Dispatches from a hybrid war. CISA releases its election cybersecurity toolkit. Post-incident disruption at NHS is expected to last at least three weeks. Cisco discloses a security incident.
Dave Bittner: KillMilk says his crew downed Lockheed Martin's website. Industroyer2 and what became of it. CISA releases its election cybersecurity toolkit. Post-incident disruption at Britain's NHS. Carl Wright from AttackIQ shares strategies for CISOs to successfully prepare for that next attack. Dr. Christopher Pierson from BlackCloak joins us from Black Hat. And Cisco seems to have thwarted a security incident.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, August 11, 2022.
KillMilk says his crew downed Lockheed Martin's website.
Dave Bittner: Killnet's founder, who goes by the hacker name KillMilk, says his group took down Lockheed Martin's website, but the site looked fine to us early this morning. Mr. Milk also says they've obtained personal information on Lockheed Martin employees, which they may dump at some time of their choosing. But so far, there are no signs of such data having been published, according to reports from SiliconANGLE and Flashpoint researchers. Lockheed Martin told Newsweek that it's aware of the threat, but said, "We remain confident in the integrity of our robust, multilayered information systems and data security."
Industroyer2, and what became of it.
Dave Bittner: A presentation ESET researchers delivered at Black Hat yesterday outlined what they saw of Russia's deployment of Industroyer2 against Ukraine during the present war. TechTarget quotes ESET's Robert Lipovsky as saying, our analysis found that threat was bigger than expected. It was a new version of Industroyer - something which we hadn't seen in the last five years. Hard coding in the malware suggested to researchers that it had been prepared well in advance of its use, and thus was no wartime improvisation. Industroyer2 was specifically designed to disable circuit-breaker protections. The upgraded attack could have left about two million Ukrainians without electrical power had it been successfully deployed. But, as it was, the attempt was blocked. Lipovsky said, the attack was thwarted thanks to prompt response by the defenders at the targeted energy company, and the work of CERT-UA and our assistance.
Dave Bittner: His colleague, Anton Cherepanov, told the conference that the attack was coordinated with a wiper attack using CaddyWiper, intended to make recovery and remediation more difficult. Cherepanov also said that, while the threat was real, it shouldn't be exaggerated either. He remarked the threat shouldn't be hyped, but also should not be downplayed or underestimated. These threats are serious, but they can be thwarted by proper security measures. ESET noted that a number of private companies - not just ESET - have rendered valuable assistance to Ukraine during Russia's hybrid war.
CISA releases its election cybersecurity toolkit.
Dave Bittner: The U.S. Cybersecurity and Infrastructure Security Agency yesterday released "Protecting U.S. Elections: A CISA Cybersecurity Toolkit," intended as a one-stop catalog of free services and tools available for state and local election officials to improve the cybersecurity and resilience of their infrastructure. The toolkit was developed in conjunction with private and public organizations working through CISA's Joint Cyber Defense Collaborative. CISA explains that "Protecting U.S. Elections" is designed to enable election officials to assess their risk using an election security risk profile tool developed by CISA and the U.S. Election Assistance Commission; find tools related to protecting voter information, websites, email systems, and networks; and protect assets against phishing, ransomware, and distributed denial-of-service attacks. In the U.S. - we note for international listeners who may be unfamiliar with the American federal system - the conduct of elections is the responsibility of state and local governments, not federal authorities. So CISA properly couches its description of the toolkit as a matter of support - not directive or regulation.
Post-incident disruption at NHS expected to last at least three weeks.
Dave Bittner: Computing reports that staff at Britain's National Health Service have been advised to expect at least three weeks of disruption following last week's cyberattack. NHS financial and patient referral systems were affected, and access to certain electronic records has been impaired. The Independent cites an NHS source who believes remediation could take months. Health Service Journal writes that the incident involved an attack against a third party, the IT firm Advanced, and that the attackers have made unspecified demands. This and other aspects of the attack make it likely that it's a case of extortion. NHS is concerned that some patient data may have been compromised, but the incident remains under investigation.
