure such as exfiltration domains. 

Dave Bittner: ReversingLabs says IconBurst marks a significant escalation in software supply chain attacks. The firm communicated its findings to the NPM security team on July 1 of 2022. Developers, ReversingLabs says, should assess their own exposure to the threat, and the researchers have provided information that should assist them in doing so. 

Dave Bittner: There's been another attack on the NPM supply chain, this one described by researchers at Checkmarx. They say Checkmarx's SCS team detected over 1,200 NPM packages released to the registry by over a thousand different user accounts. This was done using automation, which includes the ability to bypass NPM 2FA challenge. 

Dave Bittner: The operators, whom the researchers call CuteBoi, were using what Checkmarx calls a fake identity-as-a-service provider. They say, looking at the domains with which CuteBoi is creating NPM users, we can deduce that they are using mail.tm, a free service providing disposable email addresses with REST API, enabling programs to open disposable mailboxes and read the received emails sent to them with a simple API call. This way, CuteBoi can easily defeat NPM 2FA challenge when creating a user account. 

Dave Bittner: So far, the operation seems to represent an initial experimental phase of a larger campaign. The researchers say this cluster of packages seems to be a part of an attacker experimenting at this point. The researchers think that CuteBoi is preparing a large-scale cryptojacking campaign using XMRig derivatives. Checkmarx has also released information to help users identify the malicious activity. They also warn that further exploitation of NPM can be expected. They say CuteBoi is the second attack group seen this year using automation to launch large-scale attacks on NPM. We expect we will continue to see more of these attacks as the barrier to launch them is getting lower. 

CISA releases three ICS security advisories.

Dave Bittner: CISA, the U.S. Cybersecurity and Infrastructure Security Agency, released three Industrial Control Systems Advisories yesterday. 

Free decryptors for AstraLocker and Yashma ransomware released.

Dave Bittner: Bravo to Emsisoft. The company has released free decryptors for the AstraLocker and Yashma ransomware strains, BleepingComputer reports. Emsisoft tweeted, the AstraLocker decryptor is for the Babuk-based one using .Astra or .babyk extension, and they released a total of eight keys. The Yashma decryptor is for the Chaos-based one using .AstraLocker or a random extension, and they released a total of three keys. BleepingComputer points out that AstraLocker, itself derived from Babuk Locker, has gained a reputation for being both buggy and effective. 

Dave Bittner: The operators of AstraLocker earlier this week released some decryptors as they announced they were exiting the ransomware business, saying that they had decided to turn to cryptomining. They were probably kidding about getting into coin-mining. Not only did they close their announcement with an LOL, but there's also some reason to think they were feeling the approach of law enforcement. 

Disneyland's Instagram account hijacked.

Dave Bittner: The Wall Street Journal reports that the Instagram account of Disneyland Resort was briefly hijacked yesterday morning by someone who identified himself as David DO and proclaimed himself a super hacker. Mr. DO acted with apparently trivial motives. He had some sort of beef with someone called Jerome, according to the independent fan site the Disney Blog, and he wanted to air that through his hack. 

Dave Bittner: He was also disgruntled about some Disney employees, saying he was here to bring revenge upon Disneyland. Mr. DO posted a selfie and said he was tired of all these Disney employees mocking me. The Journal says the posts were both profane and racist, and it quotes a Disney representative as saying, "we worked quickly to remove the reprehensible content, secure our accounts, and our security teams are conducting an investigation." 

Dave Bittner: We received comments from Arctic Wolf's VP of strategy, Ian McShane, who thinks the incident shows that cybercriminals are often motivated by concerns that are neither monetary nor political. He wrote, many are keen to just inflict reputational damage. High-traffic, high-follower accounts will always be a target for threat actors, both sophisticated and the occasional rogue, low-level amateur. It's not yet known how David DO gained access to the accounts, but McShane noted that compromises of this nature are almost certainly rooted in a phishing or credential stuffing incident. And, of course, the motivation of the attacker needn't be serious or even rational. Just ask Mr. DO, wherever he may be. 

Dave Bittner: If you feel as though you and your colleagues in cybersecurity are stretched thin, being asked to do more with less and facing increased anxiety as a result, you're not alone. In a recent report published by Invicti Security focusing on DevSecOps professionals, they found the high expectations placed on security pros sometimes lead to diminishing returns. Sonali Shah is chief product officer at Invicti Security. 

