Archive.fm

CyberWire Daily

Squarespace's square off with hijacked domains.


Duration: 32m
Broadcast on: 16 Jul 2024
Audio Format: mp3

Some Squarespace users see their domains hijacked. Kaspersky Lab is shutting down US operations. BadPack APKs break malware analysis tools. Hackers use 7zip files to deliver Poco RAT malware. CISA’s red-teaming reveals security failings at an unnamed federal agency. Microsoft fixes an Outlook bug triggering false security alerts. Switzerland mandates open source software in the public sector. On our Industry Voices segment, N2K’s Rick Howard speaks with Alex Lawrence and Matt Stamper from Sysdig about their 555 Cloud Security Benchmark. Bellingcat sleuths pinpoint an alleged cartel member.

Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.


CyberWire Guest

On our Industry Voices segment, N2K’s Rick Howard speaks with Alex Lawrence and Matt Stamper from Sysdig about their 555 Cloud Security Benchmark. Learn more about the /555 benchmark.


Selected Reading

Researchers: Weak Security Defaults Enabled Squarespace Domains Hijacks (Krebs on Security)

Kaspersky Lab Closing U.S. Division; Laying Off Workers (Zero Day)

Beware of BadPack: One Weird Trick Being Used Against Android Devices (Palo Alto Networks Unit 42)

New Poco RAT Weaponizing 7zip Files Using Google Drive (GB Hackers)

CISA broke into a US federal agency, and no one noticed for a full 5 months (The Register)

Organizations Warned of Exploited GeoServer Vulnerability (Security Week)

Microsoft finally fixes Outlook alerts bug caused by December updates (Bleeping Computer)

New Open Source law in Switzerland (Joinup)

Exploring the Skyline: How we Located an Alleged Cartel Member in Dubai (Bellingcat)


Share your feedback.

We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. 


Want to hear your company in the show?

You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Learn more about your ad choices. Visit megaphone.fm/adchoices

You're listening to the CyberWire Network, powered by N2K.

Some decisions are easy, like playing your favorite song. Other decisions are hard, like choosing the right credit card. But that's mostly because the financial system is complicated. There's so many offers, rates, and products, but which one's best for you? That's why we've reinvented Credit Karma to do the hard work for you. We scan for the latest offers from our trusted partners to help you find the best financial hits for your unique situation. That way you can spend less time saying "huh" and more time doing, well, anything. Download Intuit Credit Karma today and get everything you need to outsmart the system.

When it comes to ensuring your company has top-notch security practices, things can get complicated fast. Vanta automates compliance for SOC 2, ISO 27001, HIPAA, and more, saving you time and money. With Vanta, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center. Over 7,000 global companies, like Atlassian, Flow Health, and Quora, use Vanta to manage risk and prove security in real time. Our listeners can claim a special offer of $1,000 off Vanta at vanta.com/cyber. That's v-a-n-t-a.com/cyber for $1,000 off Vanta.

Some Squarespace users see their domains hijacked. Kaspersky Lab is shutting down U.S. operations. BadPack APKs break malware analysis tools. Hackers use 7zip files to deliver Poco RAT malware. CISA's red teaming reveals security failings at an unnamed federal agency. Microsoft fixes an Outlook bug triggering false security alerts. Switzerland mandates open-source software in the public sector. On our Industry Voices segment, N2K's Rick Howard speaks with Alex Lawrence and Matt Stamper from Sysdig about their 555 Cloud Security Benchmark. And Bellingcat sleuths pinpoint an alleged cartel member.

It's Tuesday, July 16, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Thanks for joining us here today. It is great to have you with us.

Last week, over a dozen organizations using Squarespace had their domains hijacked. Squarespace, which acquired Google Domains a year ago, is migrating those domains. Many customers haven't set up new accounts yet, allowing hackers to exploit this by registering migrated domains using existing email addresses. The hijacks, occurring between July 9th and July 12th, targeted mainly cryptocurrency businesses. Attackers redirected domains to phishing sites to steal cryptocurrency. Security experts from MetaMask and Paradigm explain that Squarespace assumed users would log in via social options like Google or Apple, not via email. Hackers could thus create accounts with unregistered emails, gaining domain access. Squarespace didn't require email verification, compounding the issue. This has left domain owners with reduced security and control compared to Google. A comprehensive guide advises enabling multi-factor authentication, identifying accessible emails, and securing Google Workspace accounts. Squarespace has not commented on the incident.

