Hacktivism in two hybrid wars (with an excursus on gastropods).
Dave Bittner: The Hamas-Israel war continues to be marked by hacktivism. Arid Viper's exploitation of Arabic speakers' Android devices. Iran shows improved cyberespionage capabilities. A URL shortener in the C2C market. Taking down the Mozi botnet. Ransomware in healthcare. Two Russians are arrested on treason charges, accused of hacking for Ukraine. In our sponsored Industry Voices segment, Anna Belak from Sysdig shares a new threat framework for the cloud. Rick Howard previews his new online course on cyber security first principles. And no, Russia hasn’t really replaced its currency with Arctic Ocean gastropods.
Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Wednesday, November 1st, 2023.
The Hamas-Israel war continues to be marked by hacktivism.
Dave Bittner: We begin with a look at some of the cyber activity surrounding the war between Hamas and Israel.
Dave Bittner: Hacktivists on both sides continue nuisance-level engagement with targets in Israel and Gaza. C4ISRNet writes, "Such attacks are relatively unsophisticated and have little consequence on national security operations, experts said. While a vandalized website can disconcert the public, it likely does not sidetrack military operations." The outlines of the cyber phases of the current war remain unclear, but IT-Online has a useful table of known hacktivist groups on both sides, with their allegiance and specialties listed. They’re geographically widely scattered. A few of them, like Anonymous Sudan, which is a Russian front group, are state run, but so far this war is unusual for the prominence of true hacktivists.
Arid Viper's exploitation of Arabic speakers' Android devices.
Dave Bittner: Cisco Talos yesterday published a report on recent activity by Arid Viper, the espionage group based in Gaza and generally held to be affiliated with Hamas. The campaign socially engineers its targets to install malicious software masquerading as an update for the otherwise legitimate dating app Skipped. There's enough overlap in code with Skipped to suggest, Cisco Talos says, "the Arid Viper operators are either linked to Skipped’s developer or somehow gained illicit access to the shared project’s database." Once installed, the spyware disables security notifications, collects and exfiltrates a wide range of sensitive information, and establishes a backdoor for installation of other malware on the device.
Dave Bittner: Despite Arid Viper's association with Hamas, Cisco Talos is agnostic as to whether the cyberespionage campaign is related to the current war with Israel. The operation seems to antedate last month's Hamas attack by some months; the researchers say it was active during 2022.
Iran shows improved cyberespionage capabilities.
Dave Bittner: A sponsor and ally of Hamas, Iran has shown a recent increase in its cyberespionage capabilities. The New York Times reports that Tehran has mounted ongoing cyberespionage campaigns against regional rivals, especially Israel, but also Saudi Arabia and Jordan. The campaigns' primary goal, according to Check Point research the Times cites, appears to be espionage, with the secondary purpose of battlespace preparation for possible future disabling cyberattacks.
Dave Bittner: The FBI, the Record reports, is on alert for increased Iranian cyberespionage.
A URL shortener in the C2C market.
Dave Bittner: Infoblox describes “Prolific Puma,” a threat actor that provides a URL shortening service to cybercriminals: “They create domain names with an RDGA and use these domains to provide a link shortening service to other malicious actors, helping them evade detection while they distribute phishing, scams, and malware.”
Dave Bittner: The researchers note, “Prolific Puma has registered thousands of domains in the usTLD since May 2023. This is remarkable because, according to the usTLD Nexus Requirements Policy, only U.S. citizens, or U.S.-affiliated businesses are eligible to register domains in it. Moreover, the usTLD requires transparency; no domain names may be registered privately. As a result, the email address, name, street address, and phone number associated with the domain are publicly available. While this might seem a likely deterrent to crime, it has not been effective; the usTLD is well-known for abuse.”
Dave Bittner: Why do the crooks like shortened URLs? It makes it a little tougher for alert users to see where that link is actually going to carry them.
Taking down the Mozi botnet.
Dave Bittner: ESET has published an analysis of the August 2023 disruption of the Mozi botnet, noting that the botnet contained a kill switch that was targeted by an unknown operator: “We spotted the control payload (configuration file) inside a user datagram protocol (UDP) message that was missing the typical encapsulation of BitTorrent’s distributed sloppy hash table (BT-DHT) protocol. The person behind the takedown sent the control payload eight times, each time instructing the bot to download and install an update of itself via HTTP.”
Dave Bittner: The researchers add that the kill switch was likely added by Mozi’s developers themselves: “This leads us to the hypothesis suggesting two potential originators of this takedown: the Mozi botnet creators, or Chinese law enforcement forcing the cooperation of the creators. The sequential targeting of bots in India and then in China suggests that the takedown was carried out deliberately, with one country targeted first and the other a week later.”
