The CyberWire Daily Podcast 11.9.23
Ep 1945 | 11.9.23

Shields Ready for attacks against critical infrastructure. These may be indiscriminate, and they may be opportunistic.

Transcript

Dave Bittner: CISA, FEMA, and Shields Ready. Ransomware operators exploit 3rd-party tools. A Bittrex bankruptcy phishing campaign. Spammers abuse Google Forms quizzes. Imperial Kitten in action against Israeli targets. Iranian cyberattacks against Israel are called "reactive and opportunistic." In our sponsored Industry Voices segment, Adam Bateman from Push Security outlines how attackers are targeting cloud identities. Luke Vander Linden from RH-ISAC speaks with Target's Ryan Miller and Leah Schwartzman about the evolving fraud landscape retailers are facing with the holidays approaching. And Sandworm and Ukraine's power grid: 2022 attacks may foreshadow the winter of 2023 and 2024.

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Thursday, November 9th, 2023.

CISA, FEMA, and Shields Ready.

Dave Bittner: This week the US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Emergency Management Agency (FEMA) launched Shields Ready, “a sustained national campaign to increase the security and resilience of America’s critical infrastructure.” Shields Ready complements CISA’s “Shields Up” campaign. According to FEMA, “Shields Ready focuses more broadly and strategically on how to prepare critical infrastructure for a potential disruption and how to build more resilience into systems, facilities and processes by taking action before a crisis or incident even occurs.”

Dave Bittner: The approach encourages critical infrastructure operators to focus on things they can do to drive down risk:

Dave Bittner: First, “Identify Critical Assets and Map Dependencies: Determine the systems that are critical for ongoing business operations and map out their key dependencies on technology, vendors, and supply chains.”

Dave Bittner: Next, “Assess Risks: Consider the full range of threats that could disrupt these critical systems and the specific impacts such threats could pose to continuity of operations.”

Dave Bittner: Third, “Plan and Exercise: Develop incident response and recovery plans to reduce the impact of these threats to critical systems and conduct regular exercises under realistic conditions to ensure the ability to rapidly restore operations with minimal downtime.”

Dave Bittner: And, finally, “Adapt and Improve: Periodically evaluate and update response and recovery plans based on the results of exercises, real-world incidents and an ongoing assessment of the threat environment.”

Dave Bittner: Threats to critical infrastructure aren’t purely theoretical risks. A bit later we’ll see how they’ve played out in one of the hybrid wars currently troubling an unhappy world.

Ransomware operators exploit 3rd-party tools.

Dave Bittner: The FBI has issued a Private Industry Notification outlining recent trends in ransomware attacks, specifically “ransomware actors exploiting vulnerabilities in vendor-controlled remote access to casino servers, and companies victimized through legitimate system management tools to elevate network permissions.”

Dave Bittner: The Bureau says, “The FBI continues to track reporting of third-party vendors and services as an attack vector for ransomware incidents. Between 2022 and 2023, the FBI noted ransomware attacks compromising casinos through third-party gaming vendors. The attacks frequently targeted small and tribal casinos, encrypting servers and the personally identifying information (PII) of employees and patrons.”

Bittrex bankruptcy phishing campaign.

Dave Bittner: Scammers are using the bankruptcy of the crypto trading platform Bittrex as phishbait, Abnormal Security warns. The phishing emails targeted former customers of Bittrex, informing them that they still have more than $1,000 stored on the platform that they’ll need to withdraw before Bittrex shuts down. The researchers think the timing of the phishing campaign was no accident. The bankruptcy court approved Bittrex’s requests to shut down its US operations on Monday, October 30. That action and that date were foreseeable, and probably appeared in the court docket. Crooks can read dockets as well as anyone, and they probably used that information to determine that October 23 was the best day to begin their criminal campaign. As always, fear, uncertainty, dread, and urgency make the best chum for phishing.

Spammers abuse Google Forms quizzes.

Dave Bittner: In another case of phishing, Cisco Talos researchers report a spike in the abuse of the "release results" feature of Google Forms quizzes. It's a way of getting spam sent from trusted Google servers, and so increasing the likelihood that the spam message will find its way through many screens and filters that would have otherwise flagged it as suspect. Here the chum is trust.

Imperial Kitten in action against Israeli targets.

Dave Bittner: Turning to the hybrid war in Israel and Gaza, CrowdStrike describes a series of cyberattacks that targeted Israeli organizations in the transportation, logistics, and technology sectors last month.

