The CyberWire Daily Podcast 8.21.23
Ep 1889 | 8.21.23

DPRK tried to hit RoK-US military exercises. Australian domain administrator auDA may have been breached. WoofLocker's tech support scam. US warns of cyber threats to space systems.

Transcript

Dave Bittner: The DPRK's Kimsuky attempts to hit joint military exercises. Australian domain administrator auDA (OW-duh) may have been breached. WoofLocker's version of a tech support scam. The US Intelligence Community warns of cyber threats to space systems. Rick Howard looks at forecasting cyber risk. Deepen Desai from Zscaler shares ransomware trends. And more wartime disinformation out of Russia.

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Monday, August 21st, 2023.

DPRK's Kimsuky attempts to hit RoK-US military exercises.

Dave Bittner: South Korea’s Gyeonggi Nambu Provincial Police Agency said yesterday that the North Korean threat actor Kimsuky targeted South Korean contractors working for a joint military exercise between the US and South Korea, SecurityWeek reports. The agency found that an IP address used in the attack was also used in an alleged Kimsuky hack against a South Korean nuclear reactor operator in 2014.

Dave Bittner: The threat actor used spearphishing attacks in an attempt to steal information. The police agency stated that “military-related information was not stolen.”

Australian domain administrator auDA may have been breached.

Dave Bittner: The NoEscape ransomware gang claims to have breached Australia’s .au domain administrator auDA, the Record reports. The gang says it’s stolen 15 GB of data, including personal information.

Dave Bittner: auDA stated on Sunday, “Today, the cyber criminal has provided evidence of a small sample of data they say is in their possession. It includes screenshots of a file list from a computer. Our investigation remains ongoing, including to verify the cyber criminal’s claims and the provenance of this data. We will provide an update when further information is available. In the interim, we encourage everyone to remain vigilant to potential malicious online activity such as phishing attempts and scams from persons or organisations requesting, or using, your personal details.”

Dave Bittner: The non-profit said that it’s notified the Australian Cyber Security Centre (ACSC), the Department of Home Affairs, and the Office of the Australian Information Commissioner (OAIC) of the potential breach. Investigation continues.

WoofLocker's version of a tech support scam.

Dave Bittner: Malwarebytes has published an update on WoofLocker. This is a “complex traffic redirection scheme” used for tech support scams, and Malwarebytes has been tracking it for some time. The company says that attribution in this case is murky. “While we still do not know a lot about who is behind this scheme, we believe it may be the work of different threat actors that specialize in their area of expertise,” the researchers wrote. They added, “WoofLocker may very well be a professional toolkit built specifically for advanced web traffic filtering and used exclusively by one customer. Victims that fall for the scam and call the phone number are then redirected to call centres presumably in South Asian countries.”

Dave Bittner: WoofLocker is distributed via compromised websites, most of which are of an adult nature. The researchers note that WoofLocker’s “infrastructure is now more robust than before to defeat potential takedown attempts.” So absent other measures, keep your adult nature in check, and maybe stay off those sites.

US Intelligence Community warns of cyber threats to space systems.

Dave Bittner: The US Federal Bureau of Investigation (FBI), the National Counterintelligence and Security Center (NCSC), and the Air Force Office of Special Investigations (AFOSI) have issued a bulletin outlining cyberespionage threats targeting the space industry, Reuters reports. The bulletin states, “Foreign intelligence entities (FIEs) recognize the importance of the commercial space industry to the US economy and national security, including the growing dependence of critical infrastructure on space-based assets. They see US space-related innovation and assets as potential threats as well as valuable opportunities to acquire vital technologies and expertise. FIEs use cyberattacks, strategic investment (including joint ventures and acquisitions), the targeting of key supply chain nodes, and other techniques to gain access to the US space industry.”

Dave Bittner: The warning is heavy on the threat to intellectual property, but it also warns against direct threats to space systems themselves. The New York Times points out that China and Russia represent the serious adversaries in this field, and that the US Intelligence Community thinks it likely that any future war will open with a cyberattack against satellite systems. Russia’s invasion of Ukraine provides the template. 

Wartime disinformation out of Russia.

