The CyberWire Daily Podcast 2.23.23
Ep 1766 | 2.23.23

Hybrid war and cyber espionage. Ransomware in the produce aisle. Bypassing security filters in a BEC campaign. Identity-based attacks. Avoid pirated software. And what the bots have been scalping.


Unidentified Person: You're listening to the CyberWire network, powered by N2K.

Dave Bittner: Cyberattacks in Russia's war so far and their future prospects. The Lazarus Group may be employing a new backdoor. Clasiopa targets materials research organizations. Ransomware interferes with food production. Evernote is used in a BEC campaign to bypass security filters. Identity-based cyberattacks. Pirated versions of Final Cut Pro deliver crypto miners. Caleb Barlow has thoughts on Twitter, Mudge and lessons learned. Marc van Zadelhoff from "Cyber CEOs Decoded" podcast speaks with Amanda Renteria, CEO of Code for America, about attracting diverse talent. And what have the scalper bots been up to lately? 

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, February 23, 2023. 

Cyberattacks in Russia's war so far, and their future prospects.

Dave Bittner: Today marks the end of the first year of Russia's war against Ukraine. That special military operation, as official Russia calls it, has been surprising, especially in its duration and in the stark contrast between Russian and Ukrainian combat performance. It's perhaps been most surprising in the way in which Russian cyber offensives have fallen so far short of expectations. In the course of reviewing five predictions made at the outset of the war, Breaking Defense concludes that cyber has not been the game changer it was widely expected to be. 

Dave Bittner: The analysis concludes that the much-discussed and much-feared cyber Pearl Harbor didn't materialize for two main reasons. First, cyber weapons, as Breaking Defense puts it, are generally one-time use. That is, once they're employed, they're blown and not easy to reuse against a prepared and responsive defender. Second, effective defense and resilience have been shown to be possible. The analysis says, even the most obvious and expected use of cyberattacks - the degradation of civilian infrastructure like the electrical grid - has come entirely from kinetic effects. Cyber operations haven't been irrelevant, and skirmishes in cyberspace have marked Russia's war since before its troops crossed the Ukrainian border. But they haven't been decisive and, on the Russian side, at least, haven't been well-integrated into a combined arms effort. 

Dave Bittner: It seems unlikely to Breaking Defense that any surprises will develop. They write, and while it is possible that Russia still has some unused capabilities, that seems unlikely, since the Russian strategic situation has become desperate, with no new capabilities becoming evident. That likely means they do not exist. 

Dave Bittner: None of this means that Russian operators haven't been trying. Their attempted cyberattacks have maintained a high operational tempo. The Record cites a report by the Netherlands' General Intelligence and Security Service and Military Intelligence and Security Service. That report says that there have been many more attacks than have so far come to light, stating, before and during the war, Russian intelligence and security services engaged in widespread digital espionage, sabotage and influencing against Ukraine and NATO allies. But, again, the attacks have been poorly integrated with other arms, and their effects have been lost in the overwhelming noise of kinetic destruction inflicted by missile and artillery fire, bits and bytes lost in the crack and ammoniacal stench of high explosives. 

The Lazarus Group may be employing a new backdoor.

Dave Bittner: Other cyberespionage groups remain active, of course, and active in places other than Ukraine. ESET this morning reports that North Korea's Lazarus Group may be deploying a new backdoor, WinorDLL64, through its Wslink downloader. The researchers write, the WinorDLL64 payload serves as a backdoor that most notably acquires extensive system information, provides means for file manipulation, such as exfiltration, overwriting and removing files, and executes additional commands. Interestingly, it communicates over a connection that was already established by the Wslink loader. The connection to the Lazarus Group is circumstantial but convincing. Its development, environment, behavior and code show overlap with known Lazarus samples, and the victimology is consistent with observed Lazarus targeting. 

Clasiopa targets materials research organizations.

