The CyberWire Daily Podcast 6.16.23
Ep 1846 | 6.16.23

The Cl0p gang moves its way into US government systems. It’ll take multiple showers to rinse out Shampoo malware. Hybrid war update. Arrests and indictments.

Transcript

Dave Bittner: The U.S. government discloses exploitations of MOVEit vulnerabilities, and the Department of Energy is targeted by the Cl0p gang. CISA releases an updated advisory for Telerik vulnerabilities affecting government servers. Shampoo malware emerges with multiple persistence mechanisms. How the IT Army of Ukraine can exemplify a cyber auxiliary. Russophone gamers are being targeted with ransomware. An alleged LockBit operator has been arrested. Our guest is Will Markow from Lightcast, speaking with Simone Petrella about data-driven strategic workforce decisions. The FBI's Deputy Assistant Director for Cyber, Cynthia Kaiser, joins us with cybercriminal trends and recent successes. And a federal grand jury indicts the alleged Discord Paper leaker.

Dave Bittner: I'm Dave Bittner with your CyberWire intel briefing for Friday, June 16th, 2023.

US Government discloses exploitation of MOVEit instances.

Dave Bittner: As Friday begins, so do announcements of compromise. The latest victims are United States government agencies compromised via the MOVEit file transfer vulnerability. U.S. Cybersecurity and Infrastructure Agency director Jen Easterly disclosed in a press briefing yesterday that several U.S. government agencies were compromised by the Cl0p ransomware gang via the recently disclosed MOVEit file transfer vulnerability, The Register reports. Easterly said that the agency is working closely with Progress Software and federal partners. Easterly added, we are not aware of Cl0p actors threatening to extort or release any data stolen from government agencies. Although we are very concerned about this, we're working on it with urgency. This is not a campaign like SolarWinds that presents a systemic risk to our national security or our nation's network. She noted that the threat actors are only stealing information that is specifically stored on your file transfer application at the precise time that the intrusion occurred.

US Department of Energy affected by Cl0p exploitation of MOVEit Transfer.

Dave Bittner: The U.S. Department of Energy is among the compromised agencies impacted by the MOVEit vulnerability. A department spokesperson told The Register that the department took steps for prevention of further exposure and notified CISA. Federal News Network says the two compromised DOE entities are Oak Ridge Associated Universities and the Waste Isolation Pilot Plant in New Mexico.

CISA and other agencies release updated advisory for Telerik vulnerabilities affecting Government IIS servers. 

Dave Bittner: CISA, with support from the FBI and the Multi-State Information Sharing and Analysis Center, the MS-ISAC, released an updated Cybersecurity Advisory (CSA) regarding the Telerik vulnerability. The original CSA reported indicators of compromise in a federal civilian executive branch agency. Multiple threat actors and at least one APT were able to exploit a vulnerability in the Progress Telerik user interface. The updated report shares that forensic analysis at another FCEB agency identified more indicators of compromise by an unattributed APT, which exploited the Telerik RadControls cryptographic weakness, which was rated as critical on the CVSS scale. The vulnerability, as described by Telerik, can lead to cross-site scripting attacks, leak of machine key, compromise of the ASP.NET ViewState, and arbitrary file uploads and downloads. The agencies recommend patching all software, prioritizing fixes to the Known Exploited Vulnerabilities catalog.

Shampoo, a new ChromeLoader-esque malware campaign with multiple persistence mechanisms. 

