The CyberWire Daily Podcast 8.8.23
Ep 1880 | 8.8.23

Challenges to intelligence-sharing. The complexity of supply-chain security. Ransomware developments. Notes on Russia’s hybrid war, including possible sensor data manipulation.

Transcript

Dave Bittner: Reports on a 2020 Chinese penetration of Japan's defense networks. MOVEit-connected supply chain issues aren't over. Akamai looks at the current state of ransomware. Mallox ransomware continues its evolution. Machine identities and shadow access. Ukrainian hacktivist auxiliaries hit Russian websites. Joe Carrigan unpacks statistics recently released by CISA. Our guest is Jeffrey Wheatman from Black Kite discussing the market shift from SRS to cyber risk intelligence. And radiation sensor reports from Chernobyl may have been manipulated.

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Tuesday, August 8th, 2023.

2020 Chinese penetration of Japan's defense networks reported.

Dave Bittner: The Washington Post reports, on the basis of recently obtained information from US and Japanese sources, that in the fall of 2020 the US NSA discovered a major Chinese penetration of classified Japanese defense networks. "The hackers had deep, persistent access and appeared to be after anything they could get their hands on — plans, capabilities, assessments of military shortcomings, according to three former senior U.S. officials, who were among a dozen current and former U.S. and Japanese officials interviewed, who spoke on the condition of anonymity because of the matter’s sensitivity." 

Dave Bittner: Reuters says that Japan was unable or unwilling to confirm whether information had been compromised. The incident complicated US-Japanese defense cooperation, especially intelligence-sharing, which has grown closer as China adopts an increasingly assertive policy in East Asia.

Dave Bittner: Russia’s war against Ukraine has repeatedly shown the value of intelligence sharing among friendly intelligence services. Anything that inculcates suspicion of whether that sharing can be done safely and securely, then, is a win for the adversary.

MOVEit-connected supply chain issues aren't over.

Dave Bittner: Reuters puts the tally of organizations breached in ways traceable to MOVEit vulnerability exploitation at 600 and counting, and cites experts who say that many more breaches, possibly thousands more, are likely in the future. The Cl0p gang began exploiting Progress Software's MOVEit on May 27th. Progress realized something was amiss and began investigating on May 28th. On May 30th it had learned enough to issue a warning, and on May 31st Progress made a patch available. That exploitation continues illustrates the complexity and interdependence of software supply chains, and the difficulty of getting users to patch promptly and effectively.

Akamai looks at the current state of ransomware.

Dave Bittner: Akamai has published a report looking at the ransomware landscape in 2023. The researchers found that the “rampant abuse of zero-day and one-day vulnerabilities in the past six months led to a 143% increase in victims when comparing Q1 2022 with Q1 2023.” 

Dave Bittner: Akamai also notes that, “Ransomware groups now increasingly target the exfiltration of files, which has become the primary source of extortion, as seen with the recent exploitation of GoAnywhere and MOVEit. This underscores the fact that file backup solutions, though effective against file encryption, are no longer a sufficient strategy.” If the hoods threaten you with doxing, they’re not going to care whether your files are backed up or not. The more copies, the merrier. So think of backups as necessary but not sufficient.

Mallox ransomware continues its evolution.

Dave Bittner: Trend Micro warns that the TargetCompany ransomware (also known as “Mallox”) is using the fully undetectable (FUD) obfuscator engine BatCloak. The threat actors use vulnerable SQL servers to deliver the Remcos RAT, which is then used to deploy TargetCompany: “Since the initial efforts were terminated and blocked by the existing solutions, the attackers opted to use the FUD-wrapped version of their binaries. The FUD packer used by Remcos and the one used by the TargetCompany ransomware has a style of packaging that closely resembles the style used by BatCloak: Using a batch file as an outer layer and afterward, decoding and loading using PowerShell to make a LOLBins execution.”

Dave Bittner: “TargetCompany,” it should be unnecessary to say, but of course it’s not, has no connection with the Minneapolis-based retail giant. It’s just the name of a malware strain. And the alternative name, “Mallox,” has no connection to either malls or big draft animals. It’s just, like, the name they gave it. But in any case, keep an eye out for incursions.

Machine identities and shadow access.

Dave Bittner: Stack Identity has published a report looking at identity and access management (IAM) trends, finding that “Shadow Access, the invisible and unmonitored identity and access, increases the risk of breaches, malware, ransomware, and data theft that current IAM tools are not built to mitigate.” 

Dave Bittner: The proliferation of shadow access is caused by two factors: “First, visibility to who is accessing your data and who has access to data is scattered across Cloud IAM, Cloud IDP, Infrastructure as Code, data stores, and HR systems. Second, visibility to who is authorized to access your data is scattered across ticketing systems, emails, spreadsheets, and screenshots.”

