The CyberWire Daily Podcast 3.1.23
Ep 1770 | 3.1.23

How an attack led to a breach that enabled further social engineering. Forensic visibility in the Google Cloud Platform. Hacktivist auxiliaries. Two 8Ks and a free decryptor.


Dave Bittner: The LastPass data breach built on an earlier attack; forensic visibility and the Google Cloud Platform; an overview of hacktivist auxiliaries in Russia's war against Ukraine. Dish acknowledges sustaining a cyberattack. MKS Instruments discloses a ransomware incident. Carole Theriault has a lesson about ChatGPT and school systems. Ann Johnson from "Afternoon Cyber Tea" speaks with Stacy Hughes from Voya Financial about her journey to being CISO. And Bitdefender releases a decryptor for MortalKombat ransomware.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, March 1, 2023. 

Attackers in LastPass data breach built on an earlier attack.

Dave Bittner: Password manager LastPass disclosed a second breach of their systems on Monday. A threat actor leveraged information from an August breach to target the home computer of a senior employee. In what the company has called a coordinated second attack, the company's Amazon AWS cloud storage servers were accessed and data was stolen, Bleeping Computer wrote Monday. LastPass has disclosed that the 2022 breach ended on August 12 when the threat actor pivoted from the first incident but was actively engaged in a new series of reconnaissance, enumeration and exfiltration activities aligned to the cloud storage environment spanning from August 12, 2022, to October 26, 2022. Naked Security says that the password manager notes that this second incident saw the threat actor take advantage of data made available in the first breach before the systems were reset to enumerate and ultimately exfiltrate data from the cloud storage resources. 

Dave Bittner: LastPass stressed in its disclosure that the data from the first attack requires decryption keys that were not available to the hackers, which is why this threat actor leveraged the stolen data to target one of the four DevOps engineers who had access to the decryption keys needed to access the cloud storage service. The company says that the employee's home computer was targeted via a vulnerable third-party software that allowed for remote execution and the implementation of a keylogger. The keylogger eventually gave way to the engineer's master password, after MFA authenticated, for the corporate vault. LastPass goes on to explain, the threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources and some related critical database backups. So the cycle in the last two attacks was like this - steal data, conduct further reconnaissance, use the stolen data for social engineering and attack again.

Forensic visibility and the Google Cloud Platform.

Dave Bittner: Mitiga has published research looking at Google Cloud Platform, concluding that the service has a significant forensic security deficiency in Google Cloud Storage that enables a threat actor to exfiltrate in a covert manner. The researchers found that an attacker with access to a GCP storage bucket could steal data without leaving any obvious signs. The problem stems from the fact that GCP uses the same log description for a variety of different actions, including reading files, downloading files, copying files to an external server or reading the metadata of a file. As a result, all of these actions will simply be logged as storage.objects.get. While Google doesn't consider the scenario Mitiga describes to be a vulnerability, Google says it appreciates Mitiga's feedback and has worked with them to develop some recommendations for improvement. 

An overview of hacktivist auxiliaries in Russia's war against Ukraine.

Dave Bittner: GroupSense's Cyber Warfare Report, a look at the first eight months of Russia's war against Ukraine, offers a useful overview of the role hacktivist auxiliaries have played in that war. The report says, interestingly, more hacktivist groups are openly pro-Ukraine than pro-Russia. Russia tends not to report on external cyber activities, so it is not known how effective these groups have been. However, we do know that there are more pro-Ukrainian groups than pro-Russian ones. GroupSense counts 42 hacktivist actors working in the Ukrainian interest as opposed to 36 acting on behalf of Russia. The most prominent of the Ukrainian groups is the IT Army of Ukraine. The auxiliaries' most typical activities have been distributed denial-of-service attacks, but they have also been seen engaged in doxxing and various forms of influence operations. Some of them have assisted with intelligence collection, and, on the Russian side, some hacktivist auxiliaries have deployed wiper malware against Ukrainian targets. Some of the wipers appeared to have been delivered by ransomware gangs, which suggests the source of some of the talent present in the Russian auxiliaries.

Dish acknowledges sustaining a cyberattack.