Cisco discloses a security incident.
Dave Bittner: And finally, Cisco yesterday disclosed that, on May 24 of this year, it detected a hostile attempt against its corporate network. The company's Talos research group summarized some of its findings from its own internal investigation of the incident. They've concluded that a Cisco employee's credentials were compromised after an attacker gained control of a personal Google account to which credentials saved in the victim's browser were being synchronized. The threat actor, which Cisco regards with high confidence as an initial access broker with ties to at least the UNC2447 cybercrime gang, the Lapsus$ threat actor group, and the Yanluowang ransomware operators, used information obtained from that intrusion to run a sophisticated voice phishing campaign in which it impersonated trusted organizations, with a view to persuading victims to accept multifactor authentication push notifications.
Dave Bittner: In this, it enjoyed some success. The attacker ultimately succeeded in achieving an MFA push acceptance, granting them access to the VPN in the context of the targeted user. This led to further exploitation. Cisco says, "Once the attacker had obtained initial access, they enrolled a series of new devices for MFA and authenticated successfully to the Cisco VPN. The attacker then escalated to administrative privileges, allowing them to log in to multiple systems, which alerted our Cisco Security Incident Response Team, who subsequently responded to the incident." The actor in question dropped a variety of tools, including remote access tools like LogMeIn and TeamViewer, offensive security tools such as Cobalt Strike, PowerSploit, Mimikatz, and Impacket, and added their own backdoor accounts and persistence mechanisms.
Dave Bittner: Cisco Talos says the incident was consistent with the early stages of a ransomware attack, but they found no evidence of ransomware having been deployed on any of its systems. Cisco said, "We did not identify any impact to our business as a result of this incident, including no impact to any Cisco products or services, sensitive customer data or sensitive employee information, Cisco intellectual property or supply chain operations." The statement does acknowledge that on August 10, the bad actors published a list of files from this security incident to the dark web.
Dave Bittner: The group responsible for this attack seems to have been Yanluowang. At least, Yanluowang contacted BleepingComputer and offered to show the publication the 2.8 GB of data they claimed to have stolen. BleepingComputer says many of the files they saw were non-disclosure agreements, data dumps, and engineering drawings. The incident seems not to have spooked the market. Seeking Alpha reports that Cisco stock rose in morning trading as investors appear to have shrugged off the disclosure.
Dave Bittner: Carl Wright is chief commercial officer at AttackIQ. I recently spoke with him about the increased pressure many CISOs face as they work to protect their organizations from the next cyberattack.
Carl Wright: Largely, we're kind of doing the same things we did 10 to 15 years ago. We continue to chase compliance and deploy capabilities in order to meet and exceed regulatory remit. At the same time, we're, you know, also trying to do things that are smart, that aren't necessarily compliance-related, but have capabilities that actually, from a cyberdefensive operational perspective, can defend the organization and make sure, from a company or business operation perspective, it can continue to operate. But we have, you know, two large chunks of money that are being allocated to two different things that are not always aligned from my perspective.
Dave Bittner: And in what way do you think that there's a misalignment there?
Carl Wright: Well, I think, you know, if we take a look at the fact that the spend on cybersecurity has continued to increase at that same exponential rate, the attacks that are happening and these breaches that are happening are, you know, not the most sophisticated things in the world. Sure, we see some interesting things from time to time, but largely speaking, the number and severity of breaches is going up regardless of how much we're spending. And so that means we're probably not doing something right or certainly not very efficient. And we're not focusing those resources on areas that can, you know, really impede or interdict, you know, our adversaries, whether they're crime syndicates or nation-states, from achieving their objectives.
Dave Bittner: Are there particular areas that you feel as though, you know, recently, where CISOs are coming up a bit short? Are there any blind spots or, you know, places that need more attention than they're getting?
