The CyberWire Daily Podcast 2.22.23
Ep 1765 | 2.22.23

Vulnerabilities newly exploited in the wild. A new cyberespionage campaign. Trends in the C2C marketplace. Hacktivists, other auxiliaries, and the laws of armed conflict.

Transcript

Dave Bittner: CISA adds three entries to its Known Exploited Vulnerabilities Catalog. Hydrochasma is a new cyber-espionage threat actor. IBM claims the biggest effect of cyberattacks in 2022 was extortion. Social network hijacking in the C2C market. A credential theft campaign against data centers. LockBit claims an attack on a water utility in Portugal. Tim Starks from The Washington Post describes calls to focus on harmonizing cyber regulations. Our guest is Luke Vander Linden, host of the "RH-ISAC Podcast." And disrupting Mr. Putin's speech online and what the hybrid war suggests about the future of cyber auxiliaries.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, February 22, 2023. 

CISA adds three entries to its Known Exploited Vulnerabilities Catalog.

Dave Bittner: We start off with a quick note from CISA. They've added three entries to their Known Exploited Vulnerabilities Catalog, covering products from IBM and Mitel. The U.S. federal executive civilian agencies have until March 14 to inspect their systems and, as always, apply updates per vendor instructions. Other users, of course, should consider doing likewise. Entry into CISA's catalog means that the vulnerability is undergoing active exploitation in the wild. 

A new threat actor, "Hydrochasma" engages in cyberespionage.

Dave Bittner: Researchers from Symantec wrote this morning about an observed campaign that's probably intended to gather intelligence from shipping companies and medical laboratories in Asia. Symantec is calling it Hydrochasma. The researchers have observed activity from the Hydrochasma threat actor dating back to October of 2022. The threat actor isn't linked to any other known campaigns, and data was not seen to be exfiltrated by researchers, but the tools observed to be in use indicated to the researchers that the goal may be intelligence collection. The industries Hydrochasma prospects appear to be associated with COVID-19 vaccines and treatments, which is an interesting choice of targets. 

Dave Bittner: The initial attack vector is a phishing email baited with an attached document. The file name is in the native tongue of the victim's organization and has been seen to represent itself as a freight company qualification document and alternatively as a faux resume. Following the initial lure documents, fast reverse proxy, which researchers describe as a tool that can expose a local server that is sitting behind a NAT or firewall to the internet, drops a legitimate Microsoft Edge update file that also adds Meterpreter for remote access. The researchers say Hydrochasma seeks to achieve persistent and stealthy access to victim machines, as well as an effort to escalate privileges and spread laterally across victim networks. 

The biggest effect of cyberattacks in 2022: extortion.

Dave Bittner: IBM has published its X-Force Threat Intelligence Index for 2023, finding that the most common impact of cyberattacks during 2022 was extortion. More than a quarter of attacks IBM observed resulted in attempted extortion. Most of these incidents involve data theft via ransomware or business email compromise attacks. 

Dave Bittner: X-Force notes that attackers are finding new ways to turn up the heat in extortion attacks. The researchers also note that the average time to complete a ransomware attack has decreased dramatically over the past several years. In 2019, threat actors would usually spend more than two months setting up their attacks. By 2021, they could achieve their goal in just under four days. The report stresses that misconfigured or vulnerable domain controllers can open the door to ransomware. 

Social network hijacking in the C2C market.

Dave Bittner: Bitdefender this morning released a report on S1deload Stealer - and that's S1deload with a one instead of an I because, because - which they call a global campaign that targets Facebook and YouTube accounts. The payoff for the criminals is interesting and shows the complexity that has come to typify the criminal-to-criminal market. Bitdefender says S1deload Stealer steals user credentials, emulates human behavior to artificially boost videos and other content engagement, assesses the value of individual accounts, such as identifying corporate social media admins, mines for BEAM cryptocurrency and propagates the malicious link to the user's followers. 

Credential theft campaign against data centers.

Dave Bittner: Resecurity reports a credential theft campaign in progress against major corporate data centers. The researchers write, based on the observed activity, most probable targets of interest for them remain as follows - helpdesk systems, customer service, ticket management and support portals, devices which may be potentially probed remotely, including but not limited to CCTV equipment, watchdogs and so on, data center visitors' management systems, email accounts belonging to data center IT staff and their customers, remote management and device monitoring systems and Integrated Lights-Out or iLO, a proprietary embedded server management or similar related technology, such as OpenBMC, FreeIPMI and iDRAC. 

Dave Bittner: It's unclear who's behind the campaign, but Bloomberg reports on the basis of conversations with Resecurity and some of the affected organizations that the incident has compromised a disturbingly large amount of data. 

