The CyberWire Daily Podcast 3.22.23
Ep 1785 | 3.22.23

Detecting sandbox emulations. VEC supply chain attacks. Updates from the hybrid war. CISA and NSA offer IAM guidance. Other CISA advisories. Baphomet gets cold feet after all.

Dave Bittner: Malware could detect sandbox emulations. A VEC supply chain attack. A new APT is active in Russian-occupied sections of Ukraine. An alleged Russian patriot claims responsibility for the DC Health Link attack. CISA and NSA offer guidance on identity and access management. Tim Starks from The Washington Post has analysis on the BreachForums takedown. Our guest is Ryan Heidorn from C3 Integrated Solutions with a look at the CMMC compliance timeline. And Baphomet backs down.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner, with your CyberWire summary for Wednesday, March 22, 2023.

Malware could detect sandbox emulations.

Dave Bittner: Researchers at crypto wallet provider ZenGo discovered vulnerabilities in leading transaction simulation solutions. Transaction simulations are used to perform sandbox emulations to evaluate the potential outcome of intended transactions before executing them, primarily to combat theft and scams. The researchers found that malware could detect that it was operating in a sandbox and then reveal its true malicious nature only when actually executed in a real environment. The researchers dubbed this a "red pill attack," since the malware knows it's in a simulated environment. The researchers note that "all vendors were very receptive to our reports, and most of them were quick to fix their faulty implementations." Some vendors, including Coinbase, awarded ZenGo bug bounties.

VEC supply chain attack.

Dave Bittner: Abnormal Security describes an attempted vendor email compromise attack that tried to steal $36 million from a commercial real estate company. The attackers posed as a trusted contact at an insurance firm, sending the phishing emails from a domain that ended in ".cam" instead of ".com." The phishing emails contained phony invoices.

Report: a new APT is active in Russian-occupied sections of Ukraine.

Dave Bittner: Kaspersky reported yesterday that it had discovered a new advanced persistent threat operating against government, agriculture, and transportation organizations located in the Donetsk, Lugansk, and Crimea regions. The attacks begin with phishing emails whose payload is carried in malicious attached Word files that purport to be government documents. Once the phish hook is set, it installs the PowerMagic backdoor and then the CommonMagic framework. Kaspersky says the campaign is thus far unattributed. The organizations, government and otherwise, that Kaspersky refers to in its report appear to be Russian occupation and separatist organizations. And so the suggestion would be that the APT is acting either for Ukraine or at least against Russian interests. But Kaspersky, a Russian company, carefully avoids either claim. Circumstantially, the campaign's purpose seems to be cyber espionage.

Someone claiming to be a Russian patriot claims responsibility for the DC Health Link attack.

Dave Bittner: Make of it what you will, but someone using the hacker name Denfur has claimed, according to CyberScoop, that he is a Russian patriot who breached DC Health Link and obtained the personal data of many of the system's users, including members of the US Congress. It was, Denfur said, "an idea born out of Russian patriotism," presumably because of the congressional and other government worker data the compromise of DC Health Link would reveal. The potential for harassment, embarrassment, or simple violation of privacy is obvious. The self-proclaimed attacker said he breached the healthcare service by simple Google dorking, the persistent and clever searching for information that ought to be secured but isn't. When asked by CyberScoop to provide proof of Russian nationality, Denfur told the publication they'd simply have to take his word for it. CyberScoop is properly reticent in its story, and Denfur's claims should at best be regarded as not proven.

CISA and NSA offer guidance on identity and access management (IAM).

Dave Bittner: CISA and NSA have released, as part of their Enduring Security Framework, the Identity and Access Management Recommended Best Practices Guide for Administrators. The ESF's IAM best practices are organized into five categories: identity governance, environmental hardening, identity federation and single sign-on, multifactor authentication, and IAM monitoring and auditing. Each class of best practice is accompanied by an explanation of what it is, why it matters, and how it's implemented, with notes on the threat landscape interspersed in the discussion. An appendix to the document contains a checklist of actions organizations can take now. If you'd like a brief primer on identity and access management, check out our most recent episode of Word Notes, where we discuss exactly that.

CISA updates Cybersecurity Performance Goals.

