The CyberWire Daily Podcast 6.12.23
Ep 1842 | 6.12.23

Unpatched instances and vulnerabilities rear their ugly heads. Russian telecom provider targeted in an act of “cyber anarchy.” Alleged crypto heist conspirators face charges.

Transcript

Dave Bittner: Attacks against unpatched versions of Visual Studio and Win32k continue. Progress Software patches two MOVEit vulnerabilities. The Cyber Anarchy Squad claims to have taken down a Russian telecommunication provider's infrastructure. RomCom resumes its activity in the Russian interest. Deepen Desai from Zscaler describes Nevada ransomware. Our guest is Clark Rodgers from Amazon Web Services with insights on what CISOs say to each other when no one else is listening. And the Mt. Gox hacking indictment has been unsealed.

Dave Bittner: I'm Dave Bittner with your CyberWire intel briefing for Monday, June 12, 2023.

Attacks against unpatched Visual Studio and Win32k continue.

Dave Bittner: Threat actors continue to exploit a vulnerability in Microsoft's Visual Studio installer, "The Register" reports. According to researchers at Varonis, the flaw can allow an attacker to spoof an extension signature and effectively impersonate any publisher. Microsoft patched this vulnerability on April 11. And according to researchers at Numen, other attackers are also exploiting a privilege escalation vulnerability affecting Win32k. Numen says that the vulnerability poses a major risk to systems older than Windows 11. Microsoft issued a patch for this flaw in May, and we note in full disclosure that Microsoft is a CyberWire partner.

MOVEit exploit update: Progress Software patched two MOVEit vulnerabilities including widely exploited CVE-2023-34362.

Dave Bittner: In the continuing story of threats to MOVEit and the steps being taken to thwart them, MOVEit vendor Progress Software released an update to its file transfer software, patching the previously exposed and exploited CVE-2023-34362. Progress also disclosed and fixed a new, yet-to-be-exploited bug. The new vulnerability, which hasn't yet been assigned a CVE, was discovered during a proactive investigation conducted in coordination with cybersecurity firm Huntress. Progress advises users to update their software, and explicitly urges users to only update their products through Progress' blog.

Minnesota Department of Education and UK’s Ofcom are among the latest victims of MOVEit vulnerability exploitation. 

Dave Bittner: The older MOVEit vulnerability continues to be exploited in instances whose users haven't yet applied the available fixes. On Friday, June 9, the Minnesota Department of Education, the MDE, reported that one of its servers was compromised through exploitation of the earlier MOVEit vulnerability, CVE-2023-34362, which the MDE had not yet patched. MDE explained that 24 files had been accessed, which compromised approximately 95,000 names of students placed in foster care throughout the state, as well as students qualifying for the pandemic electronic benefits transfer and students in particular college classes and bus routes. No financial information was exposed. MDE recommends that affected individuals monitor their credit reports and take steps to protect their identity. The 74 reported that ransomware gang Medusa has claimed responsibility for the breach and is demanding $1 million in ransom. The outlet says that a preliminary review of the gang's dark web leak site by The 74 suggests the compromised files include a significant volume of sensitive documents, including information related to student sexual violence allegations, finances, and student discipline, among others. And over in the U.K., the regulatory body Ofcom this morning disclosed that it too had been affected by exploitation of this vulnerability. Ofcom said, "A limited amount of information about certain companies we regulate, some of it confidential, along with personal data of 412 Ofcom employees, was downloaded during the attack." Investigation and remediation are in progress. If you're a MOVEit user, do consult Progress Software's blog.

Cyber Anarchy Squad claims to have taken down Russian telecom provider's infrastructure.

