CISA's new Binding Operational Directive. “CosmicEnergy” tool doesn’t pose a cosmic threat. Hackers’ homage to fromage in attacks against the Swiss government. Industry advice for the White House.

Dave Bittner: CISA issues a new Binding Operational Directive. An update on CosmicEnergy. Hackers' homage to fromage in attacks against the Swiss government. Ukraine's Cyber Police shut down a pro-Russian bot farm. Clothing and footwear retailers see impersonation and online fraud. A 2021 ransomware attack contributed to a hospital closing. A proof-of-concept exploit of patched MOVEit vulnerabilities. An industry letter calls for a new framework on the White House cybersecurity strategy. Joe Carrigan examines a ChatGPT-fueled phishing scam. Our guest is Neha Rungta, Applied Science Director at AWS Identity discussing Amazon Verified Permissions. And trends in cyber risks for small and medium businesses.

Dave Bittner: I'm Dave Bittner with your CyberWire intel briefing for Tuesday, June 13th, 2023.

CISA issues Binding Operational Directive 23-02.

Dave Bittner: We begin with some news from CISA, the U.S. Cybersecurity and Infrastructure Security Agency. The Agency this morning issued Binding Operational Directive 23-02. The directive requires federal civilian executive agencies to remove specific networked management interfaces from the public-facing internet, or implement zero trust solutions within two weeks. The directive's intent is to reduce the attack surface that misconfigured or otherwise insecure management interfaces present to potential adversaries.

An update on CosmicEnergy: it’s "not an immediate threat."

Dave Bittner: Researchers at Mandiant last May announced discovery of new malware they've coined "CosmicEnergy" that appeared to have potentially been designed to disrupt electrical distribution and associated critical infrastructure. Mandiant was cautious in its assessment and said that CosmicEnergy may, in fact, have been a Russian red teaming tool used in exercises to simulate an electric infrastructure attack. Yesterday, Dragos released some reassuring conclusions from its own research. CosmicEnergy is not related to either Industroyer or CrashOverride, two known threats to infrastructure. Dragos finds that the malware is nonfunctional in several respects and isn't, as it stands, a threat.

Swiss government discloses widespread ransomware attack.

Dave Bittner: Much like the nation's famed cheese, hackers have poked holes in the Swiss government's IT infrastructure in a ransomware attack against IT firm Xplain. The recent ransomware attack on Xplain may have caused the exposure of Swiss government operational data, The Record reports. Xplain and IT providers serving a multitude of Switzerland's federal agencies was victimized in a May 23rd ransomware attack that saw the leakage of 907 gigabytes of stolen files on the first of this month. The files are said to include sensitive data, including financial and taxation information, BleepingComputer reports. The Play Ransomware gang has been cited as the perpetrator of the attack by Xplain. The nation's cybersecurity center and law enforcement were notified and are aiding in the investigation of the attack. "Switzerland's federal agencies have also been targets of DDoS claimed by pro Russian hacktivist gang, NoName, that rendered the websites of multiple Swiss governmental agencies and state-affiliated companies inaccessible yesterday," writes Infosecurity Magazine. A press release from the Swiss government portal says that measures are in place to restore access to the sites and applications after the agency quickly caught on to the attack.

Ukraine's Cyber Police shut down a pro-Russian bot farm.

Dave Bittner: Ukraine's Cyber Police on Monday announced the arrest of three bot farmers who are operating from a garage in the west-central Ukranian city of Vinnytsia. They were engaged in automated disinformation distributed through inauthentic accounts they ran in the Russian interest. The Record reports that about 500 bogus accounts were created each day at the hands of these bot farmers and were used to disseminate pro-Russian propaganda and disinformation. Their motivation may have been primarily financial, as they received payments in Russian rubles of about the equivalent of $13,500 per month, presumably from Russian paymasters. The rubles, which are currently prohibited in Ukraine, were laundered through illicit payment services like WebMoney and Perfect Money, then converted to cryptocurrencies and loaded onto bank cards. The crew was also allegedly engaged in criminal fraud on various e-commerce platforms.