Dave Bittner: CrowdStrike’s researchers attribute the campaign to the Iran-aligned threat actor IMPERIAL KITTEN. IMPERIAL KITTEN is believed to be associated with Iran’s Islamic Revolutionary Guard Corps (IRGC), and “likely fulfills Iranian strategic intelligence requirements associated with IRGC operations.” In this case, IMPERIAL KITTEN used spearphishing emails to deliver several strains of malware via malicious Excel documents, including IMAPLoader and StandardKeyboard.

Iranian cyberattacks against Israel have been "reactive and opportunistic."

Dave Bittner: That Tehran supports Hamas, and that Iran acts against Israel in cyberspace, is beyond dispute. But support, a coincidence of interests, and even sponsorship, don't guarantee or amount to coordination in cyberspace. A study by Microsoft finds that Iranian cyberattacks against Israeli targets have been "reactive and opportunistic," not forming part of an integrated campaign developed in cooperation with Hamas.

Dave Bittner: There have been many suggestions, in the media and elsewhere, that Iran's government was involved with the planning and even execution of Hamas's attacks on October 7th. At least insofar as cyber support for the operation is concerned, that seems not to have been the case. "Microsoft does not see any evidence suggesting Iranian groups (IRGC and MOIS) had coordinated, pre-planned cyberattacks aligned to Hamas’ plans and the start of the Israel-Hamas war on October 7." In fact, Iranian operators took a week-and-a-half before they began cyberattacks that can be construed as support for Hamas. "Observations from Microsoft telemetry suggest that, at least in the cyber domain, Iranian operators have largely been reactive since the war began, exploiting opportunities to try and take advantage of events on the ground as they unfold. It took 11 days from the start of the ground conflict before Microsoft saw Iran enter the war in the cyber domain."

Dave Bittner: Redmond also notes that Iran has remained true to its familiar playbook, which always includes influence in its calculus of effects. "Microsoft observes Iranian operators continuing to employ their tried-and-true tactics, notably exaggerating the success of their computer network attacks and amplifying those claims and activities via a well-integrated deployment of information operations. This is essentially creating online propaganda seeking to inflate the notoriety and impact of opportunistic attacks, in an effort to increase their effects."

Sandworm and Ukraine's power grid: 2022 attacks.

Dave Bittner: Finally, Mandiant has released a study of Sandworm's cyberattacks against Ukraine's electrical power grid last year. Sandworm, also known as Voodoo Bear, is a threat actor operated by the GRU's Unit 74455.

Dave Bittner: "While we were unable to identify the initial access vector into the IT environment," Mandiant wrote, "Sandworm gained access to the OT environment through a hypervisor that hosted a supervisory control and data acquisition (SCADA) management instance for the victim’s substation environment. Based on evidence of lateral movement, the attacker potentially had access to the SCADA system for up to three months." Those three months of preparation culminated, on October 10th, 2022, in the exploitation of end-of-life Hitachi Energy MicroSCADA control systems that brought the affected systems under Sandworm control, and which enabled the attackers to issue commands that tripped breakers in electrical power distribution substations. Two days later Sandworm deployed a new variant of CaddyWiper (discovered in Ukraine the previous March by ESET) which served both to damage the associated IT networks and to obscure its own operations. The attack was marked by living-off-the-land techniques, significant because they "decreased the time and resources required to conduct a cyber physical attack," and because they reduced the likelihood of detection.

Dave Bittner: The Russian campaign stands out for several reasons. First, it was a successful attack against a widely deployed OT system. Such attacks have been rare, and have proven difficult to execute. Second, the cyberattacks coincided with a kinetic Russian missile campaign designed to cripple Ukrainian infrastructure as winter approached. Such coordination of cyberattack into a combined arms operation has also been rare, and difficult for Russian forces to achieve. Third, the attack showed both careful preparation and an ability to develop offensive tools quickly. And, finally, the attack showed what Russia is likely to attempt in its infrastructure disruption campaign during the winter of 2023 and 2024.

Dave Bittner: And, of course, there’s no reason to think any campaign against infrastructure will be entirely confined to Ukraine. Russia’s cyber auxiliaries have shown a willingness to pester any country they perceive as sympathetic to Ukraine, and there’s no reason to assume that the GRU’s regulars will constrain their operations to the combat zone proper. No reason to panic, but, as CISA would say, Shields Up, and Shields Ready.

Dave Bittner: Coming up after the break, Adam Bateman from Push Security outlines how attackers are targeting cloud identities. Luke Vander Linden from the RH-ISAC speaks with Target's Ryan Miller and Leah Schwartzman about the evolving fraud landscape retailers are facing with the holidays approaching. Stay with us. [ Music ] We've seen an uptick in attacks against organizations in the cloud, with notable targets like MGM, 23andMe, and even Okta themselves. Adam Bateman is cofounder and CEO at Push Security. And in this sponsored Industry Insight segment, he explains how attackers are targeting cloud identities and what it means for the industry.