Carl Wright: You know, it's easy to point the finger at the CISO because obviously they're in charge and, you know, they have to hire and fire and train and equip, you know, teams of people that are below them. But this is a team sport, and it's a big problem. But, you know, if we just kind of single out the CISO for a second, I think what we have to try to figure out is, you know, when we look at the CIO side of the house over the last 20 years, we use words like transformation. We use words like elastic and fluid. And, you know, all these different initiatives that the CIO side of the house takes in order to help, you know, the organization make money or save lives or, in the case of government - Department of Defense - prosecute war. And these technologies are bringing great capabilities to the organizations to do those things that are their business objectives. But at the same time, this rapid adoption of emergent technology has created a large surface area and different challenges for, you know, security organizations to try to defend. And the reason I bring up the word transformation here is because what is it that security operations and security operators - and the CISO is the leader of that - what are they doing that's transformative?
Carl Wright: I mean, we can point to the CIO side of the house and look at a myriad of initiatives over the last 15 years - a lot around automation, as an example - to transform the environment - cloud-first strategies to rapidly move things to the cloud for all the benefits that that provides. But it's hard to point at the security organization and say, you know, what are we doing that's so transformative that's going to futureproof what we're doing today - not just to address the risks that we're seeing yesterday and today, but to address, you know, future risks that we don't even know about over the next five years. And a lot of that, you know, in my personal opinion, is about how we respond to, you know, new, emergent things that are happening? And how do we take care of our people in such a way that they're not always firefighting? Because, you know, we go from one major incident to Log4j, to the next one, to the next one. The operational tempo for these security teams is tough. And I think this is where transformation and innovation can help these organizations and the CISO.
Dave Bittner: I'm curious. You know, in your experience, the organizations who are getting it right - who are being successful here - is there a common thread there?
Carl Wright: Well, there is. It starts with architecture and threat modeling. And not every organization can do that because there is a capability maturity model of capabilities that you have to have to have that discussion. The reality is, you know, in our rush to consume emerging technology, we are just deploying stuff. And, you know, a good example of a classic failure that's really caused a lot of companies just a tremendous amount of pain and suffering over the last few years is something as simple as leaving an S3 bucket exposed or leaving, in Azure terms, a Blob exposed, where an adversary doesn't have to do anything sophisticated in order to steal all your data. And that is an architectural failure. That is just a failure of thinking about things from a systems-based perspective and focusing on configuration management and configuration control. And when you take a look at the breadth of kind of breaches that have been happening over the last couple years, most of these are the result of poor cyber hygiene - poor execution of deploying and owning and operating those things that you've already purchased that could have interdicted the adversary had you focused on making sure they're properly configured.
Dave Bittner: That's Carl Wright from AttackIQ.
Dave Bittner: And it is my pleasure to welcome back to the show Dr. Christopher Pierson. He is the founder and CEO of BlackCloak. Chris, great to have you back on the show.
Christopher Pierson: Dave, always a pleasure.
Dave Bittner: Well, I have to say, I am excited to have you back here today. You are kind of helping us out here, being our person on the street at Black Hat this year. Can we start off with a little just high-level stuff? I mean, for folks who have not enjoyed this conference, how do you describe it?
Christopher Pierson: You know, Black Hat's changed a lot over the years. I mean, this is the 25th anniversary of Black Hat. It's kind of this - this week is the, you know, summer camp for cybersecurity warriors, so to speak. So everybody, you know, coming in off the long, hard summer, grabbing in some personal time before - some professional time before they go off on vacation and school starts and all the rest. But really, it's a coming together. It's a grouping. It's a community. And, you know, it is fully packed. I don't know what the actual audience attendees might be this year, but probably up in the 20,000 area.
Dave Bittner: Wow.
Christopher Pierson: So a fully packed conference - they had 111 countries represented, so this is a global effort at education, coming together, understanding different products and services, listening and really collaborating with one another. But massive throngs of people have arrived at the Mandalay Bay in Las Vegas, and just about, you know, every other hotel here is kind of packed with Black Hat attendees as well. Events spread out all over, and, of course, the huge, sprawling mecca of a conference room floor as well.
