The CyberWire Daily Podcast 10.13.23
Ep 1926 | 10.13.23

Hacktivism in the war between Hamas and Israel, with a possibility of escalation. Healthcare cybersecurity. Looting FTX. CISA releases resources to counter ransomware.

Transcript

Dave Bittner: Hacktivism and nation-state involvement in the cyber phases of war in the Middle East, and the use of Telegram. Russian groups squabble online. Healthcare cybersecurity and its implications for patient care. The Looting of FTX on the day of its bankruptcy. Joe Carrigan shares research from the Johns Hopkins University Information Security Institute. Our guest is Mike Walters from Action1, marking the 20th anniversary of Patch Tuesday. And CISA releases two new resources against ransomware.

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Friday, October 13th, 2023.

Hacktivism and nation-state involvement in the cyber phases of war in the Middle East.

Dave Bittner: The Wall Street Journal reports increased cyberattacks as Israeli forces strike into Gaza in retaliation for attacks by Hamas over the weekend. Most of the offensive cyber action the Journal describes is directed against Israel, and most of it remains the nuisance-level distributed denial-of-service (DDoS) activity that typically characterizes hacktivism. Defacements, another hacktivist staple, have also been observed. Security firm Check Point told CNBC that two smart billboards used for video advertising in Tel Aviv were briefly hijacked Thursday. The attackers “managed to switch the commercials into anti-Israeli, pro-Hamas footage,” CNBC quotes Check Point's Gil Messing as saying. The substituted video showed the Palestinian flag, a burning Israeli flag, and images of the fighting. The incident was short-lived.

Dave Bittner: The Wall Street Journal also describes threats of more significant cyberattacks. For the most part such threats have been simply that, claims intended to intimidate and inspire fear, but there has been an increase in attempts against infrastructure. So far these have been parried, but the threat remains a concern to Israel, particularly as threat actors more capable than ordinary hacktivists join the action. Security firm Sepio told the Journal that they've seen a rise in activity from Iran and Syria, as well as from Russian hacktivist auxiliaries (including KillNet).

Following hacktivism on Telegram.

Dave Bittner: Flashpoint researchers conclude that Telegram has become a principal communication channel for Hamas and groups that align themselves with that organization. "Telegram, with its 700 million-plus-strong user base, has evolved into a pivotal communication hub for Hamas and Palestinian Islamic Jihad (PIJ). Its robust privacy and encryption protocols safeguard communications while also providing a covert operational space for militant groups and cybercriminals."  

Dave Bittner: Researchers at Radware outline the course the cyber phases of the war have taken. Radware has been looking at hacktivist claims of DDoS on Telegram, where claimed attacks spiked on Saturday and have remained at elevated levels since then. Target selection, as reported by the hacktivists themselves, concentrated on Israeli government sites (36% of the claims), then on news and media (10%), travel (9%), financial services (5.6%), education (4.2%), and, finally, healthcare (3.5%). The hacktivist groups Radware has observed conducting or at least claiming attacks in support of Hamas include the Indonesian threat actor Garnesia_Team, Ganosec Team (also from Indonesia), the Moroccan Black Cyber Army, Mysterious Team Bangladesh, Team Herox (from India), Anonymous Sudan (which presents itself as a religious and political group from its eponymous country, but which in fact is a Russian auxiliary) and, of course, the Russian group KillNet.

Dave Bittner: Radware also directly observed a number of DDoS attacks. They ranged in duration from minutes to hours, in some cases up to twenty-four hours. The most common attack vectors Radware saw were: HTTPS Floods, IPv4 UDP Floods, IPv4 UDP-FRAG Floods, IPv4 ICMP Floods, ARMS floods, Chargen Floods, UDP Flood Port 80, TCP FIN-ACK Flood, DNS Amplification flood, and HTTP SYN Floods. In the more successful, longer duration attacks, the operators switched between vectors as their targets adapted to the initial attack.

Russian hacktivist groups squabble online.

