The CyberWire Daily Podcast 10.2.23
Ep 1918 | 10.2.23

Adventures of ransomware, and other developments in cybercrime. Cyberespionage and hybrid warfare. A government shutdown averted. Cybersecurity Awareness Month is underway.

Transcript

Tré Hester: Double-tapping ransomware hits the same victim twice. Exim mail servers are found exposed to attack. Iran's OilRig deploys Menorah malware against Saudi targets. North Korea's Lazarus Group targets a Spanish aerospace firm. Update your ransomware scorecards: LostTrust is a rebrand of MetaEncryptor. Increased domestic surveillance in Russia, done partly so propaganda can be more effectively targeted. Killnet claims to have hit the British Royal family with a DDoS attack. A US Federal Government shutdown has been averted, for now, anyway. Michael Denning, CEO at SecureG for Blu Ventures, shares developments in zero trust. Rob Boyce from Accenture Security talks about Dark Web threat actors targeting macOS. And Cybersecurity Awareness Month begins this week.

Tré Hester: I’m Tré Hester filling in for Dave Bittner with your CyberWire intel briefing for Monday, October 3rd, 2023. 

Double-tapping ransomware.

Tré Hester: The US Federal Bureau of Investigation (FBI) has issued a Private Industry Notification outlining emerging trends in ransomware attacks, including “multiple ransomware attacks on the same victim in close date proximity and new data destruction tactics in ransomware attacks.” The Bureau notes, “This use of dual ransomware variants resulted in a combination of data encryption, exfiltration, and financial losses from ransom payments. Second ransomware attacks against an already compromised system could significantly harm victim entities.” Ransomware variants involved in these attacks include AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal.

Exim mail servers exposed to attack.

Tré Hester: BleepingComputer reports that millions of Exim mail servers are exposed to a zero-day flaw that can allow an unauthenticated attacker to perform remote code execution. According to Trend Micro’s Zero Day Initiative (ZDI), “The specific flaw exists within the smtp service, which listens on TCP port 25 by default. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of a buffer. An attacker can leverage this vulnerability to execute code in the context of the service account.” ZDI notes, “Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application.”

Tré Hester: BleepingComputer says that more than 3.5 million Exim servers are currently exposed to the Internet.

Iran's OilRig deploys Menorah malware against Saudi targets.

Tré Hester: Trend Micro says the Iran-aligned threat actor APT34 (also known as “OilRig” or “Helix Kitten”) is using a new strain of malware called “Menorah” to conduct cyberespionage. The researchers observed the malware delivered via a spearphishing attack that targeted a Saudi Arabian entity. Menorah appears to be a new variant of the SideTwist backdoor: “The .NET-written malware delivered through the malicious document is primarily deployed for cyberespionage and possesses multifaceted capabilities. The malware can fingerprint the targeted machine, list directories and files, upload selected files from the compromised system, execute shell commands, and download files to the system. Compared to the previous variant of SideTwist, the new variant has more functions to hash the traffic to the command and control (C&C) server and make it stealthier to avoid detection.”

North Korea's Lazarus Group targets Spanish aerospace firm.

Tré Hester: ESET warns that North Korea’s Lazarus Group targeted employees of a Spanish aerospace company by posing as job recruiters and sending Trojanized coding challenges: “The fake recruiter contacted the victim via LinkedIn Messaging, a feature within the LinkedIn professional social networking platform, and sent two coding challenges required as part of a hiring process, which the victim downloaded and executed on a company device.”

Tré Hester: The challenges were used to deliver a new remote access Trojan called “LightlessCan,” which ESET says “represents a significant advancement compared to its predecessor, BlindingCan.”

LostTrust ransomware is a rebrand of MetaEncryptor.

Tré Hester: LostTrust ransomware became active this past March, but achieved widespread notoriety only last month, when it established a data dump site. It now appears, BleepingComputer reports, to represent a rebranding of the MetaEncryptor ransomware, which itself only appeared in August 2022.

Increased surveillance in Russia.

Tré Hester: The Russian parliament, the Duma, is considering expanding the FSB's domestic surveillance remit to conduct more extensive monitoring of Russian Internet, banking, and telecommunications company users, the ISW reported. The surveillance would extend beyond simple intrusion and monitoring, and would amount to full control of databases, with the FSB authorized to remotely access, edit, and delete information in Russian private businesses’ databases. The Russian tech sector, including Yandex, opposes the measure on the grounds that FSB activities would render data less secure.

