CyberWire Daily - A creepy new geolocation payload for Smoke Loader. Speed of criminal attack, malware delivery, and the evolution of malicious AI. Ransomware at a Belgian social services agency.
Episode Date: August 23, 2023
The Smoke Loader botnet has a creepy new payload. Ransomware gets faster. How AI has evolved in malicious directions. The Snatch ransomware gang threatens to snitch. The FSB continues to use both USBs and phishing emails as attack vectors. A ransomware attack shutters Belgian social service offices. Tim Starks from the Washington Post explains a Biden administration win in a DC court. Our guest Ben Sebree of CivicPlus describes how the public sector could combat cybercrime during cloud adoption. And the deadline for comment on US cybersecurity regulations? It's been extended.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/161
Selected reading.
Smoke Loader Drops Whiffy Recon Wi-Fi Scanning and Geolocation Malware (SecureWorks)
Time keeps on slippin' slippin' slippin': The 2023 Active Adversary Report for Tech Leaders (Sophos News)
HP Wolf Security Threat Insights Report Q2 2023 | HP Wolf Security (HP Wolf Security)
Barracuda XDR Insights: How AI learns your patterns to protect you (Barracuda)
Deep Instinct Study Finds Significant Increase in Cybersecurity Attacks Fueled by Generative AI (Deep Instinct)
Cyberattack on Belgian social service centers forces them to close (Record)
Ukraine's Military Hacked by Russian Backed USB Malware (Ophtek)
Request for Information on Cyber Regulatory Harmonization; Request for Information: Opportunities for and Obstacles To Harmonizing Cybersecurity Regulations (Federal Register)
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
The Smoke Loader botnet has a creepy new payload.
Ransomware gets faster.
How AI has evolved in malicious directions.
The Snatch ransomware gang threatens to snitch.
The FSB continues to use both USBs and phishing emails as attack vectors.
A ransomware attack shutters Belgian social service offices.
Tim Starks from the Washington Post explains a Biden administration win in a D.C. court. Our guest, Ben Sebree of CivicPlus, describes how the public sector could combat cybercrime during cloud adoption.
And the deadline for comment on U.S. cybersecurity regulations?
It's been extended.
I'm Dave Bittner with your CyberWire Intel briefing for Wednesday, August 23rd, 2023. Smoke Loader may be a familiar name to many of you,
and the notorious botnet is back in the news today.
Secureworks this morning announced that Smoke Loader botnet
has been dropping a new malicious payload,
a custom Wi-Fi scanning executable.
SecureWorks is calling that executable Whiffy Recon,
and what it's after, apparently, is the geolocation of infected systems.
SecureWorks writes that it triangulates the infected system's position
using nearby Wi-Fi access points as a data point for Google's geolocation API.
This new activity was first observed on August 8th.
It's not yet known what Smoke Loader's criminal operators will do with the information,
but there are a number of possibilities.
The Wi-Fi data is scanned every 60 seconds and enriched with geolocation information.
SecureWorks speculates that demonstrating access to geolocation information could be used to intimidate victims or pressure them to comply with demands.
Imagine a text: I'd like to buy you a drink. In fact, I'd like to buy you the same drink you had at the Dew Drop Inn in Rabbit Hash, Kentucky at 11:47 p.m. Eastern Daylight Time last Friday.
We're kidding, of course.
There is no Dew Drop Inn in Rabbit Hash,
but Whiffy Recon is not a joke.
It's pretty creepy.
Check out SecureWorks' report
on this latest version of Smoke Loader
and take appropriate precautions.
Sophos' 2023 Active Adversary Report for tech leaders
has found that the speed of ransomware attacks has increased significantly since the beginning
of 2023. Sophos says, one key finding in the report is that the time available to respond
to a ransomware attack has dwindled to nearly half of what it was at the start of the year. The median dwell time
in ransomware attacks dropped from nine days in 2022 to just five days in the first half of 2023.
With adversaries accelerating the execution of their attacks, defenders have less time to detect
and stop them before files are encrypted. The report also found that in all types of attacks,
the average time to gain control of Active Directory
is just 16 hours.
