The CyberWire Daily Podcast 9.19.23
Ep 1909 | 9.19.23

Ransomware in Colombia. An accidental data exposure. Cyberespionage hits unpatched systems. An attack on IT systems disrupts industrial production. Bots and bad actors.

Transcript

Dave Bittner: Colombia continues its recovery from last week's cyberattacks. AI training data is accidentally published to GitHub. The cyberespionage techniques of Earth Lusca. Clorox blames product shortages on a cyber attack. Cybersecurity incidents in industrial environments. Where the wild bots are. Joe Carrigan looks at top level domain name exploitation. Our guest is Kristen Bell from GuidePoint Security with a look at vulnerability vs. exploitability. And there’s talk of potential Russia-DPRK cooperation in cyberspace.

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Tuesday, September 19th, 2023.

Colombia continues its recovery from last week's cyberattacks.

Dave Bittner: Reuters reports that Colombia's President Gustavo Petro, in New York for this week's UN General Debate, said that more than fifty government agencies and private companies were affected by a ransomware attack on a widely used Internet service provider. President Petro didn't name the ISP (widely known to be IFX Networks), but he did comment that the attack's widespread impact showed the company didn't have the right cybersecurity measures in place, and he suggested that this placed it in breach of its contracts. AFP reports that Colombia was considering civil lawsuits and possibly criminal prosecution of IFX Networks over what Information and Telecommunications Minister Mauricio Lizcano characterized as "failures in security protocols."

AI training data accidentally published to GitHub.

Dave Bittner: Researchers at Wiz yesterday reported having found that Microsoft’s AI research team accidentally exposed 38 terabytes of private data, including “secrets, private keys, passwords, and over 30,000 internal Microsoft Teams messages.” The exposure occurred when a Microsoft employee published a bucket of open-source training data to a public GitHub repository. Users could download the training data via an Azure Storage URL; however, this URL granted permissions to the entire storage account, which included two Microsoft employees’ personal computer backups.

Dave Bittner: Microsoft has fixed the issue, and offered a reassuring statement: “No customer data was exposed, and no other internal services were put at risk because of this issue. No customer action is required in response to this issue.”

Dave Bittner: Training data aren’t risk-free. They too can be stolen and abused.

Dave Bittner: We note, in full disclosure, that Microsoft is a CyberWire partner.

Earth Lusca's cyberespionage techniques.

Dave Bittner: Trend Micro says the China-aligned threat actor “Earth Lusca” is using a new Linux backdoor based on the open-source Windows malware Trochilus. The researchers are calling the Linux variant “SprySOCKS.” The researchers note, “The backdoor contains a marker that refers to the backdoor’s version number. We have identified two SprySOCKS payloads that contain two different version numbers, indicating that the backdoor is still under development. In addition, we noticed that the implementation of the interactive shell is likely inspired from the Linux variant of the Derusbi malware.” 

Dave Bittner: Earth Lusca has been targeting public-facing servers belonging to “government departments that are involved in foreign affairs, technology, and telecommunications.” The threat actor is primarily interested in countries in Southeast Asia, Central Asia, and the Balkans. 

Dave Bittner: This backdoor is installed by exploiting known vulnerabilities against unpatched systems. So there are two lessons observers are drawing. First, patch–please patch. And second, Linux needs some love, too–it’s not all Windows out there.

Cyberattack induces Clorox product shortages.

Dave Bittner: Cleaning product manufacturer Clorox disclosed in an SEC filing that the cyberattack it sustained on August 14th has led to ongoing consumer product availability issues.

Dave Bittner: The company is currently in the process of repairing the affected infrastructure and reintegrating offline systems. It anticipates starting the transition back to normal automated order processing around the week of September 25. While most manufacturing sites have resumed production, the full production ramp-up will take some time, and the company cannot provide an estimate for when it will fully normalize operations. Additionally, Clorox acknowledges that the financial and business impact of the attack is significant, particularly in terms of order processing delays and product shortages, which will likely have a material impact on its Q1 financial results.

Cybersecurity incidents in industrial environments.

Dave Bittner: Rockwell Automation has released a report looking at cyberattacks against critical infrastructure, finding that state-sponsored threat actors are responsible for nearly 60% of these attacks. Around 33% of these incidents are “unintentionally enabled by internal personnel.” The report found that “[t]hreat actors are most intensely focused on the energy sector (39% of attacks) – over three times more than the next most frequently attacked verticals, critical manufacturing (11%) and transportation (10%).”