Kaspersky Lab, a Russian cybersecurity firm, is shutting down its US operations and laying off employees after the US Commerce Department banned the sale of Kaspersky software starting July 20th. The ban follows national security concerns that Kaspersky or the Russian government could exploit the software to spy on American customers. Kaspersky confirmed the shutdown, citing the ban's impact on its US business viability. The closure affects fewer than 50 US employees, who will receive severance packages. The US had previously banned Kaspersky software from federal and military systems due to security concerns. Despite denying any misuse of its software, Kaspersky faced allegations of extracting NSA hacking tools from an employee's computer. US officials stress the ban protects Americans from potential exploitation by foreign adversaries.
New research from Palo Alto Networks Unit 42 looks at APK files used by Android OS. These are packaged as ZIP archives containing a critical file named AndroidManifest.xml. This file holds essential application data. In some cases, attackers tamper with ZIP headers to prevent analysis, resulting in what are known as BadPack APKs. Tools like Apktool and JADX often fail to extract content from these tampered files. Palo Alto Networks' analysis of their Advanced WildFire telemetry from June 2023 to June 2024 identified nearly 9,200 BadPack samples. These files pose a significant threat by preventing normal extraction techniques and hindering security analysis. BadPack APKs alter ZIP header values, leading to discrepancies that break analysis tools but not the Android runtime. Researchers suggest reversing these changes for successful analysis. Tools like apkInspector can handle such tampered files. Enhanced detection and protection measures, including multi-factor authentication and monitoring, are crucial to countering this threat.

Hackers are using 7zip files to bypass security measures and deliver Poco RAT malware effectively. Discovered by Cofense in early 2024, Poco RAT targets Spanish-speaking individuals in the mining industry, initially through Google Drive-hosted 7zip archives. By the second quarter of 2024, it reached four sectors, with mining still being the main target. The malware, focused on basic RAT functionality, uses consistent TTPs and exploits legitimate file hosting services to bypass secure email gateways. Poco RAT is distributed via direct Google Drive URLs in emails, links in HTML files, and links with attached PDFs. Poco RAT employs POCO C++ libraries, arrives as an executable, and establishes persistence via registry keys. It attempts to evade detection. It faces average detection rates of 38% for executables and 29% for archives.

In 2023, a CISA red team exercise exposed significant security failings at an unnamed federal agency.
These SILENTSHIELD assessments, which simulate long-term nation-state threats without prior notice, revealed vulnerabilities in the agency's Oracle Solaris enclave to an unpatched CVE, leading to a full compromise. Despite prompt notification, the agency delayed patching the vulnerability and public exploit code emerged, further jeopardizing security. The red team accessed the Windows network via phishing and identified weak passwords. They found unsecured admin credentials and gained access to highly privileged systems, termed a full-domain compromise. The exercise highlighted the agency's inadequate logging and over-reliance on known indicators of compromise. CISA emphasized defense-in-depth principles, recommending network segmentation and stressing the need to move beyond reliance on IOCs. It also called for improved software security, logging, and cooperation with security information and event management (SIEM) and security orchestration, automation, and response (SOAR) providers.

In unrelated CISA news, the agency urges federal organizations to patch a critical GeoServer vulnerability due to active exploitation evidence. This flaw allows unauthenticated remote code execution via unsafe evaluation of XPath expressions. GeoServer, an open-source server for geospatial data, improperly applies XPath evaluation to all feature types. Federal agencies must identify and patch vulnerable instances by August 5th.

Microsoft has resolved an Outlook bug causing incorrect security alerts, identified in February after December updates. Users reported warnings like "This location may be unsafe" when opening ICS calendar files. These false alerts stemmed from security updates which prevented NTLM hash theft via crafted files. Initially fixed in April, the update was rolled back due to issues found in testing. The bug was finally fixed in the July 9th update. Users who applied a registry workaround should reverse it before installing the update.
Switzerland has enacted the Federal Law on the Use of Electronic Means for the Fulfillment of Governmental Tasks, or EMBAG, mandating open-source software for public sector bodies. Championed by Professor Dr. Matthias Stürmer, the law aims to reduce vendor lock-in, enhance digital transparency, and cut IT costs. Public bodies must disclose the source code of government-developed software, ensuring transparency and public contribution, unless precluded by third-party rights or security concerns. Article 9 of EMBAG also allows public bodies to offer related services at cost-covering remuneration to maintain competitive balance. Despite initial resistance, persistent lobbying led to the law's adoption, which advocates say promotes digital sovereignty, innovation, and collaboration within the public sector. This legislative milestone may serve as a model for other countries, highlighting OSS benefits like security, cost efficiency, and increased public trust.

Coming up after the break, Rick Howard speaks with Alex Lawrence and Matt Stamper from Sysdig about their 555 Cloud Security Benchmark. Stay with us.