Dave Bittner: Russian hacktivist auxiliaries have not been unanimous on the war in the Middle East. KillNet has been outspoken against Israel during the current fighting Hamas initiated last weekend, as has Anonymous Sudan. The Cyber Army of Russia disagrees sharply, not because it wishes to engage on behalf of Israel, but because the Cyber Army sees war in the Middle East as a distraction from Russia's main concern: the war in Ukraine. Cyble's Cyber Express reports that the Cyber Army of Russia is seeking to organize sentiment against KillNet under the hashtag #STOPKillNet.

Influence operations and disinformation.

Dave Bittner: Menacing texts and other messages represent a low-grade, targeted, and unpleasant form of influence op. 

Dave Bittner: Israelis have been receiving threatening texts and WhatsApp messages, apparently from Hamas sympathizers in Yemen and Afghanistan. Bloomberg reports that Israeli parents (and Jewish parents in other countries) are having their children delete social media apps (especially Instagram and TikTok) to avoid exposure to violent images. Much of this is preventive, a precaution rather than a reaction, but Hamas has distributed images of executions and hostage-taking.

Dave Bittner: The European Union is pursuing its investigation into X, the platform formerly known as Twitter. According to the Financial Times an EU commissioner wrote X, “We have, from qualified sources, reports about potentially illegal content circulating on your service despite flags from relevant authorities.” X's proprietor Elon Musk replied, "Our policy is that everything is open source and transparent, an approach that I know the EU supports. Please list the violations you allude to on X, so that that [sic] the public can see them. Merci beaucoup.” After some other dismissals and protests of misunderstanding, X announced, Reuters reports, that it's "removed hundreds of Hamas-affiliated accounts and taken action to remove or label tens of thousands of pieces of content." The EU is looking into the actions X took to moderate its content as it evaluates its next steps in the case.

Healthcare cybersecurity: implications for patient care.

Dave Bittner: A Ponemon Institute survey commissioned by Proofpoint looked at the consequences of cyberattacks against healthcare organizations. Such attacks are both a business risk and a threat to patient care and patient privacy. The study found that 88% of healthcare organizations sustained an average of forty cyberattacks over the past twelve months, with the average total cost of successful attacks reaching $4.9 million. Losses included “all direct cash outlays, direct labor expenditures, indirect labor costs, overhead costs, and lost business opportunities.” The most expensive consequence of these attacks was “disruption to normal healthcare operations because of system availability,” causing an average of $1.3 million in losses.

Dave Bittner: Notably, 77% of respondents said supply chain attacks had an impact on patient care: “Patients were primarily impacted by delays in procedures and tests that resulted in poor outcomes such as an increase in the severity of an illness (50 percent) and a longer length of stay (48 percent). Twenty-one percent say there was an increase in mortality rate.” 100% of the surveyed organizations had at least one incident in which sensitive healthcare data were lost or stolen: “On average, organizations experienced 19 such incidents in the past two years and 43 percent of respondents say they impacted patient care. Of these respondents, 46 percent say it increased the mortality rate and 38 percent say it increased complications from medical procedures.”

Looting FTX on the day of its bankruptcy.

Dave Bittner: Elliptic has published an analysis of the $477 million theft of cryptocurrency from FTX in November 2022, noting that, “Of the stolen assets that can be traced through ChipMixer, significant amounts are combined with funds from Russia-linked criminal groups, including ransomware gangs and darknet markets, before being sent to exchanges.”

Dave Bittner: The researchers add, “Whoever was behind the hack, the stolen assets continue to be moved and laundered through the blockchain. Various cross-asset and cross-chain laundering techniques have been used to avoid seizure of these assets, and to attempt to conceal the money trail.”

CISA releases two new resources against ransomware.

Dave Bittner: And, finally, the US Cybersecurity and Infrastructure Security Agency (CISA) has released two resources for identifying vulnerabilities and misconfigurations exploited by ransomware:

  • “A ‘Known to be Used in Ransomware Campaigns’ column in the KEV Catalog that identifies KEVs associated with ransomware campaigns.

