The CyberWire Daily Podcast 9.20.23
Ep 1910 | 9.20.23

Hacking the ICC. ShroudedSnooper active, simple, and novel. New criminal malware used against Chinese-speakers. More on the materiality of cyberattacks.

Transcript

Dave Bittner: The International Criminal Court reports a "cybersecurity incident." ShroudedSnooper intrusion activity is both novel and simple. Criminal malware targets Chinese-speaking victims. The costs of insider risk. More on the casino attacks (and related social engineering capers). In our Learning Layer segment, Sam Meisenberg drops into a CISSP tutoring session and offers some test-taking tips. Our guest is Aaron Brazelton, Dean of Admissions and Advancement at the Alabama School of Cyber Technology and Engineering. And the Clorox incident shows how one company navigates unfamiliar new SEC rules.

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Wednesday, September 20th, 2023. 

The International Criminal Court reports a "cybersecurity incident."

Dave Bittner: Reuters reports that yesterday in the Hague the International Criminal Court (ICC) said it had sustained a "cybersecurity incident." Not only the ICC's staff, but also lawyers for both victims and accused were affected. The ICC's brief statement, communicated in its X (formerly Twitter) channel, said that the Court detected "anomalous activity affecting its information systems," at which time "immediate measures were adopted to respond to this cybersecurity incident and to mitigate its impact." The ICC is investigating with the help of Netherlands authorities, but beyond that the Court has so far offered no further information. In particular there's no attribution, but the most prominent cases before the ICC involve allegations of war crimes and crimes against humanity committed by Russia in the course of its invasion of Ukraine. 

Dave Bittner: The AP reviewed some recent history of Russia's troubled relations with the ICC: "Last year, a Dutch intelligence agency said it had foiled a sophisticated attempt by a Russian spy using a false Brazilian identity to work as an intern at the court, which is investigating allegations of Russian war crimes in Ukraine and has issued a war crimes arrest warrant for President Vladimir Putin, accusing him of personal responsibility for the abductions of children from Ukraine." Russia responded to the warrant, SecurityWeek reminds readers, by placing ICC prosecutor Karim Khan on its own “wanted” list. 

Dave Bittner: So, no attribution yet, but if you bet on form, put your money on Moscow.

ShroudedSnooper intrusion activity is both novel and simple.

Dave Bittner: Cisco Talos describes a new intrusion set dubbed “ShroudedSnooper” that’s targeting telecommunications providers in the Middle East. The threat actor is using two implants Cisco Talos calls “HTTPSnoop” and “PipeSnoop.” Talos states, “Based on the HTTP URL patterns used in the implants, such as those mimicking Microsoft’s Exchange Web Services (EWS) platform, we assess that this threat actor likely exploits internet-facing servers and deploys HTTPSnoop to gain initial access.” The researchers add, “HTTPSnoop is a simple, yet effective, backdoor that consists of novel techniques to interface with Windows HTTP kernel drivers and devices to listen to incoming requests for specific HTTP(S) URLs and execute that content on the infected endpoint.” 

Dave Bittner: There's no attribution, yet, and Talos says that the group's tactics, techniques, and procedures don't match any known groups, and so they're tracking the activity as representing something new. The report notes, however, that state-sponsored groups, particularly groups operating on behalf of Iran and China, have recently shown a strong preference for attacking telecommunication providers, especially providers in the Middle East and Asia.

Criminal malware from China prospects Sinophone victims.

Dave Bittner: It’s worth remembering that there are criminal gangs that operate in, from, and around China that represent a law enforcement problem not only for China’s neighbors, but for China itself.

Dave Bittner: Proofpoint is tracking suspected Chinese cybercriminal campaigns that are targeting Chinese-speaking users with malware-laden phishing emails: “Campaigns are generally low-volume and are typically sent to global organizations with operations in China. The email subjects and content are usually written in Chinese, and are typically related to business themes like invoices, payments, and new products. The targeted users have Chinese-language names spelled with Chinese-language characters, or specific company email addresses that appear to align with businesses' operations in China.”

