The CyberWire Daily Podcast 8.2.23
Ep 1876 | 8.2.23

An illicit market in account restoration. Resilience and the cyber workforce: a snapshot. New post-exploitation technique in Amazon Web Services.

Transcript

Dave Bittner: An illicit market in account restoration. Resilience and the cyber workforce. New post-exploitation techniques in Amazon Web Services. Incursions into Norwegian government networks went on for four months. Rob Boyce from Accenture Security describes a “Perfect Storm” in the Dark Web threat landscape. Carole Theriault shares mental health social media warnings for teens. And Russian legislation seeks to reduce or eliminate online privacy.

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Wednesday, August 2nd, 2023.

An illicit market in account restoration.

Dave Bittner: Being banned from any platform is unpleasant. It can seem arbitrary or unfair, and it's often either beyond the possibility of appeal or can be appealed only at considerable cost in time and expense. It's a particularly troublesome experience for third-party sellers in the Amazon marketplace, who face a loss of income in addition to simple inconvenience. A market has grown up in which brokers offer assistance in restoring banned sellers' accounts. They often do so, however, illicitly. CNBC reports that the brokers frequently work by offering kickbacks to Amazon insiders who take advantage of their position to override bans. Amazon isn't alone--other large third-party markets are facing similar problems--but Amazon's size makes the problem particularly evident. “There is no place for fraud at Amazon and we will continue to pursue all measures to protect our store and hold bad actors accountable,” Christy Distefano, an Amazon spokesperson, told CNBC.

Dave Bittner: In addition to account restoration services, company insiders have also been found selling internal data, the better to help third-party sellers game the company's system to better position themselves for success in the online market.

Resilience and the cyber workforce: a snapshot.

Dave Bittner: Immersive Labs has released its Cyber Workforce Benchmark Report, noting significant improvements in response time to cyber incidents. The report notes “Organizations’ median response time to emerging threats improved by one-third, indicating a significant increase in the speed of response and continued progress compared to the year prior. Enterprises have enhanced their knowledge about newly discovered threats and vulnerabilities, enabling them to respond more rapidly than ever before.” The researchers point to the Log4j crisis as “a watershed moment that could well have been a catalyst for this urgency given its catastrophic impact on organizations around the world.”

New post-exploitation technique in Amazon Web Services.

Dave Bittner: Mitiga has published a report looking at a new potential post-exploitation technique in AWS. The technique involves “running AWS’s Systems Manager (SSM) agent as a Remote Access Trojan (RAT) on both Linux and Windows machines, controlling the endpoint using another AWS account.”

Dave Bittner: The researchers explain, “[T]he SSM agent, a legitimate tool used by admins to manage their instances, can be re-purposed by an attacker who has achieved high privilege access on an endpoint with SSM agent installed, to carry out malicious activities on an ongoing basis. This allows an attacker who has compromised a machine, hosted on AWS or anywhere else, to maintain access to it and perform various malicious activities. Unlike using common malware types, which are often flagged by antivirus software, using [an] SSM agent in this malicious manner allows the attacker to benefit from the reputation and legitimacy of this binary to cover his tracks.”

A look at cloud threats.

Dave Bittner: Cado Security has published its 2023 Cloud Threat Findings Report, finding that SSH is by far the most commonly targeted service by cloud-focused threat actors: “Since SSH is a protocol used across the internet, not just in cloud infrastructure, this statistic is unsurprising. SSH allows secure communication between clients and servers, and is typically used for server administration. This often means that SSH servers are internet facing and can pose an easy target if inadequately secured.”

Dave Bittner: The researchers also found that botnet agents are the most common form of malware targeting cloud services: “The vast majority of observed traffic is dedicated to spreading common botnet families, these include Mirai, XorDDoS and IRCbot - a generic name for botnets making use of the IRC protocol. It’s worth noting that samples categorized as Mirai may actually be one of the many existing variants of this malware.”

Incursion into Norwegian government networks went on for four months.

Dave Bittner: Investigators have concluded that a cyberespionage campaign against Norwegian government networks lasted four months before it was detected and action taken to stop it, Bloomberg reports. The effort, generally attributed to Russian intelligence services, exploited a now-patched vulnerability in Ivanti Endpoint Manager Mobile. Yesterday the US Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) released a joint Cybersecurity Advisory (CSA) on the incident.

Dave Bittner: The CSA, which includes extensive advice on detection, remediation, and prevention, says, "Mobile device management (MDM) systems are attractive targets for threat actors because they provide elevated access to thousands of mobile devices, and APT actors have exploited a previous MobileIron vulnerability. Consequently, CISA and NCSC-NO are concerned about the potential for widespread exploitation in government and private sector networks."