Dave Bittner: The Cyber Anarchy Squad, which represents itself as a hacktivist organization dedicated to supporting Ukraine in defending itself against Russia, claimed to have successfully hit the Russian telecommunications provider Infotel JSC last Thursday evening. Infotel JSC confirmed that its systems had indeed come under attack, Bleeping Computer reports, saying that "Restoration work is currently underway. Additional deadlines for completing the work will be announced. We hope for your understanding and further cooperation." For its part, the Cyber Anarchy Squad crowed about its destruction of Infotel JSC's infrastructure, "The Record" reports. Infotel JSC has a number of clients in the financial sector, including Russia's central bank. Connectivity between the central bank and other financial service and e-commerce businesses depends to a significant extent on the telco's infrastructure, and the Cyber Anarchy Squad claims that its attack has rendered it difficult, and in some cases impossible, for banks to conduct routine transactions. The attack coincided with the opening of Ukraine's counteroffensive and, according to Security Affairs, included website defacements celebrating Ukraine's attack. There are no obvious indications, however, that the cyber attack was a closely coordinated combat support operation. It seems rather to have been malevolent exuberance directed towards Russia.

RomCom resumes its activity in the Russian interest.

Dave Bittner: BlackBerry researchers find that the operators of the RomCom remote access Trojan have recently stepped up their activity against Ukrainian politicians, among other targets. The particular politicians targeted are working closely with western governments, and at least one U.S. organization involved in delivering relief to Ukrainian refugees was targeted, with a goal of information collection. BlackBerry writes that the threat actor behind the RomCom RAT appears to be actively interested in what western countries are doing to support Ukraine, what Ukraine is doing, and who the refugees are receiving help from in the United States.

Mt. Gox hacking indictment unsealed.

Dave Bittner: And finally, two Russian nationals were charged with the 2014 hack of the Mt. Gox cryptocurrency exchange, described by Coinbase as one of the biggest cryptocurrency heists in crypto history. An indictment from 2019 was unsealed last Friday detailing how the two hackers stole upwards of 647,000 Bitcoins from the exchange between 2011 and 2017. Once the funds were lifted, they were then laundered. Both alleged conspirators are being charged with conspiracy to commit money laundering, while one of them also faces a charge for operating an unlicensed money services business. And here in America they're regarded as innocent until proven guilty. So they've got that going for them.

Dave Bittner: Coming up after the break, Deepen Desai of Zscaler describes Nevada ransomware. Our guest is Clark Rodgers from Amazon Web Services with insights on what CISOs say to each other when no one else is listening. Stay with us.

Dave Bittner: The AWS re:Inforce conference is taking place this week in Anaheim, California. And the CyberWire is happy to be a media partner for the event. In anticipation of the conference, I spoke with Clark Rodgers, enterprise security strategist at Amazon Web Services, about a series of special events they host for CISOs, a gathering they call CISO Circles.

Clark Rodgers: The CISO role has evolved over the years. You know, my background, I'm a former CISO myself in the insurance and financial services industries. And have been at AWS now for about six and a half years. And I've had the opportunity to meet with over 750 customers, a large percentage of those being CISOs. And as I've seen the CISO role evolve over the years, you know, it used to be the sort of firefighter security professional. Right? So something bad happens. Here's the security person who's going to go take care of it. Right? There wasn't a lot of strategy behind it. There wasn't much programmatic thought around the security and compliance role in an organization. It's just we needed that function. And over the years I'm very happy to say that the CISO role has transitioned into a business leader. Right? Where security is viewed not as a have to have, but a must have as far as enabling the business to go faster, take more risks, really leaning into security as a strategic advantage. So as that role has evolved, you know, the education around, you know, security tooling and best practices and, you know, the top 10 lists of what you should and should not do as a security professional, those are all still important. But more often than not those are taken care of by security engineering teams or security operations center, whatever the case may be in the particular organization. And then the CISO, that role is really doing a few things. The CISO is translating the business needs to the security and development community. You know, here's the outcomes that we need to have. The CISO is reporting up. Right? So reporting to the board and saying, "Well, here's the risks that face the business. Here's the mitigants that I have in place. Here's the mitigants that we need to put in place." Right? To actually keep pace with what the business is trying to do. 
And then it's navigating and really much more of a business leader in the sense of the social cohesion around building that strong security culture throughout the organization. And that's where we see CISOs really focusing these days, in addition to their traditional sort of protection duties.

