Update on Chinese cyberespionage incident. ICS vulnerabilities. USB attacks. New KEVs. Updates from Russia's hybrid war, as hacktivists swap DDoS attacks and observers draw lessons learned.

Dave Bittner: Developments in the case of China's cyberespionage against government Exchange users. Industrial controller vulnerabilities pose a risk to critical infrastructure. USB attacks have risen three-fold in the first half of 2023. CISA adds two vulnerabilities to its Known Exploited Vulnerabilities Catalog. Ghostwriter's continued activity focuses on Poland and Ukraine. Hacktivist auxiliaries swap DDoS attacks. Awais Rashid from the University of Bristol shares insights on threat modeling. Our guest is Chris Cochran from Huntress on the challenges small and medium sized businesses face with cyber security. And lessons learned from cyber warfare in Russia's war.

Dave Bittner: I'm Dave Bittner with your Cyberwire Intel Briefing for Friday, July 14th, 2023.

Developments in the case of China's cyberespionage against government Exchange users.

Dave Bittner: The Washington Post reports that the US government is still investigating how a Chinese APT carried out attacks against US State and Commerce Department email accounts. Specifically, the government is trying to determine how the threat actor obtained the Microsoft account consumer signing keys used to gain access. Microsoft hasn't disclosed any vulnerabilities related to the attack. Adam Meyers, senior vice president of intelligence at CrowdStrike, wonders if the attack involved a Microsoft insider, since the hackers would have needed a more powerful internal key controlled by Microsoft in order to create consumer signing keys. Jason Kikta, chief information security officer at Automox, stated, "This attack used a stolen key that Microsoft's design failed to properly validate. The inability to do proper validation for authentication is a habit, not an anomaly." The cyberespionage wasn't necessarily confined to American targets. The UK's National Cyber Security Centre is also working with Microsoft to determine the impact of the hacks, according to Reuters. In full disclosure, we note that Microsoft is a Cyberwire partner.

Industrial controller vulnerabilities pose a risk to critical infrastructure.

Dave Bittner: Researchers at Armis discovered nine vulnerabilities affecting Honeywell's Experion distributed control system products, TechCrunch reports. An attacker with network access could exploit the flaws to remotely run unauthorized code on both the Honeywell server and controllers. Curtis Simpson, CISO at Armis, told TechCrunch, "Worst-case scenarios you can think of from a business perspective are complete outages and a lack of availability. But there's worse scenarios than that, including safety issues that can impact human lives." Honeywell issued patches for the flaws last month. Honeywell spokesperson Caitlin E. Leopold said in a comment to TechCrunch, "We have been working with ARMIS on this issue as part of a responsible disclosure process. We have released patches to resolve the vulnerability and notified impacted customers. There are no known exploits of this vulnerability at this time. Experion C300 owners should continue to isolate and monitor their process control network and apply available patches as soon as possible."

USB attacks have risen three-fold in the first half of 2023. 

Dave Bittner: Mandiant reports that USB attacks have risen by three times in the first half of 2023. Their report details two new USB attack campaigns: the SOGU malware infection that targets industries across the globe, and the SNOWYDRIVE infection that seems to target oil and gas companies across Asia. Both campaigns use a USB drive for initial infection and propagation, while installing malware that steals sensitive information from the host computer. SOGU is the more prevalent USB infection campaign and has spread to various sectors, including pharmaceutical, IT, energy, communications, and healthcare organizations across North America, Europe, Asia, and Oceania. Mandiat states, "While some threat actors targeted specific industries or regions, this campaign appears to be more opportunistic in nature. This campaign may be part of a long-term collection objective or a later-stage follow-up for subjects of interest to state-sponsored threat actors." USB campaigns are especially dangerous as they are a method for attacking air-gapped systems, that is, systems with no connection to the outside internet. The most famous example of a USB-based attack was Stuxnet which, as Trellix explains, was an infection spread to Iranian nuclear facilities delivered by USB sticks.

CISA adds two vulnerabilities to its Known Exploited Vulnerabilities Catalog.

Dave Bittner: CISA has  added two vulnerabilities to its Known Exploited Vulnerabilities Catalog. CVE-2023-37450, Apple Multiple Products WebKit Code Execution Vulnerability, and CVE-2022-29303, SolarView Compact Command Injection Vulnerability. CISA explains, "These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise." Federal civilian Executive agencies have until August 3rd to apply updates per vendor instructions or discontinue use of the product if updates are unavailable.

Ghostwriter's continued activity focuses on Poland and Ukraine.

