The CyberWire Daily Podcast 10.27.23
Ep 1936 | 10.27.23

Social engineering as a blunt instrument–almost like swatting without the middleman.

Transcript

Dave Bittner: Eastern European gangs overcome their reservations about working with anglophone criminals. Mirth Connect is vulnerable to a critical flaw. A look at a mercenary spyware strain. “PepsiCo” as phishbait. Ben Yelin explains the FCC’s renewed interest in Net Neutrality. Our guest is Wade Baker from the Cyentia Institute with insights on measuring risk. And Europol thinks police should take a good look at quantum computing and law enforcement.

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Friday, October 27th, 2023.

Eastern European gangs overcome their reservations about anglophone criminals.

Dave Bittner: Microsoft describes “Octo Tempest,” a financially motivated threat actor that uses social engineering to compromise organizations around the world.

Dave Bittner: “In mid-2023,” Microsoft researchers write, “Octo Tempest became an affiliate of ALPHV/BlackCat, a human-operated ransomware as a service (RaaS) operation, and initial victims were extorted for data theft (with no ransomware deployment) using ALPHV Collections leak site. This is notable in that, historically, Eastern European ransomware groups refused to do business with native English-speaking criminals. By June 2023, Octo Tempest started deploying ALPHV/BlackCat ransomware payloads (both Windows and Linux versions) to victims and lately has focused their deployments primarily on VMWare ESXi servers. Octo Tempest progressively broadened the scope of industries targeted for extortion, including natural resources, gaming, hospitality, consumer products, retail, managed service providers, manufacturing, law, technology, and financial services.” Among the gang's victims, the Record points out, was MGM Resorts. At the time of that attack, the group was being called Scattered Spider, 0ktapus or UNC3944.

Dave Bittner: One of the more repellent features of Octo Tempest's activity is its willingness to make direct personal threats of violence to bully victims into giving up their credentials. A sample threat reads as follows: "if we dont get ur [redacted] login in the next 20 minutes were sending a shooter to ur house ur wife is gonna get shot if u dont fold it lmk [redacted] well send shooters to both LOL."

Dave Bittner: It’s even worse in print than it is read aloud, and there’s a lot more than this. It’s not just the leetspeak, the LOLs when referring to shootings. These aren’t just misled kids. The Octo Tempest hoods are suffering from a bad case of Internet disinhibition.

Mirth Connect vulnerable to critical flaw.

Dave Bittner: SecurityWeek reports that Mirth Connect, an open-source data integration platform developed by NextGen HealthCare, is vulnerable to a flaw that could allow attackers to bypass protections for a critical-severity remote-code-execution flaw (CVE-2023-37679) that was patched in August. Researchers at Horizon3.ai discovered the new flaw, noting that it was fixed in version 4.4.1 of Mirth Connect. The researchers state, “We urge all users of Mirth Connect, especially instances that are Internet-facing, to prioritize updating to 4.4.1 ASAP.”

A look at a mercenary spyware strain.

Dave Bittner: Researchers at HYAS Labs have published an analysis of the Predator spyware developed by Cytrox. The researchers note that Sekoia earlier this month found evidence suggesting that the spyware may have been used by the Madagascar government.

Dave Bittner: Again, one of the recurrent concerns about spyware products, or lawful intercept tools, as they’re also called, is the perennial temptation to abuse by governments they represent.

“PepsiCo” used as phishbait.

Dave Bittner: INKY is tracking a phishing campaign that’s impersonating PepsiCo to deliver malware: “As usual, it all starts with a phishing email. In this case, the phishers are impersonating the PepsiCo brand, pretending to be potential clients. They are claiming to need what the recipient sells and they’re asking them to submit a quote for PepsiCo to review. What the would-be victim doesn’t know is that attached to the email is a malicious disk image, disguised as [an] RFQ,” that is, a request for quote.

Prebunking disinformation.

Dave Bittner: The US State Department is attempting to "prebunk" Russian disinformation campaigns, the New York Times reports, operating from the premise that disinformation is easier to discredit and refute before it begins to spread through amplification in legitimate and semi-legitimate channels. The effort works by identifying disinformation operations in their earliest phases, and by exposing the fronts and agents of influence before they can begin repeating their themes. Prebunking is part refutation (addressing the false claims on their merits) and part transparency (identifying the fronts and trolls as such before they gain traction).