And now, a word from our sponsor, KnowBe4. Where would infosec professionals be without users making security mistakes? Working less than 60 hours per week, maybe, actually having a weekend every so often. While user behavior can be a challenge, they can also be an infosec professional's greatest asset once properly equipped. Users want to do the right thing, but often lack the knowledge to do so. That's one of the reasons KnowBe4 developed SecurityCoach, a real-time security coaching tool that takes alerts from your existing security stack and sends immediate coaching to users who've taken risky actions. Existing security tools will likely block a user from visiting a high-risk website, for example, but the user might not understand why.
SecurityCoach analyzes these alerts and provides users with relevant security tips via email or Slack, coaching them on why the action they just took was risky. Help users learn from their mistakes and strengthen your organization's security culture with SecurityCoach. Learn more at knowbe4.com/securitycoach. That's knowbe4.com/securitycoach, and we thank KnowBe4 for sponsoring our show.

The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now, employees, apps and networks are everywhere. This means poor visibility, security gaps and added risk. That's why Cloudflare created the first-ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business.

[MUSIC]

On today's sponsored Industry Voices segment, our own Rick Howard speaks with Alex Lawrence and Matt Stamper from Sysdig about their 555 Cloud Security Benchmark.

Alex Lawrence is the field CISO at Sysdig, and Matt Stamper is the co-author of the Cybersecurity Canon Hall of Fame book, the CISO Desk Reference Guide. He's also the CEO of Executive Advisors Group and, as luck would have it, an advisor at Sysdig. I started out by asking Alex about their newly proposed cloud native security benchmark called 555.

Yeah. In essence, it comes down to speed, right? One word to describe the whole thing. Basically, the concept here is that most security models that people are using today follow a number of practices and business concepts around security that are a little bit behind the times, if we're being perfectly honest. They're built around an on-premises data center where you had kind of known ingress and egress points. You could do things a little bit easier. You controlled a lot more of the environment. The reality is, as we moved to the cloud and we moved to more modern architectures, you don't really have those same capabilities you used to have. You have new ones.
You have arguably ones that are maybe a little bit better for your business. They let you move faster. They let you automate more. They let you do a lot of really interesting things with your infrastructure. That necessitates a change in the security model, right? You don't have hours and days to respond to threats, to make changes, to do investigations. You have literal minutes, right? Attacks can be executed in seconds in the cloud. A lot of movement happens in less than 10 minutes in the cloud. As all these things have changed, we used to go from four hours at the minimum to maybe a couple of days at the maximum for a lateral movement. You don't have that luxury anymore, right? You have to go significantly faster. We produced a benchmark called 555 to help people reconceptualize how they build a good security model and how they build a good security program. Basically, this means you have about five seconds to detect. You've got about five minutes to triage. You've got about five minutes to respond. Pretty simple and straightforward.

As an example of why we need the 555 benchmark, the Sysdig Threat Research Team described in their security blog back in 2023 an attack against one specific target that only took the hackers five minutes from initial access to when they found the crown jewels. Sysdig named the attack SCARLETEEL. And you guys may not know this, but I'm a huge fan of the first-principle intrusion kill chain prevention strategy. And I was very pleased to see that the Sysdig analysis described the attack in terms of the intrusion kill chain. An attack that planted a diversion in part of the victim's network, a decoy, so to speak. They installed and ran some crypto mining software that was very loud and noisy so that they could go off in another part of the network undetected to look for the crown jewels. So Alex, can you give us an overview of what happened here?

Yeah, yeah. They're just a plug for those guys. They're wonderful.
They produce some really great content. If you haven't heard about them before, look them up. You Google Sysdig Threat Research Team. You'll find lots of great articles they put out there. And they've got a knack for explaining things in a way that makes sense, right? It's not overly technical, nor is it too generic, right? It actually gives you some decent value. This attack, SCARLETEEL, is one that's kind of a multi-phased attack. It's actually not dissimilar from things that we've dealt with in the past in terms of kind of a complexity of attack and misdirection and things like that. But in its essence, it's an attack that effectively breaks into your cloud environment. It installs crypto miners. And that really is kind of like the red canary. It's trying to get you to go look at that and look at the shiny object that you can take care of quickly. And realistically, people like to attack crypto miners and go after them as the security team because they're easy, right? You can detect one. It's XMRig running. This thing's easy to go find. It goes to do something about that. Reality is it's trying to distract you from the bigger thing, right? Lateral movement is always kind of like the reward in any cyber attack. It's how do I persist in the environment? How do I gain more access to the environment? And so we're going to go get in. We'll break in via some exploit or some misconfiguration. We'll install a crypto miner. And then we're going to go hunt for actual important things, right? We're going to look for access keys in this provisioned roles. We're going to go try to gain access to other stuff we can use at a later point in time. So the SCARLETEEL attack is kind of a combination of multiple TTPs where they're trying to break in in various ways, throw in some distractions, and then go get something that's bigger to escalate privilege, to persist privilege, to last longer to be able to go look for sensitive information, extract, exploit data, right?
All those things that we try to prevent and stop in the cyber security world. So it's generally just kind of a good model of attack to study in general because it kind of gives you that multi-pronged approach. You can dive into a number of aspects of it. So it's a fun one.