LockBit claims attack on water utility in Portugal.

Dave Bittner: The LockBit ransomware gang has claimed responsibility for an attack against a water utility in Portugal. The Record reports that neither water supply nor wastewater services were affected but that some customer data may have been exposed. LockBit has given the utility until March 7 to pay the ransom, at which point the gang says it will release the stolen data. 

Disrupting Mr. Putin's speech, online.

Dave Bittner: The IT Army of Ukraine claimed credit for briefly, periodically disrupting online services that carried President Putin's state of the nation address. The IT Army posted in its Telegram channel, we launched a DDoS attack on channels showing Putin's address to the Federal Assembly. The IT Army is the most prominent representative of Ukrainian hacktivists operating as a cyber auxiliary of Ukraine's intelligence and security services. The Ukrainian government freely acknowledges the support it receives from the IT Army, but both the government and the IT Army deny that the hacktivist organization receives orders directly from the government. 

The future of cyber auxiliaries.

Dave Bittner: The contributions that irregulars, privateers, hacktivists and auxiliaries of all kinds have made to the cyber phases of Russia's war against Ukraine have been large and publicly prominent. 

Dave Bittner: Newsweek is running a lengthy appreciation of lessons the present war holds for the future of cyber auxiliaries like the IT Army. It points out first the capabilities that the private sector, both hacktivist volunteers and security companies, brings to the battle in cyberspace. The IT Army seems to have provided a template for the sort of rapid wartime augmentation of cyber capabilities that many in governments and industry have mulled for several years. 

Dave Bittner: It also highlights some of the remaining ambiguities and uncertainties such auxiliaries will inevitably bring with them. The IT Army is aware of international humanitarian law and the laws of armed conflict and says it scrupulously follows them, especially with respect to the norms requiring distinction - that is proper discrimination of legitimate targets from protected noncombatant targets. It also says it aims at the disruption of the Russian economy, insofar as that economy supports the war against Ukraine. 

Dave Bittner: Some of the ambiguity surrounding cyber auxiliaries follows directly from the ambiguity inherent in the gray zone that cyber operations tend to occupy. Are cyber operations acts of war when they achieve destructive kinetic effects? Almost certainly. What about wiper attacks? Russia has tried these extensively against Ukraine, as WIRED notes, to the extent they've become almost a defining feature of Moscow's cyber campaigns. Possibly. Are they acts of war when they're merely disruptive? Perhaps. What about influence operations? Arguably not, although states like Russia are likely to disagree when they find themselves on the receiving end. In any case, the cyber phases of the present war will undoubtedly clarify the application of international law in cyberspace. 

Dave Bittner: Coming up after the break, Tim Starks from The Washington Post describes calls to focus on harmonizing cyber regulations. Our guest is Luke Vander Linden, host of the "RH-ISAC Podcast." Stay with us. 

Dave Bittner: You are probably familiar with the concept of the ISAC, information sharing and analysis centers - member-driven organizations with a mission of information sharing and threat mitigation. Luke Vander Linden is vice president of membership and marketing at the Retail & Hospitality ISAC and host of the "RH-ISAC Podcast." 

Luke Vander Linden: The RH-ISAC is a membership organization. We've been around for 10 years - about 10 years - just under 10 years, actually. And our members are retailers, hospitality companies, really any consumer-facing businesses. And we work with cybersecurity departments and other allied units within these members to provide sharing platforms, to provide opportunities for our members to share cyberthreat intelligence, best practices, strategies about how to combat cybercriminals. 

Dave Bittner: What are some of the specific challenges that folks in retail and hospitality face when it comes to sharing their information? 

Luke Vander Linden: From the standpoint of our members, I think probably legal departments have the biggest issues with kind of getting comfortable with their companies and their professionals talking with other companies and sharing things that might happen at their own companies. But once that hurdle is over, our members typically really enjoy the collaborative environment and really enjoy being able to understand what their fellow members are going through because chances are either they're going through it right now, went through it, or will be going through it themselves. So, you know, as we say, a rising tide lifts all boats. And so this is the one area where our members can collaborate, and it really, really helps. 

Dave Bittner: And how do you do that? What are the practical things you put in place to make this possible? 

Luke Vander Linden: We have a number of platforms, mostly online - so ways for them to chat instantly with each other, ways to have more substantive, meaningful conversations, and also libraries of reports and things like that that are either done by our research department or compiled from the conversations that our members are having. And then we also have a bunch of events, both virtual and in-person, where members can either get together with each other and interact face to face and collaborate on that platform as well. So it's really - there's a lot of different opportunities, if you're someone who likes the written word more versus someone who likes talking versus someone who likes being in person with someone, to collaborate. 