Dave Bittner: Yesterday Cisco Talos researchers described the recent activity of a Belarusian threat actor engaged in cyberespionage between April of 2022 and June of 2023. Talos says, "Ukraine's Computer Emergency Response Team has attributed the July campaign to the threat actor group UNC1151, as a part of the GhostWriter operational activities allegedly linked to the Belarusian government." The attack begins with a malicious Microsoft Office document, usually either an Excel or PowerPoint file, which, if opened, delivers an executable downloader and a payload hidden in an image file. The final payloads include the AgentTesla remote access trojan, Cobalt Strike beacons and njRAT. The targets are Ukrainian and Polish military and governmental organizations.

Hacktivist auxiliaries swap DDoS attacks.

Dave Bittner: Russian and Ukrainian hacktivist auxiliaries have both recently conducted distributed denial-of-service attacks. The Center for European Policy Analysis calls it "crowdsourced cyber warfare," the principal organizers of which have been, on the Russian side, NoName057(16), and on the Ukrainian side, the Ukrainian IT Army. None of the attacks, CEPA rightly notes, have amounted to much more than a nuisance. They are, however, easy to mount, and require little in the way of technical skill to pull off. They may represent the upper limits of the crowdsourced approach to organizing a cyber auxiliary.

Lessons learned from cyber warfare in Russia's war.

Dave Bittner: The Center for Strategic and International Studies looks at the record of the war so far and draws some lessons that might inform thinking about cyber warfare in the future. In sum, the lessons suggest that some of the catastrophic fears that have surrounded cyber warfare appear less likely after a year-and-a-half of operational experience. The study draws three major conclusions. First, cyber operations will play a supporting rather than decisive role in major theater wars. Intelligence collection and operational deception are likely to be cyber's most prominent contribution, once the shooting starts. Second, war will still be a continuation of politics by other means and rely on the more tangible effects of violence than on the exclusive effects of compromising information networks. As the fight escalates along the spectrum of conflict, sure kinetic effects will be preferred to the uncertain results of cyber operations. And the merits of cyber operations continue to be their utility as a tool of political warfare because they facilitate an engagement short of war that leverages covert action, propaganda, and surveillance but in a manner that poses a fundamental threat to human liberties. So, disinformation and surveillance in tandem can be expected to be features of future war. The study concludes with appropriate policy recommendations. Increase public-private partnership, improve cyber diplomacy and international information-sharing, and work to counter cyber-enabled information operations.

Dave Bittner: Coming up after the break, Awais Rashid from the University of Bristol shares insights on threat modeling. Our guest is Chris Cochran from Huntress on the challenges small and medium sized businesses face with cybersecurity. Stay with us.

Dave Bittner: Chris Cochran is Advisory CISO and Chief Evangelist at Huntress, and one of the founders and hosts at Hacker Valley Media. I reached out to Chris for insights on the specific challenges facing small and medium sized businesses when it comes to securing their assets.

Chris Cochran: Back in the day, you could look at small, medium sized businesses as being not in the mix when it comes to bigger threats like APT level threats. But what you're finding with automation and artificial intelligence, it's really easy to target at scale. So now you're having the same tactics and techniques that are going against these big enterprise level folks. It's really come down to the SMBs that don't have near as much budget, not near as much personnel, and honestly, they're just trying to stay afloat amongst all the ridiculousness that we're dealing with on a day-to-day basis in cybersecurity.

Dave Bittner: And what are the specific threats that are being aimed at them?

Chris Cochran: A lot of ransomware events, because that is really fruitful for cyber attackers. They're finding that A, if we can get 1,000 folks affected with ransomware, it makes making one infection seem dim in comparison, unless you're talking about these big, giant whales as they call it. What that really means is if you're looking at someone from a supply chain perspective, it only takes one intrusion to affect many. And so when you look at that, you could be affecting hundreds if not thousands of organizations just by one intrusion. So with the advent of automation and AI, it's really easy for folks to find themselves on a compromised situation when it comes to cybersecurity.

Dave Bittner: And what does a typical small business do in terms of provisioning themselves? I mean what's available and out there that is within their reach?

Chris Cochran: It really depends on the business. A lot of times, you'll see that they might have a really small IT shop, and that IT shop might have the security responsibilities that a regular team of security practitioners would have. And they don't necessarily have the training, they don't have the experience to have all the work that they're doing. But they have to, because there is no other choice. They might not have budget for a full-time security practitioner. They might not have the budget for some of the top tier solutions when it comes to cybersecurity. And so really, they're having to do a lot of work with very little resources.

