The CyberWire Daily Podcast 7.27.23
Ep 1872 | 7.27.23

Mirai hits the honeypots. Medical device telemetry attacked. More on infostealers in the C2C market. Third-party risk management practices. Cyber skills gaps in the UK. SiegedSec hits NATO sites.

Transcript

Dave Bittner: The Mirai botnet afflicts Tomcat. CardioComm services are downed by cyberattack. Uptycs calls infostealers “organization killers” as related security incidents double in a year. Legacy third-party risk management practices meet with dissatisfaction. Cyber skill gaps reported in the UK's workforce. Our guest is George Prichici of OPSWAT with a look at a Microsoft Teams vulnerability. Our new Threat Vector segment features a conversation with David Moulton and Michael Sikorski on the potential threats from LLMs and AI. And SiegedSec hits NATO sites.

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Thursday, July 27th, 2023.

Mirai botnet afflicts Tomcat.

Dave Bittner: What’s turning up in the honeypots, nowadays? Well, Mirai, among other things.

Dave Bittner: Aqua has published an analysis of Mirai malware attacks observed in its Apache Tomcat honeypots. The researchers found that “threat actors are actively seeking misconfigurations on Tomcat servers. Specifically, misconfigurations in the Tomcat web application manager.” The researchers add, “In our case, the host was infected with [Mirai], and based on our analysis of previous attacks and research, it appears that the threat actor intends to use this malware as a base for further attacks. These attacks could range from relatively low-impact campaigns like cryptomining to more severe DDoS attacks. It is important to note that this campaign is still ongoing, and the attacks are continuously evolving and changing to avoid detection.”

CardioComm services downed by cyberattack.

Dave Bittner: Heart-monitoring technology and medical electrocardiogram provider, CardioComm Solutions, experienced a cyberattack that resulted in the disruption of its business operations, as reported by TechCrunch. The company has disclosed that the impact on its business operations may extend for several days or even longer, contingent upon the promptness of data restoration and re-establishment of production server environments. According to CardioComm, there is currently no indication that the security breach led to the compromise of customers' health information, given that their software is designed to operate within each client's distinct server environment. Furthermore, the company affirms that it does not gather any patient health information from its clients. In response to the incident, CardioComm has taken precautionary measures against identity theft, aiming to mitigate potential repercussions on its personnel.

Uptycs calls infostealers “organization killers” as related security incidents double in a year.

Dave Bittner: A new report delves into the world of infostealers and their prominent role in the C2C market. According to Uptycs, these malicious entities are deemed "organization killers" due to their ability to provide threat actors with unauthorized entry into a company's confidential networks through the compromise of employee credentials. Uptycs defines an infostealer, also known as a stealer, as a specific type of malware that is intricately programmed to infiltrate computer systems and surreptitiously exfiltrate sensitive information. The stolen data is then transmitted back to the threat actor's command and control center, affording them the means to exploit the acquired information for nefarious purposes or peddle it on the dark web. Uptycs expounds on the modus operandi of infostealers and underscores the explicit peril they pose to organizations. Notably, in the first quarter of 2023, incidents involving stealers have more than doubled compared to the same period in the previous year.

Legacy third-party risk management practices meet with dissatisfaction.

Dave Bittner: Health3PT has released a survey whose results are intended to shine light on the challenges organizations associate with third-party risk management (TPRM), and how those challenges affect the healthcare sector in particular. 

Dave Bittner: The survey found that most companies considered the legacy methods of TPRM ineffective, with 50% of the covered entities claiming that TPRM is not keeping pace with the volume of security assessments they receive. They also complain of excessive turnaround times for fixing issues discovered in the audit process. Business associates, on the other hand, find that “Customers are unwilling to accept third-party validated assessments and certifications in place of proprietary control questionnaires.” The business associates also assess that companies need help in handling the variability of questionnaires and audits, and the resources and time required to meet compliance requirements.

Cyber skill gaps reported in the UK's workforce.

Dave Bittner: A study conducted by researchers on behalf of the UK Department for Science, Innovation and Technology (DSIT) has revealed significant skill gaps within the cyber security industry. According to the report, approximately 739,000 businesses, constituting 50% of the total, exhibit basic skill gaps in their cyber security personnel. These gaps manifest in the lack of confidence and competence in performing fundamental tasks outlined in the government-endorsed Cyber Essentials scheme, while also lacking support from external cyber security providers. The tasks with the most common skill gaps include configuring firewalls, securely storing or transferring personal data, and detecting and removing malware.

