What’s now being traded in the C2C markets. CISA would like comments on its software self-attestation form. And in Russia’s hybrid war, are there cyber war crimes, or real hacktivists?

Maria Varmazis: Cl0p and LockBit exploit PaperCut vulnerability in ransomware campaigns. Infostealer traded in the C2C market. All ads are trying to get your money, but some just take it. CISA requests comment on software self-attestation form. Our guest is Marcin Kleczynski, CEO of Malwarebytes, sharing thoughts on the current threat landscape and attacks on students and academic institutions. Betsy Carmelite from Booz Allen, discussing themes from the RSAC tied into critical infrastructure resilience. Ukraine argues that cyberattacks against civilian infrastructure should be classified as war crimes. And are there any genuine disinterested hacktivists on Russia's side, or are they all fronts?

Maria Varmazis: From the CyberWire Boston bureau, I'm Maria Varmazis with your CyberWire summary for Friday, April 28th, 2023.

Cl0p and LockBit exploit PaperCut vulnerability in ransomware campaigns.

Maria Varmazis: Microsoft tweeted Wednesday that they had attributed two campaigns exploiting vulnerabilities on PaperCut printers to Cl0p and BitLock. The two vulnerabilities (CVE-2023–27350 and CVE-2023–27351) were announced in a 19 April post by PaperCut. The company urged all admins to update their firmware with the latest patch to address them. Microsoft explained that they traced the infections back to a period before the vulnerabilities were discovered on April 13th.

Maria Varmazis: Microsoft said, "We're monitoring other attacks also exploiting these vulnerabilities, including intrusions leading to Lockbit deployment. More threat actors could follow suit. It's critical for organizations to follow PaperCut's recommendation to upgrade applications and servers."

Maria Varmazis: BleepingComputer, who's periodically in touch with the Cl0p operators, reports that "The C10p ransomware operation confirmed to BleepingComputer that they were behind the attacks on PaperCut servers, which they started exploiting on April 13th...In reply to our questions about the LockBit attacks, Microsoft said they had nothing further to share." In any case, the standing advice is still sound. Look to your systems and apply patches in accordance with vendor instructions.

Infostealer traded in the C2C market.

Maria Varmazis: Security Week reports that researchers at threat-intelligence company Cyble have analyzed an info-stealing malware tracked as "Atomic macOS Stealer," or AMOS, for short. The malware incorporates an array of data theft capabilities. One of its authors claims on Telegram that AMOS can steal "all passwords from the Keychain, full system information, and files from the compromised computer."

Maria Varmazis: The malware has been offered to the criminal-to-criminal trade by subscription on Telegram for $1,000 a month. AMOS is also allegedly capable of stealing passwords, cookies, crypto wallets, and payment information from a multitude of browsers. "The malware is delivered as a .dmg file and, when first executed, it displays a fake prompt to trick the victim into handing over their macOS system password." This is notable because Security Week highlights that while macOS-based malware may boast many capabilities, getting it to run on the system can prove difficult. Their report goes on to say that a Trellix researcher noted an IP address in use by the malware that could potentially be linked to Raccoon Stealer, a malware used by threat actors in Ukraine and Russia. 

All ads are trying to get your money, but some just take it.

Maria Varmazis: One weird trick to get people to click on that link, tell them they'll be taken to the kind of saucy content we've curiously agreed to call "adult"; although, in truth, it's really more accurately described as adolescent. Or so we hear; we never click ourselves. Anyhow, it's not news that threat actors use clickbait advertisements to infect users' computers with malware. As Guardio reports, however, the scale at which one threat actor has been conducting these campaigns is pretty noteworthy. "One of those campaigns, linked to a Vietnamese threat actor, has been ongoing for months now, gaining more traction lately using resilient deployment techniques and is estimated to surpass 500k infections worldwide so far."

Maria Varmazis: The campaign uses FaceBook ads, distributed from business accounts, depicting free adult content (venerable clickbait) to get users to download a zip file of the alleged images. The images are actually executable files, and they take the user to a website while "in the background, the stealer will silently deploy, execute, and gain persistency to periodically exfiltrate your sessions cookies, accounts, crypto-wallets, and more." The threat actor uses commercially available hard-disk manufacturers to avoid detection. Guardio reports that this campaign alone reached 500,000 deployments in three months. "With the opportunity to effortlessly distribute millions of copies a day with the power of social networks advertisement infrastructure, the damage that these threat actors can do in just a few hours, without detection, is overwhelming." So the ad that had your attention may immediately thereafter have your crypto wallet.

CISA requests comment on software self-attestation form.