Tré Hester: The Institute for the Study of War, citing the independent Belarusian media outlet Vot Tak, reports that Russian First Deputy Presidential Chief of Staff Sergey Kiriyenko had engaged the not-for-profit organization Dialog to categorize Russian Internet users, the better to tailor its messaging to their beliefs, interests, and dispositions. The categories, developed from both user data and information from government agencies, classify users by "profession, interests, and political beliefs and specifically orients false news about the war in Ukraine and pro-war narratives toward Russian military personnel, relatives of military personnel, and civil servants." And Dialog also sorts users as "loyal" or "disloyal." The classification and subsequent targeting seems to derive from Dialog's inability to develop "unified and clear narratives" that would appeal to the Russian public as a whole. Targeted messaging could also serve to promote self-censorship.

Killnet claims Royal family DDoS.

Tré Hester: The British Royal family's official website went down Sunday due to a distributed denial-of-service (DDoS) attack, Sky News reports. No data was lost, and services on the site were restored within hours. The Russian hacktivist auxiliary KillNet claimed responsibility in its Telegram channel, but those claims could not be verified. NDTV quotes KillNet as saying the DDoS campaign was an "attack on pedophiles."

A US Federal Government shutdown averted (for now).

Tré Hester: The US Congress avoided a government shutdown Saturday with the eleventh hour passage of a continuing resolution that will keep the government operating for another forty-five days, by which time Congress hopes to have passed the budget for Fiscal Year 2024. Fiscal Year 2024 begins on October 1st. The government would face another shutdown in the middle of November if a budget isn’t passed by then, so it’s worth keeping the implications of the continuing resolution in mind over the coming weeks.

Cybersecurity Awareness Month begins this week.

Tré Hester: And, finally, October is Cybersecurity Awareness Month, and this year the US Cybersecurity and Infrastructure Security Agency (CISA) has announced a theme: “Secure Our World.” As CISA explains, “Not only will Secure Our World remain a consistent theme for every Cybersecurity Awareness Month in the future, but it will also launch as CISA’s new cybersecurity awareness program.” 

Tré Hester: The idea behind the campaign is to educate Americans about simple ways they can improve their cyber hygiene. The four main recommendations are using strong passwords, activating multifactor authentication, recognizing and reporting phishing scams, and updating software to ensure all security patches and salutations have been installed. The agency has created a “Secure Your Business” web page that focuses on corporate cybersecurity advice, and a page dedicated to tools geared toward small and medium-sized businesses. CISA and the National Cybersecurity Alliance (NCA) joined forces to develop a Partner Toolkit complete with a PDF guide, a sample email to spread the word to employees, and a Cybersecurity 101 presentation to educate staff and other stakeholders. As well, CISA will be offering a series of free webinars throughout the month. 

Tré Hester: The President and Congress first declared October Cybersecurity Awareness Month in 2004, meaning this year marks its 20th anniversary. In honor of this milestone, the National Institute of Standards and Technology (NIST) has shared a timeline summarizing the history of the agency’s cybersecurity program. NIST will also be offering a blog series covering various topics of interest, and hosting events throughout the month including a Block Cipher Modes of Operation workshop, a social media challenge, and Cybersecurity Career Week. The first entry in NIST's blog series addresses the first week's theme: "enabling multifactor authentication." 

Tré Hester: So it’s Cybersecurity Awareness Month. Do you know where your multifactor authentication is?

Tré Hester: Coming up after the break, Rob Boyce from Accenture Security talks about Dark Web threat actors targeting macOS. And as part of our sponsored Industry Voices segment, Michael Denning, CEO at SecureG for Blue Ventures, shares developments in zero trust. Stick around.

Dave Bittner: Mike Denning is CEO at SecureG, provider of cloud native PKI for Zero Trust. In this sponsored Industry Voices segment, he shares his thoughts on Zero Trust machine identity, AI, and the current state of startup innovation and funding.

Mike Denning: I use -- usually use an analogy that involves a mall for people that are new to security or cybersecurity or want to understand that, when you grant permission previously, prior to Zero Trust, you would grant access to the mall. And, in that mall, you'd be allowed to pretty much go to a Footlocker or a Macy's or the Apple Store or visit pretty much any store you want once you got through that initial door into the mall itself. The Zero Trust paradigm changes that. And what ends up happening now is you have to get -- to get into the mall, you have to disclose your specific destination that you're intending to go, let's say Footlocker. You're allowed to go there, and then you're allowed to come back. You're not allowed to visit any other stores on the way. So that Zero Trust to me, at this most simple level, is you're authenticated for a purpose. You're allowed to accomplish that purpose, and then you've got to reauthenticate yourself if you plan to do anything else.

Dave Bittner: That's a great analogy. Let's talk about machine identity when it comes to Zero Trust. What exactly do we need to know there?

