Disinformation and its often overlooked potential for denial-of-services.
Dave Bittner: Hacktivism and influence operations in the Hamas-Israel war. An OilRig cyberespionage campaign prospects a Middle Eastern government. Emailed bomb threats in the Baltic. Darkweb advertising yields insight into ExelaStealer malware. Casio discloses breach of customer data. The FCC proposes a return to net neutrality, while Consumer Financial Protection Bureau proposes data-handling rules under Dodd-Frank. Deepen Desai from ZScaler shares insights on MOVEit transfer vulnerabilities. Our own Simone Petrella speaks with Google’s Tatyana Bolton about the challenges of bridging the cyber talent gap. And RagnarLocker has been taken down by international law enforcement.
Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Friday, October 20th, 2023.
Hacktivism and influence operations in the Hamas-Israel war.
Dave Bittner: Cyber operations in the Hamas-Israel war continue to be characterized by a high-volume of opportunistic nuisance-level hacktivism. Influence operations contend over responsibility for the blast at Al Ahli Hospital in Gaza. The US Intelligence Community has concluded, tentatively, that the explosion seems to have been an accident caused by a malfunctioning rocket fired from Gaza toward Israel by Islamic Jihad. That was the Israeli position shortly after the incident. Hamas's claims that the explosion was due to an Israeli airstrike, however, continue to be generally accepted and circulated in Islamist and wider Arab circles, where they've driven widespread protests this week.
Dave Bittner: Most of the hacktivism in the conflict has been conducted in the interest of Hamas. Israeli operations by private-sector actors seem to have concentrated on collection and analysis, particularly with respect to identifying and locating hostages taken in the initial Hamas attacks. Haaretz reports that NSO, Rayzone, and AnyVision have been especially involved in this effort.
An OilRig cyberespionage campaign prospects a Middle Eastern government.
Dave Bittner: Iran's OilRig threat group, also known as APT34 and, by Symantec, as Crambus, conducted an eight-month intrusion campaign against a Middle Eastern government. The Threat Hunter Team at Symantec (a Broadcom company) reported yesterday that Crambus "stole files and passwords and, in one case, installed a PowerShell backdoor (dubbed PowerExchange) that was used to monitor incoming mails sent from an Exchange Server in order to execute commands sent by the attackers in the form of emails, and surreptitiously forwarded results to the attackers." Which government was targeted Symantec doesn't say, but the researchers do note that the Crambus target list has historically included Saudi Arabia, Israel, the United Arab Emirates, Iraq, Jordan, Lebanon, Kuwait, Qatar, Albania, the United States, and Turkey.
Emailed bomb threats in the Baltic.
Dave Bittner: The Baltic Times reports that waves of emailed bomb threats have been arriving in the region. They appear to represent a coordinated campaign run by Russian operators. "It has been established that the senders of the e-mails are actively participating in Telegram channels created by Russian-speaking pro-Russian groups and instigating (the spreading of) e-mails threatening to blow up educational establishments," Lithuanian Police Commissioner General Renatas Pozela said. The campaign began last Friday, with 900 bomb threats against Lithuanian kindergartens and schools, and it continued over the weekend with some 1500 threats against "educational establishments, municipal buildings and other public locations."
Dave Bittner: The threats were empty; no bombs were found. Lithuania's Interior Minister Agne Bilotaite called it a regional attack, since Estonia, Latvia, and Poland had all been affected. "This is an attempt to create a certain panic, to destabilize the situation in a sense, and to burden institutions, especially law enforcement, with an additional load," she said at a news conference.
Dave Bittner: We’re all familiar with distributed denial-of-service, when a website or service is choked with traffic. The bomb threats aren’t DDoS in this sense, but consider them a denial-of-services with-an-ess, services in the plural, campaign. When investigators and first responders are chasing false alarms, they’re not able to handle real threats. And kids aren’t learning if their school day is one long fire drill.
Darkweb advertising yields insight into ExelaStealer malware.
