The CyberWire Daily Podcast 11.13.23
Ep 1946 | 11.13.23

Ransomware and DDoS hit diverse sectors. The DDoS is a nuisance, the ransomware more serious.

Transcript

Dave Bittner: Australian ports are recovering from a cyberattack. SysAid is hit by Cl0p user Lace Tempest. Ransomware targets China's largest bank. LockBit doxes Boeing as Boeing hangs tough on paying ransom. Docker Engine for DDoS. Rick Howard looks at the SEC’s targeting of SolarWinds’ CISO. And Anonymous Sudan claims attacks on ChatGPT and Cloudflare.

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Monday, November 13th, 2023.

Australian ports recovering from cyberattack.

Dave Bittner: Our first story is about a major attack on a national supply chain.

Dave Bittner: Australia's National Cyber Security Coordinator announced Saturday that the government was investigating a cyberattack that disrupted several Australian ports. The Coordinator tweeted, "DP World Australia has advised it has restricted access to its Australian port operations in Sydney, Melbourne, Brisbane and Fremantle while it investigates the incident. This interruption is likely to continue for a number of days and will impact the movement of goods into and out of the country. DP World Australia is working with its stakeholders to consider the impacts on its operations at specific ports." 

Dave Bittner: DP World began restoring operations at the affected ports Monday, according to the BBC, and cargo is again moving in Australia.

Dave Bittner: The precise nature of the attack hasn’t, as of this report, been revealed, but the Coordinator called the unspecified cyber incident "a nationally significant cyber incident."

Dave Bittner: DP World Australia’s operational shutdown was preventive, according to the Guardian. All that was publicly known as of late yesterday is that "unauthorized activity" had been detected in DP World Australia's systems.

Dave Bittner: DP World Australia has said, Bloomberg reports, that it has not received a ransom demand. The Conversation recounts informed speculation to the effect that the incident represents sabotage "by a foreign state actor." The story is developing; we’ll have more as the information becomes available.

SysAid exploitation by Cl0p user Lace Tempest.

Dave Bittner: Microsoft’s threat intelligence team has warned that Lace Tempest is now exploiting a recently disclosed path traversal vulnerability (CVE-2023-47246) affecting on-premises SysAid servers. SysAid issued a patch for the flaw on November 8th. Lace Tempest is the Cl0p ransomware actor that was behind the widespread attacks against the MOVEit file transfer software earlier this year.

Dave Bittner: SysAid says the threat actor exploited the vulnerability as a zero-day by “[uploading] a WAR archive containing a WebShell and other payloads into the webroot of the SysAid Tomcat web service.” Rapid7 notes, “Post-exploitation behavior included deployment of MeshAgent remote administration tooling and GraceWire malware.”

Ransomware attack against China's largest bank.

Dave Bittner: Reuters reports that a ransomware attack hit the Industrial & Commercial Bank of China (ICBC) last week, disrupting trades in the US Treasury market. The Lockbit ransomware gang is believed to be behind the attack, although the gang itself hasn’t claimed responsibility. A US Treasury spokesperson told Reuters, “We are aware of the cybersecurity issue and are in regular contact with key financial sector participants, in addition to federal regulators. We continue to monitor the situation.” ICBC said in a notice on its website that the bank is “progressing its recovery efforts with the support of its professional team of information security experts.”

Dave Bittner: Reuters says the hack left the bank’s US broker-dealer, ICBC Financial Services, “temporarily owing BNY Mellon (BK.N) $9 billion, an amount many times larger than its net capital.” The brokerage received a cash injection from its Chinese parent to pay back BNY.

LockBit doxes Boeing as Boeing hangs tough on paying ransom.

Dave Bittner: Boeing sustained a ransomware attack by the LockBit gang with a November 2nd deadline to pay up or face the release of stolen data. Boeing reported that its parts and distribution units were affected.

Dave Bittner: The aerospace company told the Register that it is currently investigating the situation in collaboration with law enforcement and regulatory bodies. Despite the breach, Boeing maintains that the incident has not compromised the safety of its aircraft or flight operations.

Dave Bittner: Dark Reading reported late last week that this actually showed some uncharacteristic circumspection on the part of a ransomware operator. Such criminal gangs are usually quick to publish proof-of-hack. Reuters reports that LockBit escalated to doxing on November 10th, releasing files they claim were taken in the attack. Computing wrote this morning that the leaked files appear to contain some financial data, and that Boeing had refused to pay the ransom, effectively calling LockBit’s bluff.

Docker Engine for DDoS.

Dave Bittner: Researchers at Cado Security describe “OracleIV,” a DDoS botnet agent that’s targeting publicly exposed instances of the Docker Engine API. Attackers are “exploiting this misconfiguration to deliver a malicious Docker container, containing malware written in Python and compiled as an ELF executable.”