Dave Bittner: As an aside, the report also found that only 4% of identities in enterprise cloud environments are human, while the rest are non-human identities.

Dave Bittner: Shadow access is commonly a legacy problem involving over-permissioned accounts that are permitted to persist in a network, overlooked and unattended.

Ukrainian hacktivist auxiliaries hit Russian websites.

Dave Bittner: Radio Free Europe | Radio Liberty reports that a Ukrainian hacktivist group calling itself "sudo RM-RF" claimed in its Telegram channel to have compromised the site of MosgorBTI, Moscow's property registration bureau. sudo RM-RF has been heard from before, surfacing in reports of a cyberattack against the Skolkovo Foundation in 2022. The group said that its goal was collection, specifically "information about state officials, politicians, military, and special services officers who support the Ukraine war." That information, sudo RM-RF said, "had been handed to Ukraine's defense forces." They also claimed to have destroyed data and "infrastructure." Their claims were made not only in Telegram, but on the MosgorBTI website sudo RM-RF defaced. (Some reports called the compromised site an "engineering service website," probably because the data MosgorBTI holds includes building plans and technical diagrams.)

Unidentified threat group deploys an open-source RAT against Ukrainian government sites.

Dave Bittner: UAC-0154, a threat group whose provenance and allegiance is unclear, the Record reports, has used the open source tool MerlinAgent as the phish hook in a campaign against Ukrainian government sites. MerlinAgent is a post-exploit command-and-control tool, that is, a remote-access Trojan (RAT), intended for use in legitimate research and testing, but like many such products, it's a dual-use item. 

Dave Bittner: CERT-UA, Ukraine’s cyber defense authority, says that the typical phishbait in the current campaign has been a document named "INTERNAL CYBER THREAT.chm." The sender misrepresents itself as acting on behalf of CERT-UA, and uses the email address cert-ua@ukr [dot] net. The campaign seems to be cyberespionage, but attribution is unclear. MerlinAgent is widely available, and the threat actor, UAC-0154, hasn't been clearly associated with any government.

Radiation sensor reports from Chernobyl may have been manipulated.

Dave Bittner: And, finally, there’s a suggestive and disturbing report due at Black Hat later this week.

Dave Bittner: Citing research by Ruben Santamarta, scheduled to be presented in full at Black Hat this Thursday, WIRED reports that radiation sensor data from the Chernobyl exclusion area may have been manipulated during the Russian Army's brief occupation of Chernobyl during February and March of 2022. The sensors showed troubling but inexplicable spikes in radiation levels. Those reports appear to have been bogus, the data possibly manipulated by a cyberattack. 

Dave Bittner: The published abstract of Santamarta's talk says, "Evidence confirms that the radiation levels depicted by a very specific set of real-time radiation maps, which during those days were consulted by millions of people and also consumed as a single source of information by media outlets and official entities, did not correspond to the actual physical conditions of the Chernobyl Exclusion Zone." 

Dave Bittner: If the data were indeed manipulated in a cyberattack, that's troubling: corruption of sensor data in industrial systems would represent a major safety issue for many sectors, and for the public at large.

Dave Bittner: Coming up after the break, Joe Carrigan unpacks statistics recently released by CISA. Our guest is Jeffrey Wheatman from Black Kite discussing the market shift from SRS to cyber risk intelligence. Stay with us.

Dave Bittner: My guest today is Jeffrey Wheatman. He's a former Gartner analyst and now cyber evangelist at Black Kite, focusing on the business impact of third-party risks and solutions to treat those risks. This is part of our Industry Voices Series of sponsored content. Our conversation centers on the market shift from SRS to cyber risk intelligence. Here's Jeffrey Wheatman.

Jeffrey Wheatman: So SRS, Security Rating Services, came out a number of years ago. And what they do is we collect data from the outside, and we can assess the security posture of an organization. And that gets fed into -- to third-party risk. The problem is, historically, it's been very much, okay. Here's your score. You have a 400, or you have a C. What we have seen, though, is that does not drive better decision-making. You need more than a score in order to actually manage risk, assess, risk, prioritize, etc. So what we have done is we've actually created a mechanism where we can provide financial context. So you're a C, but you have regulated data, or you're critical to our production, whether digital or physical; and, therefore, you can reprioritize. We also have mechanisms for assessing where the exposures are in our third-party ecosystem for ransomware. We've seen a lot of recent issues with particular software packages. SolarWinds is the real big one from a number of years ago, and the most recent one is MOVEit, right. MOVEit is a very simple -- maybe not simple but a basic mechanism for moving data securely from one place to another. Well, tons of companies are using it and don't realize it. So being able to identify where in that ecosystem those things sit help you understand where your exposures are, where you should be looking, where you should be paying attention. So the market is evolving. And we're leading the charge on that to move from just having a score, a number, or a letter to providing intelligence so that sourcing people, vendor management people, business people can make better and more informed and critically defensible decisions about what risks they want to treat versus which ones they want to accept.

