Hacktivism in a hybrid war. Pyongyang's [un]H0lyGh0st. Notes on the C2C market. Rewards for Justice seeks some righteous snitches.
Tre Hester: Anonymous's hacktivism in a hybrid war. Pyongyang's [un]H0lyGh0st. Phishing in the IPFS. Update on the initial access criminal-to-criminal market and its effects on MSPs. Cybergangs move away from malicious macros. Thomas Etheridge from CrowdStrike on managed detection and response. Rick Howard sits down with Art Poghosyan of Britive to discuss DevSecOps and identity management. And Rewards for Justice seeks some righteous snitches.
Tre Hester: From the CyberWire studio at DataTribe, I'm Tre Hester with your CyberWire summary for Friday, July 29, 2022.
Hacktivism and the conduct of war.
Tre Hester: Hacktivists working their mischief against Russian networks have become, the Express reports, an embarrassment to Russia's President Putin, who, like other proud spirits, cannot endure to be mocked. Website Planet has published a long history of Anonymous's engagement against Russia in Moscow's war against Ukraine. The report stresses a few points to bear in mind while assessing hacktivist contributions to any war. There are difficulties of control and management with respect to any hacktivist activity, and Anonymous is particularly difficult to direct. Tweets of official declarations of war against Russia, for example, don't really lend themselves to any interpretation other than an expression of outrage.
Tre Hester: Where there are no officials, it's difficult to see how any declaration of anything could be official. This point isn't idle. One of the foundational principles of international norms of armed conflict is that war should be entered into only by legitimate authority, and that fighting units operate under the effective command of some responsible leadership. While some hacktivist groups seem to operate under state control, and indeed some, like Russia's Killnet, seem little more than front groups for an intelligence service, whereas others, like the now possibly retired Conti, acted as privateers, in conformity at least, with broad state guidelines. It would seem that Anonymous has met neither of these norms. Anonymous has evolved its tactics and techniques. Website Planet lists some of the recent developments. Some of them designed to influence, others to disrupt, and still others to intimidate. The essayist is no apologist for Russia's war of aggression, but he's no fan of hacktivism, either. He cautions prospective hacktivists to look before they leap, especially since that leap may well be into legal trouble just about anywhere in the world.
Update: Pyongyang's [un]H0lyGh0st.
Tre Hester: Digital Shadows has released a report that offers more information on the North Korean ransomware group H0lyGh0st, earlier described by Microsoft on July 14. H0lyGh0st targets small- and medium-sized businesses for financial gain in ransomware attacks and is known to use double extortion, which researchers define as, quote, "combining an encryption of data and services with deliberate data exfiltration," end quote. The group also operates a data leak site for victim's data.
Tre Hester: Operating out of North Korea has its challenges for the group, however. The group will probably have to pay a percentage of their profits to the government. It will, doubtless, find it difficult to communicate and will have difficulty learning new techniques and recruiting new talent. H0lyGh0st is also known to charge a lower ransom than most gangs, asking for ransoms of 1.2 to 5 bitcoin, with the willingness to lower ransoms in negotiations.
Tre Hester: Researchers believe that H0lyGh0st is a North Korea state-linked group, despite privateers and pure criminals being significantly more unlikely in a place where state intelligence does its stealing directly. We asked Digital Shadows about this, and Ivan Righi, senior threat intelligence analyst at Digital Shadows, offered a candid answer. Quote, "the exact relationship between H0lyGh0st and North Korea is also unclear. However, it is highly likely that H0lyGh0st is at least a state-encouraged threat group, meaning that they could be backed or supported by the North Korean government in one way or another. In addition, it is likely that the group has to share its profits with the North Korean government, as it is difficult to believe that the group would be able to operate without any type of supervision or limitations," end quote.
Phishing in the IPFS.
Tre Hester: Trustwave SpiderLabs has released a report detailing phishing attacks that use the InterPlanetary File System. The IPFS is a distributed peer-to-peer file-sharing system used to access and store files, websites, applications and data. IPFS can also locate a file using its content address and not its location. To access content, you need a gateway hostname and a content identifier of the file. IPFS looks to create a decentralized web that looks through a P2P network, where shared files are distributed to other machines acting as nodes, making the content accessible whenever it is needed.
