Vigilance isn’t purely receptive. Without criticism, it will become blind with detail.
Dave Bittner: Nation-states exploit the WinRAR vulnerability. Criminals leak more stolen 23andMe data. QR codes as a risk. NSA and partners offer anti-phishing guidance. A Ukrainian hacktivist auxiliary takes down Trigona privateers. Hacktivism and influence operations remain the major cyber features of the Hamas-Israeli war. On today’s Threat Vector, David Moulton speaks with Kate Naunheim, Cyber Risk Management Director at Unit 42, about the new cybersecurity regulations introduced by the SEC. Our own Rick Howard talks with Jen Miller Osborn about the 10th anniversary of ATT&CKcon. And the epistemology of open source intelligence: tweets, TikToks, Instagrams–they’re not necessarily ground truth.
Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Thursday, October 19th, 2023.
Nation-states exploit the WinRAR vulnerability.
Dave Bittner: Google’s Threat Analysis Group (TAG) warns that several government-backed threat actors are exploiting CVE-2023-38831, a vulnerability in WinRAR that was patched on August 2nd. The flaw “allows attackers to execute arbitrary code when a user attempts to view a benign file (such as an ordinary PNG file) within a ZIP archive.”
Dave Bittner: TAG says Russia’s Sandworm and APT28 threat actors (both attributed to the GRU) have been making use of the flaw, along with China’s APT40 (also known as “ISLANDDREAMS”). The threat actors use phishing emails to deliver malicious ZIP archives containing the exploit.
Another malvertising campaign described.
Dave Bittner: Malwarebytes describes an ongoing malvertising campaign that’s using several improved techniques to evade detection. The campaign impersonates the website for Notepad++, a text editor for Windows. The researchers say the threat actors “are successfully applying evasion techniques that bypass ad verification checks and allow them to target certain types of victims. With a reliable malware delivery chain in hand, malicious actors can focus on improving their decoy pages and craft custom malware payloads. This is another space where we see some innovation and where security vendors are currently running behind.” Malvertising can be insidious. Who doesn’t basically trust ads, after all? Some of them we like a lot. Our sponsors’, for example, or the Dr. Rick ads for insurance companies. Sure, sometimes ads can be irritating, but they’re so much a part of the background that we take them for granted. As Dorothy Sayers said so many years ago, “It pays to advertise.” (And some of the ads she wrote in the 1920s are still in use today.)
Criminals leak more stolen 23andMe data.
Dave Bittner: A cybercriminal using the nom-de-hack "Golem" has dumped more data stolen from 23andMe onto BreachForums. TechCrunch reports that the company is investigating the authenticity of the claimed leak, which Golem says includes data from “the wealthiest people living in the U.S. and Western Europe." 23andMe says its systems weren't compromised with malware or left open through a security lapse, but rather that the attackers gained access through credential stuffing.
QR codes as a risk.
Dave Bittner: SlashNext outlines QR code phishing, or “quishing,” noting that users should treat QR codes with the same wariness they’d use when clicking a regular URL. SlashNext cautions, “Traditional security filters, including Microsoft SafeLinks and other URL rewriting solutions, often focus on URLs. By using QR codes instead, attackers can sidestep these filters, making their phishing attempts more likely to succeed.”
Dave Bittner: SlashNext adds, “QR codes are used in various contexts, such as marketing campaigns, ticketing systems, and contactless payments. This wide range of applications provides hackers with numerous opportunities to exploit QR codes for their malicious purposes.”
Dave Bittner: And the malice lies in the destination, not the journey. There are many roads to security perdition, and some of them are paved with QR codes.
NSA and partners offer anti-phishing guidance.
Dave Bittner: The US National Security Agency (NSA) and its partners have issued a report outlining guidance to protect against evolving phishing attacks. The Cybersecurity Information Sheet (CSI) offers some actionable recommendations small- and medium-sized businesses should be able to turn to good use. Read the whole thing at nsa dot gov, and search for “How to protect against evolving phishing attacks.”
Details of the present surge in ransomware.
Dave Bittner: GuidePoint Security’s Research and Intelligence Team (GRIT) has released a report looking at ransomware trends in the third quarter of 2023, finding a 15% increase in ransomware attacks compared to Q2 2023, and an 83% year-over-year increase in publicly posted ransomware victims.
