Five Eyes disrupt FSB’s Snake malware. From DDoS to cryptojacking. Ransomware trends. Yesterday’s Patch Tuesday is in the books.

Dave Bittner: The Five Eyes disrupt Russia's FSB Snake cyberespionage infrastructure. Shifting gears: from DDoS to cryptojacking. Trends in ransomware. Our guest is Steve Benton from Anomoli with insights on potential industry headwinds. Ann Johnson from Afternoon Cyber Tea speaks with Roland Cloutier about risk and resilience in the modern era. And yesterday's Patch Tuesday is in the books, including a work-around for a patch from this past March.

Dave Bittner: I'm Dave Bittner with your CyberWire intel briefing for Wednesday, May 10th, 2023.

The Five Eyes disrupt Russia's FSB Snake cyberespionage malware.

Dave Bittner: The Five Eyes took down the Snake infrastructure that Russia's FSB security and intelligence service has used for espionage and disruptive activity for the past two decades. Operation MEDUSA, as the takedown is being called, involved both the technical disruption of Snake malware deployments, and lawfare as well. Operation MEDUSA was the work of an international partnership whose principal members included the United States' NSA, FBI, CISA, and Cyber National Mission Force. Members from the other Four Eyes included the Canadian Cyber Security Centre, the United Kingdom National Cyber Security Centre, the Australian Cyber Security Centre, and the New Zealand National Cyber Security Centre.

Dave Bittner: The Joint Cybersecurity Advisory these agencies issued describes Snake as "the most sophisticated cyber espionage tool designed and used by Center 16 of Russia's Federal Security Service for long-term intelligence collection on sensitive targets." The malware is stealthy, readily tailored to specific missions, and well-engineered. And that unit, which has been commonly known as "Turla," has been actively collecting intelligence against targets in some fifty countries for nearly two decades. NATO members have been among the most common targets, and the FSB collected against many sectors in those countries, not just government agencies, but businesses, not-for-profits, universities, and research institutions as well.

Dave Bittner: You can find technical details about Snake, its detection and the uses to which the FSB had put it, in the Joint Security Advisory the partners issued. It's worth noting that Operation MEDUSA had a significant legal dimension and that it involved waging lawfare as much as it did technical hunting and disruption of a hostile infrastructure.

Dave Bittner: Indeed, The Justice Department describes Operation MEDUSA as "a court-authorized operation," and the FBI obtained a Rule 41 warrant to remove Snake from eight infested systems. Such warrants are uncommon. The Department of Justice has used them twice in the past, the reports, once to disrupt China's Hafnium espionage campaign and once to dismantle Cyclops Blink, a Russian intelligence service botnet. So a well-done to all involved with Operation MEDUSA.

From DDoS to cryptojacking.

Dave Bittner A threat actor has decided to shift gears and move from DDoS to cryptojacking. The new RapperBot campaign is unlike the gang's past activity, FortiGuard Labs reported yesterday. In the gang's activity from August and December of last year, the RapperBot hackers were observed launching Distributed Denial of Service (DDoS) attacks. In a campaign active since at least January of this year, the RapperBot actors are involved in cryptojacking, specifically targeting Intel x64 machines running the Linux operating system. Researchers say they initially observed the threat actors executing a separate cryptominer alongside the RapperBot malware, but both have now been combined into one bot. The malware is regularly seen undergoing updates to better evade detection.

Trends in ransomware.

Dave Bittner: Sophos today released its annual State of Ransomware report for 2023, surveying a variety of cybersecurity industry experts across 14 countries. 66% of organizations surveyed were hit by ransomware within the last year, with 36% caused by exploited vulnerabilities. The education sector has seen much ransomware activity, with about 80% of high and lower education organizations surveyed reporting being victimized. Just over three-quarters of the ransomware attacks of those surveyed resulted in the encryption of data, and in 30% of these cases, data was also stolen. Just under half of those that had their data encrypted paid the ransom, with larger organizations significantly more likely to pay. The average ransom demand of $1.54 million in 2023 nearly doubles that of 2022's figure of $812,380. The average cost of recovery is even higher than the ransom demands, at $1.82 million. This is another trend study that confirms the prominent place ransomware now places in the underworld, and the pervasive threat it's become to organizations of all sizes, in all sectors. 

