The CyberWire Daily Podcast 1.11.23
Ep 1737 | 1.11.23

Notes on patches. Dark Pink industrial cyberespionage campaign in Asia. Kinsing cryptojacking. Hacktivist DDoS against Iran. Healthcare cyber risk management. Pokémon NFTs.


Dave Bittner: Patch Tuesday. CISA releases two ICS advisories and makes some additions to its Known Exploited Vulnerabilities Catalog. Dark Pink APT is active against Asian targets. Kinsing cryptojacking targets Kubernetes instances. Ukrainian hacktivists conduct DDoS against Iranian sites. Risk exposure and a hospital's experience with ransomware. The Health3PT initiative seeks to manage third-party risk. Tim Starks from The Washington Post's Cybersecurity 202 on cyber rising to the level of war crime. Our guest is Connie Stack, CEO of Next DLP, on the path to leadership within cyber for women. And phishing with Pokémon NFTs.

Dave Bittner: From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, January 11, 2023.

Patch Tuesday.

Dave Bittner: Happy Wednesday, everyone. Great to have you here with us today. Yesterday, of course, was Patch Tuesday, and it was a fairly heavy one. Prominent among the updates published were those issued by Microsoft - a total of 98 patches, with one vulnerability fully disclosed and a second undergoing active exploitation in the wild - and by Adobe for Acrobat and Reader, InDesign, InCopy and Dimension. Take a look at your systems and update them as appropriate. A side note - this Patch Tuesday brings the curtain down on Windows 7. If, for some reason, you're still using it, good luck to you. You're on your own. 

CISA releases two ICS Advisories.

Dave Bittner: CISA released two Industrial Control Systems (ICS) Advisories yesterday, one for Black Box KVM, the other for Delta Electronics InfraSuite Device Master (Update A). Apart from the ICS advisories, CISA has also made some additions to its Known Exploited Vulnerabilities Catalog. One of them is a Microsoft Exchange Server Privilege Escalation Vulnerability, the other a Microsoft Windows Advanced Local Procedure Call - that is, ALPC - Privilege Escalation Vulnerability. In both cases, U.S. Federal Civilian Executive Branch agencies have until January 31 to check their systems and apply Microsoft's updates. 


Dark Pink APT active against Asian targets.

Dave Bittner: Group-IB reported today that it's observing extensive activity by the Dark Pink APT. The researchers have been unable to connect it to any previously observed campaigns, which leads them to conjecture that Dark Pink represents a new threat group. The report says the confirmed victims include two military bodies in the Philippines and Malaysia, government agencies in Cambodia, Indonesia and Bosnia and Herzegovina and a religious organization in Vietnam. Dark Pink seems to be a cyber espionage outfit. Its mission appears to be collection of industrial intelligence. 

Dave Bittner: Group-IB emphasizes Dark Pink's sophistication throughout their report. The threat group's tools, for one thing, are custom built and not commodity stuff from the C2C market. The researchers have noticed only one commonly available bit of malware, PowerSploit/Get-MicrophoneAudio. The method of gaining initial access is familiar - spear-phishing - but here, too, Dark Pink shows evidence of a good deal of care and attention to detail. In one of their spear-phishing emails, for example, the sender posed as a job seeker and mentioned the job board on which he or she had seen the opportunity listed. This suggests that the operators are doing their homework, scanning for opportunities to render their phish bait all the more plausible. 

Kinsing cryptojacking targets Kubernetes instances.

Dave Bittner: Microsoft describes the initial access techniques used by the Kinsing cryptojacking malware to target Kubernetes instances. Microsoft explains that the two most common tactics used by Kinsing to gain initial access are exploitation of weakly configured PostgreSQL containers and exploiting vulnerable images. Kinsing attackers search for applications with container images that are vulnerable to remote-code execution. Applications that were exploited by this method include PHPUnit, Liferay, WebLogic and WordPress. 

Ukrainian hacktivists conduct DDoS against Iranian sites.