Dave Bittner: Symantec describes a previously unobserved threat actor the company calls Clasiopa that targeted a materials research firm in Asia. The threat actor uses a combination of publicly available and custom-made malware tools, including a bespoke remote access Trojan called Atharvan. Clasiopa also may have abused two legitimate software packages in its attacks. Symantec says there's no firm evidence pointing to who might be behind Clasiopa. Some of the threat actor's malware contains references to India and Hinduism, but the researchers believe these are too obvious. They could well be false flags. 

Ransomware interferes with food production.

Dave Bittner: Noticed a shortage of prepackaged salads in the produce aisle? You're not alone. A ransomware attack on Dole PLC led the company to interrupt operations at its North American processing plants, CNN Business reports. A February 10 memo from the senior vice president of the company's fresh vegetables division said, Dole Food Company is in the midst of a cyberattack and have subsequently shut down our systems throughout North America. The shutdown affected deliveries of salad kits to food retailers. The specific strain of ransomware involved has not been publicly disclosed. 

Evernote used in a BEC campaign to bypass security filters.

Dave Bittner: Avanan warned today that attackers are abusing the note-taking app Evernote to host malicious links they're distributing in a business email compromise scam. Avanan researchers observed an attack in which an account belonging to the president of an organization was compromised. The attackers used the account to send phishing emails with a link to an Evernote page purporting to contain a secure message. The Evernote page hosted a link to a credential-harvesting phishing site. 

Identity-based cyberattacks.

Dave Bittner: Identity and access management platform provider Oort this morning released their 2023 State of Identity Security report, which details prevalent identity attacks that occurred in 2022, the weaknesses in multifactor authentication and related issues in the IAM industry. Researchers reference this month's attack on Reddit, where attackers were capable of getting both a password and one-time password from the victim, as well as attacks from cybercriminal gang 0ktapus. 0ktapus targeted Twilio and are suspected of having targeted Coinbase. Such incidents have motivated a push from the security community toward phishing-resistant MFA, as the use of these strong second factors has only accounted for 1.8% of all logins. Just over 40% of organizations observed had a weak MFA or none at all, showing a lot of holes for attackers to potentially exploit. 

Dave Bittner: On average, just under a quarter of a company's accounts are dormant, and these often have fewer activity monitors and controls in place. Oort found, for example, that in August 2022, password-guessing attacks by threat group APT29 targeted dormant mailboxes. The cybercriminals guessed the password of an account that had not been set up correctly. Research from the last two months of 2022 also showed an average of just over 500 attack attempts against inactive accounts. 

Pirated versions of Final Cut Pro deliver cryptominers.

Dave Bittner: Researchers at Jamf have discovered a new family of macOS crypto-mining malware. The malware is evasive and can sometimes pass security measures on machines running macOS Ventura. The malware is delivered via a malicious version of Final Cut Pro which has been modified to install the XMRig miner in the background. The researchers discovered the software being offered on Pirate Bay. Since crypto mining requires a significant amount of processing power, Jamf says, it is likely that the ongoing advancements in Apple ARM processors will make macOS devices even more attractive targets for cryptojacking. Want to reduce this risk and others like it? Stay away from pirated software. 

State of the scalperbots.

Dave Bittner: Netacea yesterday released their “Quarterly Index: Top 5 Scalper Bot Targets of Q4 2022”, detailing the most-scalped items. The research found that PlayStation 5 consoles came in at No. 5, but the resale value of the consoles diminished in the C2C markets, as Sony was able to begin replenishing their stock, thus reducing supply-side pressure on prices. Nike Dunk Low Panda sneakers topped the list, followed by two different Air Jordans sneaker pairs. 

Dave Bittner: And, "Lover," yes, you there wearing a "Cardigan" and on your "White Horse," yes, you - are you "Ready for It?" You knew this "All Too Well," but in an unsurprising fourth place, we have the highly publicized Taylor Swift Eras Tour tickets, resold at exorbitant prices. Some have been seen as high as $31,000. 

