The CyberWire Daily Podcast 3.15.23
Ep 1780 | 3.15.23

Patch Tuesday notes. SVB's collapse and the cybersecurity sector. SVR's APT29 is phishing for access to information. Trends in the Russo-Ukraine cyberwar. LockBit counts coup (says LockBit).


Dave Bittner: We've got notes on Patch Tuesday; Silicon Valley Bank's collapse and its effects on the cybersecurity sector. SVR's APT29 used a Polish state visit to the U.S. as phishbait; regularizing hacktivist auxiliaries. Our guest is Crane Hassold from Abnormal Security, with a look at threats to email. Grayson Milbourne from OpenText Cybersecurity addresses chaos within the supply chain. And LockBit claims to have compromised an aerospace supply chain.

Dave Bittner: From the CyberWire Studios at Data Tribe, I'm Dave Bittner with your CyberWire summary for Wednesday, March 15, 2023. 

Patch Tuesday notes.

Dave Bittner: We begin with a quick note about March's Patch Tuesday. Microsoft issued a total of 80 patches, eight of which it classifies as critical. One of them, CVE-2023-23397, is an elevation-of-privilege bug affecting Microsoft Outlook that's currently being exploited by attackers. Russia's APT28, also known as Fancy Bear, that familiar arm of Russia's GRU military intelligence service, has been exploiting this vulnerability since at least April of last year to target European government, military, energy and transportation organizations. Microsoft credited Ukraine's CERT-UA for the discovery of the vulnerability. Another actively exploited bug, CVE-2023-24880, is a security feature bypass vulnerability that affects Windows SmartScreen. Other vendors also published fixes for vulnerabilities. Adobe issued 106 patches for a variety of its products. And Mozilla patched 11 security bugs with version 111 of its Firefox product.

SVB's collapse and its effects on the cybersecurity sector.

Dave Bittner: Moving on from software to financial vulnerabilities, Friday's highly documented crash of Silicon Valley Bank may have been addressed, at least in part by government intervention, but its effects aren't over yet. After a bank run by depositors that drove SVB into insolvency, the FDIC has placed the bank in receivership and is working to find buyers. This significant institution's failure is expected to cause blowback for big tech, particularly for the startup ecosystem that surrounds it, and that includes the cybersecurity sector as well. 

Dave Bittner: Bloomberg explained Thursday, before the bank's closure, that it did business with almost half of all U.S. venture capital-backed startups and 44% of U.S. venture-backed technology and health care companies that went public last year. TechCrunch shared Friday afternoon that Polymath Robotics co-founder and chief executive Stefan Seltz-Axmacher preemptively transferred about half of his company's funds out of SVB on Wednesday evening, saying, "I saw that article and it was like - I don't know if I'm freaking out or not, but it's not worth the risk. I was thinking, you know, this is probably going to be something where everyone makes fun of me for being an early, panicky person, and that's fine because there's no upside to not being an early person to worry that I won't get 3.5% on some of our money for two weeks if I'm wrong." By mid-Thursday, he had successfully removed about 25% more of the company's remaining funds. His attempt early Friday to remove the last of the funds held within the bank was still pending.

Dave Bittner: Since then, the FDIC has said it would fully protect all deposits at the failed bank, including those that exceeded the normal $250,000 limit. But concerns remain that the caution Silicon Valley Bank's failure has prompted may make it more difficult for startups to secure investment. In any case, as companies recover access to their funds, the situation is stabilizing, but we can expect consideration in Washington and elsewhere of revisions to banking regulations. 

SVR's APT29 used Polish state visit to the US as phishbait.

Dave Bittner: BlackBerry has been monitoring a campaign by Russia's SVR. The researchers say the new NOBELIUM campaign BlackBerry observed creates lures targeted at those with interest in the Ministry of Foreign Affairs of Poland's recent visit to the U.S. and abuses the legitimate electronic system for official document exchange in the EU called LegisWrite. It partially overlaps with a previous campaign discovered by researchers in October 2022. NOBELIUM is the name under which Microsoft and others track APT29, also known as Cozy Bear. The campaign's objective appears to be cyberespionage, accomplished by penetration of European diplomatic organizations interested in aid to Ukraine. As BlackBerry notes, APT29's approach to gaining access to its targets involves routine phishing, but its actions on the objective, once it's in, are determined, clever and persistent. BlackBerry says its operators are known to be stealthy, extremely patient, and skilled in utilizing innovative intrusion techniques that abuse Microsoft technologies and services.