Dave Bittner: Russian hacktivists, with Killnet as a prominent example, have served as auxiliaries in Russia's hybrid war, and they've been particularly active against targets in countries friendly to Ukraine. Russia has far fewer friends and partners internationally. But one of them, Iran, has now apparently been hit by pro-Ukrainian hacktivists. SC Media reports that DDoS attacks have affected a number of Iranian websites, including, but not limited to, sites belonging to the National Iranian Oil Company and Iran's Supreme Leader, Ali Khamenei. The hacktivists who claimed credit, the Record reports, are clear that their operations are a reprisal for Iran's willingness to supply Russia with Shahed drones used in attacks against Ukrainian cities. 

Dave Bittner: The group, which goes by the hacker name CyberSecs - and that's secs with a C - said in its Telegram channel, "And just to show off what we can and what we cannot, Ayatollah Khamenei personal website went down, just for one hour. As we advised, it's a warning. If we act, we will act much more rough. No regrets and no sorries there will be. Night timer, no harm - just a demo. Next time we will deface. Iranians, it is not your war. Step down and eff off 'cause next time there will be oil processing SCADA." Note the explicit threat to industrial control systems expressed in that final sentence. 

Risk exposure and a hospital's experience with ransomware.

Dave Bittner: Moody's Investors Service released a comment today on the December attack against the Hospital for Sick Children in Toronto. While the impact of the attack itself was contained, the hospital's exposure to risk, along with an apology and alleged remedy from the threat actors, seems out of the ordinary. The ransomware attack against SickKids took place on December 18. The hospital did not pay the ransom, and the overall attack has been contained, more or less, with 80% of systems back online and most of the systems that had been causing delays back to normal. Despite efforts from the hospital over the last few years to mitigate cyber risk, this attack shows that the hospital was still susceptible to ransomware. 

The Health3PT initiative seeks to manage 3rd-party risk.

Dave Bittner: The Health 3rd Party Trust Initiative and Council was announced today. It brings together leaders in the health care industry to approach third-party cyber risk management. Shenny Sheth, Deputy CISO for Centura Health, had this to say about the initiative: "Managing third-party risk in a comprehensive and sustainable way requires collaboration between health care organizations and their suppliers to find solutions that are efficient and effective for both sides. That's why the Health3PT is so important to Centura Health and our partnerships. In order for this to work, we need more health care organizations to adopt common standardized processes." The group was formed in the wake of a wave of cyberattacks that indicate the attraction the health care sector has come to have for cybercriminals. It also recognizes the increased importance supply chain vulnerabilities are assuming here and elsewhere. 

Phishing with Pokémon NFTs.

Dave Bittner: Finally, have you been out looking for a Charizard? Heard that there's a Charmander hanging out at the local gym? Well, by all means, go catch 'em. But if you're still young-at-heart enough to covet Pokémon, but feel yourself grown too worldly and sophisticated to play with Ash and the gang, maybe you're tempted to get yourself a Pokémon NFT. You've heard about these non-fungible tokens, right? In this case, however, resist the temptation. Researchers have uncovered a phishing campaign utilizing a fake Pokémon NFT game to distribute the NetSupport Remote Access Tool onto unsuspecting users' devices. The AhnLab Security Emergency Response Center "reportedly found at least two phishing pages, offering the installer of a fake Pokémon NFT card game used to distribute the NetSupport RAT onto victim devices," CyberNews reports. Clicking the "Play on PC" button on the phishing page would download a faux game installer containing, in actuality, the NetSupport RAT, ASEC said. Neither of the links was reportedly active as of Monday. 

Dave Bittner: The NetSupport RAT is a legitimate tool described in a report by Cyber Security Connect as "designed for use by administrators, allowing them to remotely access devices and fix issues. It is a powerful tool that allows for screen recording, remote control, system monitoring, network traffic encryption and much more." However, as Infosecurity Magazine reports, ASEC marked the tool as malware because the program "was not distributed in a form used for normal purposes, but rather in a form designed for the threat actor to control the infected system." 

Dave Bittner: So sure, you gotta catch 'em all, but come on - this isn't an opportunity to invest in NFTs. You want an NFT? Consider that drawing of the Brooklyn Bridge "Monty Python's" John Cleese was hawking a couple of years ago. Or better yet, enjoy a nice evening at home with family or friends or a good book. That's better than all the Squirtle NFTs in cyberspace. 