Dave Bittner: So who didn't make the top five? Well, given the chip shortages late last year, some favorites didn't even place or show. While NVIDIA 40-series graphics cards, as well as Apple's iPhone 14 Pro Max, were the target of much scalping by dips when there weren't so many chips, these didn't find their way into the top five - not yet, anyway. 

Dave Bittner: Coming up after the break, Caleb Barlow has thoughts on Twitter, Mudge and lessons learned. Marc van Zadelhoff from "Cyber CEOs Decoded" podcast speaks with Amanda Renteria, CEO of Code for America, about attracting diverse talent. Stay with us. 

Dave Bittner: Marc van Zadelhoff is host of the "Cyber CEOs Decoded" podcast, part of N2K's CyberWire network. Today, we're featuring a segment from a recent interview Marc did with Amanda Renteria, CEO of Code for America. 

Marc Van Zadelhoff: Amanda, welcome to the show. 

Amanda Renteria: Thanks for having me. 

Marc Van Zadelhoff: Amanda is the first Mexican American woman from a small town to be accepted to Stanford University, where you did - you were on the basketball team there, earned a BA in economics and political science with honors. After undergrad, you spent four years in the private sector in Los Angeles as an investment analyst. So you honed your skills there. You went to a small school near me called Harvard Business School, and you focused on public nonprofit management. And then after graduation, you had the most fascinating career in the public sector. When I met you - you were working for - I believe, for Sen. Feinstein when I met you. 

Amanda Renteria: When you first met me, yeah, might have been for Sen. Feinstein. Yeah. 

Marc Van Zadelhoff: But you also worked for the city of San Jose as special consultant, had a lot of experiences. So walk us through - you know, you got out of HBS, Harvard Business School. Today, you're at Code for America, running this - which we're going to spend some time about in a few minutes. But give us the middle of that sandwich. 

Amanda Renteria: Yeah. So it was interesting 'cause I went to Harvard Business School not exactly knowing where my path was going to go. But before, I had worked at Goldman Sachs. And I'd also went home to teach and coach in my hometown. And so I was trying to figure out what's the in-between of that, right? And so that's why I went to the city of San Jose. And everyone thought I was crazy when I graduated. But I really got to see some of the inner workings. And then from city of San Jose, I ended up getting on the Hill, working for Feinstein, working for Sen. Stabenow as her chief of staff during a really interesting time where the Affordable Care Act passed, where we had a restructuring of the auto industry. 

Amanda Renteria: It did lead me to recognize that - how can I help actually expand the perspectives of who is at the table, who's writing laws, who's thinking about these things? I mean, I still remember the testimony where folks said the internet was a, you know, bunch of tubes. And when I looked at my colleagues who are younger and my age, you know, we're like, what is going on? Like - but anyway, that led me to really explore the politics side - so both running for Congress, but then also being asked to be Hillary's national political director in 2016. 

Marc Van Zadelhoff: Hillary - what was it like working with Hillary? What's that really like? 

Amanda Renteria: Yeah. It was an incredible, intense, competitive, just in general, you know, environment in the world to try and win a presidential election. So I'll say she's incredibly smart and just really - when you think of an executive and you think of executive with just a depth of experience who wants to lean into a world that looks different, particularly for women - it was eye-opening. It was eye-opening in a lot of ways - one, the seriousness by which she brought - 'cause she was at the State Department - she understood this international, global world at a time when we weren't having a discussion about Russia and Ukraine, right? She understood what was at stake when it came to women. And, like - so in some ways, I felt like being on that campaign, I was getting an early view with, like, an extremely smart professor who could see, you know, the edges of what we live in today. 

Marc Van Zadelhoff: Those are the best bosses, right? I mean, you said, like, three things - you know, encouraging, you know, balance, interested in you as a person and then still demanding excellence, right? And I think sometimes, you have a boss that does one or the other. But all three - it's great. So just leadership style - how would you describe your leadership style? What are your core things that you do? 

