The CyberWire Daily Podcast 4.3.23
Ep 1793 | 4.3.23

"Cylance" ransomware (no relation to Cylance). Update on the 3CX incident. The FSB's arrest of Evan Gershkovich. Ukrainian hacktivist social engineering in the hybrid war.


Dave Bittner: "Cylance" the ransomware (with no relation to Cylance, the security company). An update on the 3CX incident. The FSB's arrest of a Wall Street Journal reporter. Simone Petrella from N2K Networks unpacks 2023 cybersecurity training trends. Deepen Desai from Zscaler has the latest on cloud security. And hacktivists claim to have tricked wives of Russian combat pilots into revealing personal information.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, April 3rd, 2023.

"Cylance" ransomware appears (but it's no relation to Cylance).

Dave Bittner: Palo Alto Networks' Unit 42 late last week spotted a new strain of ransomware that's calling itself Cylance, with no relation to the security firm Cylance acquired by BlackBerry in 2019. The malware is targeting Windows and Linux systems. The ransom note instructs victims to email the attackers to begin negotiations, and it reads in part, "All your files are encrypted and currently unusable, but you need to follow our instructions. Otherwise, you can't return your data. Never. It's just a business. We absolutely do not care about you and your deals except getting benefits. If we do not do our work in liabilities nobody will cooperate with us. It's not in our interests."

Dave Bittner: The crooks responsible for the attacks encrypt the victims' files with the extension .cylance. Why they've chosen to pick on Cylance with their nomenclature is unknown, but there's no obvious social engineering angle to the use of the name, no attempt to impersonate BlackBerry Cylance, for example. HackRead reports that the ransomware has already compromised several victims.

Update on the 3CX incident.

Dave Bittner: The 3CX desktop app attacks increasingly look like the work of North Korea's Lazarus Group, The Record reports. CrowdStrike initially disclosed "suspected nation-state involvement" by the Lazarus Group (or "Labyrinth Chollima," as CrowdStrike tracks it). The outlet reports that Sophos on Friday also linked some evidence from the attacks to Lazarus, reporting that a shellcode loader used had previously been seen only in Lazarus Group operations. Computing reports that the attack likely was ultimately intended to deploy information-stealing malware, with a particular focus on browsing history.

Dave Bittner: Given the likely attackers, espionage makes sense as an ultimate goal. Computing also notes that it's not yet publicly known how the attacker entered 3CX's systems, and whether or not they still have access. Fortinet released threat research on Thursday detailing the supply chain attack, which has been assigned the designation CVE-2023-29059. They note that the primary targets have been organizations in Europe and North America, and they provide indicators of compromise.

The FSB's arrest of Evan Gershkovich.

Dave Bittner: The FSB's arrest of reporter Evan Gershkovich is widely regarded in Western media as official hostage taking, and his arrest has been denounced as such by the US State Department and the White House. The AP reports that US Secretary of State Antony Blinken called his Russian counterpart, Foreign Minister Lavrov, to demand the journalist's immediate release. Secretary Blinken also demanded the release of Paul Whelan, an American citizen whom Russia has detained for four years on espionage charges.

Dave Bittner: Russian state television takes a different line, as commentators on a Rossiya-1 news show say that Gershkovich was never a journalist and filed no stories from Russia. That's an easy charge to debunk. The Wall Street Journal has published 11 stories with Gershkovich's byline in March of this year alone, and the paper is justifiably outraged at Russia's conduct. If you're not a subscriber to The Wall Street Journal, the paper has moved Evan Gershkovich's articles from behind the paywall, so you can read for yourself what he's been filing.

Hacktivists claim to have tricked wives of Russian combat pilots into revealing personal information.

Dave Bittner: And finally, Cyber Resistance, a pro-Ukrainian hacktivist group, is reported to have inveigled the spouses of officers in the Russian 960th Assault Aviation Regiment, the unit responsible for killing some 600 civilians who had taken shelter in a Mariupol theater last year, as well as for hitting hospitals, into participating in a bogus morale-building calendar photo shoot, in the course of which the identities of the regiment's officers were revealed. The wife of the regiment's commander was duped into organizing the photo shoot. The Telegraph writes, the 41-year-old believed she was communicating with an officer from her husband's regiment, not a Ukrainian activist, when she agreed to take part in and organize the patriotic photo shoot at an airfield. HackRead reports that the information obtained included a great deal of sensitive data.

