The CyberWire Daily Podcast 8.18.23
Ep 1888 | 8.18.23

Phishing for Zimbra credentials. Developments in PlayCrypt and Cuba ransomware. #NoFilter exploitation. Cyber gangs (and some services) threaten security researchers. Anglo-Saxonia update.

Transcript

Dave Bittner: Phishing for Zimbra credentials. PlayCrypt ransomware described. The Cuba ransomware group adopts new tools. #NoFilter. Cyber criminals threaten security researchers. Our guest is Kevin Paige from Uptycs with thoughts on the Blackhat conference. Eric Goldstein, Executive Assistant Director at CISA joins us discussing next steps on the Secure by Design journey. And Russian disinformation takes on "Anglo-Saxonia."

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Friday, August 18th, 2023.

Phishing for Zimbra credentials.

Dave Bittner: ESET is tracking a major phishing campaign that’s targeting Zimbra account credentials. Most of the targets are located in Poland, Italy, and Ecuador, but the attackers don’t seem to be focused on any particular sector. The campaign has been running since at least April 2023, targeting “a variety of small and medium businesses and governmental entities.”

Dave Bittner: The phishing emails are tailored to each targeted organization, and inform users that they need to log in to Zimbra to resolve an issue. The researchers note, “[O]n several occasions we observed subsequent waves of phishing emails sent from Zimbra accounts of previously targeted, legitimate companies, such as donotreply[redacted]@[redacted].com. It is likely that the attackers were able to compromise the victim’s administrator accounts and created new mailboxes that were then used to send phishing emails to other targets.”

PlayCrypt ransomware described.

Dave Bittner: Researchers at Adlumin outline a “concentrated global campaign” involving the Play ransomware (also known as “PlayCrypt”). The campaign is targeting managed service providers used by “mid-market enterprises in the finance, software, legal, and shipping and logistics industries, as well as state, local, tribal and territorial (SLTT) entities in the US, Australia, UK, and Italy.” The threat actors usually gain initial access by abusing Remote Monitoring and Management (RMM) software.

Dave Bittner: The researchers note, “PlayCrypt ransomware’s code is highly obfuscated and shows strong resistance to typical analysis techniques. Notably, this ransomware group is the first to employ intermittent encryption – a technique that partially encrypts files in chunks of 0x100000 bytes to evade detection.”

The Cuba ransomware group adopts new tools.

Dave Bittner: BlackBerry has published an analysis of new tools used by the Cuba ransomware gang. The threat actor conducted attacks in June 2023 against a critical infrastructure organization in the US and an IT integrator in Latin America. BlackBerry says the gang “deployed a set of malicious tools that overlapped with previous campaigns associated with this attacker, as well as introducing new ones — including the first observed use of an exploit for the Veeam vulnerability CVE-2023-27532.”

Dave Bittner: It’s also worth noting that despite the gang’s Cuban branding, the threat actors appear to be based in Russia. The group seems to be a privateer, making its money by hitting Western, anglophone, democratic targets–that is, targets in countries Russia has framed as adversaries.

#NoFilter.

Dave Bittner: Deep Instinct describes a privilege escalation technique that abuses the Windows Filtering Platform (WFP). The researchers built a tool for mapping Remote Procedure Calls (RPCs), which allowed them to find ways to “manipulate benign services to perform malicious actions, such as code injection or file encryption.” The researchers explain, “All the RPC servers on the system were mapped and methods were marked if the parameters that will be sent to the WinAPI are controlled by the RPC client. The WinAPI could be called directly by the RPC method, or after several internal calls. RPC methods were also marked if specific keywords appear in their name.”

Dave Bittner: Deep Instinct found that access token duplication can be performed in the kernel using WFP, which makes the attack extremely stealthy.

Cyber criminals threaten security researchers.

