The CyberWire Daily Podcast 6.29.23
Ep 1854 | 6.29.23

Something new, in ransomware. Notes on cyberespionage by the Lazarus Group and Charming Kitten. Security CI/CD operations. FINRA says hold the emojis. Dispatches from the hybrid war’s cyber front.

Transcript

Dave Bittner: 8base ransomware is overlooked and spiking. GuLoader targets law firms. Akira ransomware for Linux systems targets VMs. Kaspersky tracks the Lazarus group. Charming Kitten goes spearphishing. Securing continuous integration and continuous delivery operations. No emojis for the SEC, please. Unconfirmed reports say the Wagner Group hacked a Russian satellite communications provider. Our guest is Hanan Hibshi from Carnegie Mellon's picoCTF team. Chris Novak from Verizon discusses their 2023 Data Breach Investigations Report. And Anonymous Sudan wants you to know that they're not just a bunch of deniable Russian crooks -- where's the love?

Dave Bittner: I'm Dave Bittner with your CyberWire intel briefing for Thursday, June 29, 2023.

8base ransomware: overlooked but spiking.

Dave Bittner: VMware has published a report looking at the 8Base ransomware group, stating, "8Base is a Ransomware group that has been active since March 2022 with a significant spike in activity in June of 2023. Describing themselves as 'simple pen testers,' their leak site provided victim details through Frequently Asked Questions and Rules sections as well as multiple ways to contact them. What is interesting about 8Base's communication style is the use of verbiage strikingly familiar to another known group, RansomHouse." The threat actor primarily targets organizations in the business services, finance, manufacturing, and IT sectors. Over the past 30 days, 8Base was in the top two most active ransomware gangs.

GuLoader against law firms.

Dave Bittner: Morphisec is tracking a GuLoader campaign in the US. Its principal focus is law firms, with a secondary interest in healthcare and investment organizations. The threat actors are using the malware loader to deliver the Remcos RAT. The downloader is distributed via phishing emails: malicious PDF attachments with icons indicating that the PDFs need to be decrypted. Morphisec explains, "This icon contains an embedded link, which once clicked, redirects the user to the final URL by utilizing a popular adclick service called DoubleClick, which is provided by Google. DoubleClick is widely used in online advertising and offers various capabilities, including the ability to track and gather statistics and metadata information on user clicks. In this context, it is likely employed by the threat actors to gain insights into the effectiveness of their malicious campaign. The redirected URL in the chain prompts the user to enter the PIN that was previously sent via email. Once the PIN is provided, the GuLoader VBScript is downloaded, marking the next stage of the attack."

Akira ransomware for Linux systems targets VMs.

Dave Bittner: BleepingComputer writes that a new Linux version of the Akira ransomware is targeting VMware ESXi virtual machines. The double extortion attacks were first reported in May of 2023 and have hit a range of sectors, including education, finance, real estate, and manufacturing. BleepingComputer explains the evolution, stating, "Over the past few years, ransomware gangs have increasingly created custom Linux encryptors to encrypt VMware ESXi servers as the enterprise moved to use virtual machines for servers for improved device management and efficient use of resources. By targeting ESXi servers, a threat actor can encrypt many servers running as virtual machines in a single run of the ransomware encryptor." It should be noted that Akira's encryptors lack many of the more advanced features which would allow automatic shutdown commands prior to encrypting files. BleepingComputer also assesses that the Linux version of Akira's ransomware was likely ported from its Windows version due to the Linux locker skipping certain Windows files and folders. Cyble's Research and Intelligence Lab released a detailed technical report on June 28th, which explained that "Upon execution, the Akira ransomware loads a pre-determined RSA public key to encrypt files in the system." The encryptor targets a predetermined list of file extensions.

Kaspersky tracks the Lazarus group: typos and mistakes indicating an active human operator.

Dave Bittner: Maybe AI would have done better for the North Korean threat group. Kaspersky's SecureList published a report detailing the Lazarus Group's use of the DTrack malware and Maui ransomware in mid-2022. While tracking an initial infection, Kaspersky was able to determine that a human operator was actively typing as the commands were riddled with typos and mistakes. Kaspersky writes, "It quickly became clear that the commands were run by a human operator, and judging by the amount of mistakes and typos, likely an inexperienced one." The researchers were also able to track a new remote access Trojan called EarlyRAT to a phishing document.

Charming Kitten goes spearphishing.