Dave Bittner: The surge in posts lends itself to different interpretations. It might be that there’s more ransomware out there, of course. But it might also mean that more crooks are posting victims because the victims aren’t as ready to pay up as they used to be.
Dave Bittner: By the way, before we leave the topic of cybercrime, we’re sometimes asked what to do if you’ve learned of a cyberattack. We recommend contacting the FBI. If you’ve got a tip about cybercrime, or about some malfeasance in cyber matters, let the Bureau know about it. Blow the whistle to the FBI at tips dot fbi dot gov.
Ukrainian hacktivist auxiliary takes down Trigona privateers.
Dave Bittner: Turning now to the world’s two major hybrid wars, in one of them we’re seeing a hacktivist auxiliary boarding a privateer in their own smoke.
Dave Bittner: Members of the Ukrainian Cyber Alliance (UCA) claim to have gained access to servers used by the Trigona ransomware gang. BleepingComputer reports that the hacktivists say they "exfiltrated all of the data from the threat actor’s systems, including source code and database records," and then wiped the servers. The UCA exploited CVE-2023-22515, a recently described vulnerability in Atlassian's Confluence Data Center and Server to gain remote access and elevate their privileges to work their damage. "Welcome to the world you created for others!" a member of the UCA tweeted above a taunting screenshot headlined "Trigona is gone." They're still sorting through the data they exfiltrated from Trigona, but if they find the files contain decryption keys, they say they intend to make those publicly available for the victims of Trigona attacks to use in recovering their systems.
Dave Bittner: Trigona is a Russian gang that's operated since at least October of 2022, when its emergence was noted and described by the Malware Hunter Team. It functions as a privateer, its criminal activity tolerated and protected by the Russian government as long as its money-making raids avoid Russian targets and hit adversaries of the Russian state.
Dave Bittner: The Ukrainian Cyber Alliance is a hacktivist auxiliary working in the interest of the Ukrainian government. It began forming in 2014 (the year Russia invaded and took Crimea) and has since been officially chartered as a non-governmental organization "governed by civic duty" to Ukraine. The group's tagline is "disrupting russian criminal enterprises (both public and private) since 2014."
Dave Bittner: Everybody needs a tagline–it pays to advertise.
Hacktivism and influence operations remain the major cyber features of the Hamas-Israeli war.
Dave Bittner: ZeroFox has a useful account of the ways in which misinformation (false claims made without malicious intent) and disinformation (intentional lies told with a political purpose) are unfolding in the current war. Some of the disinformation originates from third-parties to the conflict. "ZeroFox intel has identified a notable uptick in anti-Palestinian disinformation from seemingly Indian accounts and anti-Israel disinformation from seemingly pro-Russian accounts."
Dave Bittner: Bloomberg describes a surge in hacktivism related to the war, some of it a genuine grassroots phenomenon, some of it conducted by state-directed auxiliaries and front groups. A significant number of the front groups appear to be run from Iran.
Dave Bittner: An example of competing narratives has been on prominent display with respect to damage to a Gaza hospital. Both sides had accused the other of a strike against the Al Ahli Hospital, with Hamas calling it an Israeli airstrike and Israel calling it a malfunctioning rocket launched toward Israel by Palestinian Islamic Jihad. Evidence increasingly points to the latter. The US National Security Council tweeted its evaluation of the Al Ahli Hospital incident. "While we continue to collect information, our current assessment, based on analysis of overhead imagery, intercepts and open source information, is that Israel is not responsible for the explosion at the hospital in Gaza yesterday."
OSINT isn't immediate ground truth.
Dave Bittner: And, finally, we’ve seen a lot of attention paid to open source intelligence in the two ongoing hybrid wars. It’s worth remembering the old distinction between intelligence and information. Information is unanalyzed, stuff people say, pictures people show up with. Intelligence is the conclusion drawn, critically and rationally, with various degrees of confidence, from that information. There’s been a tendency to take open source information at face value, assuming that the tweeted video of a missile is real, not faked, not pulled from, say, Rainbow Six Siege screenshots.