Dave Bittner: CISA has published an update to its Cybersecurity Performance Goals. These are cross-cutting goals intended to be applicable across all critical infrastructure sectors. CISA says the CPGs are voluntary practices that businesses and critical infrastructure owners can take to protect themselves against cyber threats. The CPGs have been reorganized, reordered, and renumbered to closely align with the NIST CSF functions -- identify, protect, detect, respond, and recover -- to help organizations more easily use the CPGs to prioritize investments as part of a broader cybersecurity program built around the CSF.

CISA releases eight ICS advisories.

Dave Bittner: CISA has been busy with other matters as well. Yesterday, the agency released eight industrial control system advisories. They affect Keysight, Delta Electronics, Siemens, VISAM, Rockwell Automation, and Hitachi Energy products. Operators should review the alerts and apply updates in accordance with the vendors' instructions.

Baphomet backs out.

Dave Bittner: And finally, hey, everybody, remember how yesterday we asked, speaking of Baphomet, the guy who said he would be taking over as proprietor of a revived BreachForums, whom can you trust if you can't trust someone with a demonological hacker name? Boy, were we ever wrong.

Dave Bittner: Turns out The Record reports that Baphomet has changed his mind about bringing back BreachForums. His infernal majesty posted yesterday, "This will be my final update on Breached, as I've decided to shut it down. I'm aware this news will not please anyone, but it's the only safe decision now that I've confirmed that the glowies likely have access to Pom's machine."

Dave Bittner: He added, "Any servers we use are never shared with anyone else, so someone would have to know the credentials to that server to be able to log in. I now feel like I'm put into a position where nothing can be assumed safe, whether it's our configs, source code, or information about our users, the list is endless. This means I can't confirm the forum is safe, which has been a major goal from the start of this show."

Dave Bittner: There will also be some uncertainty in criminal circles as to whether the FBI has the goods on more people than just Pompompurin. Allegedly, we say, of course, since Pompompurin is entitled to the legal presumption of innocence. But with respect to Mr. Baphomet and the whole underworld of cybercrime, we still say, "Good hunting, FBI. Mr. Baphomet, may the Feds be with you."

Dave Bittner: Coming up after the break, Tim Starks from The Washington Post has analysis on the BreachForums takedown. Our guest is Ryan Heidorn from C3 Integrated Solutions with a look at the CMMC compliance timeline. Stay with us.

Dave Bittner: CMMC stands for the Cybersecurity Maturity Model Certification. It's a program that was announced in 2019 by the US Department of Defense, and it's aimed at combating the theft of intellectual property from organizations that are on a DOD supply chain. For insights on what CMMC means for government contractors, I checked in with compliance expert Ryan Heidorn from C3 Integrated Solutions.

Ryan Heidorn: Yeah, this program actually goes back well over a decade in different forms. So the DOD has been trying to combat the threat of nation-state adversaries stealing sensitive intellectual property on everything from fighter jets to nuclear submarines from companies that are in the defense industrial base, or DIB. And the vast majority of those companies are actually small businesses, so if you think small manufacturers, tech companies, R&D. And these companies really face the same challenges around cybersecurity as a small business in any other industry. What's important to note is that CMMC is likely to impact any company with a DOD contract. And there's an estimated 300,000 plus companies playing various roles on the supply chain, so obviously, that's why the impact. And CMMC certification will be required to win or participate on new DOD contracts, with a phased rollout expected to extend into 2025. So it's an important program to pay attention to. It could represent an existential threat for organizations that are relying on DOD business as a revenue source.

Dave Bittner: Yeah, I'm curious for -- for that aspect of it. I mean, to what degree -- I guess, can you -- can you give us a notion of the spectrum to which this is a burden for various organizations?

Ryan Heidorn: Sure. So CMMC has three different maturity levels: levels one, two, and three. And they each have a set of security requirements. But most of the industry is pretty focused on level two, which is the level that's required for organizations that are handling this type of sensitive data called Controlled Unclassified Information, or CUI. That's the type of information that the DOD is looking to protect on companies' private networks with CMMC. And really, in level two, you're looking at 110 different security requirements. And of those 110, there's an underlying 320 assessment objectives. So what that means is there's 320 different things that an assessor needs to check or validate for an organization to pass that level two assessment. And these are going to range from things that are fairly simple, like perform background checks on your employees, all the way to very complex and nuanced requirements, like only use certain forms of validated cryptography to protect this controlled unclassified information. So it's really quite an undertaking.