Dave Bittner: Researchers say the newly detected persistent malware being called Shampoo may take multiple showers to rinse from your system. HP's Wolf Security reports a newly detected malicious ChromeLoader-like malware campaign they're calling Shampoo. The researchers describe ChromeLoader as a family of Google Chrome browser extension malware first analyzed in early 2022 by security researchers with a goal of installation of a malicious extension in Google Chrome, used for advertising. The infection chain starts when a user downloads an ISO file from a malicious website. That in turn initiates the download of a VBScript, which eventually downloads the malicious browser extension. After installation, the malware monitors the victim's searches and injects advertisements in their browser. The Shampoo malware is very difficult for a user to get rid of, as it's said to have multiple persistence mechanisms. One such mechanism is a built-in installation script that repeats every 35 to 75 minutes. Shampoo differs from a standard ChromeLoader by adding some additional counter-security features like encryption of locally-stored files and by its use of VBScript instead of an ISO file for initial infection.

Recent activity by Russian cyber auxiliaries.

Dave Bittner: Dutch media have attributed last week's distributed denial of service attacks against the websites of the Rotterdam and Groningen seaports to Russian hacktivists, specifically to NoName057(16).

The IT Army of Ukraine as an example of a cyber auxiliary.

Dave Bittner: The IT Army of Ukraine, an acknowledged hacktivist auxiliary working against Russian targets in loose concert with Ukraine's government, offers an unusually transparent example of offensive cyber operations, hacktivism, and the mobilization of a cyber auxiliary. Lawfare summarizes some of the key features of the group's performance during Russia's war. It's demonstrated the ability to conduct sabotage, denial of service, doxing, and defacement. It crowdsources its operations over Telegram, and its targeting has been opportunistic but selective. The transparency of the IT Army's operations and relations with the Ukrainian government is relative. Kyiv has maintained that the IT Army coordinates only with civilian government agencies, not military or intelligence services, but it's clear that some coordination occurs with military and intelligence organizations. Some of that cooperation is done for deconfliction, some to receive direction, and in a few cases, for direct combat support.

Influence operations in the current phases of Russia's war.

Dave Bittner: The IT Army of Ukraine also uses its Telegram channel to post news and opinions selected to influence its followers' views of the war. Russia has also mobilized social media to push its own narratives, most recently the narrative that Ukraine's counteroffensive has failed. That particular view seems not only false, as well as being, in any case, grossly premature, but it also appears to have gained little traction, according to the Atlantic Council's DFRLab monitoring. Some of the posts that failed to gain significant virality are associated with mrkim.com, to use his screen name. Mister dot-com's motivation in serving the Russian agents as a useful idiot is unclear.

Russophone gamers hit with ransomware.

Dave Bittner: Cyble Research and Intelligence Labs this week reported a ransomware campaign against Russian-speaking gamers playing the first-person shooter multiplayer game Enlisted. The attackers, who remain unknown for the time being, use a ransomware they're calling WannaCry 3.0. It is, however, unrelated to the genuine WannaCry, released in 2017.

Alleged LockBit operator arrested.

Dave Bittner: We close with two bits of news from the courts. In the first, CyberScoop reports that a 20-year-old Russian national has been arrested on charges of involvement with the LockBit ransomware gang. Ruslan Magomedovich Astamirov was taken into custody on Wednesday in Arizona, according to a criminal complaint. The charges identify the Chechnya native, Mr. Astamirov, as perpetrating at least five attacks against United States, Asia, Europe, and Africa-based victims between August 2020 and March 2023, The Record reports. His charges include conspiracy to transmit ransom demands, commit wire fraud, and intentionally damage protected computers. BleepingComputer highlights the fact that this is the third affiliate of LockBit charged by the U.S. Department of Justice within the last seven months.

Federal grand jury indicts alleged Discord Papers leaker.

Dave Bittner: And in the second bit of courthouse news, Massachusetts Air National Guardsman Jack Teixeira has been indicted on felony charges involving leaks of classified military documents on Discord. The AP reports that Mr. Teixeira faces six counts of willful retention and transmission of national defense information. The investigation into the leak began in April after classified U.S. intelligence was seen circulating in social media. The former airman's position in the guard gave him a top secret clearance, which allowed him to access sensitive information. Newsweek writes that he was subsequently identified by investigators and accused of sharing hundreds of pages of sensitive information on a Discord server. A conviction could mean 10 years in prison and a $250,000 fine for each count of willful transmission of classified information. The Guardian quotes U.S. attorney general Merrick Garland in the case, who said that Teixeira is charged with sharing information with users on a social media platform he knew were not entitled to receive it. In doing so, he is alleged to have violated U.S. law and endangered our national security.

