The CyberWire Daily Podcast 3.29.23
Ep 1790 | 3.29.23

Traffers and the threat to credentials. WiFi protocol flaw. Cross-chain bridge attacks. A shift in Russian cyber operations. Piracy is patriotic.


Dave Bittner: Traffers and the threat to credentials. A newly discovered Wi-Fi protocol flaw. Cross chain bridge attacks. A shift in Russian cyber operations. Ann Johnson from "Afternoon Cyber Tea" chats with EY principal, Adam Malone. Our guest is Toni Buhrke from Mimecast with a look at the State of Email Security. And is piracy patriotic?

Dave Bittner: From the "CyberWire" studios at DataTribe, I'm Dave Bittner with your "CyberWire" summary for Wednesday, March 29th, 2023.

Traffers and the threat to credentials.

Dave Bittner: Outpost24's KrakenLabs describes how traffers fit into the criminal ecosystem. Traffers are cybercriminal gangs focused on stealing and selling credentials. The criminals hide info-stealing malware and cracked software products and distribute it via social engineering. The researchers explain, "To spread the malware as far and wide as possible, they have formed an industry-like structure of product and service providers as well as dedicated marketplaces in a form of Telegram channels to facilitate the sale of those credentials."

WiFi protocol flaw.

Dave Bittner: Bleeping Computer reports that researchers from Northeastern University and imec-DistriNet have discovered a flaw in the IEEE 802.11 Wi-Fi protocol standard that can allow an attacker to access Wi-Fi frames in plain text. The researchers were able to exploit a flaw in the Wi-Fi protocol's power-saving features which queues frames that are sent to sleeping devices. The researchers state that an attacker can override and control the security context of frames that are yet to be queued. This exploits the design flaw in hotspot-like networks and allows the attacker to force an access point to encrypt yet-to-be-queued frames using an adversary chosen key thereby bypassing Wi-Fi encryption entirely. Our attacks have a widespread impact as they affect various devices and operating systems - Linux, FreeBSD, iOS and Android - and because they can be used to hijack TCP connections or intercept client and web traffic.

Cross-chain bridge attacks.

Dave Bittner: Moody's Investors Service has released a report detailing cross chain bridge attacks and the need for block chains to institute more security against such threats. Cross chain bridges or a set of computer codes that enables the transfer of assets, data, or information between two different block chains are open to a number of vulnerabilities. The report says that attacks on cross chain bridges last year saw losses of upwards of $2 billion. Half of the 10 most profitable cyber thefts ever were observed against cross chain bridges with last year's attack on the Ronin Bridge, a prime example, seeing losses of upwards of $600 million. Most bridges have a centralized architecture that creates a single target point that can be exploited but attacks have also been seen making use of operational weaknesses.

A shift in Russian cyber operations.


Dave Bittner: Barron's reviews industry consensus that Russia's cyber war on Ukraine largely failed and Moscow is increasingly targeting Kyiv's European allies. Thales Cyber Threat Intelligence team is the latest industry source to discern a change in Russian cyber operations. Ukraine having proved a hard target and cyberattacks there having been largely supplanted by kinetic strikes, Russian operators are increasingly focused on hitting Western Europe. Thales says, "The third quarter of 2022 marked the turning point in cyberattacks related to the conflict in Ukraine with a clear transition from a cyber war focused on Ukraine in Russian to a high-intensity, hybrid cyber war across Europe. The cyber war is targeting Poland and the Baltic and Nordic countries in particular with an increasing focus on critical national infrastructure in sectors including aviation, energy, healthcare, banking, and public services. So, the Baltic and Nordic countries along with Poland have been singled out for special attention as have smaller states who are candidates for full EU integration such as Montenegro and Moldova. Much of the heavy lifting against Western Europe seems to have been delegated to hacktivist auxiliaries. Thales says, "From targeted destruction campaigns to guerilla cyber harassment, pro-Russian hacktivists are using DDoS attacks to make servers temporarily inaccessible and disrupt services. They are a part of Russia's strategy to engage in information warfare as a way to wear down public and private organizations." Among the auxiliaries, Thales calls out are Anonymous Russia, Killnet, and Russian hacking teams. The report suggests that they've sought to pattern some of their activities after operations by the opposing Ukrainian IT Army. The Russian groups represent a wide range of skill levels and are often, although not invariably, associated with cybercriminal gangs. Their control by the state ranges from direct command through inspiration to simpatico political alignment with Russian war objectives, and their most common tactic by far has been DDoS. Some of the attacks against countries that support the cause of Ukraine are directly tied to current events. Slovakia's decision to transfer 13 MiG-29 fighters to Ukraine for example was immediately followed by an Anonymous Russia DDoS attack against the range of Slovak government sites, Ukrainian Pravda reports.

