The CyberWire Daily Podcast 6.5.23
Ep 1837 | 6.5.23

Need a Lyft? Not if Anonymous Sudan has anything to say about it. Closing time, open all the doors and let KillNet into the world.

Transcript

Dave Bittner: Anonymous Sudan targets Lyft and American hospitals following remarks from US Secretary of State. NSA releases advisory on North Korean spear phishing. The US government's Moonlighter satellite will test cybersecurity in orbit. "Operation Triangulation" offers an occasion for Russia to move closer to IT independence. The SEC drops cases over improper access to Adjudication Memoranda. Executives and board members are easy targets for threat actors trolling for sensitive information. Rick Howard targets zero trust. The FBI's Deputy Assistant Director for Cyber, Cynthia Kaiser shares trends from the IC3 Annual Report. And KillNet seems to say it's disbanding, or is it?

Dave Bittner: I'm Dave Bittner with your CyberWire Intel Briefing for Monday, June fifth, 2023.

Anonymous Sudan targets Lyft and American hospitals following remarks from US Secretary of State.

Dave Bittner: Anonymous Sudan began targeting US organizations on Saturday in a new distributed denial-of-service campaign after the hacktivists took offense at comments made by U.S. Secretary of State Antony Blinken regarding possible US involvement in Sudan. The hacktivist group posted a threat on its Telegram page today, and targets included US ride-share program Lyft and five US healthcare organizations, which the group has reportedly taken a break from as they are "satisfied" with their results. It's unclear if more attacks are to occur, but Anonymous Sudan seems dedicated to pursuing nuisance-level attacks on countries that displease them.

NSA releases advisory on North Korean spearphishing campaigns targeting think tanks, universities, and media organizations.

Dave Bittner: The U.S. National Security Agency stated in a press release that it has partnered with five U.S. and Republic of Korea agencies to release a cybersecurity advisory. In the advisory, the agencies note that North Korea's primary intelligence agency, the Reconnaissance General Bureau, is responsible for spear phishing campaigns. The statement named the threat actors associated with these attacks as: Kimsuky, Thallium, APT43, Velvet Chollima, and Black Banshee. In many cases, the threat actors will pretend to be real journalists to build rapport with their targets. Typically, the actors will then ask questions regarding current events and U.S. expert opinion on North Korean affairs. The actors will also masquerade as scholars, think-tank advisors and officials from the government in email correspondence. Eventually, they will send a fake email pretending to be the target's email service provider requesting that they reset their password, threatening to permanently delete their account if they fail to follow the instructions. NSA advises all potential targets to consider the risks before clicking on links sent over email from unverified sources. Additionally, they suggest training employees on spear phishing awareness.

MOVEit file transfer vulnerability added to CISA's Known Exploited Vulnerabilities Catalog.

Dave Bittner: CISA added the Progress MOVEit Transfer SQL Injection Vulnerability -- CVE-2023-34362 -- to its Known Exploited Vulnerabilities Catalog on June second. Mandiant reports that this vulnerability seems to have been used on May twenty-seventh by UNC4857 and describes it as "a newly created threat cluster with unknown motivations." Industries in Canada, India, and the US have found themselves targets. Mandiant's researchers add that the threat actors have been seen deploying a newly discovered web shell called LEMURLOOT, which is used for data theft. Mandiant adds that it's unable to conclusively attribute this new activity to an established threat group, but they list FIN11 and UNC2546 as groups of interest due to shared tactics, techniques, and procedures. The researchers add that they have also noticed Cl0p searching for partners that utilize SQL injection, so it may be possible that the ransomware group is associated with this exploit.

Moonlighter will test cybersecurity in orbit.

