The CyberWire Daily Podcast 10.16.23
Ep 1927 | 10.16.23

Cyber phases in two hybrid wars. A ransomware gang claims an attack against a major firm. Social engineering implicated in Shadow PC breach. Privateering, coin mining, and other worries.

Transcript

Dave Bittner: Hacktivism and the war between Hamas and Israel. Disinformation and the war between Hamas and Israel. LockBit claims an attack on CDW. Shadow PC's breach. Void Rabisu deploys a lightweight RomCom backdoor against the Brussels conference. Rick Howard describes Radical Asymmetric Distribution. Our guest is Jason Birmingham from Broadridge Financial Solutions with a look at asset management. And coin mining as a potential front for espionage or a staging area for sabotage.

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Monday, October 16th, 2023.

Dave Bittner: We begin with a quick look at the cyber dimensions of the war between Hamas and Israel.

Hacktivism and the war between Hamas and Israel.

Dave Bittner: Pro-Hamas hacktivism, mostly low-grade and to a significant extent overstated to the point of fiction, continues to be the most prominent cyber feature of the war between Hamas and Israel, POLITICO reports. Confirmed cyberattacks have for the most part been distributed denial-of-service activity. One organization, Medical Aid for Palestine, says that its website had been disrupted by unspecified cyberattacks that have impeded its delivery of humanitarian aid to Gaza.

Disinformation and the war between Hamas and Israel.

Dave Bittner: A great deal of disinformation in the present war has involved over-promising and under-delivery. Last Friday, for example, was supposed to have been a day of global protest in support of Palestinians throughout the Islamic and Arab worlds. This was quickly glossed as a "day of global jihad," which didn't materialize.

Dave Bittner: There have also been some attempts to walk back Hamas inspirational content--Hamas fighters holding captured Israeli babies, Hamas fighters spitting on desecrated civilian corpses, civilians being dragged into captivity--that on reflection Hamas thinks may not be polling well. Basim Naim, the Hamas head of international relations, said in an English-language press conference that Hamas fighters were under instruction not to target civilians, and were "keen" to avoid doing so. Other Hamas officials said their attack “targeted only Israeli military bases and compounds that were suffocating the people of Gaza for more than 17 years.” And as for the massacre at the Supernova music festival, Hamas officials suggested that their fighters probably mistook the roughly two-hundred-sixty concert-goers they murdered for "resting Israeli soldiers."

Dave Bittner: Where are false or dubious claims concentrated? The DFR Lab reports that pro-Israeli accounts (especially in English) have tended to show a preference for X (the platform formerly known as Twitter) despite X's recent difficulties with its hosting of pro-Hamas posts. The Hamas-run accounts have gravitated to Telegram. Much of the amplification of disinformation is achieved through the use of accounts that impersonate trusted sources.

LockBit claims attack on CDW.

Dave Bittner: Technology services giant CDW is investigating claims of data theft made by the LockBit ransomware gang, the Record reports. A CDW spokesperson said the company is “addressing an isolated IT security matter associated with data on a few servers dedicated solely to the internal support of Sirius Federal, a small U.S. subsidiary of CDW-G.” CDW added, “We are aware that a third party has made data available on the dark web which it claims to have taken from this environment. As part of the ongoing investigation, we are reviewing this data and will take appropriate action in response – including directly notifying anyone affected, as appropriate.”

Dave Bittner: The LockBit gang said it demanded $80 million in exchange for not publishing the stolen data, but was offered only $1.1 million.

Shadow PC's breach.

Dave Bittner: Cloud-based gaming company Shadow has confirmed a data breach in which attackers were able to obtain customers’ “full names, email addresses, dates of birth, billing addresses and credit card expiry dates,” TechCrunch reports.

Dave Bittner: Shadow CEO Eric Sèle said in an email, “At the end of September, we were the victim of a social engineering attack targeting one of our employees. This highly sophisticated attack began on the Discord platform with the downloading of malware under cover of a game on the Steam platform, proposed by an acquaintance of our employee, himself a victim of the same attack.”