Piracy is patriotic.

Dave Bittner: And finally, did you know that piracy is patriotic? Well, at least in some places it seems to be. Ukraine's defense ministry said this week that Russia has declared online piracy patriotic stating, "The word pirate is now rehabilitated in Russia. Deputy chairman of the security council, Medvedev, and Putin's spokesman, Peskov, urge Russians to download Western movies, music and programs from pirate sites. No need to be shy, just add the skull and bones to the tricolor." Kyiv, of course, is just taking an opportunistic albeit understand swing at Moscow but they're not really exaggerating either. TASS reported back in December that piracy in Russia was likely to increase alas under the pressure of Western sanctions. Like the special military operation itself, that's to be regretted but after all, it was forced on Russia by the aggressive posture of the collective West. One of the more popular movies in Russia right now we hear on the street is "The Batman" and it's probably one of the most illegally streamed. Apparently, there are only so many times you can watch "Battleship Potemkin."


Dave Bittner: Anyhow, enjoy "The Batman" and imagine Saint Petersburg as Gotham on the nieva. Coming up the after the break, Ann Johnson from "Afternoon Cyber Tea" chats with EY principal Adam Malone. Our guest is Toni Buhrke from Mimecast with a look at the State of Email Security. Stay with us. Microsoft's Ann Johnson is the host of the "Afternoon Cyber Tea" podcast. And in their most recent episode, she sat down with EY principal, Adam Malone. Here's Ann Johnson.

Ann Johnson: On today's episode of "Afternoon Cyber Tea." I am joined by Adam Malone, principal at EY. Adam currently leads a private equity sector within EY's cyber consulting practice. He has also led EY's globally recognized threat resiliency capability. And prior to joining the private sector, Adam was a supervisory special agent for the FBI where he led teams investigating cybercrime, acts of terrorism, and cyber-enabled economic espionage by nation states. He has also spent time as a senior systems engineer for BAE Systems and is a veteran of the US Air Force. Welcome to "Afternoon Cyber Tea," Adam. I am absolutely thrilled to have you on today.

Adam Malone: Thanks, Ann. It's great to be here and I really appreciate the opportunity to talk to your listeners.

Ann Johnson: I know your time in the FBI you're involved in several high-profile cyber investigations and a lot of events. When you were leading these investigations, were there any surprising trends you were seeing again and again? And are you still seeing the same type of trends today?

Adam Malone: I think the answer to both of those questions is yes. You know, I think the first observation that I had is it- it really all comes down to people at the end of the day. And so, you know, people always played a pivotal role in either preventing a crime occurring or advancing a crime, sometimes intentionally or unintentionally but that was a big piece of it. You know, I think today we still hear about the threat of business email compromise and that's been the most significant financial technology-enabled crime, I think, over the past two decades and it was a big thing then, right? And that really relies on people preying on our comfort with one another and our communication skills and sometimes our willingness to bend process to ease our actions. And so, that was a big thing that I saw a lot in the FBI from my early career to my later career. I think the other piece, you know, we- we've seen a lot about what's happened with malware and how it became very prevalent and sometimes it- it kind of shifted to being less prevalent when we- we- we went to thinking about how attackers used technology against us.

Ann Johnson: Do you see people who actually end up unintentionally and

they're actually victimized by cyber criminals into doing criminal-type activities themselves?

Adam Malone: You know, I think yes is part of an answer there especially when you look at the- the economic ecosystem of cybercrime, right? At the end of the day, cyber is about- cybercrime at least is about economics and power, whether it's a criminal group or a nation state. Well, there are great, you know, we'll use the term hackers, right? There are great hackers out there that are great at breaking a control, you know, getting a piece of malicious code into a system for example to steal credit card numbers off of a PCI network. They still have to cash that money out, right? They got to take it from digital to hard currency. And where we used to see a lot of interesting- let's call it unintentional crime that was committed was in people preying on- or in criminals preying on, you know, regular people that are trying to, you know, make it in life and advance their careers.

Ann Johnson: So, one of the things I'm seeing today in cyber trend is this need for business and cyber leaders to be more aware and proactive mitigating against all of the geopolitical events we're seeing around the world. What's your take on this trend and what are you hearing when you talk to your customers?

Adam Malone: That's a great question. You know, I think never has it been more apparent than in today's global economy kind of starting with the supply chain, right? It's everywhere, right? And we could see from some of the recent Russian and Ukrainian conflicts that there are businesses that had suppliers, maybe digital suppliers, maybe they were coders, you know, they were in agricultural industry that they relied on to- to make their businesses run. Luckily, we've gotten smarter for the past several years but we still have a ways to go. Understanding where your supply chain is, where it shifts, right, and how those geopolitical, you know, events or conflicts can impact them is huge.