Dave Bittner: Coming up after the break, the FBI's Deputy Assistant Director for Cyber, Cynthia Kaiser, joins us with cybercriminal trends and recent successes. Our guest is Will Markow from Lightcast, speaking with Simone Petrella about data-driven strategic workforce decisions. Stay with us.

Dave Bittner: There's a strange mix of forces at play in the cybersecurity workforce. Many companies are hiring, some companies are experiencing layoffs, and yet overall, there's still a sense that there are many open positions out there waiting to be filled. Which is all to say, it's more important than ever for managers to take an evidence-based approach to hiring and retention. Will Markow is VP of Applied Research and Talent at Lightcast. My N2K colleague, Simone Petrella, spoke with him about using data to make strategic workforce decisions.

Simone Petrella: So, you know, we've talked about this in the past and certainly have very similar viewpoints on how organizations and companies can take a more strategic perspective on how to think about the cybersecurity workforce shortage, how to actually identify and make good decisions based on what they need to do. What are some of the common misperceptions that you view your clients, people that you work with having about this particular topic?

Will Markow: Great question, and I think there are a few misperceptions that are pretty common in the market. First misperception is that it is just a skills gap. And I think there definitely is a skills gap in cybersecurity, and we can talk about that a little bit later, but I think that there's also an expectations gap that a lot of employers don't realize that they are contributing to some of the hiring challenges that they have by asking for certain credentials or certifications or skillsets that may or may not be important in the roles that they're asking them for. So I'll give you a concrete example which we see more often than you would think, is that take a CISSP. This is a certification, which is a great certification, and it has its place, and it's important for people who are more advanced in their careers to consider getting a CISSP. But we see a lot of employers asking for a CISSP, which requires a minimum of five years of prior work experience to qualify for a full CISSP, asking for this credential along with no more than two years of prior work experience, and it's impossible to have the two. And the hiring managers, it's not their fault. They know what a CISSP is, they know you have to have five years of work experience, but there's something in the internal process and the communication between the hiring manager and the HR team building that job requisition that results in a disconnect. And so I think that one big misperception is that either it's just a skills gap, or it's just an expectations gap, or hiring managers don't know what they're asking for. The reality is, hiring managers know what they're asking for. The reality is there are people out there who could fill some of these jobs, but there is a breakdown in communication in that process of building those job requisitions. So that creates that expectations gap. That said, I also hear a lot of people saying, oh wait, there is no skills gap. What are we talking about?
And that's also not true. There also is a deficit of workers. When we look across the cybersecurity workforce, we see that we only have about two thirds of the workers we need to fill all of the jobs that employers are demanding. So that effectively means we're stepping onto the cyber battlefield missing a third of our army. So there is also a talent shortage, there is also a skills gap, and I think anybody who says it's just one or the other is contributing to some of the misperceptions in the market and is contributing to some of the information gaps that are exacerbating some of the talent gaps and the expectation gaps in the field.

Simone Petrella: Yeah. I can totally see where that comes into play. I know we've seen that ourselves in the expectation gap. What is your recommendation? How do you propose that we kind of solve that expectation gap, since job reqs are one of those interesting areas where it's in the domain of HR but the hiring managers do it. How do we improve that process?

