The CyberWire Daily Podcast 2.2.23
Ep 1752 | 2.2.23

Cisco fixes vulnerabilities in ICS appliances. NIST’s anti-phishing guidelines. OneNote exploitation. HeadCrab malware. Recent actions by Russian threat actors. Trends in state-directed cyber ops.


Dave Bittner: Cisco patches a command injection vulnerability. NIST issues anti-phishing guidance. HeadCrab malware's worldwide distribution campaign. The Gamaredon APT is more interested in collection than destruction. Kathleen Smith of looks at hiring trends in the cleared community. Bennett from Signifyd describes a fraud ring that's launched a war on commerce against U.S. merchants. And trends in cyberattacks by state-sponsored actors.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, February 2, 2023. 

Cisco patches command injection vulnerability.

Dave Bittner: We begin with a note on some patches that have implications for many users and in particular for operators of industrial control systems. Researchers at Trellix discovered and disclosed two vulnerabilities in Cisco appliances, one of which could be used to gain persistent root access to the affected system. The more serious of the two vulnerabilities is CVE-2023-20076, a remote command injection flaw. The researchers first discovered this flaw in a Cisco ISR 4431 router, then found that it also affected a wide range of other Cisco devices. Customers are urged to apply updates as soon as possible. Trellix notes that Cisco was a model partner in this research and disclosure process. 

NIST issues antiphishing guidance.

Dave Bittner: NIST has published a report encouraging the use of phishing-resistant authenticators. According to NIST's draft special publication SP 800-63B-4, a phishing-resistant authenticator offers "the ability of the authentication protocol to detect and prevent disclosure of authentication secrets and valid authenticator outputs to an impostor relying party without reliance on the vigilance of the subscriber." NIST notes that these types of authenticators can only prevent attacks in which the threat actor is trying to log in to something. Users should still be wary of phishing attacks that attempt to install malware or steal sensitive information. 

OneNote used to distribute malware.

Dave Bittner: Proofpoint researchers have observed an increase in the use of Microsoft OneNote documents as a delivery mechanism for malware in email by threat actors. Six campaigns were observed maliciously utilizing OneNote documents in December of last year, with a significant increase to 50 involved campaigns seen last month. Though the December campaign saw a large portion of the victims in the educational sector, Proofpoint emphasizes that the attacks are distributed across a range of sectors with significant variety in messaging. TA577, an initial access broker first observed by Proofpoint in mid-2020 and believed to have connections with a 2021 REvil incident, was observed using this method to distribute Qbot malware in late January, after the gang returned from a monthlong hiatus. 

HeadCrab malware's worldwide distribution campaign.

Dave Bittner: Security firm Aqua Nautilus reports that a threat actor they're calling HeadCrab has been infesting servers around the world since this past September. The researchers describe HeadCrab as a new, elusive and severe threat. The HeadCrab cybercriminals are said to use custom malware that has often passed undetected by both agentless and traditional antivirus approaches. The HeadCrab botnet primarily targets Redis servers, which Aqua Nautilus calls open-source in-memory data structure stores that can be used as a database, cache or message broker that lacks authentication methods. They're intended for use on closed, secured networks rather than the world wide web. HeadCrab is thought to have infested at least 1,200 servers. 

Gamaredon update: the APT is more interested in collection than destruction.

Dave Bittner: Russian deployment of wiper malware in the latter part of January has drawn a great deal of attention, and it was certainly a significant development. But a report by Ukraine's State Cyber Protection Centre of the State Service of Special Communications and Information Protection notes that Gamaredon's recent activity has had a more traditional objective, stating, "Analyzing the actions performed on the infected host after gaining the opportunity to execute PowerShell commands, we can conclude that the adversaries are focused more on espionage and info-stealing rather than system-destroying activity." Gamaredon, also known as Primitive Bear or, in Ukraine's taxonomy, UAC-0010, is generally associated with Russia's FSB. 

Recovering from gangland's cyberattacks.

Dave Bittner: Killnet's recent wave of distributed denial-of-service attacks against U.S. hospitals seems to have ebbed, as may be seen in the case of ChristianaCare, whose website has returned to normal. Other Russian criminal organizations, notably LockBit, continue to infest targets in the West. The Telegraph reports that LockBit has deployed ransomware against the Ion Group, a provider of software to financial traders. The Telegraph says the incident, which began Tuesday, has thrown the City into chaos. And Ion placed the number of clients affected at 42. According to Bloomberg, the U.S. Treasury Department is a bit more reserved, saying yesterday that the attack poses no systemic risk to the financial sector. 