Dave Bittner: The Financial Times reports a trend: cyber threat actors, both criminal and state-directed, menacing security researchers and journalists who've drawn attention to the groups' activities. The threats come from both criminals and state agencies, but criminal threats–which often extend to researchers' families–seem much more common. “These are young folks, teenagers, folks in their twenties that aren’t employees of companies that are tasked with hacking, nor are they members of military or intelligence organisations,” Mandiant's CTO Charles Carmakal told the Financial Times. “It’s a bunch of folks with no rules of engagement. They have an unlimited amount of free time. They really push the envelope. They bring a lot of pain to individuals and make it feel very real.”

Dave Bittner: It can be more than simple harassment. Some of the hoods have engaged in swatting, a particularly malign action in which they spoof a call to police, reporting–falsely–that an active shooter is holed up at their victim’s address. The criminals hope the police will respond to the bogus emergency with a SWAT team, which necessarily brings with it fear, humiliation, and the real possibility of misapplied deadly force.

Dave Bittner: There are, however, occasions in which governments, especially the Russian government, have been involved in the menacing. German authorities are, for example, investigating the apparent poisoning of a dissident Russian journalist in Munich last autumn. The Guardian reports that the victim, Elena Kostyuchenko [kost-you-CHEN-koh], was at the time a reporter for the now-closed Novaya Gazeta. Her coverage of the special military operation was unwelcome in Moscow.

Perfidious Albion (and that includes you too, Yankees).

Dave Bittner: According to the Telegraph, Russian military and diplomatic sources (amplified by state-controlled media) say that Britain's MI6 has assembled a team of Ukrainian "Nazis" and dispatched them, possibly aboard a grain ship now transiting the Black Sea, to kill Africans sympathetic to Russia. “The goal of the Ukrainian unit that has been trained by British intelligence is to carry out acts of sabotage on key infrastructure in Africa and assassinate the African leaders who favour co-operation with Russia,” those sources said.

Dave Bittner: The story of Ukrainian Nazi hit squads dispatched by MI6 to trouble African dreams of national self-realization is implausible, to say the least, but it's consistent with Russian propagandists' increasing attempts to frame Russia's war as a purely defensive operation, with the aggression all coming from "Anglo-Saxonia," that is, from the Americans and the British.

Dave Bittner: London and Washington, Russian pundits argue, have been at war with Moscow continuously since 1945. It’s all a continuation of the Great Patriotic War, which increasingly sounds as if the British and the Americans were on the side of the Axis.

Dave Bittner: And now they’re using Ukrainian Nazis, slaves, zombies–take your pick, as the terms are slung around freely and interchangeably–to prosecute a war against Russia, which stands alone as a bulwark of civilization against the soulless hegemons of Anglo-Saxonia.

Dave Bittner: Or, actually, they’re not entirely alone. Pyongyang’s Dear Respected Marshall Kim, Outstanding Leader of the Juche [joo-shay] Revolution and the only and unique successor and leader of that Juche Revolution, the peerlessly great man, lettered in basketball at his high school in Switzerland, etc. has pronounced North Korea’s firm solidarity with the cause of Russia. The pundits on Russian state TV have been pleased to point that out, because, y’know, hey–you got that going for you. You’ve gotta have some angle, after all–it’s not as if this time around the Royal Navy is convoying shiploads of American Lend Lease to keep the Red Army in the field. Maybe they can truck some ammo over the border from North Korea instead. A brother’s gotta hope, right? 

Dave Bittner: Coming up after the break, our guest, Kevin Paige from Uptycs has thoughts on the Blackhat conference. Eric Goldstein, Executive Assistant Director at CISA, joins us to discuss next steps on the Secure by Design journey. Stay with us.

Dave Bittner: Folks have had a few days now to settle in and recover from Blackhat and DefCon, Hacker Summer Camp as it's sometimes called. I checked in with Kevin Paige, CISO of security firm Uptycs, for his take on this year's festivities in Las Vegas.