Maria Varmazis: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) yesterday released a request for comment on a drafted self-attestation form for federal government software providers. The Secure Software Development Attestation Common Form was a combined effort between CISA and the OMB, or the Office of Management and Budget, and is based on the National Institute of Standards and Technology's (NIST) Secure Software Development Framework (SSDF). Lots of acronyms there. Speaking of acronyms, the FCW explained on Tuesday that the form is intended for software vendors to prove that their products are secure to the standards of federal government customers. With the government's ultimate goal being to work toward securing the supply chain. This follows a 2021 executive order on improving cybersecurity throughout the United States, and a later memo that same year from OMB requiring federal agencies to acquire self-attestation forms from vendors, with a looming September deadline. Public comment on the form will be accepted through June 26, 2023, via a comment box on the regulations.gov website. So go take a look and let CISA know what you think.

Ukraine argues that cyberattacks against civilian infrastructure should be classified as war crimes.

Maria Varmazis: Speaking at RSAC this week, Illia Vitiuk, Ukraine's head of the Department of Cyber Information Security in the Security Service of Ukraine, urged that cyberattacks against civilian infrastructure should be treated as war crimes. Infosecurity Magazine quotes him as saying this, "I do believe that military commanders that are in charge of special forces and special services, like the Russian GRU or SVR, who are responsible for cyber-attacks on civilian infrastructure should also be convicted as war criminals." Such attacks would presumably violate one or more of the principles that underlie the laws of armed conflict - proportionality, discrimination, and military necessity.

No genuine hacktivists on Russia's side?

Maria Varmazis: Vitiuk also presented the case, CyberScoop reports, that there are no genuine hacktivists working in the interest of Russia. "More than 90% of all cyber attacks targeting Ukraine are either conducted by special services or by state-sponsored groups," Vitiuk said. "I do believe that there is no so-called 'hacktivism' in Russia at all." Now, he described a brief wave of pre-war Russian arrests of cybercriminals as, effectively, an intimidation campaign. Work for the security organs or face the consequences. The arrests of some REvil members in the weeks before the war were an example of that kind of strong-arm recruitment. Noting that the prosecutions had all stalled by May, Vitiuk added this, "This was an attempt to intimidate them and others to show that you need to work for us. And now you need to work against Ukraine." Recruiting auxiliaries to work as fronts for Russian security and intelligence services would not have been particularly difficult. The ties between the organs and the underworld have been close for a long time. And a final note on the most prominent Russian hacktivist auxiliary, KillNet. This week the group announced that it would henceforth act as a private military hacking corporation, a kind of Wagner Group for cyberspace. It's just now announced, presumably for the benefit of prospective customers, that it would be unavailable for 72 hours while it reorganizes. We wonder if, like so many other corporate reorganizations, it will be accompanied by consultants, off-sites, team-building exercises, and the like. So, consider KillMilk, which is the nom de hacker of the guy in charge. Is this guy going to test as an ENTP on the Meyers-Briggs? Our money is this guy tests out as a J-E-R-K. But that's just us. Lead by example, Mr. Milk.

Maria Varmazis: Coming up, our guest is Marcin Kleczynski, CEO of Malwarebytes, sharing thoughts on the current threat landscape and attacks on students and academic institutions. Betsy Carmelite from Booz Allen discussing themes from the conference Tied into Critical Infrastructure Resilience.

Dave Bittner: Marcin Kleczynski is CEO at Malwarebytes. I caught up with him at the RSA Conference for his insights on the threat landscape and the tradeshow itself. So here we are at RSA Conference. And I'm curious as we come into this year, as we're making our way around the show floor and meeting with all the different people we're meeting, what is your sense of where we stand? Like, where do we find ourselves at this moment?

Marcin Kleczynski: Well, every time I walk into RSA every year, the stress level just feels like it's emanating from the -- from the room. So I feel like that's where we're at again this year.

Dave Bittner: Yeah.

Marcin Kleczynski: Threats have gotten worse. You know, complexity has gotten worse. Everything's gotten worse. And, you know, a lot of defenders in that room. And that's what we're proud of, you know, being in that room.

Dave Bittner: Where are you all focused this year in terms of coming at the threat and taking your place in the community?

Marcin Kleczynski: Yeah. So Malwarebytes is really focused on really simplifying security for a lot of folks. A lot of SMBs, MSPs that are underwhelmed -- or, overwhelmed, underwater, in terms of resourcing. We at Malwarebytes just really want to give them the tools to be successful and be able to protect themselves or their customers.

Dave Bittner: What are the stories that you're hearing from folks in terms of the specific pain points they're experiencing?

Marcin Kleczynski: Every year ransomware is just a common thread. We're seeing smaller and smaller businesses, education, hospitals, continue to be, you know, affected by ransomware. And this is really causing real-life issues, right? We're now talking about students' mental health being exposed online. Patients' records being locked. Every year it seems the stakes are getting, you know, bigger, and this year does not fail to surprise us again.

Dave Bittner: Yeah. You know, we're seeing economic headwinds, and that is finally sort of hitting the folks in cyber. We've seen some layoffs. And, of course, every year folks have to submit their budgets to the boards and the powers that be.