Russian legislation seeks to reduce or eliminate online privacy.

Dave Bittner: TorrentFreak, writing with outrage, describes a bill signed into law by President Putin on Monday. Federal Law No. 406-FZ (On Amendments to the Federal Law ‘On Information, Information Technologies and Information Protection’ and the Federal Law “On Communications”) will prohibit foreign email systems, and it will require all domestic platforms to verify the identity of all users by government-approved methods. VPNs aren't banned outright, but the VPN services remaining in operation in Russia are compliant with state regulations and afford little if any anonymity or privacy. Attempting to evade identity verification requirements will be risky, as the new laws criminalize preparation to make such attempts. "Posting information online that amounts to advice on how to use VPNs, Tor, and similar tools, for circumvention purposes, will be considered a crime. On top, regular hosting providers will be subjected to state registration and new obligations along similar lines to those imposed on VPN providers."

Dave Bittner: The law is an example of what Foreign Policy calls Russia's return to its totalitarian past. Information control, censorship, and draconian suppression of dissent are becoming the norm.

Dave Bittner: Coming up after the break, Rob Boyce from Accenture Security describes a "Perfect Storm" in the Dark Web threat landscape. Carole Theriault shares mental health social media warnings for teens. Stay with us.

Dave Bittner: If you have a teen, and I do, chances are you're concerned about how much time that teen spends online on social media platforms. Carole Theriault has been looking into the mental health of teens on social media platforms, and she files this report.

Carole Theriault: In mid-May, the American Psychological Association, the APA, issued sweeping recommendations intended to help teens use social media safely. This was the first guidance of its kind, and just a few weeks later, the Surgeon General for the United States warned of an urgent public health issue regarding social media usage and youth mental health. The U.S. Surgeon General, Dr. Vivek H. Murthy, called for more research to determine the extent of mental health and its impact on young people, including the type of content generating the most harm, societal factors that could protect youth, and ways in which social media can be beneficial. "To date, the burden of protecting youth has fallen predominantly on children, adolescents, and their families. The entire burden of mitigating the risk of harm of social media cannot be placed on the shoulders of children and parents." Yes, yes, and yes. It has fallen on parents to manage, and from what they tell me, it is as thorny as a prickly pear. On one side, as a parent, your job is to keep your kids safe, and being able to see where they are and be contactable is a pretty big component of safety. So, what do you do? You give your kid a phone. But then there's the whole matter of the content available. The entire digital world at their fingertips, including the socials. Cited reasons as to why social media is not good for kids are numerous. They interfere with social work and grades. They're addictive. They increase anxiety and depression. They interfere with sleep. They can expose kids to inappropriate content. The Cleveland Clinic says that it can also impact daily behaviors and moods, with kids perhaps showing signs of increased irritability, increased anxiety, and even lack of self-esteem. So the U.S. Surgeon General called on social media companies to prioritize safety and privacy in their product designs and ensure minimum age requirements are enforced. For example, most social media platforms have a minimum user age of 13, which Murthy says he believes is too early for kids to be on social media, describing those ages as a time when kids are developing their identity and sense of self. So until regulations catch up, what is a parent to do? Psychologists say that adolescent brain development starts around age 10 and continues through early adulthood. The APA cautions that sites that use like buttons and artificial intelligence to encourage excessive scrolling may be dangerous for developing brains and recommends limiting social media on these types of platforms through phone settings. And in addition to the limits, the APA strongly encourages ongoing discussions about social media use and active supervision, especially in early adolescence. Parents are encouraged to model healthy social media use, including taking social media holidays as a family. I am not a social media addict, thank the lords, but many of my friends, including those with children, are. And it may be time to put that phone away when the kids are around. I know, I know. This was Carole Theriault for the CyberWire.

Dave Bittner: And it is always my pleasure to welcome back to the show, Robert Boyce. He is global lead for cyber resilience and managing director at Accenture. Rob, it's great to have you back. I want to touch today on some work that I know you and your colleagues there at Accenture are doing when it comes to some things you're tracking on the Dark Web. What's going on here?

Rob Boyce: Yeah, thanks Dave, and first of all, it's always a pleasure to be here, so thank you again for hosting me. Yeah, we've actually been seeing a really interesting uptick in the focus of threat actors on OT systems. You know, and I think OT systems have, you know, long been vulnerable to cyber-attacks and we've known that; we have seen some very focused attacks in the past. But you know, quite honestly, the majority of OT impacts we see today are usually a leakage from an IT incident, or, you know, some self-imposed shutdown due to uncertainty of what an IT incident may cause to an OT environment. And so we've never, you know, and I would say maybe even before 2021, right, when we saw the Colonial Pipeline disruption, we saw threat actors really stay away from crossing the line into national critical infrastructure and oil and gas, due to potential, you know, what it could mean in this state of, you know, real potential warfare. And then, when we actually saw that happen, because there was so much focus on this area, we saw a lot of Dark Web marketplaces take down those OT tools, and advertisements, and things that they were talking about, because they just didn't want to have that focus.