Dave Bittner: Mark Cristiano, commercial director of Global Cybersecurity Services at Rockwell Automation, explained the implications of the findings. He said, “Energy, critical manufacturing, water treatment and nuclear facilities are among the types of critical infrastructure industries under attack in the majority of reported incidents.” In particular, these sectors can expect to face an increasingly stringent regulatory environment. It’s already tightening up with respect to disclosure. Cristiano added, “Anticipating that stricter regulations and standards for reporting cybersecurity attacks will become commonplace, the market can expect to gain invaluable insights regarding the nature and severity of attacks and the defenses necessary to prevent them in the future.”

Where the wild bots are.

Dave Bittner: Netacea (net-uh-SEE-uh) has published a report looking at bot-fueled attacks against businesses in the US and UK, finding that 72% of respondents suffered attacks originating in China and 66% from Russia. 53% of all bot attacks came from these two countries. The researchers note that bot attacks from Russia have increased by 82% over the past two years. The report adds, “Vietnam is an outlier as third highest country of origin, with 48% seeing attacks from here despite the country accounting for just 2% of the population of Asia.”

Potential Russia-DPRK cooperation in cyberspace.

Dave Bittner: Russia's immediate interest in cultivating its relationship with North Korea is the prospect of Pyongyang supplying Russia's army with artillery ammunition, as expenditures have far exceeded Russian production capacity. There are, however, other potential areas of cooperation, notably in cyberspace. An essay in the EconoTimes argues, "Both North Korea and Russia are highly capable cyberwar and cyber intelligence nations: they can disrupt or break key infrastructure and steal sensitive government information. North Korea’s Lazarus group of hackers has been identified –– through careful process tracing –– to be responsible for thefts of crypto currency totalling tens of millions of dollars." Such cooperation wouldn't necessarily require much coordination. Most of North Korea's offensive cyber operations are already directed against countries whose relations with Russia are at least cool, if not downright adversarial.

Dave Bittner: So sure, Russia wants that 122 mm cannon ammunition, even if it is a few decades old. But it might also welcome the Lazarus Group’s services as an auxiliary. Keep an eye out for what Russian television is proudly, if oddly and a little uneasily, calling the Moscow-Pyongyang “Axis.” No, really, they’re saying “Axis” like it’s a good thing. Go figure.

Dave Bittner: Coming up after the break, Joe Carrigan looks at top-level domain name exploitation. Our guest is Kristen Bell from GuidePoint Security with a look at vulnerability versus exploitability. Stay with us. [ Music ] Let's take a moment and think about vulnerability versus exploitability. They are not the same things, and the nuance between them should inform an organization's approach to risk assessment. Kristen Bell is Director of Application Security at GuidePoint Security and she shares her expertise on the difference between the two.

Kristen Bell: So I think, in general, the consensus kind of is that vulnerabilities in and of themselves may not be executable, but they could be, so vulnerabilities are all things that could contribute to an attack. Whereas, exploitabilities are a subset of that, right? So exploitabilities, to me, is something that you can take that vulnerability and directly execute an attack on either a user or a system or whatnot. Whereas, vulnerabilities that fall outside of that category really give maybe a component of attack or may give the attacker more information to craft an attack.

Dave Bittner: So in terms of folks coming at this and defending themselves, is this a matter of kind of taking stock at what they have and then deciding which is which?

Kristen Bell: In some cases. So I've -- I had a client, a very large, you know, kind of name brand company that decided to really make that differentiation more so than I've ever seen in any other environment, and they really put all the prioritization on remediation of anything that was exploitable and everything else that they felt wasn't -- kind of sat in a holding tank. The problem with that is that, if you ask people very specifically around specific vulnerabilities which ones are exploitable or not, you may get some banter back and forth and some debate, right? So there are different schools of thought about what makes something exploitable versus what doesn't, and that's why I say that very high-level definition is pretty generic. So it's a slippery slope to kind of go down that path. I really prefer that people look more at risk, right? What kind of risk does this particular vulnerability pose to the application? If it's obviously exploitable, so like SQL injection or cross-site scripting, right, then, yeah, absolutely, that's going to -- that's going to impact the severity level of that vulnerability. Those exploitable vulnerabilities are going to have a higher severity rating than the less exploitable kinds of vulnerabilities.

Dave Bittner: What about the vulnerabilities? I mean, is it fair to say that over time things can change their status, something that's just a vulnerability over time as processes change within an organization they may become exploitable?