Tre Hester: Phishing attacks that target IPFS configurations are difficult to get rid of once they're in the network, because even if malicious content is removed from one node, it may remain available on another. Researchers note that it's also difficult to detect malicious traffic in a P2P network, making IPFS an ideal platform for phishers. Multiple phishing websites have been observed, impersonating such things as blockchain services and Google services, as well as emails using an abused web-hosting site and mimicking a billing receipt.
Update on the initial access criminal-to-criminal market and its effect on MSPs.
Tre Hester: Huntress reports that following their discovery of a beeper thread communicating a cybercriminal's, quote, "help wanted" ad, they've discovered a tweet by @Intel_by_KELA sharing metrics for a United Kingdom company they're offering up as a potential victim. The tweet highlights the fact the prospective victim has ransomware insurance. Huntress says this tweet, along with earlier related announcements, demonstrates a trend of specialization by initial access brokers. An IAB is a threat actor looking to gain and then sell initial access to organizations. The IABs are pure-play C2C operations. Being an IAB means you have specific skill sets needed to infiltrate and gain access to organizations, and you have the benefit of payment being handled, you hope, out of law enforcement's view. KELA is an IAB that specializes in trading managed service provider access, which makes them a particularly worrisome threat, as a compromised MSP can lead to compromise of the MSP's customers.
Malicious macros may no longer be the royal road to compromise.
Tre Hester: Microsoft's recent announcement about disabling macros by default seems to have already had an effect on criminal behavior. Proofpoint reports that it's seeing a gangland shift away from the attacks based on macros and toward other vectors. Quote, "threat actors are increasingly using container files, such as ISO and RAR, and Windows Shortcut files in campaigns to distribute malware. Proofpoint has observed the use of VBA and XL4 macros decrease approximately 66% from October 2021 through June 2022 based on campaigned data," end quote.
Rewards for Justice seeks some righteous snitches.
Tre Hester: And finally, do you have any dirt you'd care to dish on a rogue oligarch? Well, you'll be nicely compensated. The U.S. has been looking toward the security of the upcoming midterm elections and is obviously interested in keeping Russian influence operators out of the mix. The State Department's Rewards for Justice program tweeted an offer yesterday. Do you work for Yevgeniy Prigozhin and/or Internet Research Agency? Want to earn up to $10 million? Let's chat. Drop us a line on the dark web. Mr. Prigozhin, a Russian oligarch close to President Putin - he ran a catering business favored by the Kremlin, hence his nickname, Putin's chef - is known not only for his connection to the Internet Research Agency troll farm and disinformation shop, but also the proprietor of the Wagner Group, the private military cooperation that supplies Moscow with deniable mercenaries under contract. He's come a long way from laying out the blini in the buffet line. You never know where your career is going to take you, do you?
Tre Hester: Our own Rick Howard sat down with Art Poghosyan of Britive to discuss DevSecOps and identity management.
Rick Howard: I'm joined by Art Poghosyan, the CEO of Britive. Welcome back to the CyberWire, Art.
Art Poghosyan: Glad to be back, Rick.
Rick Howard: A relatively new phrase in the cybersecurity lexicon is something called cloud security posture management, or CSPM. Can you take a swing at describing what that means to our listeners?
Art Poghosyan: Cloud space is real narrow. It's a new and emerging technology space. And now the cloud security posture management-type solutions are there to help security teams to identify potential vulnerabilities, security loopholes, so to speak, that would expose that environment to external attackers and bad actors and so on. So it really helps us put some hygiene around the cloud security environment.
Rick Howard: So these are scanners - like, you know, in the old days we used to have scanners that checked for open ports, you know, around the firewall, those kinds of things. This is the same idea but applied to multi-cloud environments?