Sonali Shah: This is a very stressful job, right? So, you know, 39% of data breaches stem from attacks on web applications. So it's no surprise that that is more and more of a focus for enterprises. And it's - you know, often it's on-the-job training for developers. So, you know, some of the key things that we found is, on average, people were spending four hours a day addressing security issues. That's a lot of time. On top of that time, developers also have to release code based on internal timelines, right? 

Sonali Shah: So you can imagine the stress this puts on - it releases - it ends up causing over time. You know, we had 50% of the respondents say they had logged in over weekends or on their own time in the evening to work on security-related issues. One in three blew off, you know, date night or a night out with friends. And in the time of COVID, when it's, I think, hard enough to find dates, like, this is particularly relevant. And then even, you know, once - even after they've spent all the hours remediating issues, there's that anxiety of the next one. So we found 81% of professionals - they're likely to - they're already feeling anxious about the next vulnerability even just after they finished remediating the last one. 

Dave Bittner: Is there a sense for the ways in which this is affecting their ability to put out the quality work that is expected of them? 

Sonali Shah: Absolutely it is. It is. You know, we found often developers are releasing insecure code. And it's not because they want to. It's because there's pressure to release code. It's because maybe they don't have the training to do so. So that is absolutely happening, and we witness it every day when you hear about the breaches. But what's really interesting is that they, in general, are very proud of their work. So 94% of the respondents said that digital transformation and the move to a remote work model in the recent years has made their role more valuable and rewarding. Eighty-eight percent said they're proud to put cybersecurity professional on a dating profile. And, you know, majority of them felt like they're saving their companies over a million dollars a year by the work they're doing to prevent data breaches. So, you know, it's frustrating, it's draining, but they're proud of the work they're doing. 

Dave Bittner: What is the sense of the relationship they have with their companies? In other words, do they feel as though the companies are doing their best to support them, or is there a gap there? 

Sonali Shah: There is a gap, and I see that every day when I'm talking to our customers. I think, you know, the gap is not an acknowledgement, right? So security teams know that development teams are overworked. They know that they often don't have enough people, that often they don't have the skills, right? So if you go to - you know, go to university and study coding, you're - often, you'll go through four years and never take a class on how to securely build code. So there's absolutely agreement and acknowledgement that this is a difficult job to do. And in some cases, companies are able to support their developers, so they feel like it's a journey they're taking together. In other cases, it causes friction. And, you know, you see turnover. It's a relatively strong job market. And so what we've seen is that companies that help their developers and help security professionals to weave security into their daily lives - that really helps retain people and improve job satisfaction. 

Dave Bittner: I see the benefits of having automation help lift some of the workload off of these people. What about the purely human side of it? You know, that you're checking in on folks, making sure that they're - you know, that people are hanging in there and doing the best they can. It seems - it strikes me, particularly as so many of us have moved to remote work, that's as important as ever. 

Sonali Shah: You're absolutely right. It's moving from, you know, just development to sort of DevSecOps practices is as much a technology change as it is a culture change. So the automation, integrating all of your products together, making sure you've got accuracy - that's the technology part. The people part of it is making sure people have the resources, developers and security teams have the resources they need. So, you know, that's part of what I was just talking about, the Security Champions program. So if developers know that they've got somebody, one of their own, often, that they can go to for help, that is - that's hugely beneficial - somebody that is, you know, working on their time zone, speaks their language. You know, it's interesting. 

Sonali Shah: One of the customers I recently spoke to said that they - you know, they launched a Security Champions program earlier this year, and they were surprised at how many developers wanted to be a part of it. And partially, that's because, you know, having the word security anywhere on your resume is a huge plus because developers are - they understand they need to learn about security, and they want to learn about security. So I think having those support mechanisms is hugely helpful. 

Sonali Shah: The other thing, actually, that I've seen very rarely - but I have seen it be very beneficial - is to build security into quarterly business objectives. So instead of just saying, all right, the, you know, quarterly objective for, you know, product engineering is to release this feature on time. If you have in there - it's release it as expected, on time and with no high-severity vulnerabilities - right? - you build it right into there so it just becomes part of the objectives, and then you recognize it. You call it out. So you're rewarding people not just for delivering a new feature but delivering it with high quality, which means it does what it's supposed to do, and it is secure. 