Kristen Bell: That's what we have always said as an industry, right? That as people got smarter, you know, when I first started in the app sec so many years ago, people were still finding the very simplistic SQL injection attacks and vulnerabilities within applications, and now we don't see that as much, right? Those SQL injection attacks that are exploitable are much, much -- they take much more education on the behalf of the attacker. So, and we also, you know, back in the day, when there were a lot of low-hanging fruit like that, we kind of talked about the exploitability factor being different, and that also impacted the severity level. So if you had to have a very skilled attacker, so, say, like cross-site request forgery, then the severity level might -- and the risk level might be a little bit lower just based on the fact that you have to have a very experienced targeted attack with a very experienced attacker versus a script kiddie who can find OR 1 equals 1, you know, in an application and a login form. But I think, to your point, over time, as people have sort of taken app sec a little bit more seriously and shored up some of that, those sort of easier attacks, the exploitability factor is impacted by how skilled does somebody have to be to form that attack and will attackers get better, and we've seen that they have, right? They have been able to increase what they're doing. We're seeing it through open-source vulnerabilities now, like Log4j. We're seeing them find different kinds of attack vectors that maybe we weren't paying as much attention to before. So yes, I think that we need to always be evaluating and reevaluating what's out there as far as the attack surface and the vulnerabilities that we're finding to see how the impact changes over time.

Dave Bittner: What are your recommendations for folks setting the amount of risk they assign to various vulnerabilities and exploitabilities? How should they come at that and set their priorities?

Kristen Bell: So I think like I said, it's twofold. They should have vulnerability severity levels that are mapped to their organizational risk profile in general, right? So some people, say, in retail may bump up certain kinds of vulnerabilities from highs to criticals. Most consulting companies I've seen don't risk things or call out criticals. They call out highs because critical can be so objective from organization to organization. So we tend to not get into those kinds of debates, but we encourage clients to level up to critical on things that for their risk organization they want to see addressed first and foremost based on their business vertical or whatever might be the case if they're, you know, healthcare organization or PCI, you know, have PCI requirements and those sorts of things. But you take that, so once they've established and sort of gone through the vulnerabilities, make sure that the risk -- that the severity levels are appropriate for their organization. They may also need to look at the risk profiles of their application portfolio so that they can say, okay, now, if we have a high-risk application, a higher critical in those cases needs an SLA that's a shorter time period than, say, a medium-risk or a low-risk application. So a low-risk application may have a 30-day window to fix the higher critical, whereas a high-risk application may have three to five days, and that really does help with not burdening developers and giving them sort of guidance on where they should spend their time and how they should fix their issues.

Dave Bittner: That's Kristen Bell from GuidePoint Security. [ Music ] And joining me once again is Joe Carrigan. He is from the Johns Hopkins University Information Security Institute and also my co-host over on the Hacking Humans podcast. Hey, Joe.

Joe Carrigan: Hi, Dave.

Dave Bittner: So when I think of domain names for -- the top-level domains for organizations in the United States --

Joe Carrigan: Right.

Dave Bittner: I generally think of dot-com as being the default.

Joe Carrigan: That's right.

Dave Bittner: And I think I'm right in thinking that overall.

Joe Carrigan: I think so, too, yeah.

Dave Bittner: So there's an interesting article that came by from Brian Krebs over at Krebs On Security about the dot-us top-level domain being used in a lot of phishing scams. So what's going on here, Joe?

Joe Carrigan: Every country, or most countries, I don't know of a country that doesn't have this, but they all get a two-letter top-level domain, a country code TLD, ccTLD.

Dave Bittner: Yeah.

Joe Carrigan: Is what that's called, and then it's up to the country how they want to manage it. So for example, TV, I can't remember what actual country it is. I know it's a small series of islands in the Pacific.

Dave Bittner: Yeah.

Joe Carrigan: But what they've decided to do is they're just going to sell all their domains.

Dave Bittner: Right.

Joe Carrigan: So you can buy a dot-tv domain for like 45 bucks.

Dave Bittner: Yeah.

Joe Carrigan: And they get a portion of that, and I imagine it goes right to the government as a stream of revenue.

Dave Bittner: Sure.

Joe Carrigan: There are also dot-uk, where the U.K. has decided, no, we're not going to use dot-com. We're going to use dot-co-dot-uk, so every website in the U.K. has to be registered under one of our domains.