Dave Bittner: The two gangs present an interesting contrast. Killnet has, from its inception, positioned itself as a patriotic hacktivist group working in the Russian interest, and it's behaved accordingly. LockBit, on the other hand, while Russophone and based in Russia, declared its neutrality at the outset of the war against Ukraine. They are, the gang says, apolitical criminals. 

Dave Bittner: Nonetheless, LockBit attacks targets outside of Russia and for the most part in countries Russia regards as hostile. It also seems to have inherited some of the code and personnel Conti left behind when it retired its brand, and Conti made no mystery about its own sympathies. It was solidly in the Russian camp. It's probably best to make a distinction. Killnet is an auxiliary of the Russian organs. LockBit is a tolerated privateer, permitted to operate as long as its crimes are consistent with Russian interests. Of the two, it's fair to say that LockBit has by far been the more dangerous and damaging threat actor. 

Trends in cyberattacks by state-sponsored actors.

Dave Bittner: And finally, a CSO Online article authored by Microsoft Security yesterday takes a deep dive into the prevalent nation-state threat trends identified in this year's edition of their Digital Defense Report. In full disclosure, we note that Microsoft is a CyberWire partner. Geopolitically motivated actors, essentially threat actors who are run directly by state services or on behalf of state interests, have a history of exploiting the software supply chain. But it now appears that their focus has shifted to IT services in the supply chain. 

Dave Bittner: The widespread use of cloud solutions and managed service providers makes them an attractive target for malicious actors. While these are as often as not themselves the end targets, their connections to customers in sectors like government, policy and critical infrastructure can be compelling. According to the research, 53% of nation-state attacks in the past year preyed on the IT sector, NGOs, think tanks and the education sector. The researchers cite the Russian-affiliated group NOBELIUM, who fixated on cloud providers and MSPs as a means to reach government customers in the West, as a prime instance that fits the bill. Lebanon-affiliated POLONIUM, which received support from the Islamic Republic of Iran as it worked against IT supply chains connected to Israeli defense and legal organizations, is another example. 

Dave Bittner: Nation-state actors increasingly exploit zero-days. Microsoft notes that, on average, 14 days passed between the public disclosure of a vulnerability and the appearance of an exploit in the wild. These exploits are also pervasive due to the potential for reuse by multiple actors within the limited time frame for exploitation. And of course, there are always plenty of laggards who are slow to patch. 

Dave Bittner: Also, cyber mercenaries are growing in importance. They're a particular danger to dissidents, human rights defenders, journalists, civil society advocates and other private citizens by providing advanced surveillance as a service capabilities, Microsoft says. Governments, their auxiliaries and privateers - they can all play in the criminal-to-criminal markets just the way the conventional criminal gangs do. 

Dave Bittner: Coming up after the break, Kathleen Smith from looks at hiring trends in the cleared community. Bennett from Signifyd describes the fraud ring that's launched a war on commerce against U.S. merchants. Stay with us. 

Dave Bittner: Researchers at security firm Signifyd have been tracking online fraud targeting retailers, which peaked over the recent holiday season. It's a big operation. Signifyd estimates that the group made off with around $660 million last November alone. For details on the operation, I spoke with the chief customer officer at Signifyd, a gent who simply goes by the name Bennett. 

Bennett: A couple of things that really made us drawn to this were that it was targeting kind of our e-commerce merchants, the, you know, kind of our bread and butter where we started, and using very focused, deliberate and broad-based attacks that are at the - call it very boring $200 average order value. Think AirPods - right? - from that perspective, something that people want to buy for the holidays, you want to receive as a gift. You as a consumer are shopping for a deal online. You're like, man, you know, inflation's really high. I want to try to get a good deal. I find a site that has good reviews. They have a 25% off on the latest model. Apple's not offering any discounts directly on that model. How can this be? But the reviews are so good. All right. I, as a consumer, am going to buy that. 

Bennett: The fraudsters take that order. They go use stolen financial information. They buy that from a legitimate retailer with that stolen financial information from an irrelevant third-party member, who's going to file the charge back eventually, and then the original consumer who wants that 25% off receives actual AirPods and the fraudsters pocket the profit from that. So it's actually very sophisticated in a triangulation perspective, and there's some nuances, and it gets even more complex. But that's ultimately what we were able to deduce was happening here. 

Dave Bittner: And who ultimately loses out here? I mean, is it the merchants that the fraudsters are buying the product from that eventually get that chargeback? 

