The CyberWire Daily Podcast 7.13.23
Ep 1862 | 7.13.23

Taking steps to stop a Chinese APT. Implementing the US National Cybersecurity Strategy. LokiBot is back. Malware masquerading as a proof-of-concept. Swapping cyber ops in a hybrid war.

Transcript

Dave Bittner: CISA and the FBI issue a joint cybersecurity advisory on exploitation of Microsoft Exchange Online. Implementing the U.S. National Cybersecurity Strategy. FortiGuard discovers a new LokiBot campaign. Training code turns out to be malicious in a new proof-of-concept attempt discovered on GitHub. Russia resumes its pursuit of a sovereign Internet. The GRU's offensive cyber tactics. Chris Novak from Verizon discusses business email compromise and the 2023 DBIR. Our guest is Joy Beland of Summit Seven on the role of managed service providers in the supply chain to the defense industrial base. And a probable Ukrainian false flag operation.

Dave Bittner: I'm Dave Bittner with your CyberWire Intel briefing for Thursday, July 13th, 2023.

CISA and the FBI issue a joint Cybersecurity Advisory on exploitation of Microsoft Exchange Online.

Dave Bittner: We begin with some follow-up to a cyber espionage campaign that's troubled the U.S. Government over the past weeks. Late yesterday the U.S. Cybersecurity and Infrastructure Security Agency and the FBI released a joint Cybersecurity Advisory regarding a Chinese cyber espionage campaign that's targeting government officials. The advisory urges organizations, especially those operating critical infrastructure, to step up their monitoring and logging of activity surrounding Microsoft Exchange Online environments. Microsoft described the campaign in a blog post earlier this week, noting that the threat actor compromised email accounts at approximately 25 organizations by using forged authentication tokens to access user email, using an acquired Microsoft account consumer signing key. In full disclosure, we note that Microsoft is a CyberWire partner. The Washington Post reports that the campaign targeted the U.S. Commerce and State Departments, and that an email account belonging to U.S. Commerce Secretary Gina Raimondo was compromised. The Associated Press notes that the hacks occurred just before U.S. Secretary of State Antony Blinken's trip to Beijing last month. The State Department appears to have been the first agency to recognize the suspicious activity.

Implementing the US National Cybersecurity Strategy.

Dave Bittner: The White House this morning published the Cybersecurity Strategy Implementation Plan, which provides guidance on how responsible parties are to put the national strategy into effect. The Implementation Plan has five "pillars." An accompanying fact sheet listed them as: Pillar one, defending critical infrastructure, where operators are advised to pay particular attention to CISA's National Cyber Incident Response Plan, which the agency will update regularly. Pillar two, disrupting and dismantling threat actors. The Joint Ransomware Task Force, led by CISA and the FBI, will play a leading role here. Pillar three, shaping market forces and driving security and resilience. This pillar supports, in particular, the security of the supply chain. Pillar four, investing in a resilient future. This pillar involves developing standards that will enable security to keep pace with, or even stay ahead of, developments such as quantum computing. And pillar five, forging international partnerships to pursue shared goals. The State Department will lead the work here. The White House points out that the guidance is not exhaustive. Agencies are expected to take actions appropriate to their missions and circumstances.

FortiGuard discovers a new LokiBot campaign that uses Microsoft Word as an attack vector.

Dave Bittner: Researchers at Fortinet's FortiGuard Labs have discovered a malicious campaign by LokiBot that's actively targeting Microsoft Office. The campaign's first stage has used two Word documents, one with an external link exploiting CVE-2021-40444, the other with a VBA script that executes a macro upon opening and takes advantage of CVE-2022-30190. The second stage deploys an injector that utilizes a hard-coded key to decrypt the payload retrieved in stage one. The final stage locates and exfiltrates sensitive information from web browsers, FTP, email, and various software on the infected machine or system. FortiGuard recommends that, to protect themselves, users should exercise caution when dealing with any Office documents or unknown files, especially those that contain links to external websites. It is essential to be vigilant and avoid clicking on suspicious links or opening attachments from untrusted sources. Additionally, keeping software and operating systems up to date with the latest security patches can help mitigate the risk of exploitation by malware.