Dave Bittner: To regard raw, unanalyzed information--from social media feeds, videos, etc.--as conclusive ground truth is to misunderstand OSINT. An essay in 404 Media argues that familiar, amplified, blue-checked accounts aren't automatically credible, but rather must themselves be subjected to analysis and verification. Such sources have contributed greatly to the generation of disinformation and misinformation.
Dave Bittner: So stay critical, and stay safe.
Dave Bittner: Coming up after the break, on today's "Threat Vector," David Moulton speaks with Kate Naunheim, Cyber Risk Management Director at Unit 42, about the new cybersecurity regulations introduced by the SEC. Our own Rick Howard talks with Jen Miller Osborn about the 10th anniversary of ATT&CKcon. Stay with us. [ Music ]
David Moulton: Welcome to "Threat Vector," a segment where Unit 42 shares unique threat intelligence insights, new threat actor TTPs, and real-world case studies. [ Music ] Unit 42 has a global team of threat intelligence experts, incident responders, and proactive security consultants dedicated to safeguarding our digital world. I'm your host, David Moulton, Director of Thought Leadership for Unit 42. [ Music ] In today's episode, I'm going to be talking with Kate Naunheim about the new SEC rules. Kate is a Cyber Risk Management Director at Unit 42 with over 15 years' experience in technology solutions delivery and a decade of expertise in cybersecurity. The information provided on this podcast is not intended to constitute legal advice. All information presented is for general informational purposes only. The information contained may not constitute the most up-to-date legal or interpretative compliance guidance. Contact your own attorney to obtain advice with respect to any particular legal matter. [ Music ] Kate, thanks for joining me today on "Threat Vector." I want to start us off with a really simple question: What is the SEC?
Kate Naunheim: I'm really glad you started there, David. So, the SEC is essentially the U.S. Securities and Exchange Commission, which is an independent agency that was established in 1934, really after the Stock Market crashed in 1929 and the resulting Great Depression. It oversees multiple functions related to the securities market. So, things like enforcement of laws, regulation, registration of securities, reporting, [inaudible 00:13:04] protection, and rule-making. The agency helps create a level playing field and ensures transparency, and protects the interest of investors.
David Moulton: What are SEC rules, Kate?
Kate Naunheim: Yes, so SEC final rules are legally binding regulations relates to enforce securities laws.
David Moulton: Can you explain the rationale behind the SEC's decision to introduce cyber regulations at this time?
Kate Naunheim: The SEC Chair, Gary Gensler, said that currently, many public companies provide cybersecurity disclosure to investors, but he said "I think its companies and investors alike would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way, through helping to ensure the companies disclose material cybersecurity information."
David Moulton: How would these regulations affect reporting and disclosure requirements for publicly traded companies?
Kate Naunheim: Yeah, so there's several requirements for publicly traded companies. The first is that the new Form 8-K Item 1.05 will require registrants to disclose any cybersecurity incident they determine to be material and describe the material aspects of the nature, scope, and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the registrant. This really must be done within 4 business days of determining that an incident is material. There will be another requirement through new Regulation S-K Item 106 which will require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant. And then Form 6-K will be amended to require foreign private issuers to furnish information on material cybersecurity incidents that they make, were required to make public or otherwise disclose in a foreign jurisdiction to any stock exchange or to security holders.
David Moulton: Are there specific industries or sectors that will be more heavily affected by these regulations? Why is that?
Kate Naunheim: Yes, David, so there are definitely industries that will be impacted more greatly by the final rule. Any industries that have high numbers of cybersecurity incidents will be more heavily affected. Those are things like publicly traded companies in industries like manufacturing, finance, professional services, health care services, energy and utilities, and then any publicly traded companies in industries that are not highly regulated or subject to compliance requirements may also be affected, because those industries will have to scramble to develop their cyber risk management programs quickly.
David Moulton: What steps should organizations take to ensure compliance with the new cyber regulations and what are the potential consequences of noncompliance?
Kate Naunheim: For many publicly traded companies, they'll have to start reporting in December, material cyber security incidents. So, organizations should first develop resources to identifying a playbook for how this is done, because cobbling together the appropriate procedures from separate policies and groups is going to be prohibited if an incident does occur. Following this, organizations subject to the rules should immediately perform a gap assessment against the new requirements to understand where they fall either through a self-assessment or independent assessment. And then when they've identified those gaps, they need to implement corrective actions through a workflow system and set due dates so the remediations are really completed in a timely manner. These corrective actions are likely going to include changes to policy and procedures, process creation, materiality analysis processes, and SEC reporting processes. And then once their remediations are complete, the company should perform a reassessment to make sure they have closed all the gaps.