Dave Bittner: Well, as you walk around there and take everything in, what sort of things have caught your eye?
Christopher Pierson: So, you know, what's interesting is, when you walk around the floor, there's definitely kind of two areas, so to speak. There's the larger, more established companies where you see, quite honestly, very much some of the same. So I would say that the same booth from RSA - the same types of materials and collateral from RSA - not necessarily any massive advances. Now RSA this year, in all fairness, was in June. So the - where it's usually in February and March. So the amount of time to develop or to do new things might have been smaller than in prior years. But still, it feel - felt like a lot of the same. Now, there were some different changes there on the big company side in terms of some different acquisitions that were announced in that time period or prospectively been announced. So you see how there's definitely some abilities that are being merged in with larger vendors, larger power plays out there.
Christopher Pierson: The second area that was really interesting this year is the innovation city that they have. I don't know exactly how many booths they have, but it's row upon row upon row. In that area, you see a lot of interesting, well-positioned companies tackling some interesting problems in some different areas. Sometimes it might be, you know, some different looks on automation or on SOAR or on education, but you see some definite advances there. And what I will tell you is that area and those columns and those rows are jam-packed. People are seeking out innovation city, seeking out those areas and actually really having some meaningful conversations with the different vendors there.
Dave Bittner: Now, that's where you and your BlackCloak colleagues have been set up there. How has the traffic been? Has there been, you know, a positive experience for you all so far?
Christopher Pierson: Oh, it's been phenomenal. It's been fantastic. No. 1, seeing old friends, seeing old teams, having people come - there are a lot of people that didn't join everyone at RSA this year, and so it's the first time that we've seen a lot of good friends, a lot of CISOs, a lot of clients. But yeah, you know, the BlackCloak booth has been absolutely popping. A lot of people there. A lot of people digging in for a second time or a third time. So really, really great stuff. And just a great community. Quite honestly, a great community of booths around us. Some really great friends next to us from many years past. So, you know, I know that the - I know that our team's having a lot of good fun there as well.
Dave Bittner: How about off of the show floor? You know, those meetings, those dinners, all of that community stuff. That's happened as well, huh?
Christopher Pierson: It is. It is. I think probably one of the biggest takeaways is community here. People are clamoring to see, to chat, to sync with one another in person. The need for that is so incredibly high. And that is the same as it relates to the VC community, the investing community, the cybersecurity community, the vendors, as well as the users, the actual security operations teams, the CISOs and their teams. We even have a good number of CSOs, chief security officers, that are kind of blending that digital and physical together there.
Christopher Pierson: So I think that that sense of community is really, really high here at Black Hat. And whereas I think there was a little more trepidation during the June period of time, people are full-fledged here, probably a big surge a week or two beforehand. And the halls are packed, the restaurants are packed, the parties are packed. And so it's a lot of fun with everyone.
Dave Bittner: So it seems as though, I mean, despite the warnings of a potential economic downturn on the horizon, spirits are high.
Christopher Pierson: I think spirits are absolutely high. I think that they're high because of a few different things. First, the fact that, you know, this is a problem in cybersecurity and protecting data and privacy and trusted information. This is a problem that everyone is 100% locked into. And so they're excited about it. They're excited about solving it. I think there are some - right? - some - little bit of trepidation about recession. A little trepidation of some of those different cutbacks that we've seen in different areas. But when you take a look at the big problem that is out there, companies are not going to be able to cut back on these areas.
Christopher Pierson: They are all cybersecurity companies. The ones and zeros that are running each and every company that you can think of, it's just there. It's there to stay. The threats are increasing. The geopolitical threats are increasing. And even, I mean, big theme this year, a lot of different talks on information, disinformation, misinformation - all of those things are things that this group of people are grappling with. So a lot of positivity in terms of let's get in, let's get together, let's get ahead and solve this.
Dave Bittner: All right. Dr. Christopher Pierson is the founder and CEO of BlackCloak. Chris, thanks so much for joining us.
Christopher Pierson: Thanks, Dave.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.