Dave Bittner: While most of the activity is focused on users in China, at least one campaign is targeting Japanese organizations, which the researchers believe suggests “a potential expansion of activity.”

More on the casino attacks (and related social engineering capers).

Dave Bittner: Okta has told Reuters that the criminals from ALPHV (also known as BlackCat) and Scattered Spider (the gangs are entangled in an affiliate relationship) used vishing attacks against MGM Resorts and Caesars Entertainment. They posed as employees and inveigled IT staff into giving them access to the companies' Okta client. This enabled the attackers to obtain further credentials within the Okta identity management system used by the organizations. Okta said that three of its other customers (unnamed, but said to be in the manufacturing, retail, and technology sectors) have recently sustained similar attacks. 

Dave Bittner: On August 31st the identity management provider warned of this trend. "Okta has observed attacks in which a threat actor used social engineering to attain a highly privileged role in an Okta customer Organization (tenant)," the company blogged. "When successful, the threat actor demonstrated novel methods of lateral movement and defense evasion. These methods are preventable and present several detection opportunities for defenders." Prevention would include adopting "phishing-resistant methods for enrollment, authentication and recovery," tight privilege management, and implementation of "dedicated access policies for administrative users." Okta also recommends close monitoring and swift investigation of any "anomalous use of functions reserved for privileged users."

Dave Bittner: Of the two casino chains hit, Caesars Entertainment saw data belonging to its loyalty program affected, but was able to keep its operations online during the incident. The Form 8-K the company filed with the SEC strongly hinted that it had paid the attackers ransom. MGM Resorts has had by all accounts a more difficult time. The New York Post reports that MGM continues to have trouble with its slot machines and hotel systems eight days after the attack was detected. The company is estimated to be losing as much as $8.4 million per day in revenue.

Dave Bittner: The MGM and Caesars incidents come as public companies come to grips with recently promulgated US Securities and Exchange Commission (SEC) regulations mandating quick disclosure of cyber incidents deemed likely to have a material effect on a business. These two companies face an additional regulatory burden, Dark Reading points out, in the form of oversight by the Nevada Gaming Control Board, whose Regulation 5.260 requires "covered entities" (including casino operators) to establish effective cybersecurity measures. In the event of an incident "resulting in a material loss of control, compromise, unauthorized disclosure of data or information, or any other similar occurrence," a casino operator must disclose the incident to the Board within seventy-two hours and undertake both investigation and remediation of the incident.

Clorox incident shows how one company navigates unfamiliar new SEC rules.

Dave Bittner: There’s another object lesson on compliance and materiality underway at Clorox. The cyberattack that disrupted operations at the major consumer products company was also among the first major incidents to fall under the US Securities and Exchange Commission (SEC) rules that went into effect on September 5th. (Compliance dates for mandatory reporting are somewhat later, falling for most companies in December. "The Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023. The Form 8-K and Form 6-K disclosures will be due beginning the later of 90 days after the date of publication in the Federal Register or December 18, 2023," the SEC explained.)

Dave Bittner: The Wall Street Journal reviews how the company has responded publicly to the incident, and it seems to be doing about the best that can be done under fluid conditions with imperfect regulatory clarity. Clorox has issued six statements, including two Forms 8-K, since the incident was disclosed on September 14th, shortly after it was detected. There are at least two challenges. The first is keeping reporting current as an investigation unfolds ("A stream of 8-Ks will be the new norm,” one expert told the Journal), because after all investigation takes time. And the second challenge is determining whether an incident has a material impact on a public company. Materiality is a reasonable-investor, common-sense standard that will doubtless undergo some clarification over time.

Dave Bittner: In the meantime, when in doubt, file those 8-Ks.