Dave Bittner: Fortinet is tracking a new commodity infostealer called “ExelaStealer” that emerged on underground markets in August 2023: “ExelaStealer is a largely open-source InfoStealer with paid customizations available from the threat actor. It is written in Python, although it pulls resources from other languages (e.g., JavaScript) where needed. It can steal sensitive information from a Windows-based host (e.g., passwords, credit cards, cookies and session data, and general keylogging).”
Dave Bittner: Criminal customers in the C2C market can pay a monthly subscription of $20 to use ExelaStealer, or they can spend a one-time fee of $120 for lifetime use.
Email threat trends.
Dave Bittner: VIPRE Security Group’s Q3 2023 Email Threat Report has found that “[t]hreat actors are increasingly hiding malicious links in Google Drive and other cloud storage spaces.” VIPRE states, “Google Drive is a convenient, centralized location for hiding malware and a great watering hole for unsuspecting users. Cybercriminals can stuff docs full of malicious links and click to download malware that otherwise wouldn’t make it through traditional email protection solutions.”
Dave Bittner: Pdfs and QR codes are showing up a lot in malicious spam. VIPRE says, “PDFs as a malspam delivery tool have more than quadrupled since Q1 this year.” Notably, the researchers state that “QR code-based phishing emails accounted for a full ten percent of the total phishing emails we received this quarter.”
Casio discloses breach of customer data.
Dave Bittner: Japanese electronics company Casio has disclosed a data breach of personal information belonging to customers in 149 countries. The breach affected ClassPad, Casio's education web application, and involved “91,921 items belonging to customers, including individuals and 1,108 educational institution customers.” The exposed data included customer names, email addresses, purchasing information (the company notes that it doesn’t retain credit card data), and service usage information.
Dave Bittner: Casio said in its disclosure, “On the evening of Wednesday, October 11, when the person in charge attempted to work in the development environment, it was discovered that a database failure had occurred, and the company assessed the situation. As the company continued to analyze the situation, it was additionally confirmed that, on the evening of Thursday, October 12, the personal information of some residents of countries other than Japan was accessed. At this time, it has been confirmed that some of the network security settings in the development environment were disabled due to an operational error of the system by the department in charge and insufficient operational management. Casio believes these were the causes of the situation that allowed an external party to gain unauthorized access.”
Dave Bittner: One lesson seems to be, don’t neglect the development environment, and test code with security in mind.
FCC proposes a return to net neutrality.
Dave Bittner: This week has seen a couple of regulatory developments. The US Federal Communications Commission (FCC) is moving toward a return to net neutrality. The Wall Street Journal characterizes the proposed regulation as treating Internet service providers like utilities. The regulations would prevent carriers, for example, from giving favorable treatment to some content providers.
CFPB proposes data-handling rule under Dodd-Frank.
Dave Bittner: Yesterday the US Consumer Financial Protection Bureau (CFPB, an independent agency responsible to the Federal Reserve) proposed a rule that would affect how financial institutions handle their customers' data. The Personal Financial Data Rights rule would give consumers more control over the data they share with institutions, and it would impose certain restrictions on how those institutions handle those data. It would in particular prevent firms from "misusing or wrongfully monetizing the sensitive personal financial data." The authority for the proposed rule is Section 1033 of Dodd-Frank. The rule is open for comment until December 29th.
RagnarLocker taken down by international law enforcement action.
Dave Bittner: And, finally, there’s been a notable law enforcement success. The RagnarLocker ransomware operation’s negotiation and data leak sites were seized yesterday by an international group of law enforcement agencies, BleepingComputer reports. A spokesperson for Europol told TechCrunch that the agencies will officially announce the takedown later today. Based on the takedown notice posted to the seized websites, the operation involved law enforcement entities from the US, Germany, France, Italy, Japan, Spain, the Netherlands, the Czech Republic, and Latvia.
Dave Bittner: BleepingComputer notes that RagnarLocker wasn’t part of a ransomware-as-a-service operation, but was a private gang that would recruit outside help to breach networks.