Dave Bittner: The Verge reports that it's obtained an internal DISH Network email advising employees that it was investigating a cybersecurity incident and that Dish is aware that certain data was extracted. Official confirmation came from the company late yesterday when a Form 8-K filed with the U.S. Securities and Exchange Commission disclosed that the IT issues were indeed caused by a cyberattack. The 8-K reads in part, on February 23, 2023, DISH Network Corporation announced on its earnings call that the corporation had experienced a network outage that affected internal servers and IT telephony. The corporation immediately activated its incident response and business continuity plans designed to contain, assess and remediate the situation. The services of cybersecurity experts and outside advisers were retained to assist in the evaluation of the situation. The corporation has determined that the outage was due to a cybersecurity incident and notified appropriate law enforcement authorities. The filing further identified the incident as a ransomware attack. DISH continues to maintain the same advisory on its homepage it's displayed since the incident came to light. We are experiencing a system issue that our teams are working hard to resolve. But now, the nature of that system issue is a bit more clear. 

MKS Instruments' 8K discloses ransomware incident.

Dave Bittner: MKS Instruments, by their own description, a Massachusetts-based supplier of instruments, systems, subsystems and process control solutions that measure, monitor, deliver, analyze, power and control critical parameters of advanced manufacturing processes, has filed a Form 8K with the U.S. Securities and Exchange Commission disclosing a ransomware attack and describing the attack's consequences. John T.C. Lee, president and chief executive officer of MKS, said we are well into the recovery phase of our manufacturing and service operations following the ransomware incident identified on February 3, and we expect these operations will be restored over the coming weeks. I'm very thankful for our dedicated employees who have worked tirelessly to help bring interrupted systems back online. Since the ransomware will have a material impact on the company's first-quarter results, and it's still unclear what that impact will be, MKS is delaying its first-quarter guidance. Nonetheless, the company currently estimates the impact from the incident on first-quarter revenue to be at least $200 million out of revenue expected to amount to about $1 billion. 

Bitdefender releases a decryptor for MortalKombat ransomware.

Dave Bittner: And finally, bravo, Bitdefender, for releasing a universal decryptor for MortalKombat ransomware. MortalKombat is a strain of ransomware related to Xorist. It was first observed in January of this year, active against victims in the U.S., the U.K., Turkey and the Philippines. The malware's only connection to the eponymous Mortal Kombat game is its threat to change victims' wallpaper to display a Mortal Kombat image. It's not spread by the game. If you've been affected, there's now a free decryptor available. Visit Bitdefender's blog if you need it. 

Dave Bittner: Coming up after the break, Carole Theriault has a lesson about ChatGPT and school systems. Ann Johnson from "Afternoon Cyber Tea" speaks with Stacy Hughes from Voya Financial about her journey to being CISO. Stay with us. 

Dave Bittner: Microsoft's Ann Johnson is host of the "Afternoon Cyber Tea" podcast. And in a recent episode, she spoke with Stacy Hughes from Voya Financial about Stacy's journey to being a CISO. Here's a segment from that conversation. 

Ann Johnson: On today's episode of Afternoon Cyber Tea, I am joined by Voya Financial Senior Vice President and Chief Information Security Officer Stacy Hughes. At Voya, Stacy is responsible for advancing the enterprise vision, strategy and roadmap for their industry-leading cybersecurity program. She has more than 20 years of experience leading complex IT initiatives within Fortune 500 financial technology organizations, most recently as the CISO of Global Payments, where she also held leadership positions across governance, compliance, accounting and the audit function. Welcome to "Afternoon Cyber Tea," Stacy. I am absolutely thrilled to have you on the program today. 

Stacy Hughes: Thanks, Ann. I'm so excited to be here. 

Ann Johnson: So when we think, then, about leaders and businesses in the financial sector, you see this broad spectrum of risks and attacks. From your seat as an enterprise financial sector CISO, can you tell me some of the trends you're seeing? Are the risks evolving? Are the risks staying the same? And same with the attacks - right? - do you see the attacks evolving? Or is it pretty much the same just on repeat? 

Stacy Hughes: We continue to see some of the same trends that have been in place over the past few years - for example, social engineering, phishing, ransomware, keeping in front of vulnerabilities, for example. However, I am starting to see, and I think the industry is starting to see as well, risks with different technologies. Over time, as we've continued, you know, cloud digital data transformations as well as artificial intelligence, for example, and more recently ChatGPT, we also need to be able to utilize those technologies in our environments and be able to do that in a secure way that makes sure we meet compliance requirements in privacy as well, too. And that's being able to help our businesses innovate and move forward. 