Brand impersonation online fraud.

Dave Bittner: Speaking of fraud, researchers at Bolster have observed a phishing campaign that's impersonating more than a hundred clothing and footwear brands, its direct fraud targeting online consumers. The impersonated brands include Nike, Puma, and Adidas, among others. The threat actors have used over 6,000 domains, more of half of which are still active. The researchers note that some of the scam sites appear prominently in Google search results.

A 2021 ransomware attack put a hospital under financial pressure that caused it to close.

Dave Bittner: St. Margaret's Health in Spring Valley, Illinois, is shuttering its operations, which they've blamed in large part on the fallout of a ransomware attack on their systems, NBC reports. Becker’s Hospital Review writes that the hospital's coming June 16th closure follows a 2021 ransomware attack that rendered St. Margaret's unable to submit claims to payers. Not only did the claim information not get submitted, but the systems were down for at least fourteen weeks and required months of catch-up and recovery. The financial pressure this induced wound up being a factor in its closure, said Vice President of Quality and Community Services at the hospital, Linda Burt. The health system also ended operations at a Peru, Illinois-based facility in January.

Industry letter on the White House cybersecurity strategy.

Dave Bittner: Industry leaders are calling for a new framework for the U.S. National Cybersecurity strategy as the signatories believe that issues surrounding identity were not adequately addressed in the existing form of the cyber strategy. The CyberWire received a copy of the letter, whose signatures include the American Bankers' Association and the Better Identity Coalition, among others. The groups advocate enhanced protections against identity-related cyber crime. Their recommendations include launching a taskforce dedicated to accelerated development of tools to guard against identity crimes and documentation of the budget savings achieved when digital identity infrastructure and tools are implemented. Also suggested was a prioritization of the National Institute of Standards and Technology's identity and attribute validation services with the end goal of a digital identity framework encompassing standards and best practices for identity security.

Cyber risk trends for small and medium businesses.

Dave Bittner: And, finally, researchers at BlackFog have determined that 61% of small and medium businesses have sustained a successful cyber attack in the past twelve months. Organizations were said to see around five successful breaches or attacks on average with business downtime as the primary business impact of cyber attacks affecting 58% of those surveyed. The researchers write that the successful attacks also negatively impacted customer trust and retention, with a third of all respondents reporting that the incidents resulted in the loss of customers.

Dave Bittner: Coming up after the break, Joe Carrigan examines a ChatGPT-fueled phishing scam. Our guest is Neha Rungta, Applied Science Director at AWS Identity, discussing Amazon Verified Permissions. Stay with us.

Dave Bittner: As we noted on yesterday's program, the AWS re:Inforce Conference is taking place this week in Anaheim, California, and the CyberWire is happy to be a media partner for the event. A highlighted announcement at the event is the general availability launch of Amazon Verified Permissions, a scalable permissions management and fine-grained authorization service for building applications. For details on the launch and why it matters, I spoke with Nega Rungta, Applied Science Director at AWS Identity.

Neha Rungta: Amazon Verified Permissions is a permissions management and authorization service for a wide range of applications, including healthcare applications, banking applications, productivity apps, a dog-walking app, anything you can think of. And it empowers developers to centralize their permissions management by decoupling their authorization logic from their business logic. And Verified Permissions uses the Cedar policy language. It's an in-house authorization language that we developed at AWS and open sourced last month at the Open Source Summit.

Dave Bittner: Well, let's dig into some of the specifics here. I mean, first of all, can you give us an example of a typical use case?