Training code turns out to be malicious in a new proof-of-concept attack discovered on GitHub.

Dave Bittner: Uptycs has discovered a proof-of-concept that hides a malicious backdoor through which data is stolen. Proofs-of-concept are used by cybersecurity researchers to understand potential vulnerabilities and are generally trusted to be the safe option to learn what harmful code can be used against a network. Uptycs writes, "In this instance, the POC is a wolf in sheep's clothing, harboring malicious intent under the guise of a harmless learning tool. Its concealed backdoor presents a stealthy, persistent threat. Operating as a downloader, it silently dumps and executes a Linux bash script, all the while disguising its operations as a kernel-level process." Although the POC has been removed from GitHub, Uptycs believes users who installed it are at high risk of compromise. The malicious POC copies code from an older, legitimate Linux exploit. But upon further examination of the code, researchers found malicious code inserted into the program. This type of tactic is not new, but this incident should remind researchers to always analyze files downloaded from the Internet, and to do so skeptically.

Russia resumes its pursuit of a "sovereign Internet."

Dave Bittner: In a renewed push for a protected and controllable sector of cyberspace, Russia is pursuing a sovereign Internet. But the program faces difficulties. Scientific American reports that a test last week attempted to disconnect Russia's Internet from the rest of the world. The Kremlin declared the trial a success, but outside observers conclude, to the contrary, that it ended in failure, producing widespread outages among Russian websites. The sovereign Internet isn't a simple or unitary project, but rather a system of technologies, deep packet inspection tools figuring prominently among them, that would give the government greater ability to cut off external, that is, international, connections and to monitor domestic traffic and content. There's also an element of self-sufficiency in the program, as Russia seeks to provide domestic alternatives to hardware and software that would otherwise be provided from foreign sources.

The GRU's offensive cyber tactics.

Dave Bittner: Turning to the hybrid war Russia has been waging against Ukraine, Moscow has responded to Ukraine's counteroffensive with a surge in cyber attacks, CSO Online reports. The GRU isn't the only Russian service involved, but it's been a prominent player in these operations. Mandiant has been tracking cyber operations by Russia's military intelligence service, the GRU, often known in its cyber mode as Fancy Bear, and its researchers have discerned a common, well-thought-through, and repeatable process underlying the GRU's approach. It sees a five-phase operational style. First, living on the edge. Second, living off the land. Third, going for the GPO. Fourth, disrupt and deny. And finally, telegraphing success. The researchers see the playbook as systematizing some well-established approaches and combining them into an operational method that's effective, repeatable, and responsive. It yields, for all of its fixed and stereotypical structure, a paradoxical agility and adaptability that render cyber operations a practical combat support capability.

A probable Ukrainian false-flag operation.

Dave Bittner: And finally, here's another action in the hybrid war that looks like the waving of a false flag. The June 29th cyber attack against Russian satellite communications provider Dozor-Teleport ZAO was claimed online by an actor who identified themselves as a member of the Wagner Group. The hack, which came five days after the Wagner Group stood down from its march on Moscow, was represented as a contribution to the mutiny. But the timing seems to have been off. Some of the activity antedated the Wagnerite action, and the actual wiper attack occurred after negotiations had brought an end to the incident. Bloomberg reports that there are more circumstantial signs of Ukrainian involvement in the action. For example, news of the attack didn't spread until Andriy Baranovych, a spokesman for a group of Ukrainian hackers named the Ukrainian Cyber Alliance, tweeted about it. The Ukrainian Cyber Alliance is a hacktivist auxiliary working in Kyiv's interest. [Music] If the cyber attack was a false flag operation, it was well conceived as a contribution to doubt and mistrust in Russia.