Adam Bateman: We talk a lot about the identity perimeter, which has become a very, very hot topic, which is really -- identity is really online accounts, but anywhere that's Internet facing. And that's now the new company attack surface. And attacks here, they've really been happening for quite a long time. But because of the fact that awareness of these sorts of attacks and detection capability for these types of attacks have not been, you know, as strong as they are in other places, been happening a little bit more under the radar. And I think much more recently, even in the last three months, we've seen a real spike in much more publicly-facing kind of attacks, things that have happened. So we saw obviously MGM Resorts and recently saw retail -- the automation application -- even Okta themselves. There's not much detail around that, but it looks like it was a targeted attack against a support system, which, you know, could well be SaaS, and different things like that. So we've noticed attackers really trending in this direction and targeting not just SaaS applications and using the information inside those SaaS applications to gain deeper access into company networks, but also targeting just directly the SSO logins themselves. Which, once you gain access to them, gives you downstream access to all the company's most sensitive applications behind that.

Dave Bittner: Can you walk us through how these attacks are typically carried out?

Adam Bateman: Yeah, sure. I mean, for the most part, it's not to do with vulnerabilities in the platforms themselves. It's not an exploit against a patchable bug that's happening in a SaaS application or an SSO provider. Even though these things do happen, the ones that have been, you know, more grabbing the headlines have just been attacks that result in the attacker logging in. So social engineering, phishing, the classic things that you've seen, but also password-based attacks like credential stuffing or brute force attacks in passwords. And I think in the last part, we recently saw the breach against 23andMe, which obviously had sensitive information on lots of individuals. In the attack there, the attacker took a leaked password from a prior breach and just sprayed that across all the different accounts against 23andMe and managed to gain access to those attacks over time. But that was against B2C apps, so it hit the headlines because of personal data and because it was a massive account compromise. But exactly the same is possible for any B2B app. Arguably, it's kind of more high impact against a B2B app. Because with a B2C app, you're in a position where the vendor host that but each person or each individual has their own account with their own data in it. And so in order for you to get access to lots of data, you need to compromise lots of accounts. With a B2B app, generally speaking, the company has a tenant. And so for the attacker doing that kind of password-based attack, you only actually often need one valid account and you gain access to the entire tenant. Sure there are different access levels in it, you could be admin or not. But generally speaking, if your goal is to get access to sensitive data, you can stop once you get access to one credential and then you can use that from there. And so those sorts of attacks are super easy to conduct.

Dave Bittner: Well, what are your recommendations then? I mean, how can defenders best protect themselves against this?

Adam Bateman: For the industry in general, I think it's important to recognize that this is kind of an era change. I talk about this quite a lot. I think the first era change was when people said the perimeter is dead. And really what they meant was it marking the change between attackers targeting your traditional infrastructure perimeter through to then instead targeting endpoints. And we're now in a position where people have, you know, the new phrases, identities of a new perimeter, and that's marking the shift from attackers shifting from endpoints to attacking the cloud. And so at the moment, all of the effort has gone into network and endpoint monitoring. And defensive controls for this particular era is just much thinner, which is why we're seeing attackers go there. And the attacks are much less understood. So as an industry, we really need to start paying attention to this. Like we have pushed doing a lot of research and pushing out all the novel ways that we're seeing these attacks can happen to help open and shine a light on this so that people can be prepared. But I think the other thing is that actually it lowers the barrier to entry for these adversaries. Now, I'm not saying by any means that these attackers aren't skilled. They are very, very skilled. But what I mean is, if I was going to go and attack a company, you know, like I did in my red team days, you used to have to go to a lot of effort to set up custom command-and-control server and then, you know, set up clever malware that you could use which would evade EDR and, you know, clever ways to tunnel traffic back up the network. You need to understand a lot. And if you're already advanced, you need to write custom exploits and understand about Windows internals and those sorts of things. And the thing is about these SaaS-based attacks is really what you need is very, very good SysAdmin skills and the ability to think outside the box.
I mean, the attacks are novel, but you're not sort of going deep into the Windows kernel to make them happen, right. It's phishing, social engineering, password attacks, and then knowing how to configure and leverage the functionality of these applications you go in. So I think really the lack of understanding in the industry, plus the lowering of the barrier to entry is a recipe, it's something that we need to pay attention to. I think, finally, the attacks will become opportunistic. If you think about things like credential stuffing against 23andMe, you'll find that more companies will just get caught in the crossfire. It became rather than being targeted, you can just sort of spray across lots of people's log-in page or lots of people's SaaS applications to see what you find. And then once you've gained access, you can go deeper into the network there. So the industry I think it's just an area that we need to continue to focus on and help develop our understanding of this area. And technical controls, I mean, all these novel attacks are interesting. But most of our customers are finding the most value from our platform at least and the data that we're seeing because of the fact that they know how to configure their identities so they're secure with unphishable MFA and with strong passwords and everything else. But they sort of think they're in a secure state but they're not. So often they'll deploy the platform and will just suddenly go, oh, wow, because of this configuration error or because someone had just disabled a control temporarily for testing or for compatibility, that actually there's an exposure. And so I think one thing is just really understand the state of the current identities. You know, make sure they are at the right level of control. And really what you want to be aiming for is MFA, but phishing-resistant MFA.
So hardware-based if you can and if you can afford it, both in terms of, you know, the cost required to implement that but also the time, and making sure that people are continually trained around sort of social engineering attacks. And finally I would say in terms of technical controls, to extend detection and response that we do on the network world into the SaaS world, and make sure that we're actually able to discover and get visibility into attacks that are happening there.