  • A ‘Misconfigurations and Weaknesses Known to be Used in Ransomware Campaigns’ table on StopRansomware.gov that identifies misconfigurations and weaknesses associated with ransomware campaigns. The table features a column that identifies the Cyber Performance Goal (CPG) action for each misconfiguration or weakness.”

Dave Bittner: Take a look: the advice is actionable and relevant.

Dave Bittner: Coming up after the break, Joe Carrigan shares research from the Johns Hopkins University Information Security Institute. Our guest is Mike Walters from Action1, marking the 20th anniversary of Patch Tuesday. Stay with us.

Dave Bittner: This past Tuesday was this month's Patch Tuesday, a monthly event that's been around long enough now that its cadence is something folks in InfoSec hardly think twice about. But how did Patch Tuesday start and why did it catch on? Mike Walters is VP of Vulnerability and Threat Research and co-founder of security firm Action1. And I spoke with him about the legacy of Patch Tuesday.

Mike Walters: Microsoft introduced it back in October of 2003. So it's been almost 20 years, which also coincides with the 20th year anniversary of Cybersecurity Awareness Month. And prior to 2003, the approach to deploying security updates, it's been pretty much an ad hoc basis here and there, different vendors releasing updates. And then in October of 2003, Microsoft introduced this concept of Patch Tuesday, which is a monthly security patch release cycle, which set the cadence and made scheduling of security updates more predictable. On top of that, they added other information sources. So it initially was a security bulletin system. And then in 2017, they replaced it with the security update guide, which is a comprehensive vulnerability information source. And then on top of security updates, they just used the same channels to make non-security updates, feature updates available along with security updates. But still, the main focus remains on setting the cadence for ensuring that security updates reach all of the systems that need those. There's been some mishaps along the way, of course. Pretty much early on, so there's been some very well-known incidents like back in Windows XP Service Pack 2004, so about a year after the introduction, so that caused major compatibility issues with some third-party applications and hardware. And then Windows Vista 2007, yeah, there's been issues which Microsoft took to heart. So they worked with the customers, they understood the concerns. Over time, they've been trying to improve the quality. There's still issues that remain, right? There's still, you know, as recent as actually August of this year, since the cumulative update had issues with certain types of hardware causing blue screens of death. And, you know, that's a major thing because it's all about trust and reliability. Because if you don't deliver reliable updates on a consistent basis, then people lose trust and they stop installing those updates. And that's not what you want to have. It's all over the news. There's security breaches, there's some well-known attacks like WannaCry back in 2017 that showed the importance of timely patching. Because if you don't do this, then your attack surface is -- you know, you're exposed. You basically have open doors for anyone to come in and hack your systems.

Dave Bittner: And other organizations have sort of adopted this cadence as well, right? It's not just Microsoft anymore.

Mike Walters: Yeah, Adobe, Oracle, a few other vendors, yeah, they fit in the same cycle. And some of them even integrated with Microsoft update systems to provide the same update channel, essentially, and simplify lives of IT professionals. Unfortunately, not everyone does it, which makes patching of different applications really challenging, right? Because if you run a big stack of applications and you need to patch those, first of all, there's no consistency in the release cycles. Patch Tuesday is not every vendor's approach. And also, the technology, how do you deploy those updates regularly and consistently, that's highly dependent on the vendor technology, unfortunately. But, you know, there's been some industry developments that attempts to streamline that and make it more standardized. But so far, we have yet to see the actual results of that.

Dave Bittner: Have we seen any examples of any of the adversaries taking advantage of this cadence of, you know, knowing that things are going to happen on this sort of schedule?

