Cybersecurity with Craig Petronella - CMMC, NIST, DFARS, HIPAA, GDPR, ISO27001

Unraveling BlackTech: A Deep Dive into Advanced Persistent Threats and Network Security

October 03, 2023 Craig Petronella

What if you had a front-row seat to one of the most riveting stories in cybersecurity today? Join us as we unravel the story of the Chinese state-sponsored Advanced Persistent Threat, BlackTech, and their exploitation of the Cisco zero-day CVE-2023-20109. We dissect their strategy of modifying router firmware on Cisco routers, maintaining a stealthy persistence, and pivoting from international subsidiaries to headquarters in Japan and the U.S. We also shed light on their target: branch routers and the abuse of trusted relationships within corporate networks. In addition, we touch on the recent ransomware attack that Johnson Controls faced and the FBI's warning about dual attacks with diverse ransomware variants.

As we navigate the dense terrain of cybersecurity, we promise to enlighten you on network segmentation, a crucial measure for enhanced security and cost savings. We will guide you on creating network enclaves to handle sensitive information securely and discuss the benefits of firewall and switch segmentation for absolute separation of network communications. Furthermore, we emphasize the importance of adhering to the latest security standards like CMMC for better compliance. This episode is a goldmine of practical solutions for network security, making it essential for anyone who lives in the digital world. Stay tuned for this enlightening experience on the pressing issues in cybersecurity today.


Speaker 1:

Good morning. Today is September 27th, 2023. This is your host, Craig Petronella. We're going to do a little bit of a different spin on our typical podcasts. We're going to give you the highlights of the latest and greatest in cybersecurity and compliance news.

Speaker 1:

Today we have a Cisco zero-day CVE-2023-20109 exploit, which is from a Chinese state-sponsored APT or Advanced Persistent Threat called BlackTech. It's been caught hacking into network edge devices using firmware implants to stay hidden and silently hop around corporate networks of the United States and Japanese multinational companies. Now they've said that the hackers had to have had elevated privilege, but it's important to note that this is why you should have logging and a SIEM solution that is constantly being monitored by either a security operations center or staff on your team of cybersecurity experts. If you have them in-house, you should always be knowing who's logging in and trying to attempt to exploit old administrative credentials or root credentials. But according to a high-powered joint advisory from the NSA, the FBI, CISA and Japan's NISC, BlackTech has been observed modifying router firmware on Cisco routers to maintain a stealthy persistence and pivot from international subsidiaries to headquarters in Japan and the United States, specifically upon gaining an initial foothold into a target network and gaining admin access to network edge devices. The BlackTech cybertech bad actors are often modifying the firmware to hide their activity across the edge devices and to further maintain persistence in the network. To extend their foothold across an organization, BlackTech attackers are targeting branch routers, which are typically the smaller appliances that are used at remote branch offices that are smaller edge networks to extend access to corporate. They're abusing the trusted relationships of the branch routers within the corporate networks that they're targeting. The attackers are then using compromised public-facing branch routers as part of their infrastructure for proxying traffic, blending in with corporate network traffic. So it's harder for the cybersecurity or SOC teams to identify. So BlackTech has been active since about 2010. They're a prolific Chinese APT that specifically targets government, industrial, technology, media, electronics and telecommunications, including militaries of the US and Japan. They've traditionally used custom malware tools and living-off-the-land tactics, such as disabling the logging on the routers themselves, to cover their tracks.

Speaker 1:

So if you've got any comments around this, please PM us or send us an email. But as far as my perspective on this, I'm Cisco certified. I'm a big supporter of Cisco as a company. However, I do think that in the past or the recent year, Cisco has really priced themselves into the mid enterprise market and essentially made themselves unaffordable for most small businesses. But I wanted to highlight the fact that with Cisco and some other companies, you have to have a subscription to get their latest and greatest updates. And if you have an older product and you don't get the updates, that's called a legacy product, and that legacy product is a risk to your network. And so, if you think about that for a minute, what devices on your network are legacy and are unable to be patched? Because those devices are going to be the ones that hackers are going to target. In regards to Cisco, if you don't have that active subscription, you're not going to get the latest patches. So it's important that when choosing a vendor, you have to look at not just the hardware and the software costs but also the costs for the maintenance. And if your business can't afford the maintenance or isn't able to keep the maintenance active, then you really shouldn't be running that equipment on your network, because it's just a matter of time before it's going to be exploited. And that goes for any company, not just Cisco. So you want to choose a company that is well-rounded and is affordable for your business and your needs.

Speaker 1:

There's another advisory that was released in regards to Johnson Controls and ransomware. So Johnson Controls confirmed that they got hit with a disruptive cyber attack, and a ransomware group claimed that they stole 27 terabytes of information. Now we talked about ransomware in the past. Ransomware is malware that basically encrypts your computer systems and scrambles your data in an encrypted method so that you can't access it, in exchange for a ransom payment from the bad actors. Now you can recover from a ransomware attack without paying the ransom if you have strong data backup, disaster recovery and business continuity. Others like to drop ransomware or attempt to exploit ransomware onto a victim because they know that most cannot recover. They know that most are not doing the testing around their disaster recovery plan. They're not testing their tabletop exercises and penetration testing and finding gaps in their networks to cover themselves. They know that most people are not doing all this extra work to protect their companies, so they know it's easy to get ransomware into their network and force them to pay. So that's really why ransomware is such a hot topic now.