Dave Bittner: Moreover, the study finds that 33% of businesses experience more advanced skill gaps in areas such as forensic analysis, security architecture, and interpreting malicious code. Interestingly, although the percentages for basic and advanced skill gaps have remained stable, there has been a steady increase in the proportion of businesses expressing doubt in their ability to carry out cyber security tasks since 2020.

Dave Bittner: The report highlights additional challenges faced by businesses in this domain. Specifically, 22% of businesses report encountering applicants who lack the requisite skills for cyber security roles, while 49% indicate that their current staff or job applicants fall short of meeting the necessary qualifications.

Dave Bittner: The study also delves into the preferences of cyber security workers, with 61% expressing an inclination towards a cyber generalist specialization. This career path involves diversifying their work across multiple specialties within the cyber security domain.

Dave Bittner: In terms of job opportunities, the report points out a notable increase in cyber security role listings, with a rate of 5,921 jobs per month in 2022, totaling 71,054 job postings for the entire year. This marks a 33% rise in core cyber job postings compared to the levels observed in 2021. Additionally, demand for "all cyber roles" has grown by 30% during the same time frame, as noted by the researchers.

SiegedSec hits NATO sites.

Dave Bittner: And, finally, a note on the cyber phase of Russia’s hybrid war.

Dave Bittner: BleepingComputer reports that NATO has confirmed it's investigating claims that the alliance's Communities of Interest (COI) Cooperation Portal has been compromised by the Russian hacktivist auxiliary SiegedSec. COI is a collaboration portal used for exchange of unclassified information. SiegedSec posted some 845MB of allegedly stolen files to a dump site. The group said, in its Telegram channel, "Do you like leaks? Us too! Do you like NATO? We don’t! And so, we present...a leak of hundreds of documents retrieved from NATO’s COI portal, intended only for NATO countries and partners."

Dave Bittner: Security firm Cloudsec has published the results of its own investigation, and they believe the compromise to have been accomplished with stolen credentials. "With low confidence and no direct proof, we assess that the credentials for the compromised user account may have likely been sourced from stealer logs." SiegedSec has been active since April of 2022 and claims to be animated by a zeal to expose NATO human rights abuses. "This is a retaliation against the countries of NATO for their attacks on human rights," the group said on Telegram, adding "We hope this attack will get the message across to each country within NATO." SiegedSec is not known to have engaged in financially motivated cybercrime (such as ransomware) and it says it's not involved in supporting Russia's war. The timing of the group's appearance and its target set render that claim implausible.

Dave Bittner: Coming up after the break, George Prichici from OPSWAT with a look at Microsoft Teams vulnerabilities. Our new "Threat Vector" segment features a conversation with David Moulton and Michael Sikorski on the potential threats from LLMs and AI. Stay with us.

Dave Bittner: It is my pleasure to introduce our newest recurring segment on the CyberWire. It's called "Threat Vector" and it's brought to you by Palo Alto Networks' Unit 42 and hosted by David Moulton.

Michael "Siko" Sikorski: Yeah, I think the biggest concern when it comes to ChatGPT, the LLM, everybody having access to this technology almost suddenly is where's it gonna impact and benefit the attacker the most.

David Moulton: Welcome to "Threat Vector," a segment where Unit 42 shares unique threat intelligence insights, new threat actor TTPs, and real-world case studies. Unit 42 is a global team of threat intelligence experts, incident responders, and proactive security consultants, dedicated to safeguarding our digital world.

David Moulton: In today's episode, I'm going to talk with Mike "Siko" Sikorski. Siko is a best-selling author and expert in reverse engineering and the CTO and Vice President of Engineering and Threat Intelligence for Unit 42. Siko, you got that name in college when there were, what, nearly a dozen Mikes on your track team?

Michael "Siko" Sikorski: Yeah, that's right. There was a lot of us and we needed ways to differentiate. Luckily, I had a pretty cool name 'cause my last name's Sikorski and Siko is kind of natural. And then kind of just ran with it into the- I guess that was a little bit of a pun. Ran with it into the hacking culture, right, and having a nickname like Siko is definitely a good one for- to build your street cred.

David Moulton: Well, it definitely works and it caught my attention when we first met. Before the show, I asked you what was top of mind or what should be top of mind for our audience right now. And you immediately jumped right to AI. And there are stories about AI everywhere right now, no matter where I look. What should our audience think and care about right now when it comes to AI?