Dave Bittner: An individual who has claimed responsibility for the attack is selling the data on an underground forum, alleging that the database contains the information of more than 530,000 Shadow customers.

Void Rabisu deploys lightweight RomCom backdoor against Brussels conference.

Dave Bittner: Trend Micro describes the recent activities of Void Rabisu, which it describes as "an intrusion set associated with both financially motivated ransomware attacks and targeted campaigns on Ukraine and countries supporting Ukraine." In this case the intrusion was directed against the Women Political Leaders (WPL) Summit that convened in Brussels between June 7th and 8th of this year. The Summit's goal was to increase the participation of women in politics, and while that may not have been something the threat actors necessarily approved of, it seems likelier that the conference was simply a target of opportunity, an occasion to prospect and compromise devices and systems belonging to political leaders. The ultimate payload Void Rabisu delivered was "a new version of ROMCOM backdoor that we have dubbed as 'ROMCOM 4.0' (also known as PEAPOD)."

Dave Bittner: Void Rabisu is an interesting mixed case of an organization (or, if you will, an intrusion set) that has been financially motivated, that trades in the criminal-to-criminal market, but which engages in espionage and, once it's on its target, acts like an advanced persistent threat (APT). Some of its earlier, more clearly financially motivated actions have been thought to be associated with a Cuba ransomware affiliate, BleepingComputer notes, but the activity now seems focused on zero-day exploitation for the purposes of espionage.

Dave Bittner: There's no attribution of the activity so far. "While we have no evidence that Void Rabisu is nation-state-sponsored," Trend Micro writes, "it’s possible that it is one of the financially motivated threat actors from the criminal underground that got pulled into cyberespionage activities due to the extraordinary geopolitical circumstances caused by the war in Ukraine." And in general Void Rabisu has consistently acted against Ukrainian interests.

Coinmining as an (alleged, potential) front for espionage or a staging area for sabotage.

Dave Bittner: Finally, coin mining is famously hungry for both electrical power and computational power. It's now far advanced from the days when it might have been possible for some regular Joe to make some money on his laptop. Coin mining operations are now, effectively, large, powerful, single-purpose data centers. Some of the mines are owned, sometimes via a series of cutouts, by the Chinese government or Chinese corporations, and the US has begun taking note.

Dave Bittner: The New York Times reports, "In at least 12 states, including Arkansas, Ohio, Oklahoma, Tennessee, Texas and Wyoming, The Times identified Chinese-owned or -operated Bitcoin mines that together use as much energy as 1.5 million homes. At full capacity, the Cheyenne, Wyo., mine alone would require enough electricity to power 55,000 houses." The Wyoming mine is particularly interesting. It's situated between a big Microsoft data center that supports the US Department of Defense and F.E. Warren Air Force Base, a command center for US intercontinental ballistic missiles.

Dave Bittner: Now, physical proximity isn’t any more closely connected with cyber access than correlation is with causation, but the coin mine’s neighbors are at least suggestive. 

Dave Bittner: Microsoft warned the US Treasury Department's Committee on Foreign Investment in the United States last year of the threat such installations could pose. The mines are positioned to be able to collect intelligence on sensitive activity, and their consumption of electrical power is so high that they can stress the power grid, or, by cycling that consumption, upset the balance on which a reliable grid depends. 

Dave Bittner: The prospect of destabilizing the grid is probably the more serious of the risks. Coin mines are largely unregulated, and US agencies are considering the possibility of prescribing how rapidly they can start and stop their active mining operations.

Dave Bittner: Coming up after the break, Rick Howard describes radical asymmetric distribution. Our guest is Jason Birmingham from Broadridge Financial Solutions with a look at asset management. Stay with us.

Dave Bittner: Jason Birmingham is Chief Technology Officer at Broadridge Financial Solutions. I spoke with him about the challenges facing financial institutions, specifically when it comes to asset management.