Speaker 1:

But bringing this back to Johnson Controls and their attack, they did confirm that they got hit. They have filed an 8-K form with the Securities and Exchange Commission that basically said that some of its internal IT and applications were disrupted as a result of the cybersecurity incident. They're launching an investigation to figure out what the root cause is. They're saying that mostly, their company and their applications are largely unaffected and remain operational. However, they are following their business continuity plan and implementing workarounds for certain operations to mitigate disruptions and continuing to service their customers. However, they have said that they've expected to continue with delays and finding different ways to do things until they get recovered. So they're also saying that this group that claims responsibility is called the VX underground and they're known as the Dark Angels behind the attack. They've claimed to have stolen 27 terabytes of data from the company system and they're holding it ransom to see if Johnson Controls can recover without it or, ideally, pay them. That's what they want. They want the money to be able to exchange for that data back.

Speaker 1:

What the FBI has released recently is what's called a dual attack, where the bad actors will attack somebody like Johnson Controls with a certain variant of ransomware, most commonly the following, which would be AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum or Royal. Those are the top variants that are being deployed in various combinations in what's called a dual ransomware attack. So they're saying that they hit a victim with one of these variants and then, between two and 10 days later, they hit them again with a different variant. They're saying that they're also using custom data theft, wiper tools and malware to put pressure on the victims to pay up. So the double hit punch approach is basically a way to speed up. It's a catalyst to get their victims to pay faster. They're saying that the dual ransomware variants resulted in a combination of data encryption, exfiltration and financial losses from the ransomware payments.

Speaker 1:

Second ransomware attacks against an already compromised system could significantly harm the victim entities. So it's worth noting that dual ransomware attacks are not an entirely new phenomenon. They've been detected as early as May of 2021. Last year, Sophos revealed that an unnamed automotive supplier got hit with a triple ransomware attack, which comprised LockBit, Hive and BlackCat, over a span of just two weeks between April and May of '22. Earlier this month, Symantec detailed a 3AM ransomware attack targeting an unnamed victim following an unsuccessful attempt to deliver LockBit in the target. The shift in tactics boils down to several contributing factors, including the exploitation of the two-zero-day, I'm sorry, including the exploitation of zero-day vulnerabilities and proliferation of initial access brokers and affiliates in the ransomware landscape who can resell access to victim systems and deploy various strains in quick succession.

Speaker 1:

Organizations are advised to strengthen their defenses by maintaining offline backups, monitoring external remote connections and remote desktop protocol or RDP use, enforcing phishing-resistant MFA or multi-factor authentication, auditing user controls, auditing user accounts and segmenting networks to prevent the spread of ransomware. So we talked about different types of data backup, disaster recovery and business continuity solutions in the past. We've talked about software-as-a-service solutions. They do make solutions that cover Microsoft's ecosystem in Microsoft 365, because, as you know, Microsoft and a lot of the big vendors don't back up your systems. So you have to use these third-party tools to back up your data, and then you need to do the tabletop exercises and the pen testing to test and make sure that you can recover and that all the data that you were hoping was being captured and backed up by your tools is actually happening. So we strongly advise doing that at least annually.

Speaker 1:

They talked about security hardening around remote desktop protocol. Back in 2013, it was really common for ransomware actors to drop their payloads through the RDP port 3389. A simple solution back in 2013 was to simply block port 3389, and ideally, in a perfect world, block all of the ports and require the use of the VPN. That's still common today where, if you can on your network, block all the ports, don't open any ports, don't use any access control lists and force the usage of a VPN. That is the best security hardening methodology. But again, you can't rely on one thing to protect your network. Obviously, that's just one small layer. You still want to do the other functions that just have systems in place to back up your data and test those systems with the exercises that we talked about.

Speaker 1:

They talked about enforcing MFA. Obviously, multi-factor authentication or MFA is super common these days and even required by cybersecurity insurance providers and other risk profile or risk-aware vendors. So if you have the capability, you definitely want to leverage it. If you don't have the capability, you should explore options on how you can add that capability into your systems, to add that additional layer of protection. And ideally you want to use MFA systems that are token-based on a software authentication app or a hardware proximity token or a combination thereof. Try to avoid cell phone one-time PIN usage, because then that subjects you to some type of SIM swap attack.

Speaker 1:

Obviously, you want to audit your users and who's on your networks. If you're using Microsoft Active Directory, you want to make sure that you're deleting and/or disabling any unneeded or unused accounts, especially in the admin or administrators group. You, as a best practice, want to disable the administrator account or give it a really long, complex password and don't use it. It's better to assign administrators to certain people in your company and only give admin access to those that absolutely need it, and for a temporary period of time if possible, and you want to have checks and balances as well. So you don't want to have just one administrator in your company. You should have another person, so they kind of, you know, help each other and they work together for you and there's redundancy there.

Speaker 1:

Segmenting your networks, that is where you can. We talked about enclaves in the past. Enclaves are a segment of your network where you handle sensitive information, and you security harden those systems and they're separate from the rest of the network. So that's what segmentation is, and it's a networking capability on your firewall as well as your switching with VLANs, where you can completely separate the network communications so there's no spillover onto the main network. That helps greatly with security and also makes it more affordable for companies to adopt and comply with the latest security standards, like CMMC. So that's your top news for the day in cyber and compliance. So I hope you enjoyed this different approach, and let us know in the comments or send us a message, and we'll continue carrying on for next week. Thank you, guys.
