Some trends in threats and defense. The possibility of cyber war crimes. RSAC innovation showcases are open for application. And common KEVs in the financial sector.
Dave Bittner: A look back at ransomware in 2022. Lessons from Russia's war - crooks, hacktivists and auxiliaries. Cyberattacks as war crimes. The state of SSE adoption. RSA Conference 2023 opens applications for the Launch Pad and the Innovation Sandbox. Joe Carrigan looks at online scams targeting military members. Our guest is Richard Caralli from Axio on the state of ransomware preparedness. And the most common known exploited vulnerabilities affecting the financial sector.
Dave Bittner: From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, January 10, 2023.
A look back at ransomware in 2022.
Dave Bittner: Happy Tuesday, everyone. It's good to have you here along with us. We are not yet too far into 2023 to take a retrospective look back at 2022, and ransomware was one of the defining cyber threats organizations faced last year. Delinea has published its 2022 State of Ransomware report, finding that there's been a sharp decrease in the volume of ransomware attacks, though the average ransom demand has gone up. Delinea found that only 25% of respondents said their organizations were hit by ransomware in 2022, down from 64% in 2021. The number of victims who paid the ransom also fell from 82% to 68%. The researchers aren't sure what led to this decline, but they note that it may be due to the reorganization among major ransomware crews, particularly Conti, that took place during 2022.
Dave Bittner: It's not all good news, however. Despite the slowdown in attacks, the researchers found that the average ransom demand has gone up over the past year. The survey also highlights a discouraging trend. Organizations seem to be taking the ransomware threat less seriously than they did in 2021. The researchers found that most organizations, a whopping 76%, increase their security budgets only after they've suffered a ransomware attack. Sure, the burned hand teaches best, but better not to get burned in the first place.
Lessons from Russia's war: is cyberspace best understood as an operational domain?
Dave Bittner: Turning to the effects of Russia's hybrid war, EU Reporter notes that the annual report from the European Union Cybersecurity Agency, ENISA, describes ways in which Russia's war has driven an increase in cyber attacks. As we've had many occasions to observe, the consequences of those attacks have fallen short of pre-war expectations. Still, they have shown a kind of convergence, with criminals becoming hacktivists and hacktivists in turn becoming auxiliaries of the security and intelligence services, deploying ransomware, website defacements and distributed denial of service attacks against targets of opportunity in countries deemed hostile to Russia's war.
Cyberattacks as war crimes.
Dave Bittner: Operational domain or not, it certainly seems possible that actions in cyberspace can constitute violations of the laws of armed conflict. Victor Zhora, chief digital transformation officer at the State Service of Special Communication and Information Protection of Ukraine, told Politico that Ukraine was gathering information on the ways in which Russian cyberattacks have constituted war crimes. Some of the Russian cyber intelligence work has allegedly been used to support filtration - that is, the identification of civilians regarded as posing a threat to Russian occupation. Zhora said Russian troops often use filtration procedures on occupied territories to identify people who support Ukraine, who were engaged in public service or military service, so they capture them, then torture and kill. So in this case, cyber ops would be a crime in furtherance of another more lethal crime.
Dave Bittner: Some cyber activities, including even the spread of disinformation, may themselves qualify as war crimes. Disinformation seems a stretch, except perhaps in so far as it might be held to constitute incitement or serve as an element of conspiracy. But disabling cyberattacks against civilian critical infrastructure might be an easier case. For any of these actions to amount to war crimes - and there is a strong case that they may - they would have to amount to violations of the laws of armed conflict. The core principles on which that law is based include discrimination, sometimes called distinction, proportionality, minimization of suffering and military necessity. The Russian cyber operations Ukraine has under investigation could constitute violations of any or all of these principles. Ukrainian authorities are referring the digital evidence they've collected to the International Criminal Court with a view to eventual prosecution of the Russian personnel and officials responsible.
The state of SSE adoption.