Matt, let me bring you in here. First, the SCARLETEEL attack campaign is an example of one particular security strategy working, the aforementioned intrusion kill chain prevention strategy. The potential victims had some holes in their prevention controls across the kill chain. But when the hackers got to the part on the attack path where they had to escalate privilege to get to the crown jewels, they didn't have a way to do that. This is the kill chain strategy working, right? The victim broke the kill chain by ensuring privilege escalation didn't happen.

I think you're right. If you look at what are the conditions precedent that would allow a threat actor to succeed, if you know what those conditions precedent are, and you go through and you start implementing controls or telemetry to help reduce the likelihood of those occurring, that's a great way to address this. And I think if you know that to be able to execute X, Y, and Z requires these conditions to be in place, you now can instruct your infrastructure and operations team, your cloud security teams to be able to put in those controls and validate that telemetry and visibility.

Can I rip up what Matt just said there real quick, Rick? If I kind of expose my age and talk about about 20-ish some years ago when I first started getting into security, I heard a really fascinating talk about a threat model for an organization called the Assumption of a Breach. So they were a large organization. They basically said we can't ever assume we're not breached, right? There's never a state in which we don't have something going on in our environment. And so they built their entire security model around that concept.
And it stuck with me, you know, 20-some years later, that this organization basically designed a program that wasn't just preventative, and it wasn't just detective. It was this kind of blend of everything. I think right now, like Matt was just saying, people focus a lot on configuration. They focus a lot on setup. They focus a lot on trying to make sure that they've done their due diligence that when they go into production, they're not going to have something easy to actually wipe. The organization I was speaking of had a really novel kind of implementation of that concept, and kind of what I was getting at was they had a really wonderful blend of both detective and preventative controls. And so they had spent their time doing their due diligence to make sure that they had a good posture on how they configure their assets so that when they went into production, you know, they were doing the things required, but not overly so. You know, if you're running like a bicycle, you know, you put your helmet on and then you went for a bike, right? You didn't just go for a bike ride without protective gear, right? They did basic stuff. But they didn't go overboard, right? They didn't, you know, put on elbow pads and knee pads and a full body airbag and all the other stuff, right? Like they did what made sense, they didn't encumber themselves in their program because they knew they were always breached, right? And so it was kind of a matter of how much preventative made sense and then how can I really build robust detective controls. So if I know that there's always something going on, what can I put in place and what can I do to know when there is a live issue?

So Matt, let me bring this back around to the 555 benchmark. Putting on your CSO hat, how do you think about this 555 strategy? I mean, how do you measure something like that and how do you hold vendors accountable to the standard?
Yeah, I think, Rick, to your point, my first reaction when I read the framework is oh crap. You know, our incident response procedures, our incident response plans fundamentally are not up to these temporal challenges in modern cloud environments. You know, we're still responding in largely manual ways, doing a lot of manual triage, very kind of cumbersome, laborious type work, trying to understand what a threat actor is doing. And the epiphany that I had is essentially where I used to talk, you know, I used to think about things like what is it that we don't see that we should see? Why don't we see it? Now it's one of the things that we're not doing timely enough that we should be doing in kind of machine or real time and how that might impact our incident response programs. And so I think one of the critical things is when you put the 555 framework in play within your own organization, when you start looking at your tabletop exercises, when you start looking at your telemetry, ask those tough temporal questions. You know, will we be able to detect this in the timeframes necessary to kind of preclude a level of damage or a level of impact? And if we're not able to detect and respond in those very aggressive timeframes, what is it that we're not doing that we need to start doing? And how do we start fast tracking that, no pun intended, as soon as possible? We really don't have the luxury of time anymore when our adversaries are fundamentally automated, using machine speed techniques. And we're responding in a very kind of manual, cumbersome way. We have to effectively up our games very quickly.