Yesterday's Patch Tuesday is now in the books.

Dave Bittner A quick note about Patch Tuesday, which, this month, fell yesterday. Companies addressed a large number of vulnerabilities. Microsoft has fixed 40 security vulnerabilities. Mozilla released two patches, one for Firefox 113, and another for Firefox ESR 102.11. Adobe has patched 14 vulnerabilities in Substance 3D Painter and Onasis released a blog detailing the SAP patch day patches. Do take a glance at the updates. You can find a summary on our website. And go and do as CISA always advises: "apply updates per vendor instructions."

A work-around for a March patch.

Dave Bittner One final coda for Patch Tuesday, researchers at Akamai have discovered a critical vulnerability in an internet explorer component. This vulnerability tricks an Outlook client into connecting with the attacker's server, allowing the attacker to crack the victim's password offline or use it in a relay attack. Russian threat actors have been seen using this exploit for over a year, targeting the European government, transportation, energy and military sectors. Importantly, this attack is classified as a no-click attack, which means that the victim doesn't have to interact with the malware by clicking a link or downloading a file. It works by sending a reminder email to the victim with a custom sound notification containing a path to the attacker's server. Akamai informed Microsoft of this vulnerability and Microsoft released an update in the March Patch Tuesday to fix the problem, but Akamai has since determined that there are workarounds that could get past the patch. Microsoft addressed those remaining issues in yesterday's Patch Tuesday. Sometimes you need a second swing.

Dave Bittner Coming up after the break, Steve Benton from Anomali has insights on potential industry headwinds. Ann Johnson from Afternoon Cyber Tea speaks with Roland Cloutier about risk and resilience in the modern era. Stay with us.

Dave Bittner Steve Benton is vice president of Threat Research at Anomali. I spoke with him at the RSA conference about the potential headwinds the industry is facing with economic uncertainty on the horizon and the threat of potential layoffs. What is he seeing from leaders with tough decisions to make?

Steve Anomali: Well, I think they're making a lot of choices, choices about what tooling do we need to bring into our enterprise, but also what tooling to be no longer required. Because they're having to manage a budget. So they're really trying to understand how do I increase my grip on the security posture of my organization, what toolsets are actually going to assist me with that, what toolsets will compensate and provide amplifying controls. But I can't afford to run everything, so I'm going to have to hunker down into something smaller. So how do I figure that one out? Well, it needs to be threat informed. It needs to be intelligence informed. So you need to be thinking about, what are the attackers and their likely objectives of my organization, and how are they likely to come at me? And therefore, what are the set of overlapping and compensating controls that are going to help me most with that? And if you've assessed that in terms of risk, then you can act upon that. And so what you're looking to do, if you like, is if you imagine like a hype cycle, you're trying say, okay, I've got my tools that are absolutely hitting that sweet spot. Am I getting the maximum out of those tools? And I'll come back to that in a moment. And then I've got tools that, you know what, we've had for a while. Security team might love them, you know. But they may have to let go because it's not really giving us what we need. And what it's giving me is cost but also overhead in terms of spending time with my analysts looking after those tools and utilizing them. So we need to stop that, exit that, to make the time for the top of the hill. And then there may be some tools that I've just bought but the adoption isn't there. I haven't brought it up to the top of the slope. So that's actually a failing control, because it isn't implemented correctly. That's kind of the challenge the organization has, is to create that. Now, if you turn that into a narrative that you have with your senior leaders, they now see you as running an efficient business, because you're taking those things into consideration. And that's really important, because now you become investable as a part of the business. You're seen as part of the business. Because the other thing that's happened, you know, over the last sort of five years, is cyber threat is more than just a data leak type issue. It's more than a brand and reputation piece. Fundamentally, if you suffer a cyber incident, more than likely it will stop the business. Because your business is fundamentally dependent on its digital footprint, whether that's for its employees, how they interact with the organization, whether it's how you organize or interface with your marketplace, indeed, you know, how you interact with your supply chain. So we've seen evidence of businesses literary stop when they get hit with a cyber attack. So nowadays there's a business interruption risk. Which means that now it has an equal seat at the table, if you like, up to the C-level. And so they want to know that you as a CISO have got grip. What I mean by that is you've got grip on the relevant threat environment -- relevant threats that are likely to cause us harm -- that you've got grip on our security posture to those threats. And then fundamentally then it means you've got grip on the shearing -- the ability of our business to operate and growth. And that completes the cycle of making the CISO an investable part of the organization and a trusted partner in helping to put the right things in place to assure the operation and growth of the business.