Dave Bittner: The researchers point out:

Dave Bittner: The OracleIV issue highlights ongoing security risks where attackers exploit misconfigured Docker Engine APIs to gain initial access for various malicious activities. The nature of containerization allows these attacks to operate consistently across different system setups. Although OracleIV is not a direct supply chain attack, it raises concerns about the presence of harmful container images in Docker's library, a problem that is not expected to be resolved soon. The malicious account responsible for OracleIV has been reported to Docker by Cado researchers, with the hope that the offending image will be taken down.

Anonymous Sudan claims attacks on ChatGPT and Cloudflare.

Dave Bittner: Finally, a Russian hacktivist auxiliary seeks to cover itself with a fig leaf of pro-Palestinian commitment.

Dave Bittner: Bloomberg reports that Anonymous Sudan claimed responsibility for distributed denial-of-service (DDoS) attacks that intermittently interrupted OpenAI's ChatGPT last week. Despite its name, Anonymous Sudan is a Russian hacktivist auxiliary. The group cited OpenAI's Israeli investments as justification for the operation, thus posing as a more-or-less Islamist group instead of the Kremlin front it is. Anonymous Sudan offered an explanation in its Telegram channel for its attack on OpenAI.

Dave Bittner: The group targeting OpenAI and ChatGPT cited OpenAI's collaborations with Israel and investments in the country, as well as meetings with Israeli officials, as reported by Reuters. They also noted the use of AI in military and intelligence applications by Israel, asserting that it contributes to the oppression of Palestinians. They pointed out that as an American company, OpenAI is a target, and they claimed that ChatGPT shows a bias toward Israel in its responses, which they believe needs to be corrected.

Dave Bittner: The group also claimed responsibility for DDoS attacks against Cloudflare. CyberDaily quotes Anonymous Sudan's Telegram channel: “Cloudflare is strongly down by skynet / Godzilla-Botnet / AnonymousSudan.” Skynet is a DDoS-for-hire operation. Cloudflare quickly restored normal operations.

Dave Bittner: The incidents are further evidence of how irresistible nuisance DDoS attacks are to hacktivists and those who pose as hacktivists. They’re an irritating low-hanging fruit for those who have little need for art and small interest in science. 

Dave Bittner: Coming up after the break, Rick Howard looks at the SEC's targeting of SolarWinds' CISO. Stay with us. [ Music ] And it is always my pleasure to welcome back to the show, Rick Howard. He is the CyberWire's Chief Security Officer and also our Chief Analyst. Rick, welcome back.

Rick Howard: Hey, Dave.

Dave Bittner: So, the news came by over the past week or so that the SEC was going after SolarWinds in an SEC filing, specifically Tim Brown, who is their CISO.

Rick Howard: I know! Tim Brown! I am gobsmacked, okay, that this is going on, right? So go ahead. I'm sorry.

Dave Bittner: No, no, no. Well, so why I want to talk to you specifically is, of course, you are our Chief Security Officer here at the CyberWire and N2K. Before that, you were Chief Security Officer at Palo Alto Networks. What I like to tease you about is that that is a Big Job with a capital B and a capital J. So I think you have a good perspective on someone having the responsibility for security at a large organization like this. So I just want to check in with you, what your take is on this move by the SEC.

Rick Howard: Well, I think at first to get your heads around this because it's very complicated, right, and a completely new thing that the SEC is doing. But I think it might help to just kind of figure out how we got here. So you remember, you know, it was back in 2019, around that timeframe, that the Dark Halo attack campaign compromised the SolarWinds' network and poisoned their SolarWinds Orion product. And this is one of those supply chain cases that came out during those times. And, you know, there's been a number of them since. But this is kind of like the big one that put a spotlight on that particular attack vector. By the way, the first victims of that were US think tanks, right, which was, I didn't know that until I was looking up all the details here. And then FireEye goes public with, they've been hacked by that same product poisoning on December 8th, 2020, right? And then SolarWinds did an SEC filing a couple weeks after that, right? And so fast forward then to 26 July 2023. The Securities and Exchange Commission, they adopted new disclosure rules around material cyber incidents, meaning that there's all these special rules now that you have to report immediately if you've determined that your company has been materially impacted by a cyber event.

Dave Bittner: Right, if you're a public company.