Dave Bittner: So bravo to all the agencies involved in the takedown. It probably represents a knockdown and not a knockout for RagnarLocker, but nonetheless, well done, and three cheers for international law enforcement cooperation.
Dave Bittner: Coming up after the break, Deepen Desai from ZScaler shares insights on MOVEit transfer vulnerabilities. Our own Simone Petrella speaks with Google's Tatyana Bolton about the challenges of bridging the cyber talent gap. Stick around. [ Music ] Tatyana Bolton is security policy manager at Google and a senior advisor on the U.S. Cyberspace Solarium Commission. Our own N2K president Simone Petrella spoke with Tatyana Bolton about the challenges of bridging the cyber talent gap.
Simone Petrella: When you talk about all these amazing initiatives that are happening across the industry, including what Google's doing to increase the pipeline, and that, you know, not only the pipeline of cyber talent, but even more diverse cyber talent. It always strikes me that it's not possible to think about that pipeline unless you create room within organizations to allow for those new candidates to actually come into entry-level positions and kind of upskill or give a path for those who are there in the companies already. And I'm curious if there's anything, even just anecdotally, you can share about how Google thinks about talent in a retention sense. Because if you don't have a way to retain and pathway people, it's hard to kind of create a world where we can take that entry-level talent and actually grow them into the roles.
Tatyana Bolton: Yeah. Well, so, Google does a lot, like it helps us significantly with growing our expertise. We've got, you know, great support to get training and upskill, try new positions at Google. So, those are all I think best practices that Google, you know, currently uses. But I think, just generally, we need to make sure that we are thinking about, like you were talking about, the issue of people coming in the door and like the - some of the requirements. I think there's a number of things we could do there. Right? We've got bachelor's degree requirements, CISSP requirements, five years of experience for entry-level positions. That's just silly. And I think we've been talking about this for a long time. But it is inherent on the people who are doing the hiring to take that in and really do strategic assessments of their hiring documents and the position descriptions to determine whether a CISSP is actually needed for an entry-level position, or if you could actually do better for your organization as a whole by bringing in more entry-level talent, helping them, mentoring them. Obviously, that's a really critical component. And you can't like bring on entry-level talent and not help them along, not do the training because that, you know, presents a number of issues. But if you're committed to the mentorship and the training piece, if you bring in the entry-level talent, you can get - you can really help a person grow their career and it bring - and it allows them to grow, develop as a professional with room for - you know, with room for growth. Right? So, you don't always - I think in DC, you see this a lot in the federal government, everybody's like a 13, 14. They're senior-level policy people. Right? They're senior-level technical people. There's very - there's almost very little room at the beginning. And I think we need to address the structural underlying issues, such as those position descriptions, the fact that managers are eager to get experienced talent. So, we need to address those types of things to make sure that it's easy or easier for organizations to hire that entry-level person - professional, right, and make sure the requirements are reasonable. And then, to your point on retention, yeah, absolutely, like it's - I think culture plays a big role in this, too. Pretend like - you've got to have a good culture in order to retain your talent. You need to give people room for growth. You have to allow them training. That helps not only the person, it helps - the professional, it also helps your organization. And, so, I think there is - you know, with some of those things built in, you can do a lot of work. Obviously, CISA has focused on the pay piece, which is great. I think it's addressed some of those problems by putting in cyber pay at CISA, making it more enticing to work there. Obviously, they're competing against large name brands and organizations -
Simone Petrella: Like Google.
Tatyana Bolton: It is amazing to work here. So, you know, what can I say? But, you know, NSA also has a great recruitment and retention program. Right? NSA has almost a best in class within the federal government. They - you know, they allow rotations, they encourage training, trying new things, they hire at the entry level, they grow their talent. So, it is possible. Right? And, so - and I think like there's pockets of this excellence across the world. And I think we should take some of those best practices and put them to work across the ecosystem. Because, you know, CISA has cyber pay, but have they really implemented the rotational part of what makes NSA hiring so great and retention so great? No. And, so, I think we need to - we still have work - we still have work to do and room to grow that. But nothing - you know, Rome wasn't built in a day. I just hate myself for having said that cliche out loud.
