CyberWire Daily - A cyberespionage operation of unclear provenance shifts its targets. Cyberattacks on voting in Ecuador. Other notes from the cyber underworld. And doxing the Duma.
Episode Date: August 22, 2023

HiatusRAT shifts its targets. Ecuador's difficulties with voting are attributed to cyberattacks. Carderbee is an APT targeting Hong Kong. auDA (pronounced "OOO-duh") turns out not to have been breached. Ukrainian hacktivists claim to dox a senior member of Russia's Duma. Russian influence operations take aim at NATO's July summit. Joe Carrigan describes attacks on LinkedIn accounts. Our guest is John Hernandez from Quest to discuss why he believes the MOVEit flaw is a wakeup call for CISOs. Security, not by obscurity, but by typo.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/160

Selected reading.
HiatusRAT Malware Resurfaces: Taiwan Firms and U.S. Military Under Attack (The Hacker News)
New HiatusRAT campaign targets Taiwan and U.S. military procurement system (Security Affairs)
HiatusRAT Returns after a Hiatus in a Fresh Wave of Attacks (Cyware Labs)
No rest for the wicked: HiatusRAT takes little time off in a return to action (Lumen)
Ecuador's national election agency says cyberattacks caused absentee voting issues (Record)
Carderbee: APT Group use Legit Software in Supply Chain Attack Targeting Orgs in Hong Kong (Symantec)
Resolution of cyber incident (auDA)
Ukrainian hackers claim to leak emails of Russian parliament deputy chief (Record)
Summit Old, Summit New (Graphika)
Summit Old, Summit New: Russia-Linked Actors Leverage New and Old Tactics in Influence Operations Targeting Online Conversations About NATO Summit (Graphika)
The simple typo that stopped bank robbers from stealing $1 billion (LAD Bible)

Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me. Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
HiatusRAT shifts its targets. Ecuador's difficulties with voting are attributed to cyberattacks. Carderbee is an APT targeting Hong Kong. auDA turns out not to have been breached. Ukrainian hacktivists claim to dox a senior member of Russia's Duma. Russian influence operations take aim at NATO's July summit. Joe Carrigan describes attacks on LinkedIn accounts. Our guest is John Hernandez from Quest to discuss why he believes the MOVEit flaw is a wake-up call for CISOs. And security, not by obscurity, but by typo.

I'm Dave Bittner with your CyberWire Intel briefing for Tuesday, August 22, 2023.

...targeting from Latin America and European entities and is now primarily focused on organizations in Taiwan. Lumen states the Taiwanese targeting affected a wide range of organizations, from semiconductor and chemical manufacturers to at least one municipal government organization. The threat actor also targeted a server used by the military. Lumen says, given that this website was associated with contract proposals, we suspect the threat actor could gather publicly available information about military requirements or search for organizations involved in the defense industrial base. The researchers note the shift in information gathering and targeting preference exhibited in the latest campaign is synonymous with the strategic interest of the People's Republic of China, according to the 2023 ODNI threat assessment. Attribution is unclear. The targeting is consistent with Chinese intelligence interests, but such consistency is merely circumstantial.
Absentee balloting in Ecuador's current election has been a problem. The Record quotes Diana Atamaint, president of the National Electoral Council, as saying, "We inform the Ecuadorian people that according to preliminary reports, the telematic voting platform suffered cyber attacks that affected the fluidity of accessing the vote." She added, "We also clarify and emphasize that the cast votes have not been violated." She made no attribution and offered no speculation about motives, but did say that the attacks were identified as coming from seven countries: India, Bangladesh, Pakistan, Russia, Ukraine, Indonesia, and China. The telematic voting platform is used to handle absentee balloting.
The Symantec Threat Hunter team has published a report on Carderbee, an APT group that's launching supply chain attacks against organizations in Hong Kong. The threat actor is using the legitimate Cobra DocGuard encryption software to deliver the Korplug malware, also known as PlugX. The researchers note malicious activity was seen on about 100 computers in impacted organizations. However, Cobra DocGuard software was installed on around 2,000 computers, indicating that the attacker may be selectively pushing payloads to specific victims. Korplug is known to be used by several threat groups. Which one is responsible for the current Carderbee wave, however, is so far unknown.
auDA, the domain authority for the Australian top-level domain .au, late yesterday said it had completed its investigation of an apparent cyber attack and concluded that there is no evidence that cyber criminals have accessed auDA systems or have obtained auDA data. A sole trader with an Australian domain name was being extorted by a ransomware operator. The trader didn't pay, and the gang then claimed, falsely, as it turned out, to be in possession of auDA data. So the auDA incident seems to have been a case of gangland's big talk far outrunning reality.