Dave Bittner: That's Sonali Shah from Invicti Security. There's a lot more to this conversation. If you want to hear more, head on over to CyberWire Pro and sign up for Interview Selects, where you'll get access to this and many more extended interviews. 

Dave Bittner: And I'm pleased to be joined once again by Johannes Ullrich. He is the dean of research at the SANS Technology Institute and also the host of the "ISC StormCast" podcast. Johannes, always great to welcome you back to the show. You know, I think as we've made our way through the pandemic and there's been this massive move to folks working off-site, there's this notion that perimeter security is a thing of the past. But you want to make the point today - maybe not so fast. 

Johannes Ullrich: Correct. And particularly devices that were - you were saying to implement those security controls - like load balancers, firewalls, various proxy systems or such that we are using - probably one of the lines that I repeat the most is, well, you know, why is this connected to the internet in the first place? And that usually refers to not just nuclear power plants and elevators and door controls, but also things like admin interfaces for these perimeter security devices. So you spend a lot of money buying a device like this, protecting your users from attacks, but then you're opening up the management interface that's used to control that device to the world. And sadly, that's then being exploited. 

Dave Bittner: And is, I mean, that primarily a matter of convenience for the users to be able to reconfigure things and not have to be, you know, on premises to do so? 

Johannes Ullrich: Yeah, that's often the reason because, you know, if it is your VPN concentrator that you're configuring here, you don't want to have to connect to the VPN first because if you're messing up with your configuration, then you can't connect to the VPN anymore. And then, you know, you have to get pants and drive to the office and all that stuff... 

Dave Bittner: (Laughter) Right. 

Johannes Ullrich: ...To actually get this thing working. And I think that's part of it. Of course, you could still filter by IP address. Another part is, once you deploy them in the cloud, it's really hard to drive to the cloud and restart things. So that's where this sometimes happens. And then also I think the perception that, hey, there's an expensive device that I purchased, the vendor probably took some care here - as they say, don't look behind the curtain. You'll often find a scaffolding of purloined PHP code here in your, you know, tens of thousand-dollar devices that probably hasn't been touched in the last 10 years. And we have seen, like, you know, just the last month F5's BIG-IP uplines again - they sort of have sort of an annual schedule where they come up with a critical unauthenticated remote control - remote code execution vulnerability. Yet again had one - it took two days for a proof of concept to be released. Then, as I sort of put it, took, like, one week from 0-day to Mirai. So in the end, the Mirai bot just took the vulnerability. And, of course, once it's at that point, you can assume every exposed device out there has been probably exploited multiple times. 

Dave Bittner: So what are your recommendations then? 

Johannes Ullrich: Definitely secure those admin interfaces. Security devices are not inherently secure. It's sad, but that's just a matter of fact. So defense in depth - yes, you know, limiting access to the admin interface to a couple of IP addresses, attackers can bypass that, but it'll maybe take them another week to do that. So you have that first week to actually apply patches and then learn how to patch these devices. It's not always easy to patch these devices. Learn how to do it. Do it directly. Don't just do it when there's an emergency out there 'cause the other problem is vendors release patches, like, on a monthly basis or whatever. You may ignore them because they don't really fix any big security issues, and the last time you applied a patch, it caused some problem. But the issue is if you're waiting too long, then the probability of a problem becomes larger and larger. And also usually the impact of that problem becomes larger and larger because now you have not just one problem. You have, like, 12 problems because you have to deal with every single patch's problem. So really updating regularly, learning how to patch, having some procedure around it so you can sort of press that button kind of when an emergency patch comes around to apply the patch - you don't really have to make it a big deal and spend a lot of time on it. 

Dave Bittner: Yeah. All right. Well, good advice, as always. Johannes Ullrich, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's "Research Saturday" and my conversation with Alden Wahlstrom from Mandiant's information operations team. We're discussing their comprehensive overview and analysis of the various information operation activities they've seen while responding to the Russian invasion. That's "Research Saturday." Check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.