Amanda Renteria: Well, it's funny. We're just coming off of, like, a week of having my executive team together, in person, in the same room but for the first time ever in 2 1/2 years, largely because we were built in crisis mode, right? And so in some ways, we've gotten really good at reactionary. But it's very much like a basketball team, right? I mean, I do see it very much as a coach to a team, largely because - I call Code for America - we're a little bit nonprofit. We're a little bit technology company. And we're a little bit government. 

Amanda Renteria: So the truth is no one on my executive team could actually - on the one hand, we're a team because not everyone's a good three-point shot, right? Not everyone's a good big man. And so that's my style - is it's much more of a coaching, how are we going to do this? - kind of style together because it's also modeling for our teams that are very, very, very cross-functional. But I mean, I got to say, we have fun while we do this. And it's hard stuff. But we, as a team, I would say - I'm pretty based on, we've got the play. Go run. 

Marc Van Zadelhoff: What are some tips for cyber CEOs or any managers in the cyber space on how to bring diverse talent into the workforce? 

Amanda Renteria: Be intentional. For us, we have, from the very beginning - our executive team is majority women and people of color. We look at metrics all the time. So every single all-staff - right? - we have our metrics of, how are things looking? And over the course of time, we've really moved the needle. But I'll also say, I worked on the front lines. And we tell those stories so that not only that you're comfortable coming into Code for America - and we're still always working on that - but that you see yourself in not only our mission but what it could be for someone else and it be better than your experience. As I said before, like, if you don't have a good three-point shot - right? - like, your team - it hurts the team - right? - if you don't have the big man. And our work is so spread in these different areas that we need that kind of - yeah, we just need that kind of involvement. 

Marc Van Zadelhoff: So, Amanda, I'm going to close it out there. Thank you so much for joining "Cyber CEOs Decoded." 

Amanda Renteria: Great to see you. Take care. 

Dave Bittner: That's Marc van Zadelhoff from the "Cyber CEOs Decoded" podcast, speaking to his guest, Amanda Renteria. You can find the "Cyber CEOs Decoded" podcast wherever you get your podcasts. Do check it out. 

Dave Bittner: And I'm pleased to be joined once again by Caleb Barlow. He is the founder and CEO at Cylete. Caleb, it's always great to welcome you back. I want to touch base with you and get kind of a reality check on some of the things that we're seeing over at Twitter. Lots of changes over there. And I have no doubt you have some insights here, some perspectives. 

Caleb Barlow: Well, you know, Dave, now it's been a few months after the explosive congressional testimony of Mudge Zatko. And, you know, Elon Musk actually now - well, he owns Twitter. 

Dave Bittner: Yeah. 

Caleb Barlow: So, you know, let's talk a little bit about what we can learn from this episode. And I think we first have to acknowledge that this fiasco at Twitter had the makings of a Hollywood script. You know, we had the world's richest man, at least at the time, along with a well-known and somewhat controversial security leader alleging very serious security vulnerabilities at the social network as part of what was a, you know - and I think this is important to underscore - a legal disclosure of a whistleblower complaint. But once we get past all the hype, I think there's a couple of things that we really need to take away and learn from this. 

Caleb Barlow: So first off, you know, a lot of what was discussed here and later verified - I mean, what, of course, is also interesting is Elon stepped in. A lot of this stuff got validated versus swept under the rug. You know, we're past the point where security basics aren't material. You know, and I think a most simple way to look at this - and, of course, the dialogue at Twitter was largely around identity and access and separation of duties and who had access to all of these Twitter accounts - that, of course, ended up being almost everybody. But... 

Dave Bittner: Yeah. 

