The CyberWire Daily Podcast 3.2.23
Ep 1771 | 3.2.23

The US National Cybersecurity Strategy is out. Red-teaming critical infrastructure. Redis cryptojacker discovered. Roskomnadzor has banned several messaging apps. And hacktivist auxiliaries continue their nuisance-level activities.


Dave Bittner: The White House releases its U.S. National Cybersecurity Strategy. Red-teaming critical infrastructure. Redis cryptojacker has been discovered. Russia bans several messaging apps. Our guest is Kapil Raina from CrowdStrike with the latest on threat hunting. Dinah Davis from Arctic Wolf on the top health care industry cyberattacks. And hacktivist auxiliaries continue their nuisance-level activities.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, March 2, 2023. 

The US National Cybersecurity Strategy is out.

Dave Bittner: The White House this morning released its long-awaited, much-anticipated National Cybersecurity Strategy. The strategy's intention, the White House explained, is to secure the full benefits of a safe and secure digital ecosystem for all Americans. The White House shared that two primary goals of the strategy are to rebalance the responsibility to defend cyberspace by shifting the burden of cybersecurity away from individuals and onto specialized organizations in the sector, as well as to realign incentives to favor long-term investments by balancing threat defense with smart planning and investment. 

Dave Bittner: The strategy is planned to prioritize ease and effectiveness of cybersecurity implementation, quick recovery from incidents and reinforcement of digital values in three points highlighted by the administration - defensibility, resiliency and values alignment. The strategy has five core tenets - defend critical infrastructure, disrupt and dismantle threat actors, shape market forces to drive security and resilience, invest in a resilient future, and forge international partnerships to pursue shared goals. 

Dave Bittner: The Wall Street Journal makes an interesting point in noting that this strategy has a much wider lens than the government seems to have used in recent years. Sectors such as oil and gas pipelines as well as federal agencies have been brought into focus on a much smaller scale by the federal government in yesteryear, the Journal writes. 

Dave Bittner: The Washington Post makes note of the way the strategy also brings to light the role of U.S.-based services in foreign cyberattacks. The strategy identifies the ways foreign threat actors exploit U.S.-based cloud infrastructure, saying, often, these services are leased through foreign resellers who have multiple degrees of separation from their U.S.-based providers, hindering the ability of those providers to address abuse complaints or respond to legal process from U.S. authorities. 

Dave Bittner: The Post also notes the strategy's inclusion of four other initiatives - a potential approach to a federal cybersecurity insurance response in times of catastrophe, the slow adoption of IPv6, the White House's much-needed legislative assistance and early steps in the development of a strategy implementation plan. We'll be attending a press session this afternoon in which the administration will offer more perspective on the strategy, and we'll follow the story up tomorrow. 

Red-teaming critical infrastructure.

Dave Bittner: CISA has published the findings of a red team assessment the agency carried out against a large critical infrastructure organization last year. The operation, conducted at the request of the organization, lasted three months. The red team was able to gain access to two workstations via spear-phishing attacks. The team was also able to move laterally within the network but was unable to gain access to the organization's sensitive business systems after running up against multifactor authentication measures and time constraints. However, CISA believes that by using Secure Shell session socket files, they could have accessed any hosts available to the users whose workstations were compromised. 

Redis cryptojacker discovered.

Dave Bittner: Cryptojacking is back. Of course, it's never really been away, but there's a new threat actor giving the technique a bit of a surge. Cado Security researchers shared in a blog this morning their discovery of a campaign targeting insecure Redis deployments for cryptojacking. The campaign leverages an open-source command-line file transfer service, which has seen activity since at least 2014. The service, however, didn't see any malware distribution until researchers noticed it early this year. The Cado team suspects that the move to the file transfer service may represent an attempt to evade detection. 

Roskomnadzor has banned several messaging apps.

