The CyberWire Daily Podcast 9.12.22
Ep 1660 | 9.12.22

Albania reports more Iranian cyberattacks. RaidForums has a new successor. A look at threat actor reconnaissance in the contemporary Internet.


Dave Bittner: Albania reports additional cyberattacks from Iran over the weekend. RaidForums has a new successor. A look at threat actor reconnaissance in the contemporary internet. Kinetic strikes hit Ukraine's infrastructure. Rick Howard calculates risk with classic mathematical theorems. Tim Eades from the Cyber Mentor Fund on the dynamic nature of the attack surface. And a look into the cyber phase of the hybrid war.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire Summary for Monday, September 12, 2022.

Albania reports more Iranian cyberattacks

Dave Bittner: Albania reports that it sustained additional cyberattacks from Iran over the weekend, evidently in response to Tirana's severing of relations with Tehran over earlier cyber incidents. In the most recent attacks, CNN reports that the Total Information Management System, used for border control, was taken offline. As the outlines of Iranian attacks against Albania's government networks become clearer, the U.S. Treasury Department announced sanctions against Iran's Ministry of Intelligence and Security and its Minister of Intelligence in response to their involvement in cyberattacks on the NATO country. The Minister of Intelligence is singled out for his role in directing several networks of cyberthreat actors involved in cyber-espionage and ransomware attacks in support of Iran's political goals. Iran condemned the U.S. action, Al Arabiya reports, with the Foreign Ministry saying, America's immediate support for the false accusation of the Albanian government shows that the designer of this scenario is not the latter but the American government. 

Dave Bittner: Microsoft described Iran's campaign against Albania in a report published last Thursday, stating, Microsoft assessed with high confidence that on July 15, 2022, actors sponsored by the Iranian government conducted a destructive cyberattack against the Albanian government, disrupting government websites and public services. At the same time and in addition to the destructive cyberattack, MSTIC assesses that a separate Iranian state-sponsored actor leaked sensitive information that had been exfiltrated months earlier. Various websites and social media outlets were used to leak this information. 

RaidForums' successor.

Dave Bittner: Security firm KELA released a report today describing BreachForums, also known as Breached, a cybercrime forum that's risen in response to the closure and seizure of RaidForums. The site, launched by the threat actor whose hacker name is pompompurin, offers database leaks, login credentials, adult content and hacking tools. Breached launched only a few weeks after RaidForums was closed and has quickly risen to become the new platform for database exchange, with 82,000 registered users, which continues to increase. Besides that, the forum is active with monthly posts and with participation by known actors from RaidForums. KELA states, Breached is not only the successor of RaidForums but in a very short timeframe has become a promising data leak marketplace. The increasing number of users, monthly posts on the forum and the fact that known actors from RaidForums have chosen to join the platform shows pompompurin’s popularity and influence. It also seems that ransomware operators are allowed to post, which expands the possibilities for a wide range of cybercriminals. KELA believes that the forum will continue gaining popularity in the next months and could become bigger and even more sophisticated than RaidForums. 

A look at threat actor reconnaissance in the contemporary Internet.

Dave Bittner: Security firm Censys has published a report on the state of the internet, finding that 88% of internet-connected risks are caused by misconfigurations or accidental exposures. The report states, identification of misconfigurations and exposures can be among the first observations a threat actor makes when performing initial reconnaissance on an organization. Good security hygiene that addresses misconfigurations and exposures may not be as exciting as a zero day, but it's a critical piece of defense in depth for any security program. One of the questions the report asks is, how are organizations responding to vulnerability disclosures? It suggests that there have in general been three kinds of responses. First, near immediate upgrading - systems vulnerable to Log4j, for example, acted quickly based on the widespread coverage of the vulnerability. By March 2022, Censys observed only 36% of potential vulnerable services were left unpatched. Second, upgrading only after the vulnerability is being actively and widely exploited - while the GitLab vulnerability was being exploited, the remediation process acted slower than others until researchers discovered a botnet composed of thousands of compromised GitLab servers participating in DDoS campaigns. And last, near immediate response by taking the vulnerable instance off the internet entirely - rather than upgrading, users chose to remove assets entirely from the internet after Confluence's vulnerability became public between June 2021 and March 2022. 

Attacks on infrastructure (but these are kinetic strikes, not cyberattacks).