Dave Bittner: I'm curious -- because I can understand or imagine the impulse that a CISO might have of, I don't want to be the person who gets rid of the tool that in retrospect the board says, well, why didn't we continue that; that might've stopped the breach? Do you understand that, I guess it's a fear-based motivation or a voidance?

Steve Anomali: It is. And security, for years and years, has operated on a diet of fear.

Dave Bittner: Yeah.

Steve Anomali: But it shouldn't be operating on a diet of feat. It should be operating on a diet of being informed. So threat-informed defense is where the game is at. Because we do have limited resources. So we do need to double down on what's important. And the way to think about it is, you know, a lot of organizations, they organize their SOCs. The teams there literally are just going through alerts. It's rinse and repeat, rinse and repeat, rinse repeat. And they're almost like a junior soccer team. So they like playing the game and they turn up and they play the match. They're not really thinking about who they're playing against or who the next match is going to be against. Now, when you progress up in soccer and you get to more professional teams, they analyze their opposition. They prepare for the next match. And they think about who they're going to be playing. And, therefore, they start to double down on the right kind of playbooks, but also the right kind of overlapping and compensating and amplifying controls. And that's really motivating actually for the soccer team, because now they're actually thinking about the game they're in. And that narrative can be taken up then to the C-level, and they feel part of the team as well. And it's hugely motivating, but also demoralizing for the attackers, because they're now playing against a professional team.

Dave Bittner: In terms of of the folks making those presentations to the board and winnowing down the number of tools that they're using and justifying that, I mean, I would imagine that that's something that all the various leaders of the various parts of a business are also doing. Does the cyber group get more scrutiny than some of the others? Is cyber just a bit more mysterious to the board members? Or where do you suppose that stands?

Steve Anomali: Yeah, cyber is mysterious to the board members, because it doesn't directly deliver the output of the business. It protects the business's ability to operate. So it's a little bit like it's a semi black box. They don't really understand why we have all this stuff and what does it do. And they go to the SOC, and they're pleased when they see the big map of the world and things flashing around, because it gives them a kind of assurance that, ah, we have command.

Dave Bittner: Ping, ping, ping.

Steve Anomali: Yes. But they don't really know, you know, what the utility is and all the various aspects for it. And that's where I think it's important for a modern CISO to be talking about threat, to be talking about not just individual threats and indicators, but actually proper attack chains and motivations and how actors operate, and give them a character, give them a story that can be told. Because then, you know, the business leaders understand who's out there just wishing to come at them and for what reason and how that would happen. But we've got it, right, we've got the security posture under control. We're monitoring it. So it's in a dynamic way. We can shift into heightened awareness when we have something important happening in the business. Maybe it's end of year. Maybe there's a new product launch. Maybe you're entering a new market. We've done the risk assessment. We've got the controls in place. I'm giving you the assurance that we have eliminated as much of the uncertainty about that next move, that next phase of growth, from a cyber risk perspective. We have created cyber resilience in operation.

Dave Bittner: That's Steve Benton from Anomali.

Microsoft's Ann Johnson is the host of the Afternoon Cyber Tea podcast right here on the CyberWire Podcast Network. She recently spoke with Roland Cloutier about risk and resilience in the modern era. Here's a segment from that conversation.

Ann Johnson: Today I am thrilled to be joined by Roland Cloutier, who is currently Principal at the Business Protection Group, which is an executive cybersecurity advisory firm. Prior to the Business Protection Group, Roland was the Global Chief Security Officer at Byte Dance and TikTok, one of the world's largest leading media, social, and online technology companies. And prior to Byte Dance and TikTok, Roland held Chief Security and security leadership roles at ADP, EMC, Paradigm Technology, and more. Roland has also held roles in law enforcement and is a veteran of the US Air Force. With over 25 years of experience in the military, law enforcement, and commercial sector, Roland is one of today's leading experts in corporate and enterprise security, cyber defense program development, and business operations protection. Welcome to Afternoon Cyber Tea, Roland.