Marcin Kleczynski: Yeah.

Dave Bittner: What are your insights on how people go about prioritizing the things that they present, the things they buy?

Marcin Kleczynski: Yeah. Well, security is a necessity, right? It's a conversation in the boardroom. And you don't want to be the company in the news, or, you know, more importantly, you don't want your data stolen, your business affected. But every year is a challenge to go get the budget that you need for people, for technology. And over the years I've seen many tools, products, that are marketed well. You know, booths at RSA.

Dave Bittner: Sure.

Marcin Kleczynski: But sit on the shelf. And I think, you know, over the years people continue to buy things but don't necessarily implement them. As we face economic headwinds, security will always be necessary, but not as much of it. I think using the tools in your arsenal effectively -- more effectively is really the name of the game.

Dave Bittner: Do you have recommendations for how people set those priorities? As they look at their security stack, you know, what do I keep? What do I -- what am I making use of? What am I not? Or is that usually pretty self-evident for folks?

Marcin Kleczynski: Well, both, right? I think there are some things where you just look at it and we haven't really used this in a year and it's not really delivering value or we can consolidate it with another vendor. But it's an exercise that you kind of have to go through every year to see what are we using. What is deployed? What could be deployed? What is implemented well? What can replace a person -- or, better said, fill a need where, you know, we can't hire that person or can't find that person.

Dave Bittner: Right.

Marcin Kleczynski: So I think it's an exercise every year to just, well, justify all the technology and things you've implemented, really.

Dave Bittner: In terms of longer-term trends, as you walk around the show floor here, where do you think we're going as you look towards the horizon?

Marcin Kleczynski: More marketing.

Dave Bittner: Well, that's certainly the easy message to give here right now.

Marcin Kleczynski: Yeah, there's yet another, you know, buzzword somewhere on some booth that will be, you know, predominant next year. Look, I think security is really hard, and we as vendors make it even harder by throwing out all these marketing terms.

Dave Bittner: Yeah.

Marcin Kleczynski: First there's MDR. Now it's XDR. What's next, right? EDR, and so on. I do think as an industry we need to get better around just simplifying security for our customers. And buzzwords and, you know, handwaving and all that -- I just think that really creates a lot of confusion. It's one of my pet peeves at RSA is walking around and just seeing some of the messaging, knowing what the product and the company do versus what is on the --

Dave Bittner: Yeah.

Marcin Kleczynski: -- you know, actual -- actual banner and such. So, you know, my best advice to folks is always get a demo and really understand the value that this could provide. And are you solving a security need, or did you get drawn in by pretty good marketing messaging on the -- on the banners?

Dave Bittner: Yeah. How about the human side of it as well? I mean, the folks who are making these decisions, running these products, and implementing them every day. They're facing real stress.

Marcin Kleczynski: Yeah.

Dave Bittner: How do you feel about that side of it, and how we're attending to their emotional needs?

Marcin Kleczynski: Yeah. I'm very empathetic because, you know, I obviously am in security. I'm a CEO of a security company. At the same time, I know that we have people that haven't worked in security their entire life -- accountants and, you know, HR folks, and so on. And so their needs are, you know, as with every other company. Like, you've got to protect them. They don't know security. We continue to phish them. So I am, you know, empathetic because I understand the problem set. I also work with, you know, thousands of customers -- very small businesses up to kind of medium enterprises -- and every day is a challenge. It's like, well, I have to do this all by myself because I don't have the staff and I don't have the money for the staff. So, like, really, every day we wake up it's, like, how do we make this simpler? And I think the industry as a whole needs to embrace that mentality.

Dave Bittner: That's Marcin Kleczynski, CEO at Malwarebytes.

Dave Bittner: And it is always my pleasure to welcome back to the show Betsy Carmelite. She is a principal in cyber defense operations at Booz Allen. Betsy, great to see you here in person at the RSA Conference.

Betsy Carmelite: Likewise, Dave. This is really fun.

Dave Bittner: We have a specific topic we want to touch on here today, and that is critical infrastructure and resilience. I know that's something that you -- that is something that you and your colleagues have been focused on lately. What can share with us here?

Betsy Carmelite: Yeah. So the theme of this year's RSA Conference has been "Stronger Together." And if I've heard one thing throughout all these panels, it's this theme of understanding how to be resilient. And cyber resiliency, among others, with partnerships has very much played out in a lot of the panels and discussions that I have observed and my colleagues and I are having here at RSA.

Dave Bittner: So when we're talking about resilience when it comes to critical infrastructure, I mean, there's a lot of players that that notion touches.