Dave Bittner: Coming up after the break, in our "Learning Layer" segment, Sam Meisenberg drops into a CISSP tutoring session and offers some test-taking tips. Our guest is Aaron Brazelton, Dean of Admissions and Advancement at the Alabama School of Cyber Technology and Engineering. Stay with us. Many have said that if we want to meet the workforce gaps facing cybersecurity, we need to reach kids earlier in their educational journey, provide them with experiences and opportunities to get a head start on a potential cybersecurity career. The U.S. state of Alabama is doing just that. Back in 2018, Alabama Governor Kay Ivey signed legislation establishing the Alabama School of Cyber Technology and Engineering, a high school located in Huntsville. Aaron Brazelton is Director of Admissions and Advancement at the school.

Aaron Brazelton: When you're in a traditional high school, you know, your class selection, it's like a booklet. You can pick your classes, it's a buffet. You know, you can decide, do you want to take this or you want to take that? At our school, it's more of a seated dinner, chicken or fish. We prescribe to you the classes that you're going to take in order for you to get through your program in three years. That's another thing that makes us different is our entry points are 9th grade and 10th grade. So we enroll rising 9th graders, so current 8th graders going into 9th grade, and rising 10th graders, so current 9th graders going into 10th grade. And the students, they come in, they learn in 9th grade on campus. They learn in 10th grade on campus. They learn in 11th grade on campus. But their senior year, they are full-time in internship with one of our 75 partners. And you can go online, you can check out all of our partners in education. And two of our biggest gifts came from Raytheon Technologies and also Redstone Federal Credit Union. But our partners span the spectrum of industry. We have partners from commercial industry, from private industry, from DOD, from government, from K-12, from higher education. And so that senior year, kids take everything they've learned in theory for the past three years and they apply it in practice their senior year, full-time in an internship.

Dave Bittner: Well, I would imagine with an opportunity like this, there's a lot of demand. How do you select who's going to be able to go through the program?

Aaron Brazelton: So our admissions demand far exceeds our capacity to enroll. So our admissions process is definitely research-based. We look at academic factors and non-academic factors. We look at cognitive factors and non-cognitive factors to try and get a full view of the students coming in. So we ask for three years of academic transcripts. So those are your grades, attendance, and discipline. There's a parent letter of interest, there's a student letter of interest. There are some short essays that you have to write. And then there's also a recommendation from your current math teacher and a recommendation from your current counselor or school administrator to supplement your application. For those students applying from virtual situations or homeschool situations or private school, we do require a nationally recognized standardized test, such as the ACT, the SAT, or the SSAT.

Dave Bittner: And what about for folks who come from underrepresented groups, women or people of color?

Aaron Brazelton: Absolutely. So one thing that has made our school so attractive for industry is the fact that we are designed to be disrupting what representation can look like in the STEM field. So at our school this year, 38% of our students are students of color and 35% are female students. We've done that very intentionally by partnering with community-based organizations like Boys and Girls Clubs, Girls Inc., Girl Scouts, NAACP. We're partnering with churches across the state. I'll actually be headed down to Mobile in just a couple of days to meet with the Boys and Girls Club down there to talk about our program. Now it is important to note that with the recent decision from the Supreme Court to just reaffirm our stance that we actually don't look at race or gender in the application process. But we do work to increase the number of female students applying to our school and to increase the number of students of color applying to our school because we know that if they're represented at higher levels in the application process, then naturally more will be accepted when it comes to enrollment.

Dave Bittner: Now as the students make their way through this program, are most of them college-bound or will some of them be heading right into industry when they finish high school?

Aaron Brazelton: It's an interesting conundrum that we face because with our students in internship full-time and just the talent and quality of our students enrolled at our school, industry does want to hire students right out of high school. But we are a high school and our goal is for 100% of our seniors to matriculate to the college or university of their choice. We just graduated our first senior class. There were only 17 in that class. They were our first group of kids that came in. Those seniors, the average ACT score was a 31. They were accepted to 37 colleges and universities and they earned about $3.7 million in merit aid scholarships alone. And they 100% went to university.

Dave Bittner: How are you all measuring success here and what are your hopes to grow the program in the future?