Dave Bittner: Russia's internet watchdog, Roskomnadzor, has banned nine foreign messaging apps, Computing reports. Roskomnadzor's statement singles out the apps as being foreign-owned and as providing a way for users to communicate directly with one another. The sender determines the recipient of the message with no possibility for public mediation of the content. And this direct, unmediated communication seems to be the more troubling aspect of the services. As Computing points out, other foreign-owned apps like Zoom remain acceptable. Roskomnadzor's statement makes no specific accusation of subversion or direct complicity with anti-Russian forces, as had marked earlier bans on Facebook and Instagram. The apps that fall under the new restrictions include Discord, Microsoft Teams, Skype for Business, Snapchat, Telegram, Threema, Viber, WhatsApp and WeChat. 

Hacktivist auxiliaries continue nuisance-level activities.

Dave Bittner: And finally, to turn specifically to Russia's war against Ukraine, there have been no reports of major cyberattacks in recent days, but hacktivists have remained active. The U.S. consulate in Milan, for example, had its Twitter account hijacked last week on Feb. 27, and the attackers used it to disseminate tweets associating Ukraine's government with Nazis, flags, swastikas and so on, the usual schtick. 

Dave Bittner: The State Department regained control of the account, but, Newsweek reports, not before the pro-Russian hacktivist tweets achieved about 140,000 views. Sure, those aren't really even teenage influencer numbers, but the hijacking has to be dealt with in any case. The State Department explained with what must have been the organizational equivalent of a weary sigh that the U.S. remained committed to its support of Ukraine and that, no, Foggy Bottom doesn't think that Kyiv is some kind of nest of Nazis. 

Dave Bittner: Coming up after the break, Dinah Davis from Arctic Wolf on the top health care industry cyberattacks. Our guest is Kapil Raina from CrowdStrike with the latest on threat hunting. Stay with us. 

Dave Bittner: Security firm CrowdStrike recently shared their 2022 Falcon OverWatch Threat Hunting Report, tracking the evolving adversary activity and tradecraft over the past 12 months. Kapil Raina is vice president of zero trust marketing and identity evangelist at CrowdStrike. 

Kapil Raina: Identity and the breach of identity and especially identity-related attacks has become a key element of most adversaries' arsenal. And this could be things like, you know, privilege escalation, lateral movement, things like that. So identity and the breach of identity has become so instrumental in many of the adversary attacks. So we've seen that kind of progress more so over the last year or two and more dramatically. And so that's definitely one key trend that we're definitely seeing. 

Dave Bittner: One of the things that you all highlighted here was that the bad guys are shifting some of their tactics here. You saw - particularly you highlighted phishing. What are you all tracking there? 

Kapil Raina: When we think about phishing, what we've seen is that, again, this is a pattern that's building is sort of targeted phishing is becoming more prevalent, right? So rather than kind of the generic spray and pray, that's definitely a pattern that we've seen again developing not just this last year, but over the last few years. We have definitely seen more sophisticated attacks where the - because they're more targeted, that, for example, the communication within that phishing content is a little bit more crafted. We've also seen now shifts to acknowledging the fact that a number of organizations have, let's say, multifactor authentication. And so kind of factoring that into the attack techniques in terms of essentially tricking someone to try and approve an MFA, for example. 

Dave Bittner: Well, based on the information that you all have gathered here, what are your recommendations for organizations to best defend themselves? 

Kapil Raina: So if you look at - there's a couple of ways to look at it. If you, for example, prescribe to the MITRE ATT&CK framework - right? - that's a great way to look and kind of lay out the tactics and techniques that a typical organization might face. And if you look at sort of a heat map, if you will, of where - for example, where our OverWatch team sees many of the threats, you'll see, again, as I alluded to earlier, that identity tends to be a key area. 

Kapil Raina: So if you can address and mitigate identity-related attacks, you can address - you may not be able to stop every single threat, but you can at least mitigate the threat so it doesn't continue. So, for example, you know, protecting your identity infrastructure - this includes things like Active Directory and domain controllers, you know, preventing certain legacy protocols from being used, for example, that could be breached, preventing certain types of access to domain controllers that shouldn't be allowed, you know, looking at behavioral analytics in terms of how things access this infrastructure. 