Dave Bittner: The warning about space systems arrived without a lot of explicit discussion of Russia’s successful, albeit short-lived, cyberattack against Viasat modems in the opening hours of its invasion. That disruption, which Ukraine was able to overcome in a matter of about a week, still represents one of the few tactically significant cyber actions of Russia’s war against Ukraine. It hasn’t really been repeated, with most cyber action declining into hacktivist demonstrations and conventional cyberespionage.

Dave Bittner: So the cyber front in Russia's war has been quiet of late, with few cyberattacks or significant instances of cyberespionage reported over the last several days. But disinformation continues. Recent themes in Russian influence operations (debunked by the Canadian Government's standing fact-checking of Russian claims) have sought to portray Poland as avid to recover territories the Soviet Union annexed to the Ukrainian Republic at the end of the Second World War.

Dave Bittner: The overarching theme of Russian influence operations, represented in a very long interview TASS conducted with Russian Foreign Minister Lavrov, is that Russia is the victim of aggression, with Ukraine's government serving as a cat's paw for the United States, which seeks Russia's reduction to a permanent state as an impoverished, minor power. (The theme is repeated by Iran's semi-official Mehr News Agency.)

Dave Bittner: There's also some retail disinformation in progress. Ukrinform reports that Russian bot operators are sending residents of Kherson threatening texts over social media warning them of physical harm. The recipients are told they'll be spared if they report on the "Nazis" to the Russians, that is, if they reveal information about Ukrainian forces. What effect, if any, the threats will have remains unclear.

Dave Bittner: Coming up after the break. Rick Howard looks at forecasting cyber risk. Deepen Desai from Zscaler shares ransomware trends. Stay with us. And it's always my pleasure to welcome back to the show, Rick Howard. He is the CyberWire's chief security officer and also our chief analyst. Rick, welcome back.

Rick Howard: Hey, Dave.

Dave Bittner: So on this week's "CSO Perspectives" Podcast, you are providing an update on the current state of risk forecasting. What do you have in store for us?

Rick Howard: Well, Dave, you know, fans of the show know that I've been going on and on over the last three years about finding a practical way to forecast risk for the business. And I want to emphasize the word "practical" here because, you know, I've read all the best books on the subject. You know, there's Superforecasting: The Art and Science of Prediction by Tetlock and Gardner, which I highly recommend. There's How to Measure Anything in Cyber Risk by Hubbard and Seiersen. And Measuring and Managing Information Risk: A FAIR Approach, one of the originals. It's probably the original book back in the day, by Freund and Jones, all Cybersecurity Canon Hall of Fame inductees, by the way. And I've interviewed most of the authors either for the Canon project or for the CyberWire. And some of them are friends of mine. Seiersen and I even presented together on the subject at the RSA Conference a few years back. And Jack Freund reviewed the chapter on risk in my book, Cybersecurity First Principles. So up to now, I felt like we were all just a bunch of rebels shouting into the wind and not getting much traction. Like we were a bunch of crazies, you know. You know, those people, Dave. But I think this is beginning to change.

Dave Bittner: How come? I mean has there been some event you can point to, any kind of turning point that represents this change in mindset?

Rick Howard: Well, admittedly, my indicator is maybe anecdotal, but I'm starting to see security vendors incorporate some of these ideas into their products to make it easier for people like us to incorporate them into their infosec programs. So for this show, I talked to two security vendor founders and discussed why these things, these changes, are happening now and what's driving the change.

Dave Bittner: All right. We'll look forward to that. It's CSO Perspectives, it is part of CyberWire Pro. You can find out all about that on our website, thecyberwire.com. Rick Howard, thanks for joining us.

Rick Howard: Thank you, sir.

Dave Bittner: And it is my pleasure to welcome back to the show, Deepen Desai. He is the global CISO and head of security research and operations at Zscaler. Deepen, always great to have you back on the show. I want to touch today on the ransomware report that you and your colleagues have recently published. This is your 2023 Ransomware Report. Bring us up to date here. What did you all find?