Dave Bittner: As Russian forces retreat from the vicinity of Kharkiv, Reuters reports, they have retaliated with attacks against Ukrainian electrical and water utilities in the area. Those attacks were kinetic, conducted by repurposed air defense and anti-shipping missiles as the Russian army runs short on cannon artillery. And they're not the long-feared Russian cyberattacks. Ukrainian authorities denounced the attacks, The New York Times says, as deliberate and cynical. Elsewhere in critical infrastructure, external power having been restored to the Zaporizhzhia nuclear plant, the Ukrainian operators are performing a cold shutdown on the last operating reactor in the complex, according to the AP. That doesn't entirely remove the danger of a nuclear incident, but it does reduce the possible effects of any damage, whether accidental or deliberate. 

Update on the cyber phase of the hybrid war.

Dave Bittner: While cyber operations in Russia's war have been eclipsed by kinetic operations, Ukrainian authorities warn that they expect an increase in the tempo of Russian cyberattacks. The Voice of America quotes Deputy Minister of Digital Transformation Georgii Dubynskyi, who told reporters at the Billington Cybersecurity Summit last Friday, "we saw this scenario before. They are trying to find a way how to undermine, how to defeat our energy system and how to make circumstances even more severe for Ukrainians. We are preparing." An increase in cyber operations may represent a form of escalation intended to compensate for widespread battlefield failure. Dubynskyi said, "we cannot compare it with nuclear weapons, but the effectiveness of that is enough." That is, of course, correct. Cyber weapons aren't to be compared with nuclear weapons in terms of their effects. Ukraine also faces an insider threat, and this threat is a familiar one. Dubynskyi said, "the Russians are developing classical operations using not only cyber, not only software, also using some human resources, using some traitors." 

Dave Bittner: The effects of Russian cyberattacks continue to be felt in NATO countries that have supported Ukraine. ABC News reports that Macedonia is still recovering from a large cyber campaign Russia mounted as a punitive action for that country's pro-Ukrainian sympathies. 

Dave Bittner: A report this morning by CyberCube sees one possible enduring effect of the hybrid war - Russian use of criminal cyber gangs as privateers, coupled with the growing isolation of an increasingly independent Russian internet, may give the gangs a long-term safe harbor from which they operate with even greater impunity than that already afforded to them by Russian toleration. This expectation is already beginning to appear in the calculations insurers are applying to cyber risk. The report states, Russia is using ransomware gangs to undermine the U.S. economy while avoiding direct war with the U.S. European energy companies are being targeted for strategic value. Russian actors are targeting governments outside of Ukraine. This is intended to gather intelligence on Western allies assisting Ukraine's war effort. Ransomware threat actors are today focusing their efforts more on Russia than on other parts of the world. And forward-looking reinsurers are starting to adopt a threat-modeling approach to portfolio risk management. Reinsurers should look across their portfolios for indications that certain companies may be susceptible to different threat actors. 

Dave Bittner: After the break, Rick Howard calculates risk with classic mathematical theorems. Tim Eades from the Cyber Mentor Fund on the dynamic nature of the attack surface. Stay with us. 

Dave Bittner: And it is always my pleasure to welcome back to the show Rick Howard. He is the CyberWire's chief security officer and also our chief analyst. Rick, welcome back. 

Rick Howard: Hey, Dave. 

Dave Bittner: So on our CyberWire Slack channel this week, you were talking about - and by talking about, I mean going on and on... 

Rick Howard: (Laughter). 

Dave Bittner: ...About this math theorem. And I have to admit I'm not particularly a math guy. This is one I had never heard about before. It's called Bayes' theorem. 

Rick Howard: Yeah, that's right. 

Dave Bittner: You seemed to be very excited about it - something that was going to solve all the world's problems. 

Rick Howard: (Laughter). 

Dave Bittner: So fill us in. What's going on here, my friend? 

Rick Howard: Well, maybe not all the world's problems but the one specific pet peeve of mine, maybe, you know? So, you know, Dave, for years, I've been trying to get my head around how to calculate cyber risk for my organization but with enough precision to make some decisions with. And last week on our last show of "CSO Perspectives Pro," we talked about how security professionals like me could use superforecasting techniques from Dr. Tetlock's book of the same name and specifically Fermi estimations, these back-of-the-envelope calculations made by famous Enrico Fermi, one of our greatest physicists. Now... 