HP Wolf Security has released
its quarterly Security Threat Insights report,
finding that Qakbot spam activity
spiked in the second quarter of 2023.
Wolf Security says, creative Qakbot campaigns saw
threat actors connecting different blocks together to create unique infection chains.
By switching up different file types and techniques, they were able to bypass detection
tools and security policies. 32% of the Qakbot infection chains analyzed by HP in the second quarter were unique. The
researchers also observed a multilingual malware campaign using several programming languages to
avoid detection. They say, firstly, it encrypts its payload using a cryptor written in Go,
disabling the anti-malware scanning features that would usually detect it. The attack then switches language to
C++ to interact with the victim's operating system and run the .NET malware in memory,
leaving minimal traces on the PC. Barracuda outlines the ways in which AI is being used
for malicious purposes. In addition to enabling attackers to craft convincing phishing emails,
AI can be used to automate evasive attacks. Barracuda says, command-line utilities powered
by AI can rapidly adapt to changes in a target's defenses, identify vulnerabilities, or even learn
from previous failed attempts to improve subsequent attacks. An early example of such a tool is WormGPT,
which is already being advertised on an underground forum and can be used by threat
actors to automate the generation of malicious scripts and commands and adapt them dynamically
to each specific target. Independently, Deep Instinct describes some of the ways in which
generative AI has begun to trouble security professionals.
They say, the top three generative AI threat issues include growing privacy concerns, undetectable phishing attacks, and an increase in the volume and velocity of attacks.
The best-known member of this new class of threat is WormGPT, now being traded in criminal-to-criminal underground markets.
Emsisoft researcher Brett Callow reports that the Snatch ransomware gang has begun telling
non-paying victims that the gang will give insurance companies details of how the attack
succeeded. The threat is that this knowledge will induce the underwriters to decide that the incident isn't covered.
It's a crude approach with little evident understanding of how insurance coverage works,
but it's novel and shows the determination of at least one gang to ratchet up the pressure on its marks.
The Charleroi branch of Belgium's social services agency, the Public Centre of Social Action,
the CPAS in its French acronym, closed its offices yesterday after sustaining what appears to be
a ransomware attack, according to Sudinfo. Only emergency services will be available until
remediation is complete, which is expected Thursday. Belgian organizations have recently sustained
ransomware attacks at roughly the typical Western European rate. The country is home to both NATO
headquarters and the capital of the European Union, but this incident seems to be a straightforward
criminal one. Older threats continue to gutter on in Russia's hybrid war against Ukraine.
Ophtek reports that the FSB's Shuckworm group is using both phishing emails and malicious USB drives as infection vectors in ongoing cyber espionage attempts against Ukrainian targets.
The typical payload carried in either method of delivery is Pterodo malware, a backdoor that's been in use for some time,
in Trend Micro's accounting at least since October 2019. And finally, you now have more
opportunities to tell the U.S. federal government how to put its regulatory house in better order.
The U.S. Office of the National Cyber Director has invited public comment on opportunities for and obstacles to harmonizing cybersecurity regulations per Strategic Objective 1.1 of the National Cybersecurity Strategy.
The challenge involved in understanding the implications of regulatory overlap is complicated, and ONCD has extended the deadline for comments from September 15th
to October 31st. You can submit your comments through regulations.gov and let ONCD know what
you think. Coming up after the break, Tim Starks from the Washington Post
explains a Biden administration win in a D.C. court.
Our guest, Ben Sebree of CivicPlus,
describes how the public sector could combat cybercrime
during cloud adoption.