Betsy Carmelite: Yeah. So I think in the past we've -- we've really focused on cyber defense. And that's certainly the field that I work in. But this theme of cyber resiliency is really the sense of being able to withstand and recover from a cyber-attack or incident. And the acknowledgment of the fact that you will be attacked, you've likely been compromised or will be compromised, is really at the core of anticipating how you do withstand an attack and recover. Also, zero trust plays into this. You and I have talked a lot about zero trust in the past already. But, yeah, this is really the lens through which I've attended these sessions, listened, and observed, and really focused on critical infrastructure resiliency too.

Dave Bittner: And what are you seeing this year at the conference in terms of the attention that this topic is receiving?

Betsy Carmelite: I have to start with Ukraine. Some of the discussions with our Ukrainian counterparts who are here talking about their roles as they're going through an ongoing conflict with Russia. And how the speakers, whether it's across the U.S. government, private industry, vendors -- how they're talking about holding -- holding up Ukraine as a model of cyber resiliency. And really taking those lessons and working to maintain the operability of Ukraine's infrastructure in the day-to-day war. But also, you know, when it comes to the U.S. -- what we're anticipating with our adversaries -- what are we going to learn and continue to uphold that example of Ukraine as a model.

Dave Bittner: And what are some of the specific things that are being discussed when it comes to that?

Betsy Carmelite: Yeah. So we heard that the Ukrainian lessons in resilience made their way into the National Cybersecurity Strategy. There was a lot of time to consider what was going -- going on in Ukraine. It's been under attack since at least 2014 when the annexation of Crimea occurred, if not longer -- before that. And it's really been a testing ground for cyber capabilities. So taking the lessons of how the Russians turned their tools on Ukraine and often before unleashing them on the U.S. And let's talk about, like, how APT28 has affected us in our election infrastructure. So, you know, taking those lessons learned, and it's very interesting that that made it into our own National Cybersecurity Strategy. Also, we're seeing from Ukraine the private industry and U.S. government and partner support in the cybersecurity space was a psychological game-changer for Ukraine. To kind of sustain -- understand that they're supported by the international community. It really buoyed its ability to react to both kinetic and cyber attacks. On the Ukrainian power grid, for example, they were able to understand and anticipate a kinetic attack because they saw their telecoms infrastructure under a cyberattack the day before. A TV tower went down in a physical attack.

Dave Bittner: Mm-hmm. Mm-hmm. And so moving beyond what's going on in Ukraine, I mean, how does that inform how we approach these things here stateside?

Betsy Carmelite: Yeah. So if we're looking at resiliency, and using that as an example, but also our day-to-day -- you know, as our own uplift and enhancements occur across our own cybersecurity organizations, private industry, trust and communication has been a theme. Not surprising. But that's really, you know, building the trust, maintaining the trust. We saw private companies reaching out to the Ukrainian government. How can we help you? With our data? With our cybersecurity tools? The FBI reaching out to companies and calling in requests to help Ukraine. Informing U.S. companies if they were unknowingly supporting Russian activities via their infrastructure.

Dave Bittner: So as we look forward toward the horizon, where do you suppose we're headed here?

Betsy Carmelite: More immediately, in another kind of geopolitical view on this that's kind of on everybody's minds, is this really positions the U.S. to consider the range of potential attacks that might result from a China/Taiwan scenario. And so, you know, what can we pay attention to with how Ukraine has shown its resiliency? But also, let's be aware, China is paying attention to U.S. reactions to Russia and how our assistance is playing out in cyberspace. So it's very encouraging in knowing that our, you know, larger partnership across, again, public, private, government, industry -- they're all watching this, as well, and taking the notes to see what could happen, probably, in a China/Taiwan scenario as well.

Dave Bittner: Yeah. Yeah. As they say, "interesting times," right?

Betsy Carmelite: Yeah. And there are -- there are a couple of other interesting pieces that have come out of the cybersecurity strategy -- the National Cybersecurity Strategy. But really enabling organizations to figure out how tactically their going to shift their day-to-day operations. And in the longer view, for their strategic thinking, themes like secure by design, secure by default, holding the industry accountable for taking the burden off the victim for the attack and attack outcomes. We know that the U.S. is looking into legislation right now with mandatory reporting for breach notification.

Dave Bittner: Mm-hmm.

Betsy Carmelite: We heard the encouragement for the open comments on that legislation and that document right now coming up from CISA. The information that comes from victims informs the threat, and the result of those investigations then informs cyber operations. So partnership and encouraging victims to come forward is really at the core of that -- you know, that trust and communication. And that's really what builds resilience.

Dave Bittner: All right. Well, Betsy Carmelite, interesting insights as always. Thank you so much for joining us.

Betsy Carmelite: Thanks, Dave. Great to be here in person with you.

Maria Varmazis: And that's the Cyberwire. For links for all of today's stories, check out our Daily Briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It will save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Tré Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Milly Lardy, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Jim Hoscheit, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and Dave Bittner. I'm Maria Varmazis. Thanks for listening.