Kevin Paige: I think that the tone and the content was pretty interesting. I think that I'm seeing Blackhat be very much like RSA. I mean, it almost felt like I was at RSA at Blackhat this year. So, you know, the tone was really focused on, I think, a lot of smaller companies getting more mature in their capabilities, which was great to see. It was great to see some of these companies, you know, really taking a look at consolidation. I think that was good. And I think there was also a little bit of sadness. I - there was a lot of security professionals that happen to be out of work right now, so there was a lot of people looking for work and a lot of people looking for great people that were available on the market. So, that was also an interesting tone and lots of interesting conversations about both of those topics. You know, like, you know, what's going on in the security world, like why are companies letting go of security team members when our threats are not going down and vulnerabilities aren't getting less. So, why would companies start to lay off some of their security people? And lots of talks about, I think, consolidation as well. So, lots of talks about like, "Hey, you know, I have a 20-person security team and I have 32 security products, like, what can we do to make this better and more efficient in the long term?" So, from a theme perspective, I definitely felt a lot of those types of capabilities that were going on at Blackhat this year. And it was definitely feeling a lot like RSA. So, very, very corporate, which is I've been coming to Blackhat for a long, long, long time and this was probably the first year that I felt like, "Am I" - I had to wonder, "Am I at RSA or am I at Blackhat?" And then I would walk downstairs and be like, "Oh, I'm definitely at Blackhat. This is Vegas."

[ Laughing ]

Dave Bittner: I mean, is that shift a good thing, a bad thing? Is it an inevitable thing? Like, as someone who's been attending these for a long time, how do you feel about that?

Kevin Paige: I feel it's an inevitable thing, I think. You know, 'cause people - you know, I think corporate wants to have their kind of corporate events, you know, with people all across security from venture capitalists to cybersecurity startups to enterprise security companies. The ability to bring those together at events I think is great. I think RSA's much smaller venues, much smaller capabilities. And I think that Blackhat's maybe a little bit more centrally located than San Francisco, even if there are a lot of startups and venture capital that are focused on security in the Bay Area. This kind of more corporate move to Blackhat, you know, you kind of saw it coming over the years, you know, as Blackhat got more corporate and DefCon got, you know, a little bit, you know, less corporate, but still a lot more corporate than it used to be. I think it's kind of inevitable. So, it'll be interesting to see what happens, you know, with RSA and Blackhat in the future, 'cause people aren't going to want to go to two conferences that're the exact same thing. So, we'll see what happens in the future.

Dave Bittner: You know, as someone who's in a leadership position, as CISO at Uptycs, as you are, how do you plan out your time to make the - you know, the maximum use of the amount of time you have there at a conference like this?

Kevin Paige: So, yeah, I focus on a couple of different things. The first thing I focus on is meeting up with people I've worked with in the past, other CISOs, making sure that we're getting great collaboration and, you know, passing stories along, helping each other out. So, for me, my first priority is making sure that that's happening. So, that's my main priority when I'm going to these events. It - just kind of at my stage of having gone to these for a long time and, you know, made a lot of friends, you know, at place - other places that I've worked and also just, you know, coming to this event. So, that's probably priority number one. Priority number two is, you know, I like to think of myself as a - you know, kind of an innovative security executive. I'm always looking for something that's modern, something that's helping solve a problem that I have today, something that's associated with my roadmap. So, I'm looking at lots of the cybersecurity companies, not just in the vendor hall, but the ones that are around the vendor hall. Right? There's a lot of young, innovative companies that are not paying for a booth inside of the venue. So, you know, I'm definitely having lots of conversations with startups around the venue as well, you know, kind of looking for, you know, more efficient - more operationally efficient ways to help me solve some of the problems that I have is a key priority. And then key priority number three is definitely meeting with everybody, you know, venture capital, you know, other larger security company vendors and just trying to stay in the loop and, hopefully, ahead of the curve on - on a lot of the different types of security issues that lots of people see coming, lots of innovative ways to solve problems that we see coming. You know, that's kind of, I think, a big focus area. So, those are my three things that I focus on when I come to these types of events to, you know, spend my time on.

