Security risks in the hardware and software supply chains. Patches and proofs-of-concept. A look at recent incidents hitting major corporations. Online surveillance and social credit in Russia.
Tré Hester: Apple patches actively exploited iOS 17 vulnerability. Qakbot's survival of a major takedown. BADBOX puts malware into the device supply chain. LoonyTunables and a privilege-escalation risk. Scattered Spider believed responsible for cyberattack against Clorox. Sony discloses information on its data breach. In today’s Threat Vector segment, Chris Tillett, Senior Research Engineer at Palo Alto Networks and member of the Advisory Board at Titaniam Labs, joins host David Moulton to delve inside the mind of an insider threat. Dave Bittner sits down with Eric Goldstein, Executive Assistant Director at CISA, to discuss shared progress against the ransomware threat. And the Kremlin tightens control over the Russian information space.
Tré Hester: I’m Tré Hester filling in for Dave Bittner Dave Bittner with your CyberWire intel briefing for Thursday, October 5th, 2023.
Apple patches actively exploited iOS 17 vulnerability.
Tré Hester: First, some patching news out of Cupertino.
Tré Hester: Apple has patched two serious vulnerabilities affecting iOS and iPadOS, SecurityWeek reports. Apple says one of the flaws, CVE-2023-42824, a privilege escalation vulnerability affecting the kernel, “may have been actively exploited against versions of iOS before iOS 16.6.” SecurityWeek notes that this is “the 16th documented in-the-wild zero-day against Apple’s iOS, iPadOS and macOS-powered devices.”
Tré Hester: The other flaw, CVE-2023-5217, is a buffer overflow vulnerability affecting WebRTC that could enable remote code execution. This vulnerability involves a problem with the libvpx video codec library. BleepingComputer writes, "The libvpx bug was previously patched by Google in the Chrome web browser and by Microsoft in its Edge, Teams, and Skype products.'
Tré Hester: The patches merit your quick attention, if you’re an Apple user.
Qakbot's survival of a major takedown.
Tré Hester: The operators of Qakbot are back, Cisco Talos researchers report. They're distributing Ransom Knight ransomware in a campaign that began in early August and continues into the present. The activity continues despite an FBI-led takedown of Qakbot's infrastructure. "Notably, this activity appeared to begin before the FBI seized Qakbot infrastructure in late August and has been ongoing since, indicating the law enforcement operation may not have impacted Qakbot operators’ spam delivery infrastructure but rather only their command and control (C2) servers."
Tré Hester: Qakbot’s operators lost an important part of their infrastructure, but they remain at large, and may well be working to reconstitute their operation. No one really expects that an infrastructure takedown puts a gang out of business permanently, not while the gangsters remain at large.
BADBOX puts malware into the device supply chain.
Tré Hester: Security firm HUMAN has disrupted “a key monetization mechanism of a sophisticated series of cybercriminal operations involving backdoored off-brand mobile and CTV Android devices, sold to end users through major retailers originating from repackaging factories in China.” The campaign, “BADBOX,” uses the Triada malware “to steal personally identifiable information, establish residential proxy exit peers, steal one-time passwords, create fake messaging and email accounts, and other unique fraud schemes.”
Tré Hester: HUMAN worked with Google and Apple to disrupt the ad fraud portion of BADBOX, dubbed “PEACHPIT.” Additionally, the researchers “shared information about the facilities at which some BADBOX-infected devices were created with law enforcement, including information about the organizations and individual threat actors believed to be responsible for the PEACHPIT operation.”
Tré Hester: It’s not the first time malware has been introduced into devices before they were purchased, and it’s unlikely to be the last, but HUMAN thinks this operation was an unusually clever and complicated one.
Tré Hester: Not to rain on any entrepreneur’s parade, but it’s probably a good idea to stay away from off-brand connected devices, maybe buy your next router or smart phone from a vendor you know, and not from Leon’s House of Tire Chains and Connectivity. Just a thought. No offense intended, Leon.
LoonyTunables and a privilege-escalation risk.
Tré Hester: Researchers at Qualys have discovered a buffer overflow vulnerability that could grant attackers root privileges on millions of Linux systems, Dark Reading reports. The flaw affects “GNU C Library’s dynamic loader’s processing of the GLIBC_TUNABLES environment variable.”