Simone Petrella: I'll put it on my bingo card. But it's - you know, your point on job descriptions is so salient because, you know, not to sound overly crass, but the amount of times I've worked with organizations on their job descriptions and, frankly, they suck. And it's because people are busy, hiring manager is busy, we take one off the shelf and we kind of repurpose it. And, at the end of the day, even though it might take extra effort to get them right, what I hear you saying and what I kind of see myself is you have to know where you want to go with those rules before you can create a path or an opening for someone to get into them.
Tatyana Bolton: Right. I think this speaks to the need to develop a workforce strategy within your organization. If you're an organization that's struggling to get cyber talent, which many of them are, you need to think about it strategically. You need to sit down - and it should be an executive-level exercise. This is I think one of the areas where it goes wrong. There's not executive-level review and investment into the cyber workforce. And that is the level at which this needs to be done. With that, you can do an assessment. Are these the right people? Where are we going in five years? Where do we want to be in 10 years? And what does that workforce look like that gets us there, because it's not necessarily the workforce you have today. And, you know, obviously, technology change, you know, the times change, a pandemic happens. Who predicted that one? So, like you - obviously - and it's a hard task for companies. I'm not going to lie. It's not - you know, you have to almost look into a crystal ball and like - but do some - you know, do some data analysis. Cyberseek.org, plug for them, amazing work. They have great datapoints broken out by sector or broken out by levels of hiring. So, definitely a place to look as a resource as you're trying to do some of this review and analysis for your organizations. Also, one point, because I mentioned emerging technologies, AI I think also is definitely a place that will have an impact on the cyber workforce, as it will I think on most of the workforce. At Google, obviously, we've been working on and developing AI technologies for more than a decade already. But I think now, you know, there is a really big focus on it. And we are, you know, moving ahead boldly, but responsibly. You know? But we see opportunities in the workforce space. Right? For example, how AI can be used in a safe manner. We actually just put out the AI Safe Principles, SAIF. So, you can take a look at those. But the - they think - they talk about how you can actually use AI to secure your networks and how it can help the defender. Right? What defender doesn't have issues identifying, prioritizing and addressing the insane number of vulnerabilities that exist and applying patches in a prioritized manner? Right? What if we could figure out a way how AI can help that? Right? So, there is this - some of this toil that a lot of people experience and leads to burnout in the industry that we can also think creatively about how we can apply AI to help that. So, you know, I think it's - there's a lot of opportunity. And I think we're already looking at what - looking at how to apply these things. So, we are - so, there's stuff out there. At DEFCON, for example, we just did an AI red team. Right? And, so, we're try - we're looking at like not just talking about, you know, the defense of the past, but what it looks like in the future, training those professionals to think about AI, making sure they're engaged, making sure they're aware of the technology, how to work with it, how to address and then utilize the technology to best effect. And, you know, obviously, from my perspective, to defend our networks and systems.
Dave Bittner: That's Tatyana Bolton, security policy manager at Google, speaking with N2K president, Simone Petrella. [ Music ] There's a lot more to this conversation. If you want to hear more, head on over to the Cyberwire Pro and sign up for Interview Selects where you'll get access to this and many more extended interviews. [ Music ] And it is always my pleasure to welcome back to the show Deepen Desai. He is the Global CISO and head of Security Research and Operations at Zscaler. Deepen, it's great to welcome you back. It seems as though day after day we hear about more and more organizations who have been hit by this MOVEit file transfer vulnerability. And I know this is something you and your colleagues have had your eye on. What sort of things can you share with us about the research you all have been doing?