The Cyber Resistance Hacktivist Auxiliary,
which operates in sympathy with Ukraine during the present war, claims to have obtained access to emails belonging to Alexander Babakov, deputy chair of Russia's Duma. The Cyber Resistance provided the documents, some 11 gigabytes of material, to InformNapalm for analysis and assessment. InformNapalm, in its turn, says the email is also being made available to international journalists in the interest of exposing Mr. Babakov's alleged corruption. That corruption, the Cyber Resistance suggests, extends to bribery. The material includes Babakov's passport, tax and financial documents, as well as his medical records. The authenticity of the material remains under investigation, but Mr. Babakov's reputation for corruption is longstanding. He's been under sanction by the EU, Switzerland, and Canada since 2014, and by the U.S. since 2017. A lot of the specific corruption he's been associated with by these countries involves, of course, sanctions evasion. One sidelight: InformNapalm alleges that the emails include congratulations from Mr. Babakov to Mr. Steven Seagal, who has received both honorary citizenship and the order of freedom from President Putin. There are also some communications to a third party asking that a billion rubles be donated to the Steven Seagal Cinematography Support Fund. The scale of the donation is justified, the communications allegedly explain, by the scale of the personality, that personality being presumably Mr. Seagal himself, the auteur responsible for the environmentally themed action film On Deadly Ground. A billion rubles is currently worth about 11 million dollars, not as much as it used to be, but still not chump change.

Graphika has announced
Russian influence operations aimed at shaping a narrative around the Atlantic Alliance's July summit in Vilnius. The campaign featured documents the operators claimed to have been stolen from the Lithuanian government, and it exhibited a strong interest in driving a fissure between France and the other members of the alliance. The content distributed included bogus press releases disseminated by inauthentic personas. Graphika identified two distinct operations in the campaign. The researchers attribute one to Doppelganger, which they describe as a sprawling campaign that has impersonated media outlets and government agencies since at least May 2022 to disseminate pro-Russia messaging. The other operation is attributed to a familiar group, Secondary Infektion, known since 2014 for using fake personas to stage falsified and hacked documents online. Whether the two operations were closely coordinated or simply shared a common strategic objective is unclear. The campaign was complex and extensive, but its results were negligible. Graphika says their content received minimal shares from authentic users, and what online traction they did generate was largely in existing pro-Kremlin communities. Graphika also observed social media users, including influential pro-Kremlin figures, calling out the activity as fake, suggesting the actors often failed in their efforts to deceive online audiences. The Secondary Infektion material in particular was marked by slovenly linguistic execution. The posts contained grammatical errors typical of native Russian speakers, such as incorrect use of definite and indefinite articles, you know, like shadow speak, only not as funny.
And finally, spelling counts, friends. LAD Bible reports on a story told in the new documentary Billion Dollar Heist about a major theft from the Federal Reserve Bank of New York by suspected North Korean hackers. The hackers sent 35 fraudulent orders via the SWIFT network to transfer nearly $1 billion from an account belonging to Bangladesh Bank. The first five orders were successful, giving the hackers just over $100 million. One request, however, contained a typo. The hackers had misspelled "foundation" as "fandation," which caused the automated defense system to flag the transaction for further review. As a result, the other 29 requests were also blocked, preventing the attackers from stealing another $850 million. So friends, stay in school.

Coming up after the break, Joe Carrigan describes attacks on LinkedIn accounts. Our guest is John Hernandez from Quest to discuss why he believes the MOVEit flaw is a wake-up call for CISOs. Stay with us.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. ...ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
The MOVEit flaw continues to make headlines as more organizations reveal they've fallen victim to the vulnerability. John Hernandez is president and general manager at Quest Software, and he believes that for CISOs, MOVEit should serve as a wake-up call.

It's crazy how we just can't, as businesses and operators, we just can't wait around for Cl0p to come out with their ransom payment demands and take time to secure our software supply chains. Every company and government around the world really needs to get ahead of this as much as they can as things are continuing to evolve in the marketplace based on the MOVEit exposure there. And some of those things that we're seeing out there is the need to have a real strong defense-in-depth approach that really ensures that the people are following basic procedures and processes. I mean, as a matter of fact, we work with Microsoft pretty deeply as a partner with them, and they identify key things in the Digital Defense Report that came out late last year: that 88% of impacted customers do not even employ best practices of security, and 90% of accounts compromised via password attacks were not even protected with strong authentication. So there's just some basic things that can be done there to make sure that you're tightening up your environments.