Dave Bittner: Yeah.

Joe Carrigan: Well, the U.S. has something similar. We have the dot-us domain. That's our, here in America, that's our ccTLD.

Dave Bittner: Right.

Joe Carrigan: And there is something called the "U.S. Nexus requirement," which is a requirement that theoretically limits registrations to parties with some kind of stake in the United States.

Dave Bittner: Okay.

Joe Carrigan: Now, I looked at these regulations, Dave. They're all five pages long.

Dave Bittner: Okay.

Joe Carrigan: And there are three classes of registrants. One is an individual who is either a citizen or a permanent resident of the United States. Another is a company that's in the United States, and the third is a foreign company that has a legitimate business within the United States.

Dave Bittner: Okay.

Joe Carrigan: Well, it would seem that these requirements are not being properly enforced because, according to this article, between May 1, 2022, and April 30th of this year, the Interisle Consulting Group found 30,000 phishing domains registered with dot-us.

Dave Bittner: Huh.

Joe Carrigan: Thirty thousand.

Dave Bittner: Okay.

Joe Carrigan: That means somebody is not applying these Nexus requirements. Now, the Krebs article points out that this is managed by GoDaddy, but if you go to about.us and you do a domain name search and you want to buy a domain, there's a bunch of different services under there that you can buy a domain through.

Dave Bittner: Sure.

Joe Carrigan: It's not just GoDaddy. GoDaddy is the first one. I don't know if GoDaddy has some principle, you know, first among equals kind of thing, you know, going on there, or if they're in charge of things, or whatever.

Dave Bittner: Right.

Joe Carrigan: But it's clear that somebody is not enforcing these Nexus requirements.

Dave Bittner: Is it a kind of a self-attestation kind of thing?

Joe Carrigan: Well, yeah, if you're a citizen, that's essentially what it is. You just have to say that you're a citizen or a permanent resident.

Dave Bittner: Okay.

Joe Carrigan: There's nothing in there that describes, in the requirements, that describes what that attestation must look like. Now, I could probably scrawl it on a piece of paper, take a picture of it, and email it in, you know, or I'm reminded of Benchwarmers where the guy says, "Can I see your birth certificate?" And he shows him a picture of -- says, "I'm 12."

Dave Bittner: Right, right.

Joe Carrigan: But it's that kind of thing. It's pretty easy to get one of these domains, and people are abusing it.

Dave Bittner: Yeah, and the dot-us gives people a false sense of security.

Joe Carrigan: Right. There is a guy by the name of Dean Marks who is the Emeritus Executive Director of the Coalition for Online Accountability. Their organization has been critical, and they note that a lot of other people in the EU don't have this problem, people like Hungary, New Zealand, and Finland. Proof of identity or evidence of incorporation is required, so you probably have to give them some kind of photo ID to register one of these names.

Dave Bittner: Right.

Joe Carrigan: Even doing something as simple as that would probably cut down on the number of bad actors registering dot-us domains.

Dave Bittner: Yeah, interesting.

Joe Carrigan: Because now you have to do an extra step. Now you have to, you know, come up with some fake documents, probably easy to find, but it's more work.

Dave Bittner: Right.

Joe Carrigan: And these guys are -- they're like me. They're all lazy, right? So they're going to do the least amount of work possible. They're just going to go out and try to get some kind of lookalike domain or something else.

Dave Bittner: Yeah. Real quick, before I let you go. We've seen some hurricanes making landfall here in the U.S. and with that always comes scammers not that far behind.

Joe Carrigan: That's right. I've said this before, I think, on Hacking Humans, but I envision the scammers sitting in their little scam offices, running their scam businesses, and on the wall there's the big calendar of scams.

Dave Bittner: Right.

Joe Carrigan: And right now we're in hurricane season, so that's one of the things they're going to be sending out emails about. CISA has a warning about hurricane-related scams on their webpage and they recommend you check out the Federal Trade Commission, "Stay Alert to Disaster-Related Scams" page, and before giving to a charity, which I think lets you -- tells you how to go through and vet a charity.

Dave Bittner: Right, right, yeah.

Joe Carrigan: Which is always a good idea regardless of why you're giving.

Dave Bittner: Yeah, a good thing to share with your loved ones, right?

Joe Carrigan: Right, yup.

Dave Bittner: All right. Well, Joe Carrigan, thanks so much for joining me.

Joe Carrigan: It's my pleasure, Dave.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.