Dave Bittner: And what about organizations who say okay, I'm going to go with one of the big suppliers here. You know, I'm going to run everything through Microsoft or everything through Google and I'm going to let them handle most of the heavy lifting there. I mean, how far along does that get them? Does that put them ahead of some people? And is that good enough?

Chris Cochran: I will say that there is a benefit to working with larger providers, suites of tools, talking about the Googles, the Microsoft. But it isn't going to be 100% solution for anyone. I would say that in those instances, you could try to defer some of the responsibility to those folks, but it's really going to be up to you. Because when we're looking at things like SAS adoption, people are bringing in SAS applications all the time. And I don't, in my opinion, I don't think that there is just a one clearcut solution to support all of the operations, whether you're doing migration from on prem to the cloud, whether you're dealing with folks working online, you know, working remotely versus working in the SOC itself, or working in the organization itself. There are a lot of situations where it is going to be a much more targeted approach. You can't really just have the easy button when it comes to small and medium sized businesses. You really have to look at what are the high leverage technologies, processes, and individuals I can have in my organization to combat the threats.

Dave Bittner: How do you recommend people come at that? When someone is starting this journey? How do they set their priorities both for their time and their financial resources as well?

Chris Cochran: I would say, when you look at prioritization of where are you going to put your time and efforts, look at what is most important to you. As I was talking about crown jewels or critical assets, talk about functionality of your company. If you were to look at the cyber attacks that are happening today, what would your company be in the news for? Is it the loss of IP, is it the loss of information that you were holding? Is it the availability? Are you a company that prides itself on being available but now you've gone through a DDoS, and that has taken the confidence away from your customers? Figuring out what is the most important things for your business. And then working backwards from there. So say okay, if availability is most important to me, I know I need DDoS protection. Or I know that all of my end points have really interesting and specific information that I want to protect, so maybe you need to look at something like a managed EDR. Because you need to protect all of these end points at scale. That's what you really need to look at. Is you need to look at what are the most important things for my business to do? What do I need to do to continue to operate? And then how do you protect those things across the board? And of course, you're going to have to weigh the options against itself because you could over invest in one area when you should have been investing in another. But really just weighing out like who are the stakeholders for the security program? What is the most important thing that we could do today to improve the security posture so that the company can continue to operate?

Dave Bittner: I think it's really challenging for folks, if you're out there shopping around, you know, you go to a trade show or even talking to, you know, folks in the same business. There's so much fear, uncertainty, and doubt being tossed around. It can really be intimidating. I can empathize with people who are on the one hand kind of afraid to start asking questions. Because you know, everyone's put so much fear in them that they're afraid what's going to be uncovered in their business. One thing that I found, you know, through my journey, through my career, is that story is really about taking information and eliciting or evoking some type of emotional response. And what folks have found in cybersecurity, is that it's much easier to evoke the feeling of fear, uncertainty, and doubt, because we're dealing with threats. And when you're dealing with threats, that emotion of fear is an easy one to lean on. What I think we need to step back and realize is that when we're using fear, that doesn't exactly cultivate the best relationship with everyone. If you want to bring someone into a situation where there is a lot of fear or things to be worried about, what you really want to bring out of them is hope. Optimism. The feeling of togetherness. The understanding that we are all one team, one fight in this plight of cybersecurity. So we're really trying to help each other get to that next level, protect the stuff that we care about, the people, the data, the resources that we care about. And honestly, at the end of the day, to have a much more secure internet that people can enjoy.

Dave Bittner: That's Chris Cochran from Huntress.

Dave Bittner: There's a lot more to this conversation. If you want to hear more, head on over to the Cyberwire Pro, and sign up for interview selects, where you'll get access to this and many more extended interviews.

Dave Bittner: And I'm pleased to be joined once again by Professor Awais Rashid. He is the Director of the National Research Center on Privacy, Harm Reduction, and Adversarial Influence Online at University of Bristol. Dr. Rashid, always good to have you back. I want to talk today about threat modeling. But you have kind of an interesting angle to discuss this. What can you share with us today?