Dave Bittner: Coming up after the break, Chris Novak from Verizon discusses business email compromise in the 2023 DBIR. Our guest is Joy Beland of Summit Seven on the role of managed service providers in the supply chain to the Defense Industrial Base. Stay with us.

Dave Bittner: The Defense Industrial Base has been mandated since 2017 to implement over a hundred security controls. But early on, the DOD asked that these organizations self-attest. As you might imagine, that led to decidedly mixed results. And so, about two years ago, the CMMC Assessment Program was introduced, which ultimately will result in certified assessors going into these organizations in the defense supply chain to assess them for their actual implementation of those controls. Joy Beland is Vice President of Strategic Partnership and Cybersecurity Education at Summit Seven, a company that focuses on cybersecurity and compliance for the DOD.

Joy Beland: The Department of Defense themselves estimates there's more than 300,000 businesses that this would impact. And when you look at that, there's a handful of primes, and then there's another layer of the major subs right underneath the primes. But what it really boils down to is 90-some percent of the supply chain are very small businesses. These are businesses anywhere from, you know, five people, family owned for 40 years, that they've been making one part that goes onto the fighter jets, and they've been a provider to the DOD for all of these decades, right, all the way up to, you know, 100 people in their business. But the size of that business is so small that they don't have their own in-house IT people. They can't afford it. They can't afford to have somebody really skilled, you know, when they're on a manufacturing floor, and have them dedicated to nothing but their computers. So they outsource this, and the outsourcing for the IT takes place to managed service providers, or MSPs. And MSPs have never been regulated, ever. It's kind of funny that, as a woman, I can walk in a beauty salon to have my nails done, and I'm assured that there's some type of training, testing, and health aspects that the state has licensed anybody doing my nails to be able to meet these certain controls. But as a small business, I can call Todd the IT guy, and he has nothing regulating him or licensing him to say that he's qualified to be managing my computer system.

Dave Bittner: Yeah. So where does that leave the MSPs then? Is there going to be a certification process?

Joy Beland: Well, it looks like that. And the Department of Defense, you know, if they had their way, they are looking at MSPs through a lens of almost the same criteria as a cloud service provider, and being able to assure, give a very large level of assurance to the government, that any of the services that they're providing are going to meet FedRAMP Moderate requirements. And what that would mean is 325 controls, not 110. So the FedRAMP Moderate requirement comes out of NIST 800-53, and so it's a much higher bar for managed service providers to meet. And most of those MSPs that are currently servicing the very small businesses in the Defense Industrial Base have nowhere near the amount of resources, skills, knowledge, processes even, to be able to get through the 110 controls in NIST 800-171, meeting the same level of cybersecurity that their own clients would be required to meet, so much as the 325 controls in the FedRAMP Moderate baseline.

Dave Bittner: So what's the real-world situation here, then, as we ramp up to meet these standards? What's the impact going to be?

Joy Beland: Yeah, it's a huge problem, and there's not enough visibility for what's happening, because what we are suspecting is going to happen is that, at a minimum, the NIST 800-171 requirements would be applied to those managed service providers who have clients in the Defense Industrial Base. And I think that right now there's about a handful of managed service providers in the United States that can meet that criteria and are actively focused on it and working toward it. And that would mean, you know, those managed service providers currently heading in that direction, like the one that I'm working for at Summit Seven, it's an incredible amount of resources. You basically have to retool your entire company culture. All of your processes, a huge amount of maturity in your documentation, change management, vulnerability management. You have to be very careful about the tools that you use, what other organizations you outsource any of those capabilities to. And so it's a very expensive and laborious process to meet those requirements. We think that there's going to be a huge amount of fallout in the managed services industry, that they're going to look at this and say, hey, you know, I've been supporting Joe's Airplane Parts for 15 years. They're my buddies. I can't afford to do that anymore. And they're going to have to turn over those clients to the MSPs that are truly capable of providing those services. But what that means for the small business itself is that they can no longer afford what they were paying Joe for their IT services. They're going to be looking at the cost of leveraging a mature MSP and saying to themselves, is it really worth it for me to have this defense contract? Because they know that they can't do it themselves. It's way over their heads. They likely have to turn over and refresh a lot of their own technology, their own company culture, their own processes. And being able to leverage a mature MSP for that is going to cost them twice as much, easily, and they're going to look at that. So the question is, you know, how many of our suppliers in the Defense Industrial Base are we willing to lose in order for all of the ecosystem to come up under the mandate of NIST 800-171? And also, it's necessary. It's necessary in order for us to protect our intellectual property and all of the defense controlled unclassified information that is being handled throughout our, for our national security. So we're in a situation right now where there isn't a good answer. And it's really, time is of the essence, and a lot of decisions are being made without the industry understanding what's happening.