Deepen Desai: Hey, thank you, Dave. So, yeah, this report, this is our annual ThreatLabz report that we published based on the findings from the year 2022. And it does cover some of the trends that we're seeing in 2023 as well. What the team does behind the scenes is look at ransomware attacks that were observed across the globe. This is where we take into account the telemetry that the Zscaler Zero Trust Exchange, our product, provides, as well as the tracking effort that the team does. Globally, we're tracking various threat actor groups and their infrastructure. So some of the key findings from the report. Number one, ransomware impact actually was fairly high in terms of region on the United States. In fact, the number that we saw was nearly half of the ransomware campaigns over the last 12 months were targeting US organizations in the United States. In terms of industry vertical, we saw the arts, entertainment, and recreation industries experiencing the biggest surge year over year when you compare it to 2021. In 2023, these industries saw almost a 400% increase in the number of attacks. The manufacturing sector remained the most targeted industry vertical. This is consistent with the annual report that we published a year before. And it's actually accounting for almost 15% of the total ransomware attacks that we tracked. And it's followed by the services sector, which experienced almost 12% of the total ransomware attacks last year. And then a final insight that I'll call out is in terms of there are more and more ransomware families that keep coming up. There were 25 new families that the team discovered, and these were all ransomware families that were using double extortion or a new phenomenon that we will discuss more that we're calling encryptionless extortion attacks this year.

Dave Bittner: Well, let's dig into that. I mean, when we say encryptionless, I mean, it sounds self-evident. But can you describe that for us?

Deepen Desai: Yeah. So what we're seeing, and I have my reasons to believe why these threat operators are going that route, but what we're starting to see is more and more of these prolific ransomware gangs, and I can name a few like Dark Angels. More recently, we've seen the Clop ransomware gang as well. Like, what they're starting to do is they will not encrypt the files. They will not cause business disruption to these victim organizations. And the goal over there is to potentially try to stay under the radar, both from their perspective as well as the organization that is being targeted. Instead, they will exfiltrate a large volume of data, like lots and lots of data. And that's where they're holding the organization hostage, right, the data is held hostage. If ransom is not paid, yes, they will make it public and they will make it known to everyone that this organization fell for a ransomware attack. But if the ransom is paid out, in many of the cases the information does not become public.

Dave Bittner: Is the notion here that perhaps they're trying to avoid the organization's getting in touch with law enforcement?

Deepen Desai: I would say it's multiple things. Yes. Number one is they are trying to stay under the radar from law enforcement crackdowns. Right. So the less they are in the news, the better it is for them. Number two is, yes, it's also a signal to the organization, right, to not involve, you know, law enforcement in some of these attacks, where the whole negotiation piece and the ransom payment piece happens under the radar. Having said that, I mean, one of the discussions I was having with a large CISO was you need to disclose these attacks. That's the right thing to do, you have to. And you need to do that if you were to claim your insurance, your cyber insurance, for these types of attacks. So there are pros and cons. I mean, every organization has their approach in how they would do it. I would absolutely be in favor of doing the proper disclosure, going the right route, law enforcement, other stuff may or may not happen in each of these attacks.

Dave Bittner: Yeah. What are we seeing in terms of the trends? Is there any sense that organizations are doing a better job of defending themselves, or where do we stand?

Deepen Desai: Yeah. So there is definitely progress in terms of where the organization's security posture is. When it comes to, say, five years ago, especially after the pandemic, we have seen fast-tracking of the digital transformation. And I'm going to use the term zero trust [inaudible]. But I know that term has been heavily used and abused. [Inaudible] zero trust is where you're actually implementing fundamental zero trust principles like always verify, assume breach, you know, and never trust. So this is where you're not bringing the users on the same network as applications, proper segmentation, identity-based verification. The point I'm trying to make is, yes, organizations, almost all organizations have embarked on the path to that zero trust transformation journey. But the maturity level is different across the board. There are also certain areas that are further along. When I say "certain areas," certain industry verticals are further along than the others because of regulations and other stuff. These attackers are very, very opportunistic, right? Whenever they see an opportunity, whether it's a vulnerable host, whether it's a pre-existing infection inside the environment, any organization where they're still having a relatively flat network, leveraging things like VPN, it's a juicy attack surface for these guys. So it makes their life easier to move laterally in those environments, the large volume of data, without being noticed. And then, you know, demand these ransoms.

Dave Bittner: All right. Well, it's the 2023 Ransomware Report from Zscaler. Deepen Desai is the global CISO there. Deepen, thank you so much for joining us. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the "Grumpy Old Geeks" Podcast where I join Jason and Ryan on their show for a lively discussion of the latest news every week. Find "Grumpy Old Geeks" where all the fine podcasts are listed. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Trey Hester, with original music by Elliot Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.