Ukraine's SSSCIP reports on trends in Russian cyber activity.

Dave Bittner: The State Service of Special Communications and Information Protection of Ukraine reviews trends in Russian cyber activity and notes the continuing close connection between cyberattacks proper and influence operations. The report's introduction argues that Russian cyber offenses are conducted by what amounts to an established community. Temporary fluctuations aside, the FSB's Gamaredon remains the most persistent of the Russian threat groups. Episodic lulls in Gamaredon's activity last summer seem to have been due to a lower operational tempo during reconnaissance phases of its campaigns. Gamaredon, however, is very far from being the only player, and a range of state groups and hacktivist auxiliaries have remained active throughout the war. The GRU's Fancy Bear and the SVR's Cozy Bear, to take two other agencies, are also prominently mentioned in dispatches. Nor should their kid brother, Belarus' GhostWriter, be overlooked either. These groups organize their operations around general goals and themes, without much evidence of direct command and coordination. 

Regularizing hacktivist auxiliaries.

Dave Bittner: Ukraine has also drawn hacktivists to its cause. Newsweek's Shaun Waterman has an account of how Ukraine's government is moving to bring the IT Army, in particular, towards status as a properly regulated cyber reserve. The motivation for doing so would be to bring clarity to the volunteer hacktivists' status under international law and to provide the sorts of controls over their activity that the laws of armed conflict suggest are appropriate. The closest model for the kind of reserve system Ukraine is establishing is found in Estonia. There, the Cyber Defense Unit forms part of the Estonian Defense League. 

LockBit counts coup against an aerospace supply chain.

Dave Bittner: And finally, SecurityWeek reports that the LockBit ransomware gang claims to have compromised Maximum Industries, a supplier of components to SpaceX. The prize LockBit claims to have obtained includes some 3,000 engineering drawings said to be certified by SpaceX engineers. The text of LockBit's communique makes it clear that the target is SpaceX, not its supplier. The gang posted an announcement on its dark web page, in a more fluent than usual but still recognizable dialect of Shadow Brokerese (ph), stating, "I would say we were lucky if SpaceX contractors were more talkative. But I think this material will find its buyer as soon as possible. Elon Musk, we will help you sell your drawings to other manufacturers, build the ship faster and fly away. And now about the numbers - about 3,000 drawings certified by SpaceX engineers. We will launch the auction in a week. All available data will be published."

Dave Bittner: SecurityWeek observes sensibly that ransomware gangs are known to include some whoppers in their claims and that LockBit's announcement should be regarded with cautious skepticism. LockBit has given the victims a deadline of March 20 to pay. 

Dave Bittner: Coming up after the break, Crane Hassold from Abnormal Security with a look at threats to email. Grayson Milbourne from OpenText Cybersecurity addresses chaos within the supply chain. Stay with us. 

Dave Bittner: The folks at Abnormal Security recently released the latest version of their email threat report, analyzing the trends they've been tracking through the second half of last year. For insights on what they found, I spoke with Crane Hassold, director of threat intelligence at Abnormal Security. 

Crane Hassold: When we look at the high-level statistics and the data, you know, more than a quarter of all BEC attacks - business email compromise attacks - that we're seeing on a daily basis are actually going to be engaged with - opened and read by their targets. And we know this because, you know, based on the way that we look at our data, there are a number of organizations where, you know, we're embedded into their defenses but not - you know, not set to do anything with those emails. And so we can see exactly what would happen if these attacks - when these attacks actually get through and bypass their existing defenses. 

Crane Hassold: And so, you know, 28% of those emails - of those BEC attack emails that come through - are actually read. And, astonishingly enough, 15% of those emails that are actually read are eventually responded to by employees, which sort of shows you the overall success rate of BEC attacks. You know, I think a lot of people, you know, look at most business email compromise attacks and - like, who would actually respond to one of these things? But based on the data and what we're seeing, the overall success rate for a BEC campaign is actually, you know, much higher than I think a lot of people expect. 