Dave Bittner: And, you know, this week, when you're back home and you've got some time to reflect on the information that you've gathered, what is this week like for you? Is it - do you spend a lot of time reflecting on it?

Kevin Paige: I do spend a lot of time reflecting. It's probably one of the key things is that once you've kind of, you know, dealt with the glamour of Vegas and dealt with, you know, all of the, you know, tens of thousands of people that you've interfaced with, you know, throughout the week, you know, now it's time to figure out, you know, like what's really going on, you know, what was the most valuable use of my time when I was there, what did I get out of it and, you know, how can I make sure that we can use and learn from the information that I learned from others, whether it was the - whether it was my friends, other CISOs, venture capital, some of the other enterprise security vendors, what is the trend, what are people doing, why are they going there. You know, very interesting to be able to do that. And then see what we can do to be able to help Uptycs, be able - what I can do to help, you know, some of the other more junior security people in the industry that I mentor. You know, where can we use this information to help security as a whole and myself continue to move forward?

Dave Bittner: Was there anything unexpected or surprising? Or did you have any "aha" moments while you were there that you didn't call for?

Kevin Paige: I didn't have a ton of "aha" moments this year. Definitely one of the "aha" moments was the discussion about many of the really good security professionals that are out of work right now. So, that was, you know, maybe not directly tied to it, but because we had so many security leaders and executives together having conversations, I think that was something that came out. And it was definitely a moment of saying like, "Hey, why is this happening?" Probably the other one is lots of discussions about tool consolidations. Like lots of people saying - you know, talking to vendors or talking to another vendor and we're having conversations saying like, "I can't - like, I can't have another tool in my toolbelt. You know, like, I have too many and I'm not using them all effectively. Like, I have too many tools." So, lots of discussions around too many tools in security for security teams to be able to handle effectively. So, I think from an "aha" moment, I - I've just - you know, I've heard, you know, bits and pieces of those at other times, but those two were two - my two kind of "aha" moments. Like, "Wow, like, there is - like, every place I go, we're talking about these two topics." And I found it very interesting that it was such a - those topics were everywhere. I don't think I had a conversation in the three days I was at Blackhat that didn't touch on those two topics.

Dave Bittner: That's Kevin Paige, Chief Information Security Officer at Uptycs.

Dave Bittner: And it is always my pleasure to welcome back to the show Eric Goldstein. He is Executive Assistant Director at CISA. Eric, great to have you back. I want to touch base today on this whole notion of Secure by Design, which I know is a focus of you and your colleagues there at CISA. Where do we stand and where are we going with this?

Eric Goldstein: Thanks so much, Dave. It is always a pleasure to be on. Just to catch listeners up, you know, Secure by Design really is a concept that's now been codified in the National Cybersecurity Strategy. The idea being that the burden of cybersecurity really has to rest with those who are most able to bear it. Which, in many cases, is actually not the individual enterprises who are being victimized by cyber intrusions, but is actually the manufacturers of the products that every enterprise is relying upon, and that we know are exploited at scale by nation states and by criminal groups. And, so, our goal with Secure by Design is to work with the technology community and with partners across the world to really define what are the attributes of a safe and secure technology product and then really drive change across the ecosystem so that technology companies make needed investments to ensure that their products are fit for purpose wherever they're deployed. In April of this year, we released our first white paper on this topic with six other countries from around the world. We released it at the RSA conference. And the goal of that was to really be a first chapter in this conversation to say, "Here are the principles that we think underpin a Secure by Design culture," principles like technology companies taking accountability for the security outcomes of their customers, technology companies showing radical transparency in their security programs and gaps therein. And then some really specific areas for future investment, areas like ensuring that we are making progress towards memory-safe coding languages or making sure that multifactor authentication is turned on as a default feature, not an additional expense that you have to enable and pay for yourself. 
Over the past few months, we've been getting feedback from companies across sectors, a lot of the country's largest tech companies, as well as startups and innovators in this space, as well as other international partners. And we're now really excited to be working on our next iteration of this work, which is going to get a bit more specific to say, "Well, now that we understand generally what are the characteristics of a safe and secure technology product, how can we actually show it? What are the artifacts? You know, how do we show our work to actually demonstrate that we're making progress towards this goal?" And we're really excited to get a bit more specific and applied in making progress towards this goal.