Dave Bittner: A couple of things strike me here. I mean, first of all, you know, there's that old, what's practically a cliché now, about the, you know, the $500 hammer that the Defense Industrial Base needs. And it seems to me like we could be headed in that direction with things that people consider to be basic bread-and-butter IT services, sorts of things that you get through your MSPs. Suddenly we're going to be seeing some sticker shock here. The other thing is that I wonder, are we, to mix metaphors, decreasing our genetic diversity? If only a handful of suppliers are going to be able to meet this standard, is that a risk as well, that we have a limited number of suppliers, and so there's risk there?

Joy Beland: Absolutely. I mean, we've already seen this massive consolidation across the primes. And a huge part of our economy is driven by those defense contracts. You know, that's where the small business is. It's a large part of the bread and butter. But the truth is, Dave, as you're saying, you know, table stakes for cybersecurity, the most basic cybersecurity, a lot of these organizations, including the MSPs that support them, have never properly addressed cybersecurity for the protection of their own intellectual property. Let's look aside from those defense contracts and say, look, you've got something that only you can do, and you've been doing it really well for all of these years. If you have a computer in your network anywhere, you are at risk of having that intellectual property being hemorrhaged, being stolen, being leveraged by our adversaries, and everybody loses in that scenario. Not just our national defense, but our actual economy. So we're seeing this at scale in every other industry. It's just finally being pointed out and properly addressed by the Defense Industrial Base. And it's, you know, it's hugely necessary. At the most basic level, there are 17 controls that are required in order to even have a contract with the DOD. Those 17 controls, it is astonishing how many organizations still don't even have that much implemented. So 17 out of the 110. So, you know, this is a wakeup call for everybody, not just the defense industry, but [music] small businesses and the managed service providers who have been assuring them all along, we've got you covered. It's time for them to mature as well.

Dave Bittner: That's Joy Beland from Summit Seven.

Dave Bittner: And it is my pleasure to welcome back to the show Chris Novak. He is the Managing Director for Cybersecurity Consulting at Verizon. Chris, you and I have been discussing some of the details of the DBIR from your colleagues there at Verizon. And I want to focus today on business email compromise, which is something you dig into in the report here. What's the news when it comes to BEC?

Chris Novak: Yeah, great point there, Dave. So the staggering news there is it actually almost doubled year on year, kind of within the scope of social engineering. And I think that is really problematic, because I don't think we've seen an uptick in many things like that in the previous several years. So definitely a dramatic rise in business email compromise.

Dave Bittner: Is it just a matter of it works?

Chris Novak: I think that's part of it. It's what I put in the category of what I call belly button breaches. And that is-

Dave Bittner: Go on.

Chris Novak: - the human element plays a big role in these, because a lot of it really comes down to tricking people. Right? It's the belly buttons in seats that are falling victim. It's not a vulnerable application or a system where you can say, hey, the problem is, just push a patch out to everything. In a lot of these cases, and I hate to say the problem, but it's usually with the underlying humans. It's the individuals are either not well educated on what these types of threats look like, or the organization doesn't have the right processes and controls in place such that when a human makes a mistake, there's no layered backup behind it. Right? When we look at what a business email compromise is, it is almost 100% around tricking a person to give up information or to wire money in some unauthorized fashion. And that's why I call it kind of the belly button breaches. That's really where almost all of these events happen.