Dave Bittner: The Iranian threat actor Charming Kitten is launching sophisticated spearphishing attacks to distribute a new version of its POWERSTAR malware, according to researchers at Volexity. Charming Kitten (also known as "APT35") often uses social engineering in its cyberespionage campaigns. The campaigns demonstrate an ability to conduct protracted interactions with the intended victim before the phish hook is set. Volexity states, "Charming Kitten appears to be primarily concerned with collecting intelligence by compromising account credentials and, subsequently, the email of individuals they successfully spear phish. The group will often extract any other credentials or access they can, and then attempt to pivot to other systems, such as those accessible via corporate virtual private networks or other remote access services." The threat actor has, for example, posed as an Israeli reporter and begun communicating with the targeted individual. After several days of conversation, the threat actor sent the victim a password-protected document that would install the malware.

Securing continuous integration/continuous delivery operations.

Dave Bittner: CISA and the NSA have released a Cybersecurity Information Sheet outlining advice on securing Continuous Integration and Continuous Delivery (CI/CD) environments. The two agencies explain why this is important, stating, "The CI/CD pipeline is a distinct and separate attack surface from other segments of the software supply chain. Malicious cyber actors can multiply impacts severalfold by exploiting the source of software deployed to multiple operational environments. By exploiting a CI/CD environment, MCAs can gain an entryway into corporate networks and access sensitive data and services."

Now do leetspeak.

Dave Bittner: Post-structuralists, call your office. Advice from FINRA, the Financial Industry Regulatory Authority, via the Wall Street Journal, says, "If your communication is discoverable or reportable, lay off the emojis." The idea is that, as business communication gets more social, more distributed, more informal, less take-a-memo and more lemme-answer-this-text, the regulators would like to bring the wink-and-nod style of conveying what the Journal calls "subtextual messages" under control. Of course, it's possible to convey coded subtext in words, too, but that normally requires coordination, whereas the emoji is freer and more suggestive. After all, you just KNOW the smiling poop emoji's got to mean "buy on material non-public information," whereas the black-eyed ghost with its tongue out means "sell." But what about leetspeak? If they're deconstructing subtext, trust us, leetspeak is a lot easier to decode than emojis. But maybe that's the problem, and we wish you could see the emojis floating around here right now. Heart. Smiley face. Crab signaling "touchdown."

Unconfirmed reports say the Wagner Group hacked a Russian satellite communications provider.

Dave Bittner: Cybernews reports that the Wagner Group claims to have conducted a destructive cyberattack against Dozor-Teleport, a satellite firm that provides communications services to some elements of the Russian Ministry of Defense. Discussions of the reported incident should be treated with caution if not outright skepticism. They appear to originate with a Telegram channel having few followers and no obvious connection to the Wagner Group. They've also been amplified by Ukrainian social media accounts, which, no matter where one's sympathies lie, aren't exactly disinterested parties.

Anonymous Sudan is wounded by reports that it's a Russian front.

Dave Bittner: And, finally, straight up: Anonymous Sudan is a Russian front. We'd say "cat's paw" except we don't want to be offensive in suggesting that someone's like an animal, because we wouldn't do that. Here's how they explain what they're up to. A representative of the allegedly Anonymous and allegedly Sudanese group told Bloomberg, "Everything that is hostile to Islam and all countries that are hostile to Islam are hostile to Russia." Contra Anonymous Sudan's denials, Bloomberg quotes Stockholm-based security firm Truesec to the effect that "Anonymous Sudan is a Russian information operation that aims to use its Islamic credentials to be an advocate for closer cooperation between Russia and the Islamic world -- always claiming that Russia is the Muslims' friend. This makes them a useful proxy." In this, Truesec represents informed opinion. So straight up -- it's the Russians. At any rate, Anonymous Sudan has lately taken to calling its opponents "dogs" in the evident belief that the characteristic Middle-Eastern insult lends them Islamist street-cred. But they say they're not Russians. Coming up after the break, Hanan Hibshi from Carnegie Mellon's picoCTF team. Chris Novak from Verizon discusses their 2023 Data Breach Investigations Report. Stay with us.

Dave Bittner: And it is my pleasure to welcome back to the show Chris Novak. He is the managing director of Cybersecurity Consulting with Verizon. Chris, great to have you back.

Chris Novak: Thanks, Dave. It's a pleasure to be back.