Russian intelligence services' cyber operations in the hybrid war. 

Dave Bittner: ESET's APT Activity Report for the 2nd and 3rd quarter of 2023 matches unpatched vulnerabilities with government-sponsored offensive cyber operations. 

Dave Bittner: Unsurprisingly, Russian cyber activity retains its focus on Ukraine. The main Russian APT groups ESET tracks are Sandworm (operated by the GRU's Unit 74455, and also known as Voodoo Bear), Turla (associated with the FSB, and also known as Venomous Bear), Sednit (more familiarly known as Fancy Bear, and run by the GRU), and Gamaredon (an FSB operation, also known as Primitive Bear). 

Dave Bittner: ESET says that the greatest of these, from the Ukrainian perspective, is Gamaredon, "which significantly enhanced its data-collecting capabilities by redeveloping existing tools and deploying new ones."

Dave Bittner: The others aren’t to be dismissed, either. The French security agency ANSSI warned yesterday that Fancy Bear, APT28, or Sednit, whichever name you prefer, has succeeded in penetrating sensitive networks in France. The targeting is commonplace for an espionage campaign. Fancy Bear has been interested in government agencies, businesses, universities, research institutes, and think tanks.  

Russian hacktivist auxiliaries pester Australia for "Russophobia."

Dave Bittner: Cyber Daily reports that NoName057(16), specialists in nuisance-level distributed denial-of-service (DDoS) attacks, has put Australia on notice (NoName says) for its "Russophobic" contributions to Ukraine's war effort. The hacktivist auxiliary said it had hit sites belonging to Adelaide Bank’s netbank portal, the Transperth transport agency, the Administrative Appeals Tribunal’s online portal, and the Northern Territory Department of Infrastructure, Planning and Logistics.

Dave Bittner: The hacktivists' communique deplored Australia's decision to send a military aid package worth $12 million to Ukraine. The only effect the shipment will have, NoName said, will be to give the Russians more materiel to capture. And besides, it amounts to theft from the Australian taxpayers. “We are going to Australia for destroying (sic) portals of critical infrastructure!” It's an overstatement. Only the Transperth website sustained periodic and annoying disruption. The other three targets rode out the attack without much difficulty.

Quantum computing and law enforcement.

Dave Bittner: And, finally, Europol is urging its colleagues in law enforcement to think hard about the implications of quantum computing.

Dave Bittner: Europol's Innovation Lab has published a report, "The Second Quantum Revolution," in which it outlines the potential implications of the new technology for law enforcement. Greater computational power promises new cryptographic challenges and new sensing opportunities. The report represents preparatory work. It urges agencies to stay aware of developments in the new field, and it summarizes its recommendations under five headings: "Observe quantum trends," "Build up knowledge and start experimenting," "Foster research and development (R&D) project," "Assess the impact of quantum technologies on fundamental rights," and "Review your organisation's transition plans."

Dave Bittner: That is, of course, transition to the post-quantum future. And trust us, it’s not going to look like the quantum realm from Ant Man. 

Dave Bittner: Coming up after the break, Ben Yelin explains the FCC's renewed interest in net neutrality. Our guest is Wade Baker from the Cyentia Institute, with insights on measuring risk. Stick around. [ Music ] [ Music ] Wade Baker is co-founder of the Cyentia Institute and also a professor in the College of Business at Virginia Tech. Cyentia Institute recently published the latest edition of their information risk insight study, or IRIS reports, focusing on threat event analysis. I checked in with Wade Baker for the details.

Wade Baker: I've done a lot of studies in the information security space going back years. And I've always wanted to demonstrate how to quantify cyber losses. And I just haven't had the data to do it in the past. So I'm probably best known for starting and working on Verizon's data breach investigations report for a long time. And we had phenomenal information about how incidents occur and who's behind them and how assets are impacted and how organizations respond. But we never had what are the losses. You know, how do those events impact organizations long after the forensic investigation is gone? So the IRIS Series, Information Risk Insight Study, is all about, you know, what is the probability of an event? And how much do those events cost? And showing that you actually can come up with historically proven numbers on those kinds of things. And you don't have to make it all guesswork.

Dave Bittner: Hm. Well, let's dig into some of the findings from this year's version. What are some of the things that stood out to you?