Mike Denning: I think a lot with machine identity is just the volume and complexity. As the market evolves, as you're seeing new applications, the complexity of those applications that drive the command and control of machines is becoming much more ethereal. And those things dissipate. They move away. They -- maybe they exist in a period of time. So some of the bigger challenges we've seen in the marketplace are around how do you authenticate, validate, attest to things that maybe are turned up and turned down in a very short amount of time? And virtualized environments and virtual networks even present kind of a unique challenge for Zero Trust.

Dave Bittner: And where do we stand when it comes to the availability of some kind of standardized framework?

Mike Denning: Well, I think you look at how security, part of the work we're doing at my company is that we're looking very closely at how standards can be used and deployed across the smallest possible form factor, whether that form factor is a chip or a singular device or even a virtualized Kubernetes cluster. The important part there is the ability to give an identity that might exist in a point of time, and you have the control to turn it up and turn it down in a really short amount of time, I think referencing public key infrastructure. It's a pretty well-understood standard but still very complicated to deploy. And when you start adding the complexity of the speed with which you want to turn up and turn down virtualized environments, it becomes that much more complicated. So there's a lot of work going on today, particularly in the IETF and some of the other standards bodies to help companies understand how we're going to deal with kind of the emerging threat landscape when it moves from just compromising individuals to compromising the subsystems that make up the kind of unseen critical infrastructure that drives a lot of our everyday lives.

Dave Bittner: You know, Mike, I think it's fair to say that we're in this moment right now where certainly the public's imagination has been captured by artificial intelligence. And it's being talked about far and wide. What part do you think it has to play in the security marketplace here? I mean, is this -- to what degree does this need to have our attention?

Mike Denning: I think -- I think you'll see the evolution in -- of AI. It's not -- all the headlines, I think, in AI today are the kind of the generative language. I think inside of security it's going to be slightly different. We've been working, you know, over the last 25 years of my time in the security industry around identifying anomalous behavior. And so I do think that AI can play a critical role in helping to understand the nuances, and they're getting smaller and smaller as people attend to obfuscate their movements within networks, within systems. With permissions, AI will be able to help further refine where to look. AI will be able to help sharpen the systems and the inputs to say, hey. These -- this is really anomalous behavior that should focus your attention because it's always been for us in the security industry the challenge of finding the needle in the haystack of needles, right. And so I really think AI will be -- help to inspect things in a much more granular level and bring those to the top.

Dave Bittner: You know, as an entrepreneur yourself and, as you mentioned, someone who's been in the industry for some time now, can we talk a little bit about the place of these innovative startups in the community here, the important role that they play.

Mike Denning: Yeah. I think we're doing that a lot. I've only been the CEO of this company about 18 months. Before that, I was a partner at a cybersecurity focused early stage, seed stage A round of venture investors. There's a lot, I think, for -- for folks that have a good idea in the -- in the cybersecurity space. There's a lot of excitement and helping hands, if you will, that want to see us as entrepreneurs in the cybersecurity space succeed. And I think you see hubs of those, whether it's -- you know, I'm in the Washington, DC area, so you get a lot of public sector expertise, fighting nation state attacks. But you see it across, you know, Silicon Valley and Boston and New York. I think these are the events like the one that our Blue is putting on later this month that's going to be, you know, we get a lot of people. There's just excitement, right? You want to see what's next. Those are the kinds of things that are going to be really bringing entrepreneurs with savvy tech investors with -- with the support system to do it, I think is, is what's required. I think the other challenge really right now is capital for investing in these early stage companies across the board is taking a pause, right. It's -- there's still a lot of opportunity for early stage startups. But I think you're seeing kind of check sizes are a little smaller. People want to see a little more traction for some of the most innovative companies. They want to see customer one. They used to be okay with an idea. Now they want to see customer one, two, or three signing off to that. So I think it's pretty interesting what's happening. It's causing entrepreneurs to get -- sharpen the pencils a little bit. I think we're starting to see more fractional work. We've kind of gone from quiet quitting to, you know, I think a lot of fractional talent. So whether it's software developers or finance professionals. Legal professionals tend to always be in this fractional type role until the companies get bigger. But I think that's the thing that we're seeing is that, you know, having the right person even 20% of their time is better than having 100% of the wrong person's time. So I think that's the other thing we're seeing that's kind of a post-COVID, you know, quiet quitting combined with the people are having to get smarter with and a little stingier with their deployment of capital.

Dave Bittner: That's Mike Denning, CEO at SecureG.

Tré Hester: Thank you again to Michael Denning for joining us. He's appearing on behalf of the Blue Cyber Venture Forum. You can find details for the conference through the link in our show notes.