Dave Bittner: Wow. What do you suppose the root cause of this is? I mean, I guess what I'm curious is, you know, to what degree is it the fact that employees are having these emails put in front of them at all, that they're not being filtered out ahead of time, but then also being trained to recognize them and respond in an appropriate way? 

Crane Hassold: I think there are a number of reasons why these attacks are still so successful. You know, one is because they're relying on pure social engineering. You know, they rely on concepts - on behavioral concepts that have been around for literally thousands of years, right? So the same reasons that BEC emails are successful today are the same reason that any scam has been successful for hundreds of years, right? So they prey on trust, fear, anxiety, doubt, making it so that, you know, the email that you're seeing in front of them - whatever you're seeing in front of you is actually from who they say it's supposed to be from. And so, you know, that's - you know, one is just a pure weakness of human behavior. The other side of it is, from, like, a security awareness training perspective, a lot of those exercises are teaching people to not click on links and not open malicious attachments. When - and when you look at a BEC attack, it's nothing more than pure text. It's just nothing more than someone impersonating a trusted individual, trying to get them to do something or send some money that they wouldn't otherwise do. 

Crane Hassold: And then also, when you look at it - you know, when you look at who's actually responding to a lot of these, you know, a lot of it has to do with what someone's job actually is, right? So, you know, what we can see is more than three-quarters of sales specialists - so if a salesperson receives a BEC email and they open it, three-quarters of the time, they're going to respond to it. And the reason for that is that's what their job is, right? So they are trained to respond to incoming requests, no matter who they're from because, you know, that's how they make sales. And what's also really interesting is the employees that have the highest read percentage rates - so ones that are going to be actually opening the BEC emails - are actually the ones that are the most targeted. So accounts payable specialists, for example - 36% of the time they receive a BEC email, they're going to open it. Thirty-one percent of the time a - an HR specialist receives a BEC email, they're going to open it, again, because that's what they do on a daily basis. They receive requests from internal or external people and they're - you know, they try to follow up with those requests. 

Dave Bittner: One of the things that caught my eye in the report was the degree to which a really low level of employees report attacks to the security team. 

Crane Hassold: Yeah. So based on our data, we see that only 2% of actual malicious emails are reported to their internal security teams, which I think is much lower than I think you would expect it to be. But even going further than that, of the emails that are actually reported to a security team, 84% of them are actually completely legitimate emails or just spam. So they're not actual - actually malicious in any way, shape or form. And what that shows you is you're essentially - you have these internal security teams - these SOCs - that are receiving a bunch of, you know, false positives that are just making them spin their wheels. They're doing a lot of triage and review of messages that they shouldn't be looking at to begin with. And again, that goes back to a lot of the security awareness training that we've been teaching people to report anything that looks suspicious. Well, now, you know, since we've conditioned employees to do that, now they're reporting anything that they don't like or that they think could have a sliver of a chance of being malicious. And that causes, you know, our internal security teams to really be wasting a lot of time looking at false positive messages. 

Dave Bittner: Well, based on the information you've gathered here, what's your practical advice for folks to do a better job with this? 

Crane Hassold: Yeah, I mean, you know, as I mentioned, I think one of the biggest things when it comes to preventing these types of attacks and making sure that an organization is insulated from becoming the victim of a BEC attack is essentially to prevent the attacks from getting to the employees to begin with. You know, as we've seen with the data in this report, if a - if one of these - if a BEC attack reaches its destination, you know, there is a relatively, you know, large percentage of these employees that are going to engage with the attack. And so to prevent that from even becoming a possibility, making sure that organizations have email defenses in place that are equipped to detect and block these types of social engineering attacks from reaching employees' inboxes. And that means, you know, relying on things like behavioral analytics, making sure that an email defense is looking at the - looking at a message in a more holistic manner, understanding the relationships between senders and receivers, the context and content of the emails, instead of just relying on static indicators to hopefully block those previously known bad artifacts. 