Dave Bittner: And what's the word on the street here from the folks who are -- who are on their way to -- to getting this done? What are their thoughts on having to do this?

Ryan Heidorn: Well, it's really important to note that while CMMC is new as a program, these underlying requirements are not new at all. So defense contractors have actually been required to implement the security requirements, which come from a NIST publication called NIST 800-171, since the end of 2017. However, the reason we have CMMC right now is because repeated reports from industry and the DOD inspector general have shown that companies have really overwhelmingly failed to implement these requirements. So CMMC is really an enforcement mechanism for the requirements. And it's going to require some organizations to undergo a third-party assessment and certification before they can participate in new DOD contracts.

Dave Bittner: So where do we stand now in terms of the timeline and organizations being able to meet it?

Ryan Heidorn: Yeah, well, CMMC rulemaking is expected to hit what's called the Federal Register in the May 2023 timeframe. And there's a lot of uncertainty still on whether we're going to get CMMC as what's called an interim final rule or a proposed rule. That distinction is probably too nuanced to unpack on today's show. But really, suffice to say that the rollout timeline will be slightly extended if we get a proposed rule rather than an interim final. So there's a lot of conversation around that right now. But my number one piece of advice to companies in the defense industrial base is you don't need to wait to see what's changing in CMMC, because it's highly, highly unlikely that we're going to see any changes to the underlying security requirements. So we already know what's going to be on the test. It could easily take you a year or more to be ready for an assessment. So organizations that are in kind of a kick-the-can mindset might already be out of time.

Dave Bittner: Well, I mean, a little -- let's dig into that. What is your advice for organizations who will fall under this? What sort of things should they be working on today?

Ryan Heidorn: Yeah, well, just like really any other security or compliance framework, you can't prepare overnight, right? So in CMMC, there's a mix of technical and non-technical controls that, in my experience, could take, you know, eight, 12, 18 months even for a small organization to implement and to adequately prepare for that assessment. When you really dig into the security requirements, some of them are just very basic security hygiene, I mean, things that any organization should be doing, to all the way, like I said, to some more complex undertakings. I think a -- a useful strategy for preparing for CMMC is to really step back and understand where -- what is the scope of IT systems, business processes that this is going to apply to. There's a huge difference in whether you're applying these requirements to the entire organization versus a relatively narrow scope for where this controlled unclassified information is being handled.

Dave Bittner: That's Ryan Heidorn from C3 Integrated Solutions. It is always my pleasure to welcome back to the show Tim Starks. He is the author of the Cybersecurity 202 at The Washington Post. Tim, welcome back.

Tim Starks: Hi, Dave.

Dave Bittner: So, today you write about the end of BreachForums and how that might affect the cybercrime ecosystem. Can we start off with just some descriptive stuff here for folks who may not be keeping up to date here? What's the background we need to know about BreachForums?

Tim Starks: Yeah, it's -- I would say it's arguably if not definitively the most popular forum that had been going for hackers to essentially trade in stolen information among other kinds of cybercrime. It had taken over for a similar forum, called RaidForums, last year. And, yeah, this was -- this has been a big, big part of the cybercrime ecosystem during that time and has been quite popular and infamous. The thing it was in the headlines most recently for was, you know, that someone claimed to post -- posted the data from the DC Health Link breach there. That was the one that, you know, ended up getting, I think, 17 members of Congress -- members of -- yeah -- their information compromised. So that -- just to give you a sense of like what kind of thing happens there.

Dave Bittner: And so we had some movement from the FBI this week. There was an arrest.

Tim Starks: Yes, they arrested a 19-year-old fellow in New York City, who they say claimed to be the -- admitted to being the administrator. And that was Friday, I believe. And, so yeah, that's -- that was the last thing that -- well, that was the thing that triggered the whole series of events since.

Dave Bittner: And those events are?