Wade Baker: So there are quite a few things. And some of them are, I hate to say obvious because that sounds negative, but, you know, we get the opportunity to add data to some things that maybe we believe. And then, you know, in other cases, data overturns maybe what we believe. But just an example, you know, we do a lot about how industry and size of organizations impact the probability of different types of loss events and how much those events are. So, you know, what's probably not surprising is if you are a really large organization, you are much, much, much, much, much more likely to have a security incident than a really small organization, right? You have a bigger attack surface. You have brand recognition and maybe targeted attacks, all of those kinds of things. So, you know, that's one of those that's maybe not so incredibly obvious -- or sorry -- is pretty obvious. And then, you know, I think we have some other things that maybe less so. You know, what is the cost of a typical security incident? I think there's, you ask anybody, lots of different opinions on that. You know, we found that the median loss is about $260,000. And I get lots of different reactions when I say that. Some think that's, whoa, that's ridiculously low. How can that possibly be? Others think that's high. But, you know, we're talking about all types of security incidents here. The 95th percentile loss is much larger. That's $52 million. And I kind of think maybe that's part of the misconception is people think about the really big stuff that we hear about, the headlines, and forget about the sort of daily things that stack up but don't cost a huge amount.

Dave Bittner: Yeah. One of the challenges that I find for myself personally is taking those numbers and making them meaningful, you know. There are all these numbers thrown around. But how do I align that with my own organization, and how I should go about evaluating my own risk?

Wade Baker: A hundred percent. And, you know, I think that's a huge challenge because we hear of all of these reports of incidents occurring. And, you know, some terrible thing happens to another organization. And the obvious question is, hey, could that happen to us? And if so, what would that be like? And we try to tackle a few of those things in the report. One of the things that we do is, you know, we can measure losses objectively and say, hey, this was a $100 million loss. And what is the probability that any given organization experiences a $100 million loss? Okay. You can answer that. But we can also make that a little bit more relevant by looking at it as a proportion of revenue, you know, and asking the question, you know, what is the likelihood that a small organization will have a loss that equals 1%, 10%, you know, 100% of their revenue versus a large organization. And that is something that I think was a really important point in the latest IRIS is that smaller organizations are very disproportionately impacted by security events. In other words, it might be smaller amounts from a just straight dollars perspective. But as a proportion of their revenue, even menial events can be, you know, a quarter or much higher of their revenue. And that hurts a lot when you're a small company and margins are slim.

Dave Bittner: You know, as you gather your data here, are there any myths that you want to dispel here? You know, I think about sometimes I think folks call them zombie facts, you know. They're dead, but they keep on living. And we can't seem to shed them. Any things like that in your findings?

Wade Baker: There is one in particular that comes to mind as a myth. And I'm not going to name names here. But there is a study that is very often cited that gives a straight dollar per record as a means of quantifying losses around an event. So if you have, you know, it's $150 per record or $180 per record, and then you take the number of records that were compromised in an event, you multiply it by $150 and, voila, you know, that's how much the event cost. And we do some picking apart of that because it is just dead wrong. There is no such thing as a linear dollar per record loss. The data time and time again shows this. And there are much, much better, more accurate ways of estimating losses given something like the amount of data that was compromised rather than just multiplying by, you know, a single amount. And that's a myth that we have tried, you know, some say a little bit too hard, in these reports to dispel, but it still sticks around.

Dave Bittner: Hm. What do you hope people take away from this report in terms of actionable items?

Wade Baker: I am hoping that one, people will say that, hey, we can quantify risk and therefore better manage it. There's been a long-time argument over whether that's possible. And I think if you read the IRIS and look at what we've done, we've proven that you can actually do that. And then second, I hope that people look at some of this analysis and say, hey, I think we could benefit from this. I would like to have this to aid my decisions on, you know: Are we over at risk? What should we do about it? Which threats are more relevant to my organization? and those kinds of things. Because I really do think the time is far past in the management of cybersecurity that we take a more measured and risk-oriented approach. We always preach that. But very few people get beyond sort of the high-, medium-, low-type buckets applied to risk and realize that we can do this. And the outcomes are going to be better.

Dave Bittner: That's Wade Baker from the Cyentia Institute. The report is IRIS Threat Event Analysis. [ Music ] And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the "Caveat" podcast. Ben, welcome back.