Ransomware in healthcare.
Dave Bittner: Sophos has published a report looking at ransomware in the healthcare industry, finding that attackers succeeded in encrypting data in nearly three-quarters of attacks: “This is the highest rate of encryption in the past three years and a significant increase from the 61% of healthcare organizations that reported having their data encrypted last year.” In 37% of successful attacks, the criminals also stole data. Compromised credentials were the most common root cause of ransomware attacks in the sector.
Dave Bittner: The researchers also found that “[h]ealthcare organizations are now taking longer to recover, with 47% recovering in a week, compared to 54% last year.” Additionally, the report notes, “The number of healthcare organizations surveyed that paid ransom payments declined from 61% last year to 42% this year. This is lower than the cross-sector average of 46%.”
Two Russians arrested on treason charges, accused of hacking for Ukraine.
Dave Bittner: Two men in Russia have been arrested on charges of treason in connection with hacking incidents. They're accused of participating in cyberattacks against Russian targets. Both men were computer scientists, and both were arrested in Siberia (they're from Tomsk and Kuzbass). The FSB, which has them in custody, hasn't said whether the two men's activities were related. Both are charged under Article 275 of the Criminal Code of the Russian Federation (that is, with "high treason in the form of providing assistance to a foreign state or foreign organization") and face sentences upon conviction of twenty years to life. Kommersant reports that the FSB says both men were working under the direction of Ukrainian intelligence services.
Ukrainian hacktivist auxiliaries deface Russian payments website.
Dave Bittner: The Record reports that Ukrainian hacktivist auxiliaries associated with DumpForums and the Ukrainian Cyber Alliance defaced the website of NSPK, the Russian-government-operated paycard system. They also claim to have taken some 30 Gigabytes of data from the system, and have posted a screenshot of a folder as evidence of their success. That, of course, is far from a conclusive proof-of-hack.
Dave Bittner: NSPK confirmed to TASS that its website had been defaced, but denied that any data had been compromised. The bank said that the "Mir" [meer] payment system itself was uncompromised. All user data, says NSPK, are safe. NSPK explains that the defaced website was run by a third-party contractor, and that therefore the attackers had no ability to pivot into sensitive data. Maybe, but third-party responsibility is no more proof-of-security than a screenshot of a folder is proof-of-hack.
Dave Bittner: Mir, whose name has the double meaning of "world" and "peace," was established to bucket along as a domestic alternative to Western payment systems like Visa and Mastercard. Since the invasion of Ukraine, sanctions have left Russians on thin financial services ice, and Mir is intended to give them a reliably accessible payment method. It's not much good for foreign travel, unless you're traveling to Belarus, Cuba, or Venezuela, in which case you might be able to use your charge-a-plate in Minsk, or Havana, or Caracas, if you found something you wanted to buy.
Dave Bittner: The message DumpForums put on the NSPK site announces that Russia has left the ruble zone, and has adopted cowrie shells as its currency, provisionally, until it can upgrade its currency with sea snails from the Arctic Ocean. The authors are satirists, of course. Russia’s central bank isn’t really going on the gastropod standard.
Dave Bittner: Coming up after the break, Anna Belak, Director of the Office of Cybersecurity Strategy at Sysdig, shares a new threat framework for the cloud. Rick Howard previews his new online course on cybersecurity first principles. Stick around. [ Music ] Anna Belak is Director of the Office of Cybersecurity Strategy at Sysdig. In this sponsored Industry Voices segment, I speak with her about a new threat framework for the cloud.
Anna Belak: To be honest, I think we find them all over the place. You know, some folks are just getting started, even though it feels like cloud's been around forever. Some folks were the pioneers, and so they are actually incredibly mature and they're doing very, very complex things at massive scale in cloud. Our customers tend to veer more to the higher maturity side because they've been adopting containers and DevOps and Kubernetes for, in some cases, almost a decade now, but we see all kinds of folks, and the migration continues, sort of, and probably will continue for the next, I don't know, decade or two.
Dave Bittner: And I know you and your colleagues there at Sysdig are advocating for a new mindset when it comes to cloud security. What exactly are you all pursuing here?
