
October 3, 2023 16 mins


Join us as we unravel the story of BlackTech, a Chinese state-sponsored Advanced Persistent Threat, and its exploitation of the Cisco zero day CVE-2023-20109. We dissect the group's strategy of modifying firmware on Cisco routers to maintain stealthy persistence and pivot from international subsidiaries to headquarters in Japan and the U.S. We also shed light on its preferred target, branch routers, and the abuse of trusted relationships within corporate networks. In addition, we touch on the recent ransomware attack on Johnson Controls and the FBI's warning about dual attacks using different ransomware variants.

We also cover network segmentation as a measure for both security and cost savings: creating network enclaves that handle sensitive information, and using firewall and switch (VLAN) segmentation to isolate those communications from the rest of the network. Finally, we emphasize the importance of adhering to the latest security standards, such as CMMC. This episode is full of practical advice on network security for anyone responsible for a corporate network.

This is Encrypted Ambition—a podcast about the builders rewriting the rules. Join Petronella Technology Group as we decode the ideas, challenges, and momentum behind tomorrow’s business, technology, and leadership breakthroughs. 


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:06):
Good morning. Today is September 27th 2023. This is your host, Craig Petronella. We're going to do a little bit of a different spin on our typical podcasts. We're going to give you the highlights of the latest and greatest in cybersecurity and compliance news. Today we have a Cisco zero-day CVE-2023-20109 exploit, which is

(00:31):
from a Chinese state-sponsored APT or Advanced Persistent Threat called BlackTech. It's been caught hacking into network edge devices using firmware implants to stay hidden and silently hop around corporate networks of the United States and Japanese multinational companies. Now they've said that the hackers had to have had elevated

(00:53):
privilege, but it's important to note that this is why you should have logging and a SIEM solution that is constantly being monitored by either a security operations center or staff on your team of cybersecurity experts. If you have them in-house, you should always be knowing who's logging in and trying to attempt to exploit old administrative

(01:17):
credentials or root credentials. But according to a high-powered joint advisory from the NSA, the FBI, CISA and Japan's NISC, BlackTech has been observed modifying router firmware on Cisco routers to maintain a stealthy persistence and pivot from international subsidiaries

(01:39):
to headquarters in Japan and the United States, specifically upon gaining an initial foothold into a target network and gaining admin access to network edge devices. The BlackTech bad actors are often modifying the firmware to hide their activity across the edge devices and to

(02:00):
further maintain persistence in the network. To extend their foothold across an organization, BlackTech attackers are targeting branch routers, which are typically the smaller appliances that are used at remote branch offices, smaller edge networks, to extend access to corporate.

(02:21):
They're abusing the trusted relationships of the branch routers within the corporate networks that they're targeting. The attackers are then using compromised public-facing branch routers as part of their infrastructure for proxying traffic, blending in with corporate network traffic, so it's harder for the cybersecurity or SOC teams to identify. So BlackTech has been active since about 2010.

(02:47):
They're a prolific Chinese APT that specifically targets government, industrial, technology, media, electronics and telecommunications, including militaries of the US and Japan. They've traditionally used custom malware tools and living

(03:07):
off the land tactics, such as disabling the logging on the routers themselves, to cover their tracks. So if you've got any comments around this, please PM us or send us an email. But as far as my perspective on this, I'm Cisco certified. I'm a big supporter of Cisco as a company.

(03:29):
However, I do think that in the past or the recent year, Cisco has really priced themselves into the mid-enterprise market and essentially made themselves unaffordable for most small businesses. But I wanted to highlight the fact that with Cisco and some other companies, you have to have a subscription to get their

(03:52):
latest and greatest updates. And if you have an older product and you don't get the updates, that's called a legacy product, and that legacy product is a risk to your network. And so, if you think about that for a minute, what devices on your network are legacy and are unable to be patched?

(04:14):
Because those devices are going to be the ones that hackers are going to target. In regards to Cisco, if you don't have that active subscription, you're not going to get the latest patches. So it's important that when choosing a vendor, you have to

(04:34):
look at not just the hardware and the software costs but also the costs for the maintenance. And if your business can't afford the maintenance or isn't able to keep the maintenance active, then you really shouldn't be running that equipment on your network, because it's just a matter of time before it's going to be exploited. And that goes for any company, not just Cisco. So you want to choose a company that is well-rounded and is

(04:58):
affordable for your business and your needs. There's another advisory that was released in regards to Johnson Controls and ransomware. So Johnson Controls confirmed that they got hit with a disruptive cyber attack, and a ransomware group claimed

(05:20):
that they stole 27 terabytes of information. Now we talked about ransomware in the past. Ransomware is malware that basically encrypts your computer systems and scrambles your data in an encrypted method so that you can't access it, in exchange for a ransom payment to the

(05:43):
bad actors. Now you can recover from a ransomware attack without paying the ransom if you have strong data backup, disaster recovery and business continuity. Others like to drop ransomware or attempt to exploit ransomware

(06:05):
onto a victim because they know that most cannot recover. They know that most are not doing the testing around their disaster recovery plan. They're not testing their tabletop exercises and penetration testing and finding gaps in their networks to cover

(06:25):
themselves. They know that most people are not doing all this extra work to protect their companies, so they know it's easy to get ransomware into their network and force them to pay. So that's really why ransomware is such a hot topic now. But bringing this back to Johnson Controls and their

(06:45):
attack, they did confirm that they got hit. They have filed an 8-K form with the Securities and Exchange Commission that basically said that some of its internal IT and applications were disrupted as a result of the cybersecurity incident. They're launching an investigation to figure out what

(07:07):
the root cause is. They're saying that mostly, their company and their applications are largely unaffected and remain operational. However, they are following their business continuity plan and implementing workarounds for certain operations to mitigate disruptions and continuing to service their customers.

(07:28):
However, they have said that they expect to continue with delays and finding different ways to do things until they get recovered. So they're also saying that this group that claims responsibility is called the VX underground and they're known as

(07:52):
the Dark Angels behind the attack. They've claimed to have stolen 27 terabytes of data from the company system and they're holding it ransom to see if Johnson Controls can recover without it or, ideally, pay them. That's what they want. They want the money to be able to exchange for that data back.

(08:15):
What the FBI has released recently is what's called a dual attack, where the bad actors will attack somebody like Johnson Controls with a certain variant of ransomware, most commonly the following, which would be AvosLocker, Diamond,

(08:36):
Hive, Karakurt, LockBit, Quantum or Royal. Those are the top variants that are being deployed in various combinations in what's called a dual ransomware attack. So they're saying that they hit a victim with one of these variants and then between two to 10 days, they hit them again

(09:02):
with a different variant. They're saying that they're also using custom data theft, wiper tools and malware to put pressure on the victims to pay up. So the double-hit punch approach is basically a way to speed up. It's a catalyst to get their victims to pay faster.

(09:22):
They're saying that the dual ransomware variants resulted in a combination of data encryption, exfiltration and financial losses from the ransomware payments. Second ransomware attacks against an already compromised system could significantly harm the victim entities.

(09:43):
So it's worth noting that dual ransomware attacks are not an entirely new phenomenon. They've been detected as early as May of 2021. Last year, Sophos revealed that an unnamed automotive supplier got hit with a triple ransomware attack, which comprised LockBit, Hive and BlackCat, over a span of just two weeks

(10:08):
between April and May of '22. Earlier this month, Symantec detailed a 3AM ransomware attack targeting an unnamed victim following an unsuccessful attempt to deliver LockBit in the target. The shift in tactics boils down to several contributing factors

(10:31):
, including the exploitation of the two zero-day, I'm sorry, including the exploitation of zero-day vulnerabilities and the proliferation of initial access brokers and affiliates in the ransomware landscape who can resell access to victim systems and deploy various strains in quick succession.

(10:53):
Organizations are advised to strengthen their defenses by maintaining offline backups, monitoring external remote connections and Remote Desktop Protocol or RDP use, enforcing phishing-resistant MFA or multi-factor authentication, auditing user controls, auditing user accounts and segmenting

(11:14):
networks to prevent the spread of ransomware. So we talked about different types of data backup, disaster recovery and business continuity solutions. In the past, we've talked about software, software-as-a-service solutions. They do make solutions that cover Microsoft's ecosystem in Microsoft 365, because, as you know, Microsoft

(11:37):
and a lot of the big vendors, they don't back up your systems. So you have to use these third-party tools to back up your data, and then you need to do the tabletop exercises and the pen testing to test and make sure that you can recover and that all the data that you were hoping was being captured and backed up by your tools is actually happening.

(11:59):
So we strongly advise doing that at least annually. They talked about security hardening around Remote Desktop Protocol. Back in 2013, it was really common for ransomware actors to drop their payloads through the RDP port 3389.

(12:21):
A simple solution back in 2013 was to simply block port 3389, and ideally, in a perfect world, block all of the ports and require the use of the VPN. That's still common today where, if you can on your network, block all the ports, don't open any ports, don't use any access

(12:43):
control lists and force the usage of a VPN. That is the best security hardening methodology. But again, you can't rely on one thing to protect your network. Obviously, that's just one small layer. You still want to do the other functions: have systems in place to back up your data and test those systems with the

(13:04):
exercises that we talked about. They talked about enforcing MFA. Obviously, multi-factor authentication or MFA is super common these days and even required by cybersecurity insurance providers and other risk-aware vendors. So if you have the capability, you definitely want to leverage

(13:26):
it. If you don't have the capability, you should explore options on how you can add that capability into your systems, to add that additional layer of protection. And ideally you want to use MFA systems that are token based, on a software authentication app or a hardware proximity token or a combination thereof.

(13:46):
Try to avoid cell phone one-time PIN usage, because that subjects you to some type of SIM swap attack. Obviously, you want to audit your users and who's on your networks. If you're using Microsoft Active Directory, you want to make sure that you're deleting and/or disabling

(14:10):
any unneeded or unused accounts, especially in the admin or Administrators group. As a best practice, you want to disable the Administrator account or give it a really long, complex password and not use it. It's better to assign administrators to certain people

(14:33):
in your company and only give admin access to those that absolutely need it, and for a temporary period of time if possible, and you want to have checks and balances as well. So you don't want to have just one administrator in your company. You should have another person, so they help each other and they work

(14:53):
together for you and there's redundancy there. Segmenting your networks, that is where you can... We talked about enclaves in the past. Enclaves are a segment of your network where you handle sensitive information, and you security harden those systems and they're separate from the rest of the network.

(15:15):
So that's what segmentation is, and it's a networking capability on your firewall as well as your switching with VLANs, where you can completely separate the network communications so there's no spillover onto the main network. That helps greatly with security and also makes it more

(15:36):
affordable for companies to adopt and comply with the latest security standards, like CMMC. So that's your top news for the day in cyber and compliance. I hope you enjoyed this different approach, and let us know in the comments or send us a message, and we'll continue carrying on for next week.

(15:56):
Thank you, guys.
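The episode's two router-side points, that you should be watching who logs in to your edge devices and that BlackTech is reported to disable logging on the routers it controls, come down to a small amount of detection logic on top of the syslog you are already collecting. The script below is an added example and is not from the podcast, Cisco, or the joint advisory. The log lines are constructed and only loosely modelled on Cisco IOS message mnemonics (LOGIN_FAILED, LOGIN_SUCCESS, CONFIG_I); the hostnames, the management subnet 10.10.0.0/24, the privileged account names and the 30-minute silence threshold are all assumptions. It raises an alert when a privileged account logs in (or fails to) from outside the management subnet, when a configuration change comes from outside that subnet, and when a device that was logging simply stops.

```python
"""Detection pass over router syslog (added example, not vendor code).

Flags: privileged logins from outside the management subnet, config changes
from outside it, and devices whose log stream has gone quiet, which is what
a router with logging disabled looks like from the SIEM's side.

All log lines below are constructed; message formats are only loosely
modelled on Cisco IOS mnemonics. Subnet, account names, hostnames and the
silence threshold are assumptions for the example.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

MGMT_NET = ipaddress.ip_network("10.10.0.0/24")      # assumed admin jump-host subnet
PRIV_USERS = {"admin", "root", "enable", "cisco"}    # assumed privileged account names
SILENCE = timedelta(minutes=30)                      # assumed "device went quiet" threshold

# "<iso-timestamp> <hostname> %FACILITY-SEVERITY-MNEMONIC: message"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) %(?P<fac>[A-Z_]+)-(?P<sev>\d)-(?P<mnem>[A-Z_]+): (?P<msg>.*)$"
)
USER_RE = re.compile(r"\[user: ([^\]]+)\]")
SRC_RE = re.compile(r"\[Source: ([^\]]+)\]")
CFG_RE = re.compile(r"by (?P<user>\S+) on \S+ \((?P<src>[^)]+)\)")


def parse(line):
    """Return a dict with ts/host/mnem/user/src, or None if the line is not syslog."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    ev["user"] = ev["src"] = None
    if ev["mnem"] in ("LOGIN_FAILED", "LOGIN_SUCCESS"):
        u, s = USER_RE.search(ev["msg"]), SRC_RE.search(ev["msg"])
        ev["user"] = u.group(1) if u else None
        ev["src"] = s.group(1) if s else None
    elif ev["mnem"] == "CONFIG_I":
        c = CFG_RE.search(ev["msg"])       # no match means a local console change
        if c:
            ev["user"], ev["src"] = c.group("user"), c.group("src")
    return ev


def outside_mgmt(src):
    """True if the source address is not in the management subnet (or unparseable)."""
    try:
        return ipaddress.ip_address(src) not in MGMT_NET
    except (ValueError, TypeError):
        return True  # a login event with no usable source is itself suspicious


def analyze(lines, now):
    """Return (host, alert_kind, user, src) tuples for the given log lines."""
    alerts, last_seen = [], {}
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        last_seen[ev["host"]] = max(ev["ts"], last_seen.get(ev["host"], ev["ts"]))
        if ev["mnem"] in ("LOGIN_FAILED", "LOGIN_SUCCESS"):
            if ev["user"] in PRIV_USERS and outside_mgmt(ev["src"]):
                alerts.append((ev["host"], f"priv-{ev['mnem'].lower()}-external",
                               ev["user"], ev["src"]))
        elif ev["mnem"] == "CONFIG_I" and ev["src"] is not None and outside_mgmt(ev["src"]):
            alerts.append((ev["host"], "config-change-external", ev["user"], ev["src"]))
    # A router that used to log and has been silent longer than SILENCE is an alert
    # in its own right: an actor who disables logging produces exactly this gap.
    for host, ts in last_seen.items():
        if now - ts > SILENCE:
            alerts.append((host, "log-silence", None, None))
    return alerts


# Constructed sample input: one branch router being worked from an outside
# address, one doing normal maintenance, and one that has gone quiet.
SAMPLE_LINES = [
    "2023-09-27T08:00:10Z branch-rtr-2 %SYS-5-RESTART: System restarted --",
    "2023-09-27T10:01:02Z branch-rtr-1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] "
    "[Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed]",
    "2023-09-27T10:01:40Z branch-rtr-1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] "
    "[Source: 203.0.113.9] [localport: 22]",
    "2023-09-27T10:02:15Z branch-rtr-1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (203.0.113.9)",
    "2023-09-27T10:03:00Z branch-rtr-1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] "
    "[Source: 10.10.0.5] [localport: 22]",
    "2023-09-27T10:05:00Z branch-rtr-1 %SYS-5-CONFIG_I: Configured from console by netops on vty1 (10.10.0.5)",
    "2023-09-27T10:05:30Z hq-core-1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.10.0.7)",
]
NOW = datetime(2023, 9, 27, 10, 30, tzinfo=timezone.utc)  # assumed "current" time

if __name__ == "__main__":
    for host, kind, user, src in analyze(SAMPLE_LINES, NOW):
        print(f"{host:14} {kind:30} user={user} src={src}")
```

On the constructed input this reports three alerts for branch-rtr-1 (the failed and then successful admin login from 203.0.113.9 and the configuration change that followed) and a log-silence alert for branch-rtr-2; the netops work from 10.10.0.5 and the admin change on hq-core-1 from inside the management subnet produce nothing. The silence check is the one most people skip: it needs a baseline of which devices normally log, and a real deployment would also want to confirm on the device that logging is still configured and that the running image still matches the vendor's published hash, since a modified firmware can lie to the SIEM as easily as it can lie to the operator.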