Deepen Desai: Thank you, Dave. So, the vulnerability that we're talking about over here is impacting MOVEit transfer application. And the specific one that has caused a lot of damage is the SQL injection vulnerability that results in threat actor being able to execute additional commands and steal sensitive information. This vulnerability, upon successful exploitation, could allow an unauthenticated user or an attacker to gain access to the MOVEit transfer database. So, this is where they are able to infer information about the internals of the database, alter or delete the elements, or even steal information that resides in the database. The type of databases is where, you know, you will - you guys will see the breadth of coverage across various organizations. So, the type of databases include MySQL, Microsoft SQL Server or your SQL, and this is where the vulnerability actually allows adversaries to implant a remote web shell in the victim environment with access to these databases.
Dave Bittner: Yeah, I mean, it really seems like at the moment this vulnerability is kind of the poster child for a third-party vulnerability. So, many organizations are finding themselves being hit here.
Deepen Desai: Yeah. I mean, this software is heavily used in several industry verticals starting with healthcare, there are like several IT departments, even in case of financial services, government, various global organizations were found to be using it. Now, the maximum damage that we have seen over here is where the application was exposed to the internet. And this is where we saw one of the notorious ransomware gang, KLO ransomware group. And this actually goes back to one of the trend that we're noticing, encryption-less ransomware attack. In this case, the KLO ransom gang just basically targeted any vulnerable systems with this vulnerability installed, that web shell, and exfiltrated large volume of data from several global organizations. And then they're demanding ransom from these organizations with a threat of making that data public if they don't pay the ransom. But they did nothing other than exploiting a vulnerable internet-exposed server and then exfiltrating data. No payload trans - well, there was a web shell planted, but no user being targeted, no asset, no persistence being established in the victim environment, no recon done. It's just targeting this high-profile application that is vulnerable.
Dave Bittner: Well, what are the lessons learned here? I mean, it's easy to look back and kind of, you know, armchair quarterback what's going on here. But what are the takeaways? Organizations trusted, move it as a provider, but this could happen to anybody.
Deepen Desai: Yeah, this could happen to anybody. And the closest one that I would relate this to is Log4j. Right? That's where - and it's not more so about the vendor, but the type of issue getting discovered and the amount of usage, both internal and external, of this specific application or the module that's actually vulnerable. That's what the common trend between those two things are. Now, lessons learned over here, you really need to reduce your external attack surface. That's the number one thing. And that's something that I was speaking about back when Log4j happened as well. Number one is if the attacker is not able to do a recon and target those applications, you know, you're automatically protected at a stage one. It still doesn't mean that you don't have to patch it. You absolutely must prioritize patching these type of vulnerabilities that target any of your critical applications, any application where Tier 1 data. Tier 1 definition, in my opinion, is your employee data, your customer data, your codebase, any sensitive information that can cause significant brand reputation harm. You need to prioritize patching. So, that's stage two. Stage one, reduce your attack surface. Stage two, prioritize patching. Even if that application is internal, you need to prioritize patching those application because what we're seeing in this threat landscape is the multistage attacks where if one of your user falls for an attack, they will use that machine to discover these type of applications that are vulnerable, even if it's internal. Right? So, that will reduce your blast radius to only your employees that may make mistake. But you're still vulnerable to these type of vulnerabilities. And especially when something like MOVEit or Log4j happens, these threat actors, the first quick thing they will do is anything that is exposed to the internet, they will target that. The next thing you will see is they will start weaponizing payloads that then gets planted on those end user machines. And that's where they will then move around in the environment discovering these vulnerable applications and stealing information in that manner.
Dave Bittner: Yeah, I mean, it really is a cautionary tale here. But I suppose it's good that there are lessons to be learned here.
Deepen Desai: Absolutely.
Dave Bittner: Yeah. All right. Well, Deepen Desai is Global CISO and head of Security Research and Operations at Zscaler. Deepen, thank you so much for taking the time for us today. [ Music ] And that's the Cyberwire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. Be sure to check out this weekend's "Research Saturday" and my conversation with Sysdig's Alessandro Brucato and Michael Clark. We're discussing their research, AWS's hidden threat, AMBERSQUID Cloud-Native Cryptojacking Operation. That's "Research Saturday." Check it out. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by our editorial staff. Our Executive Editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. we'll see you back here next week.