Dave Bittner: That's Adam Bateman, cofounder and CEO at Push Security. [ Music ] Luke Vander Linden is host of the RH-ISAC podcast. And in his most recent episode, he spoke with Target's Ryan Miller and Leah Schwartzman about the evolving fraud landscape retailers are facing with the holidays approaching.

Luke Vander Linden: We are joined by two members of Target's cybersecurity team, Ryan Miller and Leah Schwartzman. Can you talk to us a little bit about the evolving fraud landscape that retailers are facing these days?

Leah Schwartzman: Yeah. So I'm sure a lot of people have heard on news, we're seeing, you know, stores getting hit with these organized attacks across the country at this point. And so, you know, that's not a victimless crime in that sense, you know, we want to protect our guests. And that goes beyond just the in-store fraud that we're seeing. Threat actors are evolving. These rings are organized. And so there's a cyber approach to investigating and mitigating this type of fraud. And so threat actors, they are, you know, organizing across mainstream social media. You know, a lot of people might come across on TikTok or Instagram or Facebook these groups that look suspicious that are advertising, recruiting, or selling different fraud methods. And that's really escalating these threat actors in communicating with one another. Similar to how we are communicating via social media with our friends and family, threat actors are doing the same. And that's taking what used to be a very central, organized group where they might have to go to their local pawn shop to sell the merchandise to this global economy that they can buy and sell merchandise online. And with sites like eBay, Facebook Marketplace, Craigslist, the ability to monetize stolen goods in a very quick way, very anonymously, has led to this increase in crime opportunities for these threat actors.

Ryan Miller: We just took a holistic approach to fraud within our organization. And the decision was made to bring fraud under our security umbrella. And so with that was the evolution of threat intelligence and specialization to focus on fraud intelligence. And really it became a need for us to understand that threat landscape, right. We need to understand what the threat actors are doing so we can defend against what those threat actors are doing. And with the same concepts of how we track phishing and malware and, you know, APT groups, we need to apply that to fraud. So if you don't have dedication there, it becomes this secondhand approach. Which a lot of, you know, intel teams I think are initially set up like that. So as the landscape of this fraud became more prominent, as we decided to take a stronger look into that from a security perspective, we had to dedicate fraud analysts, intel analysts, to look at that intel and pull it into the organization.

Leah Schwartzman: Yeah, we really aren't reinventing the wheel here. We are using that standardized collection methodology, that traditional CTI that teams are focusing on and just mapping that to fraud. And that's going to look very different depending on your organization, what experience that you have for your guests. Nowadays with all these omni channel experiences, guests pick up, drive up, same-day delivery. Although that's great for our guests, it's also exposing us to opportunity for threat actors to abuse those systems. And so leveraging what you know about your own internal environment, we know our environment better than anyone else, so leveraging those business partners outside of security to really understand how their systems flow, you know, what point are guests seeing this, how are guests impacted by different decisions that we make, and then taking that extra to say, okay, are we seeing any discussion of threat actors talking about these bypasses, these abilities to commit fraud against us in these variety of different ways? And that really is standard intelligence collection that can be applied to fraud. And once you gain that initial collection, it'll start flowing in. You know, there's an endless pool of chatter out there of methods being sold, guides, threat actors talking about it. So once you establish that initial collection from a fraud perspective, you're going to start to get that actual intelligence to share with your business teams.