Dave Bittner: So, I mean, I think that really brings us to third-party risk management. And why is that such a priority these days? It seems to me, more than ever.

Jeffrey Wheatman: I always ask people a very simple question. If your biggest partner gets hit with ransomware and they're down for a week, how long are you down for? And the answer is typically longer than a week because everybody's doing just in time. And then I think also, to layer on top of that, we're seeing a lot of legal and regulatory requirements around managing digital, third parties, digital ecosystem, particularly within financial services. The latest one is DORA out of the EU, which has a whole section on third-party risk. And they're telling you, you need to monitor those risks. You are responsible for what's going on there. So we're starting to see that. And then the other thing, I always say cybersecurity is only a part of managing your supply chain. But it often has an outsized impact because, if a company you -- manufactures widgets for you and they get hit with ransomware, they probably can't send you the widgets. They probably can't pay their bills. They probably can't send invoices out. They can't pay their staff. And it just it becomes this sort of cascading failure. And if you don't at least have visibility and intelligence into your third-party ecosystem, it becomes virtually impossible to report to your board, report to your senior executives about what risks you have.

Dave Bittner: What are your recommendations, then, for organizations who want to explore this, who are looking to delve into this notion of cyber risk intelligence? What's a great way to begin?

Jeffrey Wheatman: So the first thing -- and I know a lot of technology people are going to not be comfortable with this. You have to go talk to your business stakeholders internally and understand who are they doing business with? Who are they sharing data with? Who are they relying on in order to achieve their goals and objectives? Then we need to look at how to prioritize those. Not all of those partners are of the same value. Not all of them are of the same criticality. And then we need to start assessing what the risk exposures are, understanding what they're doing from a cybersecurity perspective. Historically, you sent out questionnaires. And even assuming the questionnaires were accurate day 1, which is open for discussion, over time, 90 days they're less valuable, 180 three, you know, a year out, three years out. And we know from talking to people, some people are reassessing their partners every three years, which is beyond exposed, beyond risky. So being able to understand where your exposures are, looking at single points of failure, being able to have ongoing discussion with your third parties so that you can help them understand, look. You know, from the outside in, here's what the attackers are seeing. Here's what the hackers are seeing. You need to take a look at this because you're exposed. You're very susceptible to ransomware. And we know that because we've done research. We know companies that are getting victimized by ransomware are not doing some basic blocking and tackling. And we can see that from the outside. And that's where that intelligence comes in. And then, finally, you know, I spent a lot of years coaching CISOs and CROs and their ilk, and they tend to struggle communicating with business stakeholders. And I think the main reason for that is they're not talking about the financial element. 

So being able to bring in cyber risk quantification and being able to assess the financial impact of a breach or ransomware or a data loss in your partner ecosystem. And, you know, you can have great conversations there. If you go to your executives and say, well, we think something real bad might happen, they're not going to give you any money; and they're not going to solve the problem. But if you say, Look. This partner exposes us to $10 million worth of risk over the year, then they're going to perk their heads up and they're going to start paying a lot of attention. And then I think, finally, building this continuous improvement loop is really, really important. It's not just a point-in-time snapshot. It's reassessing and reevaluating over time and being able to reprioritize. Business models change. Architectures change. Businesses change. You need to be able to change the way you assess and report on risk. And, ultimately, you want to be able to go to the CEO and the board, and say, look. Here's the overall financial exposure within our digital ecosystem. And, right now, most organizations are unable to do that. And if all you're doing is bringing one score, one letter, one number without that financial context, without a compliance context, it just doesn't give you defensible decision-making.

Dave Bittner: That's Jeffrey Wheatman from Black Kite.

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my cohost over on the Hacking Humans podcast. Hey, Joe.

Joe Carrigan: Hi, Dave.

Dave Bittner: Some interesting stats came out of CISA recently, and actually the folks over at Duo did a little analysis of it that caught my eye here. And I'm curious, so what are some of the things here from CISA that you think are worth sharing here?

Joe Carrigan: I think there's a lot in this report that's very interesting. Number one, more than 50 percent of successful intrusions at organizations began with a valid account for initial access.

Dave Bittner: Okay.

Joe Carrigan: What that means is there was some account that was open. This could be an old employee's account or an admin account with default passwords. That's how they classified it in here. But I would say that anything that -- even a user account, if you -- you know, the current user or current employee account would be a valid account, an account that has reason to exist and was how they gained initial access. These attacks are initiated or, actually, begun long before they actually set foot into the system, into the environment. And usually the first kinetic action is to send an email in to phish some credentials or try to do something. But once they're actually going to get access, more than 50 percent of the time they're using a valid account, which speaks to how effective phishing and spear phishing are --

Dave Bittner: Right.