Dave Bittner: Can you share with us any of the things that we might see as we're looking towards the future here?

Eric Goldstein: Absolutely. You know, I think the next thing that we're really going to see is some work by CISA and our international partners. And I'll note that we have many more international partners who we expect to be signing on to our next products, even than the first one. But we're going to be seeing some examples of expectations that we should be setting of technology manufacturers who are deploying their products across sectors. One example is, of course, we spent a lot of time in our first product talking about the challenges of memory-unsafe coding languages. You know, I'll just note for the listeners, many might have seen a recent document from our partners at MITRE about the most common CWEs that were released this year. Well, the majority of those are actually the result of memory safety vulnerabilities or the use of memory-unsafe coding languages. And we did some mapping. And what we were able to show is not only are those the most common CWEs, but they also reflect back to the most known exploited vulnerabilities that were identified by CISA as being widely exploited by adversaries. So, what does this mean in practice? It means that not only do we know that the use of memory-unsafe coding languages, like C and C++, leads to more vulnerabilities, but those are the vulnerabilities that adversaries are exploiting to cause harm. So, what do we do about that? Right? That is a major challenge that takes real investment to address both for new products, for new code bases and legacy. So, what we're saying is, "Well, let's encourage tech manufacturers to at least have a roadmap to say, 'We understand the risk. We are going to publish CWEs for all of our vulnerabilities to be transparent about the extent to which our vulnerabilities are deriving from this problem. And we have a roadmap to make progress that we're going to publish and hold ourselves accountable to.'" At the end of the day, there is no silver bullet here. It's really about driving accountability over the long term.

Dave Bittner: And what sort of feedback are you getting here? I mean, it strikes me that, you know, CISA, one of the main abilities you have is influence. You know, you don't necessarily have regulatory oversight or power, but you do have a voice here. What's the feedback you're getting?

Eric Goldstein: That's exactly right. You know, one of the most exciting aspects of this work is we have spoken to security and business leaders at major tech manufacturers, we have spoken to security leaders and business leaders at major enterprises, and there is consensus across the board that we as a country, we as a society, we as an economy need technology that is safe and secure by design and default. The question is, "What does that mean and how do we get there?" And, so, the work we have to do now is leveraging, for example, the great work that NIST has done in their Secure Software Development Framework, the SSDF, be really clear about what are the most important steps that can be taken to develop a product that is reasonably secure by design. And then, even in the absence of any new regulation, in the absence of any new shift in liability, let's drive consensus around enterprises who are purchasing these technologies, including the federal government, about what do we expect. And there's consensus around that direction, the steps to take. Now we just need to get specific about what it means in practice.

Dave Bittner: All right. Well, Eric Goldstein is Executive Assistant Director at CISA. Eric, always a pleasure having you on.

Eric Goldstein: Thanks so much, Dave. And I'll just note, if folks want to learn more, they can go to cisa.gov/securebydesign.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. Be sure to check out this weekend's "Research Saturday" and my conversation with Dmitry Bestuzhev from Blackberry. We're discussing their work, "RomCom Resurfaces: Targeting Politicians in Ukraine and U.S.-Based Healthcare Providing Aid to Refugees from Ukraine." That's "Research Saturday." Check it out. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by our editorial staff. Our Executive Editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.