Dave Bittner: So it is that time of year when you and your colleagues at Verizon release the DBIR, which I think it's fair to say is one of the most anticipated cybersecurity reports of the year. This is the Data Breach Investigations Report. Can we start with a little overview here of what prompts the creation of this report every year?

Chris Novak: Sure, yeah. And I will add, it is definitely one of the most anticipated things on our calendar as well. So we work all year round to produce it. I tell folks, you know, the moment the DBIR is released, we are already starting to work on the next one. It's that much goes into it. But the idea really stemmed from, you know, organizations wanting real-world, factual, evidence-based data to drive or to help them understand what the threat landscape looks like, what's working, what's not, what are threat actors doing. And then obviously, most importantly, everybody wants to make sure that they're not a next statistic in one of our DBIRs. And so how is it that they can take the learnings from what that research shows and actually apply it to their business? And, you know, one of the things I think we've really strived to do quite substantially was around not having it be a single source of data, right, subject to potential bias. Obviously, any statistical analysis has the potential for bias. And we even call that out in the report. But we try to source our data from a number of different places, a number of different types of organizations, in order to try to weed out as much of that as possible.

Dave Bittner: Can you give us some insights as to what makes Verizon in a good position to publish this sort of thing? What is your unique view of the landscape?

Chris Novak: Yeah. So we've been doing it now, this is 16 years in the running. So I think, you know, one, we were the first to really jump out there and actually say, let's talk about breaches. In fact, when I think back to the first one -- I had the pleasure of being part of the team back in 2008 when we released the first report. And there was a lot of debate as to whether or not this is even something that should be kind of talked about in a public forum, if anyone really wanted to see the numbers. It was kind of, I don't know if I want to say kind of talked about in dark corners of rooms, where everyone kind of knew people had breaches but nobody really spoke about it. And I think, you know, one, we kind of took that first step, which I think was fantastic. And I think also, the breadth of capability of our team. So we don't just do the analytics and research, but our team also does a tremendous amount of incident response projects for organizations all across the world. It's, you know, hundreds if not thousands a year depending on the given year. And so we also have the data science, data analytics background, as well as, you know, a long-standing incident response background, having done that now for, you know, well over 20 years.

Dave Bittner: Well, let's dig into some of the statistics here, the things that you found. What caught your eye here?

Chris Novak: So I would say that, one, it still continues to show, no surprise here, that we've got a global problem. I always kind of start with that. Because a lot of times when I talk to different people in different countries, you know, everyone kind of tends to think that it's going to be very different than -- and this may shock folks. But, you know, we represent 81 countries in the DBIR in terms of where breaches have happened. And interestingly enough, we still have parts of the world where people will claim there just are not breaches, and so that's why it's not represented. So we've got obviously some maturity to do here. But obviously, 81 countries is a lot of the world represented, and I think probably a lot of our reader base there as well. The number of incidents comes in at over 16,000 in the last year, the number of breaches, just shy of 5,200. I always tell people, you know, this is not intended to be a barometer of we're getting better or we're getting worse; really more just to be transparent around the volume of data that makes up the data set to show that, you know, ultimately what we draw from it is fairly conclusive. Other things that are really interesting. Ransomware continues to be a giant thorn in our side, but surprisingly has actually leveled off. For the first time, around a quarter of the cases involve ransomware. And that was the same as it was last year, which kind of really surprised us. The other thing I would also call out is the role of the human factor. In the previous report, we called out the human factor as being involved in about 82% of all breaches. And this year -- I don't know if I want to celebrate this -- it's down, but it's only down to 74%. So I tell people, there's a lot of numbers that have changed in the DBIR, and some of them are moving in the right direction. But it's not like we've gone from 82% to 2%. We've gone from 82 to 74, right? Ransomware has remained flat. I think there's a whole host of conversations we can have around the why and what that means.

Dave Bittner: So what are the takeaways for you and your colleagues here? When you look at the long-term trends, what's your advice to industry?

Chris Novak: I'd say my big advice is focusing on the fundamentals remains to be one of the most important things. We continue to see a lot of organizations sometimes getting really caught up in the advanced and sophisticated technologies that are out there. Not saying any of those are bad, but if you're missing the fundamentals, that's where we still see a lot of organizations, large and small, still getting very tripped up. And that's the avenue I tell people, threat actors are looking for the easy in; they don't necessarily want to make their lives any more difficult. They've got hundreds of other organizations to target after you. And so if they can get in in an easy way, that's what they're going to do.