Mike Walters: Unfortunately, yes. Quite recently, somebody coined a term called Exploit Wednesday, which is the Wednesday that follows Patch Tuesday. Patch Tuesday, second Tuesday of the month, 10 a.m., Microsoft publishes all the CVEs that they have patched in the cumulative update that's released on that day. And all the threat actors mostly know that the majority of organizations don't deploy those updates right away. And there's a testing requirement. So they take advantage of that. And as soon as the following day, we hear about massive exploitation attempts. It becomes extremely easy because the vulnerabilities are well documented. Sometimes there's proofs of concept. Sometimes there's existing hacker toolsets that can be used to make those exploits, you know, readily available exploits, basically. But there's been incidents taking advantage of that. But it's best to document them, make patches available. And then there's probably better ways to do mitigation controls, such as in the future, I suppose, there's going to be technologies that isolate vulnerabilities before they're patched. Maybe there are ways to tackle this. But yeah, to answer your question, so unfortunately, it has its negative side effects as a public vulnerability source, which is available to everyone, not just to the good people, but bad people as well.

Dave Bittner: That's Mike Walters from Action1. And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, and also my co-host over on the Hacking Humans podcast. Hey there, Joe.

Joe Carrigan: Hi, Dave.

Dave Bittner: You have some interesting information to share with us that came out of your place of employment, Johns Hopkins University. What's going on here, Joe?

Joe Carrigan: So we have finished up conducting a cybersecurity survey of Maryland residents. This was a survey commissioned by the Maryland Cybersecurity Council. We received some funding from the National Cryptologic Foundation, and we provided some funding ourselves. And this was a pilot study that we did just to kind of get a gauge, put our finger on the pulse of Maryland cybersecurity awareness to see really how we would focus another research study to get a better look at what the cybersecurity posture of Maryland looks like.

Dave Bittner: So this is sort of a preliminary study to better focus the next study that you will do?

Joe Carrigan: Exactly. Right.

Dave Bittner: So what are some of the interesting bits of information you all gathered here?

Joe Carrigan: So one of the things I want to talk about is we have some basic knowledge questions. And we said, what is social engineering in an information security context? 25% of people got that right out of a possible four answers with an "I don't know." So I guess five answers.

Dave Bittner: Yeah.

Joe Carrigan: 25% of people got that right. That's pretty close to a random guess.

Dave Bittner: Right.

Joe Carrigan: So it seems to me that people don't really know what the term social engineering means, which indicates that, well, once again, Joe was right and this is a terrible term.

Dave Bittner: Okay.

Joe Carrigan: And I've said this many times. I don't like the term social engineering. First time I heard it, I thought of something completely different than what it is. But in the security industry, we all call it social engineering. By contrast, 61% of people know what phishing is, which actually in our study, we found pretty similar results to the most recent Proofpoint State of the Phish report, where they found 58% of people were able to correctly identify that term.

Dave Bittner: Okay.

Joe Carrigan: So we're pretty close there. 70% of people said they knew what multi-factor authentication was. And when you break that down further, we found that 42% of people say they use some form of multi-factor authentication on their more important accounts. And then other people use it on most accounts, like 25% of people said they use it on most accounts. And then only 23% say they use it everywhere it's offered. The fact that people are using it, that's good. It's a large percentage of people who are using it at some level.

Dave Bittner: Yeah.

Joe Carrigan: I don't use it on all my accounts. I don't recommend that everybody use it on all their accounts; all their very important accounts, I say yes.

Dave Bittner: Yeah.

Joe Carrigan: Only 7.5% of people were using hardware tokens, which we talk about frequently.

Dave Bittner: Right.

Joe Carrigan: There's some shocking information about passwords. 20% of people use the same password for most of their accounts.

Dave Bittner: Wow.

Joe Carrigan: And only 26% said they use long, complex passwords. And that kind of lines up with the percentage of people that use a password manager at 28%. So that doesn't surprise me that those two numbers are very close, because if you use a password manager, it'll generate the complex passwords for you.

Dave Bittner: Right, right. And it removes the burden of having to remember them.

Joe Carrigan: Exactly.

Dave Bittner: Yeah.

