The CyberWire Daily Podcast 3.21.23
Ep 1784 | 3.21.23

Threat group with novel malware operates in SE Asia. Data theft extortion rises. Key findings of Cisco's Cybersecurity Readiness Index. iPhones no longer welcome in Kremlin. Russian cyber auxiliaries & privateers devote increased attention to healthcare.


Dave Bittner: Novel malware operates in Southeast Asia. Data theft extortion is on the rise. Key findings of Cisco's Cybersecurity Readiness Index. iPhones are no longer welcome in the Kremlin. Russian cyber auxiliaries and privateers devote increased attention to the healthcare sector. Johannes Ullrich from the SANS Technology Institute tracks the scams following the failure of Silicon Valley Bank. Our guest is Chris Eng from Veracode, with a look at application security. And BreachForums seems to be under new management.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, March 21, 2023.

Threat group with novel malware operates in Southeast Asia.

Dave Bittner: Developers of the SIESTAGRAPH malware family, REF2924, have been observed shifting their focus from data theft to persistent access, Elastic reported yesterday. A new executable, Wmdtc.exe, is written in C# and referred to as "NAPLISTENER." The malware is said to evade "network-based forms of detection." NAPLISTENER is capable of processing incoming Internet requests, reading submitted data, decoding data from base64 format, and executing it in memory. Researchers shared that the REF2924 attacker is reliant on code from open sources and public repositories. The researchers share the abilities of the found sample, saying that "This unique malware sample contains a C# class called MsEXGHealthd that consists of three methods: Main, SetRespHeader, and Listener. This class establishes an HTTP request listener that can process incoming requests from the Internet, and respond accordingly by filtering malware commands and transparently passing along legitimate web traffic." Elastic has been tracking this threat actor, and has earlier reported that the combination of victimology, members of the Southeast Asian Regional Comprehensive Economic Partnership, and the absence of any obvious monetary motive suggests that the motive is probably collection of diplomatic intelligence.

Dave Bittner: Palo Alto Networks' Unit 42 has published its 2023 Ransomware Threat Report, finding that threat actors have significantly escalated their extortion tactics. By late 2022, threat actors were conducting data theft in 70% of ransomware attacks, compared to 40% in 2021. Additionally, the use of harassment as an extortion tactic rose from less than 1% in 2021 to 20% in 2022. Unit 42 writes, "Threat actors call and leave voicemails for corporate executive leaders and other employees, send emails to personnel or disclose victims' identities on a leak site or social media." The purpose of these activities is to make it uncomfortable for an organization to avoid responding to the threat actors and their demands. Manufacturing organizations, particularly in the US, were the most frequent targets for extortion attacks last year. The researchers think much of this shift in the attacker's preference is driven by manufacturers' observed tendency to keep older legacy software in operation. Manufacturers' particular reluctance to tolerate downtime, which is entirely understandable from a business perspective, also in some cases can give attackers additional leverage.

Key findings of Cisco's Cybersecurity Readiness Index.

Dave Bittner: Cisco released their Cybersecurity Readiness Index today, and it sheds light on organizations' ability to safeguard against cyber threats. The results suggest that an alarming number of companies are not at a strong enough level of protection against threats posited in cybersecurity today. The research found that only 15% of global organizations have what is defined as a "mature" level of readiness, meaning that they have implementations in place that are strong enough to defend against current cyber threats. 82% of the survey's respondents report expectations of a cybersecurity incident against their company in the next one to two years. Those surveyed also report bearing high costs due to underpreparedness, with 41% of organizations that reported an incident in the last year disclosing costs of at least $500,000. Some good that comes from this somewhat troubling report is that a majority of respondents, 86%, shared intentions to increase security budgets by at least 10% over the coming year. Cisco researchers also shared that reduced complexity and higher implementation of integrated platforms will lead to more successful and effective security resilience and preparedness. It is also important for company leadership to take stock of both strengths and weaknesses within their defenses and develop a plan to build around the weaknesses.

iPhones are no longer welcome in the Kremlin.