Dave Bittner: It was just too much heat?

Rob Boyce: I think a little bit too much heat, yeah. And then what we saw, starting really when the Russia-Ukraine conflict happened, is those rules started to go a bit out the window. And so, you know, our team has been researching this, we've seen a significant uptick really around into May this year, where we're seeing more and more threat actors on the Dark Web start talking about targeting OT systems, and really, OT systems of Western national critical infrastructure, as well as oil and gas. That's been the focus.

Dave Bittner: And when we say targeting, what exactly are we talking about here?

Rob Boyce: They're looking to buy access into these environments, they're looking for people who are creating exploits within the OT infrastructure, or OT systems, so that they are able to, you know, of course successfully be able to cause disruption. I think the thing that's really fascinating to me here is we're seeing, this is one of the first times I've seen this, where we're seeing three different ideologies really, have motivations in this space. Meaning, you know, we're seeing hacktivists, of course, want to be able to target OT systems to, you know, maybe make headlines in a meaningful way by causing, you know, national disruptions. We're seeing financially motivated cyber criminals get into this space, just of course, big surprise, for money. As we see more and more requests or more and more demand, you know, obviously there is more interest for these financially motivated criminals to be able to produce, you know, produce materials, assets that can help further exploitation in OT environments, and then we're seeing, of course, the politically motivated threat actors, and this is largely, as you can imagine, representing Russia against all enemies of Russia. That's the most popular we're seeing there. But it's been, it's been quite interesting to see these three ideologies, one of the first times I've seen, all come together with a singular mission but for different purposes.

Dave Bittner: And is it kind of coincidental that those three different directions are converging?

Rob Boyce: I don't know if it's coincidental, I really again, I do think that the Russia Ukraine conflict has opened the door to, I don't want to say encourage this behavior, but to make it not as, to make it more acceptable, right, like and so, I feel like and a lot of it is in terms of you know, hacktivists again targeting Western primarily, Western national critical infrastructure, as well as oil and gas. Because of you know, in support of Russia Ukraine conflict and then of course the political motivation is similar, and you know, and when you have financially motivated criminals, I think they just follow the money, right? Where the demand is. So, I don't know if it's coincidental, I think it's just all of the right reasons came together to really create almost what we would say is a perfect storm of opportunity for these three groups.

Dave Bittner: Yeah. So, based on what you all are seeing here, what are your recommendations for those folks who are responsible for OT security?

Rob Boyce: Great question, and this has been quite honestly a challenge we've seen in industry. I think there's been this false notion that attackers will not be as successful in OT environments because there's this concept of logical and physical separation, which we now know, well, even if it was ever true, I'm not sure, but we now know is definitely not true, because we're seeing that leakage from IT to OT consistently when we see the disruptions in OT today. And as well, like there's a huge investment that needs to be made by threat actors to maybe even purchase physical equipment to try and find vulnerabilities within that equipment. But now that these threat actors are so well-funded, and that equipment is much more readily available, even that has reduced the barrier to entry for interest here. So, you know, the first thing I would say is, organizations who have a large OT footprint, especially again, in, you know, national critical infrastructure and oil and gas, need to understand that the threats to the OT environment are the same as the threats to the IT environment. And I always find it interesting because the OT operators, they measure their business in terms of minutes sometimes, as far as, you know, downtime is a direct correlation to impacted revenue loss. And so, you know, the way that they think about OT, they think about it more from resiliency, from uptime, human safety, and so what we find works very well is to create those same themes from a security perspective and start to educate the OT operators on why cyber risk is a very similar risk, as you would see in how it directly impacts resiliency and uptime and revenue. And so I guess again, going back to your question, in the spirit of like, it just needs to be a business objective to secure OT, and the risks there need to be understood clearly, and the messaging of the importance of cyber really needs to be framed up in a way that the OT owners and operators will understand and how it correlates to the impact to their business.

Dave Bittner: All right, well, Robert Boyce is global lead for cyber resilience and managing director at Accenture. Rob, thanks so much for joining us.

Rob Boyce: Thank you for having me, Dave.

Dave Bittner: And that's the CyberWire. For links to all of today's stories check out our Daily Briefing at thecyberwire.com. We'd love to know what you think of this podcast, you can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the correctly security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben, our mixer is Tre Hester, with original music by Elliot Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening, we'll see you back here tomorrow.