Anna Belak: Yeah, so we are into embracing the cloud way of operating in the cloud, which sounds obvious, but like, one of the biggest mistakes that organizations make when they move to cloud is they take their on-premise mindset and habits and operating models with them and then they try to operate that way in the cloud, which doesn't really work, and there's lots of reasons why it doesn't work, but one of them is actually you're failing to take advantage of the programmability of the cloud infrastructure, right? So you're able to do everything as code, you're able to do all of it on demand, scaling, for example, and you're able to create these environments that are basically built for purpose and then disappear very quickly when they're no longer needed. That's really powerful, but it creates some interesting problems for security. So one of the things that Sysdig is the most known for perhaps is threat detection in modern environments. So when you're talking about deploying applications built in containers, for example, one issue is that those containers live for less than five minutes on average. So that workload can come and go and you may have never seen it in any of your legacy tooling. So we're trying to provide tooling and then help people build process around tooling that is able to deal with those kinds of scenarios.
Dave Bittner: Well, you're promoting a new benchmark here. You call it the "555 benchmark." What exactly does that entail?
Anna Belak: Yes, people love benchmarks, of course. Our threat research team is constantly watching what we call the "threat landscape," so they are seeing what the bad guys are doing in the cloud because that lets us create the best kind of content, I mean, detection content, to protect our customers, right? And so what -- one of the things that we reported in our most recent threat report is that the average length of an attack is about 10 minutes, so that's 10 minutes from when an attacker finds your exposed environment, like from when an attacker finds you, to when they're able to do damage to your systems, and that's incredibly short, right? Like, for reference, we know that Mandiant reports a dwell time of about 16 days, which means that's how long the attacker is in your environment, typically on premise, until you discover them, and there are all kinds of other data points that are on the range of minutes, hours, days, or sometimes weeks and months for how long attackers hang around. So in cloud, they don't hang around much. They come in, they do a bunch of things, and then they're out in 10 minutes, having potentially stolen something or taking something down or caused some other kinds of damage.
Dave Bittner: Well, let's unpack this 555. What does that represent?
Anna Belak: Yeah, so 555 is inspired by the 10-minute timeframe because what we're seeing, basically, is attackers are accelerating what they're doing, in part because they leverage the benefits of cloud that I mentioned earlier, right? They use a ton of automation. They use scripting. They actually leverage the cloud services and abuse the cloud services, and they abuse things like CloudFormation, or Terraform, that we all use for building code infrastructure. So 555 basically says that if you are able to detect all of the necessary signals within five seconds, if you're able to correlate them to each other so that you can triage what's really going on, because one signal is usually not enough information, and security, you need a lot of context to know that something is really scary rather than just like some mundane admin activity, and then five minutes to begin incident response.
Dave Bittner: This sounds to me like a high-velocity operation here. Are we talking about leaning on a good bit of automation?
Anna Belak: Yes, exactly. Automation is going to play a key role. Obviously, you can't automate everything. Our argument is that the cloud allows you to automate a lot, right? You have access to all of the API-based infrastructure now. You have access to a lot of modern tools that are built around sort of version-controlled systems and the DevOps workflows, and so you're able to actually, for example, describe your entire infrastructure, applications, workloads, everything, configuration around them in code and then you can store that code in a repository. You can very quickly deploy that, or redeploy that should it come down, in case there's an incident. So on the one hand, things like down time that were a huge concern when we were responding to incidents on premise, that can be less of a concern because it's much more straightforward to bring an environment back, and you're much more likely to actually get it back in the same state that it was originally running in. I will say that when we talk about incident response and automation of incident response, a lot of people recoil in horror because there's always the fear that you're going to, like, irreparably break something, and many elements of that process have to be manual, right? Like, you have to go and call certain people into the room. You have to have these conversations because you have -- you could have potentially huge business impact to what you're doing, but the point is that if you automate away the simple stuff, the stuff that is, you know, definitely automatable, right? Like, there's no reason why cryptominers should be running in AWS instances or any cloud instances, right? Because, like, why? It's ridiculous. So if you automate away the simple stuff, then it gives you a lot more time and breathing room to deal with the more complex manual stuff that will always be there.
Dave Bittner: So for organizations that find themselves in regulatory regimes, and I'm thinking of, you know, particularly we've seen increased scrutiny from the SEC, for example, how does this align with those realities?
Anna Belak: It's a great question. It's a very timely question and it kind of made our work on this framework all the more relevant, sort of an accident. And yeah, so the SEC has -- they've actually been speaking about this for a while, but they, you know, published their disclosures about incident response, that you have to disclose the material incident within four days, and we know that four days in the grand scheme of how long it usually takes folks to identify that they've been breached is just very short, right? Like, I think the IBM report numbers are on the order of 200-some days, is how long it usually takes. So four days is very fast. Basically, from where we sit, I don't know how you can disclose a material breach within four days if you don't have an incident response team that is able to react on the timescales that we're talking about. So again, 10 minutes sounds fast, but when you got to tell the SEC in four days, 10 minutes seems like it's not that fast after all.