Stacy Hughes: However, I do see - with those great technologies, we also see that the threat actors take advantage of those new capabilities and technologies as well. And they're developing new tactics, techniques and practices against organizations. And as cyber professionals, it's really going back to some of the basics from an organization perspective in making sure that we've got, as an industry, very good security awareness with our employees as well as very good cyber hygiene. And to drill on that a little further, at Voya, our customers really entrust us with their savings. And we really view that as an honor and a privilege, which is why we take security so seriously - to make sure we're protecting the most valuable assets and uphold our customers' trust. 

Ann Johnson: Stacy, I've heard you talk about the art and the science of cybersecurity, and that concept really resonated with me. Can you explain what you mean by that to your listeners? And what do you view as cybersecurity art? 

Stacy Hughes: Yeah. So the science involves utilizing existing use cases and established frameworks that are currently in place, such as MITRE ATT&CK, and that can help you to really assist in what you're looking at from overall threat modeling. And the art of it requires really partnering with our business, with application owners and our development teams to really fully understand how applications work and determine what is unusual behavior. And, really, the partnering of the art and the science is what is utilized by teams to really help develop risk-based alerting to find that needle in a haystack. 

Stacy Hughes: And for example, if I were to log in from an unusual location, it may be normal activity for me, but it could also be a threat actor. Or I'm working remotely today from somewhere else other than my home. However, for example, if I log in to a new application that I historically have not utilized before, then that could be defined as potential unusual activity. So it's - really, the art and the science works together to help provide a very good perspective on the threat landscape and alerting. 

Dave Bittner: You can hear more of this discussion on the "Afternoon Cyber Tea" podcast. That's part of the CyberWire Podcast Network, available wherever you get your podcasts. 

Dave Bittner: ChatGPT has been all the rage, as you know if you've been listening to just about any news source lately. Our U.K. correspondent Carole Theriault has been digging into ChatGPT and school systems. She files this report. 

Carole Theriault: It's probably not really a surprise, but ChatGPT, released in late November 2022, has already sent many educators into a panic. I mean, students are using it to write their assignments, passing off AI-generated essays and problem sets as their own, writes The New York Times. Teachers and school administrators have been scrambling to catch students using the tool to cheat, but they're fretting about the havoc ChatGPT could wreak on their lesson plans. And recently professors at the University of Pennsylvania released a research paper called "Would GPT-3 Get a Wharton MBA?" And they documented in the paper how ChatGPT wrote and passed the final exam of the operations management module of an MBA degree. Apparently the bot did an amazing job. Not only are the answers correct, but the explanations are excellent, said one of the profs. 

Carole Theriault: ChatGPT is even being credited as a co-author on a handful of papers. Some publishers of scientific journals are banning or restricting contributors' use of an advanced AI-driven chatbot amid concerns that it could pepper academic literature with flawed and even fabricated research. And, of course, school systems are starting to freak out about plagiarism. In the United States, public schools in New York and Seattle have decided to block ChatGPT from their devices and Wi-Fi networks. In France, the prestigious Sciences Po University in Paris has also just announced a strict ban on its use. 

Carole Theriault: But really, let's think about this. Are these outright bans going to work? I remember being a kid facing a test I had failed to study for. I used to write some of the answers on my eraser and then, well, erase the evidence. But the institutional panic is, to me at least, expected. How can you identify plagiarism if a tool you use can provide unique answers every single time? And whilst this technological marvel is not bulletproof, it certainly doesn't get every answer right. Like a child, it is growing up fast and, I am sure, is going to impress us when we least expect it. 

Carole Theriault: What I'm trying to say is that surely we need to figure out a way to ensure that this tool can be used in a way that benefits the student, for example. I mean, the ultimate goal for education is surely not just to pass a written test, but how else can you measure what a student has absorbed? I don't want some yahoo who flew through medical school by cutting and pasting to advise me on a procedure or anything, really. And I'm sure I'm not alone there. So what can be done - perhaps a revival in oral exams where a student effectively has to prove knowledge through a discussion with an educator? I mean, maybe the future is not all about complete automation and AI control but a partnership where we need to figure out how to use these tools we develop to learn more efficiently and effectively. And I'm telling you, ChatGPT has just completed its very first pirouette. It was impressive. Just you wait to the next. This was Carole Theriault for the CyberWire. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.