Dave Bittner: Axis Security has published its 2023 Security Service Edge Adoption Report this morning. They found that 65% of organizations plan to implement an SSE platform within the next two years, and 43% seek to implement one before the end of 2023. Additionally, 67% of respondents plan to start their SASE strategy with an SSE platform rather than wide area network edge services. The researchers also found that the top legacy solutions that enterprise security teams will look to replace with SSE will be VPN concentrators, SSL inspection services and DDoS, with data loss prevention being a very close fourth place.
RSA Conference 2023 opens applications for the Launch Pad and the Innovation Sandbox.
Dave Bittner: The RSA Conference will be here before you know it in San Francisco between the 24th and 27th of April. And it returns with two of its well-known showcases for young, innovative companies. The Launch Pad will highlight three potential breakthrough inventions, and the Innovation Sandbox will give 10 startups a chance to pitch themselves. These are always interesting, and the innovators that are on display usually go on to make a mark for good on the cybersecurity sector. Both programs opened for applications today. And the conference will continue to accept them through February 10. If you think you've got a genuinely disruptive innovation to share, by all means, apply. You'll find full instructions online at rsaconference.com.
Most common Known Exploited Vulnerabilities in the financial sector.
Dave Bittner: And finally, LookingGlass Cyber released a blog today explaining the most prevalent known exploited vulnerabilities present in the U.S. financial sector in November of last year. Over half of the vulnerabilities detected by LookingGlass in November 2022 were found affecting insurance, with approximately a quarter composed of credit intermediaries and a third resulting from third-party service providers. The most commonly observed known exploited vulnerability in the U.S. financial services sector was CVE-2015-1635. The 7-year-old remote code execution vulnerability is said to impact Windows and is still common in critical infrastructure today. If it's known, it can be mitigated. So by all means, get patching.
Dave Bittner: Coming up after the break, Joe Carrigan looks at online scams targeting military members. Our guest is Richard Caralli from Axio on the state of ransomware preparedness.
Dave Bittner: Rich Caralli is senior cybersecurity advisor at Axio, where he and his colleagues recently released their 2022 State of Ransomware Preparedness report. I spoke with Richard Caralli about some of the highlights from the report.
Richard Caralli: A lot of times these reports are produced from survey data, but this is data that's coming from organizations that have the intent to improve. So I think that makes the data even more important because we know that the intent is to, you know, actually use the results of the data to have something actionable at the end. What we found in this year's study was very similar to the study we did in 2021. And that was seven key issues focused around things like privilege access management, the lack of basic cyber hygiene, exposure to supply chain and third-party risk, monitoring and defending networks, ransomware incident management and vulnerability management. Interestingly, in the 2022 report, we also - in terms of training and awareness, what we were seeing was not as high a degree of organizations doing phishing tests on their employees.
Dave Bittner: So to what degree are you finding that organizations are staying on top of this, or is there still a lot of catching up to be done?
Richard Caralli: Well, there was some improvement generally from 2021. For example, we saw better email filtering and phishing reporting processes in place, better controls over domain controllers and domain administrator coaches. And we're seeing higher rates of data backed up in offline storage and encryption, which, you know, is a primary defense to ransomware. So some of those basic practices do seem to show some improvement from 2021 to 2022.
Dave Bittner: Are we seeing organizations being nimble in their response to some of the pivots we've seen from the ransomware actors? You know, we've seen a shift away from encryption to, you know, data extortion from some of these players.
Richard Caralli: Yeah, I don't think we really can look to what kinds of ransomware vectors organizations are trying to protect against generally in this data. But the thing that I think we were really seeing is that - and this was kind of a discouraging outcome of the 2021 report - is that it still comes down to a lot of fundamental basic practices not being in place. So if you look at the ransomware preparedness assessment, it's really made up of 65 foundational practices that would contribute to building a strong ransomware-ready environment. And if you're seeing deficiencies in these basic practices, you pretty much sense that, you know, regardless of the intent of the ransomware actor, the organization is likely going to suffer some impact from a ransomware intrusion. So it's sort of coming back down to the basics again. And it was a little surprising that there wasn't a lot of movement in these 65 practices from 2021 to 2022, especially in light of, as you said, many of these high-profile ransomware attacks.