Dave Bittner: Yeah. 

Rick Howard: ...We can use those techniques to forecast cyber risk for the business, but it turns out that superforecasting and Fermi estimates are just two legs of the risk forecasting stool. The third leg is this theorem, Thomas Bayes' theorem. And I know you're going to love this. You're going to start rolling your eyes, but... 

Dave Bittner: (Laughter). 

Rick Howard: He published this thing, or it was published after his death in 1763. 

Dave Bittner: So he was a computer guy. 

Rick Howard: Yeah. You know, he was way... 

Dave Bittner: (Laughter). 

Rick Howard: ...Out there on social media. 


Dave Bittner: Right, right. OK. 

Rick Howard: So - but it's essentially the mathematical foundation of why superforecasting and Fermi estimates work. Now, you don't have to know how the - math behind this to use the theory, but you should understand how and why it works. So in this episode for "CSO Perspectives Pro," we talk about Bayes' Theorem and its fight for legitimacy for the past 200 years. And mainly what you should listen to us for is we cap it off with how Alan Turing - I've told you before, Dave, he's my all-time computer science hero. He... 

Dave Bittner: Yeah. 

Rick Howard: ...Used Bayes' Theorem to crack the Enigma codes during World War II. How about that? 

Dave Bittner: Oh, all right. Well, that sounds cool. 

Rick Howard: (Laughter). 

Dave Bittner: So that is on the Pro side. What is going on over at "CSO Perspectives" Public? 

Rick Howard: Yeah. In last week's show, I ran the idea of compliance requirements - in other words, official law - through a cybersecurity first principle lens. In this week's show, I talked to one of the cybersecurity giants in the field and a regular here at the CyberWire Hash Table, Tom Quinn, the CISO for T. Rowe Price. You've talked to him, right, Dave? 

Dave Bittner: Yeah, sure. 

Rick Howard: Yeah. So I asked him to check me on my first principle assertions. And let's just say it was a lively discussion. 


Dave Bittner: All right. Well, before I let you go, what is the phrase of the week over on your "Word Notes" podcast? 

Rick Howard: Yeah, this is a good one. The phrase this week is a relatively new one in the alphabet soup of cybersecurity. It's called Apple Lockdown Mode. And it's a new feature in a near-future release of Apple operating systems and is intended for a small number of users who believe they are more at risk than the general-purpose internet user for being targeted by cyber advisory groups. And examples might include dissidents, company executives, senior government officials and journalists like Jamal Khashoggi, the Washington Post journalist who was allegedly tracked using the NSO group's Pegasus software by unknown parties and assassinated by them on October 2, 2018. So Apple Lockdown Mode is a response by Apple to protect users like Mr. Khashoggi. 

Dave Bittner: All right. Well, we will have to check all of that out. You can find out more about "CSO Perspectives Pro." It is over on our website. Rick Howard, thanks for joining us. 

Dave Bittner: And I'm pleased to be joined once again by Tim Eades. He is the CEO at vArmour and co-founder of the Cyber Mentor Fund. Tim, it's always great to welcome you back. 

Tim Eades: Dave, absolute pleasure. 

Dave Bittner: I want to touch with you today on attack surfaces. And I know some things that you're tracking here in terms of the nature of attack surfaces, how that seems to be fleshing out to be something that's pretty dynamic these days. What can you share with us? 

Tim Eades: Yeah. So let's talk about it. So attack surface management got, and are now going to start to position as, exposure management. So exposure management's kind of divided into two - external attack service management. That's been around for a while. There's great companies like CyCognito in that space. Rob does an amazing job running that company. That's the external attack service management. And then you have the internal attack service management. And the internal attack service is incredibly dynamic now and very, very diverse. I mean, you have customers all the way to one side that have legacy mainframes. And then those communications, those applications - they talk, sometimes, all the ways out to the public cloud, with a container or serverless. You know, so you've got public cloud with - you know, after the digital transformation, that's people going through that still. But you've got the legacy. And it's incredibly complicated. 