Dave Bittner: InformNapalm, a hacktivist group cooperating with Cyber Resistance, explained, "Among the large volumes of correspondence and spam in the mail dumps of the 960th AAR Commander, Colonel Sergey Atroshchenko, we managed to find and isolate various detailed lists of pilots, performance evaluation records of officers, bulletins, memos, theoretical and practical calculations and so on, which are of material interest for the Ukrainian intelligence."

Dave Bittner: Both Cyber Resistance and InformNapalm have a longer track record than most hacktivist groups involved in Russia's war. They were formed in response to Russia's 2014 invasion of Crimea. The data pulled and partially published by Cyber Resistance, unfortunately, also included information about the wives themselves, who, after all, flew no strikes and bombed no hospitals.


Dave Bittner: Coming up after the break, Deepen Desai from Zscaler has the latest on cloud security. Simone Petrella from N2K Networks unpacks 2023's cybersecurity training trends. Stay with us.

Dave Bittner: The market for cybersecurity talent continues to be highly competitive. It's true the layoffs that have been rolling through tech have touched cyber, but overall people with cybersecurity skills remain highly employable, which makes the care and feeding of your current cybersecurity staff all the more important, and part of that is investing in training. For insights on this, I turned to our own in-house expertise, and spoke with Simone Petrella, President at N2K Networks and CEO and founder at CyberVista.

Simone Petrella: It's really fascinating because 2022 has come out as the year that has shown the most demonstrative demand for talent. So it continues to grow, and that growth in cybersecurity talent demand has obviously grown year over year, but if you look at cybersecurity job postings by volume, 9 of the 10 highest-ranked months in cybersecurity job openings happened in the year 2022, so demand has continued to increase for a number of factors. But then, kind of counterintuitively, if you look at the demand for upskilling the workforce, how do we think about creative ways to fill this increasing demand, there is a disconnect between the high desirability of organizations to create programs, but then a fairly surprising stagnation in their ability to mature those programs. They're getting really stuck.

Dave Bittner: Why do you suppose that is? What's the stumbling block here?

Simone Petrella: You know, to sort of back up for a second before I answer, the big statistic that comes from this is actually based on a report done by LinkedIn around learning and development, and they found that in 2021, 52% of organizations had a mid-stage maturity upskilling program that they had already put in place in their organization. And in 2022, and I should preface this by saying over 80% of organizations were putting something like this in place in 2022, that number at mid-maturity had only crept up to about 54%, so there was only a 2% improvement in maturity, from moving from early stage to mid-stage to then fully mature.

Simone Petrella: I think the reason for this disconnect ultimately boils down to the difficulty that organizations have in coming up with an executable strategy around their talent development, especially in fields that are highly specialized like cybersecurity, like in tech and IT. We see this because many of these organizations, you can't upskill if you don't have a clear understanding and inventory of the roles that you need, the skills that are actually incumbent to perform those roles, and then compare that against where your people are today, either the ones you have in your workforce or the ones that you plan on bringing on board.

Simone Petrella: If you don't have those two pieces of information, you can't come up with a pathway to provide them opportunities to upskill, because you're- there's sort of like an inherent mismatch. I think that's one of the biggest things that I would hypothesize is attributing to like that stagnation on actually deploying these upskilling programs at scale.

Dave Bittner: Is there any concern for backfilling? I mean, I'm imagining in a tight workforce, a tight hiring market where these skills are in short supply, is there a concern in the organization that if I upskill someone and move them up, then well, who's going to do what they were doing before? I may just have shifted my problem around.

Simone Petrella: Yeah, I think a lot of that, the industry is really relying on automation and places to gain efficiencies through technology and other ways that can allow for the knowledge base to shift in some of these roles. Where I see the biggest transition of skill requirements is actually around the digital transformation that's occurring in companies, meaning we're going from traditional security, you know, deployment and operations into cloud environments.

Simone Petrella: And so, in our research, over 41% of organizations we spoke to plan to increase their investment in the cloud. That's shifting the type of personnel and skills they require to conduct security in the cloud. It's not replacing another. It's just a shift in what they have to focus on. A good majority of the rest of the skill sets ultimately do still boil down to the same old bread and butter that we think about when we think about security best practices: vulnerability management, identity and access management, security and defense operations.