David Moulton: How do these regulations align with existing cybersecurity standards or frameworks such as NIST or ISO?
Kate Naunheim: The new regulations align well with the frameworks at a high level in that both NIST and ISO require risk management programs are in place. For example, NIST maintains the NIST [inaudible 00:16:53] for risk management framework and that's a comprehensive approach to risk management. But NIST also maintains Special Publication 800-53 Revision 5, which is "Security and Privacy Controls for Information Systems and Organizations." ISO 27001 and 27002 also have [inaudible 00:17:09] to risk management such as requirements for information security risk assessments and treatments, as well as general risk management requirements.
David Moulton: Kate, looking at what trends or developments in cybersecurity regulation should we be watching out for in the near future?
Kate Naunheim: I'm really interested to see what comes to the push for harmonization of cybersecurity frameworks. Due to an increasingly crowded field of laws and regulations with respect to cybersecurity standards, on July 19th, 2023 the Office of the National Cyber Director, ONCD, released a request for information or RFI asking for public comment on opportunities for and challenges to harmonizing federal cybersecurity regulations. An effort to harmonize competing requirements and assessments is long overdue. So, this focus has the potential to be really beneficial. I'm very interested to see what comes along with that. And this SEC rule is just one of a number of efforts in the U.S. and around the globe where policymakers are expecting to do more on their cybersecurity posture. Many of these recent regulatory efforts and proposals focus on two similar buckets: cyber incident reporting and cyber risk management plan. [ Music ]
David Moulton: Hey, thanks for joining me today on "Threat Vector." This conversation has been a great reminder of how integral security has become for every organization. If you're interested in going deeper on this topic, join the Unit 42 experts on November 9th for a webinar on the proposed SEC rules. A link will be in the Show Notes. The title of that webinar is The Ransomware Landscape: Threats Driving the SEC Rule and Other Regulations. We'll be back on the CyberWire in two weeks. In the meantime, stay secure, stay vigilant. Goodbye for now. [ Music ]
Dave Bittner: We hope you enjoyed this week's "Threat Vector" segment. We're hoping to gather some insights from you, our audience, and you would like to shape future "Threat Vector" segments. Would you take three minutes or so to help us out? There's a link on today's Show Notes to our brief survey. Please, share your thoughts. [ Music ] Rick Howard recently got together with Jen Miller-Osborn, Senior Principal Research Scientist at NetWitness and Adam Pennington, the current Lead for MITRE ATT&CK. Here's their conversation.
Rick Howard: Anyone that has ever heard me talk knows that I'm a gigantic fan of the MITRE ATT&CK framework. It features prominently in my book, "Cybersecurity First Principles: A Reboot of Strategy and Tactics," and I always dedicate a slide or two to the subject whenever I'm giving a presentation to a security crowd. Well, MITRE is hosting ATT&CKcon 4.0 at their company headquarters in McLean, Virginia on 24 and 25 October and to celebrate their 10-year anniversary of releasing the ATT&CK framework to the masses, they are bringing back most of the original team to give their perspective on why they created it, how it connects to the Lockheed Martin Kill Chain model, and the Department of Defense's Diamond model; how the Infosec community has adopted it as the de facto repository for open source intelligence and what the future might hold for the framework in the next ten years. I sat down with Jen Miller-Osborn who just recently stepped down as Palo Alto Networks' Deputy Intelligence Director for Unit 42, and Adam Pennington, the current Lead for MITRE ATT&CK. I started by asking Jen how she got started with MITRE ATT&CK back in the day.
Jen Miller-Osborn: It was just a natural fit for my skills. It was technical analysis project, but also needed some language skills as someone who was a Mandarin translator previously for the government, I had a lot of the skills to kind of guide it and I found what we were doing and the data that we had absolutely fascinating. It's still one of my favorite things that I've worked on. I will always miss it.