Dave Bittner: After the break, Tim Starks from The Washington Post's Cybersecurity 202 on cyber rising to the level of war crime. Our guest is Connie Stack from Next DLP on the path to leadership within cyber for women. Stick around. 

Dave Bittner: According to Cybersecurity Ventures, women hold about a quarter of the jobs in cybersecurity these days, and those numbers are trending, albeit slowly, in the right direction. Along with that, more women are being promoted to the C-suite and to leadership positions in their organizations. Connie Stack is CEO at data loss prevention firm Next DLP. I caught up with her for insights on closing that talent gap. 

Connie Stack: I very typically was the only woman on the executive teams of companies that I worked with, whether they were, like I said, straight-up tech companies, like, you know, WordStream or Optus, you know, throughout my career into, you know, Veracode and then the early days of Digital Guardian. And so you do see that. And it is - you learn, I think pretty quickly, that you have to have confidence in yourself, right? And you have to be able to speak out and make yourself heard 'cause often you may find yourself in a room - and I found them in both, you know, executive conference rooms, board rooms, as well as around the table selling cybersecurity services - right? - because typically they're male-dominated as well. And I think you have to learn to be confident and speak your mind and, you know, ensure that your voice is heard over, you know, many, you know, often, you know, louder male voices, sometimes, at the table. So I think that's one thing that is really critical. 

Connie Stack: Another thing that is critical, I find, is technical aptitude, right? You have to know. You have to go deep on the - if you're on the - you know, the sales side - let's say, if you're a vendor selling into cybersecurity or a technology specialist selling into technology buyers, it's really important that you know and understand the technology. Cybersecurity buyers, in particular, are discerning. They want to know the product is going to deliver on the value proposition, and you have to be able to go a little deeper. And it doesn't matter what role you're in, by the way, even as a marketer, right? It's like, well, obviously on the marketing side, with CMO roles being my most common. And even as a marketer, I challenged myself to dive into the technology and know it deeper than maybe a typical marketer, you know, might know it. I thought that was, you know, mission critical because you have to be able to articulate not only what the product does, but a little bit of the how as well. 

Connie Stack: And that will gain you a lot of credibility within your organization because, I can tell you, when I went down, you know, to my engineering group - I say down because they were actually on the first floor, compared to the second for me. But when I talked to engineers, I mean, they so respected - they don't expect you to have a discussion about the quality of their code or anything, you know, to that extent. But the very idea that you're interested in the how - right? - how it works - not only the, you know, what it does - is always well received. Well, it, like I said, internally, built my credibility, I think, tenfold. And then, when I went to - you know, if I was at the - in a sales situation or trying to work with an executive from a company that had our software and was using our software, I could always talk to it at a level a little deeper than they expected. And it was always, you know, well - you know, very well received. 

Connie Stack: So don't be afraid of technology. Dive in. Learn more. And I think that that, you know, helped me, you know, a lot along the way, you know, as well. So confidence, deeper technically and I think finding - you know, the last thing that I observed - and I was actually fortunate in this department because I sought out mentors. I sought out people who would help me, you know, grow my career. 

Dave Bittner: I'm curious for your insights and advice for women out there who find themselves frustrated. You know, I still hear stories about being asked to take notes or get coffee or going to trade shows and people assuming that they are not in technical roles - that they're in sales or HR or something like that. Do you have any insights for navigating the degree to which that is still a reality? 

Connie Stack: Yeah, I think - I mean, it is fair to say, particularly in the cybersecurity space, that that is still a reality. I mean, we've made, you know, vast improvements. When I, you know, came into cybersecurity in, like, the 2008 kind of timeline, I believe the stats literally said 8% women, 92% male. We come up through marketing. We come up through HR. We - you know, few of us come up from the technical ranks. 