Tré Hester: Qualys says, “Our successful exploitation, leading to full root privileges on major distributions like Fedora, Ubuntu, and Debian, highlights this vulnerability’s severity and widespread nature. Although we are withholding our exploit code for now, the ease with which the buffer overflow can be transformed into a data-only attack implies that other research teams could soon produce and release exploits. This could put countless systems at risk, especially given the extensive use of glibc across Linux distributions. While certain distributions like Alpine Linux are exempt due to their use of musl libc instead of glibc, many popular distributions are potentially vulnerable and could be exploited in the near future.”
Scattered Spider believed responsible for cyberattack against Clorox.
Tré Hester: Scattered Spider, the ALPHV-affiliated gang of youthful Anglophone miscreants associated with the ransomware incidents at MGM Resorts and Caesars Entertainment is now believed, Bloomberg reports, to have also been responsible for the cyberattack against Clorox.
Tré Hester: Many details of the attack on Clorox remain unclear--it's not, for example, known with certainty whether the attackers deployed ransomware, nor whether they used social engineering to gain access to Clorox systems, although both seem likely. But there’s little doubt that it had an impact on the company’s results.
Tré Hester: The company has been concerned about the effect of the attack on its business, since production of several product lines was interrupted during the incident. Clorox warned yesterday, the Wall Street Journal writes, that the incident caused sales to fall between 23% and 28% for that quarter that closed on September 30th. The company will also show a loss for the quarter; it had projected roughly $150 million in profit. Thus the cyberattack was clearly material under any construal of the SEC's new reporting regulations.
Sony discloses information on its data breach.
Tré Hester: Sony has confirmed a data breach that exposed the personal information of the company’s employees and their family members, BleepingComputer reports. A threat actor exploited a vulnerability in Progress Software’s MOVEit Transfer platform to steal the data several days before Progress disclosed the flaw in May 2023.
Tré Hester: Sony has said, in the course of notifying people who may have been affected, “On June 2, 2023, [Sony Interactive Entertainment] discovered the unauthorized downloads, immediately took the platform offline and remediated the vulnerability. An investigation was then launched with assistance from external cybersecurity experts. We also notified law enforcement.”
Tré Hester: The Cl0p ransomware gang, which exploited the MOVEit flaw to launch widespread attacks earlier this year, added Sony to its list of victims in June.
Tightening control over the Russian information space.
Tré Hester: And, finally, the Institute for the Study of War has reported what it characterized as an intensification of "digital authoritarianism" in Russia.
Tré Hester: The Russian Prosecutor General’s Office has asked that VKontakte block posts from relatives of mobilized servicemen that call for their return home. The Prosecutor General's request effectively has the force of law: dissemination of "unreliable information" about the special military operation is legally prohibited. Russia's FSB on Tuesday proposed that the Duma expand the FSB's authority over personal and geolocation data. This authority would be in addition to earlier proposals to give the FSB complete access to user data handled by Russian internet, banking, and telecom companies.
Tré Hester: The model appears to be China. There's even a project underway in which "the Russian State Social University is developing and testing a social rating system for Russians based on the Chinese model and that the intended generated social scores will link to personal data that government entities and banks will have access to."
Tré Hester: Thus Moscow’s organs seem willing to learn from the best. What would lower your social score? Wanting your son home in one piece. Not being happy about the former Wagnerite criminals pardoned and permitted to show up in your village. Trying to use a VPN. Calling the special military operation a “war” (unless, of course, you’re on state TV). These things are bad. Not like beheadings, assault on civilians, summary execution, penal battalions, rocket strikes against funerals. Those things are, presumably, signs of strength and determination. We’ve seen it on Russian state TV. Don’t believe us? Just ask the FSB. And if you slander the Russian army, life’s not going to be all vodka and cucumbers.