Tim Eades: There's a customer I know, a very large European bank, they have AWS. They have Azure. They have Cisco ACI. They have VMware NSX as a platform. They have Tanium. They have Microsoft with Windows Defender. They have mainframes. This thing is very hard to protect. That attack service is incredibly complicated, highly regulated across the world. And yet, you know, it all starts with understanding, you know, discovering it, actually understanding what is actually communicating. Here's an example. Let's say you're a member of a golf club. And now, if all you're doing is, say, like, there's 400 members of a golf club. Yeah, well, that's interesting, but who do you play golf with and how - who do you know in the golf club? 

Tim Eades: So let's give you an example. I'm a member of a golf club. There's 400 members, but I probably only communicate to eight. So, OK, so if you were trying to understand me and my - how to protect me, you need to understand who I have relationships with, who I communicate with - not the whole 400 but the who I am communicating with? And how do I restrict and control the communications - I only communicate to those eight or so people that I do? So if you think of the attack service as very broad, just eight - just that 400, then you have to look at the applications. In this case, in this scenario, in this analogy, it's Tim. Tim talks to eight people. How do I understand that he's only communicating to eight, not the 400, and how does he make sure that he only communicates to the eight, not to the 400? 

Dave Bittner: Well, I mean, to stretch the analogy, perhaps to the breaking point, I mean, how do you deal with the fact that, you know, Bob might be the guy who doesn't replace his divots? And how does word get around about that to let Bob know that's not acceptable? 

Tim Eades: Yeah, exactly. Then you have - it's a great analogy. Yeah, then you have bad behaviors. Then you have attempted communications that fail. Then you have, you know, people sneaking onto the side of the golf course and breaking in and playing golf who are not members. But you do have to understand your service. You - the - if you like the grounds and the members and what they are doing and what they should do, and then controlling at a granular level what you really want to have happen so that the rules are obeyed to. But it's a complicated thing, right? You do have masses of regulations. The attack surface is crazy open. And, you know, as you start to move into these macro-economic headwinds, you know, what happens - our budgets are tight. People are looking at these budgets, and they're like, what can I not do? 

Dave Bittner: Well, the people who are successful - what are they doing? How are they getting a handle on all of this? 

Tim Eades: That's a great question. I think the people that are successful are really looking at how to make more value of the things that they've already bought. If you think about it, over the last, you know, certainly 18 years of security, you've just got an enormous range of security products. But over the last five years in particular, you know, APIs have really come up. You can make more leverage of the APIs from your infrastructure and make more use of the things that you've already bought and get some visibility - get some discovery going on. 

Tim Eades: Mapping it to policy is difficult. You know, it's because it's so fragmented, but you can do it. But the people that are leaders in this world are making more use of the things that they've got by leveraging the APIs or the tools that they've already bought and then building that into things like graph databases so that you can actually see how things are connected. So five years ago, maybe eight years ago, graph databases were only used by, you know, high-end banking and people predicting the weather and things like that. But if you could suck all this knowledge out, viral APAs - APIs and now, you know, graph databases, you know - CrowdStrike does a bunch of this - you know, you actually start to understand what is actually happening. That's a very efficient way of doing it, and it's great to make more use of the stuff that you've already bought. 

Dave Bittner: Is this a bit of a - I don't know - a philosophical shift for some folks to - are we saying that, you know, heading towards simplicity rather than complexity is the direction to go? 

Tim Eades: For sure, head towards simplicity where possible and avoid complexity. Complexity brings, obviously, insecurity. What's interesting is you start to march towards a cloud, right? You know, clouds don't generally create markets. They consolidate them. You know, and if you look at people like Wiz and some of the Oracles of the world as they start to combine cloud native security products and capabilities with your application performance management tools like Datadog and others - yeah, you start to consolidate some of the capabilities. You start to make it more simple, more intuitive to use. But the challenge remains that I've still got this legacy technology - these legacy data centers, and I still have to protect them because the applications on the public cloud will talk towards them, you know, because the applications talk horizontally, not vertically. So what's interesting is, yeah, absolutely do have the simplicity when you can. Suck the knowledge out of the infrastructure that you've already bought. Build maps. Build, you know, dependency and resiliency maps. As you get to more simple, you can combine some capabilities. But know that, you know, it's not going to be a short road to get rid of your data center and your legacy applications. That's for sure. 

Dave Bittner: Yeah, all right. Well, interesting insights, as always. Tim Eades, thanks for joining us. 

Dave Bittner: And that's The CyberWire. For links to all of today's stories, check out our daily briefing at Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security, HAH! I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.