Neha Rungta: Imagine you are a developer of a banking application and you want to provide your CFO the ability to define which employees can access what company bank accounts under what circumstances. And, for that, you want consistency, scalability, and security. So before talking about what Amazon Verified Permissions gives you, I'll talk a little bit about what happens today. As a developer, you often end up adding authorization logic within the application logic itself. Now if the banking application needs a mobile version, you'll have to go copy all the authorization logic from the original version. And oftentimes these systems won't be even implemented in the same programming language. Verified Permissions makes it easy. It decouples the permissions from the application logic. After this consistency comes scalability. The challenge with homegrown permissions management systems is often they run into scaling challenges. So when an application is designed, you can imagine there is a few hundred users, a few thousand permissions. And if it's a U.S. bank that is now expanding its business in Europe and Asia, you'll have a lot more users, a lot more permissions that are governed by the regulatory requirements in these regions, and that's what we have a lot of experience in AWS -- running authorization at scale. So we leverage our lessons in AWS to provide a scalable authorization solution. Access requests are evaluated within milliseconds and, as other AWS services, it does scale with the application. And, finally, here's how it will help with security. Today, the security administrators would have to reconcile permissions across many different permission systems. And that's hard. It can lead to blind spots. Verified Permissions provides security administrators essentially an ability to centralize governance and auditing, to be able to track who can do what. So with Verified Permissions, customers get consistency, scalability, and security.

Dave Bittner: So one of the things that you have noted here in the development of this is -- is this notion of automated reasoning, which is a technology you and your colleagues there at Amazon use. Can you describe that for us? What part does that play?

Neha Rungta: So automated reasoning is the use of mathematical logic to solve customer problems. In automated reasoning, you use a set of specialized facts about a particular domain. An example is the rules of access control in AWS or the rules of network configurations in VPCs. What automated reasoning does is it combines the facts with configurations to derive new facts, and it has covered features such as Amazon S3 Block Public Access. It tells you, with certainty, is this S3 bucket public? And the differentiation there is the results are verifiable. There is no guessing or probabilities. It is computing the result from a fact. It is explainable. Why is this bucket public? And we have leveraged the same techniques in the development of Amazon Verified Permissions. I talked a bit about -- it uses a custom authorization language, Cedar. And to raise the assurance in the correctness and security of Cedar, we follow a new verification-guided development process. In this process, we formally model the authorization rules of Cedar and automatically prove the correctness of properties, such as a forbid statement will always trump a permit statement. And that's where automated reasoning comes into play. And now that we've proved the correctness of the model, we use a technique called "differential random testing" to ensure that the behaviors in the model match those of the implementation.

Dave Bittner: You know, zero trust is -- is certainly a hot topic in the industry now. How does this all intersect with that?

Neha Rungta: Zero trust is all about continuous, dynamic, and consistent authorization. And with Verified Permissions, it's easy to do that. You can specify fine-grained permissions to say only healthy device posture -- with Verified Permissions now it is easy to specify permissions such as grant access only if access requests are coming from healthy device posture. And those types of flexibility and dynamic information, that is easy for everyone to use each one of the applications. And that's why we believe Verified Permissions is a key to enabling zero trust across all aspects of your application development.

Dave Bittner: You mentioned Cedar, the open source language and SDK. Why was it important for you all to make that open source?

Neha Rungta: We want to democratize security. And part -- access control is part of that. So we looked at a lot of different options and we wanted an authorization language that is secure by design. It is secure, it is fast, and easy to use. With us open sourcing Cedar, we want to build a community around access management for folks to see this is how we're doing the development. We want them to contribute, and for it to become essentially a standard for how we do authorization across multiple different types of applications.

Dave Bittner: That's Neha Rungta, Applied Science Director at AWS Identity.

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, and also my co-host over on the "Hacking Humans" podcast. Joe, welcome back.

Joe Carrigan: Hi, Dave.

Dave Bittner: So caught my eye over -- from the folks at INKY. This is posted by Alison Rusk. This is about a phishing scam which, of course, is something we talk about all the time over on "Hacking Humans," combines some phishing and some ChatGPT. Can you unpack what's going on here, Joe?

Joe Carrigan: Right. So actually it's victimizing ChatGPT and OpenAI --

Dave Bittner: Hmm.

Joe Carrigan: -- in -- by impersonating their brand. Now we've talked on "Hacking Humans" how these guys have calendars and follow the news and everything.

Dave Bittner: Right.

Joe Carrigan: So they've seen that ChatGPT has gotten enormously popular. If you think about that, when did they launch it? They launched it in, like --

Dave Bittner: Hmm, six months ago? Something like that?