Dave Bittner: Now you and your colleagues at AWS have taken a role in hosting some events for CISOs to try to facilitate some of these conversations. Can you describe that for us?

Clark Rodgers: Certainly. The program itself is called the CISO Circles, or the AWS CISO Circles. And we started them around November of 2020. You know, that was prime pandemic time, so we wanted to make sure that we were developing a curriculum and a reason, and building the community, for CISOs to sort of get together and, quote, unquote, "talk shop." Right? So not so much the bits and the bytes, but more of what I was talking about earlier. Right? How do I get -- how do I build a strong security culture within my organization? How do I make sure executives care about it? What are some best practices on X, Y, and Z? So we developed these, and, you know, it's a global program today, broken down by region. And we'll typically have anywhere between 10 and 25 customer CISOs under NDA and Chatham House rule to speak freely about their security programs, and to engage with one another around what works, what doesn't, what some of the problems are that are facing them these days. And, you know, ideally some solutions. And we're really there to facilitate the conversation. It's a -- what I'll call a sort of no-sell zone. Right? So even though it's an AWS event, we don't have third parties sponsor it, so you don't have to listen to a spiel about the latest security tool from vendor X. We don't typically talk about AWS services unless it aligns with the topic that the CISOs actually want to talk about. So if it's a -- you know, if they want to discuss, you know, what are some best practices in logging, for example, we'll make sure that we have an expert to facilitate a discussion around that, you know, from an AWS perspective. Those types of topics tend to come up more often than not.

Dave Bittner: You know, you're deliberate about making this a safe space for them to have these types of conversations. I'm curious what sort of things come up when it comes to the challenges of the job itself.

Clark Rodgers: As I mentioned earlier, these are all under NDA, and they're also under Chatham House rule, which basically says you can learn from each other, you just can't attribute what someone said during the session. Right? So with those rules in place the CISOs feel very comfortable to say, you know, "I tried either product or process X. It didn't work." Right? Or, "I'm having struggles." Or, "I'm struggling with trying to get developers on board to care about security. Does anybody have any tips on how to do this?" There's no way, without that sort of safe space, any CISO would go in public and say something like that. This is their peer group. We purposefully mix these up by industry. Right? So it's not -- you're not going to have a room of financial services professionals together. You'll have a mix of maybe financial services, media and entertainment, retail, technology. They'll all be in the room together. And despite their industry differences, we find that they all typically have the same challenges and opportunities within their organization. Right? So it's around security education. It's staffing. Where am I going to find that next -- or where am I going to train that next great security professional for my team? What are some of you all doing to make sure that you're growing your security teams and growing these security influences throughout the organization? How are you aligning security outcomes with business outcomes? How do you budget? Again, what are some best tips for reporting to the board? One example from a CISO Circle we had last year that sort of sticks with me is one of the CISOs recommended that, you know, he looked up who was part of his board, and then found out what other boards they were on. He then reached out to the CISO at that other company, which actually happened to be a competitor, and they had a long discussion around how to best present security information to that particular board member.
And, you know, when you have -- when you have someone say something like that, you sort of look around the room and you see these other CISOs, you know, writing down feverishly that, hey, you know, that's a great idea. That's not something I've thought about before. So it's really great to really be able to facilitate these discussions. And we just sort of really stand back and just sort of make sure, you know, that the venue is there. We'll MC it and make sure that the topics that are covered are covered to the degree that the CISOs want. And then we also do follow ups with them to say, "What else would -- what are you interested in? What's top of mind?" And, you know, "What can we bring to the next CISO's room?"

Dave Bittner: That's Clark Rodgers from Amazon Web Services. The AWS re:Inforce conference is taking place this week in Anaheim, California.