Yeah, I mean, it's very much about people, procedures and tools, right? It's those things combining together to have a quick response. It's kind of, you know, operating at the speed of the cloud. We all have adopted the cloud and we love the cloud because of automation. But those same automation techniques exist for our adversaries as well.
And so if we're not updating to meet those same concerns, we need to be doing that yesterday or the day before yesterday.

We're coming to the end of this. So I'm going to ask both of you this question. Alex, let's start with you. What's the big takeaway from this conversation we just had?

I would be remiss if I didn't make a call out to our 555 framework. We have lots of content online for this. If you go to sysdig.com/555, you will find plenty of information on this whole framework that we've been talking about today.

I'll weigh in on that point. It is a must read. If you're a CISO and you're not familiar with this framework, caveat emptor. You really need to read this.

Takeaway number two for me. The big thing to kind of focus on here is again, a security model that looks at your stuff holistically, right? You can't put all your eggs in one basket and one basket. You need to have both a combination of preventative and detective controls, right? Blend those things together because when you do that, you actually have a security model that can achieve this concept of 555. Even if you're not going for 555 because you're not on the cloud and you're still on premises, whatever, that's fine. But think about your model in terms of where attackers are going, right? Update it. Think about the new age era of stuff. Work on better response mechanisms. And for nothing else, train your people, right? Spend your time and your investment in your people in your process and you're going to have a better outcome.

Alex, that is great advice. I would say is bring temporal challenges front and center when you look at your security program. Ask those questions. How quickly can we respond to this type of issue or this type of threat technique or this type of threat actor that is operating at machine speed?
And I think one of the things that we need to do is when we start looking at our incident response and doing playbooks and doing tabletop exercises, bring those time scales and time constraints front and center in them. It's a great way to evaluate whether or not we're literally flat-footed or we're operating at machine speed and can keep pace with threat actors that are doing things that are very novel all the time.

Our thanks to Rick, Alex, and Matt. You can learn more about the 555 Benchmark with the link in our show notes.

♪♪

Most of our listeners who deal with legacy privileged access management products know they tend to be expensive, difficult to deploy, and hard to use. Keeper Security is the answer. Keeper's Zero Trust Solution delivers password, secrets, and connection management in one easy-to-use platform. It's fast to deploy, agentless, clientless, and has no implementation fees. Plus, Keeper is FedRAMP authorized. That's why we trust Keeper to prevent breaches and gain full control over privileged users. Visit keeper.io/cyberwire to schedule a quick demo. That's keeper.io/cyberwire. And thanks to Keeper Security for supporting our podcast.

♪♪

And finally, our luxury high-rise desk pointed us to research from Netherlands-based investigative journalism group Bellingcat, which revealed how they pinpointed the luxury Dubai residence of alleged cartel member, Dennis Kadric, in 2023. Bellingcat's sleuths determined Kadric was renting an apartment owned by Candido Nsue Okomo, the brother-in-law of Equatorial Guinea's president. Kadric's arrest in Bosnia for alleged organized crime left him under house arrest. But his wife's Instagram posts flaunted her designer outfits against the Dubai skyline. These posts, showcasing the distinctive pools and landmarks of Burj Khalifa, the world's largest skyscraper, gave Bellingcat a vital clue.
Bellingcat's team started their investigation by identifying the unique pools and surrounding skyscrapers seen in her photos, confirming the location as the Burj Khalifa. Next, they analyzed perspective angles from the photos to narrow down the floor level, using visible landmarks as reference points. Creating a 3D model of the famous skyscraper using Blender, an open-source software, allowed Bellingcat to match the exact views from the Instagram posts. By tracing perspective lines and finding the eye level, they pinpointed the floor level with remarkable accuracy. Their investigation established Kadric as a renter in the Burj Khalifa, thus exposing a connection to their investigation into dirty money in Dubai real estate. This geolocation work was a crucial piece of the puzzle in uncovering financial misdeeds. So next time you're on a digital detective mission, remember, Instagram, perspective angles, and a 3D model can lead you to the truth. And if you're up to no good, you may want to remind your loved ones to cut back on posting pics to social media.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes, or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben, our executive editor is Brandon Karpf. Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

[MUSIC]

On September 18th and 19th in Denver, a tight community of leading experts is gathering to tackle the toughest cybersecurity challenges we face. It's happening at mWISE, the unique conference built by practitioners for practitioners. Brought to you by Mandiant, now part of Google Cloud, mWISE features one-to-one access with industry experts and fresh insights into the topics that matter most, right now, to frontline practitioners. Register early and save at mwise.io/cyberwire. That's mwise.io/cyberwire.

[MUSIC]