Bennett: That's exactly correct. So in a card-not-present environment, the onus for protecting against fraudulent financial instruments usually falls on the retailer, depending on the payment instrument type, and that's definitely the case with credit card payments. 

Dave Bittner: Now, your report points out the success of this group, and as you said, they're inching up near a billion dollars of volume here. You know, that's a lot. What do you suppose is the reason for their success here? 

Bennett: Yeah. So to put this into context, we estimate that the attempts are over 3 1/2 billion at this point. So if you're thinking about a success rate, you know, call it 20% success rate - right? - in terms of getting through - across all of e-commerce. Our clients, thankfully, we were able to blunt some of that, but the reason that they've been successful is they're targeting these items that retailers want to sell, and they're targeting items, ranges and very clearly, obviously, gifting type activities ahead of the holidays on order values that normally do not receive scrutiny. So if you think about a retailer that maybe has an average order value of 500 bucks - right? - for example, so maybe a, you know, consumer electronics provider - someone who has - is buying a cart of $100, $150, $200 - that's below your median. It's below your average. It's below your hottest items. 

Bennett: If you have one of the, you know, more, you know, antiquated systems in place where you have human beings taking a look at orders, those human experts are going to be focusing on your big-ticket items, 'cause that's historically where fraud has been more prevalent in the United States. So I think that's a big reason of success, is that the fraudsters reverse-engineered the kind of basic elements of defense that are - that have been deployed in e-commerce, and then there's a whole level of sophistication once they found any measure of kind of pushback or the ability to deflect the attacks. But I think at its root, it's - they seem to really understand how the retailers have been protecting themselves and saying, OK, well, if you built a fence around this or you've put a lock key on this piece, I'll just go around to the other side door. 

Dave Bittner: So what are the red flags for the retailers themselves? Are there any things that they can, you know, have their radar up for? 

Bennett: Yes, absolutely. So the key things to be looking at are high purchase velocity. And so that means, for example, let's say, for example, like, where we're talking about a - you know, a top of the line, you know, gadget that people want to get, it's very normal for there to be higher purchase velocity, more orders related to that ahead of the holidays. So again, the fraudsters kind of know that, and the key to looking at and determining if you have an issue is are there many types of people with the same names, with the same emails, with the same IPs? You need to take a look at kind of a holistic graph of the types of orders that are coming in and say, gosh, we didn't used to get so many orders going to Portland, but now the Portland orders are up 10,000%. Portland is a known reshipper hub, for example, so there's all kinds of things like that where you can slice and dice the data regardless of the type of systems you have and say, OK, all right, this piece of my business has really dramatically changed. Let's take a look at that. As soon as the fraudsters developed any sense that the retailers were pushing back and blocking their orders, they would kind of up-level the agents on their side that were, you know, targeting that site. And they'd start little things like address manipulation or they change things like purposely trying to confuse and bypass the security systems that would come in place. 

Bennett: So I think one other - stepping back a little bit. The United States has not really faced a kind of brute force, broad-based attack like this, where there are human beings that are trained on what to do in let's call it a call center - right? - that have been organized and trained on, hey, this particular site will allow you to address manipulate kind of the delivery address in a way that will confuse its fraud systems and allow the order to go through. Here are the 10 ways that you should try that. Go through this playbook. And just as a customer service agent, you know, might legitimately have a playbook and a flowchart to go through that is - that has been built by people who know what they're doing and then given to an army of human beings and said, OK, when you encounter this resistance, go to Flow Chart 2B and execute this playbook, OK. Report back on whether or not they're successful or not. OK. Rinse and repeat. 

Bennett: So I think that the key is as soon as the retailers identify kind of this, you know, larger amount of orders with kind of any abnormal elements related to them, followed by chargebacks, you need to raise the kind of the gates up and really start paying more attention to those orders. The fraudsters seem very focused, because they are ultimately selling it to end consumers, on particular products that are selling very well. So we've seen a lot of people who may not have the most sophisticated defenses be somewhat helpful in deflecting this attack by targeting their highest, you know, value items. That's the exact dangerous thing to do when you're trying to make sales. So there's obviously a balancing act there, but that's kind of the success that we've seen. 

Dave Bittner: Bennett is chief customer officer at Signifyd. You can hear an extended version of this interview on this week's episode of the "Hacking Humans" podcast. 

Dave Bittner: And joining me once again is Kathleen Smith. She is the chief outreach officer at Kathleen, it's always great to welcome you back. I want to touch today on some of the trends that you are seeing in your specific area. Of course, that's working with folks who have clearances and are looking for employment there. What are some of the things that you're tracking as we make our way into 2023 here? 

