Ransomware in Colombia. An accidental data exposure. Cyberespionage hits unpatched systems. An attack on IT systems disrupts industrial production. Bots and bad actors.
Colombia continues its recovery from last week's cyberattacks. AI training data is accidentally published to GitHub. The cyberespionage techniques of Earth Lusca. Clorox blames product shortages on a cyber attack. Cybersecurity incidents in industrial environments. Where the wild bots are. Joe Carrigan looks at top level domain name exploitation. Our guest is Kristen Bell from GuidePoint Security with a look at vulnerability vs. exploitability. And there’s talk of potential Russia-DPRK cooperation in cyberspace.
I’m Dave Bittner with your CyberWire intel briefing for Tuesday, September 19th, 2023.
Colombia continues its recovery from last week's cyberattacks.
Reuters reports that Colombia's President Gustavo Petro, in New York for this week's UN General Debate, said that more than fifty government agencies and private companies were affected by a ransomware attack on a widely used Internet service provider. President Petro didn't name the ISP (widely known to be IFX Networks), but he did comment that the attack's widespread impact showed the company didn't have the right cybersecurity measures in place, and he suggested that this placed it in breach of its contracts. AFP reports that Colombia was considering civil lawsuits and possibly criminal prosecution of IFX Networks over what Information and Telecommunications Minister Mauricio Lizcano characterized as "failures in security protocols."
AI training data accidentally published to GitHub.
Researchers at Wiz yesterday reported having found that Microsoft’s AI research team accidentally exposed 38 terabytes of private data, including “secrets, private keys, passwords, and over 30,000 internal Microsoft Teams messages.” The exposure occurred when a Microsoft employee published a bucket of open-source training data to a public GitHub repository. Users could download the training data via an Azure Storage URL; however, this URL granted permissions to the entire storage account, which included two Microsoft employees’ personal computer backups.
Microsoft has fixed the issue, and offered a reassuring statement: “No customer data was exposed, and no other internal services were put at risk because of this issue. No customer action is required in response to this issue.”
Training data aren’t risk-free. They too can be stolen and abused.
We note, in full disclosure, that Microsoft is a CyberWire partner.
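The configuration detail behind the exposure above is the scope of a shared access signature (SAS) URL. As an added illustration, not code from Wiz, Microsoft or this show, the following audits a SAS URL's query parameters and flags account-wide scope, write-capable permissions and long expiry; the URLs, hostnames and signature values are constructed placeholders, while the parameter names (ss, srt, sr, sp, se) are Azure's documented SAS parameters.

```python
from urllib.parse import urlparse, parse_qs
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: an account-level SAS URL of the shape a "download the
# training data" link might take. The hostname and signature are placeholders.
SAMPLE_URL = (
    "https://examplestorage.blob.core.windows.net/training-data?"
    "sv=2021-06-08&ss=bfqt&srt=sco&sp=rwdlacup"
    "&se=2051-10-06T00:00:00Z&spr=https&sig=PLACEHOLDER_SIGNATURE"
)
# Constructed sample of the narrow alternative: one blob, read-only, short-lived.
NARROW_URL = (
    "https://examplestorage.blob.core.windows.net/training-data/model.bin?"
    "sv=2021-06-08&sr=b&sp=r&se=2023-10-01T00:00:00Z&sig=PLACEHOLDER_SIGNATURE"
)

# 'sp' letters that allow modification: write, delete, add, create, update.
WRITE_LIKE = set("wdacu")

def audit_sas_url(url: str, now: Optional[datetime] = None) -> dict:
    """Parse a SAS URL and return its scope plus a list of findings.
    An empty findings list means nothing looked broader than necessary."""
    now = now or datetime.now(timezone.utc)
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    findings = []

    # An account SAS carries 'ss' (services) and 'srt' (resource types) and
    # applies to the whole storage account; a service SAS carries 'sr' and is
    # bound to a single container ('c') or blob ('b').
    kind = "account" if "srt" in q else ("service" if "sr" in q else "unknown")
    if kind == "account":
        findings.append("account SAS: token applies to the whole storage account, not one container")
        if {"c", "o"} <= set(q.get("srt", "")):
            findings.append("srt covers containers and objects: every blob in the account is reachable")

    perms = set(q.get("sp", ""))
    if perms & WRITE_LIKE:
        findings.append("write-capable permissions granted: " + "".join(sorted(perms & WRITE_LIKE)))

    expiry = q.get("se")
    if expiry:
        days = (datetime.fromisoformat(expiry.replace("Z", "+00:00")) - now).days
        if days > 90:
            findings.append(f"expiry is {days} days away; a key-signed token cannot be revoked "
                            "short of rotating the signing account key")
    else:
        findings.append("no expiry ('se') present")

    return {"kind": kind, "permissions": "".join(sorted(perms)),
            "expiry": expiry, "findings": findings}
```

Run against storage links before they are published in a repository or README; the account-scoped sample produces three findings, the single-blob read-only sample none.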
Earth Lusca's cyberespionage techniques.
Trend Micro says the China-aligned threat actor “Earth Lusca” is using a new Linux backdoor based on the open-source Windows malware Trochilus. The researchers are calling the Linux variant “SprySOCKS.” The researchers note, “The backdoor contains a marker that refers to the backdoor’s version number. We have identified two SprySOCKS payloads that contain two different version numbers, indicating that the backdoor is still under development. In addition, we noticed that the implementation of the interactive shell is likely inspired from the Linux variant of the Derusbi malware.”
Earth Lusca has been targeting public-facing servers belonging to “government departments that are involved in foreign affairs, technology, and telecommunications.” The threat actor is primarily interested in countries in Southeast Asia, Central Asia, and the Balkans.
This backdoor is installed by exploiting known vulnerabilities against unpatched systems. So there are two lessons observers are drawing. First, patch–please patch. And second, Linux needs some love, too–it’s not all Windows out there.
Cyberattack induces Clorox product shortages.
Cleaning product manufacturer Clorox disclosed in an SEC filing that the cyberattack it sustained on August 14th has led to ongoing consumer product availability issues.
The company is currently in the process of repairing the affected infrastructure and reintegrating offline systems. It anticipates starting the transition back to normal automated order processing around the week of September 25. While most manufacturing sites have resumed production, the full production ramp-up will take some time, and the company cannot provide an estimate for when it will fully normalize operations. Additionally, Clorox acknowledges that the financial and business impact of the attack is significant, particularly in terms of order processing delays and product shortages, which will likely have a material impact on its Q1 financial results.
Cybersecurity incidents in industrial environments.
Rockwell Automation has released a report looking at cyberattacks against critical infrastructure, finding that state-sponsored threat actors are responsible for nearly 60% of these attacks. Around 33% of these incidents are “unintentionally enabled by internal personnel.” The report found that “[t]hreat actors are most intensely focused on the energy sector (39% of attacks) – over three times more than the next most frequently attacked verticals, critical manufacturing (11%) and transportation (10%).”
Mark Cristiano, commercial director of Global Cybersecurity Services at Rockwell Automation, explained the implications of the findings. He said, “Energy, critical manufacturing, water treatment and nuclear facilities are among the types of critical infrastructure industries under attack in the majority of reported incidents.” In particular, these sectors can expect to face an increasingly stringent regulatory environment. It’s already tightening up with respect to disclosure. Cristiano added, “Anticipating that stricter regulations and standards for reporting cybersecurity attacks will become commonplace, the market can expect to gain invaluable insights regarding the nature and severity of attacks and the defenses necessary to prevent them in the future.”
Where the wild bots are.
Netacea (net-uh-SEE-uh) has published a report looking at bot-fueled attacks against businesses in the US and UK, finding that 72% of respondents suffered attacks originating in China and 66% from Russia. 53% of all bot attacks came from these two countries. The researchers note that bot attacks from Russia have increased by 82% over the past two years. The report adds, “Vietnam is an outlier as third highest country of origin, with 48% seeing attacks from here despite the country accounting for just 2% of the population of Asia.”
Potential Russia-DPRK cooperation in cyberspace.
Russia's immediate interest in cultivating its relationship with North Korea is the prospect of Pyongyang supplying Russia's army with artillery ammunition, as expenditures have far exceeded Russian production capacity. There are, however, other potential areas of cooperation, notably in cyberspace. An essay in the EconoTimes argues, "Both North Korea and Russia are highly capable cyberwar and cyber intelligence nations: they can disrupt or break key infrastructure and steal sensitive government information. North Korea’s Lazarus group of hackers has been identified –– through careful process tracing –– to be responsible for thefts of crypto currency totalling tens of millions of dollars." Such cooperation wouldn't necessarily require much coordination. Most of North Korea's offensive cyber operations are already directed against countries whose relations with Russia are at least cool, if not downright adversarial.
So sure, Russia wants that 122 mm cannon ammunition, even if it is a few decades old. But it might also welcome the Lazarus Group’s services as an auxiliary. Keep an eye out for what Russian television is proudly, if oddly and a little uneasily, calling the Moscow-Pyongyang “Axis.” No, really, they’re saying “Axis” like it’s a good thing. Go figure.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It will save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Don’t forget to check out the “Grumpy Old Geeks” podcast where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find “Grumpy Old Geeks” where all the fine podcasts are listed. And check out the “Recorded Future” podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That’s at recordedfuture.com/podcast.
We’d love to know what you think of this podcast. You can email us at firstname.lastname@example.org—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.
N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.
This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.
Microsoft mitigated exposure of internal information in a storage account due to overly-permissive SAS token (Microsoft Security Response Center)
The Clorox Company FORM 8-K (US Securities and Exchange Commission)
Clorox Warns of Product Shortages Following Cyberattack (Wall Street Journal)
Clorox warns of product shortages after cyberattack (Fox Business)
Death By a Billion Bots (Netacea)