Dave Bittner: The launch of the Moonlighter satellite, a government-funded satellite coined "the world's first and only hacking sandbox in space," was delayed from yesterday to today due to high winds, Spaceflight Now reports. The launch was scheduled for liftoff from the Kennedy Space Center aboard a SpaceX Falcon 9 on a resupply mission to the International Space Station. Earlier Sunday, the outlet reports, another Falcon 9 rocket launched from the neighboring Cape Canaveral Space Force Station. The Moonlighter was built by the Aerospace Corporation, the Register reports, "a federally funded research and development center in Southern California, in partnership with the US Space Systems Command and the Air Force Research Laboratory." The satellite will support cybersecurity training and exercises in orbit, with the software developed by those working in the information security and aerospace engineering fields.

"Operation Triangulation" offers an occasion for Russia to move closer to IT autarky.

Dave Bittner: The Record reports that in response to FSB claims that Apple colluded with the US National Security Agency to facilitate NSA access to Russian users' iPhones, Russia is moving to equip officials with phones running Rostelecom's Aurora operating system. Apple has denied working with NSA or any other intelligence service to compromise the security of the devices it sells. The move toward greater self-sufficiency has a dual motivation. The first is concern for security. The second is concern to maintain a national IT capability in the face of international sanctions levied in response to Russia's war against Ukraine. A campaign dubbed "Operation Triangulation" by Kaspersky researchers, which they say they detected in iOS devices and which may presumably be the same campaign the FSB complained of, remains mysterious. ComputerBild offers a rundown of how the campaign may have unfolded and notes some possible similarities to other operations using commercial spyware.

KillNet seems to say it's disbanding.

Dave Bittner: Citing chatter in the hacktivist auxiliary's VKontakte channel, Cybernews reports that KillNet says it's disbanding. The reasons are unclear, but the group's admin posted, "I do not intend to single out the rest, no one deserves an acclaim and a comment. Killnet has been completely disbanded." The announcement came after resignations and expressions of dissatisfaction. How seriously the announcement should be taken remains to be seen; in some ways the announcement looks more like a do svidaniya to a disgruntled member than a dissolution.

SEC drops cases over improper access to Adjudication Memoranda.

Dave Bittner: The US Securities and Exchange Commission on Friday announced that it was dropping a number of cases in which Enforcement staff received improper access to restricted Adjudication Memoranda. The SEC attributed the incident to inadequate internal controls over sensitive information, saying that they "deeply regret that the agency's internal systems lacked sufficient safeguards surrounding access to Adjudication memoranda." They promise appropriate safeguards in the future.

Executive and board members are easy targets for threat actors trolling for sensitive information, study finds.

Dave Bittner: And finally, companies spend millions on cybersecurity to protect their corporate infrastructure, but what are the cybersecurity mitigations in place to protect the devices of the executives of the company when not at work? This is the question posed in a study by BlackCloak in their report titled "Understanding the Serious Risk to Executives' Personal Cybersecurity and Digital Lives." Apparently, most companies don't protect the personal devices of their executives and board members. Fifty-eight percent of companies polled didn't incorporate the risk of key executive members' personal devices into their cybersecurity risk portfolio, and 62% of the companies had no dedicated services to respond to attacks on the high-ranking members. So executives, keep an extra close eye on your smartphones and tablets. Threat actors may be after more than just your playlists and grocery lists.

Dave Bittner: Coming up after the break, Rick Howard targets zero trust, the FBI's Deputy Assistant for Cyber Cynthia Kaiser shares trends from the IC3 Annual Report. Stay with us.

Dave Bittner: And it is always my pleasure to welcome back to the show, Rick Howard. He is the CyberWire's Chief Security Officer. I suppose I should say N2K's Chief Security Officer.

Rick Howard: That's exactly right. Get it right, Dave. Get it right.

Dave Bittner: That's right. Just a half-step behind. Also, our chief analyst. Rick, your podcast, CSO Perspectives, and the book that you just published spends a lot of time talking about cybersecurity first principles. And one of the key strategies that you advocate for is zero trust. Now, we're not talking about the vendor hype version of zero trust, about how their products are all zero-trust capable and all that stuff.