Ryan Miller: And I'll just chime in that, you know, within the threat landscape, we're seeing the lines being blurred, right. Like cybercrime is crossing over into fraud, vice versa, right. Like the handoff is not separate anymore. And so by having a dedicated fraud analyst as well as a traditional threat intelligence analyst share the same platforms, the same tools, same services, and we're ingesting all that data, the correlation of that data from what we might say is only fraud is not turning out to be only fraud, right. You have broader visibility. And so you might see some of the tools that are used for DDoS, a botnet or something, right, that might also be leveraged to launch ATO attacks, right. So if you have these indicators from that, you can see that if they were completely separate, you know, you're going to miss some of that visibility. Same concept as like when fraud sits in some other corner of the organization than security does, you're not going to have that collaboration that you need to combat the threat.

Luke Vander Linden: You know, like again, you mention all the different ways now that retailers serve their customers. And even smaller organizations, smaller retailers, also have to do those things, but they might not have the resources as Target might. Do you have any advice for a smaller company that wants to get involved in this?

Leah Schwartzman: Yeah. Start with that first area, focus. And, you know, a lot of the help of the RH-ISAC, you know, people share information, people are sharing trends that could be out there in regards to how threat actors are operating. So take that information back to your organization and build out what we call a kill chain. So that's once again applying your traditional cybercrime to fraud. And map out, okay, if I was a threat actor hitting my organization or a specific process within my guest flow, how would they be able to bypass the controls that we might have in place? And really visualizing ending that kill chain flow is going to help you as one analyst to say, okay, who are the business partners within the organization that I need to basically make friends with to say, hey, your system is allowing threat actors to abuse X, Y, and Z? Maybe we need to have discussion around changing that process or flow without impacting the guests. And so all it takes is one analyst to begin to dive into that data. And once you have that key fraud focus area, it's really going out and getting that collection. So scraping of Telegram, the Discord, the social media channels, where the threat actors are living in that ecosystem that they're communicating within, leveraging that, pulling that in, and then applying that to your own organization. And it's a little time consuming on the front end, but once you have that preestablished collection and visibility, it'll start to flow and it'll become very clear where you need to prioritize your efforts within your own organization as well.

Luke Vander Linden: So all of that being said, we are about to enter the busiest season of the year for retailers. How is Target preparing for the holiday season?

Ryan Miller: I love this question and we get asked this every year. But, you know, we don't do a lot different, right. Like we take the approach like, let's just see as much we can all year around, right. Because the way that the fraud landscape has shifted, really the cybercrime landscape has shifted, is they don't stop, right. So yes they ramp up a little bit, but really for us, it's just really scrutinizing data a little bit more, right. So things that might've been a lower threshold in March and April are now going to be, hey, let's scrutinize this -- what activity is really going on here, right? So, you know, take ATO, for example, we're probably going to start to see an increase in that actors are preparing for the holiday season. But that doesn't happen in December, when, you know, you would think it would happen. It happens in September and October. They're trying to compromise those accounts ahead of time. So when they start to see people add credit cards or add gift cards that they get for the holiday, they already have access and can leverage that.

Luke Vander Linden: They need to prepare too, yeah.

Ryan Miller: So for us, it's just it's, you know, kind of status quo, but like being more vigilant, being more aggressive in the approach we take at our collection efforts and the analysis that we do on the alerting that we get, and just looking for these anomalies. Or, in the fraud case, right, like what are the threat actors interested in? And that can change on a weekly basis. But during the holidays, right, it's going to be gift cards, it's going to be washing gift cards or leveraging gift cards they're purchasing. What are the hot items, right, that sell really great around the holiday? And how are they trying to hide in the mix of the heavy volume of traffic, right, that comes to our organization during the holiday season? And they're trying to kind of fly below the radar. So those are really the things that we're focusing on to get ahead of the holiday.

Leah Schwartzman: And part of intel collection on that is knowing what items are being launched across the industry. So whether it be like the hot commodity item for the resell value, so getting ahead of what those trends could look like to preestablish that visibility internally can help mitigate it before it becomes a fire drill during the busiest season.

Luke Vander Linden: Excellent. Leah, Ryan, thank you very much. Both from Target's terrific CTI team. Amazing. Thank you very much for joining us on the RH-ISAC podcast.

Dave Bittner: Luke Vander Linden is host of the RH-ISAC podcast, which you can hear right here on the CyberWire podcast network. Do check it out. It is a show worth your time. [ Music ] And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2K.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week. [ Music ]