CyberWire Daily - A Black Basta update. Okta talks Scatter Swine. Nobelium's MagicWeb. Wartime stress in the cyber underworld. LastPass security incident. CISA adds to its Known Exploited Vulnerabilities Catalog.
Episode Date: August 26, 2022
Palo Alto describes the Black Basta ransomware-as-a-service operation. Okta on Scatter Swine, the threat actor that compromised Twilio. Microsoft describes Nobelium's new approach to establishing persistence. Russia's war against Ukraine has induced stresses in the cyber underworld. LastPass discloses a security incident. Josh Ray from Accenture on cyber crime and the cost-of-living crisis. Our own Dave Bittner sits down with Chris Handman from TerraTrue to discuss how he works to transform legal teams into advocates and collaborators that can ensure privacy is baked in every step of the way. And CISA adds ten entries to its Known Exploited Vulnerabilities Catalog. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/165
Selected reading.
Threat Assessment: Black Basta Ransomware (Palo Alto Networks Unit 42)
MagicWeb: NOBELIUM's post-compromise trick to authenticate as anyone (Microsoft Threat Intelligence Center)
Microsoft Uncovers New Post-Compromise Malware Used by Nobelium Hackers (The Hacker News)
Microsoft: Russian hackers gain powerful 'MagicWeb' authentication bypass (ZDNET)
Detecting Scatter Swine: Insights into a relentless phishing campaign (Okta Security)
Twilio hackers hit over 130 orgs in massive Okta phishing attack (BleepingComputer)
Twilio says breach also compromised Authy two-factor app users (TechCrunch)
How the war in Ukraine is reshaping the dark web (New Statesman)
Notice of Recent Security Incident (The LastPass Blog)
LastPass Says Source Code Stolen in Data Breach (SecurityWeek)
LastPass developer systems hacked to steal source code (BleepingComputer)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Palo Alto describes the Black Basta ransomware as a service operation.
Okta on Scatter Swine, the threat actor that compromised Twilio.
Microsoft describes Nobelium's new approach to establishing persistence.
Russia's war against Ukraine has induced stresses in the cyber underworld.
LastPass discloses a security incident.
Josh Ray from Accenture on cybercrime and the cost of living crisis.
Our own Dave Bittner sits down with Chris Handman of TerraTrue to discuss how he works to transform legal teams into advocates and collaborators to ensure that privacy is baked in every step of the way.
And CISA adds 10 entries to its Known Exploited Vulnerabilities Catalog.
From the CyberWire studios at DataTribe, I'm Trey Hester filling in for Dave Bittner with your CyberWire summary for Friday, August 26, 2022.
Researchers at Palo Alto Networks have published a description of the operations of Black Basta,
a ransomware-as-a-service operation that emerged in April of this year and has since become one of the more active threats.
The report states, quote, continue to attack and extort organizations. End quote.
Black Basta is a cross-platform double extortion threat. Its criminal users have been active against what Palo Alto characterizes as large organizations. The targets are found across a wide range of sectors: consumer and industrial products, energy, resources and agriculture, manufacturing, utilities, transportation, government agencies, professional services and consulting firms, and realtors.
Chatter in underground fora by operators of the ransomware has shown a particular interest in the Five Eyes, that is, Australia, Canada, New Zealand, the United Kingdom, and the United States, but attacks have been observed in the U.S., Germany, Switzerland, Italy, France, and the Netherlands.
Group-IB called the campaign 0ktapus, since one of the threat actor's principal goals in compromising Twilio was to obtain credentials for Okta's identity and access management software.
Twilio, a widely used provider of programmable communication tools,
detected the social engineering campaign on August 7th and provided an update on the 24th.
Okta has since described the campaign, and they're tracking the threat actor as Scatter Swine.
Okta has seen Scatter Swine before.
Quote, Scatter Swine has directly targeted Okta via phishing campaigns on several occasions,
but was unable to access accounts due to the strong authentication policies that protect access to our applications. End quote.
Using logs provided by Twilio, Okta's security team, quote,
established that two categories of Okta-relevant mobile phone numbers and one-time passwords
were viewable during the time in which the attacker had access to the Twilio console.
A one-time passcode is valid for five minutes.
End quote.
They determined that there had been two categories of threat activity.
First, a primary category: those mobile phone numbers the threat actor searched for directly in the Twilio console. In these cases, the threat actor was seeking to expand access using credentials stolen in earlier attacks.
A secondary category: mobile phone numbers that can be considered incidental to the specific actions or objectives of the threat actor. That is, these were phone numbers that may have been present in the Twilio portal during the threat actor's limited activity window. Okta's analysis reveals no indication that the threat actor targeted or used such mobile phone numbers.
Okta's account includes a lengthy discussion of the tactics, techniques, and procedures Scatter Swine used, and these are interesting for what they reveal about the conduct of a social engineering attack, about the way in which intelligent use of phish bait and convincing voice impersonation combine with commodity phishing kits to harvest user credentials. They also include advice on how an organization can protect itself. Quote, use behavior detection to act via step-up authentication or alert via system log when a user's sign-in behavior deviates from a previous pattern of activity. This threat actor is almost always attempting to authenticate from a new device and a new IP address that has no previous association with the user, end quote.
Microsoft researchers have described how Nobelium,
the Russian state threat actor more commonly known as Cozy Bear, that is, the SVR Foreign
Intelligence Service, maintains persistence in compromised environments. Nobelium is engaged
in cyber espionage, quote, executing multiple campaigns in parallel targeting government organizations,
non-governmental organizations, intergovernmental organizations,
and think tanks across US, Europe, and Central Asia, end quote.
It's deploying a new toolkit Microsoft calls MagicWeb to maintain persistence in the face of attempts to evict it from compromised networks.
Quote, MagicWeb is a malicious DLL that allows manipulation of the claims passed in tokens generated by an Active Directory Federation Services server. It manipulates user authentication certificates used for authentication, not the signing certificates used in attacks like Golden SAML. End quote.
Microsoft concludes its advisory with some guidelines for hunting MagicWeb infestations, and it strongly recommends that organizations accord AD FS servers appropriate protection. Quote, it's critical to treat your AD FS servers as a tier zero asset, protecting them with the same protections you would apply to a domain controller or other critical security infrastructure. End quote.
An essay in The New Statesman describes the ways in which the special military operation has produced fissures in the criminal precincts of the dark web.
The report cites observations by researchers at security firm ZeroFox, whose Adam Darrah says that the code of criminality which has generally governed behavior in Russophone fora had been stressed to the breaking point by the war.
Darrah explained, quote, you're not allowed to develop tools or sell embarrassing information that could hurt any nation in the Commonwealth of Independent States, a group made up of former Soviet republics, end quote.
The gangs had operated under a modus vivendi, guaranteed by Russian official toleration and protection. Conti's public declaration for Russia's cause in the early days of the war fractured the consensus under which the criminal gangs had conducted business. Criminals have intensified their activities, and that activity increasingly mirrors the political conflicts in the open, above-ground world.
LastPass, whose password manager is widely used by both individuals and organizations,
disclosed yesterday that an unauthorized party accessed a portion of the company's development environment.
The intruder gained access through a compromised developer account and was able to take portions of source code and some proprietary LastPass technical information. LastPass says its customers' accounts remain secure and that its services are operating normally. The company says it has contained the incident, is working on mitigation, and will keep customers apprised of developments. Proper caution would advise enabling multi-factor authentication on LastPass accounts if you haven't already done so.
And finally, the U.S. Cybersecurity and Infrastructure Security Agency, or CISA,
yesterday added 10 new vulnerabilities to its Known Exploited Vulnerabilities Catalog,
based on evidence of active exploitation in the wild.
U.S. federal civilian executive agencies have until September 15th
to search for and remediate this most recent set of vulnerabilities. The prescribed remediation is, as is normally the case,
to apply the vendor-supplied updates.
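The behavior detection Okta recommends in the Scatter Swine segment above, shown as a small worked example. This is an added illustration written for this page, not code from Okta or from the episode, and the sign-in records it processes are constructed sample data. It models the rule Okta describes: a user signing in from both a new device and a new IP address with no prior association to that user gets step-up authentication; a sign-in that is new on only one of those dimensions raises an alert. A failed or un-stepped-up attempt must not teach the profile, otherwise the attacker's device and IP become "known" after one try.

```python
"""Behavior-detection sketch for sign-in events.

Added example, not part of the original episode or Okta's tooling.
The records below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SignIn:
    user: str
    device_id: str      # device fingerprint / bound cookie identifier
    ip: str
    outcome: str        # "SUCCESS" or "FAILURE" for the password step
    mfa_ok: bool = False  # True when a step-up challenge was satisfied


@dataclass
class UserProfile:
    devices: set = field(default_factory=set)
    ips: set = field(default_factory=set)

    def is_empty(self) -> bool:
        return not self.devices and not self.ips


def classify(event: SignIn, profile: UserProfile) -> str:
    """Return BOOTSTRAP, ALLOW, ALERT, or STEP_UP for one event.

    STEP_UP is the pattern Okta attributes to Scatter Swine: both a device
    and an IP address with no previous association to the user.
    """
    if profile.is_empty():
        return "BOOTSTRAP"          # first sign-in ever; nothing to compare to
    new_device = event.device_id not in profile.devices
    new_ip = event.ip not in profile.ips
    if new_device and new_ip:
        return "STEP_UP"            # act: require a phishing-resistant factor
    if new_device or new_ip:
        return "ALERT"              # alert via system log, let it proceed
    return "ALLOW"


def run_detection(events):
    """Process events in order; returns (user, ip, verdict) per event."""
    profiles = defaultdict(UserProfile)
    decisions = []
    for ev in events:
        profile = profiles[ev.user]
        verdict = classify(ev, profile)
        decisions.append((ev.user, ev.ip, verdict))
        # Learn only from sign-ins that actually established trust: the
        # password succeeded, and any required step-up was satisfied.
        trusted = ev.outcome == "SUCCESS" and (verdict != "STEP_UP" or ev.mfa_ok)
        if trusted:
            profile.devices.add(ev.device_id)
            profile.ips.add(ev.ip)
    return decisions


# Constructed sample log: alice's normal use, then an attacker replaying a
# phished password from a device and IP never seen for her.
SAMPLE_EVENTS = [
    SignIn("alice", "dev-A", "203.0.113.5", "SUCCESS"),
    SignIn("alice", "dev-A", "203.0.113.5", "SUCCESS"),
    SignIn("alice", "dev-A", "198.51.100.7", "SUCCESS"),   # new IP, known device
    SignIn("alice", "dev-X", "192.0.2.44", "SUCCESS"),     # new device AND new IP
    SignIn("alice", "dev-X", "192.0.2.44", "SUCCESS"),     # retry: still unknown
    SignIn("bob", "dev-B", "203.0.113.9", "SUCCESS"),
]


def sample_verdicts():
    """Verdicts for SAMPLE_EVENTS, in order."""
    return [verdict for _, _, verdict in run_detection(SAMPLE_EVENTS)]


if __name__ == "__main__":
    for user, ip, verdict in run_detection(SAMPLE_EVENTS):
        print(f"{user:6} {ip:14} {verdict}")
```

The fourth and fifth records show why the learning rule matters: the attacker's second attempt from the same unknown device and IP is still challenged, because a sign-in that never passed step-up never became part of the user's known profile. A production rule would also want to age out stale devices and treat an IP as "known" at a coarser granularity than a single address, but the transcript does not describe those refinements and they are left out here.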
When we talk about user privacy, it's fair to say that in a lot of organizations,
there is, if not outright hostility, maybe low-level suspicions between the software
development team and the folks in legal.
Everyone's doing their jobs in good faith, of course, but sometimes they can find themselves
at odds. Chris Handman is co-founder and chief operating officer at TerraTrue, an organization
that's aiming to foster collaboration between the legal and software development teams
to make sure privacy is baked in every step of the way.
With the privacy landscape,
when you think about where we are today,
at least here in the United States,
we still are largely governed by a kind of free-for-all.
There is, as of today at least,
no federal privacy legislation to speak of.
There are a handful of state laws that have
recently come down the pike, starting first in California and sort of extending eastward into
Colorado and Virginia and a few others, about a half dozen states at this point.
And all of those states were taking their cues, not from Congress, but from the EU, which famously passed the GDPR, effective in 2018.
And what we are really dealing with today
is still this privacy revolution
that remains in its infancy.
Laws still are forming.
Privacy, when done properly,
is a motivation from companies
wanting to do the right thing
and understanding the processes, the cultures,
the mechanisms and tooling to be able to get privacy right.
And the only way you can really think about privacy
in this day and age, being able to keep pace
with a fast-moving iterative lifecycle of software development
is to, this is the phrase, shift left.
We know about the concept in the security space about shifting left,
moving regulation and testing and all sorts of scrutiny
further into the ideation and development cycle,
as opposed to this reactive, after products go out the door,
take a look.
I think privacy has historically occupied
this almost rightward tilt on that continuum.
It's a very reactive, very siloed type of discipline in the past.
And I think what companies have increasingly come to embrace
is this notion of shifting privacy left.
Some have called it privacy by design,
but I think that has sometimes this almost academic tone to it.
And I think what privacy needs to do and what a lot of companies are starting to recognize is move privacy from this siloed, compliance-heavy idea into sort of a forward thinking, how can we enhance the products from the get-go?
How can privacy be a component of the way we enhance and develop our products?
And that shift in thinking has already, I think you see at companies across the board,
developed richer, better privacy protective products. And in fact, you kind of see it now
manifest in really unique cultural ways. Look at Apple, for example, when they're advertising
iPhones, right? They are having national campaigns built around really one value prop, right?
This iPhone will protect your privacy.
And that is a unique change.
And I think the zeitgeist, the way we think about privacy, the way companies develop products.
enhance that privacy posture, to have more agility as new laws come down and have to adapt to new regulatory rules, having privacy built in this proactive shift left mentality is going to be a
really important way of guiding those future developments. You know, you're using the term
collaboration, which I like, but I can imagine that there are lots of organizations out there who,
from the developer's point of view, they look at the legal team as almost being adversarial.
You know, they're the one, the Department of No, throwing up roadblocks and speed bumps.
How do you execute that culture shift to make it a true collaborative effort?
It's a great point.
And I think one of the fears that I think most modern legal teams have
is that they're going to be viewed as the place that good ideas go to die.
And it is precisely that concern that I think is one of the biggest impediments
to developing the types of privacy programs that are effective and dynamic
and well-suited for today's environment.
And I think it begins with trust.
A legal team, a privacy team,
that goes into a product team or an engineering team
and starts reciting chapter and verse
about Article 39 of the GDPR
or some obscure subsection of the CPRA
is very unlikely to garner the types of trust.
You need to speak about privacy in terms of product
and the way privacy can enhance the product,
the goodwill, the types of proactive approaches
to the way we want to think about our consumers
that I think product people tend to want
to pride themselves on.
And it is a matter then of meeting them where they work.
That is both a virtual and a sort of physical manifestation.
It's trying to work in the same tools.
It's trying to go to those stand-ups,
trying to be involved in those specs or Confluence docs
or wherever they happen to be iterating on these concepts.
And then gradually creating that culture that says,
hey, my role here isn't to veto. It's not to flyspeck what you're doing. It's to really help you
understand perhaps unintended or unseen consequences of using a type of data.
There's a lot of uncertainty around even what data we are using. It's remarkable when you
start talking to some product folks, they may not even appreciate
all the types of data that is being collected, or may not appreciate that this is data that
can actually be repurposed to specifically target individuals.
And so there's an educational process.
And as you begin to talk in those pragmatic terms, I think those teams come to appreciate the value that legal
and privacy teams can impart to the way they build their products. But that's really, the emphasis is
on building products as opposed to checking them off for going through a regulatory box checking
exercise. And so it's a matter of tone, it's a matter of culture, it's a matter of emphasis.
But I think when you combine those, the privacy teams have a very unique ability
to become players in that development process.
And if you can't do that,
then the whole concept of shifting left
or privacy by design
or whatever rubric you want to put this under,
it becomes completely illusory.
And you really do then default to the old world
of just privacy as being this sort of compliance checkbox.
That's Chris Handman from TerraTrue. There's a lot more to this conversation. If you want to hear more, head on over to CyberWire Pro and sign up for Interview Selects, where you'll get access to this and many more extended interviews.
And joining me once again is Josh Ray. He is the Managing Director and Global Cyber Defense Lead at Accenture. Josh, always great to welcome you back.
Dave, thanks so much for having me.
You know, we are not in a bubble here in the cybersecurity world, and we're seeing headlines every day about how the price of everything is going up,
even extending to the war in Ukraine,
about how that can affect the cost of everyday goods.
I know this is something that you and your colleagues have been looking into here,
the true broad effect of the cost of cybercrime.
What can you share with us today?
Yeah, Dave, I think, you know, today the team and I,
and I was having a great conversation with a colleague of mine, Paul Mansfield, about this.
It's really, you know, along the lines of a public service announcement, right?
You know, this whole confluence of world events, you know, the fallout from the pandemic, the conflict in Ukraine.
And people, you know, I think across the board are really feeling the squeeze around this cost of living increase and some economic hardships.
And what we've noticed is, you know, similar to what we saw during the pandemic, where
we saw a whole new raft of cyber criminals focused on COVID fraud and really focused
on defrauding, you know, governments and organizations and using those as lures.
Now we're seeing that really starting to kind of pivot towards the end consumer. And we really just wanted to make sure that we are helping folks kind of raise
their awareness in that regard. What sort of things are you all tracking?
Well, you know, we're seeing a lot of things like opportunistic criminals have been targeting early
providers of say like rebates and refunds by distributing phishing campaigns that are really designed to trick victims into divulging things like, you know, personal and financial information.
And while, you know, this is obviously not a new thing and people get targeted by these types of things every day, it's really kind of targeting on the heartstrings or the emotional effects of the economic hardships and kind of the cost of living increases.
So we've seen things like, you know, cheap fuel cards, stolen gift cards, loyalty cards,
really focused on making sure that, you know, they are, again, focused on that emotional component
to really kind of elicit the quick response, the knee-jerk response from the consumer
to trick them into obviously giving up their financial information.
Yeah, and I guess it's worth pointing out that anyone can fall victim to this. We all have
emotions, and it's easy for all of us in the fast-paced world in which we live. Nobody's immune
to falling for these sorts of scams that can hit you emotionally. And as you say, they do it quickly.
That's correct. Yeah. And I think it's kind of a very much of a point in time type of thing,
right? So, you know, you imagine yourself, you're, you know, trying to make ends meet and you're
getting ready to go to the gas pump and, you, and you get targeted by one of these things.
Of course, you're going to potentially click on a link or try to find out how you can save a few bucks.
really kind of incumbent upon the security community as a whole, just to make sure that,
you know, people are taking a step back and just being aware that there are criminals out there that are taking advantage of folks. And we just want to make sure that, you know,
this whole notion of buyer beware, both for businesses and consumers to really stay vigilant.
Yeah. It's a good reminder that, you know, those of us who are
in this every day to reach out to our friends, our family, our coworkers, our colleagues,
even our kids, and remind them that those folks are out there.
No, that's absolutely right. And we do become, you know, as security professionals, very callous. And
I think, you know, we just accept this kind of as the norm.
But, you know, I do think we have a responsibility to make sure that, you know, the broader people that we're involved with on a day-to-day basis are aware of these types of scams or aware of these types of phishing attacks and know that, you know, there's bad people out there that are trying to take advantage of it.
Yeah.
All right.
Well, good advice as always.
Josh Ray, thanks for joining us.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out this weekend's episode of Research Saturday, where our own Dave Bittner sits down with Nick Ascoli from Foretrace to discuss their partnership with PIXM and their team's work on phishing tactics, how a threat actor stole one million credentials in four months.
That's Research Saturday.
Check it out. The CyberWire podcast
is proudly produced in Maryland
out of the startup studios
of DataTribe,
where they're co-building
the next generation
of cybersecurity teams
and technology.
Our amazing CyberWire team
is Elliot Peltzman,
Brandon Karp,
Eliana White,
Puru Prakash,
Liz Ervin,
Rachel Gelfand,
Tim Nodar,
Joe Kerrigan,
Pearl Theriault,
Ben Yellen,
Nick Veliky,
Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Eiben,
Rick Howard, Peter Kilpe,
and I'm Trey Hester,
filling in for Dave Bittner.
Thanks for listening.
We'll see you back here next week.