Art Poghosyan: Very similar to, as you mentioned, the vulnerability scanners for network, for hosts and so on. The equivalent of servers and so on may not exist in the cloud because cloud technologies offer as a service, so to speak, right? So we still need to scan the landscape and understand what's visible from outside.
Rick Howard: So we're all trying to reduce the attack surface of our data islands. We have data centers. We have mobile devices. We have multiple cloud deployments. And a key and essential tactic in that effort is identity and access management, or IAM. But there's an entire galaxy of terms and phrases associated with that idea. We have identity governance and administration, IGA, which sounds to me a lot like IAM. And then we have privileged identity management, PIM, and privileged access management, PAM. Can you help us distinguish between those terms? Let's start with IGA and IAM. Are those the same thing? Are they - is there subtle differences between the two?
Art Poghosyan: Yeah, Rick, this has been one of the things that I always like - I always find interesting how we get really creative with acronyms. And...
Rick Howard: Just to let you know, we let the marketing people go wild, and we need to rein them in, I guess.
Art Poghosyan: True. Yeah, yeah, yeah. The IGA category, identity governance administration, at least from my perspective, does include the identity management. The governance piece introduces the process of regularly reviewing access and certifying because many organizations are subject to regulatory and compliance requirements. Privileged access management is also more about that subset of identities that require a much higher level of security controls.
Rick Howard: Yeah. So when you throw governance into the identity governance and administration phrase, that implies that someone's reviewing the policy. And you mentioned before, there's various types of identities out there. There's the people, and those can be employees, contractors, partners, you know, whoever else you want to get into your material information workloads. But there's also devices like mobile devices, like laptops and phones, and like you said, workload identity. I guess more than just applications running, there are, you know, workloads doing a specific thing. So we need to have a policy for all those things. Is that what we're talking about here?
Art Poghosyan: Policy in the context of security controls, there's multiple ways security controls can be enforced. Policy happens to be one of the ways to enforce controls at a much more scalable and more efficient way. If the specific identity or access management technology allows that policy-based control enforcement and the ongoing reviews and ability to compare what I have versus what policy I want to have - kind of, again, goes back to that posture management and identification of the gaps - it helps understand what my real world looks like versus what my policy tells me I need to have.
Rick Howard: And so, of course, what we're trying to follow is some sort of zero trust strategy. We want to make sure that all these accounts, these employees, these contractors, these devices and now workloads, they have the minimum privileges that they need to do their job and keep it that way. But every once in a while, somebody needs to be privileged to do something important, change some configuration setting. And that's what privileged identity management is or privileged access management is, to what is the process we're going to elevate Rick's account privileges so he can make some change in the configuration. Is that what we're talking about?
Art Poghosyan: It's true. It's very common in the non-cloud or on-premise world, Rick. At least from my experience, this is kind of the standard scenario for privilege elevation. And the concept of least privilege enforces the smallest possible scope without really preventing the admin to do their job. That's the concept of least privileged. Now, when you bring it to the cloud world, here's what we're seeing that's a lot more of a popular and more of a common trend. It's - especially when you step into the agile development in the DevOps world. A lot of the users - actually, almost everything they do on a daily basis could be qualified as a privileged activity - like, for example, spinning up AWS resources, storage resources, computer resources, allotments for one on a daily basis. And it's like normal work for them. When you step into that world that, you know, occasionally having to step up your access level to privilege no longer holds true. It's like your normal level of privilege. That's why privileges in the cloud and privileged activity and access in the cloud is kind of a whole different beast from the security standpoint.
Rick Howard: Well, that's all good stuff Art, but we're going to have to leave it there. That's Art Poghosyan, CEO of Britive. Thanks for coming on the show.
Art Poghosyan: Thank you, Rick.
Dave Bittner: There's a lot more to this conversation. If you want to hear more, head on over to CyberWire Pro and sign up for Interviews Selects, where you'll get access to this and many more extended interviews.
Dave Bittner: And joining me once again is Thomas Etheridge. He's senior vice president of services at CrowdStrike. Thomas, always great to welcome you back to the show. I want to touch base with you today on MDR. That's managed detection and response. What can you share with us today?