Ben Yelin: Good to be with you, Dave.

Dave Bittner: Interesting story you and I talked about on this week's "Caveat" about how the FCC, thanks to having an additional member on their board, is able to make a move here with net neutrality. What's going on here, Ben?

Ben Yelin: So we finally have a Democratic majority on the FCC. The newest nominee from President Biden was just confirmed recently by the Senate. Back in 2015, the Obama administration initiated a rulemaking process that led to net neutrality. Basically, the idea here is reclassifying broadband as a telecommunication service. That allows the FCC to regulate internet service providers and make sure that they are not throttling companies who want to have -- want to use greater bandwidth, so things like Netflix and other streaming services. That's the point of maintaining that neutrality so this doesn't become kind of a fee-for-service jungle where the main providers, the Verizons, the AT&Ts of the world, are auctioning off this broadband space to the highest bidder. The Trump administration came in in 2017 under the leadership of Ajit Pai. They got their own majority on the FCC. And they reversed Obama-era net neutrality rules. Basically, their rationalization then is that this was a 1930s-style regulation on the open internet. That we should be fostering an open marketplace to the extent possible. And that this won't lead to the sort of parade of horribles that you would hear about in warnings in 2017: That we're going to lose our open internet. That net neutrality is going to cut against all the principles that make the internet great. In defense of Ajit Pai and his majority, I mean, we really haven't seen those types of impacts over the past several years. As far as we can tell, the internet is in pretty good shape. Streaming services work well without the need for this kind of heavy-handed federal government regulation. But the Biden administration is interested in reviving these Obama-era rules. So they're going through the rulemaking process right now. They're on the notice of proposed rulemaking stage. I'm sure industry is going to weigh in. The final rule will probably be published sometime in January or February. And then I think we can expect a lot of lawsuits that are challenging the statutory authority for the FCC to take this action and then possibly some constitutional issues as well. So, certainly, this is just the beginning of the story. And we'll have to see what happens with both the rulemaking process and the almost certain court cases that we're going to see.

Dave Bittner: Yeah. You know, I think it's fair to say one thing that industry hates is uncertainty. And with this swinging back and forth, you've got, you know, Obama puts this in play, Trump takes it out of play, Biden puts it back into play, you, know, it's easy to see perhaps if we get a Republican president, it goes back out of play. And how long can that go on?

Ben Yelin: Yeah, I mean, there are other areas of policy that go like this, where you just ping-pong based on presidential administrations. The long-running one is something called the Mexico City policy, which is about prohibiting any sort of foreign aid going to governments around the world that promote reproductive health and abortion services. January 20th, every time there's a new administration, when it's the Democrats, they reverse the Mexico City policy. When it's the Republicans, they reinstate it.

Dave Bittner: Interesting.

Ben Yelin: And I'm wondering if net neutrality is going to be one of those principles where the Democrats, or the Democratic members of the FCC, are so committed to this principle, they think that the regulation that was instituted in 2015 under Obama was necessary not just to maintain a free internet, but also giving the FCC more authority to protect national security on our broadband networks, implementing cybersecurity standards. And then the Republican members see this as heavy-handed federal regulation that actually plays no role in maintaining a free and open internet. So yeah, I think we could see this kind of ping-pong back and forth through presidential administrations. And I know that's frustrating for the industry because, as you said, they rely on certainty.

Dave Bittner: Yeah. This article points out that for sure, we're probably going to see lawsuits from industry once the rulemaking is done, that those lawsuits are inevitable.

Ben Yelin: I think they're absolutely inevitable. The legal challenges will come on day one when this is published in the Federal Register. I think the companies have obviously a large stake in net neutrality rules. I think there's certainly profit potential in a less regulated industry for companies like Verizon, AT&T, et cetera. But yeah, I think there's no doubt that we're going to see litigation.

Dave Bittner: All right. Well, we'll keep an eye on it here. An interesting move. Ben Yelin, thanks for joining us.

Ben Yelin: Thank you. [ Music ] [ Music ]

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's "Research Saturday" and my conversation with Danny Adamitis from Lumen's Black Lotus Labs. We're discussing "No Rest for the Wicked: HiatusRAT Takes Little Time Off in a Return to Action." That's "Research Saturday." Check it out. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.