Jason Birmingham: Asset management is a hot sector in general. And, from a cybersecurity perspective, it's a very, very attractive space if you're looking to cause some mischief. Obviously, a lot of customer financial data is in play in the asset management space. The intellectual property that's in some of these trading strategies, the algorithmic trading increasingly, is very attractive to hackers, both in terms of disrupting the flow of the financial markets but also looking for ways to actually fund some other activities going forward. You know, obviously, I think there's a little bit of a perception that maybe security isn't as big of a focus in this space as it would be in some of the more, you know, traditional banking sectors or capital market sectors where there's, you know, discrete programs that people are running on cyber as, you know, part of the bank, for example. So I think people look at the sector as ripe for, you know, a potential intrusion. And so, you know, I think, if you're an asset manager and you haven't been paying attention to this so far, I think now is the time to really start paying attention to it.

Dave Bittner: What are your recommendations, then, in terms of best practices?

Jason Birmingham: The number one path of intrusion still, even today, you know, 10 or 15 years into discussion about cyber, it's still people. Phishing attacks remain at the top of the list in terms of how intruders and hackers get into firms to begin with. And I think, you know, the notion that firms have to spend a ton of money on having good cyber practices is a bit of a misnomer. Obviously, you need to have good tools around multifactor, endpoint detection, secure backups. I mean, there's certainly a technical aspect of all this. But, you know, getting the basics right around making sure you have good employee training programs related to phishing, you know, making sure that your employees know what to do if they suspect that there might be a breach; having proper, you know, controls and policies and practices and procedures that get drilled regularly, you know, something that doesn't cost anything but, you know, oftentimes is something that will either prevent an issue from happening altogether or certainly will limit the blast radius if something does start to happen. So, you know, I think just getting clarity on what you can do, you know, from the training and the incident response perspective, that's essentially free. And then I think, you know, going from there and just some good foundational technology practice, as I mentioned, multifactor, you know, I think having endpoint detection or, you know, moving into the cloud, for example, where you get a lot of these controls somewhat natively from your cloud providers, or at least there's a base level of protection versus what you would have if you were still trying to run your own infrastructure on prem, you know, certainly is a good perspective there. But, you know, I think as you get into the discussion further, certainly role-based access, you know, and understanding what people can do and decision rights and access rights is very, very critical. 
You know, oftentimes, you know, when we're helping customers talk through some of this stuff as part of what we do, just understanding who can do what and who has access to what and even what your inventory of assets is becomes a series of projects for a lot -- a lot of firms. And so I think, again, like, just the good discipline around having that inventory, knowing who can, you know, access things and change things, very, very important.

Dave Bittner: With the folks that you all work with there, do you find that, as you're engaging, are there common errors that people make when it comes to asset management or common misunderstandings that folks have?

Jason Birmingham: You know, the asset management space and you look at the firms that make up the space, obviously, you have very, very large firms that are very sophisticated. And, you know, with them, I think there's a very strong understanding of, you know, the right practices and the right technologies and how you, you know, manage cyber appropriately. But the other end of that spectrum are very small shops, you know, boutique firms that spin up around the strategy or smaller shops that are trading or even could be family offices, you know, people that, you know, don't have the resources and the wherewithal to really understand the full breadth of the discussion. And I think the mistake that gets made is -- is realizing that too late. You know, if you're in this space, if you have customers' money, you have their data, you know, I think you have to view yourself as a target. The asset management space is kind of at the junction of a lot of things in financial services. You have retail data and, you know, access to the retail markets with the consumers, you're obviously tapped into the broader financial services ecosystem with your payments and, you know, the trading infrastructure that's out there. And so, you know, a hacker or somebody looks at you as a -- as kind of an interstate, right, or at least a junction on how to get into a place. If they can exploit one asset manager, they then have access potentially to other things. And so I think, you know, understanding that that's how you're viewed in the land of the bad -- bad guys I think is -- is important. And that's usually where people fall down. Once people understand the magnitude of that, you know, I think the best practices in the playbooks are pretty standard at this point and quite straightforward to understand. But most people miss the -- you know, maybe I'm -- maybe I'm smaller than most, and nobody's paying attention to me. I think in some ways that makes you a more attractive target. 
But you don't have to spend a fortune. You don't have to have a big bank or a big, you know, hedge fund sort of budget to be able to protect yourself I think is the good news. I think it does take a bit of, you know, management discipline and, you know, the ability to really focus the resources you do have, which might be people's time rather than going out and spending money, focusing people's time and their attention and maybe aligning their incentives to getting the basics right.