Kathleen Smith: Well, obviously, the biggest topic is remote work. We have seen that the pandemic really did change work across the board - commercial and in the government cleared space. I was happy to see that we had set up a foundation almost 10 years ago when the CIO of the TSA, Casey Coleman, now over at Salesforce, had really talked about setting up workplaces within the government agencies to be more set up for telework, more set up for remote work. And then technology caught up. And we were able to have more secured laptops, secured phones and personal devices. 

Kathleen Smith: And then all of a sudden, the pandemic happened. And we needed those tools to be able to complete supporting the mission. Conversations happened very quickly in those first few weeks of the pandemic. What work needed to be done in a SCIF? What work can be done remotely? How did each agency respond? How did each government contractor respond to their customer needs? Who had the relationships to be able to have those really very quick conversations? And then this sort of panned out. We saw people not wanting to return to work. We saw people who decided to leave the security cleared community and take other work. 

Kathleen Smith: But it also started the employers thinking about how they could maintain their talent and recruit better talent by offering them these new options. So when we've done our interviews on security cleared jobs, who's hiring and how, we always talked to the recruiters on, do you have remote work? Do you have hybrid work? How did you set that up? And there are now, you know, specific titles as far as the kind of work there is. There is work that has to be done onsite. There is no question. And it is in every single job description, this is an onsite, in-person job. Then there are jobs that are hybrid that say you can work two or three days remotely and then two days a week you have to be onsite. Then there's other work that is remote, but you have to be within 2 hours of your employer's facility because you have to come in once a month or twice a month for face-to-face meetings. So we've seen that a lot as well. And then there is remote work. 

Kathleen Smith: But, you know, I was just talking to somebody who said, you know, this is amazing. We've seen this in two years go from no remote work, no hybrid work to we have flexible options depending on the security clearance level, depending on which project you're on. So that's obviously the big news that's going to continue shaking up the security cleared market as far as recruiting is concerned. I think the other thing that the pandemic brought was understanding that a work-life balance is more than just being able to pick up your kids from soccer, that it means understanding doing this work to support the mission does have a certain amount of stress to it and that government contractor employers really have to look at the stress level and the overall mental health of their employees. Are they making sure that they're supporting their career options? Are they making sure that they're supporting their life situations, as I said, more than just being able to get off at 3 o'clock to be able to go pick up someone at, you know, soccer or basketball? That is a difficult sort of balance that has to be played because once you get into a certain amount of mental health issues, you then do put your security clearance in jeopardy. So it's really talking more about, how do you support your employees? How do you make sure that they understand that, you know, you're there for them? And that really goes into the culture of the company. And it's been really great to see since the pandemic that a lot of the government contract employers are really looking at that. I have a few more other issues, but it looks like you might have a question or two. 

Dave Bittner: Well, I wanted to follow up on that notion of who can come in and, you know, what needs to actually be done inside of a SCIF. Was there a reevaluation process there where some of the government organizations or contractors took a fresh look at this and said, you know, have we just been - just by default, saying all this stuff needs to happen in the SCIF because everybody comes in every day? We have the SCIF here. We might as well do it. Was there a fresh look at that, you know, to say, this is our new reality? 

Kathleen Smith: Definitely. It was definitely a fresh look because, you know, when you think about a secured facility, it had a certain person capacity. Well, we were all talking about having to have social distancing. So if you had a facility that could accommodate a hundred people, by certain health standards during the first few months of the pandemic, you had to have only 30 people in there. So it was more of a logistics situation than anything else. And then it was a quick scan down to, OK, what needs to be done face-to-face? What needs to be done on certain networks? Is there a certain amount of this work that can be done that's just admin and paperwork that can be done someplace else? 

Kathleen Smith: But I think it really - everyone came together. So that's one of the really great things about working, supporting the mission. At the end of the day, you all are working toward the same goal, making sure that work gets done to support the mission. And I think everything else fell from that. I think that, as I said, with the mental health issues, it was just all of a sudden, everyone was trying to do really important work, trying to do meetings but also have their kids on their computers and things like that. So a certain amount of stress was happening. And I think... 

Dave Bittner: Right. 

Kathleen Smith: ...Employers... 

Dave Bittner: The pandemic itself. 

Kathleen Smith: Yeah (laughter), it was definitely the pandemic itself. So I think that those two issues, remote work and mental health, really came out of COVID as - I don't want to say they're benefits. Maybe we should say they're silver linings that we now can look at work very differently within the government contracting space. 

Dave Bittner: All right. Well, Kathleen Smith, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.