Dave Bittner: Citing reports in the Russian media outlet Kommersant, the Register says that members of President Putin's staff have been told to get rid of their iPhones, replacing them with Android devices, or with phones using either Chinese operating systems or Russia's homegrown Aurora. The Daily Star says that word around Moscow is that Apple products are particularly susceptible to monitoring by American intelligence services. It's a security measure, not economic retaliation against a company based in an unfriendly country, Russian commenters say. Users have been told that, by the end of the month, they should either toss their iPhones or "give them to the kids."

Russian cyber auxiliaries and privateers devote increased attention to the healthcare sector.

Dave Bittner: A review in SC Media tracks the recent trend on the part of Russophone cyber threat actors to attack the healthcare sector in countries unsympathetic to Russia's invasion of Ukraine. Prominent among the groups making the attacks are two criminal ransomware gangs, LockBit and BlackBasta (this latter generally regarded as a rebranding of the nominally defunct Conti) and the hacktivist auxiliary KillNet. CISA and the FBI urge threatened organizations "to prioritize patch management or network segmentation of known, exploited vulnerabilities, in addition to training users how to recognize and report phishing attacks and enforcing 'phishing-resistant' multi-factor authentication." It's good advice at any time and to anyone, but healthcare organizations might take special interest in it right now.

BreachForums seems to be under new management.

Dave Bittner: And finally, following the arrest of alleged BreachForums proprietor Pompompurin, another figure has stepped up to claim ownership of the criminal forum, the Record reports. The forum, well-known as a C2C market where stolen data was traded, is presently still inaccessible, but one "Baphomet" says he'll be bringing it back online soon. Saying, "Although I had already suspected it to be the case, it's now been confirmed that Pom has been arrested. I think it's safe to assume he won't be coming back, so I'll be taking ownership of the forum. I have most, if not all the access necessary to protect BF infrastructure and users." If Mr. Baphomet is as good as his word (and whom can you trust, if you can't trust someone with a demonological hacker name?) BreachForums will return shortly, staged in new infrastructure when Mr. Baphomet reopens the shop with hunting FBI.

Dave Bittner: Coming up after the break, Johannes Ullrich from the SANS Technology Institute tracks the scams following the failure of Silicon Valley Bank. Our guest is Chris Eng from Veracode, with a look at application security. Stay with us.

Dave Bittner: Security firm Veracode recently released their 2023 State of Security Software report, focusing this year on flaw introduction and what it means for an application's lifecycle when flaws are introduced. Chris Eng is chief research officer at Veracode.


Chris Eng: This time, we decided to look at a couple of different angles. We try to, you know, not report on the same thing every time. But in the past, we've looked a lot at flaw accumulation, like what is the security debt that accumulates in an application over time. And this time, we took a slightly different angle and we looked at flaw arrival. What does -- what are the patterns associated with when flaws appear in applications? Which is slightly different. And so one of the surprises for us was that, when you look at applications, you know, you're always adding new code, you're adding new features, right. Any website out there, any application's always growing, very rarely shrinking. And so despite the fact that code bases are growing at, on average, about 40% a year, we don't see the same rate of flaw introduction at that steady rate of, you know, that mirrors that 40%. Instead what we see is, you know, at the beginning, you discover some flaws. About 30% of applications have some flaws, which may have accumulated up to the point where they've, you know, did their first scan. But over the next year or year and a half, that flaw arrival rate actually decreases. Developers introduce fewer flaws. Not zero, but it goes down to like the 20% range. After which, you know, you get to that one, one and a half year mark, and then they start steadily rising again, to where, you know, after you -- if you look all the way out to like the five-year mark, it's back above that 30% again. So we've kind of labeled this in the report as honeymoon phase, where there's just this 12 to 18 month period where fewer flaws are introduced before it kind of goes back to, you know, what we expect, which is like applications, you know, code base grows, you introduce more flaws, right. Nobody's -- nobody's perfect. That was very interesting for us to see, that it didn't -- it didn't correlate with the code base growth.