Dave Bittner: The organizations that are finding success here, what do they have in common? Are there any common aspects that you see when those folks rise to the top?

Simone Petrella: Yeah, I think one of the biggest drivers (and many of them all stem back to culture) is that the organizations that are the most successful really tie a people strategy, and when I say a people strategy, I not only mean recruiting, but retention, talent development, to their business goals and objectives. The organizations that have an executive and a leadership team that understand the correlation between high-performing teams and people, to how that can help the business, I think are more successful, because they're inherently baking in not only to the culture, but also the expectations of the business, that this is something that will help the business succeed, not just a nice-to-have for individuals to progress in their own career.

Simone Petrella: I think the kind of secondary component to that, that I touched on, is around culture. We are in a state of the world right now where employees do demand to have an opportunity to progress and develop in their field, and I think organizations that have really doubled down on building a more people-centric culture are faring better, and then seeing the results, because the metric that many, if not most, organizations use when looking at development ROI is retention, right? How is our retention rate improving based on things that we're doing? And that's inclusive of not only here's a pathway for people, but what are opportunities that we have to use talent in different parts of the organization that ultimately keeps them in our organization, even if it's not in the same division or specialty area?

Dave Bittner: In terms of how organizations come at this, how important is it that they stay focused in terms of the sourcing and how they target what they're after here?

Simone Petrella: Yeah, that's a really interesting question. In 2022, in the research we conducted, 87% of our respondents reported that they're using two or more vendors' training methods, including on-the-job and internal methods to actually upskill their talent, and I think that's great. I think that the overall increase in that number is indicative of the degree of importance that organizations are putting on it, but it also comes with the pitfall of, you know, the tragedy of too many choices without a kind of anchoring strategy or plan to leverage them in the way that makes that type of upskilling and those development opportunities most effective to the business, right?

Simone Petrella: Like if the overarching goal is to tie an upskilling program and talent development to the business goals, and then you're using three-plus different types of solutions to get there, you're potentially at risk of kind of throwing a lot of individually interesting and great initiatives at the wall, but not necessarily letting any of them stick, and then you're incapable of kind of tying them back to that singular strategy.

Dave Bittner: That's our own Simone Petrella, President at N2K Networks and CEO and founder at CyberVista.

Dave Bittner: And joining me once again is Deepen Desai. He is the global CISO and head of security research and operations at Zscaler. Deepen, it is always great to welcome you back to the show, and I know you and your colleagues recently released a report that was looking at cloud security, or perhaps the opposite of that. Can you share with us, what exactly is it that you all dug into here?

Deepen Desai: Yes, so this is our annual report where we look at public cloud security categories where we monitor for things like misconfigurations, vulnerabilities, compromised accounts, supply chain attacks, you know, other configurations used for ransomware defense. And the goal over here is to, you know, call out where are we seeing opportunities for improving the security posture for the public cloud environments that we're seeing out there?

Deepen Desai: So one of the key stats I'll call out is 55% of the organizations that we studied as part of this dataset are leveraging more than a single cloud provider, so we're living in a world where it's a hybrid cloud approach. You will have Azure, you will have AWS, you will have GCP, and so on. And 66% of these organizations have some form of cloud storage buckets, so they are leveraging these cloud environments for storing data.

Dave Bittner: And what are you tracking there in terms of trends? What directions are we headed here?

Deepen Desai: Yeah, so the key findings, as I mentioned earlier, what we did were we classified them into these five types of threats or risks that we see around public cloud environments. I'll start with the misconfiguration where we saw- I mean, some of these numbers are staggering, but this involves any kind of misconfiguration. That's where you need to have continuous monitoring and mitigation, a solution that allows you to do that, a CNAPP solution. So we saw 98% of organizations have some form of misconfigurations in their cloud environment that can lead to data leakage or cause any other risks to their infrastructure because they're inadvertently exposing those workloads, those assets to the internet.

Deepen Desai: The second one is vulnerabilities, right? So this is where the public cloud environment is where you are running workloads. You are using compute resources. So we saw 17%, a little over 17% of the organizations had workloads which were vulnerable to some form of known vulnerabilities, right? So this is where you have a workload running. Let's take an example, Log4j. When the Log4j vulnerability was disclosed, there were tons of workloads that potentially had that library running in it, and now if that workload is exposed to the internet, the threat actors will rapidly build exploits and search for these kinds of assets, right? And then they will target and exploit the vulnerability and try to take control of these assets.