Joe Carrigan: -- which is the next point, it's kind of down the bottom of this article, but spear phishing has a 33 percent success rate. That is, one in three spear phishing emails is successful and that only 13 percent of spear phishing attempts are blocked. I would assume that means by some automated means.

Dave Bittner: Right.

Joe Carrigan: And that makes sense to me that spear phishing attempts don't get blocked because, generally, when you're going to do a spear phishing attack, you sit down and you think about what you're going to write. And you actually write something good, or maybe nowadays you use ChatGPT to write a nice phishing email.

Dave Bittner: Right.

Joe Carrigan: Or WormGPT as it is now, right?

Dave Bittner: Yeah.

Joe Carrigan: You can actually go out and use that. But the spear phishing attack is always going to be more successful than just a standard phishing attack or even a spam, you know, spam phishing attack --

Dave Bittner: Sure.

Joe Carrigan: -- because, first off, it's only going to one person. It's specifically crafted for that person.

Dave Bittner: Right.

Joe Carrigan: So 87 percent of the time is just going to pass right through a spam filter or a phishing filter or some kind of security product that's intended to block it. That's not going to happen because it doesn't match any signatures out there. It's a new creation, and it's tailored to do what it's going to do. When the person sees it, in cybersecurity terms, they're very likely to click on the -- click on the link or take the action that they're -- that they're told to take.

Dave Bittner: Right.

Joe Carrigan: I say very likely with 33 percent because normally a successful phishing email is maybe like a 1 percent success rate.

Dave Bittner: Yeah.

Joe Carrigan: A spam phishing attempt like the Nigerian prince scam, that might have well under a 10th of a percent success rate.

Dave Bittner: Yeah.

Joe Carrigan: But a spear phishing attack, remarkably effective. CISA also observed that 78 percent of links and attachments are blocked, which prevents the execution of any malicious activity, which is good. Sounds like the majority of things are getting -- getting blocked. But that means about 1 in 5 is getting through --

Dave Bittner: Right.

Joe Carrigan: -- which is not really a good record for a security product or for security products or for a security posture at an organization.

Dave Bittner: Well, yeah. And I would say, I guess, one way to look at this is that that's one line of defense.

Joe Carrigan: Correct.

Dave Bittner: Right. So if, you know, four out of five things are getting handled by your automation, that means the remaining one out of five in this case seems to me like this is where your security awareness training comes in.

Joe Carrigan: Yep.

Dave Bittner: And things like that or perhaps a secondary system. We always talk about defense in-depth.

Joe Carrigan: Yes.

Dave Bittner: This seems to me like this -- that's -- the successful organizations are going to have those kinds of things in place.

Joe Carrigan: Yeah. They are going to have those kind of things in place because you're 100 percent correct. If -- there is this concept of the cyber kill chain, that's -- was it MITRE that put that out?

Dave Bittner: Yeah.

Joe Carrigan: But, yeah. There's -- there's some parts of it you don't have any control over, right.

Dave Bittner: Right.

Joe Carrigan: And, like I say, the very early part of a cyberattack is going to be reconnaissance. And that is pretty much out of your control as an organization. There's nothing you can do to stop people from just gathering open source intelligence and calling in and probing and finding things.

Dave Bittner: Yeah.

Joe Carrigan: That's hard to prevent against. But once the rest of the attack is going on, yeah. They're going to have to do a phishing attack. That might get stopped. That email might get stopped. Then they're going to have to get -- convince a user. There's another opportunity to stop it. If the user is tricked into going out somewhere, then that's another opportunity to stop it. You can have multifactor authentication that would -- that pretty much shuts down account takeover if you use like something like FIDO2.

Dave Bittner: Right.

Joe Carrigan: Or it just makes it more difficult, so it has to be personally involved. That's -- there's all kinds of opportunities to stop it. And you're right. Defense in-depth is the way to go.

Dave Bittner: Yeah.

Joe Carrigan: Because along that kill chain the attacker has the disadvantage. They have to be right every single time. You only have to be right once.

Dave Bittner: Which is -- that's an inversion of what we usually hear, how it's usually described, right.

Joe Carrigan: But the flip side of that is they can do that all day long.

Dave Bittner: Right.

Joe Carrigan: And as long as they're doing that, you have to do it.

Dave Bittner: Yeah.

Joe Carrigan: So you have to stop them somewhere along that line every single time they try. They only have to get through the entire process once.

Dave Bittner: Yeah. All right. Interesting statistics here. I think some of these were a little surprising to me. Joe Carrigan, thanks for joining us.

Joe Carrigan: It's my pleasure, Dave.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at the cyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's Strategic Workforce Intelligence optimizes the value of your biggest investment: your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester with original music by Elliott Peltzman. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.