Stay with us. Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews,
and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been
breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more
at blackcloak.io. Public sector organizations provide an attractive target for threat actors,
often combining critical missions like 911 services with limited budgets that come with
the territory. Ben Sebree is Senior Vice President of R&D at online platform provider
CivicPlus, and he joins us with thoughts on how public sector organizations
can better protect themselves. We kind of see a myriad of different cloud maturities or just
technology maturities within the public sector right now, especially in local government,
which is where most of our expertise is in. Starting in about the year 2000 with the pandemic,
there was a rush in local government in order to take all of these in-person
services and paper processes and turn them into a remote, friendly service industry, since we wanted
public safety and everything to really be at the top of mind for serving the residents of those
different municipalities. So there was a rush for cloud adoption from technologies that were more internally hosted,
more accessible outside of an office building or something like that, or were just very in-person.
So we see that there's a lot of cloud adoption that's happened over the last two years.
And then we've seen that a lot of those have been on a very rapid pace.
So really ensuring that we're doing good cloud practices from a security standpoint is pretty key for a government right now.
You know, we always hear that folks in the public sector in particular
come up against budget limitations.
What are your recommendations for them to balance that reality
against their security needs?
Absolutely.
Security is definitely something that is front of
mind when it comes to highly regulated industry, and public sector is very highly regulated.
There's a lot of sensitive information that governments can have. So really ensuring that
we're investing in keeping breaches from happening from a government standpoint is something that's pretty top of mind for not only local governments itself, but just there's a lot of interest from CISA and
other organizations to ensure that that infrastructure is secure, as well as it's
just something that we need to do to ensure that the residents of our country have their data
protected. What are your recommendations for these organizations to come at this?
And any tips or words of wisdom?
Absolutely.
So the biggest thing that we need to keep in mind when we're adopting cloud,
when it's something that we might have had as a manual paper process before,
or if it was something that we managed around servers beforehand,
we want to really make sure that we understand the shared responsibility model as it comes to CSPs or cloud service providers.
So the cloud service providers are really responsible for the security of the cloud, of the services that you're using.
But you, as a user of the cloud, are responsible for the security in the cloud.
So the applications that you're putting in the cloud, the data that you're storing in the cloud, and the configurations of those specific services are the responsibility
of the client of the CSP and not of the CSP itself. There's a lot of really great tools out there
that really help do some checking and auditing of those different systems to make sure that they are
set up correctly, but really understanding that it is a shared responsibility between both the CSP and the public sector who is leveraging that cloud
provider is probably the most key piece of advice that we can give to folks who are adopting cloud.
Do you find that there's some common misunderstandings there as people go down this path?
Absolutely. I think there's a lot of misunderstandings
around that specifically.
And some of that is around the cloud
and leveraging the cloud is really nice
because they manage so much for you.
The infrastructure upgrades to the infrastructure
and just constant R&D dollars
going into protecting the services
that are in the cloud.
And so it's really easy to just assume that they have 100% of that managed.
And so really, really kind of diving in and understanding what our responsibilities are
or what a client's responsibility is of leveraging the cloud
and that people are generally the weakest link in the security models that we have there
is really important for our municipalities as they go and adopt the infrastructure.
Yeah, it really sounds like there's almost a false sense of security that some people have.
Sometimes, yeah. And so that's why it's really important to make sure that we evangelize.
And as we go and do due diligence on the providers that we might be looking at leveraging,
we want to make sure that it's a very clear shared responsibility matrix
to where we know exactly what we're responsible for
and what exactly the cloud service provider is responsible for.
What are you tracking in terms of trends here?
I mean, are you finding that the maturity level continues to grow
and the gap between public sector and private
sector organizations? Are you seeing that narrow at all? Yeah, I think we definitely are. We're
seeing, especially with the pandemic and everything going remote, we're seeing a lot of
innovation that's happening within the public sector, specifically around creating those remote experiences or those online experiences for the residents of those municipalities.
And one piece of really interesting data that we have, and we can show correlation, we can't
show causality yet, is that residents trust their local governments more and more as more
and more digital services go online.
Now, it's a correlation right now.
And so it'll be interesting in the next few years
to see if it's actually a causation of digital services,
building that transparency and that trust
between residents and their local government.
Where do you suppose we're headed here?
As you look towards the horizon,
which sort of place do you suppose
these organizations are going to find themselves?