Dave Bittner: Any insights as to why that might be?

Chris Eng: Yeah, it's a good question as to why this is happening. You know, we have the data that we can see what's happening, and we have to kind of make guesses about why that's happening. One of the reasons I think is that you have a certain amount of turnover with developers on a team. As the application gets more mature, as some developers move on to other projects, they may take some institutional knowledge with them about how that code base works. Also, as the functionality grows, as new features grow, you may -- let's say you're adding new integrations to the application, these are things that increase the surface area, they increase, you know, the connections, and the code base. And these are all things that, you know, somebody new that may join the project, you know, they may not know how everything fits together. And so they may end up introducing some flaws because they just, you know, they don't know about the security measures that are in place, or the ones that they need to take, or so on. But there are any number of reasons that I think this could happen. Software is complex, and that's kind of my initial guess as to why we might be seeing that pattern.

Dave Bittner: Yeah. You know, I guess it's safe to say that not all flaws are created equal. Is there any information that you are tracking here as to the severity of flaws?

Chris Eng: Yeah. We look at not only the different flaw categories but also, as applications are introducing new flaws, are they flaws that are, you know, important ones? Are they in the OWASP Top 10? Which is the, you know, 10 most common categories that affect web applications. Or are they in the CWE Top 25? Which is another taxonomy there. And when you look at, you know, are they introducing high-severity flaws, you know, those are actually a lot less prevalent than flaws in general, which is what you would hope, right. It tells you that developers and development teams are at least focusing on the right things. It's hard to kind of prevent everything from creeping in, but at least there's some effort being paid to make sure that developers understand about the ones that are going to be the most impactful, the most security impacting to their application. So yeah, that's a good trend.

Dave Bittner: Yeah. Well, based on the information that you all have gathered here, what are your recommendations then, for folks who are in this world day-to-day? Any words of wisdom?

Chris Eng: Yeah, absolutely. When we go back to that flaw introduction thing, we also didn't just look at, you know, what's the overall rate, but we looked at the various factors that influence that rate. So you start with like a base rate of about 27%. We found that there's about a 27% chance that an application will introduce one or more new flaws every month. But there are factors that can bump that number up or down. So they can make it less likely that you would introduce new flaws. And if you did introduce new flaws, you could even reduce the number of flaws that you would introduce. And so those factors really hinged around automation. If you were scanning via the API using, you know, using the APIs and automation rather than, you know, relying on a human to remember to do a scan and go upload it and so on, you actually reduce the probability of new flaws and the volume of new flaws. If you conducted -- if your developers were taking training, interactive trainings -- so if on your application team, you had at least 10 trainings completed -- that actually reduced the probability that new flaws would be introduced. And so these are additive, also. So if you're doing like multiple of these good behaviors, you know, you're putting yourself in a much better position. So we did see -- and we've seen this before, but we'd never looked at it in terms of flaw introduction. We've looked at it more in terms of security debt. But all these factors around -- and these are things you see in DevOps a lot, right. Automation, building these good practices into the toolchain, so that they just become a matter of hygiene as opposed to something that you have to remember to do. So all this automation and training does pay off, and it results in fewer flaws coming to the application, which means fewer flaws that you have to deal with later. So those are things that we would recommend keeping on top of.

Dave Bittner: That's Chris Eng from Veracode. And joining me once again is Johannes Ullrich. He is the dean of research at the SANS Technology Institute, and also the host of the ISC StormCast Podcast. Johannes, it's always great to welcome you back.

Johannes Ullrich: Thanks for being and having me here.

Dave Bittner: Well, I want to touch base with you today on some research that you shared with us recently. You all are tracking some of the fallout from the Silicon Valley Bank run and implosion and the cybersecurity aspects of that. What can you share with us today?