Dave Bittner: That's Crane Hassold from Abnormal Security. 

Dave Bittner: And joining me once again is Grayson Milbourne. He is security intelligence director at OpenText Security Solutions. Grayson, it is always great to welcome you back to the show. I want to touch today on kind of where we stand when it comes to the supply chain. Obviously, you know, we all went through the pandemic together and suffered through that. What's your take on where we are today? 

Grayson Milbourne: Well, I think the supply chain is certainly still a very clear target for a lot of cybercriminal activity. And I think it kind of underpins why as to the - you know, the chaos that can be created when disruptions occur. And I'll have to say, I was somewhat pleased to see how we got through the last holiday shopping season. You know, there weren't as many, maybe, big disruptions as I was anticipating or hot product items that, you know, weren't able to be delivered. But what we have sort of seen so far in 2023 is, you know, a continued focus - and most recently, we saw CISA release a bulletin warning about supply chain attacks targeting the food supply industry. And so, you know, a lot of times, we think about supply chain, and it's a really massive thing, really. I mean, almost all goods and services have a moving part to how it, you know, gets from where it was created to the end destination. And so I think this just stuck out to me as, you know, another clever target that also has some really big dollar amounts behind it. So, you know, food shipments at scale can, you know, be hundreds of thousands, if not millions of dollars. And so they represent a - an attractive target for attackers. 

Dave Bittner: Yeah. Certainly, you know, few things more fundamental than food, right? I suppose water (laughter). 

Grayson Milbourne: Yeah. No, absolutely. Yeah. I mean, water is another one. You know, we've seen, unfortunately, several attacks take place. And thankfully, these things are more isolated. But, you know, internet-exposed systems that are responsible for controlling water purification plants. You know, we've seen examples in the past couple of years of these things being attacked. But then thankfully, you know, we've not seen damage come of it. Like, an employee recognizes that, hey, wait a second. You know, this mixture is completely off. What happened here? So I think, you know, understanding just how widespread supply chain really is and - all the way down to food and water. 

Dave Bittner: Yeah. What are your recommendations here? I mean, as - I think it's safe to say that perhaps things are settling down, but we're not completely out of the woods yet. 

Grayson Milbourne: Yeah, this is true. And I think, you know, we're probably not going to be out of the woods with respect to, you know, a focus on attacks that exploit relationships between businesses, which most often supply chain attacks are kind of like that. And I think there's some additional steps that businesses can take to mitigate their risk. You know, one is, you know, being mindful of these larger dollar amount transactions, particularly with, like, newer vendors. And so with supply chain issues, we see, you know, a supplier might run out. And so you're scrambling. And so, you know, you may indeed make a new connection with somebody else who is claiming to have the goods or services you need. And I think those are opportunities that hackers exploit to their advantage. You know, spending a bit more time doing the vetting process to ensure that a new vendor is in fact who they say they are - you know, that can go a long way. 

Grayson Milbourne: And then I think the other thing we see is that there's just, you know, an attack on the communications of how these things work. And so business email compromise definitely targets manufacturing. You know, we see this in our own threat report data year after year in that manufacturing is the No. 1 targeted industry just by, like, the number of infections that they're encountering. But, you know, back to kind of business email compromise, one of the things that often takes place is there's that bait and switch or a hijack of an email thread and - at the very final moments when an account number is modified. And so I think, you know, having a process in place for, like, dual verification - again, you can solve a lot of these risks just through proper process. And so instead of it being like that one last person says, OK, send the email. You know, there can be a second channel that reviews and confirms that the right information is being sent across. 

Dave Bittner: I mean, even to the point of if - I don't know - something's, you know, above a certain dollar amount, maybe that warrants a phone call in addition to an email. 

Grayson Milbourne: Yeah. And I like separating mediums. And so if you get, you know, an email, pick up the phone and talk - right? - or send a text because if one medium is compromised, you know, it could be not who you think on the other end. But if you switch it to a phone call, all of a sudden, you're introducing voice, and you have other layers of familiarity that are difficult to overcome as an attacker. 

Dave Bittner: Yeah. All right. Well, good advice. Grayson Milbourne, thanks so much for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at This CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.