I think we're going to find that there's going to be a lot of adoption of different technologies
and innovations. And we're going to move more towards smart cities and the ability to self-serve,
especially as employment and just finding talent becomes harder and harder and a lot more expensive.
So we want to create those automations where possible and
those self-service ways that more tech-savvy individuals who are residents of those municipalities
want to engage with their government. Some folks want to go in person and engage with their
government that way, and some folks just really want to do it from the couch and be able to have
access to all the services. That's Ben Sebree from CivicPlus.
It is always my pleasure to welcome back to the show Tim Starks. He is the author of the
Cybersecurity 202 at the Washington Post. Tim, great to have you back.
Howdy, Dave.
So in today's 202, you are covering some wins here from the Biden administration
when it comes to their cyber agenda. What's going on here, Tim?
Yeah, so last year, the Treasury Department moved to sanction what's commonly referred to as
a cryptocurrency mixer, where the idea is that the nature of the transactions and who's moving
things around is obscured by this. And there's an argument that it's about privacy, but there's an
argument from the Treasury Department that this is actually about money laundering in this particular
case. And I think they calculated that $7 billion worth had been laundered there.
A significant percentage of which was transactions involving stolen cryptocurrency,
in particular from North Korea.
So they sanctioned this organization last year, said, you know,
Americans can't really do business with it.
And some folk who used the service decided to sue over this,
saying that it was a violation of First Amendment rights, a violation of Fifth Amendment rights,
and some other complaints. Now, this is the kind of thing that the administration has said in their
strategy that they really want to do, that they want to disrupt the flow of money, they want to
disrupt the nature of the operations of cyber gangs. And so this was an important kind of piece of what they want to be doing.
The lawsuit presented an obstacle for them. But in this particular case, a judge in Texas said,
not even going to go to trial with us. We're going to have a summary judgment to the Biden
administration. So pretty clear cut win for them, at least for now, because there's always the chance
for appeals and there's indications that there might be. But in terms of what they were trying to get done with these
kinds of sanctions, this is a win for them that's pretty significant. What was the argument they
were trying to make for being able to use this? And what did the judge take issue with?
Yeah, it's a roundabout sort of process with an Emergency Powers Act that the president has.
And if you recall, it's interesting that this is something that might have seemed insignificant to me at the
time, and I think people have joked about it, but there's this constant emergency declaration
that is being made on cyber by all administrations. They kind of renew it every year.
It's like, well, if all the time is an emergency, then what's it like when there's not an
emergency? Because it doesn't seem to be a
case where there isn't one. But in the case of the legal foundation, this is key because this gives
them some authority to go after entities, and this gets into some legal definitions of the nature of
an entity and the nature of a person. In this case, there's been an established bit of case law
and usage where the administration has said, no, we can go after these kinds of
entities. One of the complaints from the people who filed the suit, the plaintiffs, is that they
are not that kind of entity. They're not really associated in the way of a traditional organization
that could be defined this way. But the judge rejected that. So that's the start of the
foundation of what they're, the basis of the power. But then
they actually have some rebuttals to the idea that this was about First Amendment or Fifth Amendment.
And this organization is called Tornado Cash?
Correct. Yes, Tornado Cash. And a fairly prominent company, Coinbase, was a backer of this lawsuit.
Interestingly as well, the Electronic Frontier Foundation was a backer of this lawsuit on a different kind of cyber-ish related issue.
After these sanctions, there was a Tornado Cash project that was open source on GitHub, and GitHub took it down.
So the argument from Electronic Frontier Foundation is that this was actually going to make it harder for people to work on cyber issues and privacy issues.
That was also rejected.
Interesting.
Is this the final word or are these folks going to appeal?
It does look like they're going to appeal.
And one of the people who is, I think,
the top legal officer for Coinbase
had said that they're going to support an appeal.
Nothing's been decided yet,
but they were always of the mind
that this was probably going to need to go up the chain
of appeals to the appeals court. I want to touch on some other reporting that you've done. You and
your colleagues put out a survey looking at sort of the regulatory regime we find ourselves in here.