Johannes Ullrich: Yeah, so basically what happened here is, after all this uncertainty on Friday, right, big news came out that the Silicon Valley Bank is going to be taken over by the government and you may not get your money back, we saw a large number, relatively large number, of new domains being registered that basically used SVB as part of their name, that acronym for Silicon Valley Bank. Some of them looked more suspicious than others. For example or or domain names that in particular took a look at. But then also, some domain names that, well, look more like, for example, attracting lines for lawsuits, or in one case even, things like that. So some of them, fairly simple moneymaking schemes; others, probably a little bit more nefarious. The problem with an event like this SVB takeover is that, of course, over that weekend, there was an awful lot of uncertainty -- how are you going to communicate with the bank? How are you going to get your money back? How much money are you going to get back? And that is really ripe for fraud. We did then on Monday also see reports of SVB customers trying to update their account information. So you may have received an email if you had -- if you're a customer of a company that used SVB. But it told you, hey, SVB, as you hear, went under. We are now using a different bank. Here are our new bank details. We haven't seen any abuse of this yet, but these type of emails, they're essentially what you usually find with business email compromise. A hacker is breaking into an email system, waiting for the right email, and then replying with just a ton of information. So this really allowed for mass business email compromise without actually compromising your business email.

Dave Bittner: I suppose it's worth mentioning here that, in all of this, there are a lot of people who understandably would be in a heightened emotional state.

Johannes Ullrich: Exactly. So that urgency. And, you know, once the adrenaline kicks in here, you may not really think as clearly as you're supposed to. So that really helps the fraudsters as much as it hurts the good people you're trying to defend.

Dave Bittner: So what are you recommending here? I mean, should we be putting filters in place to look for the SVB phrase? Or how do we protect ourselves from these things?

Johannes Ullrich: Well, in part, vendors already have taken care of this. So at this point, many of these domains, if you're pulling them up in your browser, they'll be blocked because they're considered malicious, if they are malicious. The other thing, of course, is just to use it as education for their users. Train them not to sort of fall for social engineering, to let their guard down and not follow procedure. For example, for account updates. It's hardly ever critical if a payment isn't going through one particular day, if it waits another day or so. So it's better than losing a ton of money to some fraudster with little recourse to get the money back again.

Dave Bittner: That's a great point of using something like this high-profile, where, you know, there's broader knowledge of it, to use it as a teaching moment.

Johannes Ullrich: Correct. And that way, everybody's already kind of aware of it. They may have seen some of these emails and such in their own inbox. So use it as a teaching moment. I wouldn't use it like as a phishing test, that that may be a little bit too much. But just as part of your awareness newsletter, or if you're talking to your accounting staff, in particular people that may receive business email compromised emails. Say, hey, we keep talking about this, this is just one of these events you have to be aware of and you have to be careful about. Talk to us, let us know if you're seeing a suspicious email. Rather report one too many than not enough.

Dave Bittner: I'm curious, can you give us some insights? You know, you and your colleagues there at SANS, when you're tracking this sort of thing, what sort of tools are you using to keep an eye on these domain registrations? How do you go about that?

Johannes Ullrich: Yeah, we have a couple tools that we sort of use for that. First off, for some of the top-level domains, you can get daily zone files -- as they call them. It's a list of all the registered domains -- and figure out which ones are new. Another tool we find quite helpful is something called certificate transparency. Whenever you register a certificate for a domain, for a hostname, it's been published in sort of a transparency log. So we look in those logs. Because these days, even phishing sites use TLS and register certificates as a result. Or even if you go to your average registrar, they often set you up with like a little parked domain page. They register automatically a certificate for that parked domain page. So that's how we get the information. We also make it available -- if you don't want to parse it yourself beyond API, that we offer on our website. So you can go back a couple years now I think, so we started doing that, and basically search for domain names for simple keywords. Just download the list and do something interesting with it yourself.


Dave Bittner: Yeah. All right, well, Johannes Ullrich, thanks so much for joining us. And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at The CyberWire Podcast is a production of N2K Networks. Proudly produced in Maryland, out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester. With original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.