Can we get into some of the specifics here? I mean, I think it's fair to say many organizations saw this MOVEit vulnerability as a bit of a wake-up call or a shot across the bow. Looking forward, what sort of things should people be putting in place to make sure that they're not victim of the next version of this?

Yeah, I think what we're seeing is every CISO and their teams that we're working with is really putting in the risk mitigation framework and really understanding what is the cost to mitigate these risks and how you mobilize budget and teams and vendors to help secure the environments here. And when you look at those types of trade-offs, it is really understanding where you attack the high priority items first to reduce those vulnerabilities, obviously. And as they're thinking through that, and we're working with many companies and governments on that, that is applying things like the NIST framework and the cyber resilience lifecycle that it lays out around, you know, how do you identify your vulnerabilities? That's the first thing out there: if you don't know where your vulnerabilities are, you can't do anything to tighten them up. And once you identify those things, you absolutely have to protect and detect when things are happening against those vulnerabilities. And ultimately, your response and the ability to recover if a breach like this does happen is very critical to keep the supply chain going. As a matter of fact, we've got a webinar coming up at the end of the month with our customers and partners, and we took a little survey with them over the last few weeks. And surprisingly, one of the top five things that are top of mind right now, based on this MOVEit exposure here, is the supply chain is very much top of mind right now.

Well, speaking of supply chain, what's your take on some of the efforts that have been made here? And I'm thinking of things like SBOMs, software bills of materials, that sort of thing. Are they helpful? Do they complete the picture?

No, it's going to take much more than that, obviously. I mean, this is a complicated, multiple-variable challenge that every enterprise is really experiencing and trying to get ahead of. And I think that's why you see so many vendors and agencies out there trying to put together things like Gartner, taking a look at what they call the cybersecurity mesh architecture, which is a broad and extensive architecture that includes many, many different software solutions and SaaS platforms and services organizations to really pull that together. Now, when you look at each of these different enterprises and governments alike, it's understanding, again, where your vulnerabilities are so you can attack those things first. But at the end of the day, us working with Gartner and really tying into that mesh architecture, they've been published out there saying that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chain. So this is definitely a wake-up call which happened over the summer, and making sure that folks are putting this top of mind, mobilizing budgets, and going after those vulnerabilities.

When you think of the organizations that you and your colleagues work with and you see success, are there any common elements for the ones who seem to be coming at this from the right direction?

Yeah, you know, one thing that we see pretty common where there's success is obviously working with the CISO office and the CIO on projects like this to really tighten up security vulnerabilities and protect areas like Active Directory, which is the authentication for like 90% of corporations and governments around the world. It's so critical to protect those crown jewels of all that data that can be held ransom and then take down the entire enterprise or government. But as we're thinking through those types of engagements with our customers and government agencies as well that we work with, it really is, you know, the combination of not only the CISO office and all the things that they're bringing to bear on these topics, but it's also, interestingly enough, working with the digital workplace transformation teams in both customers and partners, because there's a lot going on over in that side of the shop that really can tighten up some of those security things and clean up some of the environments that have exposure before you even apply security protocols on top of it. Cleaning it up is very important as well.

What are your recommendations for organizations who want to come at this? I mean, where do they begin?

Yeah, I think the first thing is really doing the identification like the NIST framework highlights. You know, understanding what the attack paths look like into your enterprise, understanding where your vulnerabilities exist, that allows you to prioritize as an organization what are your biggest areas of concern that you're going to have to mobilize quickly to go and tighten up. Some of the other things, like I mentioned earlier, is just applying some of the best practices around two-factor authentication and password protection and the ability to make sure that you're using best practices that are published out there. It's surprising how many companies just don't do that today. Those are some of the basic building blocks just to get right out of the gate. Then there's so many ways you can take it on from there. But really understanding what you're dealing with is the number one priority.

That's John Hernandez from Quest Software.
And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host on the Hacking Humans podcast.

Hey, Joe.

Hi, Dave.

Interesting story came by. This is from the folks over at Cyberint, the threat intelligence company.

Yep.

And they're tracking what they're seeing as attacks on LinkedIn accounts. What's going on here, Joe?

So somebody is attacking LinkedIn accounts, and they are following a very specific modus operandi here, is what they call it, MO. And what's happening is one of two things is happening to people. Either their accounts are getting compromised because of either a credential stuffing attack or brute forcing or something. They're somehow getting into the accounts. Or they are forcing the login so often that LinkedIn has an automated response that says, okay, you need to validate your account. So you have to go in and do a few things so that we know it's you. And it's interesting to note that one of the things Cyberint does in this is tracking the Google searches that have changed. So over the past 90 days, they've noticed that LinkedIn contact number searches have increased 150%. So people are going to Google searching for LinkedIn contact number and trying to get in touch with LinkedIn.