Rick Howard: Yes, yes, if you're a public company. And there's lots of debate about how they structured those rules and, you know, and how hard this is going to be going forward. And we were all kind of just waiting to see what was going to manifest out of all that. And then in just, right, the eve of Halloween, this, right, which is great for Tim Brown, I guess, right, so, but they charged Tim, okay, with this civil case, right? And so, you know, I like to string those events together, just kind of get a sense of all that. And so here are some facts, right, that we should just consider when we go through all this. This is a civil case. It's not a criminal case, meaning nobody is going to go to jail, right? But there are court costs and follow-on job opportunities for Tim, okay? And we're not going to know the results of all that for months, maybe even years. So that's one big fact. The second big fact is the current CEO, Sudhakar Ramakrishna, he was not the CEO at the time of the incident. That CEO was Kevin Thompson, but he left, and then Sudhakar came in and took over. So Sudhakar is just kind of, he's kind of manhandling this whole incident after he took over from his predecessor.

Dave Bittner: Right.

Rick Howard: And then Tim was not the CISO at the time of the incident. He didn't get the CISO title until after, right? He got promoted into that job. So apparently, the leadership team thought he was doing it good and gave him the title for it. And by the way, he's not a director of SolarWinds. Meaning that he's not on the board. Meaning he's not -- right? He doesn't have any fiduciary responsibility that board members typically have. And he was not an officer of the company, meaning that he wasn't appointed by the board, you know. And that's important because directors and officers are protected against bad business decisions they make.

Dave Bittner: Right.

Rick Howard: They aren't -- Right. You know --

Dave Bittner: Errors and omissions, right?

Rick Howard: Yes. That kind of thing, right? They're not personally liable for reasonable mistakes of judgment, okay, that they make in their day-to-day jobs, as long as they're not doing it in bad faith. But Tim is just a simple vice president employee. He doesn't have any of those director and officer protections, like, you know, D and O insurance, directors and officers insurance, that would cover court costs and lawyer salaries and those kinds of things that Mr. Brown is going to have to, you know, shell out as this thing, you know, wanders through the courts and all that.

Dave Bittner: Right.

Rick Howard: And so the good news for him, though, is I happen to know through reliable sources that SolarWinds is standing behind Tim Brown and covering all those legal fees for him because they don't want him to get screwed over by this entire process. The SolarWinds CEO thinks this is kind of a mistake, right, what the SEC has done. I don't know. So those are the facts that I know. And what do you think about all that, Dave?

Dave Bittner: Well, you know, I'm curious because, to me, this points out something you and I have talked about before, which is this notion that CISOs are C-level in name only --

Rick Howard: In only.

Dave Bittner: -- and don't have the, in this case, the power, but also the shielding that comes with being at that level. Is that an accurate assessment?

Rick Howard: That's exactly right. You know, we get the fancy title. But, you know, we don't get the -- we don't get the office in the corner, you know. So it's not one of those things, right? But up to this point, it really has not been that big of a deal, right, because nothing bad has ever happened to us until now, all right, with, you know, the SEC reaching down and charging Mr. Brown with these kinds of things, right? So --

Dave Bittner: Right.

Rick Howard: So here's my big hot take, Dave.

Dave Bittner: Yeah.

Rick Howard: I'm not a lawyer. And I confess that I haven't read the, in detail, the entire over-100-page civil complaint, right? That's something I'll defer to you for, you know, a little nighttime reading.

Dave Bittner: Yeah.

Rick Howard: But I don't understand how the SEC could reach into a company like SolarWinds, past the board, past the officers of like the two CEOs I was talking about before, two layers deep in the leadership hierarchy, and charge somebody like Tim for repeatedly violating the anti-fraud disclosure and internal controls provisions of federal securities law. Okay? How is that his fault, right? So --

Dave Bittner: Mm hmm.

Rick Howard: I'm here to tell you that the CISO in no company ever has ever had the power to make disclosure decisions for the company. Okay? In the best case, the CISO has input to the decision made by the board and the officers. In the worst case, and I would say in most cases, the CISO is not even in the room when those decisions are made, right? So if the SEC wants to make an example of SolarWinds for the rules changes they made in July of this year, by the way, okay, and it's brand new, by the way, they don't go into effect until the end of this year, I think they completely missed the mark. I'm not saying I agree with their aggressiveness. But if you're going to set an example, wouldn't you go after the leaders of the company and not the doers? Okay?

Dave Bittner: Yeah.

Rick Howard: Well, I don't understand this at all. It's kind of like they're pulling a trigger on something that's not going to have any effect, right? I don't know. What are you -- Am I completely crazy about that?

Dave Bittner: I don't think so. I mean, and I'm just speculating here with you that, is this their way of sending a message to all the CISOs out there that we're going to be serious about enforcing these rules?

Rick Howard: To people who have no authority in disclosing those things, right? That the rules --

Dave Bittner: Right.

