The CyberWire Daily Podcast 9.13.22
Ep 1661 | 9.13.22

Apple patches. Reviewing the cyber phase of a hybrid war. ShadowPad’s return. Phishing from the Static Expressway. Medical device threats. Security trends. Charming Kitten’s social engineering.


Dave Bittner: Apple patches its software. Reviewing the cyber phase of a hybrid war. The return of the ShadowPad alumni. Phishing from the Static Expressway. The state of cloud security. Overconfidence comes at a cost. Ann Johnson of "Afternoon Cyber Tea" speaks with Dr. Josephine Wolff from The Fletcher School about cyber insurance. My conversation with FBI special agents Tom Sobocinski and Tom Breeden. And Charming Kitten and groupthink in social engineering.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire Summary for Tuesday, September 13, 2022.

Apple patches its software.

Dave Bittner: We begin with a quick note about some patches from Apple. Late yesterday, Cupertino released eight patches affecting iOS, MacOS, tvOS, and watchOS. The iOS 15.7 update, or the alternative upgrade to iOS 16, would be particularly important since they address a zero-day flaw, CVE-2022-32917. 

Reviewing the cyber phase of a hybrid war.

Dave Bittner: Six months into Russia's war against Ukraine, CyberCube has reviewed Russian cyber operations. While their effect has fallen far short of prewar fears, those fears based largely on memory of Russian cyberattacks against Ukraine's power grid in 2015 and 2016, some trends have emerged that are likely to continue through the end of the war and beyond. The close relationship between Russian intelligence services and the criminal gangs they use effectively as privateers has come into sharper relief. The advantage of using such gangs is not only the capacity the criminals contribute but also the degree of deniability they bring with them. They've been deployed against economic targets, but the selection of those targets is designed to stay below a level that might provoke massive, perhaps even kinetic retaliation. CyberCube writes, Russian ransomware gangs are focusing on large targets that fall just under the critical infrastructure threshold. The intention is to work economic damage as a way of retaliating against, and perhaps dissuading, governments that have provided Ukraine with material and diplomatic support. CyberCube states, Russia is using criminal ransomware gangs to undermine the U.S. economy while also avoiding direct war with the U.S. European energy companies are also increasingly being targeted for their strategic value. Russia is targeting governments in Europe that are assisting in Ukraine's defense. 

Dave Bittner: Among the more striking Russian successes in what has generally been an underwhelming performance in cyberspace were early campaigns that deployed wipers against targets in Ukraine and adjacent areas of Eastern Europe. CyberCube states, there has been a dramatic rise in the normalization of wiper malware being used as a weapon in this war. Russia has advanced its long-term project of internet isolation. This has been in part by design, driven by a perceived Russian need to control information domestically and in part by necessity as Western technology firms withdrew from the Russian market. In any case, an isolated Russian sovereign internet is thought likely to provide a more secure safe haven for the criminal gangs Russia tolerates and uses - whether it will provide as convenient a line of departure for criminal operations. While Russian cyber operations have not had the devastating effects widely predicted during the run up to the war, they've nonetheless affected the calculations of the insurance market. CyberCube observes, in response to this pattern of increased cyberactivity, insurers and brokers need to take proactive measures to manage their exposures. Lloyd's recently introduced a requirement that all standalone cyberattack policies must exclude liability for losses arising from state-backed attacks. 

Dave Bittner: The clarity the war clauses will introduce may prove beneficial to the insurance market. CyberCube believes this mandate will help reduce uncertainty and enable more insurers to participate with confidence, based on a clearer understanding of what is covered and what is excluded. 

The return of the (ShadowPad) alumni.

Dave Bittner: The Symantec Threat Hunter Team has released a report detailing new espionage activity targeting governments and public entities. Attackers formerly connected with ShadowPad, a remote access Trojan, have been leveraging legitimate software packages in order to load their malware payloads, known as DLL side-loading. The attacks have been seen since 2021, with the intent for the threat actors to gather intelligence. There's no attribution yet, but the target's selection is suggestive. The current campaign appears to be almost exclusively focused on government or public entities, including head of government and the prime minister's office, government institutions linked to finance, government-owned aerospace and defense companies, state-owned telecom companies, state-owned IT organizations and state-owned media companies. The targets are Asian states. While Symantec is reticent about attribution, the Record points out that the tactics, techniques and procedures have a great deal in common with those used by Chinese intelligence services in earlier campaigns. 

Phishing from the Static Expressway.