Kapil Raina: So that's one example. Another example is looking at the credentials themselves. Since many of these attacks eventually compromise a legitimate credential, then the question is, OK, has an adversary taken over a legitimate credential? Right? So has someone taken over, for example, Dave's access to your system? And so there we recommend looking at real-time information about credentials, how they're used, where they're used, whether they're for human credentials or even for other applications like service accounts there as well. 

Kapil Raina: So for example, we've seen typically - our own research has shown typically, an organization will have anywhere from - I would say about 25% or so of their accounts would be considered stale accounts. These are accounts that were given a certain set of privileges and permissions but were not actually accessed over typically anywhere from 30 to 90 days. And why that's important is because over time, that creates a bigger attack vector that you're not watching - and so really tightening those controls, looking at real-time analysis. 

Kapil Raina: The other area also to ensure that you really look at as we've kind of looked at all these different attacks is about 25% or so of attacks - you know, entry points or attacks into an organization will come from an unmanaged system. These are systems, for example, from your supply chain network or contractor where you physically can't touch that device. And so in that case, again, typically if a supplier or contractor is working within your environment, you're giving them a credential - so looking at identity-based analysis of how that credential is being used and then giving a risk score around it so you can real-time intercept potential risky behavior even if that system is not managed, which is super critical, especially in this day and age. 

Kapil Raina: And the last thing I would tell you is identity is not restricted to just, you know, endpoint, for example, but it's also something that we'll see in cloud as well. If you look at the cloud environments and the attacks there, there's a number of challenges that, you know, you would have on prem, if you have on cloud. So, for example, Microsoft - there was a recent disclosure that Microsoft AD Azure, Active Directory Azure, system had a number of issues. So, you know, looking at cloud holistically, as you do, for example, endpoint or anything else is super important. And then the final thing is if you're using IT infrastructure, it's always best to have it protected by a vendor that really - or organization that focuses on security. 

Dave Bittner: That's Kapil Raina from CrowdStrike. 

Dave Bittner: And joining me once again is Dinah Davis. She is the VP of R&D operations at Arctic Wolf. Dinah, it's great to have you back. I saw you and your colleagues over there at Arctic Wolf recently published a report just tracking some of the attacks on health care industry representatives there. Can we go through some of the ones here that caught your attention? 

Dinah Davis: Yeah. Yeah. So it's, like, the top-12 health care industry attacks of all time, right? So I thought we would go through the top four because, you know... 

Dave Bittner: OK. 

Dinah Davis: ...Those are going to be the most interesting, really. 

Dave Bittner: Right. Right. 

Dinah Davis: But... 

Dave Bittner: In the time we have... 

Dinah Davis: In the time we have, I thought, maybe not 12. 

Dave Bittner: Yeah. 

Dinah Davis: Yeah. So the average cost of a health care breach in the US is $10.1 million. And that number, that amount has already increased 41% in just two years. Right? And... 

Dave Bittner: Wow. 

Dinah Davis: From what we're seeing, the health care industry has the highest average cost of a breach 12 years running. So out of all the breaches that happen, it tends to be the most negatively impactful on health care organizations. So if we take... 

Dave Bittner: Wow. 

Dinah Davis: ...A look here at the top four, we can see how they kind of get attacked, the cost of that, how many people were affected, that kind of thing. So the top four - so we're going in, like, David Letterman order here, starting at... 

Dave Bittner: No. 4. 

Dinah Davis: Starting at No. 4 was the Excellus Health Plan, Inc. And it was a malware attack, and it cost $17.3 million, with 10 million people affected. So basically, they released names, date of birth, social insurance, all of that kind of stuff. And although the affected data was encrypted, the hackers gained access to the administrative controls, making that encryption moot. So... 

Dave Bittner: Wow. 

Dinah Davis: Not cool on that. 

Dave Bittner: Yeah. 