Dave Bittner: All right, well, Chris Novak, thanks for joining us.

Dave Bittner: For over 10 years now, Carnegie Mellon University's picoCTF has been working to close the cybersecurity talent gap, introducing the field to students of all ages through its annual Capture the Flag competition and year-round educational platform. To learn more, I spoke with Hanan Hibshi, an assistant teaching professor at Carnegie Mellon University.

Hanan Hibshi: The motivation for this program comes from the need in the nation for increasing the cybersecurity workforce. We have a deficit in the United States. We have a deficit worldwide. And the research shows that for any career, actually, if we start early, if we spread awareness, if children in grade schools learn about some career paths early on, it's most likely that they will choose those paths and find their passion. So picoCTF -- pico comes from the word "small." Meaning that we're trying to target the younger population. That does not mean that the competition itself is small or the kind of challenges are not complicated. They start at the beginning level, but students use a gaming-style platform where they solve Jeopardy-style challenges, trying to get a flag every time, and then they win and they go to the next challenge and they win another flag. And by doing this, we are actually teaching them lots of things. We're teaching them how to use complex concepts like cryptography, reverse engineering, all in this activity mode where they feel like they're playing more than they're sitting in a traditional classroom. But it's also a good tool for teachers. They can use it as classroom activities, as homework, to encourage classes to learn about cybersecurity and to even maybe build their own curriculum around it.

Dave Bittner: Now, as you and I are recording this, you all are in the midst of hosting a picoCTF at your Pittsburgh campus. What specifically is going on there?

Hanan Hibshi: Well, as I said, pico is available as a free public platform out there. But it's a lot of work to go ask teachers who are already overwhelmed with their day-to-day duties in their K-12 schools to go and tell them, hey, let's go and find some time to learn this new tool and then introduce cybersecurity in your classroom. So we took it a step further and, with the support of the GenCyber Program, we were able to secure the funding where we can host this program for free to support teachers and have local teachers from the Pittsburgh area or our neighboring states to come and spend a week in person where they meet with us and where we actually teach them cybersecurity concepts through the platform, have them practice the exercises, and at the same time, help them create lesson plans by using the platform. We reach a point where we say, now that we taught you how to use pico, we taught you a lot about cybersecurity, you will learn how to solve those challenges yourself, how about you look at your own classes that you teach at school -- it could be a CS class, it could be the AP CS classes -- and try to think how would you weave the cybersecurity content within the resources you have. It doesn't necessarily have to be a new class, or something that they just put out there in a student club or something. It could be actually woven into the CS curriculum. Because what I would love as an educator is to have our students think about cybersecurity as they're learning other things in engineering. As they're learning programming, as they're doing their daily lives, I want them to be thinking about those things.

Dave Bittner: And what is the age range of students that you all are targeting here?

Hanan Hibshi: Well, as early as middle school. But anybody can play pico. As I said, the challenges will start from a beginner level and go high up until they reach even further than a grad level. I'm actually very impressed by how, during the competition season, we have challenges that I personally wouldn't feel comfortable assigning in a graduate class, because not every student might get it. But I actually get impressed by the high school students from around the nation who solve those challenges during the competition time. And that speaks for the hidden talents that we have out there. picoCTF has reached all 50 states. We have representation from different states, and we have representation from different countries around the world. Children in Japan and India are playing pico. Children in Canada. And these are middle school and high school students. Most of our winners have been high school students. They start at middle school, they build the skills, and then they feel that they're ready for the competition. But even adult learners are finding a value in pico. We've heard some anecdotes from people who were able to find some free time and try creating an account there and playing some of those challenges, and just enhanced their cybersecurity skills.

Dave Bittner: And why is it important for a university like Carnegie Mellon to take the lead on a program like this?

Hanan Hibshi: Because at the end, we are -- we can't just stay disconnected from our communities, that's number one. And number two, we really need to start working with our K-12 educators. It's unfair that we come and say, oh, we deal with undergrads and graduate students and we do research, and we don't care about what happens before that. Universities have an interest in betterment of the society, betterment of the world. Universities try to provide solutions. And we are trying to address this pipeline issue in every way possible. While some researchers are trying to work on AI solutions that would maximize productivity and maximize the benefit that we can get from humans, we also have other directions where we try to increase the pipeline through educational outreach programs.

Dave Bittner: That's Hanan Hibshi from Carnegie Mellon University.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at the cyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.