Dave Bittner: Avanan researchers report today that they have discovered hackers exploiting the Facebook Ads manager for credential harvesting campaigns. The attackers have been seen sending phishing emails, posing as Facebook and threatening to disable a victim's account for being reported or violating their terms of use and providing what appears to be a Facebook link through which the victim can appeal to rectify the situation. The link is actually a lead generation form from the hackers Facebook Ads manager, which is used to steal credit card numbers and other information. Avanan explains that this method is effective because of what they call the static expressway - hackers using legitimate sites appearing on static allow lists to bypass filtering and make themselves more likely to reach the end target. 

FBI warns of threats to medical devices.

Dave Bittner: The FBI has issued an advisory that warns of a growing risk to medical devices posed by a combination of unpatched software and increasing threat actor attention. The bureau states, in addition to outdated software, many medical devices also exhibit the following additional vulnerabilities - devices used with the manufacturer's default configuration are often easily exploitable by cyberthreat actors, devices with customized software require special upgrading and patching procedures, delaying the implementation of vulnerability patching, devices not initially designed with security in mind due to a presumption of not being exposed to security threats. 

The state of cloud security. 

Dave Bittner: There are two reports out today on significant security trends. First, Snyk released its State of Cloud Security report, detailing risks and challenges that have arisen with the adoption of the cloud. Eighty percent of respondents say they suffered a cloud security incident. Startups and the public sector have been most affected at 89 and 88%, respectively. Forty-one percent of respondents say that cloud-native services make security more complicated, but 49% see deployment as faster with improved cloud security. 

Overconfidence comes at a cost.

Dave Bittner: Second, Kroll has released their 2022 edition of the report "Cyber Risk and CFOs: Over-Confidence is Costly." Reportedly, 87% of CFOs are confident in the cybersecurity capabilities of their company, but 4 out of 10 have never had briefings from information security leadership before. In contrast, 66% of CISOs believe that their company was vulnerable to an attack, with 82% of CISOs saying that the organizations in their industry were vulnerable. Seventy-one percent of CFOs saw more than $5 million in financial losses from a cybersecurity attack that occurred in the past 18 months, with 82% reporting a loss in valuation of 5% or more in that same time period. 

Charming Kitten and group-think in social engineering.

Dave Bittner: And finally, Proofpoint researchers today described a phishing campaign operated by the Iranian Threat Group TA453, also known as Charming Kitten, PHOSPHORUS or APT42. Associated with Iran's Islamic Revolutionary Guard Corps, the threat group is using a range of impersonated persona, including the policy think tanks Chatham House, the Pew Research Center and the Foreign Policy Research Institute, as well as the scientific journal Nature, to lend credibility to its phishing attacks. It's not simple spoofing, however. TA453 includes more than one persona in the phishing email thread. Proofpoint calls it multi-persona impersonation, and the use of more than one seemingly plausible persona may lend credibility to the approach. After all, if both Nature and Pew are on it, it's got to be legitimate, right? You're pretty sure you've heard of them. The approach can be expensive for the attacker in terms of resources expended. They have to burn spoofed accounts more rapidly. But apparently, they judge it worthwhile. Targets of the campaign have been persons and organizations involved with nuclear security, especially in the Middle East. 

Dave Bittner: Coming up after the break, Ann Johnson from "Afternoon Cyber Tea" speaks with Dr. Josephine Wolff from The Fletcher School about cyber insurance. And my conversation with FBI special agents Tom Sobocinski and Tom Breeden. Stay with us. 

Dave Bittner: The U.S. FBI is actively engaged in outreach with businesses of all sizes across the nation, bringing their resources and expertise to bear to help defend against cyberthreats. I recently met Thomas J. Sobocinski, special agent in charge of the FBI Baltimore Field Office, and Supervisor Special Agent Tom Breeden, who heads up cyber operations at the Baltimore Field Office. Special Agent in Charge Sobocinski speaks first. 

Tom Sobocinski: The FBI - obviously, we have been around for over 100 years now and have a really robust background in investigations and collaboration, both with our federal law enforcement partners and state partners, but also with corporations. So using those skills, we were and are continuing to leverage that now in the cyber realm. And I think that it is obviously growing and will continue to grow. And things like this podcast allow us to have that conversation with a wider audience. 

Dave Bittner: Tom Breeden, in terms of the actual cyber part of the mission, that specialty, where do you plug in to that? 

Tom Breeden: From the cyber point of view, you know, I think there is sometimes a hesitation - you think only the FBI as violent crime or counterterrorism. But we really believe strongly that we have a huge role to play with any organization's cybersecurity program. And particularly from everything from providing a threat picture of actors, but also, if there's been some activity on the network, that aberration, that strange activity on the network - we believe that we can help any organization provide context to that threat activity and in essence beef up their cybersecurity program in general. 