Joe Carrigan: Yeah.

Dave Bittner: Yeah. Yeah.

Joe Carrigan: By March of 2023 is when they had -- so three months ago -- they had a billion users --

Dave Bittner: Right.

Joe Carrigan: -- explosive growth. Well, the scammers have noticed that. And what they've done is they're using brand impersonation to impersonate ChatGPT by send -- or OpenAI -- by sending out emails that look exactly like the emails that get sent out when you sign up for a ChatGPT account that say verify your email address.

Dave Bittner: Okay.

Joe Carrigan: However, they're also saying -- or configuring these emails to look like they're coming from the person's IT department.

Dave Bittner: Hmm.

Joe Carrigan: So if I know your email address, I know what company you're from.

Dave Bittner: Right.

Joe Carrigan: Probably put something together that looks like it comes from your IT department.

Dave Bittner: Okay.

Joe Carrigan: And a lot of corporations are starting to use ChatGPT --

Dave Bittner: Right.

Joe Carrigan: -- as corporate customers. So they're -- they're saying -- they're sending these emails out and they're trying to harvest credentials with this. So what they do is they send an email out that is using something called the Interplanetary File System --

Dave Bittner: Okay.

Joe Carrigan: -- which is a distributed file system for sharing files, but it also allows you to host web pages on it.

Dave Bittner: Hmm.

Joe Carrigan: So it's really hard to take these phishing sites down.

Dave Bittner: 'Cause it's a peer-to-peer system.

Joe Carrigan: It's a peer-to-peer system -- exactly.

Dave Bittner: Right.

Joe Carrigan: I can take down one node, take -- take the stuff off of one node. It's gone off that node, but it still exists on the network so somebody can still find it.

Dave Bittner: Okay.

Joe Carrigan: So that's the first problem. The next thing is that the email of the user is encoded in the URLs of the -- or is included in the URLs -- the query string of the URL.

Dave Bittner: Huh!

Joe Carrigan: So a couple weeks ago I was talking about putting an @ sign in a URL. If you put that in the server section of the URL, everything before the @ sign gets ignored.

Dave Bittner: Right.

Joe Carrigan: But if you put it in the query string or after the resource name, it's fine to have an @ symbol in there.

Dave Bittner: Okay.

Joe Carrigan: So these RFCs and all the way things happen, they're -- they're convoluted.

Dave Bittner: Yeah.

Joe Carrigan: So there's all these different ways you can hide stuff in -- in there. But when -- if I'm the malicious actor, I can say, okay, well, what's this guy's email address that I'm supposed to -- that I'm trying to catch credentials for?

Dave Bittner: Yeah.

Joe Carrigan: So, depending on their domain, I can have them -- I can have them see a page that looks exactly like their login page for their -- their corporation.

Dave Bittner: Oh!

Joe Carrigan: And that's what's happening is this -- this one phishing kit is impersonating tons of different corporations.

Dave Bittner: Huh!

Joe Carrigan: And when people see it, they are -- they're asked to login with their credentials. Now the URL does not look anything like the real URL --

Dave Bittner: Okay.

Joe Carrigan: -- with the exception of the fact that it does have their email in it.

Dave Bittner: Right.

Joe Carrigan: So if they just look -- and that's the last argument. So if they just look at the end of the email, it will say -- like, INKY uses the example inky.com --

Dave Bittner: Yeah.

Joe Carrigan: -- and that will be at the end of the email.

Dave Bittner: Huh!

Joe Carrigan: So perhaps that contributes also to people filling this out. When you go to enter your password, it says "Login fail. Enter your password again."

Dave Bittner: Hmm.

Joe Carrigan: Right? So it's -- it's asking you to enter it twice so it can harvest it twice.

Dave Bittner: Hmm.

Joe Carrigan: There's all kinds of reasons you do that. Number one is you can validate the information is correct if they enter the same password twice.

Dave Bittner: Right.