Aaron Brazelton: Absolutely. So our metrics of success are trifold. First are we getting kids into the college or university of their choice, and how are they performing once they are there? And those numbers are coming back pretty strong with our first senior class being accepted to most of their first-choice options. The second thing that we're doing or how we measure success is the fact that all of our kids are going into internship, and we need to know that they are prepared to address the challenges in the current workforce. And we're starting to get that data back from industry saying, hey, your kids know X, Y, and Z and it will be helpful for them to know A, B, and C as well. So one thing that I'm proud of as a school is that we are reflective practitioners. We're not a school that can rest on our laurels and say that, hey, like this is what we need to do. This is how it's always been done. This is how we're going to do it. But every year we look at what works and what doesn't work and we pivot to meet the demands of both higher education and industry. The third metric of success for us is really increasing the number of partners in education that we have. Our foundation does incredible work under the leadership of Alicia Ryan and Peggy Lee Wright to ensure that the partners in education that are coming into our portfolio are not just mission fit, but that they are also able to provide opportunities for our students to gain real world experience. So to become a partner in education, not only do you provide mentorship, field experiences or internship opportunities for students, but you also have the opportunity to have naming rights for a building or for, you know, part of our campus. So if you look at how our school is funded, we receive a line item from the governor every year and that allows us to operate as a school. It covers utilities, it covers salary and personnel, food costs. 

But the actual brick and mortar of our campus, the buildings that we're in, that is all privately raised from our partners in education. So our foundation has done an incredible job. They've raised over $25 million in the past two and a half years to support the construction of this permanent campus. And with a grant that we received from the state of Alabama, we're going to be actually erecting a new student activity center in January, a $13 million building that is half privately funded, half state funded, that will also serve as campus. Our growth and how many students we're able to have on campus completely depends on our partnership levels. We do have plans in the works to add another academic building and another residential building that would allow for our enrollment to exceed, you know, 650, 700 students. But that will all happen as those donations roll in to construct our physical campus.

Dave Bittner: That's Aaron Brazelton from the Alabama School of Cyber Technology and Engineering. Coming up in our "Learning Layer" segment, host Sam Meisenberg drops into a CISSP tutoring session and offers some test taking tips. Here's Sam.

Sam Meisenberg: Welcome to "Learning Layer". On this segment, we're going to be dropping you into the middle of a CISSP tutoring session. So I'm actually going to be working with a student named Ethan, and we're going to be going over some tricky content from the CISSP exam. Now, even if you are not studying for the CISSP, I think the topic that we're going to talk about is still relevant. And we're going to be going over some general test taking and exam prep approach tactics. So I think no matter what exam you're studying for, it will be relevant. So without further ado, let's get to the session. So I think overall you're doing, you know, the right things. Seems like you have a good strategy and approach, but is there any content that you are struggling with?

Ethan: Yeah, I think something that I've been struggling a lot with in my studies is the difference between due care and due diligence. These things aren't just really making sense when I'm reviewing my notes and going over it.

Sam Meisenberg: So don't feel bad. It's a tricky concept that, you know, a lot of students wrestle with, but the good news is like once you know it, you really know it. It kind of makes sense. So before we get into like defining the words, though, let's take a step back, right? It's always important to see the forest, you know, and the trees. So what domain or what sort of umbrella topic area does this stuff fall under?

Ethan: Yeah, if I remember correctly, it falls under domain one, which is like a lot of the managerial stuff and talking about what businesses should be doing to maintain cyber practices.

Sam Meisenberg: Right. So domain one is called security and risk management. That risk management piece is about sort of, it's like the least technical, right, of all the domains. It's like, as you said, what the business should be doing. Now due care and due diligence are actually like legal words. So we're talking about concepts that protect the business, right? So you're making sure you're doing things in a proper way so that if, you know, something were to go wrong, we are protecting the business because we're doing things to, as you said, help secure the business. So it's about like if a compliance, you know, lawsuit ever came about, we're making sure that the senior leadership is protected and the business is protected. So with that context, let's get into the topics themselves. So easy way to think about it. Due diligence is sort of the precursor to due care. That's how they're related. What I mean by that is due diligence is like research. You are doing preemptive measures to make sure that you're not introducing unnecessary risk. And then due care is sort of the follow-on to that, meaning after you make some sort of business decision, you are then doing upkeep, right? Sometimes you see it as like "all reasonable measures" is a favorite phrase of ISC2. You basically are taking actions after a decision has been made. So does that sort of make sense?