Dave Bittner: That's Jason Birmingham, Chief Technology Officer at Broadridge Financial Solutions. And it is always my pleasure to welcome back to the show Rick Howard. He is the CyberWire's chief security officer and also our chief analyst. Rick, welcome back.

Rick Howard: Hey, Dave.

Dave Bittner: So I saw the topic of today's discussion, and I have to say it captivated my imagination. And it is radical asymmetric distribution, which I have to say flows trippingly off the tongue.

Rick Howard: Yes. We should be marketeers, I think, because that's going to be great.

Dave Bittner: How did this come to your attention, Rick? And bring me up to speed. Why are we talking about this today?

Rick Howard: Well, a couple of weeks ago, a bunch of us went down to the mWISE Conference here in DC. This is the Google/Mandiant big security conference every year. And we talked to a bunch of really smart people. But the end conference keynote was done by one of my -- I'm a fan favorite of Malcolm Gladwell, right.

Dave Bittner: Oh, yeah.

Rick Howard: And, you know, for those who don't know Gladwell, he wrote a bunch of books that I love, The Tipping Point, Blink, Outliers, Talking to Strangers, and The Bomber Mafia. And he has this excellent podcast called Revisionist History that I listen to almost every week. It's fantastic. So I was going to be there to hear the -- hear what Malcolm Gladwell was going to say about cybersecurity because he's not a cyber guy. I'm just -- you know, I just like to point that out.

Dave Bittner: Yeah.

Rick Howard: So he comes on stage. And he goes, he learned a long time ago that he should never come into an auditorium full of experts in the field and tell them how to do their job, right? So he said that's a bad thing to do.

Dave Bittner: Good life advice there, you think? Yeah.

Rick Howard: He said, though, but he was doing some research, and he noticed this pattern of things called radical asymmetric distribution that he thinks might apply to cybersecurity. And he was looking for feedback on whether or not it was. So let me explain what it is.

Dave Bittner: Yeah.

Rick Howard: He used a case study of the COVID infectious rates. You know, back and when we -- when it was everybody was locking down, we all assumed, meaning all the scientists in the world assumed, that if Dave was infected and Rick was infected, that we had the equal chance of distributing that infection to somebody else. You know, it was an equal probability.

Dave Bittner: Yeah.

Rick Howard: And a bunch of MIT students were doing the study in the early days of the lockdown. This is March 2020. And they were tracking infectious vectors coming into Boston, and there were 300 people that came into the city in that timeframe that were infected with COVID. And what they discovered was, all those things died down. You know, they got sick, but nobody got hurt. Nobody died. Nobody went to the hospital out of those 300 except for one. One guy went to a business meeting, infected a bunch of people, and killed 300 people because of that infection. Right.

Dave Bittner: Wow.

Rick Howard: And the reason was, according to the paper, was that the amount of water molecules coming out of that guy's breath was exponential compared to what normal people had. Okay. So he was more likely to infect somebody than anybody else in the world.

Dave Bittner: And this was just a random habit of the way that this person talked.

Rick Howard: Yeah. It's just his body makeup, you know, he has the ability to -- he's a super spreader. You know, that's kind of what he is, right? And so Gladwell says that, you know, if you knew that going in, that your strategies for reducing the pandemic, reducing infection rates might be different if you realized that the distribution scheme of the infection was asymmetric as opposed to evenly distributed, right. So if you're -- if it's evenly distributed, we're going to do all the things that we did, you know, mask and distancing and vaccines and, you know, shut down schools and blah, blah, blah. We would do all those things, let's say. But if you knew it was asymmetrically distributed, we would just spend some time trying to find those people and lock those people away, right, and not worry about everybody else. Right? So that's a really complex story. Let me tell you a second one. The one he -- his big pet peeve was, you know, we all have to go into the mechanics every year and get our catalytic converters inspected.