Dave Bittner: That's Ann Johnson from the "Afternoon Cyber Tea" podcast. You can find that on our website or wherever you find your podcasts. The folks at Mimecast recently published their 2023 State of Email Report tracking trends in that most ubiquitous of online interaction tools. Toni Buhrke is director of sales engineering at Mimecast and I caught up with her for details from the report.

Toni Buhrke: Not only is it in heavy use but it remains the top vector for attack surface and, you know, there's a reason for that. A lot of cyber criminals know that the utilization of email has gone opposite especially since COVID and it provides them really with the most digital doors and windows to get them away to climb into an organization. And in the survey, we found that a lot of our participants, 75% to be exact, say that they've seen email-based threats increase over the last year and those threats are becoming increasingly more sophisticated in nature and they say that that's one of their biggest challenges

and three-quarters of them feel that an email-borne attack is going to have serious consequences for their org in the coming year. And then, you couple that with the fact that some of the email solutions that they're leveraging like Microsoft 365 and Google Workspace, they have good security but with the type of threats that we're seeing and the frequency of those attacks, businesses need great security and that was reflected in the survey. Ninety- four percent of the people we surveyed said that the security provided by Microsoft and Google is too thin. So, the reality is in a world where half of the malicious email attachments are Microsoft 365 files, we really need to have an additional layer of protection for our email application. So, I don't really see email going away as our number one attack vector for some time.

Dave Bittner: And what are you all tracking in terms of- of people responding to this threat? Are- are they- are they budgeting for this? How- how are they responding?

Toni Buhrke: Well, the good news that I think when we look at the industry as a whole, we've really beaten the drum to get the attention of the C-Suite and boards and the challenges that we're facing in the trenches, right? But the boards now and the executives are really focused on other priorities right now too like our economy and the impact of that to their business. So, what we see a lot of companies doing now that we have this attention is really putting together a better case for cyber resiliency as a whole. Now, unfortunately, the cases that we're presenting to the boards and the- the C-Suite aren't always turning into budget dollars, right? Two-thirds of our respondents said that their organization cyber security budget is less than it should be and that's similar to what we found last year. So, some companies are responding by going through and leveraging cyber insurance but cyber insurance rates have been rising as more and more claims have been filed. And so, the insurance companies are putting a lot more scrutiny on organization cyber hygiene during the underwriting process. So, whether they go to cyber insurance route or they decide to build a better cyber hygiene program, that's really up to the organization to decide because we see more of the enterprise companies going the path of really shoring up their cyber hygiene where some of the small- to medium-sized businesses are still relying upon cyber insurance to fill that gap.

Dave Bittner: Well, based on the information that you all have gathered here, what are your recommendations then? How do organizations do a better job protecting themselves from these email threats?

Toni Buhrke: Well, to avoid getting phished which, as I mentioned, is - is so pervasive now based upon the survey respondents, we need to do a better job of training the users, right? Phishing attacks rely on false pretenses, social engineering, anything that they can to deceive employees. But what we've shown in the survey that ongoing and engaging awareness training can teach them to spot those sort of threats and avoid them right at the source. Employees are the frontline of defense and we really need to do a better job of


training them and making them more aware of their responsibility to protect the organization and themselves. Another recommendation I would have is that spoofing is a problem, DMARC is the answer. So, nearly every company getting spoofed, I think it was around 90%, and we're seeing an increase over this year over year but what I'm not seeing is them taking advantage of DMARC. And DMARC is a robust cost-effective protocol that helps ferret out bogus emails. And companies need to realize that protecting a brand is hard. It's hard to be proactive but repairing a brand that's been damaged is even harder. So, that makes successfully implementing a proven solution like DMARC a no-brainer and something that we should really be focused on as an industry. And last but not least, a cyber insurance policy doesn't replace your own cyber preparedness plan. It may make financial sense to insure against cyber risk but even the best cyber insurance can only compensate for what happens after a breach, right? It doesn't help prevent it from occuring in the first place. So, C-level executives and their staff need to own their cyber preparedness plans, make them robust, and fight the increase in cyber insurance cost that are going to continue to go up as more and more breaches occur. So, focus on your cyber preparedness plan and that would be the best way to address the overall risk.

Dave Bittner: That's Toni Buhrke from Mimecast. And that's the "CyberWire". For links to all of today's stories, check out our daily briefing at The "CyberWire" podcast is a production of N2K Networks proudly produced in Maryland out of the startup studios of DataTribe where they're co-building the next generation of cyber security teams and technologies. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tre Hester with original music by Elliott Peltzman. The show is written by John Petrik. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you again tomorrow.