Awais Rashid: So, threat modeling, you know, has been around for some time now. Those who work in certainly software development would be very, very familiar with something like stride, which is, you know, threat modeling approach that helps you analyze your potential application against a set of six key threats. Which is, you know, spoofing, tampering, repudiation, information leakage, denial of service, and escalation of privileges. And you know, this is something that we encourage software developers to do when they are designing their application. But the point that I wanted to come at it was threat modeling should not be just a one-off activity. Because certainly, we develop applications, they go out into the world, okay? And people use them. But at the same time, the threat landscape around us changes as well. So what we may have thought was the original scope of our threats potentially changes over that period of time. We also may add new features to our application. Okay? So the scope of the application changes. So as a result, you know, we need to really kind of regularly reevaluate if our threat models remain fit for purpose as the application's features grow. But also, as the threat landscape changes. And I could, for example, give you a very specific application if you think that would be quite interesting. Because it is something that we have looked at in a lot of detail.

Dave Bittner: Yeah, absolutely. Let's dig into it. What can you share with us?

Awais Rashid: Okay, so, you know, we all use end-to-end encrypted messaging applications. So, you know, Signal, WhatsApp, and those. And this is something that we have looked at in a lot of detail. So we looked at the fact that, for example, when these applications were originally designed, that they were designed on the basis that you have your messaging application on your phone. Okay? And you want to secure your communication with another party. So for example, you and I speaking to each other in that case, what the signal protocol, which is also used within WhatsApp in itself, ensures that people may know, someone may know that you and I have spoken, but they would not know what is the content of that message. Because we have messaged each other. But the content of the message is secure. And this was based on the assumption that the attacker is necessarily removed. So, if that hacker compromises the form, then of course they can see what is happening. However, over a period of time, these applications have also added desktop. So now you can use WhatsApp on your desktop. You can also use signal on your desktop. So now there are new devices that are now linked to the original device that is using the same connection. So now, you have new features added. Okay? So this is the example of new features. But also, the threat landscape has changed. So we know, for example, from research and increasingly in the news, that for example, those who may want to, for example, surveil intimate partners, you know, they may have direct access to devices. In case of, for example, such as by particular law enforcement organization depending on where you are in the world, they may have direct access to devices. And if you are using Signal or WhatsApp desktop on your corporate machine, which is normally remotely managed, and would have, administrators would have direct access to that, then again, you know, an unscrupulous administrator can have effectively full access to the full desktop online. And what we find is that actually the original threat model doesn't work in this case. So, that was based on the assumption that only your phone has to be secure in your possession. But now an unscrupulous actor can potentially leak your messages, depending on the type of application that you are using, this is not applicable across every end-to-end messaging application, but a number of them fall vulnerable to a number of attacks as a result because the threat model hasn't changed since they were originally conceived.

Dave Bittner: It's really an interesting concept. It reminds me of how, oh, folks like insurance providers will say you should check in with your provider from time-to-time for things like your life insurance or your homeowner's insurance because things change. Your situation may change. Your financial situation may change. Are you recommending a similar kind of thing, that people sort of check in with themselves from time to time and evaluate what's new, what's different?

Awais Rashid: Oh, absolutely. So, I think, you know, as development teams, you know, should regularly reevaluate. And there is two points at which, you know, you have to regularly sort of evaluate. If you add new features, like a desktop, then you have to think about has this changed now who else can have access to it? Is the trust boundary that I have, is it changed? Or, also regularly sort of considering, what new threats are emerging out there. So technically it's not our work, there are others who work in the industry have said you should do threat modeling little and often. Okay, and I think that's really the kind of key point here. That as we add things to our applications, or as we understand what the threats are and they change, then we have to regularly kind of consider is our threat model correct? And is our design now providing this appropriately? So I can -- I don't want to necessarily just pick on one, because we looked at six of these major end-to-end encryption applications, but for example, if we look at Signal as an example, as someone who has potentially got access to the desktop can actually clone the desktop and compromise forward secrecy. Okay, and then that creates a serious problem. Because now someone has actual direct access to the messages that you are sharing. Another counterargument to that would be of course that implies that someone has gained physical access to the desktop but that is not an inconceivable scenario given some of the way threats have changed over this period of time. So these are the kind of examples that you can see. We see these in some of the other applications as well. And some are better at kind of detecting threats than others. And so, it's clear that some things are doing this and others are perhaps doing this less, less, less.

Dave Bittner: Alright, interesting insights for sure. Professor Awais Rashid, thanks for joining us.

Dave Bittner: And that's the Cyberwire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday, and my conversation with Michael Clark from Sysdig. We're discussing SCARLETEEL 2.0, Fargate, Kubernetes, and Crypto. That's Research Saturday, check it out. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the Cyberwire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector. As well as the critical security team supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Ervin and Senior Producer, Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliot Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening, we'll see you back here next week.