Connie Stack: Now, there are wonderful exceptions. And when Mo Rosen came to Digital Guardian, he brought Deb Danielson as our CTO. She's an incredibly talented woman, you know, on the technology side of the house, so it was great to see that. And frankly, I think, generally speaking, you know, most of the men that I've had - you know, that I've had the fortune of working with and collaborating with, you know, throughout my career in cybersecurity - listen, some of them - you know, whatever - I was in marketing, so it wasn't a mistake to put me there. But I actually - we had females in our, you know, engineering team as well. We had females that worked in our managed service who were threat hunters, threat researchers and, you know, incident responders and that sort of thing. And they might have made a mistake once. They didn't make it twice. And it wasn't because, you know - it was just like, oh, thank you for correcting me, you know? And you move forward. And they really didn't make that - you know, that thing a big deal. 

Connie Stack: I do - you know, I've heard those stories, too, Dave, about - horror stories, really. And, you know, I'm fortunate because I didn't have those myself. And I wouldn't want anybody putting themselves into a situation where they, you know, stay in an unhappy work environment, right? They don't. I mean, if people are generally malicious and not willing to allow you to be confident, not willing to mentor and guide you, not willing to invite you to the table, then honestly, it might be time to look for a different opportunity where those, you know, three kind of standards can be met. 'Cause I do know there are a tremendous amount of companies out there - specifically in cybersecurity - that do invite and welcome women. And they're long over those, you know, old tropes about - you know, girls can't code sort of foolishness. I mean, it's - that's, I think, well behind the most professional security organizations that exist in the world today. 

Dave Bittner: Connie Stack is CEO at data loss prevention firm Next DLP. Be sure to check out our Creating Connections newsletter on the CyberWire website, where Connie Stack has an article, "Breaking the Glass Ceiling: My Journey to Close the Leadership Gap." 

Dave Bittner: And it is always my pleasure to welcome back to the show Tim Starks. He is the author of The Cybersecurity 202 over at The Washington Post. Tim, always great to welcome you back to the show. 

Tim Starks: Yeah, always great to be back. I missed you over the break. 

Dave Bittner: (Laughter) Happy break to you as well. It is good to be back. Before we jump into our main topic today, just real quick - as you and I are recording this this morning, we had this incident with the FAA basically shutting down airspace in the U.S. - speculation as to whether this could be a cyberattack - what are you hearing there at The Washington Post? 

Tim Starks: All signs point to it not being a cyberattack. That's the word from senior officials - you know, that the president has been briefed on this and has been told that it is not a cyberattack. One of the things that happens any time there's a major outage of something somewhere, a lot of people jump to the idea that it's a cyberattack. And one way that's encouraging - because it's good that people are cognizant of the threat. In other ways, it's an overreaction that can be a little hysterical and can cause people to start assuming things that they shouldn't. And then, of course, you know, sometimes they'll think it's not a cyberattack and find out later, yeah, actually, it was. 

Tim Starks: You know, this sector in general is one that the Biden administration has been paying attention to lately vis a vis cybersecurity. You know, air carriers are on the list of industries that they're regulating or looking to regulate further than they have. And, you know, you can see, when something like this happens, why they would be concerned. Even if this wasn't a cyberattack, if you see that a cyberattack could do something like this, then you can see why it would become a priority. 

Dave Bittner: Right. You're right. It's perhaps a test run of some of the potential effects of a cyberattack if it were indeed an attack. 

Tim Starks: Exactly. 

Dave Bittner: Yeah. Well, let's talk today about your writing over on The Cybersecurity 202 addressing this notion of whether cyberattacks in Ukraine could possibly be considered war crimes. What can you share with us here? 

Tim Starks: Yes. So over the last few months, Ukraine's leadership has been gathering data and sending data to the International Criminal Court, asking them to investigate these incidents as war crimes. The incidents in particular they talk about are attacks on critical infrastructure that are joint attacks in some cases, with physical attacks on things like the power grid. Obviously, Ukraine has been a victim of one of the biggest cyber incidents ever. If you go back to 2014, 2015, 2016 - I think it's 2015 to 2016, to be specific - where the power grid was taken out by Russians, their argument is - and it's an argument that's shared by some other legal scholars who have also asked the International Criminal Court to take this up - is that this is affecting civilians. 

Tim Starks: And the sort of best-case argument that anybody made to me for this story was, if you were to knock out the power in Ukraine in the winter, how could you describe that as anything other than inhumane? You can try to make the argument, if you're Russia, that this was targeting a legitimate military target and not going after civilians. The way war crimes work and how the court evaluates them is that they have to be proportionate. They can't - you have to be really showing that you're targeting a military asset where there is some harm done to civilians. And in this case, it doesn't look like that. 