Rick Howard: Right.

Dave Bittner: But you're talking about the strategy and tactics that network defenders can use to actually implement the philosophy. Now, you and I were talking on some of our Slack channels this week about how zero trust, since its inception about 2010 or so has kind of been a bit of a moving target, and I was - I thought maybe this would be a good opportunity that we could chat about that. Maybe you could help improve my understanding about that. Why is it a moving target?

Rick Howard: Well, you're right, Dave. I fundamentally believe that for the right organization, zero trust is a highly impactful strategy that will help you buy down the risk to your own organization. But when John Kindervag wrote the original white paper back in 2010, we were mostly talking about limiting access to our employees and contractors based on a need to know. Right? But as the time slipped by and we got to around 2013 or so, when it started to become acceptable to allow employees to use their personal devices to do work, you know, like tablets and laptops and phones, we started thinking about how to limit device access, too. And then just this year, the US Cybersecurity Center for Excellence announced its research on data classification processes. A really boring name, by the way, but it's a great aspirational idea for being able to apply the same kinds of internal zero-trust controls that you and I might use with our own internal digital infrastructure to data that leaves your organization, like, you know, email and files stored in public repositories, Dropbox, and, you know, Amazon S3 buckets. And then you and I just published a CyberWire-X podcast on that very subject. It's called What is Datacentric Security and Why Should You Care?

Dave Bittner: Yeah.

Rick Howard: But in 2020, we were all relearning what a supply chain attack was when the hackers behind APT29 compromised SolarWinds, and in 2021 when the InfoSec community discovered the Log4j vulnerability and the risk of open-source software. We started to get serious about applying zero trust rules to commercial applications that we buy, software that we build ourselves, and open-source code libraries that are used by everybody.

Dave Bittner: And that is what you are talking about in this week's episode of CSO perspectives.

Rick Howard: That's right. It's called Zero Trust in an App-Centric World, and we invited two guests, one from Okta and one from Cato, to join us here at the CyberWire [inaudible] table to discuss it.

Dave Bittner: All right. Well, look forward to that. Before I let you go, what is the phrase of the day over on your Word Notes podcast this week?

Rick Howard: The phrase is SEO poisoning, and we're going to demonstrate how the attack activity is the Great Waldo in the InfoSec space.

Dave Bittner: Okay.

Rick Howard: If you don't know what the Great Waldo is, you have to come and listen to the episode.

Dave Bittner: All right, fair enough. We'll check it out. Rick Howard is the CyberWire and N2K's Chief Security Officer. Rick, thanks for joining us.

Rick Howard: Thank you, sir.

Dave Bittner: It is my pleasure to welcome to the show, Cynthia Kaiser. She is Deputy Assistant Director for Cyber at the FBI. Cynthia, welcome to the show.

Cynthia Kaiser: Glad to be here.

Dave Bittner: So I want to touch with you today on the IC3 Annual Report, which you and your colleagues have recently put out. Before we dig into the report, for folks who might not be intimately aware, can you give us a little overview of the IC3 and the mission there?

Cynthia Kaiser: Sure. So the FBI's Internet Crime Complaint Center, also known as IC3, serves as a really convenient mechanism to report suspected internet-facilitated crime to the FBI, but it's also much more than that. Information gathered from IC3 through the public reporting is analyzed and disseminated for investigative and intelligence purposes for us to be able to conduct, you know, law enforcement actions or just for public awareness. The site is also a fantastic resource to review recent consumer alerts, industry alerts, and other relevant cybersecurity information.

Dave Bittner: Well, let's dig into the annual report here together. What are some of the things that caught your eye?