Right.

They're also noticing that there's a lot longer response time from LinkedIn support because LinkedIn is probably dealing with a bunch of these.

Yeah.

They've noticed some breakout search terms: LinkedIn account hack 2023, LinkedIn account restriction verify identity, and LinkedIn account recovery appeal. When people who have lost control of their accounts are losing control of their accounts, one of two things is happening. Either the accounts are just being deleted, which is kind of odd, or they're being held for ransom for a relatively low amount, a couple, they're saying a few tens of dollars. You know, so give me 50 bucks and you can have your account back.

Kind of a nuisance ransomware.

Yeah, almost. I don't know what the threat actor is up to here. I don't, if this were a nation state, they wouldn't be locking people out of their accounts. You know, if they were doing an intelligence operation, they'd just lay low and hopefully you'd never check and find out that someone was logging in from a different location.

Yeah.

You can check that on LinkedIn to see where you're logged in, and you can terminate those sessions as well. But these guys are going in, changing the email address to an email that's just a bunch of random characters, and then changing the password, locking the people out.

I see.

There is some talk in here about the consequences of that, the impact of a LinkedIn account. And they talk about the damage to your reputation if your account is hacked, right? Like they can publish content. They can damage your professional reputation if you're heavily relying on LinkedIn for that. They can do things where they attack people that you know through other attacks. We had a recent story on Hacking Humans where we talked about the possibility of somebody getting, you know, that just because you've lost access to one of your accounts and the malicious actor now has it, that doesn't mean you're the only person that's affected by that. It spreads throughout your network, throughout whoever you're connected to. They're also now at risk. And that's a very real, real problem. But on LinkedIn, it can be amplified because this is a professional social network. You're supposed to be conducting yourself professionally on here. Although I will say that I've noticed that LinkedIn is more like Facebook lately, but that's just my grumpy old man-ness about it.

I wonder too, could it be multi-tiered? In other words, folks are going after people's credentials, and if it's a low-profile credential, then they hit them with nuisance ransomware. But if it's a high-profile credential, maybe that has more value on the open market.

Yeah, this article doesn't make any statement about that. But, yeah, I would imagine that if they get a high-profile individual's account, probably, well, it's definitely more valuable to them. Whether or not they want to do anything about it as bad actors is up to them, and whether or not they even realize it. I mean, the fact of the matter is this could be young kids, right? Just doing these attacks, trying to make a couple of fast bucks.

And of course, they emphasize the importance of multi-step verification, multi-factor authentication.

Yeah. They say what you can do, you can check your account access. So if you log into LinkedIn, you can go to privacy and security under settings and find out where you're logged in. You can terminate sessions there. You have to enter your password to terminate a session, which I guess kind of makes sense.

Yeah.

Check your email for any messages from LinkedIn indicating the addition of another email account. If you didn't initiate that, consider that a significant warning sign, they say. Password security. Employ a strong and lengthy password unique to your LinkedIn account and avoid password reuse across platforms, which is always a good idea. And the best way to manage that is with a password manager. And then they say multi-factor authentication, enabling two-step verification in your LinkedIn account. Now, I went to LinkedIn and looked at the options that they have. They only have two options. You can only get a text message or you can use one of those authenticator apps to generate a one-time password using a seed.

Okay.

So they're going to flash a barcode up and then you're going to be able to do that. So, you know, be mindful that, you've had problems with that with Discord, that if you lose access to that seed, then you lose access to LinkedIn.

Yeah.

You know, it would be nice to see them do something where you could use something with the FIDO2 compliant system.

Right.

They're Microsoft, LinkedIn is owned by Microsoft. Microsoft is part of FIDO2. They're on the board. They're board-level members of the FIDO2 alliance, or the FIDO Alliance, rather. FIDO2 is the protocol. I'm misspeaking there. So I'd like to see LinkedIn let you use some kind of FIDO device.

All right. Well, the original article here is from the folks over at Cyberint. It's titled LinkedIn Accounts Under Attack. Joe Carrigan, thanks for joining us.

My pleasure, Dave.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. ...give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
This episode is brought to you by RBC Student Banking. Here's an RBC student offer that turns a feel-good moment into a feel-great moment. Students, get $100 when you open a no-monthly-fee RBC Advantage Banking account, and we'll give another $100 to a charity of your choice. This great perk and more, only at RBC. Visit rbc.com slash get 100, give 100. Conditions apply. Ends January 31st, 2025. Complete offer eligibility criteria by March 31st, 2025. Choose one of five eligible charities. Up to $500,000 in total contributions.
And that's The CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.

We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like The CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com.

This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

...With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.