Tré Hester: Coming up after the break, in today's "Threat Vector" Chris Tillett, Senior Research Engineer at Palo Alto Networks and member of the Advisory Board at Titaniam Labs, joins host David Moulton to delve inside the mind of an insider threat. Dave Bittner sits down with Eric Goldstein, Executive Assistant Director at CISA, to discuss shared progress against the ransomware threat. Stick around. [ Music ]
David Moulton: Welcome to "Threat Vector," a segment where Unit 42 shares unique threat intelligence insights, new threat actor TPTs, and real-world case studies. [ Music ] Unit 42 is a global team of threat intelligence experts, incident responders, and proactive security consultants dedicated to safeguarding our digital world. I'm your host, David Moulton, director of Thought Leadership for Unit 42. [ Music ] In today's episode, I'm going to talk with Chris Tillett. Chris is a senior research engineer at Palo Alto and a member of the advisory board for Titaniam Labs. Chris, your bio on LinkedIn is really short. It says, "Author, speaker, technologist, and failure expert." Before we get in today's topic on insider threat, I want you to talk to me a little bit about what you mean by failure expert.
Chris Tillett: Yeah, that's a title I've earned through pain and experience. I had to really learn by doing. And I have a natural curiosity, so by me looking at something and going, well, I wonder if we did this, how would that impact the network? Or if we did that, how would that impact the systems? It helped me learn and fail fast.
David Moulton: I love it. You've got to be fearless to be able to go into something knowing that the odds could be stacked against you. But no risk, no reward. What is insider threat and why has that become such a growing concern in today's cybersecurity landscape?
Chris Tillett: Insider threats are probably the most difficult thing to address because, in reality, they start in a person's figurative heart. To catch the early traces of it is extremely difficult. There are just some people that are wired to find the loopholes in an organization. When we look at what an insider threat is, in reality, it's anyone who has access to our systems, our data, our information that could use that for their own gain, or the gain for somebody else.
David Moulton: So tell our audience the common motivations or factors that you've seen that lead individuals to become insider threats. And then how understanding those motivations helps in identifying and mitigating those risks.
Chris Tillett: Yeah. So I have -- I call it the 10-80-10 rule. I talked earlier of -- there are people that are just wired to find the holes in your organization. That's about 10% of your employees. Sometimes that's data theft. Sometimes that could actually be money theft. That's also why you put controls in place. Typically, those controls are going to catch people where it starts with a dollar or two, and then eventually they get more and more bold and then they trip a control later on. The other 10% of people that are on the other opposite end of that spectrum are people that we never have to worry about. They will never steal from the organization. As a matter of fact, they won't even borrow a pencil and take it home. It's just not how they're wired and they refuse to do it. To me, those two sides are very easy. You have the ones that are just going to get bold and eventually screw up. And then you've got others that you never have to worry about. The hard part is the 80% in the middle. And the reason why is many of them will never become insider threats, ever. But all it takes is a change in their circumstances, a change in the organization, and all of a sudden, the thoughts creep in. That seed of motivation. The 80% are the hardest to find.
David Moulton: So what are some of those key indicators or behavioral patterns that organizations should be aware of when trying to identify those insiders in their workforce?
Chris Tillett: It's crucial for the management to know their employees and for the SOC to be in communication with that management and track normal across an organization. Having something that does behavioral tracking is absolutely crucial. What is insider threat for HR? What is insider threat for accounting? For IT? When we're using digital assets, we're creating a profile of what is normal. If we're not able to track that, then when a user deviates from that normal, we're not going to catch those beginning indicators. CISOs need to leverage the business units.
David Moulton: Having that baseline on behavior immediately is one of the most important things an organization should do, but that's just my opinion.
Chris Tillett: It's absolutely true, David. And so when you look at that baseline in comparison not only to themselves but their organization and their peers is going to be truly enlightening to the SOC. Being able to evaluate an individual against their peer groups is going to be crucial to see whether or not they're really deviating from their norm. [ Music ]
David Moulton: Chris, thanks for joining me today on "Threat Vector." We'll be back on the CyberWire Daily in two weeks. Until then, stay secure, stay vigilant. Goodbye for now.
Tré Hester: That's host David Moulton speaking with Chris Tillett of Palo Alto Networks as part of our "Threat Vector" segment. [ Music ]
Dave Bittner: And I'm pleased to be joined once again by Eric Goldstein. He is Executive Assistant Director at CISA. Eric, it's always a pleasure to welcome you back to the show. I want to touch base with you today on where we stand when it comes to ransomware and some of the partnerships that you and your colleagues there at CISA have taken on.