Deepen Desai: The third category was compromised accounts, and this is where we look at configurations that strengthen your security posture, or make you resilient against any kind of compromised account activity. So in this case, we saw 97% of organizations were using privileged user access controls without MFA enforcement. Now in my opinion, MFA is a must. We're now actually starting to talk about traditional MFA versus what we need to do next, because even MFA is no longer sufficient. Threat actors are able to evade that in some of the advanced attacks that we're seeing, but MFA is the bare minimum thing you can do. Just relying on user password and not enforcing MFA is a very, very weak security posture.

Deepen Desai: So we saw 84% of organizations give IAM power users administrative privileges without MFA enforcement. 43% of the organizations had instances that were exposed to the internet and have identities with data access. And then 57% of organizations are using AWS Lambda services, again, violating the least privileged access principle by assigning over-privileged roles to the users in this environment.

Deepen Desai: So what I just described is these are some of the weaknesses that threat actors will exploit in order to take over full control of the environment either by, you know, using stolen credentials and, you know, if there's no MFA, you know, they get in, then they do even more damage. If there is MFA, it significantly reduces the risk over there.

Dave Bittner: It certainly is a sobering set of numbers. I am curious on your sort of analysis of that, I mean, how do you suppose the people who are posting these numbers, how do they rationalize that? How do you- at this point in the game, how do you rationalize not having more robust MFA, for example?

Deepen Desai: Yeah, I mean, it's just, you know, many of these organizations will have MFA on their internal IdP side, right, for corporate employees and stuff, but a similar security mechanism, either they don't have the public cloud environment embedded with single sign-on, right, which is one of the best practices, or they're just, you know, missing out on configuring MFA on the public cloud environment side. So it's not that they're not using MFA anywhere. It's just this public cloud environment, which is probably relatively new for some of these organizations in their usage. They're not enforcing best practices.

Deepen Desai: And also, one important point I'll call out over here, I'm talking about the enforcement piece, right? So it is possible for someone to create a privileged user account without MFA. Right? If you enable that configuration, it will enforce the user to always have MFA configured, without which they will not be allowed to access any of the resources in the public cloud environment. So we're just focused on the configuration element right now. It doesn't necessarily mean that all the users didn't configure MFA.

Deepen Desai: There are a couple more buckets. I mean, the fourth one is supply chain attacks. This is where, you know, you have a public cloud environment, you're collaborating with a third party or you have a third party who is doing admin work for some of the assets or some of the applications that are running in the environment. So think of contractors or third-party integration workers. Again, over there as well, we noticed some of the access control pieces were lacking. And 68% of these organizations have external users with admin permissions to the public cloud environment, which makes governance a big challenge, right? And it does increase the risk of a supply chain attack when one of these vendors were to get hit, and a threat actor leverages their access to target the organization's dataset. So that's the supply chain risk.


Deepen Desai: And then finally, and this is- this was surprising to me, and maybe we need to do more knowledge-sharing sessions on this. Maybe public cloud vendors need to do more enlightening sessions around this, because this is around ransomware controls. And this is- this feature, which is called MFA delete, and versioning, you need to enable that. What it essentially does is, when you attempt to delete a file, and think of these cloud storage as your backups. So say you got hit with a ransomware. The ransomware threat actor will go after your backups. If they attempt to delete the file, if you have this MFA delete and versioning feature enabled, there will be a version of your file saved, right, unless they're also able to gain escalated privileges and do additional damage.

Deepen Desai: But Amazon's S3 versioning enables multiple object variants to be kept in the same bucket, so when that file is actually deleted by the threat actor, you still are able to recover from that previous version of the file. So we saw 60% of the organizations did not have this piece enabled for the cloud storage buckets.

Dave Bittner: Do you suppose that's just ignorance or they didn't know it was available?

Deepen Desai: Absolutely, that's- but there is no other reason why you wouldn't enable that. I mean, that's- in my opinion, that's a strong security best practice recommendation for anyone that's using cloud storage buckets.

Dave Bittner: Yeah. All right. Well, interesting insights and good advice as always. Deepen Desai, thank you for joining us.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called "Security, HAH". I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. The CyberWire Podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Trey Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.