Michael "Siko" Sikorski: Yeah, I think the biggest concern when it comes to ChatGPT, the LLM, everybody having access to this technology almost suddenly is where is it gonna impact and benefit the attacker the most. And that's with social engineering. We've all seen this technology used for, hey, write a song in the style of this artist, and, you know, with the lyrics to my friend or family member, and it comes out perfectly sounding like them. You can imagine now the attacker has the ability to do that same thing but say, "Hey, write an e-mail and sound like this person." And if you think about it, we respond to upwards of 1,000 incident response engagements a year in Unit 42 and the number one way that the attacker gets in is still through phishing. And now we've just lowered the bar for them to be able to craft better phishing attacks. So the days of them being caught due to broken English or unable to communicate properly to someone is gone, so they won't be getting caught as much. Which means phishing attacks is probably gonna go up.

David Moulton: So, Mike, you talked about lowering the bar from social engineering. Let's flip it around. A lot of people are using ChatGPT or different AI tools. And I'm wondering does that create a security vulnerability for enterprises today?

Michael "Siko" Sikorski: Yeah, I think companies need to be hyper aware of how their users and employees are using this technology. Do they understand that whatever they type in that- it's not a private conversation and there's a huge risk to data leakage, right? If you're having it rewrite sensitive e-mails for you so you sound more clear, yes, the LLM's gonna do a great job of rephrasing. But if you have information in there, it can create huge risks to an entity. And so corporations need to quickly roll out policies surrounding this technology.

David Moulton: So in about a month, Black Hat's gonna happen, and I'm wondering what would you tell our listeners to look for when they're at Black Hat?

Michael "Siko" Sikorski: I think it's one of those things where I think pretty much every vendor is probably gonna say the term AI when you're out there, so you're going to be getting a hit with a lot of that, a lot of talk of that. I think it's about realizing what are science projects that these- some of these physicists have rolled out, technologies being rolled out, that don't really provide a ton of benefit. Instead, I would look to say who's been on the AI journey for a long time and actually have other things outside of the LLM more recent wave to show for, right? For example, here at Palo Alto, we've been on a journey of AI for a really long time. Early days of malware detection, malware family identification using AI, and then more recently is how do you automate the SOC, right? You're getting flooded with tremendous amounts of alerts. And we've been investing for a long period of time of how to use AI to go from a whole pile of alerts just to a set of incidents that you could actually make it through. So I think it's about trying to maybe peel things back a little bit and figure out, you know, which one- which technologies are maybe implemented. And, you know, just using an LLM really quickly and to get something out for Black Hat. Versus, you know, which ones have actually, you know, are gonna have an impact in your life in a larger scale.

David Moulton: So, Mike, thanks for joining me today on "Threat Vector" and sharing your insights about how AI is changing cybersecurity. We will be back in two weeks with a look at the top threats and trends seen by the Unit 42 threat intelligence team. In the meantime, stay secure, stay vigilant, and goodbye for now.

Dave Bittner: That's "Threat Vector" hosted by David Moulton and brought to you by Palo Alto Networks' Unit 42.

Dave Bittner: Recently, a member of the US Navy's Red Team released a tool called TeamsPhisher, which exploits an unresolved security problem in Microsoft Teams. It's a known vulnerability enabling hackers to send harmful files or programs to unsuspecting users. George Prichici is Vice President of Products for Application Security at OPSWAT and he joins us with insights on the issue.

George Prichici: Definitely there was a [inaudible] identified by [inaudible] I want to say last month. The entirety at there was- the vulnerability was based on the IDOR like insecure data object reference. The logic is pretty simple, right? I'm able to like go, and more or less, if you want, almost like impersonate or like get access to someone's [inaudible], upload the file. And that can be a malicious file in someone's- in an org that I don't have permission to do that. So that is definitely a huge security risk in my perspective. Now I know at Microsoft [inaudible] there needs to be a social engineering info to actually be able to exploit that point. But still, the fact that they're able to bypass which was unfortunately just a client-side verification, it's still a huge problem.

Dave Bittner: Yeah, can we talk about that sort of blend there between the social engineering and the technical vulnerability? I mean, it strikes me that that's not that unusual. You know, lots of vulnerabilities have a social engineering component.