Tim Starks: On the other hand, you know, there are concerns about whether this is something that would be a priority for the ICC. I have not heard back from them on whether they're taking this up. The group of legal scholars that approached them and said, hey, you know, we would like you to take a look at this, have said that the ICC told them privately, we are going to take this under consideration. You know, some of the people I talked to were also confident that they were looking at it. 

Tim Starks: Others - you know, the concern, of course, is that, with a lot of very vile things happening on the ground in Ukraine that are much more evidently - you know, there's not much of a standard to prove it. Did it happen or did it not? And if it happened, it's clearly a war crime - things like torturing children. I mean, you can't - if that happened, then that's - maybe some people wonder that they would focus on those kinds of things over a cyberattack, where it would be a little more difficult, potentially, to argue that it was a war crime. Or perhaps there will be difficulties in the expertise at ICC. You know, a lot of people aren't sure what kind of expertise they have on that subject right now, although they could potentially - someone told me - contract it out. 

Dave Bittner: I'm curious on your take on this because it's been my observation - my understanding - that there's been kind of a reticence, a hesitance, for organizations to draw clear lines in the sand when it comes to some of these diplomatic issues in the cyber realm in particular. Like, they almost want to keep some of these lines fuzzy at this stage of the game. Is this an area where that kind of thing applies, in your view? 

Tim Starks: It's potentially - I think the difference between this and what I think you're mostly talking about right now, which is NATO - NATO has explicitly said they want the line to be vague on when Article 5 might be invoked - Article 5 being the rule that says an attack against a NATO nation is an attack against all the NATO nations, and they can all take... 

Dave Bittner: Right. 

Tim Starks: ...Collective self-defense. And so far as I know, I think that's only been invoked even once successfully. So I think that they've been very explicit on the NATO side of things. I think there's a chance that that might be the thinking of the ICC. That's a little speculative on my part. There's a pretty broad consensus that these rules do apply to cyberattacks. You know, if you go back to when some of these international agreements and treaties were being written and debated, there would be an enumeration of specific kinds of attacks, but they were always more focused on the consequences of what the weapons would do. 

Tim Starks: And so in this case, you know, the legal scholarship on this is that various laws of war - not just war crimes, but other sort of international humanitarian laws - that a cyberattack could definitely qualify as one of these kinds of crimes. I think, at least for the ICC, it looks like it's more a question of - is this the time we decide to do it? And, you know, if you look at the world conflicts we've had, where there was even a possibility that there could be cyber involved - you know, one of my colleagues wrote a book that I really love. We weren't colleagues at the time, but Shane Harris wrote a book called - I believe it's called "@War," where he talked about the first cyber war, which was, you know, the U.S. using tools to degrade communications in Iraq. That wasn't like this so much. I mean, it wasn't the kind of cyberattacks that are - have become a regular, integrated part of the warfare that we've seen in Ukraine, where civilians have definitely been affected. So I think that's more the debate, but it's entirely possible that they would prefer to keep this vague, like you said. 

Dave Bittner: I think it's a really interesting point you bring up, though, that it's possible that, given the broad spectrum of potential war crimes here, that maybe the cyber ones wouldn't move to the head of the line. There are other much more horrible things that would require their attention. 

Tim Starks: Yeah, I think maybe the case would be different if you could show the demonstrable harm. For instance, you know, the company that said it was attacked by Russians - the big Ukrainian energy conglomerate, DTEK, has not said that they were successfully hacked, that I know of. They said they were targeted in an attack. I think if they were able to demonstrate that this harmed civilians - not just that it had the potential to harm civilians - maybe things would be different. You know, the law's the law on this. You know, you can get in trouble for attempted murder the same way you can get in trouble for murder. But I think - when you're looking at clear evidence of war crimes, I think it is probably easier to demonstrate it when it has actually happened as opposed to the potential for it to have happened. 

Dave Bittner: Tim Starks is the author of The Cybersecurity 202 over at The Washington Post. Tim Starks, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.