Dave Bittner: Do you have any insights onto why folks are still lagging here? Is this a matter of resources?
Richard Caralli: So we don't have exact data on why we're still seeing this problem, but it's pretty easy to guess that it's likely resource shortages. It's likely built around the fact that some of the toolsets, for example, in privileged access management - they are big investments. They take a significant time to implement, and there's a high learning curve. So some of these basic things are just - have high hurdles to overcome. And one of the things I think that is really starting to show some concern - at least, you know, in our circle - is that, as we go into 2023 and there's this potential for an economic downturn, if and such research shortages and budget shortages and those sort of constraints are already showing in the data that we're seeing, how will it affect already-deficient control environments? It's going to further strain resources and budgets. And, you know, if you're lacking in fundamentals, you may not have the resources to get those to a place where, you know, they're purposeful and actionable, let alone to prepare for new attack vectors that may come down the pipe. And I think that is prevalent, I think - a prevalent problem, in fact, in two areas - the privileged access management and supply chain third-party risk.
Dave Bittner: Yeah, that's interesting. So based on the information that you all have gathered here, what are your recommendations? What are the actionable items here on the checklist?
Richard Caralli: We really recommend that organizations go back to the basics when it comes to securing and controlling privilege credentials. And, again, if there is an economic downturn, you're going to want to do more with less. So you may cut some of the corners around, you know, having one staff person do many things in the organization, which means controlling and securing these credentials might come secondary to efficiency. So that's one of the areas that, you know, we really think organizations should put some emphasis on. And by the way, that was our top issue in 2021 as well.
Richard Caralli: I think the second one really is the supply chain issue, reducing exposure to supply chain risk, which is going to be tricky because if you think about an economic downturn and having less staffing and less labor cost, you're more likely to start outsourcing more things, which could make the problem worse. And, you know, the other problem we're seeing and, I think, is going to become more of an issue going forward is the organizational perimeter is much harder to define and control now because there is so much reliance in cloud services and external partners to the organization. And when you start to see that happening, this is why you're seeing more calls for zero trust models. But zero-trust models are a significant undertaking and surely will suffer some setbacks in an economic downturn. You know, for example, we only saw 42% of organizations even monitoring third-party access. Now, that was an increase from 2021, where we saw about 34%, but it's still not at levels where it's going to be sufficient.
Dave Bittner: That's Rich Caralli from Axio. You can find a link to the report Richard Caralli discussed in today's selected reading section of the show notes.
Dave Bittner: And joining me once again is Joe Carrigan. He is from Harbor Labs and the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: Hi, Dave.
Dave Bittner: More importantly than either of those professional positions, Joe is my co-host over on the "Hacking Humans" podcast. We were talking about this over on "Hacking Humans."
Joe Carrigan: Yes.
Dave Bittner: This is a scam targeting folks who are new to our U.S. military.
Joe Carrigan: Right.
Dave Bittner: What's going on here?
Joe Carrigan: So this is coming from military.com. It's a story by Drew Lawrence.
Dave Bittner: Yeah.
Joe Carrigan: And imagine, Dave, that you're a new recruit in the Army.
Dave Bittner: OK.
Joe Carrigan: So you get into the Army, and you show up at basic training. And you're maybe two or three weeks into it, and you get a phone call. And during the course of that phone call, someone says, I'm with the DFAS, the Defense Finance Accounting Services. And I'm an NCO, by the way. I'm a non-commissioned officer with the Defense Finance Accounting Agency...
Dave Bittner: OK.
Joe Carrigan: ...Service. And there was a problem with your last military pay. There's a problem with your military pay, and I want to get you the money that you're entitled to. So I need you to send me some money via Cash App, Venmo, PayPal, Zelle or Apple Pay, and then we'll get this resolved and worked out.
Dave Bittner: Now, hold on a minute, cowboy.
Joe Carrigan: Hey.
Dave Bittner: (Laughter).
Joe Carrigan: Did you hear what I said? I'm an NCO. You're a recruit.
Dave Bittner: Oh.