Eric Goldstein: Thanks so much, David. It's really great to be here, and particularly about this important topic. You know, over the past year or so, we at CISA and our partners across the U.S. government realize that although we've provided guidance, best practices, assessments to help organizations secure themselves against ransomware and against the epidemic that keeps affecting far too many organizations across sectors, we need to do more to measurably address the threat and risk that we're all facing. And so we've stood up two programs over the past year that have been remarkably impactful. The first is a program that was actually authorized by Congress last year called our Ransomware Vulnerability Warning Pilot. And the way this program works is we know that there are specific vulnerabilities that are targeted time and again by ransomware actors. You know, they have the vulnerabilities that they like to achieve their goals. They're going to keep coming back to it again and again. And one recent example this summer, of course, is the targeting of the vulnerability in the MOVEit managed file transfer application by the CL0p gang. With this ransomware vulnerability warning pilot, we scan internet-facing assets for thousands of organizations across the country to identify if they are running vulnerable assets that are targeted by ransomware actors. And if we find one, then one of our regional team members pronto gets on the phone or even knocks on a door and tells the organization, hey, you really want to mitigate or patch or take offline this asset before a ransomware actor comes around and creates a really hard day for your organization and your customers. And at this point, we've notified over 500 organizations of these vulnerabilities and driven hundreds of mitigation steps that otherwise wouldn't have occurred. But we also know that even with that program there are still too many intrusions happening every day. But we also know that with ransomware actors, the way they operate is actually similar to other threat actors in which they'll gain initial access but then they often don't immediately exfiltrate data. They often don't immediately encrypt data. They'll often move around the network for hours, even days, to find that high-value asset that they think they can monetize for the most ransom for the victim. And that gives us a window. And so what we've been able to do is build partnerships with security researchers, cybersecurity companies and government agencies who can actually see when a ransomware actor executes an intrusion on a victim organization -- on a school district, on a hospital, on a small business -- and they'll let us know the moment that they see that intrusion occur. And that gives us a short window where we can get out to that victim and we can say here's some technical information about the intrusion. Now here's the host ID, here's the IP address of the actor's command and control infrastructure, here's the credentials they're using. If you take these very specific remediation steps right now, you might actually be able to avoid harm. This has been extraordinarily impactful. Just this calendar year alone, we've done 430 of these notifications, including over 30 K-12 school districts, 50 higher education institutions, and over 40 hospitals around the country. And a very neat one here, we've also done over 80 notifications to international organizations across 19 different countries. And most of these we were able to get to fast enough that we could actually prevent harm. Now, obviously, this needs to scale, it needs to broaden. But both these programs are ways that we can actively show risk reduction against this cybersecurity threat.
Dave Bittner: It really does, to me, seem like a great example of success in this whole notion of a public-private partnership.
Eric Goldstein: That's exactly right. You know, particularly this second program, the pre-ransomware notification initiative is predicated entirely on, really, two things. The trusted partnerships that we have built with security researchers and cybersecurity companies who don't receive any compensation or other benefits. They're doing this because they want to help organizations that are being impacted by ransomware, as well as the partnerships that our regional team members at CISA had built with organizations around the country. Such that when an organization gets a call from a CISA team member, they take it seriously and take quick action to address the threat before harm occurs.
Dave Bittner: Are we at the point where CISA's reputation proceeds itself? Where if someone out of the blue gets a call from the agency that they're not left wondering who the heck are you and why are you calling me?
Eric Goldstein: CISA remains a fairly new agency.
Dave Bittner: Right.
Eric Goldstein: And although we do everything we can to make sure that our brand is out there and we have name recognition, there are certainly still organizations around there who have never heard of CISA or even thought about ransomware risks. And so that's why it's so important for us to have this regional workforce. So even if someone has never heard of CISA, perhaps our regional cyber advisor knows somebody who knows somebody who knows that enterprise and can actually get in there for a trusted conversation to encourage them to take quick action.
Dave Bittner: For folks in our audience who want to learn more, is there a best place for them to reach out?
Eric Goldstein: There absolutely is. We have a one-stop shop for information about all of our counter-ransomware initiatives. It is stopransomware.gov. And that is a great place to access both our guidance and to sign up for the ransomware vulnerability warning pilot.
Dave Bittner: All right. Eric Goldstein is Executive Assistant Director at CISA. Eric, thanks so much for taking the time for us. [ Music ]
Tré Hester: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at firstname.lastname@example.org. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is me, with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Tré Hester filling in for Dave Bittner. Thanks for listening. We'll see you back here tomorrow. [ Music ]