Dinah Davis: No. 3, Premera Blue Cross. So this was a phishing attack - you know, quite common that we see that. It cost quite a bit more than the last one - $74 million with... 

Dave Bittner: Wow. 

Dinah Davis: ...Eleven million people affected. Right? And so this was a phishing email to a Premera employee. The email included a link to the download - to download a document, and that document contained malware. So once the document was clicked, hackers were able to access the services. And even worse, the breach wasn't detected for eight months. 

Dave Bittner: Wow. 

Dinah Davis: Yeah. So not cool. Not cool. All right, No. 2... 

Dave Bittner: (Laughter). 

Dinah Davis: ...American Medical Collection Agency. So it's actually like (laughter) - this is a company that collects money on behalf of medical businesses and stuff like that. 

Dave Bittner: Right. These are the folks they send after you... 

Dinah Davis: Yeah. 

Dave Bittner: ...If you if you don't - if you do not or cannot pay your bill. 

Dinah Davis: Yeah. So they're, you know... 

Dave Bittner: Yeah. 

Dinah Davis: ...Fun people. OK, but anyway... 

Dave Bittner: (Laughter). 

Dinah Davis: Anyway, it was hacked through the online payment portal that they used. It cost $21 million. And then it affected 21 million people. So this one affected more people - cost a little less, but affected more people than the Premera Blue Cross. 

Dave Bittner: So there was some vulnerability in the webpage itself? 

Dinah Davis: Yeah, in the third-party supply chain attack, essentially. 

Dave Bittner: Ah. 

Dinah Davis: In the third-party tool they were using to do, like the payments and make the payments happen. Yeah, so there was an issue with the third-party payment tool that they were using to collect the payments, and that was able to be hacked. So they have since changed providers. They have a lot more strict rules around it, but definitely not cool. OK, finally, the No. 1 one - (singing) the No. 1, the No. 1. 

Dave Bittner: (Laughter). 

Dinah Davis: OK, Anthem. So this was also a phishing/malware attack. It cost $115 million. 

Dave Bittner: Wow. 

Dinah Davis: And 78 million people were affected. Basically, the attackers accessed a corporate database with a phishing email and stole nearly 79 million records containing patient and employee data. It's the largest health care industry cyberattack in history. I think that one actually happened, like, in 2012 as well. I don't have the information in front of me, but it happened a while ago. So hopefully that means, you know, a lot of these organizations are getting smarter, are paying more attention to what they need to do to keep their patients' data safe. I mean, we even just recently saw SickKids Toronto get attacked. 

Dave Bittner: Right. 

Dinah Davis: And interestingly there, the attackers gave the decryption key back for free - probably not out of the goodness of their heart, though... 

Dave Bittner: (Laughter). 

Dinah Davis: ...Probably more because that was drawing a little too much attention to attack, you know, this really important hospital for sick children, most of whom have cancer. It's pretty evil. But nice to see they gave it back anyway. But, yeah... 

Dave Bittner: Yeah. 

Dinah Davis: ...You know, I think things are - you know, a lot of companies are putting a lot more effort into their defenses. 

Dave Bittner: It's such an interesting thing, isn't it? I mean, on the one hand, you would hope that there were some kind of set of norms where these were not organizations that would get hit for the reasons you just described, you know? These are life-and-death situations here. But the flip side of that is that these are the folks who - their mission is about as critical as it gets. So they have to get up and running as quickly as possible. They're more likely to pay that ransom... 

Dinah Davis: That's exactly it. 

Dave Bittner: ...Or, you know, whatever it is to get things going. And what a terrible tension there that exists between those two things. 

Dinah Davis: Agreed. 

Dave Bittner: Yeah. All right. Well, interesting stuff. Dinah Davis, thanks so much for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. 

Dave Bittner: This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. I'll be on vacation for the next week or so, and Tre Hester will be behind the mic. I hope you'll give him your kind attention. I'll see you back here in about a week. Thanks for listening.