Cynthia Kaiser: Every year, IC3 produces that annual report on trends that impact the public, as well as just routinely providing the public reporting about the trends that we're seeing. The information submitted to IC3 is in individual complaints, and then it's combined with other data to come out with this report. So just to kind of give you a little bit more background on the report itself. So in 2022, I think what struck me as - the IC3 received over 800,000 complaints, and that's actually a 5% decrease from 2021, but the potential total loss has grown from just about 7 billion in 2021 to over 10 billion in 2022. So we saw less reporting, but much larger sums.

Dave Bittner: And to what do you attribute that shift?

Cynthia Kaiser: In part, we've seen a big increase in investment fraud, and that includes cryptocurrency scams. We also have seen just a larger amount of, you know, business email compromise, the kind of tech-support fraud that will happen when, you know, people just get a call from a call center and it sounds legit and you're going to try to get, you know, yourself back online or give your password information, and then all of a sudden you've lost money. So you know, we did see growth in several areas, but I do think overall, some of what we also saw was a little bit of a decrease in ransomware complaints overall. Now, I think it's too soon to tell why exactly we saw that decrease, and we saw really a leveling off amount from ransomware complaints. But overall, we have seen actors trying to recalibrate given the better cyber hygiene that's going on across the nation. You know, given just industry and you know, private sector options that are available now for being able to counter ransomware and you know, we're continuing to monitor that to see if that's a downward trend, if it's a leveling off trend, etcetera. But we also know and we're able - it's kind of fun to see, you know, we have this reporting, we have the public reporting. And then we also see what's going on in our operations, and I think Hive is a great example where we're able to match up the two to better understand what's going on with reporting overall. So because of the access that we had during our Hive operation, we're able to see that only about 20% of victims from Hive are reporting to the FBI.

Dave Bittner: In terms of the reporting to the IC3, is that primarily consumers or is it businesses, or a mix of both?

Cynthia Kaiser: A mix of both. So we see anything from individual Americans who are being, you know, targeted in individual scams, especially you know, elder fraud scams to large businesses. This is where a lot of our private sector partners are going to put in a report when they've had a ransomware attack, or you know, their outside counsels or you know, other entities that are assisting them are helping us by submitting these reports, ensuring that we're able to keep record of it, we're able to keep track of it and engage with them in an appropriate way.

Dave Bittner: Well, based on the information that you all have gathered, here, what are your recommendations for folks to better protect themselves?

Cynthia Kaiser: You know, I think we encourage anyone who is victimized by a cyberattack or intrusion to alert us of that as early as possible. The sooner we're made aware, the sooner we can respond, assist, and mitigate damage to the victim and other potential victims. A good example of that is our financial fraud kill chain. Over 70% of reports that were made into IC3 in a certain category, we were able to help recover those funds because the report had happened early on in the process. And that's over - I'm talking over 400 million recovered.

Dave Bittner: Wow.

Cynthia Kaiser: So it's a huge amount. So we're able to assist further. So I think the early reporting is, you know, the best thing we can do. But backing up before something happens, some of the best practices we recommend are backing up data, system images, and configurations, testing backups, and making sure those backups are not connected, they're offline, using multi-factor authentication, updating and patching systems, making sure security solutions are up to date, and then overall reviewing and exercising an incident response plan, including ensuring that you have the FBI point of contact who you're going to call. They're not just kind of an unknown number, but you know that person. You have that person in your cell phone and we're happy to facilitate that. You know, it's great to call us ahead of time so that we're able to be a part of that.

Dave Bittner: Yeah, I mean, that's a message we've shared I think multiple times, here, that if you're a CISO out there, it's in your best interest to make that introduction to your local FBI field office.

Cynthia Kaiser: Exactly! And I think as a CISO, you want options. You want to know all the people you can call. You want to know who you're going to call for incident response. You want to know who you're going to call for legal advice, and including the FBI in that is really important.

Dave Bittner: Cynthia Kaiser is Deputy Assistant Director for Cyber with the FBI. Cynthia, thank you so much for joining us.

Cynthia Kaiser: Thank you.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by Rachel Gelfand. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening and see you back here tomorrow.