Dave Bittner: Okay.

Rick Howard: Everybody does it. We pay 50 bucks a year, and we get it checked. And -- and he says, you know, how many times do the mechanics find something wrong with your catalytic converter? Never, you know. It never happens, right?

Dave Bittner: Right, right.

Rick Howard: It only happens if your car is old or there's some major, major mechanical problem, right? He goes, but we assume that the fix is evenly distributed. That means everybody has to go through this inspection when we've had that technology over 20 years that you could have a collector on the side of the street that would just watch cars go by, and they could identify it pretty quickly that it was, you know, a malfunctioning catalytic converter because we assume the problem was that it was evenly distributed.

Dave Bittner: Sure.

Rick Howard: So okay. So what -- and then he says, he thinks that maybe cybersecurity is an asymmetrically distributed problem also. And it just dawned on me that he might be right, right, because I've been saying for, I don't know, a couple of years now, if you just do the stats on publicly announced breaches -- I think the FBI back in 2021, you know, they said that there were 5000 reported breaches to their agency in that year. All right. So 5000 reported breaches. Okay. Let's assume that, I don't know. Let's go big. Let's say there was 100,000 total because 75,000 said we're not going to tell anybody, right. So let's say 100,000. There's like 6 million organizations in the United States. All right. So if you do 100,000 divided by 6 million, that's a really small number. Really small number, right? And -- but the industry for 30 years had been spending money like the problem was evenly distributed, meaning that any organization of that 6 million would have the equal chance to get hit by a bad guy in the cyberspace than in the other, when it turns out that's probably not true. Bad guys are going to go after financials, going to go after healthcare sectors. They're going to go after the Fortune 500s, right. But all the other companies are -- you know, their chances of getting hit are pretty small, right? And so the strategies they use to defend yourself, when you realize it's an asymmetrically distributed problem, are completely different than if it's evenly distributed to everybody. If it's evenly distributed, you're going to buy intrusion detection firewalls. You're going to build SOCs. You're going to have 24 by 7 coverage because, at any moment, this bad thing is going to happen. But if it's asymmetrically distributed, this is a black swan event. You know, it's likely not going to happen. But, if it does, it's catastrophic. All right. So the strategy you might use is something completely different. It'd be like a resilience strategy. 
You're going to try to put resources in to survive it and not worry so much about preventing it. I just thought it was a fantastic idea. That was a long explanation. Did I put you to sleep when I was doing all this?

Dave Bittner: No, no. It's interesting. I mean, a couple of things come to mind. It makes me wonder, you know, to what degree is this kind of like, you know, your life insurance policy is going to cost a different amount than mine if you're a -- if your hobby is skydiving, right?

Rick Howard: Yeah. That's right.

Dave Bittner: I mean, does it align with that sort of type of thinking?

Rick Howard: That's right because, yeah. I think because it's -- that is -- skydiving is an asymmetric problem. Not everybody has that, right?

Dave Bittner: Right, right.

Rick Howard: You know, I shouldn't have to put a lot of money on everybody because, you know, just because grandma likes to jump out of airplanes when nobody else does, right?

Dave Bittner: Yeah. So, as you've been thinking about this, I mean, how do you suppose folks can take this notion and apply it to their own strategies?

Rick Howard: Well, you know, I've been thinking about, you know, how do you calculate cyber risk for a number of years now, and I think I finally figured it out, right. And what it's come to -- my conclusion is that for, you know, really small companies to maybe medium-sized companies, the best strategy for your organization is probably resilience and not prevention in the form of zero trust or intrusion kill chain prevention, all right, because, like I said, it's likely not to happen. But if you put a small amount of resources into things like backups and encryption and, you know, just a couple of little things like that, your chances of survival of a ransomware attack say next year will be, you know, really high compared to the other things you might invest in. So that kind of aligns directly with what I've been thinking for the last, I don't know, two or three years.

Dave Bittner: Yeah. All right. Well, interesting stuff, for sure. Thanks for sharing it with us. Rick Howard, thanks for joining us.

Rick Howard: Thank you, sir.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment: your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.