Dave Bittner: Yeah, it's a really good point. I mean, I think about how, on the one hand, we tell people you've got to train your employees to not click on the links. But on the other hand, no one's business should be structured in such a way that an employee clicking on a link can bring down the business.

Chris Novak: Absolutely right. And it's interesting, because when I talk with a lot of organizations, this affects organizations of all sizes. The ones that I think are most unfortunate are, I mean, not that it's good for anybody, but your small to medium-sized businesses, where the loss can be really substantial to them. You know, I've worked with a number of organizations over the years, and my team has done countless business email compromise, you know, incident response events. And to see an organization, for example, that, you know, literally you'll have like a small business or medium business owner in tears saying, you know, I weathered COVID, which I didn't think that my business would survive. And then I got hit with a business email compromise and lost everything. And it makes it really real. You know, for a large organization, you know, they wire a million dollars, $5 million, $10 million to the wrong bank account. No one's excited about that. But they can probably weather that. Small businesses, medium businesses, that's obviously much more catastrophic. They may not even have, you know, some kind of insurance coverage that would backstop that. But, you know, what I tell people is the key thing to consider here is process. What is the process to backstop the human? You know, when we look at, you know, a large financial, if you want to go move $10 million, there's probably not one person who can click the button and say, send $10 million, and it just goes, right? I know within our own organization, if I want to move even just a small amount of money or pay a vendor, you know, I initiate the payment transaction. And then there is some litany of approvers and reviewers that need to make sure that it is sound before any money changes hands. And I think that process component is something that some organizations, especially those that maybe are slightly lower down on the maturity curve, really need to look at, because that's something that's a relatively easy and, I'd say, kind of low-cost step. Doesn't require fancy technology, but it's a good way to catch these.

Dave Bittner: Speaking of technology, what sort of things do you recommend for folks to shore up the security of their email systems themselves?

Chris Novak: Yes. So I think, you know, first and foremost, it goes without saying, multifactor authentication. You know, and I'm a big proponent of looking at things like either number-matching multifactor authentication or using things like a YubiKey or something along those lines, in order to be able to, you know, best prevent your credential from being social engineered and then being able to be, you know, reused in any one of these nefarious purposes. And, you know, it's funny because, maybe not funny is the right word, but I presented the DBIR to a lot of people, and one of the questions I got the other day was, we've talked about multifactor authentication for what seems like, you know, two decades now. Are there really still organizations out there that don't have it? And, you know, I would bet right now there's probably, you know, hundreds, thousands, tens of thousands maybe of listeners that are probably going, yes, I still have spots in my org that don't have it, right?

Dave Bittner: [Laughter] Yeah.

Chris Novak: So I think it's a bigger problem than most people realize. You see it when you log into your bank. You might see it when you log into your Gmail. But there's still a lot of people who still don't have it everywhere in all the sensitive parts of their organization.

Dave Bittner: Yeah. And I think they incorrectly think that maybe they're too small to be interesting. And certainly the data in the DBIR proves that to not be the case.

Chris Novak: You're absolutely right, and in fact, that's probably a really good point to make, and I try to make this whenever I can, is that it doesn't matter the size of the organization. There's probably always someone bigger than you. There's probably always someone that you'd say might be more of an interesting target. But keep in mind, the threat actors really don't care. There's a handful of threat actors out there that are looking for notoriety, and they're going after [music] specific targets for specific reasons. But by and large, what the data shows us is that they're largely opportunistic, and they're going after whoever they can get something from.

Dave Bittner: Yeah. All right, well, Chris Novak is Managing Director for Cybersecurity Consulting with Verizon. Chris, thanks so much for joining us.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Trey Hester, with original music by Elliot Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.