George Prichici: I think it's a bit naïve to say that, hey, this is not a high risk because there needs to be additional social engineering component, right? At the end day, there's a new malicious file that's bypassing all your security measures you're trying to put in place to avoid those one- files reaching your SharePoint organization, let's say. And you're ending up with a malicious file in your SharePoint organization. The fact that an end user is going to go and access that file or not, you're kind of like late, already. Now I know you're training your employees not to click on links, not to open documents, and so on, but definitely there's a level of trust from end users in these collaboration tools, right? The fact that someone is already messaging you inside your organization. The fact that file's already accepted on your SharePoint, and so on, that will potentially increase the confidence level, let's say. And diminish the risk level from any end user when they're trying to access that one. I'm not saying they shouldn't verify that one, but I'm pretty sure that there are a lot of people are gonna actually ignore the external message warning, and so on, and they're gonna still open that file. So just by accepting your vulnerability that, again, the entirety is not to do just client-side verifications when you're checking if someone has a permission to upload files. And they- Microsoft is allowing that. I think that's a pretty big mistake from their end.

Dave Bittner: What do we know about the technical vulnerability, itself, the issue within Microsoft Teams?

George Prichici: Well, in a nutshell, it's pretty much allowing you to say, "Hey, I want to upload a file to this particular organization," right? Now there needs to be a bit of- a few configurations there to allow content from external sources to be sent to the organization. But interesting enough, that's the default configuration for Microsoft Teams, right? And, again, there are organizations out there that are a lot more strict on like how they set up their Microsoft Teams account and all the security configurations for Microsoft Teams. But I'd like to believe that, well, like unfortunately I don't think everyone is going through all the extra efforts. And Microsoft Teams is a heavily-used tool worldwide. It's not just a matter of like some very like let's say organizations with very large security teams. So I'm pretty sure a lot of people are still using it in default mode. And that means that someone can actually go upload malicious files direct in Microsoft Teams because they can actually easily bypass a couple of things there. And it's not just verification of if you're allowed to upload files in that organization. It's also to like remove some additional banners or messages that these files are coming from an external untrusted source. So the fact that you have all those easily let's say bypassable mechanisms already in place that they're just enforcing it from the client, that's very risky.

Dave Bittner: So what are your recommendations here for folks to best protect themselves? So what are your words of wisdom?

George Prichici: Well, definitely for this particular example, there are some more [inaudible] team. I think JavaSec [assumed spelling] team did a great job explaining like how you can actually make sure you're not exposed and someone cannot actually do that in your organization. But the end day, again, going back to the zero trust, right, and I think zero trust is a methodology that we should take to heart and not just like training our employees and our- that's our customers not to take open doc messages and [inaudible], and so on. But I think it's also how we can enforce this better, right? And, again, there are things in the Microsoft Teams that JavaSec [assumed spelling] team explain on how they can actually prevent and not allow [inaudible] source and so on. If that's not fully available, then maybe we can create that allow list and which are the external sources you're, let's say, partners, your collaborators, are allowed to send you those files, and so on. But I think there's a step we need to take forward, right? And I think this is, again, back that it is your day- sorry, zero-trust mentality, it's also the meaning of can we actually trust that these collaboration tools are covering our security end to end, right? Because usually and you're looking, let's say, SharePoint being one of the examples, right, with this vulnerability. SharePoint is actually just storing the file for Teams, but at the end day, it's not doing any amount of validation. It like gives us a file, malicious or not, is they're doing any prevention, and so on. It's just storing the file. And there's so many tools out there. Microsoft Teams doing the same. Is this thing malicious? Is this file malicious? And so on, right? And there needs to be a lot more involvement from security teams to be able to prevent this ahead of time. Because our, I don't know, day-to-day activities is digital these days, right? COVID accelerated that a lot. Everyone is sharing files across a lot of, I don't know, a huge amount of like collaboration tools. So they need to go and scan those files, sanitize them, understand what kind of files accepting. That mentality that we need to make sure we're validating, we're filtering all the traffic that's coming in should be applied to also these collaboration tools. Not just on, let's say, on e-mail and the file upload function within a portal, right? And, again, this can be from applying file scanning with, let's say, a [inaudible] scanner to have a better detection ratio. Same as the content with content that's under construction. Checking for a lot more advanced features like are there hyperlinks in those documents. What are those hyperlinks? Are they malicious or not? Check them against your reputation source or actually just definitely don't and think about what's going on there, so on so forth. So there's a lot more that needs to be done to prevent these ones upfront, not just to rely on your end user they're going to be able to resist an [inaudible] during attack, right? Regardless how much you're training, it's not one person to do that and it's almost [inaudible].

Dave Bittner: That's George Prichici from OPSWAT. We note in full disclosure that Microsoft is a CyberWire partner.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our "Daily Briefing" at thecyberwire.com. We'd love to know what you think of this podcast. You can e-mail us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly-changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector. As well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tré Hester with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.