Joe Carrigan: We also asked some questions about victimization. And we found that victims of crimes and scams, 20% of people said they had been a victim of ransomware. In the follow-on study, I want to do a more in-depth probe of that. Where were you a victim of ransomware? Is that at your workplace or is it at home? When we asked people -- this was kind of shocking. We asked the respondents, has your information been breached to your knowledge? 45% said yes. The other 55% said no, or they didn't know. 17% said they didn't know. 38% said no. I'm sure everyone who listens to this podcast knows that just about everybody has had their data breached at some point in time.

Dave Bittner: Right.

Joe Carrigan: I just got a couple of letters last week about another data breach that contained my personal information.

Dave Bittner: Right.

Joe Carrigan: So I'm shocked that less than half the people in Maryland are aware of this as an issue, or at least it would seem that way.

Dave Bittner: Wow.

Joe Carrigan: 23% of people said they were victims of a scam, online scam, where they had lost some kind of money, some amount of money. And we even had two -- we asked them how much they'd lost. We had two respondents who said they had lost $100,000 and nine people who said they had lost in the tens of thousands of dollars. Now, I don't know if the two that said they lost $100,000 are accurate or they're just like outliers. I mean, they're definitely outliers, but are they accurate outliers? I am not shocked by the $100,000 number on these things. We've had all kinds of stories. We had a story on "Hacking Humans" coming out that you covered somebody who lost $600,000 on an online scam.

Dave Bittner: Right, right.

Joe Carrigan: So $100,000 is not out of the realm of possibility for these things.

Dave Bittner: Yeah.

Joe Carrigan: The average loss was $3,000. That's a mean, just a simple mean. And even if you take out the two $100,000 losses, the mean is still around $1,500 a person who suffered a loss, which if you do the extrapolation out to the full population, a very naive extrapolation, albeit, you wind up with a total loss of about $2.1 billion, billion with a B, which is a lot of money out of Maryland, just out of Maryland alone.

Dave Bittner: Yeah.

Joe Carrigan: So next we want to get some funding. We're going to try to get some funding for a broader survey that is more scientific. For this one we used MTurk, which is fine for running a survey like this, but I really want to get a -- and Dr. DeBurr and I want to get a really good sample and a really good distribution. We're probably going to engage with somebody that has the infrastructure to do this. I mean, we're interested in this, but in the Information Security Institute and in computer science, we really don't have the infrastructure for this.

Dave Bittner: Right.

Joe Carrigan: Maybe we'll reach over to someone in our social sciences departments to find out.

Dave Bittner: Oh, there you go.

Joe Carrigan: But ultimately we would like the result of these surveys to be policy around protecting the end user and the consumer, the average person in Maryland.

Dave Bittner: Are you looking to do an awareness campaign?

Joe Carrigan: An awareness campaign would be good. An education campaign, changing the curriculum in schools would be awesome.

Dave Bittner: Right, yeah.

Joe Carrigan: Understanding that just a basic, even ads, just running something from a public service announcement that says, Microsoft doesn't give you their phone number in pop-up ads.

Dave Bittner: Right.

Joe Carrigan: They just don't do it.

Dave Bittner: Yeah. There's that saying, you don't know where you're going if you don't know where you are.

Joe Carrigan: Right.

Dave Bittner: So by establishing ground truth through a survey like this, this sort of mechanism, then you know where we got to go. How far away are we from the ideal?

Joe Carrigan: Yep.

Dave Bittner: Yeah.

Joe Carrigan: And then we can also take follow-on surveys again to see if these have any results, see if these campaigns have any results.

Dave Bittner: Yeah. All right. Interesting stuff. Joe Carrigan, thanks so much for joining us.

Joe Carrigan: My pleasure, Dave.

Dave Bittner: And that's The CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's edition of "Research Saturday" and my conversation with Amit Malik from Uptycs. We're discussing their research, Unwanted Guests: Mitigating Remote Access Trojan Infection Risk. That's "Research Saturday". Do check it out. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like The CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Ervin and senior producer Jennifer Eiben. Our mixer is Trey Hester with original music by Elliot Pelzmann. The show was written by our editorial staff. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.