Can you share some of the insights you gained from that? Yeah, and this is very related to the
kind of thing that we're talking about today.
The administration has been, first off, they've had the strategy, the National Cyber Security Strategy, since earlier this year, but they've been working on it for a long time, and it reflected a lot of the work that they've already been doing.
So the administration came in with the idea, we're going to press a couple different things on cyber.
One is what we were just talking about with the sort of disruptive operations. And the other was to make a more regulatory push.
And there was a case with the Environmental Protection Agency where they had a setback in court over this.
So we talked about that in today's, but going back to the overall fundamental regulatory picture,
we had asked people back at the beginning of the Biden administration,
do we need to have more regulations in the cybersecurity?
Because there's always been this idea that it should be hands-off,
that it should be public-private cooperation.
Right. Move fast and break things.
You and I love that term because we've discussed it before
and how common it was for a while.
Well, the Biden administration still says they want to do that,
but they also are being more regulatory than any previous administration.
What we wanted to do was check in with people and say, okay, they've been in office for a year and a half plus, two years,
really, and a half plus. And let's see what people think about how they're doing on these regulations.
And we gave them the choices of not going far enough, hitting the sweet spot, essentially,
or going too far. And pretty close to a significant majority, pretty close to
a majority, I think it was 49% of the people we polled said not going far enough. And then another
significant percentage said hitting the right target. But if you look at the answers where
they get specific, it's a little bit more mixed than that, where some people say they're going
too far in some cases and not far enough in other cases. And then a pretty small percentage, I think it was close to 15% that said they're going too
far. So it was a little bit eye-opening because I wasn't sure, I thought it might be a different
kind of mix. I mean, I do think that probably our audience, by virtue of being a lot of cyber
experts, might place a different emphasis point on the need to go further than maybe some other
kinds of people might. If we just talk to the business community, I'm sure that the business community as a whole would say,
yeah, going too far, or at least some significant percentage of it would. But we also have business
groups on the answers. So it's not like they're not reflected there. It's just that I think that
the results might be a little skewed in terms of who are our audiences that we pull.
It's interesting, again, tying into our first story we talked about here,
how the administration is able to use the tools that it has,
like those emergency powers you mentioned,
to sort of get things done despite a dysfunctional Congress.
Yeah, and when we talk about the EPA case,
that's a case of them not having maybe the kinds of authorities that they need legally to do this.
And that might have been why they had hit the trouble they did.
If you look at what they're using, they're using the Clean Water Act.
And I would say even if you agree with their interpretation of that, it is a liberal interpretation.
And I don't mean liberal politically.
I mean it's an interpretation that is potentially stretching the boundaries of what the Clean Water Act should be able to do. So they have some authorities that are pretty clear-cut
and have not run into any legal trouble. I think the EPA one is the only one that has run into legal
trouble regulatory. And that's because it's on the outer edges. So there are some things that
the administration has said they would like to do, but they know they need more authority from
Congress. And the EPA one was one where they were looking at legislation for a pretty long time,
and then they said, well, let's just do it this way. And I think that getting help from Congress on
this is going to be difficult with Republicans controlling the House. They've pretty strongly
indicated that they don't want to help the administration on this. Right. All right. Well,
Tim Starks is the author of the Cybersecurity 202 at the Washington Post. Tim, thanks so much for
joining us.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
student offer that turns a feel-good moment into a feel-great moment. Students, get $100 when you open a no-monthly-fee RBC Advantage
banking account, and we'll give another $100 to a charity of your choice.
This great perk and more, only at RBC. Visit rbc.com slash get100
give100. Conditions apply. Ends January 31, 2025. Complete offer
eligibility criteria by March 31, 2025. Choose one of five eligible charities.
Up to $500,000 in total contributions.
And that's the CyberWire. For links to all of today's stories, check out
our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's
preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence
optimizes the value of your biggest investment, your people. We make you smarter about your team
while making your team smarter. Learn more at n2k.com. This episode
was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester with
original music by Elliott Peltzman. The show was written by our editorial staff. Our executive
editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you.
Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.