Dave Bittner: Well, help me understand, then, how does that relationship work? If I'm a business, is this a matter of reaching out and introducing myself to my local field office? What's the ideal situation as far as you all are concerned? 

Tom Breeden: There are 56 FBI field offices across the U.S., and there are FBI personnel and U.S. embassies across the U.S. And that's really what we think our strength is, is our ground game, so to speak. Where in the U.S. - I mean, we have cyberspecialists at every field office. And that's in - I mean, everywhere from New York to Maryland to Florida - name it, right? - California, we have agents there that are cyberspecialists. If you can - if a business can develop that relationship before an incident happens, it's only going to strengthen their security posture because when that incident happens, they'll know someone to call, and it won't be like, let me introduce myself. Sometimes there's several layers of legal counsels and cybersecurity teams and firms and in between, and that information can go smoothly when those relationships are already established. 

Tom Breeden: SAC Sobocinski mentioned about how far we've come. I remember when I started work in cyber, we would do what we called victim notifications. And a lot of your listeners have - some of your listeners have had an FBI agent knock on their door or send an email or, hey, I want to talk to you about a threat in your network. And there were times where we responded with very little information, and there were times when we would - unfortunately back, you know, a decade or so ago, we would say, something in your network, we can't really tell you what it is, but can you look and see if you see anything strange? Those are tough times. Those were hard interactions, and - but we really - I think we've learned a lot since then. And one of the feedbacks that we would receive - I remember from some CISOs - will say, I love that you came to my door. You're trying to help. I need context of this threat information. And that's what - when you're working with the FBI, when you're collaborating with us, that's - we're going to work as hard as we can to - so your company can be as strong as it could be. 

Tom Sobocinski: Yeah, I just want to add to that. I mean, I think to - going back to the question - which is when do you want to be reaching out to us? - is it is absolutely before the event. And so we want to have a relationship with you. We want to be providing some of your listeners the information that they need to protect themselves, not to just deal with something negative once it happens. And so it's really important to have that relationship. Now, obviously, we can't do that for everyone at the same level. So there are certain industries that are really important to us - obviously clear defense contractors for obvious reasons, but then also other critical infrastructure entities are really important. And then there's a third piece that is also important, which is industries that are developing that may be vulnerable to other foreign actors. And that's a piece that is - you know, changes minute by minute. 

Tom Sobocinski: And so, you know, clear defense contractor - obviously, that's classified information. They're storing in a certain way they know to protect this. But there are also industries that are creating new and really exciting products, software, things in certain industries that could ultimately be used in a classified environment. They just don't know it yet. And so it's important for us to have the relationships with them so that they know in advance how they can protect this information. I mean, it's pretty clear that this is a growing problem, number one, and it's an expensive problem. It's an expensive problem if you are a victim, but it's also an expensive problem to keep yourself from becoming a victim. And there are ways that we, the FBI, can help you do that. That is now part of our mission. It's what I have Tom and his team doing on a daily basis, not just the reaction to that problem. 

Dave Bittner: What about - you know, I'm thinking about that CISO who wants to have the proactive relationship with you all, needs to make that case with the various powers that be within the organization, you know, particularly legal. You know, you go anywhere on the internet, and they say, don't talk to the police. Well, you guys are the police, you know? And so how do you assure people that while you're helping out, you know, you're not going to be rifling through a filing cabinet? - you know, the people's worst nightmares about opening up a can of worms. 

Tom Breeden: Yeah. So I would say give us a chance for a dialogue first off. And we can come in as a one-way street, you receiving all the information. That's no problem at the beginning. And if you like what you see, then maybe there's something there that you're missing in your picture, and you think, I'd like to learn more about that. And so it starts with trust, Dave. I mean, we're under no illusions. This badge - it means a lot of things to to a lot of different organizations and different people. So we understand that there is certain viewpoints in that. But my response to that would say, give us a chance to have a discussion. And I believe that what you'll find - the strengths we bring to bear is not something you're going to get from even a cybersecurity company, I would argue, because the bureau will have some of that. But it'll have elements - we'll bring something to the table that, really, no other organization in the in the world can really bring. So I would say try and find out - I guess would be my response. Yeah. 

Tom Sobocinski: I would also add - I mean, let's use a very basic analogy - but a bank robbery. So if a bank robbery happens, the FBI is going to come. You're going to want the FBI to come. And we're going to investigate the robbery. We're not going to investigate your bank - your records. We're not going to go through other areas of your business that aren't affected by that robbery. And so I think for companies to recognize that we have a really focused mission and that if you are that victim, we are here to help you. And I think the one thing that I would say is the sooner you do that and you get through the layers of legal and other issues within your company when you are a victim, the more we're going to be able to do for you. There are still things that we - I mean, obviously, we can't go into the details of, but there are absolutely techniques and things that the FBI can bring to your company to potentially reduce the vulnerability that you face, whether it's financial or with intellectual property. 