Dave Bittner: And I'm pleased to be joined once again by Robert Boyce. He is managing director and global lead for cyber resilience at Accenture. Rob, it's always great to have you back. I know you and your colleagues there at Accenture have been looking into some Dark Web threat actors that seem to be targeting macOS lately. What are you looking at here?

Robert Boyce: Yep. Thanks, Dave. And it's always a pleasure to speak with you. You know, this is really interesting. I mean, we've gone back to 2019 to start pulling some trends around threat actors targeting macOS. And we are seeing since 2019 a thousand times more activity in the interest of finding vulnerabilities or access or ways around the ways to bypass security features of macOS. And 2023 has already surpassed 2022 six months into the year. And so it is clear that this is becoming much more of a focus area for threat actors right now.

Dave Bittner: You know, as a longtime macOS user myself, I will -- I will cop up to a certain smugness when it comes to feeling as though the system that I've chosen is, you know, comparatively secure to some of the other ones that are out there. Is that no longer justified?

Robert Boyce: I think there are a lot of people who have the same sentiment as you, including myself as a macOS user. And I think, as of today, you know, I would still say that, of course, Mac is a more secure platform. But there's a lot of that, that has been because of the lack of targeting by threat actors. Like, listen. Windows is -- is all over the world, right? It is a number one operating system. It still is the number one operating system right now. So it's not surprising that threat actors have been targeting that with emphasis. And, as we have seen, there is no shortage in security vulnerabilities that we continue to see through -- through that operating system. I think what we're really saying now is we need to be more mindful that that concept of buy a Mac and be secure is going to be a little less certain. Right? Like, we are absolutely seeing threat actors on the Dark Web advertise for wanting to buy either exploits that will bypass critical security features of macOS such as Gatekeeper or TCC, transparency consent controls. And they're offering -- we've seen one offer for, you know, $500,000 to be able to get an exploiter, a bypass of macOS Gatekeeper. We've seen other offers for up to a million dollars for a similar exploit available on the platform. So we know that the demand now is there, which I think will follow the demand is going to be the very talented hackers that will start to produce the content to meet this demand. And this is where we really haven't seen a focus. It's just not been there in the past. But we are now seeing threat actors have a much higher focus on being successful in this space.

Dave Bittner: How much of this is -- is a sense of, you know, the folks who tend to use macOS are being specifically targeted? In other words, is the value coming from the folks who are using these systems? Or is the value coming from the fact that these vulnerabilities are fewer and farther between, or is a blend of both?

Robert Boyce: You know, I remember reading a report a little while ago that estimated I think 23 -- this was in 2020 -- 23% of corporate devices are now running on macOS. And that was two, three years ago. So I am sure it's more than 25% at this point. So you can start to see it's not -- it's not just maybe targeting the people who are using them as much as it is now of consequence in an enterprise. And if we want to think about being able to cause maximum disruption or be able to obtain maximum foothold within an environment, we need to now consider macOS to be part of that enterprise solution. So I just think it's a shift over time of organizations adopting this technology that is now pushing threat actors to have more of a focus in that area.

Dave Bittner: And so what are your recommendations here for organizations who have macOS systems installed? Should they have a heightened sense of vigilance?

Robert Boyce: I think people now need to start understanding that the, you know, what we did think -- as you said earlier, like, what we thought before to be true where macOS was less targeted, impenetrable, we should now reframe that thinking to think about, you know, our macOS systems to be similar to any other IT system we have within our enterprise, and it needs to be protected the same. Our organizations need to keep watch in this space, right. They need to make sure that they're up to speed on their threat intel that's coming in or the -- you know, if they have a Dark Web search team, that this is now part of their collection requirements to really continue to keep focused on what is happening in the space because I promise it's going to go from we haven't seen this to overnight we will see a significant impact. And then because, you know, we're going to have very, very smart hackers creating this content, that knowledge will start trickling down to the next level. And then we will see more and more focus in this space, especially when people are offering half a million to a million dollars for a single exploit. And we -- and we have already started to see threat actors selling macOS exploitation capabilities already, so we know it's happening. We've also seen LockBit 3.0 start to talk about creating ransomware for macOS systems in particular. Now, we haven't seen it in the wild yet. But they have, you know, agreed that they have confirmed that they are developing and testing. So it will just be a matter of time, I think, until we start seeing more exploitation in the macOS space.

Dave Bittner: All right. Well, Rob Boyce is global lead for cyber resilience and managing director at Accenture. Rob, thanks so much for joining us.

Tré Hester: And that's it for the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. We'd love to know what you think about this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is me with original music by Eliot Peltzman. The show is written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Tré Hester filling in for Dave Bittner. Thanks for listening. We'll see you back here tomorrow.