Dave Bittner: That's Anna Belak, Director of the Office of Cybersecurity Strategy at Sysdig. [ Music ] It is always my pleasure to welcome back to the show Rick Howard. He is the CyberWire's Chief Security Officer, also our Chief Analyst. Rick, welcome back.
Rick Howard: Hey, Dave.
Dave Bittner: So you have been doing the CSO Perspectives podcast now for a little over three years, and I was doing some quick back-of-the-envelope math, that's 14 seasons, 124 episodes. You're catching up on me, Rick, when it comes to --
Rick Howard: You're so far ahead of me, Dave.
Dave Bittner: Content, but you've been mostly concentrating on this notion of cybersecurity first principles, and I've been talking to you about that idea before you joined the CyberWire, but for the uninitiated, what are we talking about here with first principles?
Rick Howard: Well, I've been doing this cybersecurity thing for, you know, a long time, some 30 years now, and about five years ago, I started to get this nagging feeling at the back of my neck that maybe all the best practices that the InfoSec community has collected over the last, say, three decades, and even before that, like, you know, the CIA triad and malicious tool prevention, incident response, the NIST cybersecurity framework, and, you know, just compliance in general, haven't really slowed down cybercriminals, cyber spies, or cyber hacktivists at all. And I'm not saying that these best practices are not good things to do. I'm just saying that perhaps as a community we haven't totally discovered the essence of the problem. With the CSO Perspectives podcast, I was able to spend some time unearthing the edges of what exactly that might be.
Dave Bittner: So when you say "essence of the problem," is that what a first principle is?
Rick Howard: Yeah, the idea of first principles has been around since, you know, the beginning of scientific thought. I mean, all the way back to Aristotle and Descartes. They wrote about how in order to solve some mind-numbingly complex problems, you had to reduce it down to its atomic elements, something that everybody in the field could agree, what's the thing that we were all trying to solve and then work your way back from there. Modern-day big thinkers like, you know, Reed Hastings, who, as the Netflix CEO, revolutionized how we all consume movies, used first principle thinking to do it, and our hero Elon Musk is the CEO of SpaceX. He used first principle thinking to design reusable spacecraft.
Dave Bittner: All right, well, you started thinking about that. What was the absolute cybersecurity first principle?
Rick Howard: Right, we explored these ideas on the CSO Perspectives podcast, and after about two years of that, I realized that we had enough material and solidified the idea enough that we published a book on the subject.
Dave Bittner: And I should say the book is called "Cybersecurity First Principles" -- very original, Rick -- "A Reboot of Strategy and Tactics." So let's get down to brass tacks here. I mean, what is the absolute cybersecurity first principle?
Rick Howard: Jeez, Dave, go right for the spoiler, okay? Jeez. So in the book, I make the case that this is the atomic first principle that all of us should pursue. Here it is. Reduce the probability of material impact due to a cyber event in the next, say, three to five years.
Dave Bittner: Okay. Well, the good news for us is that our colleagues over on the N2K training side of the business have just created a course that is dedicated to this very idea.
Rick Howard: Yeah, that's right, and we're all very proud of it. It's an on-demand course featuring me, yours truly, as the instructor, and I make the case as to why I think that's the absolute first principle and then go over the follow-on strategies that you might pursue to achieve it, things like zero trust, automation, resilience, intrusion kill chain prevention, and risk forecasting.
Dave Bittner: Where can we go get more information about the course?
Rick Howard: All right, so this is a kind of a crazy URL, but here it is, www.n2k.com/first-principles-preview. So that --
Dave Bittner: Well, maybe just go -- maybe just go to the website and search for it.
Rick Howard: Yeah, maybe that would be better.
Dave Bittner: All right. Well, I am looking forward to checking it out myself here. I know we've seen lots of folks have had just excellent reviews of the books, you know, people saying that you really crystallize their thoughts that, you know, after decades of being in the industry, this was one of the first times that they've seen someone sort of encapsulate what they were thinking, so --
Rick Howard: Thank you. I appreciate you saying that. I think I did, but, you know, you never know how crazy I might be, so please read the book and let me know what you think.
Dave Bittner: Well, I know how crazy you are and I'm friends with you anyway, so --
Rick Howard: Thank you, Dave. I appreciate that.
Dave Bittner: I encourage everyone to, first of all, check out the book. It is a good read. But then also, check out the course. You can do that over at n2k.com. Rick Howard, thanks so much for joining us. [ Music ] And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at email@example.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. [ Music ]