Dave Bittner: For that CISO who wants to start that relationship, what's your advice? What's the best way to get started? 

Tom Breeden: Yeah, call your local FBI office. If you're in Maryland or Delaware, it's call the local office here. We're here. And we will get you connected to a cybersecurity investigator. And the same throughout the whole U.S. Call your local office, and I think you'll be - it will add to your program, and I think you will - it'll help with your business. 

Dave Bittner: That's Supervisor Special Agent Tom Breeden from the FBI's field office in Baltimore, joined by Tom Sobocinski, special agent in charge of the Baltimore field office. There's more to our conversation, and we will be dropping an extended "Special Edition" of this interview in your CyberWire podcast feed. You can also find the full interview on our website, 

Dave Bittner: Microsoft's Ann Johnson is host of the "Afternoon Cyber Tea" podcast right here on the CyberWire Network. And in a recent episode, she spoke with Dr. Josephine Wolff, associate professor of cybersecurity policy with The Fletcher School. They talked about cyber insurance past, present and future. Here's Ann Johnson. 

Ann Johnson: Could you give us a brief history on how the cyber insurance industry has changed and evolved since its initial inception? And what were the initial goals and motivations of cyber insurance providers then, and how was that changed or stayed the same over time? 

Josephine Wolff: Absolutely. So I think one of the things that's often surprising to people is how long cyber insurance has been around, that we've, you know, gone almost 2 1/2 decades now with varieties of these policies available for purchase. But you're absolutely right - they've changed an enormous amount over that time, which isn't surprising when we look at sort of how the cyberthreat landscape has shifted. So if you rewind all the way back to 1997, when sort of the first cyber-focused policy is offered, there's a lot of fear around Y2K. There's a lot of fear around sort of - what if all of the computers suddenly crash, either because of malware or because we haven't prepared well enough for this changeover in dates? As a few more companies, I would say, especially in, like, retail, start to buy these policies, those concerns are heightened somewhat by states in the United States starting to pass these data breach notification laws. 

Josephine Wolff: And so that begins sort of 2003, 2004. We start to see more and more states getting interested in that, led by California. And those laws start to make companies more concerned about these breaches of personal information of their customers because now they know they're going to have to report those breaches. They're not going to just be able to sort of sweep it under the rug or not tell anybody about it. And as soon as you start reporting them, you run the risk that your customers are going to file lawsuits. And now, sort of - I would say starting around 2015 to 2017, we start to see increases in ransomware. We start to see a lot of concern about sort of infrastructure being compromised and operations being shut down by cyberattacks. There's much more interest in - how are we going to pay extortion-related costs? How are we going to compensate for lost business during outages related to cyberattacks? And you've seen these cyber insurance policies really expand. 

Ann Johnson: Can you talk about the differences between how cyber insurers think about those type of, you know, similar catastrophic events and talk about if there are any fundamental similarities between a cyber insurance policy and what our listeners or consumers would think about their personal insurance policies? 

Josephine Wolff: It's a great question, and there definitely are similarities, right? You think about something like car insurance - that's a new technology or what was at one point a new technology, and it's continuing to evolve - that we're trying to manage risk around. You think about flood or other natural disasters insurance. You're talking about these really large-scale, difficult-to-predict events related to certain types of cyberattacks as well. But there are also, I think, some really kind of crucial differences. And a big one that I would say spans almost all of those types of insurance you just mentioned is that we know a lot more about when these incidents happen - when we're talking about car accidents, when we're talking about floods, when we're talking about people dying with life insurance or things like that, right? It's very rare that you have a lot of car accidents that just go completely unreported, and nobody is aware that they've happened. 

Josephine Wolff: And so the big difference that you sort of start from, if you're an insurer, is you don't have great data around cyber-risk, right? You've got slightly better data around breaches of personal information because states have been requiring reporting of that for a long time, but when it comes to something like ransomware, which really kind of takes insurers by surprise in 2019, 2020, when those rates start spiking, you're working from a very incomplete data set of sort of which are the ransomware attacks that make the news that people either choose to disclose or have to disclose for some reason. And that sort of inability to collect consistent and complete data is a huge obstacle if you are trying to do the kind of actuarial underwriting. 

Dave Bittner: The podcast is "Afternoon Cyber Tea" with Ann Johnson. You can find more right here on the CyberWire network at 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.