Roland Cloutier: Roland Cloutier: Ann, always great to be having a little chat with you over tea. Thanks for having me.

Ann Johnson: So look, the world has changed a lot since then, right? It's gotten more treacherous over the years. Right now, I'm giving a talk with Nadab Safrir [phonetic] from TeamMate on geopolitical resilience at RSA, which is happening, you know, right after we're recording this. And we're putting out a call to leaders that they have to think about how they're going to plan for geopolitical resilience as well as cyber resilience and these inevitable global events and the issues we're having. I'd love your take on this. How do you think leaders and organizations need today to build capabilities to ensure success amidst this challenging global environment? And what role does the cyber team play in building these capabilities?

Roland Cloutier: It is such a multi-level question, and not that I've lived this for the last few years, but you know, I'll give you my take on it. So I think foundational bottom line basics where chief security officers, chief information security officers, EIEIOs, however you want to look at them, they have to understand business resiliency and really that three-legged stool. You know, the business continuity and business impact analysis and how your business works. They have to be business leaders. They have to understand the difference between disaster recovery and continuity of operations, or old school, you know, government folks like you and I, kind of cogs, and then that third component of crisis management. And not just cyber incident, IR crisis management. I'm talking about business-impacting events that require strategic and tactical senior-level capabilities to manage through, you know, crisis problems for the entirety of the business. So I think if you focus on those and you have the ability to understand your business, understand what has to be in place in order for that organization to operate and what are the critical functions that impact the normal operations of business, you're in a great spot.

Ann Johnson: You know, when I talk to your peers, they're talking a lot about technology, right? They're starting to talk more about operations because they have to. They're talking about business resilience and operational resilience because they have to. But I'd love to get your advice. But a lot of the companies I talk to, right, and probably even people you talk to, are more mature organizations. They're more mature on their journey. So can we go to companies that are earlier on the journey? They don't have the most mature security programs. They don't have the biggest budgets. They don't have the most people. What fundamental decisions do they need to make right now? Or what discussions should they be having?

Roland Cloutier: In the context of geopolitical issues or in the context broadly of being able to support the business itself?

Ann Johnson: Yeah, and I think that's a great clarification. I would love to talk about how they support the business. But then how do they support the business in dynamically changing times, right? What are like the must-haves that they should be doing right now?

Roland Cloutier: All right, I'm going to take you in the Wayback Machine because I still think it's fundamentally important. As you know, Ann, I don't call security security all the time. I often call it business operations protection because I really believe that's what we're there for. Whether you work in a business or an agency, you're there for the assurance and continuity of operations and the protection of what they take to market. And so if we can take a step back and do something as simple as what most MBAs would call Michael Porter's Value Chain, but do a value chain, you know, assessment of the business. If you can sit down and understand how your business develops product, takes product to market, makes money, and services and keeps clients in the context of how your company operates, then you've gone a long way. Because, you know, we always say you can't protect what you can't see. How can you protect the business which you don't understand? I mean, just because you can protect the data center or a cloud compute infrastructure or a messaging platform, or, or, or, it doesn't mean you understand it. And it's the same with a business. I think in today's environment where CISOs, CPOs, CDOs, all the folks that are required to protect some level of operation in some way, or meet regulatory requirements, they need to start understanding that they need to assess how their responsibilities goes across the entirety of the business and what they should really be looking at. And the good thing that pops out of that is that not only do you know how you protect your business, or you know what's critical to the operations of your organization, like the critical access protection program, but you also understand how your business operates. And you can actually educate often your company on how their company operates. You know, like if those two third parties go away, we can't do revenue rec, nor can we deliver cloud compute services here, right? I mean, like, those are big a-ha moments. I've had a-ha moments in my life, Ann, where we've lost literally like a smoking hole in the ground of a data center in Europe. And, you know, I show up a couple days after, it's still smoldering. And we're in the middle of a DR process, realizing that we didn't even understand the extent on which continents that that one data center impacted. And CISO, a good way to start is get in front of their business by helping map out their business. And this is one of the most basic things any chief security officer should be doing day one.

Dave Bittner: You can hear more of Ann Johnson's conversation with Roland Cloutier on our website, thecyberwire.com.

And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at the cyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.