Thomas Etheridge: Thanks, Dave. It's great to be back. Managed detection and response, MDR, is a term that's been around for a couple of years now. The way CrowdStrike looks at that, it's really about focusing on outcomes. Organizations need and in some cases require the ability to be able to get visibility across all their endpoint estate, identify, see incidents in real time when they're happening and be able to remediate those incidents quickly enough so that a small incident doesn't become a big breach. And that is what MDR's designed to focus in on. It's managing your endpoints, detecting and responding to incidents when they occur and then remediating those incidents so that a small incident doesn't become a big one.
Dave Bittner: You know, particularly for those small- and medium-sized businesses, is this something that's approachable for them? Can they achieve something with this?
Thomas Etheridge: The answer is absolutely. MDR really is designed in many cases to help supplement and offset the gaps that many smaller organizations are struggling with in terms of staffing and skills to be able to respond quickly enough and detect and remediate incidents fast enough so that they don't become a big problem. And MDR capabilities, if brought to the market properly, that are focused on outcomes and delivering results to organizations, those things can help in a big way fill some of those skill and resourcing gaps.
Dave Bittner: Can you help me understand, you know, what exactly MDR does do, but then also, you know, some of the things that it doesn't do?
Thomas Etheridge: So MDR, from a CrowdStrike perspective, really is focused around providing for deployment, wide scale of leading EDR capability that provides for rich visibility across all the endpoints in an environment, a team of folks that operate 24/7/365 to threat-hunt on that environment, identify any incidents of hands-on keyboard activity as well as any malicious code or nuisance code that's operating in the environment that may have been deployed there through a phishing click, as an example, and be able to remediate those incidents and those small inconsistencies in an environment faster than a threat actor can take advantage of them to carry out their trade, move laterally and potentially deploy ransomware. So it's really about delivering end-to-end security monitoring, deployment and management and remediation capability. What it's typically not designed to do is to do what typical managed service providers might offer in terms of systems remediation, where you're doing a full-disk reimaging - you know, redeploying infrastructure - really what most MDR service providers, including Falcon, CrowdStrike's MDR, is around doing surgical remediation. So we keep business up and running, operational, with the least amount of disruption as possible. That's done through the tooling and the technology and the excellent skills of the people that sit in the MDR.
Dave Bittner: What about some of the other expenses that a business faces? You know, we're looking at growing costs for things like cyber insurance. Does MDR help ease some of the pressure there?
Thomas Etheridge: It absolutely does, Dave. We've seen a huge adoption rate and great feedback from insurance carriers with the adoption of MDR for organizations. They've been bitten from this outbreak in prolific ransomware across the globe, and they're also savvy to the fact that threat actors are moving with a lot of ease through the use of stolen credentials as well as through stealthy tactics to remain persistent in an organization's environment. MDR capabilities allow for organizations to move faster and to deliver the kind of remediation capabilities that prevent threats from escalating quickly in an environment, and those are the things that, from an insurance perspective, lower that risk.
Dave Bittner: What are your recommendations for an organization that's shopping around for this - that feels as though this is something they want to engage with? What sort of questions should they be asking to make sure they get the best fit for them?
Thomas Etheridge: Well, as I said, I'm a huge fan of outcomes, so I would really be focusing in on questions that discern whether or not your MDR provider is staffing 24/7, 365 days a year; if they're providing threat-hunting capabilities with that MDR - human-based threat-hunting capabilities with a team of folks that know how to discern between legitimate user activity and threat actor activity; and if the remediation capabilities go beyond simply opening up a service ticket or sending an alert to another team that's required to follow up and do the remediation. If your MDR is actually, in a hands-on way, delivering surgical remediation capabilities that are not disruptive to the business and solving that security gap, that is a key element of a successful - and impact MDR capability.
Dave Bittner: All right. Well, Thomas Etheridge, thanks for joining us.
Tre Hester: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Tre Hester: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Tre Hester, filling in for Dave Bittner. Thanks for listening. We'll see you back here next week.