Will Markow: So the first thing that you need to do, which I think you started to touch upon, is you need to break down silos. If you're in the cybersecurity world, if you're a CISO or a cybersecurity manager, you need to view HR as your friend and partner, not your rival, which I think is the culture in a lot of organizations. HR is also trying to work with cybersecurity managers to get the best job requisitions out there, and you need to figure out how can you work together in a more collaborative fashion. And I tell this to HR folks all the time as well, is that one of the first things you need to think about when building a job requisition is how is this supporting the stakeholders that it most needs to support, and how is it driving business value within your company? So the first thing you need to do, be collaborative. Second thing you need to do is you really need to define what is it that this person in this role needs to do? Not just a job title level, but at the underlying skill level. A lot of people call this skills-based hiring, which is a very amorphous term, and it means a little bit of one thing to one person, something different to someone else, so sometimes I stay away from that nomenclature, but it really is a manifestation of skills-based hiring is understanding and inventorying what are the skills associated with each role within your team so that you can build your job requisition around those skills that people need, not just the credentials or degree requirements that people have used as imperfect proxies for those skills. And once you do that, you can then start to figure out, okay, which skills are going to be most critical to include in the job requisition when we're going out and hiring for people versus when we're training those people internally, and which of those skills are need-to-haves versus nice-to-haves when somebody's walking through the door? I'll give you a concrete example of this in practice. 
There's a financial services company we worked with that was trying to right-size some of its job descriptions around the skills, not the credentials, not the certifications that were most important for proficiency in that role. And they were able to identify a few things that they could just take out, like a bachelor's degree requirement or a certification requirement or some emerging skills that were really nice-to-haves and not need-to-haves, and by just making a few simple tweaks to their job descriptions, they were able to reduce the average hiring cost by over $10,000 per hire, and they were able to expand their candidate pool by over 60%. So sometimes just making those slight tweaks to the skills you're asking for and the credentials you're asking for can have huge benefits to companies when they go out and hire for cybersecurity workers.

Dave Bittner: That's Will Markow from Lightcast, speaking with N2K President Simone Petrella. You can hear an extended version of this conversation on our website.

Dave Bittner: I am pleased to welcome back to the show Cynthia Kaiser. She is Deputy Assistant Director for Cyber at the FBI. Director Kaiser, it's great to have you back. I want to touch today on some of the cybercriminal trends that you and your colleagues there at the FBI are tracking. And you all have had some successes recently as well. What can you share with us today?

Cynthia Kaiser: Great, and once again, thanks for having me. Now, I think most people are tracking how pervasive the cybercriminal threat is, and I think really the state of cybercrime is this interconnected, state-protected, and callous about the impacts of their actions as long as they continue to make enough money along the way. And you know, they represent really a loose international network of actors who seek to exploit vulnerabilities, and they're wickedly opportunistic. They once targeted individuals and small businesses, but in recent years they've pivoted to these high-value targets including critical infrastructure, especially targets that can't afford downtime, that need to be able to have their operations. So you know, they're targeting hospitals and schools, I mean this is just the lowest of the low. So when we're looking at, like, we're looking at this landscape and looking at, you know, how are we, how are we going to really tackle this to have an impact? We don't want to play whack-a-mole. We want to make sure that we're having this broad impact that tightens the net around cybercriminal actors. And part of that has been looking at the key services that they're using. So we know across the cybercriminal ecosystem there are main groups, entities, services, just like an economy. It's a marketplace. And they need places that help them cash out money or exchange money or buy tools, and there's not a huge amount of those. You know, we had a lot of different cybercriminals going to the same places. So what our strategy's been is to look at those places that are facilitators of cybercrimes so that we can have a broader impact.

Dave Bittner: So really focusing on some of those bottlenecks there. Can you give some examples where you and your colleagues have had some success?

Cynthia Kaiser: Great, yeah. So recently we've been able to, with international partners as well, and our U.S. government partners, take down a number of key services. That includes ChipMixer, which was a, you know, major mixing service for cryptocurrency, and that was used by, you know, multiple different sets of actors, not just multiple ransomware actors, multiple nation-state actors as well. We've had targets against, you know, the back end of major ransomware variants, and I call that a key service because in the ransomware ecosystem, it's an affiliate model, so people are going and you know, they're an affiliate and they're going to, say they deploy four different types of ransomware. So they go find the developers, they take the developers, and everyone shares the profit. If we can ensure that kind of backend is either monitored, we provide decryption keys, or then we just take it down, that provides us an ability to hamper those cybercriminal operations.