Dave Bittner: So how do you describe an ISAC to folks who may not be familiar with it? 

Luke Vander Linden: You know, it's - that's interesting, too. We didn't invent the ISAC model. There's - we used to say two dozen, but I keep running into more ISACs and ISAOs and things that are similar. So there's at least three dozen and growing. And ISAC - ISAC stands for Information Sharing and Analysis Center. And it's really - originally, it was set up, I think, during the Clinton era as a way for organizations who might otherwise compete to be able to collaborate on security. And for us, that means cybersecurity. Some organizations, it's physical security. But it - there's enabling legislation. And I can - maybe I shouldn't be speaking about this 'cause I'm not the legal scholar here, but - that allows companies that would otherwise not be able to collaborate because of antitrust rules to be able to collaborate on this one thing. 

Luke Vander Linden: So we - when we were founded, we adopted this existing ISAC model and became the ISAC for the sector, and so followed the model. And there's organizations, like the national association of ISACs for the U.S., the European Council of ISACs is one that we're getting spun up, to kind of bring these organizations that are similar to ours together so we can also collaborate with what we do. 

Dave Bittner: Well, you all have a podcast for the RH-ISAC. Tell us about that. What information are you hoping to share? 

Luke Vander Linden: Yeah, we actually started this podcast about a year and a half ago. And we originally started it - it was for members only. And then we decided, look; we're putting all this effort into getting our members to come and talk on it and to kind of curate some content. We might as well make it public - not for the general public, but for cybersecurity professionals in our sector 'cause we hoped and thought that the sector could benefit from it. So about a year ago, we made it public. 

Luke Vander Linden: And features are kind of a mixed bag of things, from interviews with employees, from our core members, to what we call our associate members or cybersecurity vendors or professionals that serve our core members. We talk about everything from ways to improve cybersecurity programs to challenges, opportunities, best practices to, like, a member spotlight where we just talk about - pull in a member and ask about their career journey and how they got to where they got. And then we also will feature our own employees. And, you know, I like to say I'm not blowing smoke here, that this is the smartest group of people I ever worked with. So we can talk about a lot of what they're working on, some of the trends they're seeing, and then some of the events that we have, the reports that we publish and other threat intelligence and things like that. 

Dave Bittner: Are there any stories or guests that have stood out to you, things you'd like to share with our audience? 

Luke Vander Linden: Oh, man, there's so many. I haven't been the host exclusively until now, so I've been involved in probably only about a quarter of the episodes. But, of course, I listen to them all. And it's just really fascinating when you hear someone's outlook on everything from security awareness and how - the human aspect of cybersecurity to some of these - you know, as the threat actors themselves evolve, some of the new ways that they're using things like point-of-sale systems and the physical world to engage in cyberthreat activities. So really, you know, the individual aspects of things - I think the human aspect of the stories is great, but also just seeing what lengths some of these cyberthreat actors will go to and how our members and the good guys have to stay on their toes. 

Dave Bittner: That's Luke Vander Linden from the RH-ISAC. The "Retail & Hospitality ISAC Podcast" is the newest addition to the CyberWire network, and you can find it wherever you get your podcasts. 

Dave Bittner: And joining me once again is Tim Starks. He is the author of The Cybersecurity 202 at The Washington Post. Tim, it's always great to welcome you back. Looking at The 202 this morning and your article about a federal panel saying that we need to be harmonizing our cyber regulations. What's going on here, Tim? 

Tim Starks: Yeah. Well, we've seen - and you and I have talked about this a fair amount. We've seen this kind of - not even kind of - an actual proliferation of cyber regulations in the United States. That's the sea change of approach from the Biden administration to be - to push more mandates and say, we expect you to do this, not, would you please do this? - which is what we've had. 

Tim Starks: So naturally, there's a lot of discussion about how this is rolling out. I mean, you have many agencies rolling out rules. TSA has rolled out rules, for instance. You have organizations like the FCC and - you know, FCC, who have rolled out rules or talked about rolling out rules. And there's also a patchwork of regulations across the world. Europe has been doing some things. Australia has been doing some things, saying, we expect more from you on the cyber front in terms of what we really need you to do, not just ask you to do. 

Tim Starks: So this particular panel, NSTAC - I just forgot the acronym, but it's a telecommunications-oriented panel. 

Dave Bittner: National Security Telecommunications Advisory Committee. I happen to have it in front of me. 

Tim Starks: There you go. Thank you. Thank you for being - backing me up on that and not leaving me hanging. 

Dave Bittner: There you go. 