Dave Bittner: And joining me once again is Deepen Desai. He is the global CISO and head of security research and operations at Zscaler. Deepen, it is always a pleasure to welcome you back to the show. I want to talk to you today about Nevada ransomware. I know this is something you and your colleagues there at Zscaler have had an eye on. What do we need to know about this?

Deepen Desai: Yeah. Thank you, Dave. So Zscaler ThreatLabZ tracks various ransomware families, and the goal is to make sure we add detection intelligence into our platform, protect our customers, and then also help the community, where we collaborate with CERTs, ISACs, agencies, in order to make sure we do our part in fighting against these ransomware groups. So as part of that tracking operation we came across a new variant of the Nokoyawa ransomware family. And this is not the first variant. We have seen a couple of others in the past. So one called Karma and then another called Nemty ransomware. These are all variants of Nokoyawa. The original version of Nokoyawa ransomware was introduced just almost a year back. It was in fact 2022. And it was written in the C programming language. They were using file encryption ciphers like elliptic curve cryptography with sect233r1. Right? And then the most recent variant that I'm about to talk about is Nevada ransomware, which was observed in December of 2022. And a unique part is that it was advertised in criminal forums as part of a new ransomware-as-a-service affiliate program.

Dave Bittner: And what sets it apart from any other previous versions here?

Deepen Desai: So this specific variant is written in the Rust programming language, with support for Linux and also 64-bit versions of Windows. It does have significant code similarities, though, with Nokoyawa ransomware, including things like debug strings, command line arguments. Even the encryption algorithm is similar, but it's written in an entirely new language. And then, as I mentioned, this has also been offered as a ransomware-as-a-service affiliate program, which means all the grunt work is already done. Right? And you could just subscribe to it and then you have payload and infrastructure ready to target your victim. The group behind this, though, the Nokoyawa ransomware group, what we're seeing is there are almost two parallel code branches, and each of them written in different programming languages. Potentially to confuse researchers, evade detection, and then also maybe they're taking a look at which one is turning out to be more successful in some of these campaigns and attacks that they're launching in the wild.

Dave Bittner: What are you tracking in terms of proliferation here? How -- how popular is this?

Deepen Desai: This one is not very prevalent. I mean there are many other ransomware groups out there like Clop. You know, Black Basta. I mean those are much more prevalent than this one, but this is yet another group which we -- which we saw come to the scene in December. Has some unique things that we talked about. And yeah. It's something to keep an eye out for for future developments as well.

Dave Bittner: And in terms of preventing yourself from falling victim to this, I suppose the usual -- the usual rules apply here?

Deepen Desai: Yes. The usual rules apply. You have to be cautious about clicking on those links that arrive. You know, things like Office documents. More recently we're seeing a lot of OneNote documents being leveraged by Qakbot, Emotet groups. That's the stage one of many of the ransomware attacks that you see out there, and they start with Qakbot. They will then have post-exploitation tools downloaded, which will then lead to these ransomware families being planted on the victim organization. Another concerning trend we're seeing in the ransomware threat landscape is many of these groups -- when I say many of them, we know at least four to five of them -- where they're not encrypting the files on the victim's machine. What they're doing is they will exfiltrate tons and tons of data. And I'm talking about terabytes of data in many of the victims that we're tracking. And they will literally work with the victim to say, "Hey, we don't want you guys to be in the public news, and we don't want our group to be in the public news either. It's a bad situation for both of us. So pay the ransom. We have all the data. We didn't bring down your infrastructure so that you don't get any kind of negative press, any kind of attention." So they're all trying to stay under the radar. And -- and that's -- that's definitely concerning, because now you will not know how many actual attacks are also happening out there. And so this basically makes that whole notion of making sure you have a consistent security policy, the zero trust architecture implementation, making sure anything that leaves your environment goes through an inline DLP solution with SSL inspection, very, very important, because once they have your data, they're going to demand ransom.

Dave Bittner: All right. Well, word to the wise, Deepen Desai, thank you for joining us.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by Rachel Gelfand. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.