Ethan: Yeah. So if I'm following right, the due diligence takes place before you would do anything. It's making sure we have all our bases covered, kind of to say, whereas due care, that happens afterwards to make sure that we're routinely following and making sure our business is protected, you know, months, weeks, years after down the line.

Sam Meisenberg: Absolutely. Absolutely. I think that's a pretty good summary. So also I think you had a question, right, that you wanted to ask.

Ethan: Yeah. This was one of the questions that I kind of got wrong, came back to, still was struggling with it, which is why I kind of asked this, brought this up with you, which is the question is before closing business deals, a best practice is to assess third party vendors to find what risks exist and develop ways to manage known risks.

Sam Meisenberg: All right, stop. So just from that question stem itself, right, because I think that the question itself then goes on to ask, what is this best practice known as? So even at that point, you should know the answer.

Ethan: Yeah.

Sam Meisenberg: What is it?

Ethan: The answer is going to be due diligence in here.

Sam Meisenberg: Right.

Ethan: Because like some of the keywords that I'm looking at, you know, instantly kind of hopping off is like before, you know, seeing in the word assess, you know, kind of developing and finding, you know, it's things that you would do before entering that deal rather than afterwards.

Sam Meisenberg: Right. And the word assess, to be clear, you can do assessments as part of due care, right? Like for example, vulnerability assessments, pen testing, that's all sort of part of staying compliant and doing, you know, those actions after, for example, this business deal has closed. So in the context of a question, they're talking about assessing before you actually merge, before you actually, you know, close that business deal. So in this case, that's right. It's due diligence. So what just happened -- by the way, we should check the right answer. Is due diligence one of the answer choices?

Ethan: It is the right answer choice.

Sam Meisenberg: Great. Perfect. So what just happened is you predicted the right answer. You read the question stem, you thought about it, and then before reading the answer choices, you just went and found that. And that's how you go fast on exam day. That's how you get the right answer. So Ethan, I think you told me one time you're a football fan.

Ethan: Yes. Right. Diehard Eagles fan.

Sam Meisenberg: Eagles. Okay. Sorry. Apologies for the Super Bowl loss.

Ethan: Thank you for that.

Sam Meisenberg: Can you name somebody who like plays defense?

Ethan: Yeah. Darius Slay, you know, cornerback.

Sam Meisenberg: Cornerback?

Ethan: Yeah.

Sam Meisenberg: Okay. So you know that play where like they -- I think it's called like jumping the route. They sort of anticipate the throw or the route and they kind of like jump in front and intercept the ball.

Ethan: Yep.

Sam Meisenberg: That's the feeling you should have on exam day when you're going through a question. You got to be proactive, not reactive. The answer choices are the scary, confusing places. The question stem is where you want to do all that hard work of thinking about the answer choice, predicting it. That way you don't get confused by the answer choices.

Ethan: Gotcha.

Sam Meisenberg: And if you predict and it's not there, then it's time to panic, right? Then you can sort of figure things out. But all of the sort of thinking and hard work should be happening in the question stem. Like if you do a question, it takes you a minute and a half. The minute, the 60 seconds should really be spent on the question stem before you get to the answer choices.

Ethan: That makes sense.

Sam Meisenberg: Thank you for joining me on today's "Learning Layer". Hopefully you got something out of that tutoring session with Ethan. And if you yourself are studying for a cybersecurity certification exam, whether it be CISSP or another one, and you have some tough questions that you want to throw my way, please feel free to email me at learninglayer@n2k.com. Happy studying.

Dave Bittner: That's my N2K colleague, Sam Meisenberg, with the "Learning Layer". And that's The CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like The CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Ervin and senior producer Jennifer Eiben. Our mixer is Trey Hester, with original music by Elliott Pelzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.