Tim Starks: Anyway, the panel is made up of approximately 30, if not precisely 30, experts from industry organizations like Microsoft, Comcast, explicit cybersecurity organizations. And their job is to advise the president on cyber and related issues. In this case, they put out a report that says CISA should - CISA being the Department of Homeland Security's cyber agency - should put out - should create an office specifically devoted toward harmonizing these regulations and making sure that they don't conflict with each other and that they don't cause an undue burden. There are some other recommendations that are related to that process, but I think that's the headline bit. 

Dave Bittner: Right. 

Tim Starks: Is the idea that this organization thinks that CISA should create its own harmonization office. 

Dave Bittner: And why CISA? What makes them the agency of choice to ride shotgun on this? 

Tim Starks: Yeah, they put a good deal of thought into that. And at the hearing yesterday where they approved this, there was some discussion. Should it be at the Office of the National Cyber Director because it's got the White House nexus, it's got this sort of cross-government nexus? Should it be, even, Commerce Department? And they settled on CISA because - well, there are a few reasons. 

Tim Starks: One is that CISA, with one exception, doesn't have any real regulatory authority. So when it's interacting with regulators, it is more an advisory, technical assistance kind of role. And that's what they have in mind for this office. I think that's the main reason, but there were a couple of others they also talked about. That was the main reason. 

Tim Starks: There's an office that's already kind of doing this or another committee that's kind of doing some of this already. It was specifically created in response to the information sharing, incident response reporting law that Congress passed last year, knowing that this was going to be adding a regulatory rule that - to have a committee that works that out on a smaller scale. This would be a little bit more across all sectors. CISA has that overall job of protecting critical infrastructure, but they don't have necessarily assigned specific agencies for which - they do have a certain number of agencies for which they're supposed to - where they're the lead sector agency. But for the most part, that's farmed out to the particular agencies that normally have oversight of those things - Energy Department, electricity - that kind of thing. 

Dave Bittner: Why do you suppose that this committee thinks that CISA not having regulatory power is a feature? 

Tim Starks: Yeah, I think they think of it as, what's the existing relationship? And if the existing relationship is they've been serving in that role, then that allows them to continue serving in that role. And one of the things that you hear about CISA from time to time - even Jen Easterly, the director, has said she doesn't want it to be a regulatory agency. You do hear a fair amount of worry, particularly from the right side of the political spectrum, that CISA might become too regulatory. And one of the advantages, the argument goes, of CISA being nonregulatory is that they know that when people are going to come to them for help, the people who are victims are not going to have to be worried about what this will mean for them from a regulatory standpoint later if they've asked for CISA's help. 

Dave Bittner: I see. Now, it wasn't just about harmonization here. They had a few other suggestions. What other things are they looking for? 

Tim Starks: Yeah. They're looking for work on post-quantum cryptography, which is a big issue. They want CISA and NIST to be prepared for the future of quantum computers where they're going to make it a lot easier to break encryption - those computers. When and if they arrive, they want them to go ahead and start planning that, CISA and NIST, in particular to start working on that. They also want to ask - they've also asked CISA and the General Services Administration to come up with some language for when they are - for the buying and procurement of technology, what the government's preferences are on how secure those should be. 

Tim Starks: And another major recommendation was there's this program called Continuous Diagnostics and Monitoring that CISA is in charge of that's kind of - well, it's like it sounds. It is continuously being on the lookout for threats to federal agencies, and they want to see that expanded to incorporate other kinds of threats and, essentially, make that program more powerful and more ready to combat some of the modern threats. That's a fairly old program that has gotten updated from time to time. But they had specific things about talking about wanting to use zero trust and some of these more modern ideas about cyber that weren't really as prominent as when CDM was created. 

Dave Bittner: So this advisory panel submits their recommendations. What sort of timeline are we on for these being considered and possibly being put into action? 

Tim Starks: Yeah. It certainly matters how much the president wants to go along with this. If you look at their - the bylaws of the NSTAC, they say that - you know, that once the report is delivered, validated recommendations shall be reviewed by interagency to see how they can be carried out. It's not exactly binding. However, I think one of the things that gives it a little bit more oomph - first off, it's the president's own panel. He's - you know, he's turned to these - he's asked these people for advice. I don't think he's going to turn down the majority of it. He might turn down some of it. The other thing about the panel is that there was a discussion with the ONCD, the national cyber director's office. They had been working on a national strategy that is focused on pushing more regulatory approach to cybersecurity. And the person that was there, Rob Knake, said that this really dovetails with what they had in mind. Some of what is being put forward, I think you can say, has some real muscle behind it, even if there's no explicit regulatory rule-making muscle that NSTAC has. 

Dave Bittner: All right. Well, Tim Starks is the author of The Cybersecurity 202 at The Washington Post. Tim, thanks so much for joining us. 

Tim Starks: Always happy to be here. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.