Rick Howard: -- say you have to disclose anything that's material, you know, that's happened to you materiality when -- in terms of materiality, right? The CISO doesn't make those calls for any company that I know.

Dave Bittner: What do you think the implications are here? What happens next?

Rick Howard: Well, I, you know, there's a number of things. And these are, you know, I'm going to peer into my crystal ball here and, you know, think of what might happen. The first one is I think it just layers a chilling effect on the CISO position going forward. Why would you take this position if you're not protected by the company for these kinds of lawsuits? I mean, holy cow.

Dave Bittner: Yeah. Who needs those headaches?

Rick Howard: Who needs that? Okay? CISO job is hard enough, right? Why would you do that, right? So --

Dave Bittner: Right.

Rick Howard: The second one is -- And I believe this was going on anyway because of the new rules by the SEC. But if the CISOs aren't having discussions about materiality with their corporate lawyers, okay, about what it is for that particular company and how you convey it to the board and officers, they better get in there post haste, right, because that's going to have some implications down the line maybe even financial to a lot of CISOs.

Dave Bittner: Yeah.

Rick Howard: And I will say, you know, my career, those discussions hardly ever happened, right? But with the new SEC rules, I think they are probably happening more and more. Some practical advice, though, I got this from my buddy, Steve Winterfeld. He's one of our hash table members. Comes on our shows all the time and helps us understand things. He says you should probably have a pretty detailed discussion with your lawyers about privileged communication, right? Because how do you do -- how do you communicate, hey, we found this new, you know, vulnerability in our system that may, you know, materially impact us later on? How do you communicate that without it being discoverable so that you go to, you know, have to pay huge fines later on down the road, right? So one of the ways that some companies are talking about that is figuring out how to make those conversations privileged so that it doesn't show up in some court document somewhere. I think that's really good advice. I don't know if it's possible, but I think it's a good thing to try to pursue.

Dave Bittner: Mm-hmm.

Rick Howard: The next one is personal insurance for CSOs, okay, for these kinds of things. You know, if you don't have D and O insurance, like the corporate officers have, maybe you go get it yourselves. Maybe you negotiate that as part of your package of employment for the company you're taking that CISO job for, right?

Dave Bittner: Mm-hmm.

Rick Howard: So it is now another thing to consider as part of your compensation package.

Dave Bittner: Certainly, at the very least, a question to ask.

Rick Howard: It should be. Asking that question. And you should really consider whether or not you want to go work for that company who doesn't want to protect the CISO. You know what I'm saying?

Dave Bittner: Right.

Rick Howard: Maybe you're the guy they're going to throw under the bus, right? So yeah, something to think about. I have one last one, okay, that may be a ray of, you know, sunshine in this, you know, really dark cloud. But this might mean that the CISO position might finally get elevated to an officer position. And if they're going to have the responsibility for this kind of thing, you might as well give them the, you know, the title to it. So and a lot of CISOs I know have been angling for that for a long time, thought we would be here by now, and the community is not. So maybe after all this, that position gets elevated to the next level.

Dave Bittner: Why do you suppose that the position hasn't been elevated so far? You know, with all of the reliance on cybersecurity that organizations have in order to function these days, what's holding CISOs back?

Rick Howard: My hot take on this is that we did this to ourselves. Okay? In the early 90s, we, as a group, and I include myself in that, we talked about cybersecurity that it was so different that nobody can understand it. Only people like us, you know, with the great hallowed title of CISO, would understand what's going on. You guys, you businesspeople, stay over there, and we'll handle everything. Well, we never learned how to talk to the business leaders in terms that they can understand. We never related cyber risk to business risk. We talk in terms of vulnerabilities and malware and, you know, those kinds of things. Okay. But we never go to the company and say, you know, boss, because of our current situation, the business is at risk here. Okay? And the probability of material impact to this organization is a real number that we can calculate. And we're just now having that discussion in the InfoSec community. So I think we did it to ourselves. And I don't blame the business leaders for that.

Dave Bittner: Do you think that most CISOs want to be elevated to that officer level?

Rick Howard: I think that before all this happened, yeah, because, you know, I mean. But -- [laughing].

Dave Bittner: But be careful what you ask for?

Rick Howard: Yeah, then we're going, oh, wait. I don't want that. Okay?

Dave Bittner: Yeah.

Rick Howard: But, yeah, it's one of those. [laughing]

Dave Bittner: Okay. All right. Fair enough. Well, Rick Howard is the CyberWire's Chief Security Officer and also our Chief Analyst here at N2K. Rick, thanks so much for joining us.

Rick Howard: Thank you, sir. I appreciate it. [ Music ]

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500, and many of the world's preeminent intelligence and law enforcement agencies. N2K's Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tré Hester with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.