Tim Starks: Well, so a new administrator popped up and claimed they were taking over the forum and said that they were -- they were -- they had seen no information -- no suggestion that the users' information had been compromised, meaning, you know, it's kind of a turnabout here in the sense that they're -- these are usually where people are talking about other people's compromised information. This was the users who were the -- who -- this fellow -- this person, and we don't -- I don't know the person's gender, had said, "I'm worried about protecting you." That is the BreachForums users' data and information. And that was, you know, on Friday. And then, as of yesterday, Tuesday, changed their minds, said, "Actually, we're not sure anything is safe anymore here." Raising questions about whether the previous administrator had given information to the FBI. Or perhaps the FBI had obtained information about how to get into the system and learn things about the users of BreachForums. So that is the end of BreachForums as we know it.

Dave Bittner: And so I suppose this plays out in a way that the FBI probably hoped that it would. Ultimately, the closure of this forum here, right?

Tim Starks: I have to imagine that they're pleased with it. They had -- they seized the previous forum that I mentioned, RaidForums, they seized that website entirely. This is something that I think everybody agrees -- well, except for cybercriminals anyway. It's a -- it's a good thing that this is happening. You know, at minimum, that site is gone but there might be other gains that they make from this. The question then becomes, you know, how long does this last? How long of a reprieve do we have from -- from, you know, English language folk who -- who traffic in this kind of information? How much of a reprieve will we really have and how long will there be before there's a successor to BreachForums?

Dave Bittner: So the person that the FBI arrested, who is alleged to have been running BreachForums, his name is Conor Brian FitzPatrick. As you mentioned, he was arrested in New York. Were folks surprised that this was being operated out of the US?

Tim Starks: Not to my knowledge. I guess my -- I think that folks think of these sorts of forums as generally, you know, happening overseas, being Russian operations where they can do so, you know, without worry of being tracked down by the FBI. So that particular detail certainly caught my eye. I think it's notable, but I think that there are different forums, you know, that this was a -- this was the -- I guess the predominant English language forum. So it kind of makes sense in that context that it might be US, you know. Other forums might be other languages, you know. Russia would have -- has had its own kind of forums before and probably still does. So, in this case, not surprising given the language that was being used in the forum.

Dave Bittner: Do you suppose that we might have sort of an accelerated game of whack-a-mole that's happening here? I mean, BreachForums was around for a shorter amount of time than RaidForums was. Is it -- is it -- maybe it's too soon to say if the FBI is accelerating going after these sorts of things, but it seems like it.

Tim Starks: Oh, yeah, I think there's a much more concerted effort to be disrupting cyber criminals, and hence anybody who's doing bad stuff in cyberspace. The idea is really outlined quite explicitly in the National Cybersecurity Strategy that just got released a couple weeks back, and it's something that they've been signaling over time. You know, I remember speaking to Adam Hickey a couple weeks ago. He was the former high top -- top-level DOJ official who worked on cyber cases. He -- he told me that the biggest -- one of the biggest differences at Justice from the time he started to the time he left, I think he was there starting at least in 2008, if I recall correctly. Anyway, that was one of the first changes he mentioned, that, like, this is -- this is something where we're -- we're really trying to go after these criminals more directly and disrupt their operations. I think to answer your second question of -- second part of your question about the cyber -- about the whack-a-mole, yeah, I think that that's always kind of the game, you know, cops and robbers, cat and mouse. There's always this constant. Crime happens, FBI response, law enforcement response, criminals collect themselves, try to come up with a different, better way to do things. In the case of the administrator of BreachForums, the one who recently said they were taking over, they're talking about moving to Telegram. So whether that -- whether they follow -- whether the criminals follow that person or not, there will be a period where -- where there will be a -- a -- a rest, recovery, recoup, and try to regroup -- regroup and do it better or -- or -- or in a way that's safer, more long-lasting. Whether that is something that's successful, I think eventually it will be, but whether -- whether we -- we get into a situation where we keep having these companies pop up, not these companies, these forums pop up and then get beaten back down, I think that's a possibility that we're going to see happen more often.

Dave Bittner: Yeah, as the law enforcement continues to turn up the heat. Yeah. All right. Well, Tim Starks is the author of the Cybersecurity 202 at The Washington Post. Tim, always a pleasure. Thanks for joining us. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is a production of N2K Networks. Proudly produced in Maryland out of the startup studios of DataTribe where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.