Dave Bittner: I'm curious, as you all are monitoring the communications of these actors on those online, you know, dark web forums that we hear about. Do you see your efforts being described there? Is it a factor of discouragement? Are they talking about the types of things that you all are up there, or that you all are up to, to try to thwart them?

Cynthia Kaiser: I hope so. That's kind of the point.

Dave Bittner: Fair enough.

Cynthia Kaiser: I mean, we want cybercriminals to know that we're over their shoulder, we're watching what they're doing, and we're waiting for the opportune time to be able to take down their operations, to hamper them, to ensure that we're keeping America safe.

Dave Bittner: And how about partnering with industry here. What part do they have to play in keeping those lines of communication open?

Cynthia Kaiser: Such a huge part. So, and then there's so many different levels of industry that we partner with. So there's the targeted entities or victims, so the businesses that are being targeted by cybercriminals. Partnering with them and ensuring that we're able to share information, so if they're targeted they don't get compromised, or help provide them not only remediation, advice, or just peace of mind after an incident, but justice, like justice for the crimes that were perpetrated against them. So that partnership is so critical and so key. But there's also layers of industry where, with the, say, cybersecurity firms or even the outside counsel that companies may have, may be working with so that they can ensure that they're doing everything that they need to do from their own end, to managed service providers. There's so many different levels of industry that are important for us to partner with in terms of being able to help. Because in the end, like, for over 100 years we've been a victim-centered organization, and so our partnership either at the operational partnership level, so how do we work with industry to help mitigate this, to the, we're actually supporting the, you know, we're supporting these victims or we're stopping people from becoming victims. That's just the most important thing to FBI.

Dave Bittner: You mentioned international partners as well. Can we touch on that? I mean, to what degree does the FBI take a role of global leadership here?

Cynthia Kaiser: The FBI is a global leader in cybercrime investigations and imposing risks and consequences on those cyber actors, and we take that role really seriously. We have over 16 cyber assistant legal attaches who are deployed across the world, in embassies across the world, and those assistant legal attaches do a few things. One is capacity build, and that's not necessarily like, you know, general cybersecurity advice. That's how do you run a cybercriminal investigation? And you know, then they also facilitate those operations. So we don't care if we arrest them in the U.S. or bring them back to the U.S. We care that these cybercriminals are offline. So if it is more advantageous or easier to ensure that another country's able to provide these consequences, we're there. We're there to be those partners. And then finally, we've also, in a few instances, been able to deploy to our international partners. And I think Albania's a great example of that, where when the Albanian government was attacked by Iranian cyber actors, the FBI was there within days to help them. Within, I think a little over a week, we sent an entire cyber action team, the same kind of team, technical team we might send to assist a U.S. victim, because they're an ally, and they asked, and we answered. And we know that cyber threats have no borders, so we can't keep it contained to the U.S. The help we give our allies helps American citizens as well.

Dave Bittner: Cynthia Kaiser is Deputy Assistant Director for Cyber at the FBI. Cynthia, thank you so much for joining us.

Cynthia Kaiser: Thank you.

Dave Bittner: And that's the CyberWire for Friday, June 16th. I would like to remind you all that this coming Monday is the U.S. federal holiday of Juneteenth, and we won't run our daily podcast then. We'll be back as usual on Tuesday. In the meantime, enjoy Juneteenth. Be sure to check out this weekend's "Research Saturday" and my conversation with Johannes Ullrich from the SANS Technology Institute. We're discussing machine learning risks, attacks against Apache NiFi. That's "Research Saturday", check it out. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by Rachel Gelfand. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.