Caleb Barlow: ...You know, let's put it the most basic way, right? If you do not have endpoint protection in place, network segmentation, logging of security controls, then we're in the realm of negligence, especially if you're a public company. And, now, none of the 52 different breach-disclosure laws call that out that simply, but I think one of the things that this really brought to light, especially - not so much in the - you know, the congressional testimony but what was playing out on LinkedIn - is people look at this and go, hey, this just isn't acceptable anymore not to have these kind of security controls in place. 

Dave Bittner: Well, and what about - we saw the sort of, you know, folks fleeing the organization. There were so many high-level people who left Twitter and certainly many who were let go. But to what degree do you think that was kind of a reflection that, I can't stick around if this is what's going on? 

Caleb Barlow: Well, I think this is a really important point in this kind of episode. Now, you know, there's this importance of standing up when things aren't getting fixed from a cybersecurity perspective versus, you know, just taking the title, being in the role, getting bonused and promoted and not saying anything. And what is fascinating about this situation at Twitter is as Mudge stood up and gave his testimony, particularly on LinkedIn, you saw people kind of taking sides, right? On one hand, you had people saying, hey, these security vulnerabilities are awful. This isn't acceptable. On the other hand, you had people saying, hey, what he's doing isn't acceptable. You know, every CISO steps into a role where there are problems and issues. And part of this is the job to get it done. 

Caleb Barlow: But the question I come back on is all those other people that were kind of running for the gates when this was going down - there were a lot of security people at Twitter. Where are the internal disclosures? You know, did these other people kick and scream? You know, I don't think anyone is expecting everyone to take it to the extreme that Mudge did and file a whistleblower complaint. But if these alleged vulnerabilities were actually happening, there should be a whole series of internal disclosures from these security professionals highlighting the risk. 

Caleb Barlow: And I'm sure there are plenty of people in meetings looking at these issues. But if they didn't take the step of actually saying, no, this isn't acceptable on those internal meetings and disclosures - and, you know, you've got things you have to do for Sarbanes-Oxley every quarter. Like, where is this stuff? You know, there's a great quote from Martin Luther King, not that MLK was in any way focused on cyber with this quote. I mean, that was clearly before his time. 

Dave Bittner: I'm hanging in here with you, Caleb. 

Caleb Barlow: OK. 

Dave Bittner: I'm hanging in here. (Laughter). 

Caleb Barlow: But I think this really applies, right? In the end, we will remember not the words of our enemies but the silence of our friends, Martin Luther King - right? 

Dave Bittner: Oh, OK. OK. Yeah. 

Caleb Barlow: And I think that really applies here - right? - where one of the things we can't have is just one person standing up, saying, hey, something's wrong here. Where is everybody else and their duty to act in this situation? 

Dave Bittner: What about - where's your loyalty, Caleb? Where's your, you know, move fast and break things? We don't - you know, we don't have time for those pesky sorts of ethics. 

Caleb Barlow: Well, I think that's where this dialogue got really interesting in some of the LinkedIn dialogues. And this is probably one of the most important takeaways that I think executives need to recognize. You know, your own employees, contractors and partners are going to turn you in if you aren't following security basics. There are whistleblower provisions now from the SEC and pretty much any party selling to the government. Now, although we haven't seen a ton of cases unfold here yet, I mean, there's just not a lot of case law in place yet. These laws are in place, and they're likely coming. 

Caleb Barlow: And this example had, you know, actors coming right out of central casting. I think we've got to start to look at this much like the case of how we would look at financial fraud, right? If someone was cooking the books, there would be a whole bunch of people standing up and saying, hey, this isn't acceptable. You know, cyber fraud is really right in line with financial fraud because if you don't have basic security provisions in place or worse yet, these security provisions are being breached, you're committing fraud, and this is material. 

Dave Bittner: And do you think that's where we're headed? 

Caleb Barlow: I very much do. But the key here is it's not going to do any good if people are just disclosing these things. We're going to have to see regulators catch up and actually go in and prosecute some of these. 

Dave Bittner: All right. Well, interesting insights. Caleb Barlow, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.