Rick Howard: Well, let's paint the picture Adam, right? So, before MITRE ATT&CK framework, what were we all doing as Intel Analysts that prompted us to build something like the framework? What were we all doing before?
Adam Pennington: So, we had some high-level models that we were using pretty effectively and looking at sort of the overall threat picture. So, we had things like the Diamond model, if we were looking to do attributions, sort of pulling together the different aspects of an adversary or the Cyber Kill Chain if we were looking for things like a gap analysis sort of for the high-level stages for an attack. But we were doing a series of Red and Blue Team exercises internally. I think it was back before we were really using the word "Purple" teaming where there was this need to be able to get into a bit more granularities, so telling a Red Team "Do this Kill Chain step," or "Do this point of the Diamond model." It's not enough detail for the Red Team to really even sort of form a plan. You know, it's something like in model they're worked to, but it's not sort of, you know, a great use case or some of those existing models. And so, as Jen said, we had this great data source. We had a bunch of insights from honeypots into specific behaviors that mostly state actors had been doing over periods of time. I had worked with Jen on the analysis of that data and then they were able to take it and start extracting out those finer grain techniques; what became techniques in ATT&CK in order to describe those much more close in behaviors.
Rick Howard: Do you remember the adversary campaign that -- the initial that you started with? Is it still around or is it an old one that no one remembers anymore?
Jen Miller-Osborn: It is still around. It does not have the same name anymore, but the actors are still around. Every now and then we'll see kind of a blast from the past with some of the malware that we discovered and made over the course of, you know, the last nine years in Unit 42, and we won't have seen it for years, and they'll be "Oh, look it's back."
Rick Howard: Do you remember the name we used to call it?
Jen Miller-Osborn: Scarlet Mimic was [multiple speakers].
Rick Howard: Scarlet Mimic! I remember those guys, yeah. I totally remember them. Adam, coming back to you, we all forget that back before you guys standardized the language, both English language and machine-readable language, right, that most of the security vendors on the planet had their own version of how to describe things. So, you know, security vendor A would be talking about one adversary campaign; security vendor B might be talking about the same -- the same group or the same campaign strategy or techniques, but nobody knew because they all used different language, they all had different names for it, and so, it took the community, oh you know, a gigantic amount of effort just to figure out what was going on. So, this is a big innovation, right, for MITRE ATT&CK, because they all speak the same language.
Adam Pennington: Right, yeah I think getting it out there was probably the biggest innovation. And that, yeah so there were other people that were doing work looking at categorizing these threats doing their own internal pieces where they were, you know, coming up with names for their behaviors. And so, you know, Jen and her team created the original TTP sheet, you know, the original Excel spreadsheet all the way back in 2013. So, this year we're celebrating the 10th anniversary.
Rick Howard: It's your fault then that we still use spreadsheets to track adversaries, okay.
Jen Miller-Osborn: To be fair, Blake is equally culpable on the spreadsheet thing, but I -- everything is a spreadsheet. [ Laughter ] It's so crazy to me, but it's -- yeah, how insane it went over 10 years given how hard we had to fight.
Adam Pennington: It has been a fun ride. I don't think any of us predicted, right, just the intelligence nature where it came from from real data at the beginning. We've said that out in public in the past. Most people actually don't catch it that, you know, it was -- was from this real -- real honeypot data where Jen was doing the really hard analysis on these very long reports getting into every single activity that these actors were doing. Some of those reports were pretty insane that were the precursor to ATT&CK. And it's just I'm absolutely thrilled to have the four original creators coming back to join us next month. Blake Strom was the original lead and then the creators along with Blake were Jen Miller-Osborn, Eric Sheesley, and Brad Crawford. And then moderating the panel is going to be somebody who came into MITRE right around ATT&CK's original public release, Katie Nickels. I'm super excited about the 10th anniversary panel that Jen's going to be a part of as one of those creators, and I'm just going to be part of ATT&CK on where I get to step back, sit in the audience, and just enjoy.
Dave Bittner: That's Rick Howard speaking with Jen Miller-Osborn and Adam Pennington. [ Music ] And that's the CyberWire. For links to all of today's stories, check out our "Daily Briefing" at the cyberwire.com. We'd love to know what you think of this podcast. You can email us at email@example.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.