Joe Carrigan: See, that's the first thing that happens - is...
Dave Bittner: I see.
Joe Carrigan: ...They get threatened with this kind of activity. And the guy goes full R. Lee Ermey on them on the phone, I guess.
Dave Bittner: (Laughter) OK. So taking advantage of the fact that this is a new soldier...
Joe Carrigan: New soldier - not really familiar with how things work. You know, we see this actually with new hires as well. We've seen this kind of scam before, where somebody gets a new job on LinkedIn, and immediately, they get a call or something impersonating the company. They start getting scammed there as well. Or if you're trying to do open-source intelligence gathering on a company and you're trying to penetrate a company, you can say - or actually, not - trying to do a phishing attack on a company - you can call into the company, talk to the person who just got hired and say, hey, I see you just got hired recently. I'm from IT. I'm here to help, right? These kind of attacks we've seen many times before. This is the same kind of attack, only now it's happening to Army recruits. And they've put out a - the Army has put out warnings from Fort Benning, Huachuca and West Point. So people at West Point are getting hit with this as well. And that's where the cadets for - the officer cadets go.
Dave Bittner: Yeah, yeah. So really, basically, a social engineering scam here.
Joe Carrigan: It is.
Dave Bittner: And then once you - but unique in that they're using the chain of command, the authority...
Joe Carrigan: The authority of a non-commissioned officer presumably over the enlisted people. I don't know what the relationship is between a recruit at a naval academy - or not naval - the Army academy.
Dave Bittner: Yeah.
Joe Carrigan: I say naval academy because I live in Maryland, Dave. That's - the word academy is usually preceded by naval around here.
Dave Bittner: That's true.
Joe Carrigan: Yeah, but at West Point, it's the Army academy. The Army academy - I'm not sure, but I think they might actually outrank an NCO - that they might actually already be officers.
Dave Bittner: Yeah.
Joe Carrigan: I don't know if that's correct. So it's less likely to work. And in fact, the story says nobody at West Point has been victimized by the scam. But outside of West Point, 74 soldiers have lost $143,000.
Dave Bittner: Wow.
Joe Carrigan: Yep.
Dave Bittner: Wow.
Joe Carrigan: It's a lot of money.
Dave Bittner: So what are the red flags here in terms of folks protecting themselves against this? I mean, I guess the request for money is the big one.
Joe Carrigan: Yeah. Anytime you get an unexpected request for money like this - the big problem here is that these guys are not really familiar with it. Once they start asking questions to the person on the phone, the person tries to intimidate them and is pretty successful at it. I don't know if I would be willing - I don't know. This, you know, every now and then I say, here's a scam that'd work on me. I think this one might have worked on me in my youth because I don't know that I'd be willing to go to my drill instructor or drill sergeant and say, I'm getting this request from this guy. Is this legit? But that's what they should do. They should be doing that immediately. This guy wants me to send him money, saying he's from the accounting service. Is this right?
Joe Carrigan: But what should really be happening here is that the drill - and it is happening, actually - the drill instructors should be informing all the recruits that this is a scam that's going around. They should be aware of it. And if they get these kind of phone calls, just hang up. What's interesting is how they're finding recruits in the Army. I'd like to know how they're getting that information because this seems to me like there's a leak somewhere. Some kind of information that shouldn't be in the hands of these scammers is in the hands of these scammers.
Dave Bittner: Right.
Joe Carrigan: I don't know where that's coming from.
Dave Bittner: Right. Somehow they're aggregating who are the new recruits and...
Joe Carrigan: Right.
Dave Bittner: ...How do we call them?
Joe Carrigan: It's entirely possible they're getting it from open sources.
Dave Bittner: Yeah. Yeah, sure.
Joe Carrigan: And if that's the case, there's nothing you can do about it except educate the recruits. But it's also entirely possible that they're getting it from some inside source.
Dave Bittner: All right. Well, again, this article is from military.com. It's titled "Army Warns of Scam Targeting New Soldiers." Joe Carrigan, thanks for joining us.
Joe Carrigan: My pleasure.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.