Joe Carrigan: You don't want to let them enter a fake password. Maybe you want them to go, oh, okay, well, how do they know this isn't my password? Let me try my real password. Or, number two, if they do enter the password incorrectly the first time, you can get a second chance to get it. It just increases the accuracy --

Dave Bittner: Yeah.

Joe Carrigan: -- is all this does.

Dave Bittner: Huh.

Joe Carrigan: What happens after you enter your -- your email address and password on this site is -- actually, you don't have to enter your email. These hackers have kindly figured it out and put it in there for you.

Dave Bittner: Okay.

Joe Carrigan: So it's already there.

Dave Bittner: Right.

Joe Carrigan: Isn't that nice?

Dave Bittner: Yeah [laughing].

Joe Carrigan: These guys are really looking out for your best. Once you've entered your password twice, there's some Java script that changes the window dot location property by using the replace method.

Dave Bittner: Okay.

Joe Carrigan: So it actually takes the end of your email address and puts that in the www -- you know, puts a www on the front of it and calls window dot location dot replace which will replace the current URL or current location in your history.

Dave Bittner: Huh.

Joe Carrigan: So if you hit the back button, you can't go back to the phishing page --

Dave Bittner: Oh! Interesting.

Joe Carrigan: -- which is really cool. And it's out of your browser history.

Dave Bittner: Wow!

Joe Carrigan: So that artifact may not exist.

Dave Bittner: Huh!

Joe Carrigan: It will still be in any -- any place else it was logged --

Dave Bittner: Right.

Joe Carrigan: -- it won't be in the user's browser history.

Dave Bittner: So fairly sophisticated phishing campaign.

Joe Carrigan: Really sophisticated phishing -- I would say this is a very sophisticated phishing -- phishing campaign.

Dave Bittner: Yeah.

Joe Carrigan: INKY has some -- some best practices. They say carefully inspect the display name and the sender's email address. I don't know how reliable that is.

Dave Bittner: Yeah.

Joe Carrigan: The sender's email address is being spoofed here.

Dave Bittner: Right.

Joe Carrigan: Recipients should confirm with their employer if -- if they're requested to sign into a new system. That's a good idea.

Dave Bittner: Yeah!

Joe Carrigan: But that should be your policy.

Dave Bittner: Right. Right.

Joe Carrigan: Hover over links to see where it goes. That may or may not work -- here -- because if you see the end of the link, you're going to see that it says your company dot com.

Dave Bittner: Yeah.

Joe Carrigan: And you're going to go, okay, this looks legit.

Dave Bittner: It's a lot harder to do on mobile as well.

Joe Carrigan: Yeah! A lot harder to do on mobile.

Dave Bittner: Yeah.

Joe Carrigan: That's a big problem on mobile.

Dave Bittner: Yeah.

Joe Carrigan: My recommendation is just put in some kind of multi-factor authentication for everybody so that, if this does happen and the user enters a user name and password -- preferably a hardware-based multi-factor authentication --

Dave Bittner: Right.

Joe Carrigan: -- like something from the FIDO Alliance that you -- they can't -- they still can't get access because they don't have access to the hardware token.

Dave Bittner: Right.

Joe Carrigan: There's some -- been research from Google that shows that that they -- they distributed their Titan -- Google Titan -- which is a FIDO Alliance product or FIDO-compliant product --

Dave Bittner: Yeah.

Joe Carrigan: -- and they just stopped these phishing attacks from -- from leading to account compromise.

Dave Bittner: Right.

Joe Carrigan: It just -- and with thousands of users, they just stopped it.

Dave Bittner: Right. Yeah. Amazingly effective.

Joe Carrigan: Right.

Dave Bittner: Yeah. All right! Well, again, this is from the folks over at INKY. It's a blog post titled "Fresh Phish: ChatGPT Impersonation Fuels a Clever Phishing Scam." Joe Carrigan, thanks for explaining it to us.

Joe Carrigan: It's my pleasure, Dave.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our "Daily Briefing" at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly-changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's Strategic Workforce Intelligence optimizes the value of your biggest investment -- your people. We make you smarter about your team while making your team smarter. Learn more at N2K.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by Rachel Gelfand. Our Executive Editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.